var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-35754314-2']); _gaq.push(['_setDomainName', 'securityeverafter.com']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })();

Saturday, October 7, 2017

CIS Controls Implementation Guide for Small-and Medium-Sized Enterprises


I recently posted the 
below on the SANS Internet Storm Center.

Recently the Center for Internet Security (CIS) released the CIS Controls Implementation Guide for Small-and Medium-Sized Enterprises (SMEs). The Implementation Guide is directly mapped to the CIS Critical Security Controls and is focused on actionable steps that can be taken right now to assess and improve the cyber security posture and preparedness, particularly in small and medium sized enterprises. Recently a webinar with some of the team members who helped develop the Implementation Guide was made recorded.  

The guide focuses on 3 key areas of
  • Know your environment
  • Protect your assets
  • Prepare your organization

I especially like the questions that are provided in the Implementation Guide
  • Do you know what is connected to your computers and networks?
  • Do you know what software is running on your systems and networks?
  • Do you set up your computers with security in mind?
  • Do you manage who has access to sensitive information or who has extra privileges?
  • Is your staff clear about their role in protecting your organization from cyber incidents?

When reviewing these questions, especially for the first time, you may not like your answers very much. I encourage you to use your answers as as motivation to apply focused attention to achieve better answers over the next 30 days. No matter the size of your enterprise, I believe there is something in the Implementation Guide for you!

Russell Eubanks

Friday, September 22, 2017

What is the State of Your Union?


What if you as an information security leader held an information security State of the Union address with the explicit purpose of educating both your leaders and business partners on your information security program and the areas of focus for the next year? Communicating to those who are not in our area is certainly a challenge; however, the benefits outweigh the effort in several different ways.

By being intentional at sharing the state of your security union, you can not only deliver the status of your program but also equip your leaders with information they can quite literally share in environments that your team is not able to attend.  

What should you consider including?
* Effectiveness of your program
* Opportunities to improve your program
* Communicate recent achievements
* Demonstrate stewardship of your resources
* Show how your team supported objectives of your organization
* Possible actions that you want others to take
* Clear call to action to the leaders to increase support, funding, and staffing
* Opportunity to receive feedback

How are you communicating the State of Your Security Union? Please leave what works in our comments section below.

Russell Eubanks

Saturday, June 10, 2017

An Occasional Look in the Rear View Mirror


I recently posted the 
below on the SANS Internet Storm Center.

With two new drivers in my home, I am training them to occasionally look in the rear view mirror of their car as an effective way to increase their situational awareness when driving. What if this principle were applied to the area of hardware and software inventory? Perhaps in the form of a quarterly reminder to consider CIS Critical Security Controls 1 and 2 that called for an objective look at hardware and software that might not be as shiny and new. Intentionally searching for this type of deferred maintenance could very well find unnecessary risk that is imposed on the entire organization.

Some organizations have an interesting approach - for every new tool purchased, two tools must also be retired. What a novel section to include in the business justification for the next new tool. Take a look in the rear view mirror every once in a while - particularly at the area of technology retirement to make sure you don't just continue to increase the collection of tools. Who knows what might be discovered.

What grade would you give yourself in the discipline of technology retirement? Please leave what works for you in our comments section below.

Russell Eubanks

Saturday, May 6, 2017

What Can You Learn On Your Own?


I recently posted the 
below on the SANS Internet Storm Center.

We are all privileged to work in the field of information security. We also carry the responsibility to keep current in our chosen profession. Regularly I hear from fellow colleagues who want to learn something, but do not have a training budget, feel powerless and sometimes give up. I would like to share several approaches that can be used to bridge this gap and will hopefully inspire a self-investment both this weekend and beyond. None of these ideas cost anything more than time.
 
I decided to borrow an idea from an informal mentor, something I generally give them credit for, but not always. I decided to wake up early each morning with the intent to learn something new every day. Maybe the something is a new tool, a new linux distribution or taking an online class. Having done this now for the last 7 years, I can say without hesitation or regret that it has been pivotal in making me a better me. I am convinced that applying just a little bit of incremental effort will serve you well as well.

Ideas to get you started:              
  • SANS Webcasts and in particular their Archive link                         
  • Serve as an informal mentor to a junior team member, while being open to learn from them 
  • Volunteer help out in a local information security group meeting
  • Read that book on your shelf that has a little more dust that you would like to admit
  • Subscribe to Adrian Crenshaw’s YouTube channel 
  • Be intentional by creating a weekly appointment with your team in order to learn something new over a brown bag lunch
  • Foster an environment that facilitates a culture of learning

After considering this topic for a long time, I want to ask this question - What are you doing to invest in yourself, particularly in ways that do not cost anything but your time? Please leave what works for you in the comments section below.

Russell Eubanks