ProjectVRM,
My apologies, it's my first post. In addition to projectVRM, I subscribe to the CISSP (Certified Information Systems Security Professional) list. Today's CISSP digest tied in with the latest projectVRM email and gave an interesting perspective on the pull of consumer consideration and quality from the security professional's perspective.
The discussion below illustrates how Sony's apparent favor of compliance over quality turns off the security professional, and their wallets.
The term "Security" in this context equates with quality.
I hope you find it interesting.
Karen
Sent from my iPhone
Begin forwarded message:
From:
Date: September 9, 2011 8:56:16 AM EDT
To:
Subject: [cisspforum] Digest Number 8476
Messages
________________________________________________________________________
1a. Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "Anton Aylward" infosecaja
Date: Thu Sep 8, 2011 6:20 am ((PDT))
http://www.eweek.com/c/a/Security/Sony-Names-ExDHS-Director-to-Oversee-Security-Strategy-729811/
<quote>
Philip Reitinger, former director of the United States National Cyber-Security Center, a division of the Department of Homeland Security, will be joining Sony as a chief information security officer, Sony said Sept. 6.
The appointment is effective immediately and Reitinger will become a senior vice-president, reporting directly to general counsel Nicole Seligman, according to Sony.
</quote>
That Reitinger (not Ratzinger) is reporting to the general counsel rather than someone in IT Operations says volumes about the stance Sony is taking.
--
Amateurs hack systems, professionals hack people
-- Bruce Schneier
Messages in this topic (15)
________________________________________________________________________
1b. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "Dain Perkins" dain_perkins
Date: Thu Sep 8, 2011 6:31 am ((PDT))
"so legally speaking, exactly how lax can we continue to be?"
/d
________________________________________________________________________
1c. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "Javed Ikbal" javed_ikbal
Date: Thu Sep 8, 2011 7:53 am ((PDT))
Placing the CISO under someone in IT operations isn't ideal either.
Been there, done the standing in front of rushing trains bit, and it gets tiring really quickly. By the time I sorted things out to make sure there were no more rushing trains without me knowing about them first, I was burned out.
If Reitinger reported to the CEO/COO, or the board, now that would have made a statement.
Other than that, I do agree that working for the general counsel is a bit iffy. During my days running a consulting company, I had one pre-engagement meeting where it was explained to me that we will be hired by the company's outside counsel, and any of our findings will be protected attorney-client privileged information.
That set the alarm bells ringing and I politely declined.
Hope that is not what's going on at Sony.
Javed
________________________________________________________________________
1d. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "Jack Holleran"
Date: Thu Sep 8, 2011 8:34 am ((PDT))
I would think CISO is about compliance and corporate lawyer is about compliance (among other duties).
I wonder if Sony has a CIO which would have been another logical place for the CISO to report.
A CEO/COO might not know what to do with a CISO and when told what the duties should be thought that the legal department would be a good home for the CISO role.
Jack

-----Original Message-----
From: On behalf of Jack Holleran
Sent: Thursday 8 September 2011 17:34
> I would think CISO is about compliance and corporate lawyer is about
> compliance (among other duties).
Well, in Sony's case, compliance isn't enough, I'd say.
--------
Frank Laurijssens
________________________________________________________________________
1f. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "Javed Ikbal" javed_ikbal
Date: Thu Sep 8, 2011 9:07 am ((PDT))
I beg to differ. Compliance != Security. There are hundreds of entities 'compliant' with various security standards that get breached.
A CISO needs to do more than be compliant with some checklist standard.
Just to cite one example, it is much easier to make the enterprise move to SFTP instead of the current FTP when the CISO is a peer of the CIO or CTO (both report to the same person) instead of the CISO being subordinate to the CIO/CTO.
________________________________________________________________________
1g. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "David C Frier" dcf_cissp
Date: Thu Sep 8, 2011 9:22 am ((PDT))
On Thu, Sep 8, 2011 at 12:06 PM, Javed Ikbal wrote:
> I beg to differ. Compliance != Security. There are hundreds of entities
> 'compliant' with various security standards that get breached.
> A CISO needs to do more than be compliant with some checklist standard.
Jack didn't say compliance == security, I think what he meant to say was: at Sony, a CISO will be about compliance. Really different.
--
--David Frier
________________________________________________________________________
1h. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "Michael Kaishar" kaishar
Date: Thu Sep 8, 2011 9:37 am ((PDT))
CISO should fall under risk management. Under risk management you would be able to implement sound security through a cost benefit analysis. You don't want to go overboard spending gobs of money on solutions that might not work. All you can really do is perform due diligence in protecting company assets. It's impossible to foresee everything.
> A CISO needs to do more than be compliant with some checklist standard.
> Jack didn't say compliance == security, I think what he meant to say was: at
> Sony, a CISO will be about compliance. Really different.
Indeed.
Not operations.
Not customer satisfaction.
Compliance as reporting to the general counsel isn't going to be about IT security. "Security as PR" or "Security as CYA" possibly.
--
Feynman's Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.
Comment: An entertaining example of this common phenomenon can be found in 'Surely You are Joking, Mr. Feynman!', published by W.W. Norton, 1997. During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy).
________________________________________________________________________
1j. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "Anton Aylward" infosecaja
Date: Thu Sep 8, 2011 9:51 am ((PDT))
Michael Kaishar said the following on 09/08/2011 12:37 PM:
> CISO should fall under risk management. Under risk management you would be
> able to implement sound security through a cost benefit analysis. You don't
> want to go overboard spending gobs of money on solutions that might not
> work. All you can really do is perform due diligence in protecting company
> assets. It's impossible to foresee everything.
True, but beside the point.
The problem that Sony faced was more to do with arrogance and disdain for their customers than trying to foresee everything. Don't forget the rootkit incident.
There are measures, as Donn Parker keeps pointing out, that we should consider 'baseline'. Using firewalls; encrypting passwords, making backups; .. the list is not extensive. There really is no point in doing a RA or BI or CBA and deal with all the if-but-maybe unbounded sets that make up threats and vulnerabilities if you don't have the baseline in place. You can dress up the baseline by calling it 'diligence' if you want, but that doesn't change the fact that basic security and basic business (i.e. caring about your customers) should be starting points and not the result of 'incident management'.
--
Leadership should be born out of the understanding of the needs of those who would be affected by it.
- Marian Anderson
________________________________________________________________________
1k. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "David C Frier" dcf_cissp
Date: Thu Sep 8, 2011 10:03 am ((PDT))
On Thu, Sep 8, 2011 at 12:41 PM, Anton Aylward wrote:
> Compliance as reporting to the general counsel isn't going to be about
> IT security. "Security as PR" or "Security as CYA" possibly.
Exactly. My distinct impression is that Sony doesn't care what happens, actually, as long as they can evade responsibility for it properly.
(w/ apologies to 'enry 'iggins)
--
--David Frier
________________________________________________________________________
1l. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "Anton Aylward" infosecaja
Date: Thu Sep 8, 2011 10:25 am ((PDT))
David C Frier said the following on 09/08/2011 01:02 PM:
> On Thu, Sep 8, 2011 at 12:41 PM, Anton Aylward wrote:
> > Compliance as reporting to the general counsel isn't going to be about
> > IT security. "Security as PR" or "Security as CYA" possibly.
> Exactly. My distinct impression is that Sony doesn't care what happens,
> actually, as long as they can evade responsibility for it properly.
Compare with Apple.
No, I'm not being sarcastic or ironic.
Both produce excellent hardware, but their attitudes are very different.
--
"Context is everything"
________________________________________________________________________
1m. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "David C Frier" dcf_cissp
Date: Thu Sep 8, 2011 10:28 am ((PDT))
On Thu, Sep 8, 2011 at 1:25 PM, Anton Aylward wrote:
> No, I'm not being sarcastic or ironic.
> Both produce excellent hardware, but their attitudes are very different.
I love my Sony TV and BluRay.
Wouldn't touch a VAIO or PlayStation for less than a *lot* of money.
--
--David Frier
________________________________________________________________________
1n. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "Dain Perkins" dain_perkins
Date: Thu Sep 8, 2011 1:26 pm ((PDT))
sold my PS3, won't buy anything sony ever again, period.
which is too bad - the PS3 is a pretty nice piece of hardware, even if Sony is a total PIA about how people use it...
/d
________________________________________________________________________
1o. Re: Sony Names Ex-DHS Director to Oversee Security Strategy
Posted by: "David C Frier" dcf_cissp
Date: Thu Sep 8, 2011 1:51 pm ((PDT))
When I learned that PS3's could be gridded into Linux-running supercomputers, I was ready to fall to the ground and kiss Sony's feet. Then they patched the coolest piece of geekery out of existence, THEN they went after GeoHot for trying to restore people's right to use the f*ing hardware they paid for the way they want to.... I'm all done w/ Sony also.
BTW this all happened AFTER I acquired the TV gear, so that was a /fait accompli./ No value I can see in giving some craigslist reader a sweet deal on some very nice gear. As long as Sony never gets another nickel from me I'm satisfied.