Communication

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Some interesting documents have been published recently. This article points out a couple of them. Both have been added to my reading pile.
    Techworld.com - Risk assessment guides launched
    Tags: ( risk-management metrics )
  2. Jack offers some alternatives to saying "No." Very good ideas and we (not the royal we) should use them.
    Uncommon Sense Security: Don't say "No"
    Tags: ( communication )
  3. Want to know more about Johnny Long? Here you go.
    Sunbelt Blog: Johnny Long's story
    Tags: ( hackersforcharity )
  4. Chris works through an interesting exercise in quantifying loss. He then offers some thoughts on communicating loss. I need to read it again, but it strikes me as very useful. For those FAIR fans out there, it is very applicable to using FAIR.
    The Risk Is Right « Risktical Ramblings
    Tags: ( risk-management )
  5. Lori has once again nailed it.
    The IT Security Flowchart
    Tags: ( general )
  6. This breaks things down very succinctly. As Rich says, that doesn't mean it's easy.
    Securosis Blog | The Pragmatic Data (Information-Centric) Security Cycle
    Tags: ( security-lifecycle )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. We will be seeing more and more drives that support this.
    Full disk encryption comes to SSDs for mobile devices, laptops
    Tags: ( encryption ssd )
  2. Interesting perspective regarding awareness vs. enforcement/controls.
    The Difference Between Awareness and Enforcement
    Tags: ( awareness enforcement )
  3. A good article by Jeff about language and how we use it.
    Use Your Words : The Security Catalyst
    Tags: ( communication )
  4. Completely agree with everything Graham says about this situation.
    Firm hires Twitter worm author Mikeyy Mooney | Graham Cluley's blog
    Tags: ( general )

That's it for today. Have fun!


Kevin


Sorry for the late post, folks. Been a busy, busy day. Below you will find a post by RSnake begging for discussion, EFF pushing for modification to the DMCA, a method to secure BGP, why how we communicate to our users is important, the final part of a risk assessment using FAIR, SQL firewalls, and the fact that BeanSec is next week. Have a great weekend.

  1. Crime and Punishment ha.ckers.org web application security lab
    Tags: ( general opinion )
  2. This would benefit everybody.
    EFF pushes for legal handset jail-breaks - vnunet.com
    Tags: ( cellphone drm )
  3. This will be a definite improvement. There have been several cases of BGP errors causing significant problems in the last year or so.
    U.S. plots major upgrade to Internet router security - Network World
    Tags: ( bgp bgpsec )
  4. David reminds us that how a message is delivered is just as important as why the message is delivered.
    The Power of Positive Rethinking : The Security Catalyst
    Tags: ( communication )
  5. Part 4 of Chris's latest FAIR assessment is posted.
    Risk Scenario - Hidden Field / Sensitive Information (Part 4 of 4) « Risktical Ramblings
    Tags: ( risk assessment fair )
  6. It was only a matter of time before we started seeing SQL firewalls. Not saying it's a bad thing.
    /dev/random » Blog Archive » Databases Protection with GreenSQL
    Tags: ( firewall sql )
  7. Beansec next week.
    Rational Survivability: BeanSec! Wednesday, January 21st, 2009 - 6PM to ?
    Tags: ( beansec meetings )
  8. Yes, indeed. I and others have said it more than once, compliance does not equal security.
    Network Security Blog » "Security first" please!
    Tags: ( security pci )

That's it for today. Have fun!


Kevin


Meaningful Conversation

by kriggins on March 24, 2008

in Awareness, Educational

Scott Young over at PickTheBrain writes in this post about a couple of ways to improve the quality of the conversations we have with people.

He points to two basic rules that can help make conversations more meaningful.

  1. The conversation is not about you.
  2. You need to give trust to get trust.

I will leave it to you to explore his take on these two tenets from a general conversational perspective. However, it strikes me that if we, as Information Security professionals, would incorporate these rules into our conversations with our respective constituents, we might be met with a little less resistance. Of course, I am speaking from the perspective of being a corporate drone.

Having a conversation with the Information Security dude or dudette is viewed with a certain amount of trepidation by many who are "forced" to deal with us. In my experience, most of this trepidation is caused by us and not the poor supplicant 🙂 Why do you think they feel this way? Let's look at number 1 above first.

1. The conversation is not about you.

Pretty simple statement. Harder to put into practice than it appears, though. Let's change it a little: the conversation is about them. They are looking, whether they know it or not, for the best method of accomplishing their goal in the most secure manner available that is appropriate for the business risk they have chosen to accept. Which, by the way, is a topic for another post. If we approach things from this perspective, it becomes a collaborative endeavor, not an adversarial one. Of course, I am not suggesting that there will not be times when we are required to tell people they can't do something in the manner they desire. But as long as we avoid just saying no and try to help them find a way that is also acceptable from an infosec perspective, we have still remained their helper and not their roadblock. If they view us as their helper, they will be less concerned when they need to talk to us. They will involve us earlier and, finally, will be more likely to share more information with us.

2. You need to give trust to get trust.

This one is even more difficult. Why should they trust you? Do they know you? We have to build relationships with the people we work with. For those of us who work in the corporate world, this is a little easier. I talk to the same folks day after day and we have the opportunity to get to know each other and build trust. I have to trust that they believe I have their best interests at heart, and they have to trust that I am not out to "get them" or stop them from being successful. Following rule 1 above goes a long way towards building this trust. Those who don't have the luxury of long-term relationships with the folks they are dealing with have to find some way to establish that trust quickly, right at the beginning. Again, approaching it from a rule 1 perspective will help a great deal.

So there is my two cents worth about something that has been a problem in several companies for which I have worked.

I have not done the subject matter justice, but it was on my mind so here it is.
