NCSAM has been shaken up this year, part of which I absolutely disagree with, but the main topics are defined as “Own IT”, “Secure IT” & “Protect IT”; the first of which is the main issue that plagues the world today: no one wants to “own” anything. If people would stop complaining, hashtagging, rage-canceling everything, and OWN their personal problems and insecurities, we would be in a much better place as a society. The next time you’re about to do something/anything, ask yourself “does my action, or inaction, directly affect someone/anyone else?” and “how would I feel if someone’s actions directly and negatively had an impact on my life?”; have you ever cared about those questions? I would hope these questions are rhetorical and “no-brainer” in nature.

OWN IT (this is a play on words here, OWN “information technology”) is the very beginning of any work/responsibility/duty; I need to recognize, accept, and take responsibility for what my objectives are and what the expected outcome should be. The main hindrance in the way of trying to OWN IT is lack of insight into the network, applications, procedures, and infrastructure as a whole. If I don’t know what I need to secure, how can I protect it? Another important vocabulary word to consider here is PWN. If you have been PWN’d (pronounced “powned”), that means you have been “hacked”, or someone has gotten something (SS#, CC#, mother’s maiden name, home address, etc.) from you.

The next pain point is directly tied to not having insight: that’s the lack of respect for the security budget, which always seems to be put on the back burner. See the issue here? If I need an SNMP monitor on your network so I can accurately assess the nodes on your corporate infrastructure in real time, but you don’t want to invest in the tools to get there, doesn’t that seem like an incredibly glaring hole?

Let's roleplay:

YOU: “MAKE ME SECURE.”

ME: “OK, we’ll need to invest in x, y and z tools, to provide monitoring, management, and behavior analytics.”

YOU: “WELL, I DON’T WANT TO BUY ALL THAT.”

ME: .... ;O

But you want to be “secure”!?

Security is not an investment you make money on, unless you count not having to pay regulatory fines, customer damages for breaches, and potential lawsuits; security is a necessary evil (an expense) that could quite possibly fail, but should at least be attempted, for the good of your clients and customers. If you don’t wanna get PWN’d, take the time to understand your environment, and OWN IT.

Security Bites, Don’t Be Next

Jim Howard