IT@Intel Blog : May 2008

Measuring the value of information security programs is difficult and a problem for the entire industry. Come join us for a 3 part series discussing the challenges, how Intel is taking a practical approach, and where the future may take information security metrics.

Last week, Matthew Rosenquist and I discussed why measuring ROSI (return on security investment) is important, and the very difficult challenges in doing so. In this second of the three-part series, we will discuss a practical approach to determining the value of information security initiatives. Joining Matt and me this week from Costa Rica is Enrique Herrera, who will discuss an actual Intel case study.

The show is 30 minutes, starting tomorrow (May 29) at 10:30 PDT. To listen in, go to the OpenPort home page, and a little way down on the left side you'll find the BlogTalk Radio link. Take that link and follow the instructions. You don't need an account to listen or participate in the discussion. If you can't make it live, the recorded sessions will be available there after the show.

See you there!

Return On Security Investment - BlogTalk Radio
Thursday, May 29, 2008
10:30 AM PDT / 1:30 PM EDT
http://communities.intel.com/index.jspa

0 Comments

Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.


Common Sense.
I think the key to fortune cookie advice is ‘common sense' in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.


Here is my Fortune Cookie advice for May:

Two types of victims exist...
Those with something of value, and those who are easy targets.
Therefore: Don't be an easy target, and protect your valuables.


Now if I can just figure out how to stuff these little cookies...


So am I contributing to the problem of oversimplifying security? Or am I reaching out to those who might not take the inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide, and feel free to share your knowledge-nuggets.

1 Comment

Are you considering social networking in your enterprise? Surprise! We are too. We started off the process with certain perceptions about what the application should do and shouldn't do. If you think that your employees (especially the younger ones) want social networking within the enterprise just to have "fun" - think again. If you think it is purely for improving collaboration and productivity - ponder more. How do we know? We did a focus group with employees who are recent college graduates. Here is what we learned.

  • Pulling in an existing external social networking application into the Intel environment is viewed very negatively. Even a "like" experience wasn’t well received. Gen Y'ers use social networking to connect with friends and to share outside-of-work experiences. They don’t want their personal life to become exposed in a work environment.
  • Fun in the work environment is more directly tied to “physical” spaces/experiences and not a social networking application. There was even an allergic reaction to the term “social” as applied to the networking application. Social = their life outside Intel. They said within a business environment it needs to be a professional network.
  • They expect to put a name to a face before they reach out to that person.
  • They want tools that will help them to find relevant and trusted information/people faster. An analogy they used to describe the tool is your school yearbook entry + phone book + management hierarchy.
  • The application needs to be integrated with current destinations and other communication tools. Presence and a unified profile are very important to them. They want the ability to view another employee's profile in our internal Phonebook or email and, within that application, begin an instant message session with them. They explicitly stated that if we create another disparate application, they will not use it.
  • They want the power to personalize. They don't want to be fed the information that an administrator thinks they want; they want to decide what it is they will receive. They prefer "iGoogle"-like personalization.
  • The application must be easy to use and not require a lot of time. Recently, a lot of them are getting turned off by some social networking applications because they are too busy; there is too much noise.

Gen X and Baby Boomers – do you agree with the younger generation? Other IT shops, what are you seeing in your environments? I would like to hear from you. In my next post, I will share with you what some others in our work force said when I posted these results in our blog.

4 Comments

Good security conversations benefit all involved. The more we share, discuss, and challenge each other, the more we advance our industry. Thankfully, I have the benefit of working closely with a brigade of information security professionals and we banter at every opportunity, for the sheer pleasure and insights. In that same spirit, we hosted our first Blog-Talk radio session. This was a general discussion of the problems of measuring security.


http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1430/Blog+Talk+Radio+picture+Tim+and+Matt+May+2008a.jpg

The 30-minute discussion can be replayed here.

Two other internet chats are planned. Everyone is welcome to participate or just listen in. Details can be found here.

1 Comment

Come join us!

The success of a security program is measured by an event that doesn't happen, so how do you know if you were successful? Matt Rosenquist, Intel’s Information Security Strategist will do a three-part series on Blog Talk Radio discussing the difficulties of measuring a security program.

Segment 1: May 20th at 10:30 AM (Pacific): The Problem of Measuring Security Part 1 of 3

Segment 2: May 29th at 10:30 AM (Pacific): Return on Security Investment - Intel Case Study Part 2 of 3

Segment 3: June 4th at 10:30 AM (Pacific): Future State of Security Measurement Part 3 of 3


Our Blog Talk Radio segments are interactive and we will be taking live calls from listeners (Call-in Number: (347) 326-9831) and live chat over the Web.


What are your questions for Matt around security metrics?

2 Comments

Wouldn't it be great if we could buy an application and not have to worry about whether it was designed to run on Windows XP, Windows Vista, Mac OS X or some flavor of Linux?

How about when you buy a personal computer, you don't have to make a decision on whether it should come with Windows XP, Windows Vista, Mac OS X (don't you wish that was a choice today) or some flavor of Linux - or nothing, and you figure it out later?

What if every computer you bought came with a small, highly efficient operating system that basically acted like a virtual machine hypervisor, managing the allocation of resources to virtual machines (or applications)? And by the way, it would be built into the "platform" supplied by the chip vendor, and OEMs would only aggregate components and add value where it counts: tools to better manage the virtual environments, as a peer process and not as a "host" operating system.

This is the world that I would like to see evolve over the next couple of years (okay maybe 5).

Applications are compiled with the operating system extensions (purchased from today's or tomorrow's operating system vendors) and sold as one package that runs on top of the thin, efficient operating system mentioned above. This way we as consumers can worry about selecting applications and functionality, and get out of the business of worrying about which operating system to buy - or which operating system the application will run on. We just buy the application!!! What a concept!!!

A nice extension to this would be the ability to still have a more traditional "container" of applications, for secure, managed interaction between applications and for providing a policy-managed environment. But the applications should still be the same apps I buy to run independently - so how about an install option: standalone, in a "container", or ???

Now that would be cool.

3 Comments

In the summer of 2002 I received a phone call from one of Intel’s senior information security experts, Brian Willis. Brian had just returned from an event in Washington D.C. that he was very excited about. Gartner and the U.S. Naval War College had hosted a three-day seminar-style war game called “Digital Pearl Harbor.” The purpose of the war game was to involve industry for the first time in investigating the possibilities for catastrophic attack of and through the U.S. internet system. They had invited a number of private corporations to participate in this new methodology, and Brian attended as Intel’s representative.

At the time I was working on some risk modeling techniques, so Brian figured I’d be interested in what he had learned. He called and started with, “We have to do this!” He described the event and the possibilities he saw for Intel. The event was very successful and provided much valuable information to the sponsors as defenders, but Brian saw a different aspect. As an “attacker” in the game, he saw how easily and dynamically the attackers in cyberspace were able to build their own systems, business as well as technological, and emphasize their own priorities. The visibility that the game gave into this process came as a bit of a surprise to him and other participants, and Brian recognized how valuable this perspective was to understanding risks facing any defender.

So we decided to stage something similar at Intel, but focusing on the attacker viewpoint rather than the defender's. Although this is somewhat different from a classical war game, we kept the basic process (and the name "war game") to distinguish it from other risk assessment methods. It wasn't easy to come up with our own game. At the time, there was very little about war gaming that wasn't based on military objectives, and it was almost all from the defender's point of view. I even called the U.S. Naval War College; they were very interested and supportive but had little they could share. But through the collective effort of many people, by the summer of 2003 we had put together our own Intel Digital Wargame. The game event itself lasted for two days, and involved nearly every Intel business unit, organized in six cells spread across three U.S. cities. It was wildly successful, beyond our expectations, and all the participants said it was exhausting but also both the most instructive and the most fun event they had attended in a long time.

Since then, we have conducted a number of smaller games and continue to have good success with the process. Along the way we have refined it, although we consider it still very much a work in progress. The paper published here is a detailed description of our current process. If war gaming sounds interesting to you, or you are already doing something similar, I hope this will be of use to you. In any case, I would like to hear of your thoughts or experiences or best practices in this area, as we are always looking to learn and improve.

Wargames: Serious Play that Tests Enterprise Security Assumptions

1 Comment