{"id":981,"date":"2012-11-20T00:00:44","date_gmt":"2012-11-20T05:00:44","guid":{"rendered":"http:\/\/jlg.name\/blog\/?p=981"},"modified":"2013-09-01T23:36:18","modified_gmt":"2013-09-02T03:36:18","slug":"gabbing-to-the-gab","status":"publish","type":"post","link":"http:\/\/jlg.name\/blog\/2012\/11\/gabbing-to-the-gab\/","title":{"rendered":"Gabbing to the GAB"},"content":{"rendered":"<p>Earlier this month the\u00a0<a href=\"https:\/\/webmail1.telecomsys.com\/owa\/redir.aspx?C=4af444f0694f46428458bae5f32c191f&amp;URL=https%3a%2f%2fwww.isc2.org%2fGAB.aspx\" target=\"_blank\">(ISC)\u00b2 U.S. Government Advisory Board (GAB)<\/a>\u00a0invited me to present my views and opinions to the board.\u00a0 What a neat opportunity!<\/p>\n<p>The GAB is a group of mostly federal agency Chief Information Security Officers (CISOs) or similar executives.\u00a0 Officially it comprises \u201c10-20 senior-level information security professionals in their respective region who advise (ISC)\u00b2 on industry initiatives, policies, views, standards and concerns\u201d and whose goals include\u00a0<em>offer deeper insights into the needs of the information security community<\/em>\u00a0and\u00a0<em>discuss matters of policy or initiatives that drive professional development<\/em>.<\/p>\n<p>In terms of content, in addition to discussing my\u00a0<a href=\"https:\/\/webmail1.telecomsys.com\/owa\/redir.aspx?C=4af444f0694f46428458bae5f32c191f&amp;URL=http%3a%2f%2fwww.pdl.cmu.edu%2fPDL-FTP%2fStorage%2fCMU-PDL-04-108_abs.shtml\" target=\"_blank\">previous work on storage systems with autonomous security functionality<\/a>, I advanced three of my personal opinions:<\/p>\n<ol>\n<li><strong>Before industry can develop the \u201ccybersecurity workforce of the future\u201d it needs to figure out how to calculate the return on investment (ROI) for IT\/security administration.<\/strong>\u00a0 I suggested a small initial effort to create an anonymized central database for security attacks and the real 
costs of those attacks.\u00a0 If such a database was widely available at nominal cost (or free) then an IT department could report on the value of their actions over the past year: \u201cwe deployed such-and-such a protection tool, which blocks against this known attack that caused over $10M in losses to a similar organization.\u201d\u00a0 Notably, my suggested approach is\u00a0<em>constructive<\/em>\u00a0(\u201chere\u2019s what we prevented\u201d) rather than\u00a0<em>negative<\/em>\u00a0(\u201cfear, uncertainty, and doubt \/ FUD\u201d).\u00a0 My point is that coming at the ROI problem from a positive perspective might be what makes it work.<\/li>\n<li><strong>No technical staff member should be \u201cjust an instructor\u201d or \u201cjust a developer.\u201d\u00a0<\/strong>\u00a0Staff hired primarily as technical instructors should (for example) be part of an operational rotation program to keep their skills and classroom examples fresh.\u00a0 Likewise, developers\/programmers\/etc. should spend part of their time interacting with students, or developing new courseware, or working with the sales or marketing team, etc.\u00a0 I brought up the\u00a0<a href=\"http:\/\/lifehacker.com\/5932586\/make-work-feel-less-like-work-with-the-8020-rule\">3M (15%) \/ Hewlett-Packard Labs (10%) \/ Google (20%) time model<\/a>\u00a0and noted that there\u2019s no reason that a practical part-time project can\u2019t also be revenue-generating; it just should be different (in terms of scope, experience, takeaways) from what the staff member does the rest of their time.\u00a0 My point is that treating someone as \u201conly\u201d an engineer (developer, instructor, etc.) 
does a disservice not just to that person, but also to their colleagues and to their organization as a whole.<\/li>\n<li><strong>How will industry provide the advanced \u201ctip-of-the-spear\u201d training of the future?<\/strong>\u00a0 One curiosity of mine is how to provide\u00a0<em>on-the-job advanced training<\/em>.\u00a0 Why should your staff be expected to learn only when they\u2019re in the classroom?\u00a0 Imagine if you could provide your financial team with regular security conundrums \u2014 \u201cwho should be on the access control list (ACL) for this document?\u201d \u2014 that\u00a0<em>you<\/em>\u00a0are able to generate, monitor, and control.\u00a0 Immediately after they take an action (setting the ACL) then your security system provides them with positive reinforcement or constructive criticism as appropriate.\u00a0 My point is that if your non-security-expert employees regularly deal with security-relevant problems on the job, then security will no longer be exceptional to your employees.<\/li>\n<\/ol>\n<p>I had a blast speaking.\u00a0 The GAB is a group of great folks and they kept me on my toes for most of an hour asking questions and debating points.\u00a0 It\u2019s not every day that you get to engage high-level decision makers with your own talking points, so my hope is that I gave them some interesting viewpoints to think about \u2014 and perhaps some new ideas on which to take action inside their own agencies and\/or to advise the government.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Earlier this month the\u00a0(ISC)\u00b2 U.S. Government Advisory Board (GAB)\u00a0invited me to present my views and opinions to the board.\u00a0 What a neat opportunity! 
The GAB is a group of mostly federal agency Chief Information Security Officers (CISOs) or similar executives.\u00a0 Officially it comprises \u201c10-20 senior-level information security professionals in their respective region who advise (ISC)\u00b2 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,7],"tags":[],"_links":{"self":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/981"}],"collection":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/comments?post=981"}],"version-history":[{"count":1,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/981\/revisions"}],"predecessor-version":[{"id":982,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/981\/revisions\/982"}],"wp:attachment":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/media?parent=981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/categories?post=981"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/tags?post=981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}