The Advancement of Security - Catalyst Approach

Web/Media 2.0 influence on security

simplified design

intuitive presentation to user

any user has control over presentation

can user data be trusted?

Can it be moderated?

specific elements

tagging, Searching, Sharing/Linking

blogging

audio/podcasting

Video

Wiki

central management

Transparency

single sign on identity across different site

rich content

Security integration with Web/Media 2.0 to protection information

need for frameworks to guide & evaluate security

academic/theoretical models, qualitative methods, quantitative methods

pragmatic methods, COBIT, ITIL, ISM3

share "good practices" for information protection

standards, ISO 27000-series, NISP SP's, RFCs

professional practice guides, GAISP (? defunct ?)

government directives, NIST 800.x series, DoD 8500.x series, DCID 6/3

security/protection of information as a differentiator

business benefits of strong security, doing business safely, understanding the risks, preparing for contingencies, building confidence & trust, enabling business process, supporting business prioritization

Security IS the business

security considered in design (not bolted-on)

formal (security) methods

security training & awareness for design & development professionals

security architecture, not 'security through obscurity'

competent security testing

Skills, tools and experiences needed by professionals

communication

speaking, telling security stories, Presentation Skills

writing, persuasive/motivational writing, copy writing

multimedia, combining written & spoken advice, videos plus briefings, website plus plus

bidirectional, gathering feedback, responding positively, engaging hearts & minds

collaborative clusters, academic, industry, professional bodies, standards development

stewardship

custodianship

governance

selling

influencing the purchaser

closing the deal

marketing

internal, the value of security

external, security as differentiator

networking

establishing & building relationships

bringing people together on common interests

special interest groups

collaborating

problem solving/thinking

non-linear thinking, mind mapping?, hyperlinking

critical

structured/scientific analysis

'open source'

cyncism, caution

seeing downside risks as well as upside opportunities

Training

Other elements to consider or work on

water cooler learning

integrated security practices

people

process

technology

history

remember where we have been

reuse / not reinventing the wheel

risk management

current risks, threats, vulnerabilities, impacts

risk management methodologies, quantitative, qualitative

projected/future risks, trends, emerging issues, political, economic, social, technological, new technologies

security memes

information security elements

confidentiality

integrity

availability

how to measure it?

government regulation/oversight

Gramm-Leach-Bliley Act

Sarbanes-Oxley Act

HIPAA

Privacy Act

Foreign Corrupt Practices Act

FISMA

CLERP9

Directive 95/46/EC

Bill 198 (CSOX)

PIPEDA

DPA (Europe)