Why do we need Information Management

I am guessing most of the readers of this blog are in the University of Washington’s Masters of Science in Information Management (MSIM) program. For those that aren’t, the MSIM program focuses on connecting Technology, People and Information. I am sure you have heard the statistics about how much information is out there. With the advancement of the internet, we have caused the amount of information in the world to explode. All of this is well and good, but the problem arises when you try to make sense of the information. I was watching a TED talk recently that was basically an overview of what the MSIM program is without meaning to be. The talk is given by Thomas Goetz and it focuses on two things: first, the use of fear to accomplish things, and second, the idea that more medical problems could be solved not by better medicine but by better information presentation.

As a security professional, the idea that fear wasn’t the best way to relay information was something that I hadn’t considered before. If you have heard any sort of talk in regards to Computer Security, you have heard that a hacker can steal your identity, your bank account and, with a little effort, your first-born. Okay, so I am exaggerating a little, but every talk I have given or heard about Computer Security has been about the negative effects of not securing your network. Then, after giving presentations about how there is never a secure system, they wonder why executives haven’t approved their expanded budgets. I believe we, as security professionals, are going about this all wrong. Instead of focusing on how impossible security is, we need to start focusing on how we can make the network better overall with the enhancements that security brings. In this realm I have found that UX people do a good job for the most part. When they make a presentation about a new website design, they don’t sit there and say how little traffic there is and how confusing the current User Interface (UI) is and then sit down. They quickly go over part of the problems with the current UI and then go on to show how well their UI will work and what it can bring to the table. Now this might just be an issue for Security professionals, but I have a feeling it isn’t. Overall, as professionals, we need to focus on the idea that has been thrown around this blog, and that is the Value Added principle. Focus on what value you are going to add to the company and how much it will help in the short and long term.

Now, as a final statement, this doesn’t only apply to people working. If you are looking for a job, focus on what you can do for the company. If you can get the other person even a little bit excited about what you could do for them or the potential you have to help their company, you will stay in their mind. And believe me, the more good things you give the interviewer to remember you by, the better.

Now I realize that this may not be new to most of you, but I found the talk incredibly interesting. I have a link to it below in case anyone is interested. What are your thoughts? Is it better to go all positive? Are there any drawbacks of only focusing on the Positive? Or is it better to talk about a combination of fear and potential?


Information Security Improving with time?

I ran across two interesting articles today on a website called bankinfosecurity.com. One was an Interactive Timeline of Breaches at US Financial Institutions so far this year. When I came across this article, I wondered how it compared to a similar timeline for 2009. The biggest breach in 2009 for a financial institution was the Heartland Payment breach in January of last year, where 130 million records were lost, while the biggest number of records lost so far this year is 1.2 million. If you take out the top two breaches, then it was interesting to see that January and February had about the same number of breaches, but it looks like in terms of number of records lost, 2010 wins.

This brings to mind a couple of questions. First, with security becoming more recognized, why are breaches happening at the same rate? This could be for multiple reasons, the first of which being that the hackers are getting more advanced. While I don’t doubt this, I believe the answer is much simpler. If you talk to any security professional, they will say the biggest threat to any company is people, or Social Engineering. You can have the most advanced security controls in place, but if people write their password on sticky notes and put them on their desk or computer, then no security controls will ever help.

Now I am not saying people are the downfall of security and you should never trust your employees, but it is something that needs to be considered in any business. Businesses need to educate people on not only basic security practices but why these practices are important. Train people not only how to create a secure password but how to recognize someone trying to talk their way into a business. Social Engineering causes more problems for companies than someone hacking their way into a company’s secure servers because it is easier. With just a phone call you can try to get someone to reset a password on an account and therefore give you access into a system. If you want to learn more about social engineering, Kevin Mitnick has a great book out called The Art of Deception: Controlling the Human Element of Security.

Now I am not the most experienced security person, so any thoughts or suggestions are appreciated. What do you guys think? If you are in the security field, how do you combat this problem, and if you aren’t in security, what do you think about being trained on basic security practices by your company at regular intervals? Do you think it helps? Why or why not?