The year is slowly winding up and I got to thinking if much changed in 2008. PCI DSS compliance continued to raise awareness of good practice more than anything else out there, but aside from that, did many organisations, our industry and the IT Industry as a whole make much headway into the IT security problems we face? Looking at my December 2007 post, I could almost just repeat everything word for word and just change the dates.
Great timing, I am told, to have set up a job ads site; all my mates in recruitment have been telling me so in a sarcastic tone. “12 months ago, it would have been a brilliant idea to tap into the community around the site to promote jobs within the industry”. Oh well….we can only hope that things do pick up again for everyone.
Anyway, that’s not going to stop us for now so please do check out the site (link above and off main page here) and until the end of January, all job postings are free of charge. If you have a role going, do send the details through on the contact form.
We’re going to post a more detailed analysis of this shortly. Background: iiNet is in some bad legal action as reported here at ZDNet, and some support for iiNET as reported here at ComputerWorld. One wonders if the dudes going after them don’t have the balls to go after the bigger guys and are hoping to win against someone without the billions behind them to be able to set a legal precedent. (And thereby, law sets the rules for the bigger guys to then comply later). It just smells. I wish iiNet all the best with this and hopefully you kick some arse.
As an aside, iiNet have been open with their anti-filtering stance, and credit to them for having put their name and reputation on the line over things that are wrong!
(Open disclosure: yes, they are a client of ours but our position would be the same regardless!)
I don’t know much about the ACS (have read about them but never really had any urge to join – if they’d even have me), but any initiatives if done well can only help. I am not aware of their expertise in the field of Information Security so it’ll be interesting to follow. Anyone here part of the ACS or know much about them and this new initiative?
Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!”
SG dude: “Well more than likely, others have….we didn’t do anything fancy…”.
Web Developer: “Well nothing has ever happened so it’s just you guys!”
SG dude: “You have no logging”.
Web Developer: “We’ve never been hacked!”
What do you do? Scenario repeats every week – new developer, next website, next web app. See you then!
It’s getting to that time of year when we are seeing an influx of PCI business and a constant stream of phone calls and emails from organisations who are only now either hearing about it or have realised that they’ve dropped the ball on it and their compliance deadlines are only a few months away.
The majority of the people we talk with for the first time are shocked, to say the least, when we explain how tough compliance is going to be if you’re starting from a base of pretty much nothing. (As an aside, this highlights how bad business IT security practices have been all along – across all sectors and all sizes of business). Bottom line is that any business that has had good security practices in place should find PCI DSS compliance not that daunting, as there is not much in the standard itself that is not just plain good ol’ security practice. Why many are under the misconception that the PCI DSS is some radical set of requirements imposed upon poor businesses is still beyond me!
Following in the footsteps of Malcolm Turnbull, Kevin Rudd seems to have signed up also.
People have questioned recently whether it really is Malcolm Turnbull here: http://twitter.com/TurnbullMalcolm. If it’s not, the guy’s going to a lot of trouble. If it is, and I believe it is, he’s doing well. Even exchanged a few posts with him recently. Good on him!
Now is this our PM here: http://twitter.com/KevinRuddPM?
May have to test how he responds soon. Well, we have a direct forum on issues like Internet Filtering. (http://twitter.com/big_galoot).
The danger is that I may well cop some posts here myself (though hopefully I rarely fall into this category).
Talking to a friend who I know is an awesome Infosec guy and also delivers. He’s been marked down somewhat in his performance appraisal because he’s “not putting in above and beyond….” (Read: he’s not coming in at 7am and leaving at 7pm). But all his work is delivered on time and to quality. Colleague X, whose projects are always late and generally troubled, receives a good appraisal (as usual). Yeah, he’s one of those guys who’s in at 7am, leaves after the boss, and talks up his “successes”.
I always wonder what some of these bosses are thinking. Is it just their own belief that you need to be spending half your life in the office to show your worth or are they part of a monkey delivery system (where each link works on this premise)? (No relationship to the monkeynet). Saw a damn lot of this in my time in the Big 4 and investment banking world.
I don’t normally get into quotes, but I like this one:
“As to methods there may be a million and then some, but principles are few. The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.” – Ralph Waldo Emerson.
It’s no different to looking at managing Information Security in an enterprise. (Gees, this is deep).
The Strategic Security Management Framework approach, for example, can be considered the guiding “principles”. The “methods” are how those guiding principles get applied, and it is that step, developing methods from the principles, that is key. Flipping it the other way is always a guarantee of ongoing systematic failure.