Archive for September, 2006
IANS - Boston
Monday, September 25th, 2006
Last week I was with IANS in Boston delivering my Security Management sessions and two focus topics: Managing Insider Threats and Security Assurance Management. I love these sessions because I can work with end users and senior managers to talk about real information security issues (and their possible solutions).
My Insider Threat presentation was a lot of fun. The room was packed, and when time was up, we reached one important conclusion: this is a very hard, very overlooked problem.
The Security Management sessions are always interesting and informative. Corporate security programs face several challenges:
- They are a cost center, which often makes attaining budget and resources difficult.
- They face uphill battles, especially in organizations that lack security awareness.
- They are under considerable pressure to address all elements of risk (a problem compounded by the previous two points).
In the future I’ll be blogging more on security from a management perspective. It’s an important, necessary, sometimes unappreciated and always changing field.
Some NIAP CCEVS Policy Fallout
Sunday, September 24th, 2006
I can’t believe some of the garbage I’ve read and heard about this latest CCEVS policy. Here are a few summaries:
- One individual claims to have known about this “months ago”
The real story: Talk is cheap. I doubt even NIAP CCEVS knew about this months ago. What’s this person trying to prove? That’s not the way to build credibility. Offer some solutions! If you’ve known about it that long, then the community expects to see some detailed and thoughtful solutions.
- One company claims to have already shifted their consulting efforts to support evaluation with non-US labs because they anticipated a scenario such as this one.
The real story: no US lab will work with this company, and they were essentially forced to work with non-US labs. But I guess marketing and truth rarely collide.
- One individual claims that NIAP CCEVS implemented this policy to “stick it to the labs”
Puh-lllleeeeeeeaaaaasssssseeeeee.
I am preparing a formal statement on the subject. But in the meantime I’m working with several customers to submit evaluations to NIAP CCEVS ahead of the deadline. Obviously that has priority.
And I’m not worried about NIAP’s increased scrutiny over schedules and evaluation progress for one simple reason:
We don’t miss deadlines.
More to come after we get through the short-term urgency.
New NIAP CCEVS Policy
Sunday, September 17th, 2006
By now, I’m sure most of you in the Common Criteria community are aware of the new CCEVS policy:
Due to fiscal constraints, beginning on October 1, 2006, for FY07, the NIAP CCEVS will only accept Medium and High Robustness PP compliant products in support of National Security customers. Product submissions meeting the above criteria will be queued and validation resources will be allocated as they become available. As a condition of acceptance, detailed letters of intent that identify the intended DoD or IC customer (containing POC name, organizations, email, phone number) will be required.
I don’t have time to blog further on this right now, mainly because I’m helping customers to urgently position themselves against this new policy. We have some very aggressive deadlines, and each one will be met.
Welcome Robin Roberts
Monday, September 11th, 2006
I am very pleased to welcome Robin Roberts to the Apex Assurance team. Robin has over 20 years experience in information security, assurance and information operations as a security architect, program manager, and subject matter expert in the Intelligence Community and IT industry.
Robin will hold the title of Director and will lead engagements for systems assurance, security architecture, strategy, and other areas in government and private industry. She comes from Cisco Systems, where she held several strategic security positions, including Senior Advisor in the Critical Infrastructure Assurance Group and Information Security Architect in the Government Systems Unit / Global Defense & Space Group.
Many readers of this blog know Robin and know the experience, intelligence, cluefullness*, and many other strengths that she brings to the information security space. Robin is a tremendous asset, and she will undoubtedly advance the mission of our existing and future customers. I have known Robin for years, and I am truly looking forward to working with her. It’s going to be awesome.
*Yes, “intelligence” and “cluefullness” are two different characteristics that do overlap, although very rarely.
“Experts” in Security
Thursday, September 7th, 2006
Fred Avolio’s post on experts in security prompted me to finish this post (which I actually started a few weeks ago). Fred added the following to his top reasons why he hates network- and computer-security:
The field is full of pseudo experts who are not really experts or who talk like they are not
I absolutely agree with this point. People are too eager to label themselves as experts, perhaps because they’re trying to justify their place in the world, or they’re just using the term as a marketing toy. In the case of the latter, I’d like to offer this quote from Marcus Ranum:
Whenever someone tells you that there’s a novel, easy, solution to security, it’s either because they don’t understand security or they’re trying to sell you something that isn’t going to work.
How many “experts” have you worked with that have promoted themselves as an easy solution to a problem? And how many times have they actually lived up to that expectation? I worked with a small company to develop a security / risk management strategy, and they showed me a deliverable from a previous “expert” consultant. I have to say, it was one of the sloppiest pieces of work I’ve ever seen.
Fred and I aren’t the only ones who have experienced this problem in the security community. Even NIAP CCEVS addresses the situation regarding Common Criteria consultants in their FAQ:
Q: Is there an accreditation process for consultants?
A: No. Although it is not uncommon for individuals and companies to bill themselves as Common Criteria Experts, there are a relatively small number of consultants who have the expertise that is needed to provide useful assistance during an evaluation.
I’m of the opinion that no one should label themselves an expert. Including the term in your company slogan or putting it on a shirt doesn’t make you an expert. Achieving CISSP doesn’t make you a computer security expert. The title of expert is earned, not self-proclaimed. And Fred is exactly right. There are too many pseudo-experts out there.
Labor Day and ICCC
Monday, September 4th, 2006
Happy Labor Day, everyone. And that’s exactly what it is… a day of labor. Apparently I’m not the only one though!
So many people have asked me about ICCC the last few weeks. Unfortunately, I will not be there. But I will be doing my share of travel that week; I have a customer meeting early in the week and a talk at the end of the week, both of which have been scheduled for quite a while (hence the reason I did not submit a talk). It’s kind of a shame, because parts of the program look quite good.
