PDCA is Dead

I have to admit that I have never really understood the PDCA concept as it applies to information security.  I do know that PDCA stands for Plan-Do-Check-Act, but I have never understood the difference between Do and Act, other than there is a Check step in between.  Also, I can never remember which way the…

LEARNING FROM PAST MISTAKES

I tend to read any legal cases about information security, because they are one source where accurate root cause information on breaches can be found.  Two very interesting decisions on security at banks were recently published.  One is the May 27 US District Court decision on Patco v. People’s United Bank.  An even more recent decision…

How Better Security Can Create Shared Value

A recent article by Michael Porter and Mark Kramer, Creating Shared Value (Harvard Business Review, January-February 2011) makes the point that a focus on “shared value” can help give birth to a new capitalism and move business beyond its short-term profit focus.  Shared Value, as defined by Professor Porter, is not giving money away, but rather…

DDOS Tutorial

A very good tutorial on DDOS attacks, much in the news in the past few months, was posted by the Berkman Center at Harvard University in December.  The research is entitled:  “Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites”, December 2010.  The first part of this report outlines DDOS attacks in general, while…

The future of information technology

We live in a time when information technology is turning everything inside out.  This presents challenges and opportunities for information security professionals.  I had the pleasure this week of listening to a presentation by Michael Rogers at LegalTech in NYC.  The subject of his talk was information technology in 2020.  Mr. Rogers designates himself as…

Data Governance Anyone?

I recently had a scary experience with Amazon.  I regularly order items on this site, and have not had significant problems.  However, yesterday was different.  I was ordering an emergency flashlight and a four-way travel power strip and was about to complete my order, when I noticed that the shipping charges totalled $1055.44. See the screenshot to…

Learning from the oil spill disaster

I believe that information security professionals can learn from disasters reported in other areas.  After all, the basic security mission of prevent, detect and respond is the same whether the assets being protected are bytes of data or barrels of oil. Yesterday the National Oil Spill Commission released its final report on the Deepwater disaster…

Down the Rabbit-Hole…Again?

The New York Times ran an interesting story on January 5 about a House Republican inviting input from businesses on which regulations were impeding economic recovery.  I am sure the House will get at least a few comments on this topic.  Since I had just finished reading Professor Tim Wu’s new book, The Master Switch, I had…

Ideas on Risk Management

The recent financial meltdown has led me to give some thought to information security risk management processes.  After all, these originated in the financial community in the distant past.  So where does this leave today’s security practitioner?  Are risk management processes for IT security valid?  Are we putting our businesses at higher risk for failures? A recent article…