One question I get asked repeatedly as a consultant is "What makes your company different?" One of my answers is our approach to information security. Everything we do is based on managing risk from the use of technology. It's sad to say, but even today many security professionals still operate with the FUD (Fear, Uncertainty & Doubt) Factor. At Pratum we pride ourselves on helping organizations deal with the real risk of using information technology to further their business.
Business is all about taking risk. The idea is to do something that has enough risk that it keeps competitors out but where one can manipulate the variables enough to have a high probability of making a profit. In today's world, one of the big variables is technology. How it's utilized in the sales, marketing, design, manufacturing and other stages of a business venture can impact the probability of success.
As a security professional, my job is not to tell a business leader they should or shouldn't use a specific technology. My job is to help them understand the risk that particular technology, used in the proposed fashion, will bring to their organization. As a business leader, they must choose to accept that risk or consider other options that would reduce the risk to acceptable levels. When information security becomes a roadblock to business, that's when the problems start.
So how is Pratum different? We understand our role as an enabler. We provide recommendations to business leaders to help mitigate risk to an acceptable level. Do regulatory compliance, industry best practice and plain old common sense come into play? Certainly. But we also look at what it takes to keep a business running and try to balance this with protecting the business in their technology operations.
I have a lot more to say on this topic so I'll close for now. My next few posts focus on managing the risk that businesses take on when they use technology in their operations. I'm always interested in feedback so drop me a note if you get a chance.
Google is a company but it's also a product. Gmail, YouTube, Google+, Google Earth. They are all Google. Merging your accounts and related information into one global identity for all Google product offerings was going to happen. It had to. There is no way the company could maintain the current system of multiple profiles.
What does this mean for you? It's good if you use lots of Google services and want the advertising on those services to be more targeted to the "holistic" you and not only the part of you that particular service knows. Maybe you only watch comedy clips on YouTube. That's who YouTube assumes you are... a comedy-only person. Having a single expanded profile shows your interest in other areas and allows advertisers to market in a more targeted fashion.
The change, though, is bad if you try to keep some separation in different areas or are trying to limit the sources of consolidated information such as viewing habits, who your friends are, where you work, etc. This is especially true for those organizations which have standardized on Google Apps for their business. It will become much harder to distinguish between a person's business life and personal life. I mean really, are you going to sign out of your work Google account and into your personal account just to watch a couple of videos on your lunch break?
Whether we like it or not, it is getting more difficult to have the professional and personal life separation that was afforded to generations before us. I'm doing everything I can to maintain what little separation I have left. Are you?
Are you a college student majoring in Computer Engineering (CE), Computer Science (CS), Computer Information Systems (CIS), Management Information Systems (MIS), Network Engineering or another computer-related field? Have you taken any classes yet where IT risk management, information security, privacy or regulatory compliance has been the focus? Do you know what SOX, HIPAA, PCI and FISMA are?
If not, you need to. Large portions of your first job out of college could be spent on issues such as writing secure code, designing a network to meet regulatory compliance, implementing two-factor authentication and other security-related duties. Do you feel prepared for this?
I just did some very quick and informal research on undergrad programs in Computer Science at large public research universities across the country. Shockingly, one had an information security course in the core requirements. Even then, it was one of 3 courses in a "pick 2" category, so it wasn't required for graduation.