The State of Security

Dwayne Melancon

Good resource on logging and retention practices – a legal perspective

by Dwayne Melancon

In the event of a data breach, law enforcement, regulators, payment card auditors, clients and others will ask about your log file management and your alerting protocols. Don’t be caught unaware.

Friendly pwnage? Or just a public beat down?

by Dwayne Melancon

It seems some hackers (known as “MalSec”) are going around to security companies, defacing their web sites, and leaving “polite warnings” that they’d better get their act together or they face the risk of being hacked in a more malicious fashion. Are these “helpful” hacks really helpful or not?

Is information security like pollution?

by Dwayne Melancon

I’ve been catching up on my post-RSA reading, and ran across Elinor Mills’ article on the RSA conference, “Why the security industry never actually makes us secure.”  One comment she makes was interesting to me because, as much as I’d like to disagree with it, I just can’t: “Like pollution, security incidents are something everyone [...]

The best way to get business people to fund your IT security projects

by Dwayne Melancon

I’ve written about the topic of infosec dashboards before: one of the emerging challenges in information security is how to effectively connect what we do every day to why it matters to the business and to non-technical executives.  As more and more IT Security organizations report into non-technical executives and functions (CFOs, COOs, Legal, Compliance) this will [...]

What is the risk? (aka “Don’t overcomplicate risk modeling”)

by Dwayne Melancon

I’ve been talking with a lot of companies lately about risk.  Many of them want to formalize their approach to classifying systems, data, business processes, people, etc. using a more formal risk program, such as FAIR, OCTAVE, and the like.  These models often seem fairly complex, and the net effect I’m seeing is that lots [...]

Infosec and too much to do

by Dwayne Melancon

One of the most common concerns I hear from the enterprises I speak with is having too much to do.  There’s never enough [time, money, people] to go around. So, what are they doing that’s working?
