Blog

  • Control System Maturity Through Quality Control

    This post is one in a series on Innovating Security Management practices.

    According to many standards for control systems, control activities involve proper business process design, information system design, and policy development.  Those same standards also suggest that each area be part of a broader, integrated architecture.  Auditors typically operate outside the system, providing feedback to management on their system and controls.  So where does “security” play?

    When an auditor identifies a finding, it is given to the manager most responsible for the defective business practice.  The finding is not assigned to the CISO unless the CISO’s business unit was the subject of the audit.  Note that there is still no touch point for “security”.

    Those same frameworks also suggest that either Management or Personnel perform the control design and implementation.  In my experience, managers know how to manage people and budgets, and drive completion of their “functional” service activity.  Unless they are a CISO, they likely don’t know how to properly design their controls.  They assign the task to their staff to figure out.

    It is no wonder that a recent survey suggests that a wide majority of executives and Board members don’t prioritize recruiting skilled “security” professionals.  They don’t use them.  Security is some other functional business process and activity, and doesn’t relate to risk management and control integrity, right?

    So who is at fault?  Someone has to be at fault for this broken control framework!

    Management is responsible for ensuring that management decisions are based upon quality information and that their actions evolve quality information and communication.  So, bottom line, this is a “quality control” issue.  Time for a title change?

    When most reputable standards are fully implemented, information and communication must flow through security staff and certified technology.  The problem is, most organizations are not at that stage of maturity.  So how do we get there?

    In my opinion, it all comes down to maturity.  All key roles, including Audit, must recognize the maturity of the business and prioritize the appropriate entity-level controls to:

    1. Establish a security-centric quality control SME
    2. Ensure they (and their respective organization) are plugged into the management decisions going forward.

    References:

    1. http://www.esecurityplanet.com/network-security/75-percent-of-execs-board-members-dont-prioritize-recruiting-skilled-security-pros.html

  • Know Your Market

    The following post provides the rationale for and simple steps to realign your career with the job market.

    Every business worth its salt knows that survival demands discovering its market and maintaining alignment with that market going forward. Progressive companies even take it a step further and lead that market by adopting innovative products and services. Why should your career be any different?

    Being aligned with your job market may be tomorrow’s reality. According to the Wall Street Journal more than 5 years ago, the average American will go through SEVEN careers in their lifetime – and that’s not counting how many jobs you will see within a given career. The trend is going up, by the way. Who knows what that average is now?

    Post-graduation I’ve had at least 3 careers and now 8 jobs – and I’m one of those loyal, establish-roots kind of guy. In early 2014, I thought I was in my last career and then the re-organization happened. Before long I was on the outside looking in – in the job market for the first time in over 18 years. Could you be next?

    Nearly 18 months later, I can say that I’m in a better place – thanks in part to Lee Hecht Harrison, and my job coaches Brian Coughlin and Pauline C. Fournier. You can be too, and avoid the hard lessons I had being on the streets underemployed. Try these four simple steps to connect you with your market:

    1. TAKE A LONG LOOK IN THE MIRROR – Most companies have a process for reviewing job performance and offering feedback. Get all of your performance appraisals together and start reading. Identify the skills and attributes you are consistently excelling at, and those that identify your warts. Don’t worry, we all have them. The key is accepting these issues and doing something about them.
    2. EVALUATE YOUR JOB MARKET – Go to your favorite job board and search for jobs similar to your current role. Even better, search for where you want to be next. What skills and qualifications are they looking for? Now compare them with your credentials. See any glaring gaps? I know for me, one element was professional certifications. The job market valued certifications over my master’s degree. Why not demonstrate both to my next employer?
    3. DEVELOP A MARKETING PLAN – Most job seekers have just a resume. Don’t sell yourself short. Your network cannot help you with your job search unless they know your value proposition and where you think you fit in the job market. Create a separate marketing plan and clearly define your professional objective, positioning statement, competencies, target market, and target companies. Have those that know you best review it and provide feedback.
    4. MARKET YOURSELF – Positioning yourself for that next job is more than applying through the front door. Put yourself out there. Use social media like LinkedIn to showcase your strengths. Join professional associations and engage in the discussions leading your practice area.

    References:

    1. https://www.wsj.com/articles/SB10001424052748704206804575468162805877990

  • Tragedy in Paris – Call for Information Sharing

    I tell my students every day that security is as good as your listening skills.  Of course I am selfishly suggesting that these undergraduates read their assignments and listen to my lectures.  Recent events in Paris point to a breakdown of communication and cooperation.  We should all treat this as a lesson learned.

    Some believe that this recent failure lies solely with the French intelligence agency.  Many believe that recent disclosures through Snowden have nations questioning their trust in the US.  It is obvious that mutual trust enhances information sharing and security intelligence.

    I am calling on all of my friends and colleagues to get involved in InfraGard.  All members must be US citizens cleared through a background check process.  Sensitive information can be freely shared, strengthening the threat intelligence of all parties involved.  Don’t let this tragedy happen in the US.  Get involved today!

    References:

    1. https://www.ibtimes.com/paris-terror-attack-intelligence-failure-not-snowdens-fault-break-down-communication-2185255
    2. https://www.theguardian.com/world/2015/nov/14/french-intelligence-under-scrutiny-paris-attacks
    3. https://www.infragard.org/