Simple ~ Secure ~ Blog

TOP Technology Initiatives

An interesting reference to keep in mind is the 25th Anniversary North American Top Technology Initiatives (TTI) Survey, a joint effort between the American Institute of Certified Public Accountants (AICPA) and the Chartered Professional Accountants of Canada (CPA Canada).

The survey, conducted in November for the U.S. and in March for Canada, was based on responses from 3,061 AICPA members nationwide and 256 Canadian respondents with an interest in information technology. The ten initiatives, in rank order, were:

1. Securing the IT environment
2. Managing and retaining data
3. Managing IT risk and compliance
4. Ensuring privacy
5. Enabling decision support and analytics
6. Managing system implementations
7. Preventing and responding to computer fraud
8. Governing and managing IT investment/spending
9. Leveraging emerging technologies
10. Managing vendors and service providers

Flesch-Kincaid Index - How simple is your content?

There are easy tools you can use to check whether your work is easy to read. From informal email to formal security policies, we all have a responsibility to craft readable content. How many times have you received an unsolicited email that does not state what the writer wants in the first sentence? It is very frustrating to the reader. To be effective, a message must tell the reader what is being requested up front, in simple language, and brevity helps.

Enter the Flesch-Kincaid tests, a simple way to check the readability level of your work. There are several ways to run them. One is to turn on readability statistics in MS Word or Outlook, which report the Flesch Reading Ease score and the Flesch-Kincaid grade level after a spelling and grammar check. Another is to paste your content into an online word counter to get the word, sentence and syllable counts; you then still have to calculate the score yourself with the following formula:

FI = 206.835 - (1.015 x ASL) - (84.6 x ASW)

where ASL is the average sentence length in words (the number of words divided by the number of sentences) and ASW is the average number of syllables per word (the number of syllables divided by the number of words). This is the Flesch Reading Ease score; higher means easier to read. The score is mapped to standardized bands indicating the readability level: roughly 90-100 is very easy (about 5th grade), 60-70 is plain English (8th to 9th grade) and 0-30 is very difficult (college graduate). The companion Flesch-Kincaid Grade Level test uses the same two inputs with different weights, 0.39 x ASL + 11.8 x ASW - 15.59, and reports a U.S. school grade directly.
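As an added example (not part of the original post), the following Python computes both scores from raw text so you can run them over a draft policy before sending it. The syllable counter is a vowel-group heuristic assumed for this example rather than a dictionary lookup, so irregular words will occasionally be off by one; the two sample texts are constructed here to show the same instruction written in plain and in bureaucratic English.

```python
import re

VOWEL_GROUPS = re.compile(r"[aeiouy]+")
VOWELS = "aeiouy"


def count_syllables(word: str) -> int:
    """Heuristic English syllable count: one per vowel group, corrected for
    the common silent endings '-e' (but not '-le') and '-ed' after a
    consonant other than t or d. Assumed heuristic, not a dictionary."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    count = len(VOWEL_GROUPS.findall(w))
    if w.endswith("e") and not w.endswith("le") and len(w) > 2 and w[-2] not in VOWELS:
        count -= 1                      # before, message, authenticate
    elif w.endswith("ed") and len(w) > 3 and w[-3] not in VOWELS + "td":
        count -= 1                      # sanctioned, asked (but not requested)
    return max(1, count)


def text_stats(text: str) -> tuple[int, int, int]:
    """Return (sentences, words, syllables) for a block of prose."""
    sentences = [s for s in re.split(r"[.!?]+(?:\s+|$)", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    syllables = sum(count_syllables(w) for w in words)
    return len(sentences), len(words), syllables


def _averages(text: str) -> tuple[float, float]:
    """ASL (words per sentence) and ASW (syllables per word), as in the formula."""
    n_sent, n_words, n_syl = text_stats(text)
    if n_sent == 0 or n_words == 0:
        raise ValueError("text must contain at least one sentence with words")
    return n_words / n_sent, n_syl / n_words


def flesch_reading_ease(text: str) -> float:
    """FI = 206.835 - 1.015*ASL - 84.6*ASW (higher is easier; may leave 0..100)."""
    asl, asw = _averages(text)
    return 206.835 - 1.015 * asl - 84.6 * asw


def flesch_kincaid_grade(text: str) -> float:
    """Flesch-Kincaid Grade Level: 0.39*ASL + 11.8*ASW - 15.59 (U.S. school grade)."""
    asl, asw = _averages(text)
    return 0.39 * asl + 11.8 * asw - 15.59


def reading_ease_band(score: float) -> str:
    """Map a Reading Ease score to the standard Flesch bands."""
    bands = [
        (90, "very easy (5th grade)"),
        (80, "easy (6th grade)"),
        (70, "fairly easy (7th grade)"),
        (60, "plain English (8th-9th grade)"),
        (50, "fairly difficult (10th-12th grade)"),
        (30, "difficult (college)"),
    ]
    for floor, label in bands:
        if score >= floor:
            return label
    return "very difficult (college graduate)"


def readability_report(text: str) -> dict:
    """Everything a policy author needs in one place."""
    ease = flesch_reading_ease(text)
    return {
        "reading_ease": round(ease, 1),
        "band": reading_ease_band(ease),
        "grade_level": round(flesch_kincaid_grade(text), 1),
    }


# Constructed sample texts: the same instruction written two ways.
SIMPLE = "Stop before you click a link. Think about what it asks you to do."
POLICY = ("Personnel shall authenticate utilizing organizationally sanctioned "
          "credentials before establishing connectivity.")

if __name__ == "__main__":
    for label, sample in (("simple", SIMPLE), ("policy", POLICY)):
        print(label, readability_report(sample))
```

The plain version lands in the "very easy" band, while the policy-speak version scores far below zero with a grade level near 30, which is what a reader feels when a policy is written entirely in polysyllabic nouns. Word's own readability statistics use the same two formulas, so the numbers here should agree with it to within the syllable heuristic's error.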

Data Classifications - What are yours?

The Security Manager's Journal column in the August issue of Computer Magazine got it right: the days when companies could protect all of their data are gone. For those of us providing information and cybersecurity services, this trend has been building for many years. What drives the point home further is Gartner's prediction (see press release) that by 2017 half of employers will require employees to supply their own devices for work purposes.

What is your company's data classification policy? If it has not been updated in the past two years, you may have an unrealistic one in place today. In the Journal's 'Data Classes Meet Real World' article, the companies mentioned ran into the limits of their existing classification policies. For example, information classified as restricted could only be reached from a mobile device after first connecting through a virtual private network, a burden employees found overly cumbersome.

This of course leads to the classic struggle between the business and IT, in which the security staff responsible for protecting information are pressured to adopt an easier (simpler) approach to accessing data. Often this leads to the company's existing defense-in-depth controls being weakened. So what is the answer? There is no panacea, but while advances in technology compound the problem, coupling the right technologies together can also solve it. A workable policy tends to have a small number of classes, each tied to concrete handling rules (where the data may be stored, how it may be accessed, who may approve sharing it), so that the controls follow the data rather than the device.

NSA's Spy Center

Photo: Name withheld; digital manipulation: Jesse Lenz

Is the NSA's Bluffdale, Utah facility evil? If so, does that mean the people who planned it, who are building it and who will use its technologies for the purpose it was built are also evil?

History is filled with accounts of good people who turn evil. In his book "The Lucifer Effect: Understanding How Good People Turn Evil" (Random House, 2007), Philip Zimbardo summarizes more than 30 years of research on the factors that can create a "perfect storm" leading good people to engage in evil actions. He calls this transformation the Lucifer Effect.

His now-classic 1971 study found that ordinary people randomly assigned to play the role of guard or inmate for two weeks in a simulated prison became so brutal that the experiment had to be shut down after only six days. Within days, the guards had become sadistic and the prisoners depressed, showing signs of extreme stress.

The Stanford Prison Experiment shows what happens when you put good people in an evil place. Does humanity win over evil, or does evil triumph? What does this tell us about the 1.5 million square foot facility that will be used for spying? Will the leaders of this nation and others, and especially those whose livelihood depends on following orders, show the same turn toward evil as the guards? In other words, will they believe they are doing the right thing because their superiors told them to do it?

Innovative Technology - What's in your company?

Many companies are looking for innovative ways to leverage technology. But even small start-ups quickly find themselves drowning in the sea of technology used to manage and run their business. The people in "people, process and technology" are the main drivers of this proliferation. The very nature of innovation means allowing people the flexibility to be creative, and that means they often ask for and receive tools to make something happen. This is how people come to purchase, use and abandon entire technologies, or use only a portion of their initial investment.

What company out there can say it has a full catalog of all the technologies used in its environment? Not many. Yes, there are configuration management systems, driven by configuration management databases that inventory as many configuration items as can be captured. But what is often missing from those implementations is the business-to-technology mapping that links each business service to the technology supporting it.

Of course, in some businesses the technology is the service. This is more the case today than it was even five years ago. For example, there is a good deal of emphasis on cloud computing today, and in most articles about a path to the cloud you will encounter the difficulties companies face in deciding what to move, how to move it, when to move it and at what cost the move makes sense.

At each of these decision points there is an underlying question: which technologies do we currently have that we can or should continue to leverage, and which, if any, do we abandon for something equal or better? It all begins with knowing what you have, why you have it and whether it makes sense to continue using it.

Stop ~ Think ~ Connect

Do you remember the Smokey Bear campaign? If so, you are likely to remember the slogan "Only You Can Prevent Forest Fires". For many years this public service announcement was broadcast on television. In fact, it is the longest running campaign in Ad Council history, first introduced in 1944.

According to the Ad Council, the forest fire prevention campaign has helped reduce the number of acres lost annually from 22 million to 8.4 million (as of 2000). In 2000, the slogan was changed to "Only You Can Prevent Wildfires".

Enter Stop Think Connect, a new kind of campaign targeting a different type of wildfire, one that affects us all and connects us all: staying safe in a cyber world.

The official introduction by Howard A. Schmidt, Special Assistant to the President and Cybersecurity Coordinator, made its way to cyberspace on March 18, 2011. Views are nowhere near the number needed to make a significant impact (yet). However, the point of Howard's introduction of Stop Think Connect was to create awareness by calling on the marketplace to take action, specifically by running a competition asking the public to come up with a 30-second ad about Stop Think Connect.

For example, see the 30-second commercial by Microsoft, or search YouTube for Google Stop Think Connect to find more ads.

Stop - before you click on a link, open an attachment or reveal personal information online.

Think - do all of my devices have accurate and up-to-date security settings?

Connect - knowing you are helping make the web safer for you and for everyone.

Cybersecurity Cluster II - SoCAL

In an effort to help shape the San Diego region's future, one of the many services the San Diego Association of Governments (SANDAG) provides is analysis and reporting on industrial clusters in the region. The last report covered 1990 to 1996. In October 2010, I met with SANDAG to find out why cybersecurity was not listed in the previous Industrial Clusters in the San Diego Region report.

The simple answer is that SANDAG did not look at cybersecurity in the previous analysis. That left everyone wondering whether it is now time to consider how, or if, cybersecurity fits as a measurable industrial cluster. Getting to an answer requires understanding cluster analysis.

While inquiring minds started to gather and probe this area of analysis, other initiatives were already underway to start building a cybersecurity cluster in Southern California (SoCAL), or at least to determine whether it makes sense to build one and whether one could be built; better stated, whether enough nurturing could take place to allow a cybersecurity cluster to form. And then there is the one incentive that always seems to get the masses to respond ($$$ Money $$$).

CyberSecurity Cluster I - SOeC Initiative

To support its mission and foster competitiveness and innovation, the Securing our eCity (SOeC) initiative established a cluster working group. This group would, by the end of 2011, make a recommendation to its stakeholders on whether a formal cybersecurity cluster initiative should be started in San Diego, California. This article is intended to prompt further discussion about the forming of that cluster working group.

Executive Summary: SOeC's mission is to enable every San Diegan to live, work and play safely in the cyber world. To support its mission, SOeC established several working groups: Public/Private Partnerships, Policy, Security Metrics, Awareness, Education, Law Enforcement, Critical Infrastructure and Cluster.

The cluster working group is the only group that has not yet held its first meeting. The reason is fairly straightforward. Each of the other working groups is led by experts (co-chairs) in its field, and those co-chairs held their first and subsequent meetings earlier in the year. Understanding how clusters work, their dynamics and how they evolve over time is not a common expertise, so it has taken more time to identify experts in cluster initiatives and cluster management or facilitation.

Cybersecurity Bills - An analysis for 2010

With the Senate confirmation hearings dominating the news this week, there has not been much coverage of the Senate Committee on Homeland Security and Governmental Affairs passing the "Protecting Cyberspace as a National Asset Act of 2010", S.3480, by voice vote this past Friday (video).

However, security companies and professionals, as well as government agencies, should be aware of the significant political debate underway. The debate centers on the concern that a final 2010 cybersecurity bill would expand government (presidential) authority over the internet in the event of a "cybersecurity emergency". Senator Lieberman, an author of the proposed legislation, attempts to alleviate this and other concerns with a fact sheet indicating that the bill actually limits the president's authority as it currently exists under section 706 of the Communications Act of 1934.

This claim notwithstanding, the proposed comprehensive legislation must be reconciled with other cybersecurity measures introduced in the Senate before a final bill is presented to the President. For example, Senators Rockefeller and Snowe are proposing S.773, and still other committees (Judiciary, Armed Services, etc.) have non-comprehensive pieces of proposed legislation that may be folded into a final bill. But for now, S.3480 and S.773 appear to be the primary comprehensive pieces of legislation.

A CIO Agenda; Delivering in Changing Times

A perspective by Louis Ronzitti, Owner, Simple Secure IT, with special thanks to Fritz Hesse for some of his notes and validation.

On April 21, 2010 the San Diego Software Industry Council sponsored the '2010 CIO Agenda; Delivering in Changing Times'. The keynote was given by Ms. Barbara Gomolski, Managing Vice President for IT/Finance at Gartner. The event was a chance to hear about the challenges and opportunities facing enterprise leaders, meet face-to-face with top CIOs and learn about their plans for 2010 and beyond.

Keynote Speaker: Barbara Gomolski, Managing VP of IT/Finance at Gartner

Ms. Gomolski is managing vice president in the IT Metrics and Finance team within the CIO Research group at Gartner. She works extensively with clients on issues of running the business of IT, specializing in IT financial and performance management. For the past nine years, Ms. Gomolski has worked with clients to help them set IT investment levels and optimize the return on those investments. She also spearheaded Gartner's primary research in the area of IT spending for many years.

Prior to joining Gartner, Ms. Gomolski was a research director at Gartner Institute, a Gartner-owned company that developed vendor-neutral IT certifications. Previously, Ms. Gomolski had a long career as a writer and editor covering topics such as databases, hardware, e-mail and IT services. Throughout her career, Ms. Gomolski has written and consulted for leading computing industry vendors.