Risk Management

Groove Theory of GRC – Postulate #1: Musicality or Performance?

Welcome to my second in a series of blogs based on what I term “The Groove Theory of GRC.” As you may or may not know (or infer from this series), I have been a musician for much of my life. Starting in grade school playing in the school band, I have enjoyed the gift of making music over many years. While I am no longer a “gigging” musician, I still pick up my craft and noodle at home often. One aspect of making music that I have enjoyed is the debate between musicality and performance. Is a great musician guaranteed to be a great performer? Are all great musical performers talented musicians?

Cybersecurity@EMCworld 2013: Transforming Trust

The application of Big Data analytics to security has resulted in a transformation not only in detecting and responding to threats. It also transforms how we establish and evaluate trust, based on understanding risk rather than expecting absolute security. This transformation doesn’t just affect security professionals. Understanding trust is critical for many of the topics that are explored at EMCworld, including cloud, virtualization, storage and document management. Understanding trust can help in enabling new business opportunities, finding more effective operational processes and working more effectively with partners.

Business Continuity: How to Apply Enterprise Risk Management to Your BCM Planning Efforts…and Vice Versa!

by Patrick Potter, RSA Archer GRC Solutions

Business Continuity Management (BCM) programs typically do a good job of evaluating business criticality through performing Business Impact Analyses (BIAs) to determine recovery priorities. However, how many BCM and IT Disaster Recovery (DR) programs adequately assess risks starting at the overall program level down to the process or [...]

To MSSP or not to MSSP?

It’s an increasingly common question these days, and not an easy one at that: do you build your security operations capabilities in house, or do you go with a Managed Security Service Provider (MSSP)? There are certainly advantages to both, and from a bottom-line perspective it is hard to say which one is actually cheaper. Ultimately, as with all things, it is a business decision that is made with an acceptable level of risk in mind.

“What’s your question?” – Next Generation Analysis in the Compromise Landscape

Threat analysts, as a general rule, are often concerned with the minutiae of the day-to-day threat landscape. Who was hacked this week? Do we have malware involved for this incident? Do we have indicators for the incident? What about exploits? Do we need patches? This is all key information related to properly defending a network, but often, taking a step back and looking at the environment holistically PRIOR to the incident helps to understand where the gaps may be.

Realizing all the Promises of Mobility

The SBIC has produced a new report that is mobile centric called “Realizing the Mobile Enterprise.” The council builds on data. In this case, it builds on a fascinating series of online polls that show a rapid litmus-like test of the mobile landscape and, in particular, the degree to which “the enterprise” (an interesting notion [...]

Disruptive technologies breaking down our doors in 2013

RSA recently launched its latest SBIC report titled ‘Information Security Shake-up – Disruptive Innovations to test Security’s Mettle in 2013’. It introduces some interesting food for thought on what organizations should have on their ‘to do’ list for 2013. Four key innovations are highlighted, which shouldn’t come as a big surprise to anyone; I think we have all been addressing some of these in the last year, but it’s time to hunker down and really start focusing on these four key innovations, which will test the true grit of our security systems.

The Public Cloud, Pigeons and Risk Management — Part 3

Are we trusting a third party with our data? Yes, we are, and have been for years. In the past, many companies used bureau computing, where they sent out workloads on magnetic or paper tape and got the results (usually a print-out) back a few days later. Sometimes this was Software-as-a-Service, sometimes this was Platform-as-a-Service, although we didn’t use those acronyms then. It was just service bureau computing.

The move to an intelligence-driven security model

Albert Einstein defined insanity as doing the same thing over and over again and expecting different results. Reflect on that for a moment. For the past 10 years, the Internet has become a ubiquitous form of communication. Growth of digital content and use of mobile devices have soared, organizations have opened their infrastructures to enhance [...]

The Public Cloud, Pigeons and Risk Management: Part 1

On what basis do we make risk choices? When in an unfamiliar retail store, and facing a POS terminal whose design one has never seen before, what reassures the average person that it is safe to swipe their card and type their PIN into that machine? Worse, even if the POS machine is a familiar design, what is the rational basis for assuming it adequately protects card details? It certainly looks like a solid piece of hardware, but is it really?