Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘Joseph Menn’

“The Illusion of Due Diligence”: Another Cybersecurity “Must Read”

Tuesday, May 11th, 2010

After finishing Joseph Menn’s book, “Fatal System Error,” a few months ago, I blogged about the book’s value. This is a no-nonsense profile of the world of cybercrime that anyone associated with cybersecurity policy or practice should read. I’ve heard similar things about Richard Clarke’s new book, “Cyberwar,” and am awaiting the shipment of my copy soon.

As far as the list of “must read” books about cybersecurity goes, allow me to submit another entry — “The Illusion of Due Diligence” by my old friend Jeff Bardin. Jeff is a veteran security professional with experience in both the public and private sectors.

Throughout Jeff’’s career, he has been extremely diligent about finding risks, threats, and vulnerabilities and then candidly articulating the details to business managers. In his investigations, Jeff has also uncovered evidence of past breaches that were either never discovered or simply swept under an organizational rug. When approaching senior management, Jeff pulls no punches about problems but also tends to accompany the bad news with a detailed plan for risk reduction.

Jeff’’s book uncovers a sad and serious problem that most security professionals are all too familiar with. Unfortunately, security risk and remediation is often a political hot potato. After hearing about security issues from someone like Jeff, some managers ignore the risks or claim that the problems only apply to IT and not the business. Even worse, other CEOs blame the security staff and then mandate that they keep silent. Still others fudge their compliance reporting.

In his book, “The Illusion of Due Diligence,” Jeff describes this disconnect between security and business management with stories of some of the worst abuses he has seen throughout his career. It’s pretty scary stuff but almost any security professional will tell you it happens all the time.

Hopefully this report from the corporate security trenches will shake some corporate boards and legislators up. With the fragile state of cybersecurity, we should be doing everything we can to protect our digital assets. When pros like Jeff tell the CEO that they have big problems, you’d think they would respond with immediate action but many simply look the other way. In my view, this type of blatant neglect is as bad as a hacker’s criminal intent.

Jeff’s book won’t get the publicity or distribution of Richard Clarke’s and Joseph Menn’s but I believe it is worth digging around, finding a copy, and passing it on to the CEO, CIO, and CISO at your organization. While Clarke and Menn describe a sophisticated foe, Bardin points out that corporate greed, ignorance, and neglect may be the enemy within.

Tags: , , Cyberwar, , Jeff Bardin, , Richard Clarke, The Illusion of Due Diligence
Posted in Uncategorized | 2 Comments »

Cyber ShockWave Illustrates Why the Federal Government Must Lead the Cybersecurity Charge

Friday, March 12th, 2010

Last week, I wrote a blog suggesting that IT professionals and legislators read the new book, “Fatal System Error,” by Joseph Menn. This recommendation was based on my belief that most people don’t understand the scope of sophistication of current cyber threats and that we need more government and private sector action and cooperation immediately.

I received an interesting comment from someone who classified him- or herself as a libertarian. While this person suggested that he or she would read the book, they expressed great apprehension about “big government” getting involved. The fear is that the government will simply turn cybersecurity into a gravy train, spend inordinate amounts of money, and never meet its responsibility or mission objectives.

I certainly share some of this reader’s apprehension and can point to a number of government cybersecurity snafus that have gone nowhere and cost hundreds of millions of dollars. Nevertheless, I continue to believe that the federal government must lead the way. Why? Rather than write down my rationale, I suggest that readers do a bit of digging on a simulated exercise by the Bipartisan Policy Center called “Cyber ShockWave.” You can watch video of the proceedings on .

In this exercise, expert participants simulated a series of sophisticated cyber attacks on the U.S. If real, these attacks would cause massive economic damage while disrupting our daily lives in a big way. Pretty ugly.

In my humble opinion, attacks like these are the cyber equivalent of Hurricane Katrina. Yes, the government can totally screw up as it did with New Orleans and Katrina, but the private sector has no capacity to fill this void. It’s DHS or bust in both cases.

We citizens need to demand that the feds get their collective cybersecurity acts together and also hold legislators accountable for their actions and spending. We need the government to be prepared for an event like Cyber ShockWave and soon–before it actually happens.

Tags: Cyber ShockWave, , ,
Posted in Uncategorized | No Comments »

Fatal System Error: A MUST read for IT professionals, legislators, and law enforcement

Monday, March 8th, 2010

When I left home for the RSA Conference last Monday, I was already aware of the types of cyber threats we are up against. After speaking with security research leaders from Bluecoat, Symantec, and Trend at RSA, I am even more convinced that we are way behind the enemy and need to react quickly before we are completely overwhelmed.

Since one way to drive action is increased cybersecurity visibility and knowledge, I strongly suggest that anyone associated with IT, cybersecurity, privacy, national defense, or law enforcement read the new book, Fatal System Error, by Joseph Menn.

Now I have absolutely no financial interest in this book, nor do I know the author. In other words, I have nothing personal to gain by this recommendation. My goal here is to educate decision makers and the public at large about just how pervasive and sophisticated the cyber threat landscape has become.

Menn’s book demands some level of technical knowledge, but he does a great job of explaining things in a cogent and clear way. The book highlights:

  1. The evolution of the cyber underground. How crimes and the criminal network developed techniques, skills, and attacks over time. The bad guys are evolving exponentially while the good guys’ skills and tools follow a logarithmic curve.
  2. The challenges faced by law enforcement. The Internet opens criminal activity to dispersed adversaries across the globe. Many operate in nation states that have a vested interest in compromising the economic foundation in the west. In other words, we can’t touch most of the bad guys who openly laugh in our faces.
  3. The sophistication of the attacks. The bad guys know who we are, who we trust, and how to exploit us. Think you are protected by law enforcement, banks, and security companies? Think again.

My hope is that those who read this book (author’s note: again, everyone should) become as concerned as I am and demand immediate action. We need things like public awareness campaigns, K through 12 education, information sharing, and global law enforcement agreements, and we need them now. Time is not our ally.

Joseph Menn and those that helped him with this book deserve a lot of credit. I hope it drives immediate action. If it doesn’t, I’ll join Menn in saying, “I told you so” to the industrialized world as we struggle to rebuild our digital economy.

Many, including the DHS, believe that the damage from a cyber attack could be much greater than what we experienced from 9/11. We need to act before it is too late.

Tags: , , ,
Posted in Uncategorized | No Comments »

Search
About ESG | Register | Contact Us | Disclosure Policy | Terms of Use | Privacy Policy
© 2010 Enterprise Strategy Group, Milford, MA 01757 Main: Fax:

Switch to our mobile site