26 March 2012

VERIZON DBIR 2012 - some context...

The Verizon DBIR 2012 was released last week and I am sure you have seen a lot of blog posts, articles and tweets on the subject... So let me try and put a different perspective on it: many of you will have heard me say that the DBIR is the “gift that keeps on giving”, and yes, it is! But as with every report, statistics and opinions always have to be put into the right context... The conclusions are not surprising, but there are quite a few little nuggets in the report that are worth examining...
To start with, I am glad to see that the analysis now offers some separate insights in relation to SMEs and larger organisations, as some of the issues can be different depending on size. The case load is also bigger this year (855 incidents compared to 761 in 2010) and the number of known compromised records studied was also greater (3.8 million in 2010 compared to 174 million in 2011 - mostly due to the return of the “mega breaches” in 2011 after a relatively quiet 2010).

18 March 2012

THE INFOSEC INVESTMENT EQUATION: CAN YOU SOLVE IT?...

I can’t believe my last post was on 4th March! I am positively thrilled that my most popular entry so far is the one about incident response... This means that we must be coming to terms with the fact that data breaches are a statistical certainty and that how we handle them is what matters. Good news: this means we’ve got the attention we need. Now we need to convert this attention into the investment it requires. External statistics may give you the hook but, as abundant as they are, they do not however make it relevant to your business when you are trying to secure the infosec investment you require...

4 March 2012

MANAGE RISK BEFORE IT DAMAGES YOU: PART TWO...

In the previous post, I spoke about the importance of having an asset register and how crucial asset classification is. After all, not many of us have unlimited resources, therefore focusing investment where it matters most is the way to go. Whilst I was thinking about this, the link between changing the traditional CISO attitude and the necessity for risk management became even more apparent, and I would like to expand on the trinity of “Asset, Technical Services and Business Need”...