2 min
Security Strategy
Just a little more may be all you need for great security
The following is a guest post from Kevin Beaver. See all of Kevin’s guest
writing here [/author/kevinbeaver].
Thomas Edison once said that many of life's failures are experienced by people
who did not realize how close they were to success when they gave up. Thinking
about this in the context of security, the success that you're looking for could
just be a day's worth of work away. Or, maybe just a few weeks’ worth. But how
do you know? Will you be able to figure that out without falling into t
3 min
Compliance
HIPAA Security Compliance Fallacies (And How To Avoid Them)
Health Insurance Portability and Accountability Act (HIPAA) compliance hasn’t
been what I thought it was going to be. When I first started out as an
independent security consultant, I was giddy over the business opportunities
that I just knew HIPAA compliance was going to bring. Around that time, I
learned something from sales expert, Jeffrey Gitomer, that has had a profound
impact on my career. He said that if you work for yourself and are in sales,
which I am, that you must write and speak if
3 min
SecOps
Stop aiming for security perfection—just do what's right
Guest author Kevin Beaver discusses 'relentless incrementalism' in building out and improving security programs.
2 min
Security Strategy
Filling big gaps in security programs
Guest author Kevin Beaver talks about helping organizations bridge policy-practice gaps in their security programs.
3 min
Why you have to move beyond "We have a policy for that"
I've never been a big fan of – or believed in the value of – security
policies. Sure, they're necessary for setting expectations and auditors want to
see them. They can also serve as a sort of insurance policy to fall back on when
an unexpected security “event” occurs. But, at the end of the day, security
policies often contribute minimal value to the overall information security
function. As I've seen time and time again: many organizations have great
paperwork but their security program sti
2 min
User Behavior Analytics
Want to bolster your security program? Keep users from making decisions.
How many times have you witnessed security problems caused by a user making bad
decisions? I'd venture to guess at least a few dozen if not hundreds. We've all
seen where the perfect storm forms through weaknesses in technical controls,
user training, and – most often – common sense and the outcome is not good. Best
case it's ransomware or a similar malware infection. Beyond that, the sky is the
limit. Before your organization suffers a breach and is having to answer to the
news media and lawyer
2 min
Endpoint Security
Addressing the issue of misguided security spending
It's the $64,000 question in security – both figuratively and literally: where
do you spend your money? Some people vote, at least initially, for risk
assessment. Some for technology acquisition. Others for ongoing operations.
Smart security leaders will cover all the above and more. It's interesting
though – according to a recent study titled the 2017 Thales Data Threat Report
[http://www.prnewswire.com/news-releases/2017-thales-data-threat-report-security-spending-decisions-leave-sensitive-dat
4 min
Rapid7 Perspective
Why Security Assessments are Often not a True Reflection of Reality
Inmates running the asylum. The fox guarding the henhouse. You've no doubt heard
these terms before. They're clever phrases that highlight how the wrong people
are often in charge of things. It's convenient to think that the wrong people
are running the show elsewhere but have you taken the time to reflect inward and
determine how this very dilemma might be affecting your organization? I see this
happening all the time in terms of security assessments. In organizations both
large and small, I se
2 min
Vulnerability Disclosure
A very predictable vulnerability on most networks – are you looking for it?
I've always believed that information security doesn't have to be that
difficult. It's really not when you focus on the essentials. The problem is,
many people continue to ignore the basics
[http://securityonwheels.blogspot.com/search/label/back%20to%20basics]. In
search of something bigger, better, and sexier, they look past the small number
of flaws that are creating the majority of the business risks. The mindset is
“Surely we have to spend tens of thousands of dollars on the latest products
3 min
Security Strategy
What's the root cause of your security challenges?
This is a guest post from our frequent contributor Kevin Beaver
[https://twitter.com/kevinbeaver]. You can read all of his previous guest posts
here [/author/kevinbeaver/].
My favorite lyricist, Neil Peart of Rush, once wrote “Why does it happen?
Because it happens.” Some deep lyrics on life that many people, unfortunately,
apply to their information security programs. These people go through their
days, months, and years, letting things “happen”. It could be a user unhappy
about the security h
2 min
Security Strategy
The One Aspect of Selling Security That You Don't Want to Miss
This is a guest post from our frequent contributor Kevin Beaver
[/author/kevinbeaver/]. You can read all of his previous guest posts here
[/author/kevinbeaver/].
When it comes to being successful in security, you must master the ability to
“sell” what you're doing. You must sell new security initiatives to executive
management. You must sell security policies and controls to users. You even have
to sell your customers and business partners on what you're doing to minimize
information risks. Thi
2 min
SMB Security is so Simple - Take Advantage of it Now.
This is a guest post from our frequent contributor Kevin Beaver
[/author/kevinbeaver/]. You can read all of his previous guest posts here
[/author/kevinbeaver/].
Small and medium-sized businesses (SMBs) have it made in terms of security. No,
I'm not referring to the threats, vulnerabilities, and business risks. Those are
the same regardless of the size of the organization. Instead, I'm talking about
how relatively easy it is to establish and build out core information security
functions and o
2 min
Authentication
Passwords and the Devolution of Computer Users
This is a guest post from our frequent contributor Kevin Beaver
[/author/kevinbeaver]. You can read all of his previous guest posts here
[/author/kevinbeaver].
Recently, I wrote about my thoughts on why we feel like we have to force
short-term password changes in the name of “security.”
[/2016/04/28/why-do-we-keep-forcing-short-term-password-changes] Since that
time, Microsoft made an announcement to step in and help set its users (and
itself) up for success
[https://blogs.technet.microsoft.com
2 min
Authentication
Why do we keep forcing short-term password changes?
This is a guest post from our frequent contributor Kevin Beaver
[/author/kevinbeaver/]. You can read all of his previous guest posts here
[/author/kevinbeaver/].
I'm often asked by friends and colleagues: Why do I have to change my password
every 30 or 60 days? My response is always the same: Odds are good that it's
because that's the way that it's always been done. Or, these people might have a
super strict IT manager who likes to show - on paper - that his or her
environment is "locked down."
2 min
Security Strategy
Never Underestimate the Power of Relationships in IT & InfoSec
This is a guest post from our frequent contributor Kevin Beaver
[/author/kevinbeaver]. You can read all of his previous guest posts here
[/author/kevinbeaver].
2016 marks the 15th year that I have been working for myself as an independent
information security consultant. People who are interested in working for
themselves often ask for my thoughts on what it takes to go out - and stay out -
on your own. Early on, I thought it was about business cards and marketing
slicks. In fact, I spent so mu