
IT@Intel Blog

February 2009

Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking about how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for February:

A worthless metric is one which fails to drive decisions, even when the metric result radically changes.

The world of information security is full of metrics.  Sadly, many are worthless.  A valuable metric is one which drives decisions.  Unfortunately, our industry also persists in publishing metrics which may nicely fill graphs and catch attention with flash, but in the end are meaningless.  The true test is whether the metric can drive change.

One of my favorite metrics to pick on is a graphic which shows the percentage of internet attacks by country.  Provided every year, this metric presentation is visually stunning, usually consisting of a background of the globe with offending countries in vibrant colors.  It is clear, attention grabbing, and even interesting in a sublime way.  Media outlets love the eye candy.  But at the end of the day, the data is meaningless.  It does not really matter where attacks originate.  Organizations would not change their security course if the numbers shifted drastically over time.  The proximity and country of origin simply do not matter.  The number and types of attacks are far more relevant than the division of origin by international borders.

Whenever we are presented with metrics, we must think critically to understand their value.  Don’t get caught up in beautiful graphics or catchy titles.  Challenge everything.  Would you do something differently in your approach to securing your environment if the data changed radically?  If not, then move along, nothing here to see.

Fortune Cookie Security Advice - January 2009

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - May 2008


The security industry has spent an inordinate amount of effort focusing on defense against vulnerabilities.  But there are other opportunities.

Listen to the Audiocast: Targeting the Attacker (4:54 minutes)

The concept of targeting attackers has merit.  It is another path to undermine attacks and may make sense as part of a comprehensive security package.  It is time our industry recognized the potential and put thought into developing such security programs.

In my post Testing Business Value in Social Networking I shared our results of extensive exploration to determine if there is value in adding professional networking for employee use. The exploratory results moved us forward to creating a modular and integrated social framework to consolidate current "islands" of blogs, forums and wikis and add new capabilities such as the people connection that professional networking brings.  We are 1.5 weeks away from launching the first phase of bringing robust social tools in-house to augment and improve the way our employees connect and collaborate today.  I get asked a lot about "Why" we are doing this and the value we believe we will bring to Intel.  I wanted to share with you the reasons.

  • Employees Want to Put a Face to a Name: We are a large (~85k employee) globally dispersed workforce.  Global teams of people work together, but in many cases wouldn't recognize a team member if they passed them on the street.
  • Too much time is lost to find people & information to do your job:  The average Intel employee dumps one day a week trying to find people with the experience & expertise plus the relevant information to do their job. We have calculated some of the $$ impact due to lost productivity & opportunity.  Let me just say that it is motivating us to take action.
  • Getting work done effectively in globally dispersed teams is challenging: There is usually a window of 2 hours a day that team members can communicate real-time with each other.  Work in progress collaboration is often done in email, passing back and forth edited presentation decks and crossing discussion wires. Task hand-offs from one team leaving work and another entering are very rough.
  • New hires want to have a way to integrate into Intel faster: This isn't a generational thing.  Think back to your first day at your company.  How did you learn about the company?  How did you put a name to a face or discover who you needed to connect with?  Did you feel isolated and lost?  I bet you answered yes to most or all.  It's a fact that if you can improve the integration experience you will get faster engagement, happier workers and quicker delivery of solid results.
  • Restructuring and employee redeployment impacts Organizational Health: The last two years Intel has spent restructuring and reducing our workforce. With the current economic conditions, now all companies are faced with and embarking upon the same venture.  This leaves employees feeling disconnected, isolated and disengaged.  We are finding value in providing opportunities for Intel to feel small, give employees a voice and build a sense of community.
  • We reinvent the wheel over and over again: Need I say more?  Stovepipes and silos breed redundancy.
  • We learn more via on-the-job training than we do in a classroom:  Providing employees opportunities to share their knowledge and their expertise allows other employees to organically discover information to help them do their jobs.  Your organization becomes a learning organization with "wisdom of crowds" at its core.
  • We need to deliver radical innovation in a mature company:  It is challenging for mature companies, like Intel, to find a parallel innovation vein to the current incremental innovation. However, it is essential in order to power future growth.  In Judy Estrin's book "Closing the Innovation Gap:  Reigniting the Spark of Creativity in a Global Economy", she states the five core values of innovation are questioning, risk taking, openness, patience and trust. Intel has these values at our core but organizational stovepipes get in the way of ideas.  Social tools can unleash those ideas.
  • When the mature workforce starts to retire, they carry knowledge out the door:  Have you thought about the bottom line impact that the large number of retiring baby boomers will have on your company? Or better yet, our economic future?  Transferring tacit knowledge is imperative.  To date, there aren't any solid tools to effectively extract tacit knowledge.  Social tools show real promise. See These Knowledge Boots are Made for Walking.

I'll keep you posted as we robustly launch and capture the success stories.  We believe these tools have the potential to be transformational.  This isn't our mother or father's information workplace any longer.


If you read the 2007 and 2008 Intel IT Annual Performance Report, you will see a few sections describing the contributions we were able to provide towards effective software application inventory control.

In 2007, some of the quotables are:

"To prevent our application environment from becoming highly complex and inflexible, Intel IT established an end-of-life program to remove outdated and redundant applications."


We had quite a few items which were ripe for picking. Our goals were easy to achieve, and through the implementation of some simple algorithms comparing usage, cost and other parameters, we were able to identify our low-hanging fruit.


As explained in previous posts, we created a software application in order to capture and maintain our software metadata. The architecture, development and maintenance of this solution keeps me busy on a day-to-day basis.

Our goals for 2007 were achieved.

In 2007, IT and its partners EOLed 468 applications, exceeding our goal of a 15 percent annual reduction. The estimated net present value savings from EOLing these applications is USD 66 million.


One of our largest wins was the removal of the older data warehouses.

As we moved into 2008 our cost savings continued. We expanded the metadata captured and pulled some existing functionality into the solution in order to remove redundant capabilities across the enterprise.

We are continuing our initiative to significantly reduce costs by retiring applications that are outdated or no longer needed. This work began in 2007, when we identified that many of these applications still consumed platform or maintenance resources. We now have an ambitious plan to reduce IT-owned applications by 50%, from about 1,500 to 800, over four years.

As we increased our scope beyond IT, our real installation base was closer to 3,000 applications due to the custom solutions needed to support our factory operations and tools. We continue to save money and get closer and closer to our goal every day.

By the third quarter 2008, we had reduced the number of applications by 37 percent since the start of the program. Based on progress to date, we expect to achieve our 50 percent target by the third quarter of 2009, more than a year ahead of the original schedule. We expect that retiring applications will result in a NPV of more than USD 50 million.

We are definitely on track. At the end of 2008 we met (and actually exceeded) our goals.
Every day it is becoming more difficult to find the solutions no longer needed and the resources to help remove them from the environment.

Two of our biggest wins for 2008 were the removal of the mainframe from the environment and the inclusion of e-Discovery information into our inventory solution.


What advice can I give you?

  • Be specific with your goals.
  • Hold people accountable.
  • Do the inventory early and often.
  • Know when you reach a goal and celebrate it!
  • Be vigilant not to simply add more software once you remove the old. Net-zero inventory is not a reduction.

The economic environment is obviously consuming all of our attention.  No one is sheltered from the unprecedented and unpredictable times.  However, facing this environment, we know one thing: companies are relying on their IT groups to increase corporate competitiveness.  These times create an opportunity for the IT organization to shine and deliver business value and a financial return.  In this podcast, I talk about what Intel IT is doing in the face of the current economic environment.  We are extremely focused on programs that increase employee productivity.  These programs range from refreshing our mobile clients for added compute performance, to driving collaboration solutions through social computing and video conferencing capabilities.  Additionally, we cannot slow the momentum of our IT efficiency programs.  We must continue to drive down the cost of running IT.

I hope you find this video pertinent and I encourage you to respond and share your ideas on how IT can drive increased company-wide competitiveness during these tough times.

Thank you,

Diane Bryant, Intel CIO

Let's Jam!

Posted by Heath Buckmaster Feb 9, 2009

*** Originally posted on the IT @ Intel blog in 2007. Bringing it over to Communities site for the benefit of those who are developing professional communities of their own. ***

Last time I talked about how we were building communities within IT, more specifically, how I had built a technical community by using various social media tools like blogs, wikis, and forums.

Near the end of the article I mentioned that we were about to try something different - a Web Jam. This concept is not new, and is something that IBM has been doing for years, but we wanted to see if it was something we could do at Intel.

Even here, it’s not completely brand new - our Sales and Marketing Group had already done two web jams for the entire organization, with great success - so I wanted to see if we could do it at a community level. I had excellent help from Jeff Moriarty (another corporate blogger), and our other partner in crime, Barbara McAllister. We put together tons of communications and we facilitated the jam November 13-15. (Note that as of this current reposting, we have now done jams at multiple levels of the company, including an IT-wide web jam at the end of 2008.)

Here are some of the actions, results, interesting learnings, and thoughts for next time.

Pre-Work

  • Heavy communications on the blogs, forums, newsletters, and email distribution lists. We made sure our reach was as broad as possible, even having an article posted on our employee intranet home-page, and a jam home page on the wiki. We wanted people to participate even if they were not formal members of the technical community.
  • Created the forum shell. The web jam exists on the forum environment, so we created a new “Web Jam” forum, seeded it with some questions/topics, and then left it inactive until we were ready to start the jam.
  • Created a kickoff announcement. I made a 5 minute audio announcement and one-slide presentation that I replayed over and over again during the first hour of the jam. That allowed people to call into the audio meeting at any time during the hour and hear the message.
  • Enlist a sponsor/senior manager who will commit to participation - the more, the better.
  • Develop a short list of Goals for the Jam. No more than 2-3 things you want to get out of the session, and make sure people know about them.

Running the Jam

  • Do not get frustrated if participation starts out slowly. Encourage where you can, and pre-stock the forum with a few questions to get the discussion going. It will pick up.
  • Don’t try to run a jam for a small group of people. You need size to be effective for a jam. The collective wisdom of hundreds of people will get broader and deeper discussion on the topics that you’re interested in.
  • Make sure you have the senior manager / sponsor actively participating. It’s not enough to sponsor, they have to add questions, answer questions, and encourage usage.
  • Make sure questions don’t sit unanswered. If people start to see a question is being ignored, they will be hesitant to ask more. Find someone who can answer it and send them an offline email pointing them to the forum to answer.
  • Keep it going around the clock. Make sure participants from all geographies are participating - but remember there may be cultural barriers to this type of public question/answer.
  • Keep the communications going during the jam. We did ours for 48 hours, and it’s important to use your distribution lists to keep people interested and engaged the whole time. Summarize interesting messages from each day to show you are actively reading.
  • Wrap it up well. Warn people when the Jam is about to close - set a deadline for getting their questions posted so people have time to answer before you lock it down.
  • Lock it down. Once the jam period is over, stop new posts. You need to be able to look at metrics from the session and if people are still posting, the integrity can be harmed. Take the forum offline temporarily and let people know that it will be back in read-only status once you pull your reports.

Post-Jam


  • Run your reports fast, and get the forum back online in read-only format. This way, people can look through the discussion if they could not keep up with it during the jam, and if there are interesting topics left open, they can start new discussions in your normal forums, or contact people directly with questions.
  • Run reports on views, posts, users, comments, anything you can depending upon what your forum environment provides. If you don’t have access to do it yourself, make sure you are working with an administrator to do it for you. This data will be valuable for your report-out.
  • Build a summary - highlight the most viewed posts/topics, and recognize the most visible users.
  • Create a post-jam survey. Make sure people have an opportunity to provide feedback on the value they received from participation - and what they would like to see changed for the next time.
  • Measure yourself against your goals. Did you achieve what you wanted to achieve? Were there any barriers? How will you solve those for the next time?

Some of our results

  • Total Topics Posted: 35
  • Total Comments across all topics: 219
  • Active Participants (posted at least 1 item): 74 (of ~330 target)
  • Approximate Total Views: 6296
  • Average Views per Topic: 251
  • 52% Actively Participated, 43% only Viewed, remainder did not participate
  • Geo Participation: 94% Americas, 2% Asia Pacific, 4% Europe and Middle East
  • 98% of participants felt it was worth their time and 96% said they would participate again
  • Reasons for not actively participating: Inability to post anonymously, concerns about using a public forum to ask questions, concerns about possible impact to career and job security, concerned about whether answers would be honest

What people found to be most valuable from their participation


  • Sense of team
  • Ability to have discussions about concerns, and a chance to ask questions to senior managers
  • Realization that management is out of touch
  • Like the hard questions being asked and the honesty of the answers
  • Seeing dialogue on priorities, roadmap, senior management insight
  • Helped create positive energy within disparate teams
  • Great place to ask technical questions and get detailed answers
  • Creates documented responses from senior managers and technical representatives
  • Watching senior management address very tough questions in a public forum

What do people want to see changed for next time?


  • Make sure unanswered questions get answers
  • People want to see more involvement from all levels of management
  • Create an opens list from the previous Jam, and use that to start the next one
  • Be able to post anonymously - this may be a limitation of your forum environment
  • Kickoff should come from senior sponsor
  • Make it very easy for people to find links to the forum and how to get help
  • Use the jam to let people get to know each other - post job titles, locations, background, experience - use it for social networking
  • Publish FAQs based on the learnings from the Jam
  • Use podcast (video) technology to create a summary message from the senior sponsor about their evaluation of the jam
  • Recognize the most active participants

So what are we doing now? Coming off a very successful IT-wide jam at the end of 2008, we're wondering how soon it will be before we follow in the footsteps of IBM for a company-wide jam. It's not unheard of, and it's not unmanageable, but it's harder to focus on a small number of topics when you have a potential audience of 80,000+ people. We'll see where it goes, but for now doing these at the division and department, and even program level, is delivering great value to our teams - in fact I'm setting up a finance department web jam for later next week.


If you have any questions about the process or want more detail, please add a comment and I’ll try to provide it!
Cheers!


*** This post was originally published in 2007 on the old IT @ Intel blog - I am reposting it for the benefit of this new community site, with some updates to bring it up to date. ***

Back at the beginning of 2007, the managers of my organization had a dilemma and they needed someone to help solve it. Now, I’ve got 13-16 direct reports which is already a full time job, but their need was something I found pretty interesting, and since I have a passion for social media it seemed right up my alley.

Here was their problem - how could they help a group of developers in another country learn everything that our US resources knew about an enterprise software we’ve been using for over a decade? Keep in mind, these US resources had stayed mostly static for the last 10+ years…the people who implemented it are the same people who engineer it today. They have significant “tribal knowledge”, and are intimately familiar with how we have configured and modified the software through the years to adapt to changing business needs.

But the new teams in other countries did not. Not only were many of them new to the technology, but they had no idea what we’d done over the last ten years, or why we’d done it in the first place. So I was chartered to go off and “build a community“…and that’s what I did.

Here’s where we are today, then I’ll tell you how we got there (keeping in mind that we still have more work to do)…

Today

  • Over 500 people on the community email list, with participation from senior managers, first line managers, project/program managers, analysts, developers, customer support, infrastructure teams, and business reps.
  • Monthly newsletters with technical and business topics, including featured articles on external blogs and forums (meetings and the newsletter are the top value areas rated by community members)
  • A wiki-based knowledge center of technical content about product features, projects, infrastructures, “tribal knowledge”, etc.
  • 11 discussion forums, an online calendar of events, and fully archived meeting and training materials (including video replays)
  • Weekly video podcasts presenting updates on major program and project status
  • Technical and Business related blogs, presented by community leaders and guest bloggers
  • 40+ technical training brown-bags, quarterly “Town Hall” meetings for the entire community (meeting attendance averages 10% - with many meetings repeated off-hours to accommodate geographical attendance)
  • Quarterly community health surveys to identify areas of improvement and gather ideas from the group
  • All that came from 8-10 different sites across multiple countries, who used to only talk to each other if they happened to be on a project together - and even then, only when time zones overlapped (which in many cases they don’t), or if someone worked early mornings or late evenings.

All of that started from no common distribution list, no newsletter, no blog, no consolidated wiki (only a few scattered pages), no forums, no global community.

So here’s how we built it…

First, I created a global distribution list. I needed a way to get the word out that we wanted to build a community, and I wanted a mechanism to have ongoing communications with whomever wanted to sign up. It’s a voluntary community, and people can opt-in and opt-out just by sending an email. I scoured some existing distribution lists and org charts, then came up with my first target audience. They received an email blast from me explaining that we were creating a community and I wanted them to be a part of it.

Out of that initial blast to about 40-50 people, exactly one person declined. Everyone else was ready to go and wanted to sign up right away. The distribution list grew over time - people forwarded it to their friends who were interested, and people even saw posters in the hallway telling them about the community (I was using every communication medium at my disposal from posters, to personal blogs to word of mouth). For about six months, I was getting sign-ups almost every business day.

Next it was time to build a “portal”. I wanted a single website that I could send everyone to that would give them access to all community offerings. This was built on the wiki. I started to consolidate a bunch of existing material, then created one main jumping page that listed everything we had to offer. I created a quick and easy to remember URL alias (using an internal system that does things like tinyurl), and started sending people to the page.

After the wiki started, it was time for discussion forums. I selected a few topic areas, created the forums on our internal systems, and added that to the portal page. Pretty soon, people were posting technical and business related questions, and eventually, people started answering. Now, I will tell you that I sometimes have to track people down to answer the questions that sit for a few days without a response. I don’t have to do that too often though, because now people are subscribing to alerts and if they see something new that they want to talk about, they usually do.

Four months went by and I thought it might be time to see how the community was doing - in the form of a “health survey”. So I created a survey of about 10 questions and sent it out to the list (which was around 200 at the time) - I even offered one lucky respondent the chance to win a $10 gift card. The responses indicated that we were on-track, but could do more. People wanted to see podcasts! So in less than a week, we kicked off our first video podcasts with topics about major program status. The podcast continues, and is produced by two of my peers, and they have enjoyed great feedback on the content and quality. Instant turnaround on the survey.

I continued the monthly scheduling and facilitation of technical and business brown-bag discussions, and then kicked off a quarterly Town Hall meeting for the entire community. These meetings gave members an opportunity to hear about community metrics, updates from senior managers about important programs, or other events of interest. The mailing list steadily grew toward 300, and new people began authoring pages in the wiki and participating in forums.

Soon it was time for the next health survey (September 2007). This time around, people wanted to see technical blog posts…in less than a week we published the first, and now we have guest bloggers who have stepped up to provide discussions of a more technical nature.

That brings us to the end of 2007…and we launched the next exciting offering from the community - the Web Jam. It’s not a group of people getting together to make holiday fruit puree - it’s a 2 day event, housed in our forum environment, to get people talking about technology and interacting with each other. With sponsorship from senior management (and not just sponsorship - committed active participation), we have discussions that are community driven about any topic they can think of. There are people out there who question what we’re doing, and we want to hear from them and give people a chance to respond. We have technical resources who want to gather BKMs from peers in other countries - so they will start that conversation going.

In two days we gathered an insane amount of feedback about what concerns people, what interests people, and what they want to see next. It’s going to be pretty exciting to see what happens next (more about the web jam in a subsequent blog post).

2008 was a continued flurry of activity, with even more technical brown bags, web jams, project video contests, community logo contests, and more. We built off a wildly successful start into the largest professional networking community at the company, and we've still only just begun. In 2009 we're kicking off a technical mentoring program and a leadership/steering committee. Upward and onward!

So that is the story of how one person kicked off a global community, then signed up more and more people to continue the creation.

But it’s never that simple is it?

Here’s the big challenge…and I don’t have an answer for you yet on this one… How do you make the move from awareness to participation? In other words, if you’ve got thousands of people reading your content every day, how do you get those thousands of people to actually reply to, change, or add to your content? How do you get more people to create pages on a wiki, or add/answer questions in a forum? How do you turn visibility into action?

That’s where I’m focusing now. And if it’s a journey you want to hear about - let me know in the comments!

- Heath

P.S. if you haven’t already seen this amazing video about social media / communities / Web 2.0, it’s a great introduction to where information exchange is headed… http://www.youtube.com/watch?v=NLlGopyXT_g


I was heading to bed the other night and pulled out my iPhone for a bit of application spelunking. I hit Facebook and updated my status, opened Twitterific and posted my 140 characters of content, flipped over to Yelp to see if anyone had rated my latest restaurant review, checked AroundMe to see if any new places showed up, checked my elevation and long/lat in GPS Tracker, then finally played a word game or two and went to bed.

In less than 5 minutes I had provided personal information into not even 1% of the potential applications out there that consume something “Heath”. Whether it was incidental detail about what I’d had for dinner, or GPS positioning centered on my bedroom, or a record of restaurants that I frequent, there was a bunch of stuff out there that could be used for mischievous purposes.

Now, I don’t have any problem telling people that Hana Tsubaki is my favourite sushi place, or that I ate a bowl of low fat Wheat Thins last night while watching American Idol – these are rather inconsequential things about me. But what if I had posted that I was going away to Bodega Bay for the weekend, or that I had accidentally left my credit card and sunglasses at El Fiesta Mexicana at lunch? That information could be used by someone to show up at my house knowing I’m not there, or to go impersonate me at the restaurant and grab my credit card.

Granted, we hope to live in a world where private information isn’t misused, but let’s get real – how many weeks go by before we hear about another stolen laptop with millions of people’s SSNs or other personal information on it? That’s a blatant security situation, but what about the billions of bytes of data that people share on their blogs, websites, twitters, Facebook or myspace accounts, and pretty much anywhere else they interact online?

It seems like people are sharing a lot more information these days than they used to. And I mean things that you wouldn’t even hear in a verbal conversation. Do I really need to know that you have athlete’s foot going on between two of your toes? Probably not – but guess what, I blogged about that very topic not long ago. What are the “new” personal boundaries with all this social media and “living online” stuff? I'm not sure there are any!

I don’t need to know if my coworkers are circumcised or not, but in a recent discussion on our internal diversity forums that topic came up in the Parents Network. Perfectly appropriate conversation in the context of that employee group, but some pretty personal information being shared.

Where do you draw the line? At what point do you say "I don’t think anyone needs to know where I am and what I’m doing every moment of the day"? Do you really want someone following your GPS map online, or do you want them to just call you up and say “Hey where are you?” Is it ok for us to not know every move you make?

So I’m on a charge to reclaim some of that personal privacy for myself, right after I open this pack of Orbit raspberry mint gum and enjoy this delicious diet Pepsi while sitting in my office in Folsom and awaiting 6:30pm when I’ll be at Hana Tsubaki drinking sake and enjoying some fresh unagi after which I’ll head back to my house and update Facebook, myspace and Twitter about what I’ve just done.

* I use a lot of company and product names, and they are all trademarks and/or copyrights of their respective companies. All credit goes to them.


Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking about how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for January:

Insider threats will always outpace external threats.

Insiders, those people you trust at some level, represent a significantly greater risk than outsiders.  External threats may have a numerical advantage, but insiders have the access to cause staggering losses.  They possess the permissions, system and process knowledge, authority, and visibility into critical systems and valuable resources, and can more easily circumvent existing behavioral controls.  Overall, insiders are tougher to detect, investigate, interdict, and prosecute.  Security organizations may inadvertently reinforce this disproportional risk by focusing on thwarting external threats, leaving insiders more latitude to conduct undesired activities.

It is a frustrating problem for security to address.  There are complex political, business, technical, legal, and behavioral aspects which plague efforts.  Due to their nature, insiders have an advantage, can be stealthier, and are easily overlooked.  Security organizations may discount this slippery threat or lose sight of this aspect and exclusively focus on noisier external threats.  I believe insiders represent the greatest challenge in the security industry.

Every security organization should purposely put in mechanisms to keep the ‘insider threat’ in the equation.  Regularly talk about it.  Do an annual risk assessment for senior staff.  If it makes sense, launch projects to manage the risk.  Anything!  Just don’t let it slip from memory.  Don’t overlook the risks.  The challenge is tough and may appear insurmountable, but that is not just cause to ignore the problem.  This is a battle worthy of fighting.

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - May 2008
