Archive for July, 2006
So much for summer being slow
Thursday, July 27th, 2006
I told you July was going to be a busy month. Since it’s nearly the end of the month, let’s revisit that initial July post:
- A moderated, online debate about Common Criteria (referenced in this post)
Thomas P and I got all spun up and even wrote our opening statements. I’ve been way too busy to chase it, and I’m sure Thomas has been in the same situation. We’ll try to get this kicked off in August.
- A short piece to educate folks on the value of the ICSA certification program
Of course, I could just point you to various places online to read about this, but I’d like to give my own personal overview and experiences here. It’s all in my head; it’s just a matter of writing it. This is very important to me, because I know a lot of folks (even some who read this blog) don’t understand what ICSA is or realize its value.
- A response to a research paper regarding the economics of information security (something in which I’ve taken great interest lately)
This is pretty low on the priority list unless I hear otherwise (offline or online).
- A debrief of my sessions at the Institute for Applied Network Security’s New York Metro Information Security Forum
Done! Look here and here.
- Hints (and possibly a formal announcement) of a new service offering from Apex Assurance Group
We’ll be announcing services for purpose-built products for a particular end-user segment that requires a substantial amount of assurance. That’s the only hint we’ll offer until we make things public.
- Hints on a possible major announcement from Apex Assurance Group in mid to late August
A select few folks know about this already. But it’s going to be awesome for our customers, our potential customers, as well as our corporate strategy.
I’m not even going to try to set expectations for August blog topics because we’ll be ten times busier than July.
Day 2 - IANS Forum New York
Sunday, July 23rd, 2006
I’m suffering from one of the worst headcolds I’ve ever had, so I’ll have to keep this short n’ sweet.
The second day of the forum started out with a little improvisation. Our keynote speaker had a car accident and was not able to make it, so we decided to have a faculty panel to discuss various topics related to information security. Overall, I think the discussion went well, and I think it’s worth including this in future forum events (as long as, of course, the delegates think it’s a good idea). We discussed what Microsoft should be doing about security, what keeps us awake at night, what we anticipate/fear in five years, and what new technologies excite us.
Later in the day I led a discussion on assurance/compliance programs in the Federal government and their benefits/issues as they map to the private sector. The audience was comprised of end users/managers in the financial sector, and we had some fantastic conversations about the role of security compliance in organizations.
A financial analyst from Cowen and Company gave a great talk at lunch. He gave an excellent breakdown of the security marketspace and talked about the recent M&A activity. He talked about where he sees the security space going and also addressed fundamentals concepts to employ when selecting a product or solution. Very interesting and eye-opening stuff.
Day 1 - IANS Forum New York
Wednesday, July 19th, 2006
I’m in New York to lead the Security Operations track for the Institute for Applied Network Security’s New York Metro Information Security Forum. In today’s sessions, we discussed some of the most pressing issues that information security professionals face from an executive management perspective. Here were a few of the highlights of what we discussed:
- Where security falls in the organization
- How to address productivity and define success metrics for the infosec team
- How to motivate middle managers and individual contributors
- How to build security into business processes
- How to gain executive recognition and approval for budget, headcount, equipment, etc.
- And many other exciting (and very difficult!) topics
In the interest of the IANS team and the delegates who attend the forum, I won’t go into detail of the sessions. But the discussions were engaging, enlightening, and even entertaining. The attendees included senior managers and CSOs/CISOs from several market segments, including financial, telecommunications, pharmaceutical, education, and others. I enjoy talking to, listening to, and learning from such a diverse set of experienced folks and working with some of the best and most influential people in the information security space.
You’ll see a lot more from Apex Assurance on these subjects in the future…
OpenSSL and FIPS 140-2 - The Sequel
Wednesday, July 19th, 2006
The saga still continues. Apparently the OpenSSL FIPS 140-2 certificate has been reinstated. I have a hard time believing this was just an “oops” on the part of NIST CMVP. Nevertheless, it’s back up there. Hopefully this didn’t cause too much confusion in the end-user community.
OpenSSL and FIPS 140-2
Tuesday, July 18th, 2006
The saga continues. For a while now, the Security Policy for OpenSSL has been marked as “Not Available.” I have been asked literally four times today by different people about the situation and several other times during the past two weeks. It’s worth a blog post, though this post won’t directly answer all the questions.
A colleague sent me this news article, which actually provides little insight.
Here’s my favorite quote:
NIST is not saying why the certificate was removed.
“The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary,” Easter said in his statement.
What about this case? I can go download the entire source code, so what is proprietary? Why isn’t NIST talking about this?
I have heard a lot of different things about the OpenSSL validation from various entities, and I have made a few of my own estimates. I believe there are other factors at play, but I don’t want those rumors to propagate here.
Large Companies Affording CC
Tuesday, July 11th, 2006
Sorry for the recent drought in posts. I told you it was going to be a busy month.
I can’t tell you how many times I’ve heard folks talk about how Common Criteria favors large vendors because they are the only ones who can afford it. Come on… you’ve heard it. You’ve maybe even said it.
I don’t agree with it.
Some background… One of my responsibilities at Cisco Systems was to build a program and a process for evaluating the business case to justify the monetary and resource expense of security certifications (including, of course, Common Criteria). Apex Assurance does some strategy work with a few small vendors, and I can tell you that I think organizations of all sizes feel the pain when it comes to making the commitment.
Budget in a large or small company is usually there; it’s a matter of justifying the need before getting access to it. In a large company, you may be justifying the business case to executive leadership. In a small business, you may be justifying the business case to venture capital groups. Either way, these folks (hopefully) keep close track of P&L and set standards for accountability. And they are balancing the costs with the 1,237 other priorities they have. Money doesn’t grow on trees for any company. If you think it does, then we need to talk about how to run a business.
I’ll give you an example from the large company perspective. I was in charge of delivering the business case justification for a very large evaluation effort at Cisco. Of course, part of that responsibility included the provision of an ROI analysis (partially discussed in this post) and much, much more. I made the pitch up the corporate ladder, and eventually I had 30 minutes to convince two senior execs (Cisco’s SVP/Chief Development Officer and Cisco’s Chief Technology Officer) that this was the right move for the company. For what it’s worth, I was successful and received the corporate commitments I needed (funding, resource allocation, additional headcount, etc.), but that’s not the point. The point is that Cisco wouldn’t just write a check. Nor should they.
As consultants, we count small companies among our customer base. And you know what? It’s almost exactly the same situation.
So how is it done? Hire us and we’ll tell you.
It’s not as simple as going down to Barnes & Noble and picking up a book on business case justification. But don’t believe that larger companies have it easier than smaller companies. Sure, the pockets of the small company may not be as deep, but there is likely more potential upside and less risk. Small companies can and do make it happen. It all comes back to fundamental business principles and clear, effective communication.
Improvement for PIV?
Wednesday, July 5th, 2006
Here is an article discussing some much needed improvements for the PIV program.
Coming in July
Monday, July 3rd, 2006
No long weekend for me. I’m heading overseas for a quick consulting engagement, and I may not have much time to update the blog this week. Here are a few upcoming posts to look forward to in July:
- A moderated, online debate about Common Criteria (referenced in this post)
- A short piece to educate folks on the value of the ICSA certification program
- A response to a research paper regarding the economics of information security (something in which I’ve taken great interest lately)
- A debrief of my sessions at the Institute for Applied Network Security’s New York Metro Information Security Forum
- Hints (and possibly a formal announcement of) a new service offering from Apex Assurance Group
- Hints on a possible major announcement from Apex Assurance Group in mid to late August
Well, these are just a few of the posts I have planned; who knows what else will come up. July is going to be a very busy month, but it should be a good month.
