The InfoSec Blog

The Truth About Best Practices

Posted by Anton Aylward

An article on Linked entitled "The Truth about Practices" started a discussion thread with some of my colleagues.

The most pertinent comment came from Alan Rocker:

I'm not sure whether to quote "Up the Organisation", ("If you must have a
policy manual, reprint the Ten Commandments"),  or "Catch-22" (about the
nice "tidy bomb pattern" that unfortunately failed to hit the target), in
support of the article.

Industry-wide metrics can nevertheless be useful, though it's fatal to
confuse a speedometer and a motor.

However, not everyone in the group agreed with our skepticism and the observations of the author of the article.
One asked:

And Anton, aren't the controls you advocate so passionately best practices?

NOT. Make that *N*O*T*!*!*!  Even allowing for the lowercase!

"Best practices" is an advertising line of self-aggrandizement invented by the Big Name Accounting Firms when operating in Consulting Mode.

An “11th Domain” book.

Posted by Anton Aylward

http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm

Gary Hinson makes the point here that Rebecca Herold makes elsewhere: awareness training is important.

I go slightly further and think that a key part of a security practitioner's professional knowledge should be about human psychology and sociology, and how behaviour is influenced. I believe we need to know this from two aspects:

First, we need to understand how our principals are influenced by non-technical and non-business matters, the behavioural persuasive techniques used on them (and us) by vendor salesmen and the media. Many workers complain that their managers and their executives seem to go off at a tangent and ignore "the facts". We speak of decisions driven by articles in "glossy airline magazines" and by often distorted cultural myths. "What Would the Captain Do?", or Han Solo or Rambo, might figure more than "What Would Warren Buffett Do?" or "What Does Peter Drucker Say About A Situation Like This?". We can only be thankful that most of the time most managers and executives are more rational than this, but even so ...

The Decline of the Physical Desktop

Posted by Anton Aylward

http://www.eweek.com/c/a/IT-Management/As-Foretold-by-Desktop-Managment-Tools-588370/

What's interesting here is that this isn't preaching "The Cloud" and only mentions VDI in one paragraph (2 in the one-line expanded version).

Also interesting is the real message: "Microsoft has lost it".

Peter Drucker, the management guru, pointed out that the very last buggy-whip manufacturer in the age of automobiles was very efficient in its processes - it *HAD* to be to have survived that long. (One could say the same about sharks!)

"Keeping desktop systems in good working order is still a labour of Sisyphus ..."

Indeed. But Linux desktop and Mac/OSX seem to be avoiding most of the problems that plague Microsoft.

A prediction, however.
The problem with DOS/Windows was that the end user was the admin and could fiddle with everything, including downloading and installing new code. We are moving that self-same problem onto smart-phones and tablets. Android may be based on Linux, but it's the same 'end user in control' model that we had with Windows. It's going to be a malware circus.
