Details

Written by Dave Nelson

Category: Blog

Created: 29 November 2011

Yesterday at the ISSA chapter meeting here in Des Moines we began with a discussion of mobile devices and how organizations are developing policies around use of personal devices for work purposes.  As expected it ranged from only company devices are allowed for limited functions to any devices is allowed for anything it can access.  We quicly moved into discussions on the impact newer generations of workers, social media, regulations such as HIPAA and mobile devices have on how we approach data security.

One member made the comment that a new CISO was brought in a few years ago to their organization that made a big difference.  This executive had the ability to articulate risk to the other executives in a fashion they understood.  They now have more money to fix issues than they've ever had in the past.  For this organization, pitching the security needs in terms of risk and quality improvement made all the difference.  I've been expousing this philosophy for years and can attest to it's impact.  If you can't articulate the need in a way that ties into the business objectives you're simply rambling.  Helping executives see how security and IT risk management goals tie into the larger organziational goals and you'll find the path is often paved before your very eyes.

If you're in the Des Moines area and intersted in information security, IT risk management and compliance, I'd encourage you to check out the Information Systems Security Association (ISSA) chapter meetings.  We meet monthly in West Des Moines, IA and will be adding web conferencing in the near future for those of you in other areas of the state.  Feel free to contact me or check out the chapter website (http://www.issa-desmoines.org) for more details.

Details

Written by Dave Nelson

Category: Blog

Created: 21 November 2011

I see it time and time again. The guy in front of me grabs his phone and with a quick flick of his thumb pays his bill with a smartphone enabled app like Dwolla. A woman pulls a phone out of her purse and unlocks the door and starts her car using the new GM OnStar app. You know what’s the same about both situations? Neither of them see the need to use a PIN, password or biometric security function on their “phone”.

The arguments are all the same. “It’s just a phone, chill.” “I buy the insurance in case it’s lost or stolen.” “Do you know what a pain it is to enter a PIN just to make a call?” Yeah…I get it. Security is quite a pain. Imagine for a minute you’re sitting at your favorite coffee shop. The phone in your pocket is uncomfortable so you take it out and sit it on the table. 

After a minute you jump up to get another cup of coffee. The phone remains on the table. Would you do this with your checkbook, your debit/credit card? How about your car keys? What about a printed piece of paper with all of your passwords? How many of those are on your phone? What else wouldn’t you leave unattended on the table if it were in its “original or non-virtual” form.

I know security is a pain. As a consultant I have more VPN key fobs, building access cards and other security stuff than most of you. Trust me, I get it…security is not always convenient.  Growing up our parents taught us to protect things like our wallet, keys and other personal items that had value to others. It’s time we stop thinking about the relatively low cost of our smartphone hardware and the irreplaceable cost of some of the data on that smartphone. BTW…Watch out during this holiday buying season. Pickpockets aren’t as interested in your wallet anymore. Your phone has access to way more purchasing power that a couple of $20 dollar bills.

Details

Written by Dave Nelson

Category: Blog

Created: 14 November 2011

I started watching a movie the other day called Erasing David.  It was not autobiographical but it does raise some interesting points.   Could you disappear for 30 days?  A British man decides to test the degree to which he has lost his privacy by attempting to "unplug" from daily life and hiring two private detectives to locate him.  Where can he live, eat, shop?  How does he gain access to information, money and other necessities without compromising his privacy?

I deal with these issues on a daily basis.  How to limit the information that is collected and stored by researchers, marketers, vendors, governments and hackers.  We Americans do not value our privacy enough these days.  We'll gladly give up our email address for a $5 coupon and sometimes even for less.  I'd encourage everyone to spend some time and take inventory of who has what information about you.  Do it for your children too.  Many of the marketing and research companies make their databases available for sale, rent or trade.  What seems like trivial information becomes less trivial once compiled hundreds of times over with other databases.  By the way...Facebook, Google+, LinkedIn and every other social media outlet is a gold mine of personal information.  If you haven't read their privacy practices recently...you should.  I'm not saying don't use them; just use them with the full knowledge of their true cost.