
rybolov

3 months ago

in A Federal Takeover of Cyber Security? on The Technology Liberation Front
Hi Jim and Tim

The key problem for security is mentioned in the Princeton podcast: there is a shortage of skilled labor and a shortage of people who are cross-trained into having some security skills.

One thing I want to make clear: there is no return on investment for security. Security is a cost, and only in very rare circumstances is there a return on security costs. Instead, good security is cost reduction or loss prevention, an entirely different model.

We do have some industry self-regulation happening. PCI-DSS is a good example.

I do see a disconnect in Jim's article. Forensics do not equal liability, they equal the ability to track down the "real" evildoer, but you still might have an issue of negligence. Negligence is a better model for us to look at when we set public policy.

If you really want to push security in public policy, have a look at the various data breach laws that have been pushed. S.459 comes to mind. http://thomas.loc.gov/cgi-bin/bdquery/z?d110:S495:

4 months ago

in The Key to Open Government is Through Processes, not Products on The Technology Liberation Front
Hi Braden

We get too fixated on products and vendors when we don't know what the specific requirements are. In other words, for as much talk as there is about transparency, nobody knows what it really means so they want to get somebody else to define it for them. The downside is that if you're selling a service or product, you can make the requirements fit exactly what it is you're trying to sell.

Organizational Conflict of Interest.

5 months ago

in Promoting & Upgrading the TLF on The Technology Liberation Front
Hey guys, your twitter stream gives me the same value as your RSS feed. I'll follow you on twitter when you do something different on it that I can't get out of a feed reader. =)

11 months ago

in The Technology Liberation Front » Archive » Internet Habits and the Presidency on The Technology Liberation Front
Hi Sonia

My theory is that the upcoming election is more about generational issues than anything: it's the political power of the Baby Boomers against Generation X and the Millennials. If the time for a changing of the guard is not this election, it definitely will be in 2012.

The interesting thing to me is that both candidates disguise the generational issue with words like "change" or "Internet literacy".

1 year ago

in Lost Laptop Follies, Part 7: NIH Loses Health Records on The Technology Liberation Front
Hmmm, it seems to me that each agency was required in July 2007 by OMB to have a breach notification policy within 120 days. http://www.whitehouse.gov/omb/memoranda/fy2007/...

Also, just so you know, the Government Accountability Office has nothing to do with accountability, they're just the auditors for Congress. It sounds loftier than it really is. =)

1 year ago

in Do you have the “S.I.G.N.S.” of Net / video game addiction? on The Technology Liberation Front
I can stop anytime I want to, I just choose to be like this. No, really. =)

1 year ago

in Sunlight is the Best Disinfectant on The Technology Liberation Front
Hi Jim

Do what they do in Big-4 accounting firms: since you cannot audit a company that you have a financial interest in, they have a database of holdings. It can work 3 ways: you can be notified when a conflict of interest exists, you can disqualify yourself from official business because you have financial interests, and you can remove your financial interests in order to avoid a conflict of interest.

Unfortunately, this carries yet another overhead burden for our bureaucrats. And then there's the practicality of it: everybody has an interest, even when it's an indirect interest (holdings of spouse or other family members).

Point is, there already are useable models out there in the accounting world that we can adopt.

Interesting to note that in refusing to hear the Microsoft/Novell appeal, Justice Roberts abstained from the vote because he is a MS shareholder.

1 year ago

in Which Law Firm Practice Wins - Government Contracts or Privacy? on The Technology Liberation Front
It's the Donald Kerr version of privacy, not the "Dining Cryptographers" version of privacy. =)

1 year ago

in E-Gov Act reauthorization: A new hope for XML? on The Technology Liberation Front
Hi guys

Check out Adam Shostack's thoughts on what good the government can do. You guys are very much in line with each other here.


I think the trick is to have the data behind the data, and that's where xml and other importable data structures come in.

1 year ago

in Why DRM Doesn’t Work on The Technology Liberation Front
Once again, it's not the technology that needs to change, it's the business model. The more that the message gets out, the better we all are in the end.

1 year ago

in The Technology Liberation Front » Archive » Why buy when you can regulate for free? on The Technology Liberation Front
It's all about what we call "switch costs".

For a long time the tech industry has tried to avoid compatibility in order to lock users into their technology. IBM did it (think both mainframe era and the IBM PC), Microsoft sure does it (monopolistic behavior), Cisco does it sometimes (EIGRP), the "last mile" service providers do it (try running your own cable line and it gets cost-prohibitive really quick). Sometimes, the technology is cheaper because of the tight vertical integration, other times it's more expensive because the vendor knows that you can't afford the switch costs.

It also makes sense because as a vendor/contractor, you'll amortize the initial standup costs to average out over a period of time--say, a year. If your customers leave prior to that year, then you lose money on the whole deal.

The only people who want compatibility are users who like low switch costs and vendors who sell infrastructure that has to plug into everything else. Yes, that's the majority of the populace.

1 year ago

in Two Cultures? on The Technology Liberation Front
You're so right it hurts. Although you guys don't talk about my favorite subject of information security management, I'm rapidly becoming one of your fanboys. =)