Sunday, June 9, 2013

Richard Ramirez and the 'ain't gonna happen to me' syndrome

Richard Ramirez is remembered all across southern California for the terror he inspired during the early '80s. He was nicknamed the 'Night Stalker' and was known for the ease with which he entered his victims' homes. He did not break and enter; he didn't break windows or climb down chimneys. For the most part, Richard 'walked' into homes either through screen doors left unlocked or windows left open. Many of his crimes, I've heard, were committed close to freeway ramps to facilitate a fast getaway.

What was very interesting to note about Ramirez's victims is that even though the city was aware of a serial killer on the loose, people still left their windows or screen doors open. I know I would batten down the hatches and take extra precautions until I heard the killer had been caught. So what makes people lax and laissez-faire in the face of a known and omnipresent danger?

Enter what I've coined the 'ain't gonna happen to me' syndrome. It's the opposite of the 'safety in numbers' effect. It's when people think that it's such a big situation that they cannot possibly be the target. It's when individuals think, 'It's a big city and there are thousands of homes and hundreds of thousands of people; surely nobody's going to stop by my house and single me out.' And yet Ramirez did just that, and time and time again he found homes with little or no security and walked right in with minimal effort.

Does this ring a bell now, folks?

Fast forward to today and the Advanced Persistent Threats (APT) that are an omnipresent and clear danger. There are probably very few IT and business people who have not heard of the Chinese hackers attacking our systems and stealing valuable business intelligence through APT. And yet in the face of this very clear danger, there is still a lot of work to be done to close those open windows and open doors. There is still a lot of the 'ain't gonna happen to me' syndrome in our business environment. Systems that are unpatched, privileged accounts that are inadequately protected, a reliance on anti-virus alone for security - these are all examples of open windows and doors that allow an attacker to easily 'walk' into our network and take away all that is dear to the business.

The 'ain't gonna happen to me' attitude only works until someone attacks you, and by then it is too late to do anything about it.

Tuesday, June 4, 2013

Why this Blog

As I go about my daily job, which is anything but routine, I often contemplate what it takes to be an effective Security Manager. What does it take to be an IS manager, how is that skill set different from operating at a Director IS level and, to take it up to the highest notch, what does it take to operate at a CISO level for a large multinational company?

Books do not teach you these skills, and information security conferences are heavy on technology but, not surprisingly, light on the management side. In this blog, I hope to write about the skill sets required to do the job and the challenges a Security Manager must overcome in order to build and run an effective security program. In the process, I also hope to understand better what it is that drives me and my colleagues in chasing that elusive goal of a secure enterprise!