Welcome to my second in a series of blogs based on what I term “The Groove Theory of GRC.” As you may or may not know (or infer from this series), I have been a musician for much of my life. Starting in grade school playing in the school band, I have enjoyed the gift of making music over many years. While I am no longer a “gigging” musician, I still pick up my craft and noodle at home often. One aspect of making music that I have enjoyed is the debate between musicality and performance. Is a great musician guaranteed to be a great performer? Are all great musical performers talented musicians?
Governance, Risk & Compliance (GRC)
In his #EMCworld keynote on Tuesday morning, Joe Tucci used the phrase “the sea of trust” to capture the pervasive role that security has to have in the success of the “third platform” of mobile, cloud and big data. It’s a great metaphor, reflecting not only the pervasiveness that security has to have, but also the dynamism and power that it needs to embrace.
The landscape of governance, risk and compliance has evolved substantially and, I believe, is reaching an inflection point. In some respects, the discipline is enjoying the benefits of constant maturation. Companies have been on the journey for multiple years and, as evidenced by many of our long-time customers, are profiting from this adventure in both tangible and intangible ways. In other respects, GRC, in some eyes, has become a bloated term – nebulous in its meaning and suspect in its value. It is hard to argue with any concept that advocates managing risk, maintaining effective compliance with laws and regulations and, ultimately, making intelligent, data-driven business decisions. But some detractors of the concept of GRC talk of immense, costly, protracted, delayed projects that rarely cross the finish line.
In my earlier blogs on Transforming Security Analytics and Transforming Trust, I wrote about the strong focus we have on cybersecurity at this year’s EMCworld, previewing several of the sessions that will highlight security topics. In addition to those presentations, we’ll also once again have a Birds-of-a-Feather session, focused on Building your Trusted Cloud. It’ll [...]
The application of Big Data analytics to security has resulted in a transformation not only in detecting and responding to threats. It also transforms how we establish and evaluate trust, based on understanding risk rather than expecting absolute security. This transformation doesn’t just affect security professionals. Understanding trust is critical for many of the topics that are explored at EMCworld, including cloud, virtualization, storage and document management. Understanding trust can help in enabling new business opportunities, finding more effective operational processes and working more effectively with partners.
This has been a cool and exciting week in the RSA Archer Federal world. I made a couple of trips to the National Institute of Standards and Technology (NIST) this week. In terms of federal IA standards, NIST is obviously critical, and RSA Archer has taken the next step to build our relationship with them.
NIST is an existing RSA Archer customer and we are core partners in their National Cybersecurity Center of Excellence (NCCoE) lab. One of the main missions of this lab is to bring different types of vendors together in a collaborative way, with NIST moderating, to innovate and solve security problems. They call this effort the National Cybersecurity Excellence Partnership (NCEP). As a precursor and test run of the NCEP idea, RSA Archer recently collaborated with the NCCoE lab staff to design a trusted geo-location solution and co-author a paper on the subject.
Business Continuity: How to Apply Enterprise Risk Management to Your BCM Planning Efforts…and Vice Versa!
by Patrick Potter, RSA Archer GRC Solutions
Business Continuity Management (BCM) programs typically do a good job of evaluating business criticality through performing Business Impact Analyses (BIAs) to determine recovery priorities. However, how many BCM and IT Disaster Recovery (DR) programs adequately assess risks starting at the overall program level down to the process or [...]
Over the last few weeks I have outlined several elements of Security Operations that are bubbling to the surface in my blog series “Next Generation Security Operations”. The series really focused on the reactive side of security management, and a key theme was the connection between nuts-and-bolts security and broader processes. A key point I wanted to communicate was not only the need for companies to remain vigilant and evaluate the detective side of security management, but also to look outside the technical infrastructure for inputs that improve reaction time within Security Operations. As most of my readers are GRC practitioners, this connection stimulated some interesting conversations with customers from the GRC side of the house, and I hope it made some of the same connections from the security side.
Over the last few blog entries, I outlined some of the dimensions that security operations need to think about during 2013 and beyond. In some respects, this is the tip of the iceberg – there is only so much you can cover in a blog. However, I think there are some important items to put on the radar.
Years ago, companies had to worry about the “brick and mortar” threats – physical theft, property destruction, natural disasters. Next, it was the “bits and bytes” threats – intellectual property theft, website defacement, denial of service attacks. Now, there is a new element to our threat landscape – the “flesh and blood” threats. I don’t mean personal physical attacks but rather attackers exploiting an individual for nefarious purposes.