Tuesday, August 7, 2012

Black Hat Panel: Top Skills


Jennifer Granick moderated a panel containing many of our most respected peers in the industry. Jennifer was incredibly sharp as she guided Jeff Moss, Bruce Schneier, Adam Shostack, and Marcus Ranum through several topics ranging from information sharing, critical infrastructure, future attacks, and cyber insurance.

The topic that caught my attention began with: You're the CSO. What are you going to spend your money on in the next 10 years?

Across the board, the answer was to spend your money on your employees... and that quickly folded into the types of skill sets needed. The answers given? Malware analysts, generalists, forensic analysis, response, cloud security, contracts, legal. You need people who can see the big picture and understand how the pieces fit together.

My takeaway for my customers? Invest in your people.

And a special note for my students. Continue reading, expanding, learning, pushing. Make yourself valuable and marketable. Love what you do. I've spoken with a few of you lately who have hit rough spots or failed in a big way. Don't quit. Don't give up. Don't you dare stop now. And in particular to one student who stepped up to the plate... I'm proud of you. Keep it up.

Monday, August 6, 2012

Re-post: Spreadsheet: ISO PCI HIPAA 800-53 FedRAMP CSA SANS SCSEM CESG

Re-posting this because this spreadsheet is a popular item. I've been pulled into so many directions over the last couple months that contributing here has been difficult. My apologies for that... here is the information about the spreadsheet:

Get the 'Common Authorities on Information Assurance' spreadsheet here. (xlsx)

...There are different spreadsheets floating around with ISO, PCI, NIST, HIPAA, and more so that you can play to your heart's content. Here's mine. Why do I do this? It's fun for me and it forces me to digest to a certain extent what's in there.

We have vCM and Archer, real tools for managing compliance. It does make a quick, compelling view into exactly why a (good) compliance management tool can be sooooo helpful. :) Have fun! It's under the documents tab.

The most complete set of controls?

Recently a customer asked my opinion about what I thought was the most complete set of controls. There are several I like, and some that are far too narrowly focused to build a comprehensive program. My answer? NIST SP 800-53. Here's a look at some commonly cited sources.

Common Regulations, Standards, Audit Practices and Guides: SOX | GLBA | FFIEC | Basel II | FCRA | HIPAA | NERC | NRC | CFAA | FISMA | FRCP | FISCAM | Privacy Act of 1974 | Safe Harbor | NYSE | PCI-DSS | COSO | CESG | NIST | ISO 27001:2005 | ISO/IEC 27002:2005 | OGC ITIL | BCI | CobiT | ISACA | AICPA | OECD | CSA | ENISA