Ever feel like a deer-in-the-headlights? This is Preventing Deer In the Headlights. (PDIH)

PDIH TOPIC: Security Engineering – Why don’t we do it?

Is it really that difficult to do systems security engineering? Yes and no. Sorry, but it’s complicated. So is any engineering. We need to build a process, instrument our work to prove it, and explain what the results mean.

Who? What? Where? Why? When? How?

Engineering doesn’t start off looking like engineering; it looks like project management or some form of SDLC. We start by taking inventory. Inventory is a fact-facing process. If your organization is bad at passwords, fine. Now we know. Requirements gathering is another form of inventory. Start from the mission and move down to the end of the last business process, asking: What do they do, and what do they need from us to do it? Notice that none of this uses the word security.

How can we get the mission done so that everyone has no idea we are doing our job?

When you look at your bank account and see that your paycheck has been deposited, did the accounting department make you jump through hoops? Do you know that Janice in accounting had trouble with ADP? Do you care? At the end of the year when bonuses need to be processed… again, they had better be there on time no matter what. Now, if we cut the accounting department and those checks did not flow, I am sure you can see what would happen. If we engineer security properly, it will look effortless.

Now the part that we will talk about in PDIH:

If “Janice in accounting” does not do her job, everyone knows. We in security are different. If we do our job right and evil attacks us, nothing goes wrong and nobody knows. If no one attacks, nothing goes wrong, and nobody knows. How can we prove a negative? We cannot, but we can metricize, or instrument, our effort. And that is the part of security engineering that is more feasible today. Let’s talk about it.

Solution or STEPS

  1. Read NIST SP 800-160
  2. Get management onboard
  3. Execute the plan
  4. Build metrics to claw back money every cycle

Impact on security?

The data is clear. Organizations that plan long-term security are winning and the others are all complaining about how “the bad guys are winning the cybersecurity war.”

This is what we will talk about on Thursday. Come be a part of cybersecurity. Don’t be a deer-in-the-headlights.

Can’t make it?

If you are a past student, you will have access to the recordings.

CPEs – Yesssss!

Most CPE requirements have both a validation step and an auditable requirement. We do both for our past students. Free. You must log in. Use this link ONLY if you are a past student who has been given auditable access. https://www.vmlt.com/mod/url/view.php?id=14166

I hope you attend – it will be fun.

CommercialCISSP starts Saturday, October 27, 2018; please tell your friends! To see other start dates you can go to:
