Why do we need Information Management

I am guessing most of the readers of this blog are in the University of Washington's Master of Science in Information Management (MSIM) program. For those that aren't, the MSIM program focuses on connecting technology, people and information. I am sure you have heard the statistics about how much information is out there. With the advancement of the internet, we have caused the amount of information in the world to explode. All of this is well and good, but the problem arises when you try to make sense of the information. I was watching a TED talk recently that was basically an overview of what the MSIM program is without meaning to be. The talk is given by Thomas Goetz and it focuses on two things: first, the use of fear to accomplish things, and second, the idea that more medical problems could be solved not by better medicine but by better information presentation.

As a security professional, the idea that fear wasn't the best way to relay information was something that I hadn't considered before. If you have heard any sort of talk in regards to computer security, you have heard that a hacker can steal your identity, your bank account and, with a little effort, your first-born. Okay, so I am exaggerating a little, but every talk I have given or heard about computer security has been about the negative effects of not securing your network. Then, after giving presentations about how there is never a secure system, they wonder why executives haven't approved their expanded budgets. I believe we, as security professionals, are going about this all wrong. Instead of focusing on how impossible security is, we need to start focusing on how we can make the network better overall with the enhancements that security brings. In this realm I have found that UX people do a good job for the most part. When they make a presentation about a new website design they don't sit there and say how little traffic there is and how confusing the current User Interface (UI) is and then sit down. They quickly go over some of the problems with the current UI and then go on to show how well their UI will work and what it can bring to the table. Now this might just be an issue for security professionals, but I have a feeling it isn't. Overall, as professionals, we need to focus on the idea that has been thrown around this blog, and that is the Value Added principle. Focus on what value you are going to add to the company and how much it will help in the short and long term.

Now, as a final statement, this doesn't only apply to people who are already working. If you are looking for a job, focus on what you can do for the company. If you can get the other person even a little bit excited about what you could do for them, or the potential you have to help their company, you will stay in their mind. And believe me, the more good things you give the interviewer to remember you by, the better.

Now I realize that this may not be new to most of you, but I found the talk incredibly interesting. I have a link to it below in case anyone is interested. What are your thoughts? Is it better to go all positive? Are there any drawbacks to only focusing on the positive? Or is it better to talk about a combination of fear and potential?

What I should have practiced in college.

One of the things that every student worries about is which skills will help you become successful in the workforce. Communication, writing, and presenting are some of the most emphasized skills in universities today. Now that I've entered the workforce, I'm beginning to realize just how important they are. From my experience, two important skills in professional environments are how to run a meeting and how to organize your own information. When I started writing this post I was going to keep this to one post, but I soon realized that because of the length and depth of the topic I am going to break it up into at least two.

Meetings:

Meetings are something that can make or break a project and a career. The people who succeed know the importance of having, as well as not having, a meeting. This skill is one of the few that can't be taught in a classroom but must be gained over time. As I have participated in good and bad meetings in the workforce, I have come to believe that success in meetings boils down to three things: knowing when to call a meeting, how to organize a meeting and how to manage a meeting.

When to call a meeting:

Meetings can eat up a lot of time that could be spent on more important tasks. Try considering alternative methods of communication. I would venture to say that if you are calling a meeting for 15 minutes or less, you could probably say the same thing in an email, a phone call or by stopping by their desk. Don't fall into the trap of calling a meeting just because you need to talk to a group of people.
Having said that, I have also been in 15-minute meetings that were more productive than ones scheduled for an hour. If the timing is right and the content is prepared, then a 15-minute meeting can be very productive. The rule of thumb I use is this: if a decision needs to be made or discussed by more than three people who currently have differing opinions, or if material needs to be presented to three or more people urgently, then call a meeting. Basically, what I am saying is don't be afraid to call a meeting or to not call a meeting; decide what is best for you and the business.

How to Manage a Meeting:

Before the meeting.

I have already talked about knowing when to call a meeting, but this is more about what to include in the meeting invite and the pre-meeting work. Most of the meetings I've seen either don't have an agenda or have a loose agenda that isn't followed. This leads to things getting unnecessarily sidetracked, wastes time, and can often result in another meeting to complete what should have been finished in the first one. At least 24 hours before the meeting, and preferably when the meeting invite is sent, include the agenda so that people can decide how much of the meeting they need to be there for.

Presenting alternative points of view.

When you are in a meeting, don't be afraid to bring up an alternative view IF IT IS APPROPRIATE. This is probably the hardest thing to do well. If you argue or present different plans too often, you risk being ignored or making enemies. Learn to phrase things in a way that doesn't degrade other people's points of view but rather raises your thought as a viable alternative without outright saying another person's option won't work.

This is really one of my biggest pet peeves. I want discussion to happen in meetings, but a relevant one. When you make your point, be short and quick; otherwise people won't listen and will dismiss your point even if it is groundbreaking.

After the meeting.

If you called the meeting, send the notes for the meeting soon after and include anything people are specifically supposed to do. This is for two reasons: 1) people forget, and 2) you have a record of everyone's action items. The notes are also important to verify that what you thought was agreed upon in a meeting was what everyone else thought as well. Nothing kills a project faster than getting to a major junction and having a disagreement about the way something was supposed to be done. Remember, it is better to have it and not need it than to need it and not have it.

Now I realize that I am just out of college, so feel free to disagree with me. This is, after all, a type of virtual meeting. What have you found useful in calling and organizing meetings? Is there something you have seen people do that you think works better than the rest?


Too many TLAs

I had a teacher once say that IT is riddled with TLAs (Three-Letter Acronyms). He thought it was hilarious. It wasn't until I started really looking into IT, and security especially, that I realized he was right. In the realm of technology there are some acronyms that most people know (HTTP, IP, PC and so on), but when you add security it turns into something you would expect in your alphabet soup: PCI-DSS, SOX, FISMA, ISO, HIPAA, HITECH, UDP, TCP, CERT, IR, XSS, CSRF, PWN, IPSEC, SCADA, and the list goes on. I am sure that you could guess some of them, but the first six are probably the most debated. The Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley (SOX), the Federal Information Security Management Act (FISMA), the International Organization for Standardization (ISO; don't ask, it doesn't make sense to me either), the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) are some of the security standards that businesses have to worry about.

On top of these are any internal audits that companies have to pass. Many times all this adds up to one thing: confusion. Take a publicly traded company that handles its employees' healthcare records and also holds a federal contract. This company has to deal with parts of HIPAA and HITECH as well as FISMA and SOX. You would think that these standards would correlate and go hand in hand, but they were all developed independently, so they have different requirements. This is where security professionals are the most challenged. Whether they are securing their own network or auditing a network against these standards, there is a challenge.

Most often, a company that is trying to meet the requirements of these standards does one of two things: it either does the bare minimum to meet the requirements right before the deadline, or it essentially puts security ahead of everything else and does things that will make the company more secure from its point of view, but at the cost of usability. Now, I have written about how usability and security need to go hand in hand, so that isn't the angle I want to take right now.

My main focus is that when companies think they have to choose between security and usability, it not only creates a hard time for users but creates a situation where users do things to get around the security measures, thereby creating security holes that weren't accounted for. Examples of this are writing down usernames and passwords, saving usernames and passwords in the browser, copying documents onto a USB drive, and trusting links that may not be legitimate. While this can be reduced with good user training, there is no need to put that burden on the users, especially since if the company is compromised because of the workarounds, it still ends up paying the fine, which can amount to millions of dollars.

Basically, my suggestion is for all companies to stop focusing on securing servers and networks and start securing information. That way they look at the data they are protecting rather than at what holds it. This might force them to walk through what users are going to do once the applications and network are set up and working. Hopefully this will allow them to start truly incorporating both usability and security into their business.

As a side note, if you are interested in the true cost of a security breach, there is a research project that I was a part of a few years ago that was presented at a conference. The video is kind of poor quality, but the information is valid. I didn't present it but did work on the external costs, those aside from any possible fine that is part of a security breach. http://vimeo.com/5384048