Blogger: Dan Blum
This blog is created with the following in mind:
Industry perspectives: Whether it’s a denial of service attack on DNS servers, a rule covering electronic evidence or a hot vendor acquisition such as Cisco snapping up Reactivity in February, SRMS wants the option to weigh in. We have a unique perspective from many years of experience, many months of in-depth research on any number of topics, and hundreds or thousands of insightful customer interactions and probing vendor briefings.
Analysts unplugged: Have you ever sat down for 15 minutes to read your inbox, but an hour later you’re still at it? This happens all the time for me, but often as not it is a rewarding, not frustrating experience. Our analysts and consultants get into incredible discussions from time to time; I’ve often thought “I wish he/she would publish this!” Now we can, as a team. This blog won’t be like our architectural Technical Positions – where we bend over backwards to achieve consensus – it’ll be more of a backstage view.
Realism about security: SRMS promotes a systematic, comprehensive approach to security. However, we understand that information protection is more than a model; it must always happen within the larger context of the business. There are so many aspects to this that it’s hard to know where to begin. Even risk management - which is where we say to start - can be treacherous, and this has led us to addressing methodologies for both quantifiable and non-quantifiable risks.
Thematic focus: In our recent VantagePoint 2007 webcast, we identified five themes that we’ll be tracking closely: proactive security, de-perimeterization, raising the bar on OS (and endpoint) security, creating information-centric security architecture and achieving sustainable compliance. As important events or thoughts on these themes emerge, we’ll be sure to address them in the blog.
Make a difference: Information security is not a game; bad things are happening to people and organizations all the time. Yes, we’re in this business to make money, but what also keeps us motivated is the opportunity to score wins for the defense. Whether it’s improving the thought process, encouraging responsible behavior or promoting better practices, standards or better ways for information protection to work, we want to be on it. In keeping with current coverage themes, we’re very interested in false positive reduction, reputation-based trust, data redaction, endpoint and data virtualization, security event standards and other areas where breakthroughs are needed.
Feedback loop: Comments are turned on, and we’ll use them to have a discussion with the industry. If you have further ideas on what we’ve covered, or even if you disagree with something we wrote, please chime in. Time permitting, we’ll also participate in ongoing blogosphere discussions, even if they occur on other blogs.