Cyber Security Defense Failures Due To A Lack Of Project Management Skills

Posted on August 24, 2011 by Joey Hernandez

Having performed assessments on organizations with multi-million dollar budgets and managing projects to the same, I have been able to see a trend. In the beginning I wasn’t quite sure what “it” was and I always focused on believing it was a lack of Policy understanding by Technical people and the lack of technical objectives from Policy writers. I realized stepping back that the problem existed outside the understanding. There continues to be failures in this area and it is no longer a finger pointing game.  For those in the industry long enough you know Cyber Security people for the most  part – are biased. They believe that anything that appears before them having a familiar stench – can be cleaned up “the same way they handled it last time!” This is a falsity, as there is never an exact duplication in dealing with Cyber Security activities.

So what is the fix action – Not Re-creating The Wheel:

Project Management has been around for a while and although Security is a process, you will achieve more success handling it in a projected manner.  There is success in structure, Fluidity is not the same as Flexibility, it is a sign of a lack of professional experience.
I have seen too often smart infrastructure and system administrator types move forward on installation, upgrades, and initiatives with no direction. They don’t know there customer, they don’t know the operational impact, and they don’t have an idea where the requirement began and where it will end.

The reason, they have never formalized the processes. Understanding the risk, will ensure you researched all of the previous. The “Who” in who is going to perform the work is based on who knows the most about something similar – failure.  Funny thing, is the argument is always that the input required for project planning takes too long. Incorrect, recovering from an outage, handling customer complaints, saving face to external agencies & reputation recovery take much more time and are overall more detrimental than stratifying efforts.

Handling incidents is the same. According to ENISA Incident Handling, has been refocused to Incident Management. The organization produced the latest guidance in 2011. In it, the document references frameworks, workflow, and lifecycle – interestingly enough these are commonalities in Project Management Bodies Of Knowledge.  A Security Operations Center assessed in the past would take in tickets from customers and “that ticket” became case law. By this I mean any ticket that came in with a similar feel went straight to the conclusion/recovery stage. Relating it to Project there was no real initiation, planning, execution and the only control came through a ticket management system.  The team also relied heavily on creating metric by review rather than utilizing the systems established metric capabilities.

Turning Cyber Security  Processes into projects will be a difficult sell to many members of a security team, but I believe the long term benefit will better help organizations in SOP creation and moving forward.

I would like to know of incidents where you saw success or failures using this approach.

Posted in Uncategorized | Tagged , , , , , | Leave a comment

Security+ & Certified Information Systems Security Professional CISSP Instructors needed

Posted on January 22, 2011 by Joey Hernandez

The iSCSP is seeking Certified Professionals to instruct the curriculum and Bodies of Knowledge for both the CISSP and Security+ Certifications. iSCSP will provide the course materials to the instructors and assist in support. Instructors must have experience in and must be able to convey knowledge in the following focus areas:

Access Control
Application Development Security
Assessments & Audits
Business Continuity and Disaster Recovery Planning
Cryptography
Information Security Governance and Risk Management
Legal, Regulations, Investigations and Compliance
Network Infrastructure
Operations Security
Organizational Security
Physical (Environmental) Security
Security Architecture and Design
Systems Security
Telecommunications and Network Security

Posted in Uncategorized | 1 Comment

First Annual Cyber Warfare Summit Philippines

Posted on October 20, 2010 by Joey Hernandez

iSCSP is a proud contributor and co-sponsor of the 1st Annual Cyber Warfare Summit,  Mandaluyong City, Philippines, December 10, 2010. The increased threat to the Cyber Commons demands cyber security professionals elevate the thought process and actions taken to mitigate attacks against the enterprise. The summit will provide industry professionals the tools and knowledge required to understand these threats. A few topics covered will include:

  • Cyber Intelligence
  • Forensics Investigation Supporting Cyber Warfare Program
  • Cyber Warfare Capacity of the Philippines
  • Defensive Cyber Warfare Capability and Strategy

More information and registration available @ http://www.cyberwarfaresummitph.com/

Posted in Outreach | Tagged , , | 2 Comments

Cyber Security Training & Professional Development Work Group

Posted on October 16, 2010 by Joey Hernandez

Over the past few weeks Ron Mehring an iSCSP member has been working to create the direction for the CSTPD working group.  This WG will contribute on a quarterly basis or as needed articles, commentary and guidance to the business community, community leadership and other organizations requiring or requesting assistance in these particular areas. The emphasis of the working group would be discuss, develop and harmonize cyber security training practices across international boundaries. This working group will focus on the entire training and development continuum, from the beginner to the seasoned professional. Progression in this WG may generate new direction for the Cyber Security Training & Professional Development Work Group.

We look forward to your participation and any comments regarding this effort.

Posted in Training & Education | Leave a comment

Cyber Patriot: National High School Cyber Defense Competition

Posted on August 23, 2010 by Joey Hernandez

Multiple leaders from the Cyber Security arena in the United States will be reaching out this year to support local Cyber Patriot teams/participants.

CyberPatriot is the National High School Cyber Defense Competition created by the Air Force Association (AFA) to excite, educate, and motivate the next generation of cyber defenders and other science, technology, engineering, and mathematics (STEM) graduates our nation needs.”

If your team requires sponsorship or you would like to support a local team on behalf of iSCSP please contact us. For independent support of a local team: call Jessica Archer, Senior Network analyst UTSA CIAS @210-458-2128

Posted in Outreach | 2 Comments

iPhone Application for Cyber Security Professionals

Posted on August 22, 2010 by Joey Hernandez

Free Click Here

The iSCSP application was built to provide you information, in conjunction with http://iscsp.org, from multiple resources covering the latest standards, developments, research, and thought pieces.

Documents:
In addition the iSCSP application allows you to send the documents through email with a push of a button. Feedback has shown that Professionals can have guidance with them at all time to reference or provide proof of concept. We will work to keep the documents updated based on inputs from YOU the user community. Currently the application contains documents from ISO, NIST, DASD, ITU, CERT, ENISA and others.

Feeds:
We follow the best and the brightest in the industry and will stream to you their ideas, thoughts and conversations concerning Cyber Security, Information Security, Risk Management and Incident Management. We will continue to add to this feed ensuring YOU get the best and most relevant news related to Cyber Security.

Featured:
The iSCSP application provides Professionals with the ability to quickly access additional resources from the areas and topics covered in both the Documents, and Feeds area. This area provides YOU connectivity to Professionals, Organizations, Think Tanks, Businesses, Education Institutes, and other users. We will continue to update this area based on relevance and user input.

The iSCSP application is your resource for the Bodies of Knowledge required for all Professionals.

Posted in Uncategorized | 2 Comments

A different approach

Posted on August 21, 2010 by Joey Hernandez

Most organizations created have agendas around individualistic intent. We do not want to follow that path. In an effort to work together internationally we continue to reach out to members and colleagues from around the globe. Our approach is to deal with the cyber threat from multiple visible angles. We are first raising awareness through relationship and partnership building with organizations such as the International Multilateral Partnership Against Cyber Threat , The Information Security Group of Africa and The Knowledge Transfer Networks Cyber Security Group. We don’t want to say we are international we want to BE international.

Posted in Uncategorized | 2 Comments