Consciere

Consciere Joins the Microsoft Security Development Lifecycle (SDL) Pro Network

Joel Scambray — Tue, 20 Apr 2010 17:41:03 +0000

Consciere is proud to announce our membership in Microsoft’s SDL Pro Network. For more information, see our SDL Pro page.

The Greatest InfoSec Threat of 2010: Restructuring

Joel Scambray — Thu, 25 Mar 2010 18:08:07 +0000

The industry is again abuzz, this time about the advanced persistent threat (APT) and other “new” sophisticated boogeymen lurking out there on the big bad Internet. Ironically, the greatest threat to the success and continuity of enterprise information security programs that I see strikes much closer to home, and isn’t nearly a sexy: re-orgs.

I can’t count the number of security leaders that I talk to who either are planning, implementing, or just coming out of a re-org, whether self-inflicted or due to upheaval in the ranks above or to the sides. And let’s not even mention the ongoing game of CISO musical chairs that decapitates entire programs and leaves them listless for months on end. I see far more damage to the infosec capability at these businesses from this ongoing restructuring than I ever do from malware outbreaks: management loses confidence and hard-won political capital vanishes, operations and key initiatives get whipsawed by shifting attention, budgets are unpredictable, infrastructure investments wither from lack of care and feeding, morale and cross-group perception ranges from cynical to downright bleak, and a sense of helplessness pervades a practice that is supposed to be enhancing visibility and control over IT.

Certainly, change is inevitable, and some restructuring can of course be good if done thoughtfully to improve clarity of mission, roles and responsibilities, or other fundamentals. But my sense is that we’re changing too much, too often, and it’s disrupting our focus, damaging our credibility and ability to get things accomplished in the long view.

It’s time to adopt a more cross-generational perspective, align around a few fundamental practices that must be sustained for posterity, and keep the eggs incubating in the nest for a little bit longer. Because whatever your opinion about APT, I think most would agree on the “persistent” aspect. What’s your infosec succession plan?

IANS Mid-Atlantic Forum 2010

Joel Scambray — Wed, 17 Mar 2010 23:18:04 +0000

Joel co-moderated the “Security Operations” roundtable track with Marcus Ranum at the IANS Mid-Atlantic Forum in Washington DC on March 16-17. The track included 3 sessions over 2 days on Proactive Threat Management, Use Cases for SIEM, and Best Practices in Response.

INTERFACE Portland Keynote Presentation

Joel Scambray — Tue, 09 Mar 2010 20:45:45 +0000

Joel Scambray presented “Hacking Evolved: The New Cognitive Style of Information Security” at the INTERFACE conference in Portland, OR on March 9. Consciere also had a booth at the conference, and engaged many existing and new clients in the Portland area in discussions of information security trends and initiatives over 3 days surrounding the event.

"Intelligent Vulnerability Management" discussion with IANS

Joel Scambray — Fri, 26 Feb 2010 16:46:06 +0000

Joel Scambray moderated ”Intelligent Vulnerability Management: The Art of Prioritizing Remediation” with Time Warner Cable, RedSeal Systems, and a group of information security leaders via IANS’ Interactive Phone Call series. More art than science, minimizing the expense of remediation requires ruthless prioritization, solid strategy, and proper tools. This recorded discussion addresses each of these factors as it applies to vulnerability management, discussing in detail the implications of specific patch management initiatives, techniques for setting priorities, and the best tools to guide the remediation process. This virtual discussion is ideal for risk, compliance, and security managers, as well as anyone looking for new approaches to reducing excessive security efforts. (Registration required).

Kevin Nassery presented at NANOG 48

Joel Scambray — Tue, 23 Feb 2010 02:07:01 +0000

Kevin Nassery presented ”Network Tapping Architectures” at NANOG 48 in Austin, TX on February 22, 2010.

Kevin Nassery speaking at THOTCON 0×1

Joel Scambray — Sat, 16 Jan 2010 02:02:38 +0000

Kevin Nassery will be talking about next generation network monitoring architectures, covering Data Access Network switches and Hardware Capture cards at THOTCON 0×1.

IANS Pacific Forum

Joel Scambray — Tue, 08 Dec 2009 19:56:24 +0000

Joel Scambray co-moderated the Application and Software Security track at the IANS Pacific Information Security Forum at the JW Marriott in San Francisco December 8-9.

Application Security Fundamentals Whitepaper

Joel Scambray — Tue, 01 Dec 2009 19:26:42 +0000

Orginally published in the online magazines Testing Experience and Security Acts, our Application Security Fundamentals whitepaper is now available here. We welcome your feedback, please send your comments and questions via our Contact Us page.

San Francisco Bay Area InfraGard Presentation

Joel Scambray — Thu, 19 Nov 2009 19:36:55 +0000

Joel Scambray presented “Maximizing the Business Value of Vulnerability Management” at the fall quarter chapter meeting of the San Francisco Bay Area InfraGard. Through the disclosure and examination of real data and lessons learned, and in collaboration with Kip Boyle (CISO at PEMCO Insurance), Joel showed how Consciere partnered with PEMCO to build and execute on a business case for increasing the capabilities of PEMCO Insurance’s existing vulnerability management program. The discussion covered how looking beyond scanning & patching tools, focusing on metrics, and effectively managing the relationship between InfoSec and other key stakeholders are keys to maximizing business value.