Over the past couple of years the conversation about cybersecurity has exploded from a term we used as practitioners to one that is top of mind for most people in the U.S. The media frenzy, initiated by the Snowden event, has created a multi-year news cycle that continues to today. As a result we have a lot of commentators on the threats, compromises, budgets, skills, etc. whose commentary is devoid of actual facts. I've taken some time to try and apply some data to this overall "Threat" landscape that has been talked about for so long. While this is clearly not "scientific" and open to debate, I feel it does bring some data to the conversation as opposed to the faceless statements that echo in the industry. So much so, in fact, that an echo chamber effect is starting to take hold well outside of practitioners since the media has focused on it.
I found this infographic online (yes, it's been a while since I posted one) and thought I would send it out. I'm a big believer that the birthing pains of Bitcoin will subside over the next couple of years and we will see it take hold as an international currency. It will be fascinating to watch whether that actually plays out. If it does, it's a huge investment opportunity for those getting in early.
You can find the original post here: http://www.businessinsider.com/bitcoin-economy-infographic-2014-2
There are a bunch of things that I really enjoy, and one of them is good economic analysis. I found a really interesting writeup by "The Atlantic" on the inequality that is developing, presented in 16 slides. Pretty direct and easy to grasp, so I thought I would pass it along here.
For those of you that remember what an "E" ride was, it's telling of your age. I had a really good conversation with someone the other day on what questions I would ask when looking at security roles. I thought I would list them out for discussion points and thoughts. Mostly these are from lessons learned in past organizations where the hurdles were not discovered until I landed and uncovered them.
1) What is the current project spend in relation to IT spend (CapEx/OpEx)?
Note: generally, a company will spend about 5% of its IT spend on security. This can vary from industry to industry but can be used as a rule of thumb.
2) What are the current process maturity levels of IT (CM, PM, SDLC)?
Note: A company with little to no maturity in the core processes will never get out of the fire-drill mentality. This can be evidenced by audit reports, etc. The main discovery point is whether they can explain how it's mature, whether it's distributed or centralized, etc.
3) What is the current staffing of security relative to the overall company?
Note: this has a big variance and can drive a lot of questions. Most companies with an overall employee base of 10-20k will have a security group of 30-40. There can be more if operational functions are included or if it's in a unique industry. There could be less (25-30) if it's a true governance role and any compliance function is separate. It could also be less if it's a distributed model. Too many people is a demonstration that their processes are not mature and they are just throwing bodies at it. Too few and it could be that security is not really supported.
4) What is the attrition rate?
Note: technology roughly ranges in the 10-15% annual attrition range. Above that, say 30%, can be an indicator of a problem in the company and/or the team.
5) What is the average "open req to butt in seat" time?
Note: This should be within 30-60 days. Remember, this is subject to the location as well. It's really hard to find good security people to begin with, but it's even harder to find them in areas such as the Bay Area or Bangalore. Even with that, a lack of ability to attract new talent is something that can cause problems. It can also be an indicator that the talent acquisition construct in the company is way too big of a hurdle and is limiting hiring.
6) Is there a documented company and technology strategy for the company?
Note: without this you're fighting an uphill battle. A company that can't articulate where it is going or how technology supports that will have little ability to understand a security strategy and accept it. Also, since most of security is attaching to the business processes and functions, without that concept of a strategy to attach to there's no clear direction.
7) Not really a question, but you need to map out the company's fiscal and business health. Read the 10-K and 10-Q filings. Understand their revenue growth, PEG ratio, industry growth and overall macro environment.