May 5, 2009

Managed Security Services ≠ Light Switch

RSA 2009 has been in the can for over a week now, and I've had some time to reflect on the state of security since the economy broke its nose on the market floor. Gartner released reports saying that security spending was not cut as hard (if at all) when compared to other areas inside companies. People on the expo floor had mixed experiences as well. The four common themes I discovered were:

  1. Non-essential security spending was cut (but things you have to do like SOX and PCI are fine)
  2. Headcount was cut
  3. No change
  4. My hair is on fire

Regardless of the theme, more security professionals are warming up to the idea of Managed Security Services. While most of us want to command a SOC that is significant in both size and value to our company, our companies' executives look at the expenditure required to build said SOC and have to decide if they are in the security business or not.

Most are not.

So in order to meet the mounting threats that our overworked teams deal with every day, we need to figure out what elements of our program are best outsourced to people in the business of security, and which ones are not. Many companies start immediately looking at things like IDS management/monitoring, firewall management/monitoring, and log management. Those are excellent choices for sizable environments supported by a small team. Not only does it allow you to delegate these tasks to outside experts that do hundreds, if not thousands daily, it also allows you to re-deploy YOUR experts to focus on strategy and building value for your company.

Sounds great, doesn't it?

With the right company, it sure is great! Don't stop reading here--I'm not going to suck you into a drawn out pitch for VeriSign's MSSP services (but feel free to inquire about them!). But I want to caution any purchaser of managed security services... you are not buying a light switch!

I've recently figured out that most companies that purchase managed security services think they should work like a light switch. They just flip it on, and magically things start working.

The reality is that managed services require tuning and up-front investment to make them work well. This means that your first year costs will be dramatically higher than future years for the same scope of systems. It also means that any time you change the scope, you must account for the same type of startup costs for the new scope. Managed services can work like a light switch, provided you install that switch properly.

So remember, if you are considering outsourcing parts of your environment, you will have to invest some time and money up front to make sure you get the most value out of the service, and keep long term costs in check. Focus less on the monthly recurring cost and focus more on total cost of ownership over multiple years1, and be sure you invest in the future!


________________________________________
1 Kind of like buying a car, right? If you are getting a loan, focus less on the monthly payment and more on the total cost of the car. Oh, and reject the first offer.

April 27, 2009

An alternative to PCI

PCI is still a hotly debated topic nearly four and a half years after its initial release on December 15, 2004. You didn't have to visit too many after hours parties or exhibitors at RSA to see that.

Most of the criticism of PCI comes from people who really don't understand it, or don't understand how to use it to their advantage. And those people fall into two categories themselves: those who are green to PCI and are overwhelmed, and those who love their soap box.

Those in the former bucket just need time to get up to speed. PCI, like Rome, was not built overnight, and it requires weeks of study to fully grasp how it will affect your environment. There is training available from a couple of industry sources, though my personal preference is that any training on payment security should not stop at PCI. I have a solution for the card companies to address the latter group directly, but more importantly, address the industry at large to demonstrate that you really do focus on information security.

I propose that the founding members of the council (Visa, MasterCard, Amex, Discover, and JCB) consider two ways to demonstrate PCI Compliance. The first of which is to complete the PCI DSS just like they would do today. Nothing new there.

Here's the twist.

The second method should be met by demonstrating a mature ISO 27000 security program, potentially certified under BSI America. That serves two purposes. The first purpose is to accomplish the intent of PCI DSS, protecting the data. The second is to combat the nay-sayers who say things like "I can't wait until this PCI crap is over so I can get back to security1." In reality, those nay-sayers were doing a poor job at security before by only focusing on problems that interested them, not ones that were in the best interest of the customers, shareholders, and employees of the company.

If the card brands gave merchants and service providers the option, I think you would see the majority choosing PCI DSS, and only the most savvy choosing the ISO route. The best thing is that the card brands could fight the fires on two fronts. They can continue to coddle the laggards, and improve corporate information security for those that wish it. Most security professionals agree (four out of five dentists?) that PCI is not the scariest thing out there, by FAR. But if you use what you learn from PCI and improve upon its required baseline, you can use the ankle-biting nature of PCI to also subdue its bigger, more ornery cousins, PII and the State Data Breach Laws2.


_______________________________
1 This is an ACTUAL QUOTE from one of my retail contacts!
2 Sounds like a great name for a band!

April 17, 2009

Are you going to be at RSA?

I hope to see you there! I arrive on Monday and will be at the welcome reception about halfway through, and am leaving at lunchtime on Thursday. You can find me at the VeriSign ESS Booth (not the big one up front) at Booth #1454. It's in the back, so you have to look for it!

I will be manning the Retail Security area of our booth on Wednesday from 11:00 to 2:30. Come by and see me! Also, if you have not done so already, follow me on Twitter (http://twitter.com/BrandenWilliams/); I'll be tweeting from the conference and the booth! Who knows, maybe we'll end up at the same crowded bar filled with people arguing the merits of DLP!

March 23, 2009

RSA Scholarship!

Were you planning on returning to RSA this year but were caught in a RIF? RSA wants to help!

They recently announced a scholarship opportunity targeting unemployed security practitioners that have recently attended the RSA conference. In order to receive this scholarship, you must:

  • Be an information security professional (practitioner, security architect or similar role);
  • Have attended the 2007 or 2008 RSA Conference as a full conference delegate;
  • Complete a 1000 character explanation on "Why I need to attend RSA Conference 2009"; and
  • Complete a 750 character biography

Thankfully, no video submissions are required.

For more info, go here: http://www.rsaconference.com/2009/us/scholarship.htm.

April 8, 2008

Arrived at RSA!

Well, even the FAA's nit-picking couldn't keep me away!

I'm sitting at the InterContinental waiting for some associates. There's a very interesting crowd here at the conference. I'm looking forward to getting out to the city later on!