The Brandeis GPS blog

Insights on online learning, tips for finding balance, and news and updates from Brandeis GPS

Tag: risk management

“Ask the Expert” Special Event Webinar

“Ask the Expert: Cyber Security” 

Led by Matthew Rosenquist, Cybersecurity Strategist and Evangelist at Intel Corporation

Wednesday, October 21st at 7pm via Adobe Connect

Matt’s areas of expertise include:
  • Security industry advocacy
  • Security strategy and planning
  • Security operations management
  • Platform security product/service development and sustaining operations
  • Emergency/Crisis response command, control, and communications
  • Security policy development, training, and compliance oversight
  • M&A information security strategy and management
  • Security product strategic planning
  • Technical and behavioral risk assessment and threat analysis
  • Determination of security business value and ROI
  • Threat Agent Risk Assessment (TARA) methodology
  • Internal and external investigations
  • Corporate consulting for risk management and strategic alignment
  • Security industry outreach, evangelism, speaker, and champion

Matthew Rosenquist joined Intel Corp in 1996 and benefits from over 20 years in the field of security. Mr. Rosenquist specializes in security strategy, measuring value, and developing cost-effective capabilities and organizations which deliver the optimal level of security. Currently a cyber-security strategist for the Intel Security Group, he helped in the formation of this industry-leading organization, which brings together security across hardware, firmware, software and services.

The community can connect with Matthew via Twitter @Matt_Rosenquist, Intel Blog and LinkedIn.

20 Mantras Great Leaders Live By Every Day

Written by James Curtiss | @

Original post

This post originally appeared on the Sales section of Inbound Hub. To read more content like this, subscribe to Sales.

Leadership can be a difficult characteristic to understand. Which qualities make someone a good leader? Do those same qualities translate to all aspects of life, or can a person successfully lead a sports team but fail in the boardroom? Are people born leaders, or can anyone inspire others to follow them?

I won’t pretend to know the answers to these questions, and I doubt that many people do.

But when I think about what it takes to be an effective leader, I am invariably reminded of late summer conversations with my grandfather on the deck of his home on the island of Martha’s Vineyard. We talked about anything and everything together — from the current state of Red Sox Nation to the most effective technique for shucking the cherrystone clams we collected earlier that day. But, on occasion, the discussion would drift towards more business-oriented topics and I got a free lesson in leadership studies from one of the very best.

To provide a little background, Don Davis, my grandfather, left a distinguished career in corporate America in 1988 to pursue his “retirement” as a professor at MIT’s Leaders for Global Operations program. During his 22-year tenure at the school, he shared the lessons he learned from his time in business and inspired more than a few of today’s most influential leaders.

As I am sure any of his former students will tell you, it would be nearly impossible to boil down all of his lessons into a single blog post. Fortunately, those same students were kind enough to compile a Memory Book after he passed away in order to share some of his most important teachings, namely the 20 leadership mantras that were core to his curriculum.

Here are those 20 mantras, along with some insight from our Martha’s Vineyard discussions. (For a more personal explanation of how these mantras helped various students succeed in business, you can find the Memory Book in its entirety here.)

1) Leaders don’t choose their followers. Followers choose their leaders.

One cannot simply choose to lead a group of people. You may be a leader in title, but you’re not a legitimate leader if your followers do not believe in you and your vision.

2) Followers choose leaders they trust, respect, and feel comfortable with.

If you don’t have the trust and respect of your followers, how are you supposed to make the connection necessary to inspire them to achieve great things?

3) Be yourself. The number of leadership styles is limitless.

There is no scientific formula for what makes a good leader, only a belief in your own ability as well as the ability of your followers to be successful.

4) Leaders need a base of power and authority — but the more they use it, the less there is left.

Needless to say, effective leadership requires a certain amount of authority. Like most forms of capital, that power is finite. Use it sparingly and only when necessary.

5) The best leadership is based on persuasion.

Anyone can have a vision. Leaders have the ability to persuade others to believe in their vision.

6) Leaders set the ethical standards and tone of their organizations by their behavior.

As a leader, you set the example. Don’t do anything that you wouldn’t want printed on the cover of the New York Times. Your followers are avid readers.

7) Integrity is the bedrock of effective leadership. Only you can lose your integrity.

Unethical behavior is a slippery slope. Avoid the slope at all costs because everyone slips.

8) “Selfship” is the enemy of leadership.

A true leader cares more about the success of his/her followers than their own success.

9) Be quick to praise, but slow to admonish. Praise in public, but admonish in private.

If you’re going to praise someone, do it big. If you’re going to reprimand, make sure it is warranted and do so in a respectful manner.

10) One of a leader’s key responsibilities is stamping out self-serving politics when they emerge.

As a leader, your job is to inspire the entire group. No single person is bigger than the group, not even the leader.

11) Be sure to know as much as possible about the people you are leading.

How can you inspire someone if you don’t know what motivates them?

12) One manages things, but people lead people.

It may be a bit cliché, but at the end of the day, followers are human beings. Don’t lose sight of that reality.

13) Diversity in an organization is not only legally required and socially desired — it’s also effective.

Every problem, obstacle, or issue has a different solution. Different perspectives make it much easier to identify the right solution.

14) Leadership should be viewed as stewardship.

Leader and teacher are synonyms, even if the Thesaurus tool in Microsoft Word doesn’t agree.

15) Don’t make tough decisions until you need to. Most will solve themselves with time.

Procrastination isn’t always a negative tendency. Don’t jump to conclusions. Sometimes you just have to give the problem time to work itself out.

16) When making decisions about people, listen to your gut.

Believe in your ability to identify the right talent. It’s your vision, so you should be able to recognize when a person embodies that vision.

17) People can see through manipulation and game-playing. Everyone can spot a phony.

This goes back to the mutual respect and trust that must exist between a leader and follower. Don’t undermine that mutual respect via manipulation. You’ll lose followers.

18) Learn to say, out loud, “I was wrong” and “I don’t know.”

You may be a leader, but you’re not omniscient. Don’t pretend to be.

19) If you know a plan or decision is wrong, don’t implement it. Instead, keep talking.

Don’t try to jam a square peg in a circular hole. Work with your team to figure out a way to round the edges of the peg so it fits properly.

20) Each of us has potential to lead, follow or be an individual contributor.

Potential is limitless and everyone has the ability to contribute to the success of a particular vision. It all depends on how strongly they believe in that vision.

There is no recipe for what makes a good leader, but these mantras can provide valuable guidelines. I wouldn’t trade those talks on the deck for anything.

Watch Your Language: How Security Professionals Miscommunicate About Risk

Author: Derek Brink

Original Post: https://blogs.rsa.com/watch-language-security-professionals-miscommunicate-risk/

What a joy it is to be understood! Yet many security professionals find it difficult to be understood by the business decision-makers they are trying to advise.

“They just don’t get it,” we say. And we grumble that our committed, faithful, and honorable efforts to protect the company and its assets are under-recognized, under-appreciated . . . and under-funded.

We could try speaking louder, and more slowly—the comedic memes for how we instinctively try to communicate with someone who speaks a different language.

Of course, we could start trying to speak the same language. That would probably yield better results.

The way we talk about risk is a prime example of how we habitually miscommunicate. Security professionals mistakenly think they are talking about risk, when they are, in fact, talking about threats, vulnerabilities, and exploits. Some examples include:

  • Phishing attacks: This is not a risk. It’s an exploit of a very common vulnerability (humans).
  • OWASP Top 10: These are mistakenly described as “The 10 Most Critical Web Application Security Risks,” but they are not risks. They’re vulnerabilities and exploits.
  • Advanced persistent threats: This isn’t a risk. It’s a threat. (Even when we get the name right, we get it wrong.)
  • Rootkits: This is not a risk. It’s a type of exploit.

As security professionals, we tend to go on and on, talking about threats, vulnerabilities, exploits, and the technologies that help to defend against them, and we think we’re talking about risk. Meanwhile, the business decision-makers we’re trying to advise are confused and frustrated.

So, what is the right language? What is risk?

Shon Harris, author of the popular CISSP All-in-One Exam Guide, defines risk as “the likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.” Douglas Hubbard, author of The Failure of Risk Management: Why It’s Broken, and How to Fix It, defines risk as “the probability and magnitude of a loss, disaster, or other undesirable event.” (And in an even simpler version: “something bad could happen.”)

To be very clear, it’s not that there are multiple definitions of risk, or that the definition of risk is unclear. It’s that we as security professionals aren’t speaking the right language. When we speak about security risks, we should be speaking about the probability of successful exploits, and the magnitude of the corresponding business impact.

Imagine yourself in the role of the business decision-maker, and imagine that your subject matter experts presented you with the following assessment of risks related to endpoint security:

  • Cleverly engineered stealth malware, rootkits, is designed to evade detection, and persists on endpoints for prolonged periods of time. And new strains of malware are targeting an area of endpoints that performs critical start-up operations, the master boot record, which can provide attackers with a wide variety of capabilities for penetration, persistence, and control. In both cases, we may already be infected, but not even aware.
  • There is a 15 percent probability that an endpoint security exploit will result in business disruption and productivity losses that may exceed $5M.

Which of these would be more helpful to you in terms of informing a decision about endpoint security? (It should go without saying that this point could just as easily apply to managing identities and access, or data protection, or application security, or mobility initiatives, and so on. Endpoint security is just an illustrative example.)

Clearly, the second option is more helpful. And the second option is properly framed in terms of risk.

In no way does this guarantee what the actual decision will be. One decision-maker might conclude, “I approve your request to invest in additional endpoint security controls to reduce this risk,” while another decision-maker might conclude, “that’s a risk I’m willing to live with.” But that’s okay—as security professionals, we will have done our job.
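As an added illustration (not part of Derek Brink's post), here is a small Python model of the post's second endpoint bullet: a risk stated as the probability of a successful exploit and the magnitude of the business impact, with the expected loss and the net value of a control as the numbers each decision-maker above would weigh. The post's own figures are 15% and $5M; the control's 5% residual probability and $300,000 cost are assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk in the sense the post uses: the probability of a successful
    exploit and the magnitude of the resulting business impact."""
    event: str          # the undesirable business outcome, not the threat or exploit
    probability: float  # probability of the outcome over the assessment period (0..1)
    magnitude: float    # business impact in dollars if the outcome occurs

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        if self.magnitude < 0:
            raise ValueError("magnitude must be non-negative")

    def expected_loss(self) -> float:
        """Probability-weighted loss: the single number a decision-maker can
        weigh against the cost of a control."""
        return self.probability * self.magnitude

    def statement(self) -> str:
        """Phrase the risk the way the post's second endpoint bullet does."""
        return (f"There is a {self.probability:.0%} probability that {self.event}, "
                f"with losses that may exceed ${self.magnitude:,.0f}.")


def control_net_value(before: Risk, after: Risk, control_cost: float) -> float:
    """Expected-loss reduction a control buys, minus its cost.  A positive
    result supports 'invest in additional controls'; a negative one supports
    'that's a risk I'm willing to live with'."""
    return before.expected_loss() - after.expected_loss() - control_cost


# The post's own figures: 15% probability, losses that may exceed $5M.
ENDPOINT_RISK = Risk("an endpoint security exploit results in business "
                     "disruption and productivity losses", 0.15, 5_000_000)

# Assumed figures (not from the post): a control that cuts the probability
# to 5% and costs $300,000 over the same assessment period.
ENDPOINT_RISK_WITH_CONTROL = Risk(ENDPOINT_RISK.event, 0.05, 5_000_000)
CONTROL_COST = 300_000

if __name__ == "__main__":
    print(ENDPOINT_RISK.statement())
    print(f"Expected loss: ${ENDPOINT_RISK.expected_loss():,.0f}")
    net = control_net_value(ENDPOINT_RISK, ENDPOINT_RISK_WITH_CONTROL, CONTROL_COST)
    print(f"Net value of the control: ${net:,.0f}")
```

Run with different control costs to see the sign of the net value flip, which is exactly the point at which the two decision-makers in the post part ways.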

By better understanding how to communicate about security risks, we will also enjoy the benefits of being better understood.

About the Author:

Derek E. Brink, CISSP, is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also an adjunct faculty member at Brandeis University Graduate Professional Studies, teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/ and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx