Roger Halbheer on Security
Unfortunately, we do not see too many women in security – even though there are huge opportunities irrespective of the gender. Over the years, I had the pleasure to work with great women in this business. We will run an event on Thursday, April 28, 2016 at 6.30pm at the Accenture Office in Zurich with…
Dear CEOs, I know that you feel that security is important – something which was not always the case in all the years I am working in the industry. But you changed your mind and this is great. But I know as well that you rarely feel comfortable, when it comes to working with your…
Quite a while ago, I provocatively asked the question, whether Anti-Malware Technology is dead. Back then it caused quite some reaction. Honestly, I still see little value to be added by classical anti-malware products if we would finally be willing, able and ready to use the technology, which is built in today’s operating system. Unfortunately,…
When I look at the recent events and data exfiltration cases, it really looks like we are at the losing end of a battle. It seems to be fairly simple to compromise a network and exfiltrate data nowadays. Now you may claim that you deployed all kinds of cool technology like hardened clients, data loss…
Measuring security is a problem – and not something new. When I look at what we did at Swisscom, we are severely challenged in this area. A lot of companies measure things like incidents etc., metrics which are a complete failure in my opinion. Let’s look at the incident metric for a second. You could…
I am a fan of simple and easy to read policies. I do not think that policies consisting of several thousand documents to any good nor will they be followed.
In this context I found a noteworthy blog post: 5 Tips on Writing Security Policies
Roger
Managers often do not understand the engineers – and engineers do not understand what drives a manager. A typical conflict, which gets worse when we enter the world of agile development methods. Control and processes lose importance, speed and therefore “gut feelings” need more focus. Günter Dück, former CTO of IBM Germany had a very…
One of the key challenges in the every day’s world of a CSO is reporting. How and especially what do we report to the board and how do we make it relevant to the people there? We all know that finance has a fairly clear and standardized reporting scheme as the subject matured over time…
This is kind of interesting: IDC reports endpoint security market is booming, but isn’t antivirus dead? I am still deeply convinced that Anti-Virus by itself does not add a lot of value. You can use better technology to protect against malware (see Is Anti-Virus Technology Dead?). If I see that this market is still predicted…
When I look at the way security is treated in a lot of companies, I see two fundamental challenges: Security is seen as a compliance function only. In other words, security people tend to hide behind policies. This is fairly simple for us, isn’t it? We can take the policy and tell somebody to follow…
Let’s assume for a second, that the content of this article is correct: Google’s backward step on Android app privacy. Then it shows – once more – that Google is a very innovative company with a very limited view on user’s privacy and security. When you look at the new security user experience in the…
A lot has been written about the European court decision and the right to be forgotten. It seems that about 12’000 people now asked Google to get something deleted. There are different aspects now, when we look into this: I guess it would cause a wrong sense of security – well better privacy – if…
To start with the way I look at the answer of the question above: Yes, I think so. Basically, when you talk with people knowing the industry, the classical signature-based approach never even worked. It was able to detect a certain number of viruses, which typically is a just small percentage of what the technology…
It is obvious: Less admin privileges reduces the risk of successful attacks. This is not really news, isn’t it? That this reduces the attack surface dramatically, well, not new either: Time to drop unnecessary admin privileges What I am really wondering: We are all talking about Bring Your Own Device scenarios, where it is to…
I came across this article this morning: 5 Ways Event Log Management Makes You More Secure. The claim there is, that adding 5 additional tasks will make you more secure: Centralized logging makes it possible to review all the logs SIEM is French for “locked down” Event correlation helps you find bad things Search and…
Typically January is the month where we are asked to make predictions on the trends for the New Year. I do not like this as I am an engineer and not a fortune tellerJ. But there are things we know and things we definitely need to drive this year. I would actually put it into…
I am following Shoaib’s blog since quite a while – actually due to the beauty of the Internet, we only met virtually so far . He just posted on his blog: 5 Common Types of Security Professionals I really like this post. The way he categorizes them is: The NO-MASTER The By-The-Book Preacher The Dinosaur…
l am still sitting in the parliament room of the Council of Europe at the celebration event for the Budapest Convention. It was another very good event advancing the challenges fighting Cybercrime. Let me try to summarize a few thoughts: The Budapest Convention is probably the best convention out there allowing a wide adoption of…
This is actually a great speech but very, very, very scary:
and the scariest part is that I never looked at it that way but he is right
Roger
This paper by the Geneva Centre for the Democratic Control of Armed Forces (DCAF) was just brought to my attention. A piece of work, which is definitely worth working through. It lays out the problem space and then does a deep dive into the different sections: Governments Legislative Bodies The Armed Forces Law Enforcement Judges…
