I’ve been a long-time subscriber to SANS newsletters. Most days I have too much to do to really read them, but today, as I was wrapping up the day, I came across this nugget:
-----BEGIN PGP SIGNED MESSAGE-----
A fascinating battle is taking place today in the struggle between those
who recognize the need to move quickly to continuous security monitoring
(of critical controls) and those who are clinging to the now discredited
practice of preparing out-of-date, paper-based reports about security.
A US Office-of-Management-and-Budget-led initiative to improve the
metrics by which agencies assessed cyber threats was 50% successful and
50% hijacked by the report writers. All the federal CISOs were asked
this morning to help shape the metrics. We’ll let you know week by week
how the battle goes. It matters because billions of dollars were thrown
away (according to sworn Congressional testimony) on the discredited
reports. Once the federal government makes the transition to automation,
the defense industrial base, and then the rest of the US critical
infrastructure will shift quickly. And that will radically improve the
job prospects for people who can reduce risk vs. those who just write
TOP OF THE NEWS
–FISMA 2.0 Advances in the US House of Representatives
A bill that transforms FISMA from encouraging paper-pushing to automated
monitoring of security advanced in the House. The bill also calls for
the jobs of the White House Cyber Czar and Chief Technology Officer to
be permanent and subject to Senate Confirmation.
Oh, how I would love to see the day come when Information Security wasn’t dominated by people who can’t do a damn thing to mitigate risk but do a great job talking the talk and writing the copy about it. I cannot count how many times I’ve run into a supposed “expert” who couldn’t even begin to pull apart a packet capture or tell me the difference between a Layer 2 address and a Layer 3 address. It is, as they say, Frustrating.