Comments on: An Open Letter to the New Cyber-Security Czar http://newschoolsecurity.com/2009/12/an-open-letter-to-the-new-cyber-security-czar/ The Blog Inspired By The Book Wed, 08 Feb 2012 09:21:02 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Adrius42 http://newschoolsecurity.com/2009/12/an-open-letter-to-the-new-cyber-security-czar/#comment-772 Adrius42 Mon, 04 Jan 2010 22:32:02 +0000 http://newschoolsecurity.com/?p=1211#comment-772 @adrius42 There have already been a number of great comments added to this text already. Repeating /Hoff's offer, how can we help? As an active member of the Board of Management of the Jericho Forum ( http://www.jerichoforum.org ) I would clearly commend you to read "The Jericho Forum Commandments" http://www.opengroup.org/jericho/commandments_v1.1.pdf and understand the various concepts embedded in the Collaboration Oriented Architecture. One request: Please do not follow the path of the physical security world that is implementing "Full Body Scanners" as a response to the "Christmas Pants Bomber" in the clear knowledge that the same scanners would not have caught him. We have similar behaviours in the Information Security world. @adrius42
There have already been a number of great comments added to this text already.

Repeating /Hoff’s offer, how can we help?

As an active member of the Board of Management of the Jericho Forum ( http://www.jerichoforum.org )
I would clearly commend you to read “The Jericho Forum Commandments”
http://www.opengroup.org/jericho/commandments_v1.1.pdf
and understand the various concepts embedded in the Collaboration Oriented Architecture.

One request:
Please do not follow the path of the physical security world that is implementing “Full Body Scanners” as a response to the “Christmas Pants Bomber” in the clear knowledge that the same scanners would not have caught him. We have similar behaviours in the Information Security world.

]]> By: Rob Lewis http://newschoolsecurity.com/2009/12/an-open-letter-to-the-new-cyber-security-czar/#comment-727 Rob Lewis Tue, 29 Dec 2009 15:42:07 +0000 http://newschoolsecurity.com/?p=1211#comment-727 @Tony, "One thing for sure, they can’t continue doing the same things and expecting different results." Shades of Marcus Ranum, you are right about that Tony, but of course the only answer they can think of is to pile more layers of what is not working now. @Tony,

“One thing for sure, they can’t continue doing the same things and expecting different results.”

Shades of Marcus Ranum, you are right about that Tony, but of course the only answer they can think of is to pile more layers of what is not working now.

]]> By: Tony http://newschoolsecurity.com/2009/12/an-open-letter-to-the-new-cyber-security-czar/#comment-719 Tony Fri, 25 Dec 2009 00:50:34 +0000 http://newschoolsecurity.com/?p=1211#comment-719 I am pretty sure he reads these posts and not only appreciates the comments but takes them to heart. One thing for sure, they can't continue doing the same things and expecting different results. Standards, NIST 800 series and metrics have to evovle to keep pace with what is going on in the real world beyond the labs. Hoff and others like those that have posted here will be who makes the difference not a single office in DC. I am pretty sure he reads these posts and not only appreciates the comments but takes them to heart. One thing for sure, they can’t continue doing the same things and expecting different results. Standards, NIST 800 series and metrics have to evovle to keep pace with what is going on in the real world beyond the labs. Hoff and others like those that have posted here will be who makes the difference not a single office in DC.

]]> By: Christofer Hoff http://newschoolsecurity.com/2009/12/an-open-letter-to-the-new-cyber-security-czar/#comment-716 Christofer Hoff Wed, 23 Dec 2009 22:12:11 +0000 http://newschoolsecurity.com/?p=1211#comment-716 Dear Howard: I'll keep it short. Let me know how we can help you be successful; it's a two-way street. No preaching here. Regards, /Hoff Dear Howard:

I’ll keep it short.

Let me know how we can help you be successful; it’s a two-way street. No preaching here.

Regards,

/Hoff

]]> By: Alex http://newschoolsecurity.com/2009/12/an-open-letter-to-the-new-cyber-security-czar/#comment-715 Alex Wed, 23 Dec 2009 22:00:30 +0000 http://newschoolsecurity.com/?p=1211#comment-715 Hi Howard, Again, congratulations on your appointment. The one thing that I would hope you would drive during your tenure is the evolution of security standards. An expanded piece is here: http://securityblog.verizonbusiness.com/2009/09/22/re-imagining-information-security-standards/ In summary - Standards have limited use over time and incapable of evolving unless they include provisions for the collection and sharing of data, and their oversight/governance body uses that data to change the standard as the threat landscape changes. Your influence in this regard, on NIST especially, would ensure that however long your tenure, and whatever else happens, you will have significantly moved our industry forward. All the best, Alex Hi Howard,

Again, congratulations on your appointment. The one thing that I would hope you would drive during your tenure is the evolution of security standards. An expanded piece is here:

http://securityblog.verizonbusiness.com/2009/09/22/re-imagining-information-security-standards/

In summary – Standards have limited use over time and incapable of evolving unless they include provisions for the collection and sharing of data, and their oversight/governance body uses that data to change the standard as the threat landscape changes.

Your influence in this regard, on NIST especially, would ensure that however long your tenure, and whatever else happens, you will have significantly moved our industry forward.

All the best,

Alex

]]> By: jared pfost http://newschoolsecurity.com/2009/12/an-open-letter-to-the-new-cyber-security-czar/#comment-714 jared pfost Wed, 23 Dec 2009 20:46:54 +0000 http://newschoolsecurity.com/?p=1211#comment-714 Hi Howard, I'm sure you have the new skool blog on your rss feed so I wish you the best. To continue the transparency theme, you have a great opportunity to be the carrot in this process. In addition to CERT related data and people metrics, advance the measurement work started at NIST SP 800-55 and wrap a measurement and communication process around it (measure the measurement (has a nice govt redundancy theme:)). You don't have to be accountable to celebrate those who have mature programs and spotlight those who don't. Perhaps you could use the GAO to scale, the OMB as a stick. Eventually you can tie program and measurement maturity to your breach data. You'll be sitting on an information goldmine. The public doesn't need to see all the dirty laundry, having each group understand their target metrics i.e. acceptable risk, and progress is a great step. ps. please don't include control checklists or employee certification requirements in legislation to manage risk. Use incentives to drive behavior e.g. OMB smack-down or leadership reassignment for breaches/failures. Hi Howard, I’m sure you have the new skool blog on your rss feed so I wish you the best. To continue the transparency theme, you have a great opportunity to be the carrot in this process. In addition to CERT related data and people metrics, advance the measurement work started at NIST SP 800-55 and wrap a measurement and communication process around it (measure the measurement (has a nice govt redundancy theme:)). You don’t have to be accountable to celebrate those who have mature programs and spotlight those who don’t. Perhaps you could use the GAO to scale, the OMB as a stick. Eventually you can tie program and measurement maturity to your breach data. You’ll be sitting on an information goldmine.

The public doesn’t need to see all the dirty laundry, having each group understand their target metrics i.e. acceptable risk, and progress is a great step.

ps. please don’t include control checklists or employee certification requirements in legislation to manage risk. Use incentives to drive behavior e.g. OMB smack-down or leadership reassignment for breaches/failures.

]]> By: Russell http://newschoolsecurity.com/2009/12/an-open-letter-to-the-new-cyber-security-czar/#comment-713 Russell Wed, 23 Dec 2009 19:40:14 +0000 http://newschoolsecurity.com/?p=1211#comment-713 Great suggestions. I might go further an suggest that Howard Schmit limit is his scope to <em>only</em> these items to avoid the tar pit of trying to be all things to all stakeholders. He should state clearly: "I don't own responsibility for cyber security, for the government or the nation. Each entity continues to own responsibility for cyber security, individually and collectively. My only contribution is to improve the quality of information to drive collective decisions, actions, and incentives." I would add just one more item: measures and metrics on the people side of security management and coordination, both within specific organizations (public and private) and between organizations (including collaborations, joint ventures, coordinating committees). This would include recruiting, performance management, organization, and also learning and knowledge management. Methods exist for this, but have never been applied to cyber security, to my knowledge. Great suggestions. I might go further an suggest that Howard Schmit limit is his scope to only these items to avoid the tar pit of trying to be all things to all stakeholders.

He should state clearly: “I don’t own responsibility for cyber security, for the government or the nation. Each entity continues to own responsibility for cyber security, individually and collectively. My only contribution is to improve the quality of information to drive collective decisions, actions, and incentives.”

I would add just one more item: measures and metrics on the people side of security management and coordination, both within specific organizations (public and private) and between organizations (including collaborations, joint ventures, coordinating committees). This would include recruiting, performance management, organization, and also learning and knowledge management. Methods exist for this, but have never been applied to cyber security, to my knowledge.

]]>