Brandeis GPS Blog Articles in April, 2014

Month: April 2014

Watch Your Language: How Security Professionals Miscommunicate About Risk

Original Post: https://blogs.rsa.com/watch-language-security-professionals-miscommunicate-risk/

What a joy it is to be understood! Yet many security professionals find it difficult to be understood by the business decision-makers they are trying to advise.

“They just don’t get it,” we say. And we grumble that our committed, faithful, and honorable efforts to protect the company and its assets are under-recognized, under-appreciated . . . and under-funded.

We could try speaking louder, and more slowly—the comedic memes for how we instinctively try to communicate with someone who speaks a different language.

Of course, we could start trying to speak the same language. That would probably yield better results.

The way we talk about risk is a prime example of how we habitually miscommunicate. Security professionals mistakenly think they are talking about risk, when they are, in fact, talking about threats, vulnerabilities, and exploits. Some examples include

Phishing attacks: This is not a risk. It’s an exploit of a very common vulnerability (humans).

OWASP Top 10: These are mistakenly described as “The 10 Most Critical Web Application Security Risks,” but they are not risks. They’re vulnerabilities and exploits.

Advanced persistent threats: This isn’t a risk. It’s a threat. (Even when we get the name right, we get it wrong.)

Rootkits: This is not a risk. It’s a type of exploit.

As security professionals, we tend to go on and on, talking about threats, vulnerabilities, exploits, and the technologies that help to defend against them, and we think we’re talking about risk. Meanwhile, the business decision-makers we’re trying to advise are confused and frustrated.

So, what is the right language? What is risk?

Shon Harris, author of the popular CISSP All-in-One Exam Guide, defines risk as “the likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.” Douglas Hubbard, author of The Failure of Risk Management: Why It’s Broken, and How to Fix It, defines risk as “the probability and magnitude of a loss, disaster, or other undesirable event.” (And in an even simpler version: “something bad could happen.”)

To be very clear, it’s not that there are multiple definitions of risk, or that the definition of risk is unclear. It’s that we as security professionals aren’t speaking the right language. When we speak about security risks, we should be speaking about the probability of successful exploits, and the magnitude of the corresponding business impact.

Imagine yourself in the role of the business decision-maker, and imagine that your subject matter experts presented you with the following assessment of risks related to endpoint security:

Cleverly engineered stealth malware, rootkits, is designed to evade detection, and persists on endpoints for prolonged periods of time. And new strains of malware are targeting an area of endpoints that performs critical start-up operations, the master boot record, which can provide attackers with a wide variety of capabilities for penetration, persistence, and control. In both cases, we may already be infected, but not even aware.

There is a 15 percent probability that an endpoint security exploit will result in business disruption and productivity losses that may exceed $5M.

Which of these would be more helpful to you in terms of informing a decision about endpoint security? (It should go without saying that this point could just as easily apply to managing identities and access, or data protection, or application security, or mobility initiatives, and so on. Endpoint security is just an illustrative example.)

Clearly, the second option is more helpful. And the second option is properly framed in terms of risk.

In no way does this guarantee what the actual decision will be. One decision-maker might conclude, “I approve your request to invest in additional endpoint security controls to reduce this risk,” while another decision-maker might conclude, “that’s a risk I’m willing to live with.” But that’s okay—as security professionals, we will have done our job.

By better understanding how to communicate about security risks, we will also enjoy the benefits of being better understood.

About the Author:

Derek E. Brink, CISSP is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also a adjunct faculty with Brandeis University, Graduate Professional Studies teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/ and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx

Just Announced: Eric Siegel as GPS Commencement Speaker

April 24, 2014 / cchatell / 0 Comments

eric_med_3 Brandeis Graduate Professional Studies is pleased to announce our 2014 Commencement speaker for the Rabb School of Continuing Studies Diploma Ceremony, Eric Siegel, PhD.

Eric completed his undergraduate degree from Brandeis University in 1991, and subsequently earned his PhD from Columbia University. Eric is the founder of Predictive Analytics World and Text Analytics World. He is the Executive Editor of the Predictive Analytics Times, and he makes the how and why of predictive analytics understandable and captivating. Eric is the author of Predictive Analytics: The Power to Predict Who Will Click, Buy, Lie, or Die and a former Columbia University professor who used to sing to his students. He is a renowned speaker, educator, and leader in the field. He has appeared on Bloomberg TV and Radio, Fox News, BNN (Canada), Israel National Radio, Radio National (Australia), The Street, Newsmax TV, and NPR affiliates. Eric and his book have been featured in Businessweek, CBS MoneyWatch, The Financial Times, Forbes, Forrester, Fortune, The Huffington Post, The New York Times, The Seattle Post-Intelligencer, The Wall Street Journal, The Washington Post, and WSJ MarketWatch.

My Student Experience

April 22, 2014 / cchatell / 0 Comments

by: Daniel Mongeon

Twenty-three years. That’s the length of time that has eclipsed since I last enrolled in a “for credit” course. I earned my undergrad at that time and never looked back, until recently. I had been contemplating taking a course for both professional development and as a possible gateway to applying to a Masters program, but I didn’t really want to do it.

My two sons are 5 and 3. Seeing them when I arrive home from work is the best part of my day, but it’s still stepping from one job to another. The second best part of my day is when they’re tucked into bed and I can indulge in some “me” time. I guard that “me” time jealously and I didn’t want to have my vigorous schedule of TV and reading interrupted by coursework. Thankfully, my wife and my mother, an educator, wouldn’t allow me to rest on my laurels and I enrolled in RCOM 102 Professional Communications for the Spring 2014 term.

As the opening day for GPS courses approached, my dread increased but I tamped those feelings down with hollow sounding (to me) platitudes about “stepping outside of one’s comfort zone” and prepared for the 10 weeks to follow. After reading through my syllabus and posting my initial introduction, I mapped out a schedule that seemed doable. Wednesday would be my day for required readings. Thursday would be for researching and posting my response to my instructor’s discussion post. Friday would be for working on assignments and responding to posts by my classmates. Saturday would be a day off, a break from schoolwork. Sunday, Monday and Tuesday would be for completion of any tasks that needed to be wrapped up by the end of the course week.

It was a good plan, but what is it they say about the best laid plans of mice and men? Right. Life happens. Sometimes a buddy I hadn’t seen in a while would only have Wednesday night free to hang out. Perhaps I had a commitment on Friday. There was that wedding to attend in Brooklyn on the weekend of Week 8. There were times that I just couldn’t wrap my head around getting my work done and would stare at my computer screen, trying to will an idea to pop into my head.

I got through it, however. Mores to the point, I enjoyed it. I enjoyed reading posts from other students and constructing a decent response. Through the research I had to do for my discussion posts and assignments, I learned things that could assist me in not only my job but my day to day life. Our instructor was excellent at keeping our discussions moving if they bogged down. I found satisfaction in logging in to the class and seeing if there were any responses to what I had posted. Getting my grades back and reading my instructor’s feedback pushed me to shore up the areas that needed strengthening.

Mostly, I found that stepping outside of my comfort zone wasn’t just an empty platitude; it was a way of “exercising” unused mental faculties and coming out the other side having discovered that I have the capacity to fit more education into my hectic life. I found that you can come to like something you initially dreaded.

I got an ‘A’ in the course and plan to continue my studies. Although for now, I have some Red Sox games to enjoy, an instructional baseball team to coach and waves to catch. See you in class.

About the Author:

Daniel Mongeon is a Brandeis Graduate Professional Studies Student Advisor. He has been with GPS for over 3 years and knows all there is to know about your student experience. He is a graduate from Emerson College and loves to surf, watch the sox and spend time with his family.

Following Your Storyboard: Key to Effective Presentations

April 17, 2014 / cchatell / 0 Comments

By: Phil Holberton

Original Post from: http://holberton.com/sol_vol-3-no1.html

Putting your storyboard together is one of the most important activities of preparing to give a presentation. Each storyboard should contain the following elements.

Opening
Main Points
Supporting Points
Details – For Clarity
Closing

I’m often amazed when I see corporate business plan presentations. They look like the preparer took all the information in his or her head and dumped it into a PowerPoint® presentation. Not only do they seem just a data dump, but they don’t communicate the necessary information–they prevent the audience members from comprehending what is important. Our job as leaders is to convert/translate data into information, adding our interpretation and wisdom to the content.

Many corporate presenters are communicating very complex information–much of it scientifically — or technically-based. Sometimes the information is so technical and complex that it is over the heads of audiences. The first activity that every presenter needs to focus on is, “who is your audience?” Understanding the capacity of your audience will help you design your storyboard. The real challenge comes when the audience capacity is so broad that you have equal risk of speaking down to people as you do of speaking beyond them. One gifted presenter I have the pleasure of knowing and working with will spend time developing a simple primer of the subject to be covered, starting out with simple statements and examples, and escalating the degree of complexity, thereby bringing his audience along. Less skilled presenters will start right in on their subject without any warm-up–and they lose their audience at the very beginning. This is especially common when a presentation builds upon preceding theories. Once you lose your audience, it is difficult to get their attention back.

From the list of storyboard elements, start with the last one, developing your closing, first. Always begin with the end in mind. What do you want your audience to take away from this presentation? Is it information? Do you want them to move to action? Knowing this in advance will help you build your presentation. After you are clear about the outcomes, then you can begin to put your main points into place.

“In the beginning…” Isn’t this a famous saying? Well, in the beginning of your presentation, you need to set the tone of what you intend to cover and lay out the framework of where you are headed. Establishing a bond with your audience is key to gaining their confidence in you as the presenter of the information. Look audience members in the eye, use pauses effectively, and open strongly by sharing with them the scope of your subject and what your approach in presenting it will be. At some level, you are “selling” them on listening to you. And, let’s face it, we are all nervous when we begin a presentation, but don’t use jokes to fill an empty space and don’t set expectations that you can’t fulfill. All along, we want a style of presentation that establishes credibility with the audience–not by telling them how good we are, but instead by sharing examples that support our material and demonstrate our expertise. Being perceived as an expert is paramount to delivering an effective presentation. This convincing can be quick for some, but for other audience members, it may take some time.

In our presentation, we want to identify the two or three main points that we would like our audiences to remember. These main points must be reinforced throughout our presentation. Repetition does not necessarily hurt. Many times, presenters are so enamored with all the material they know about a particular topic that they just carry on with so much detail that it is impossible for the audience to absorb all the content. This data dump, as opposed to the communication of relative information, adds confusion instead of clarity. Details should add clarity to the subject, not burden the audience with superfluous data.

As presenters of information, you should add your “spin” or “wisdom” to the content. Part of the presentation objective is to communicate content with color and part of the color is your opinion. Just make sure that your opinions are supported with information. Opinion is the value add that we provide as the deliverer of the content.

Unfortunately, we (me included) often feel so pressed for time, that we bypass the important step of building the storyboard, moving directly to creation of the presentation. Take an hour or so of quiet and map out your presentations. Like most important activities in our lives, if we take the time to plan, we will be happier with the outcomes.

Now ask yourself… “Am I a Leader?”

About the Author:

Philip Holberton, BA, CPA, is the founder of Holberton Group Inc – Speaking of Leadership, a business advisory firm specializing in strategic, organizational, and executive coaching. He is an adjunct faculty at Brandeis University Graduate Professional Studies and serves on our Professional Advisory Board.

Mr. Holberton is the author of the popular blog – Speaking of Leadership.

My Student Experience

April 14, 2014 / cchatell / 0 Comments

by: Rebecca Weiss

I cannot believe the term is already over! While it seems like these past ten weeks flew by, I can remember there still being so much snow on the ground the first week and now we finally have beautiful weather outside.

This was my first course with GPS as well as my first graduate course since I graduated from undergrad at Brandeis almost two years ago, so it certainly was an exciting new experience. I was enrolled in Foundations of Data Science and Analytics, one of the required courses for the newest master’s program, Strategic Analytics. I was definitely intimidated when I first began, as an Enrollment Advisor at Brandeis, I had very little formal experience working with analytics. I found as I worked through the course, I could apply the principles I learned into many facets of my day-to-day job and the operations of the university as a whole. Our instructor, Leanne Bateman, was great at making sure we related each week’s discussion back to our own experiences at work. I particularly enjoyed one of our assignments where we had to write a job description for a data scientist in our own office.

It was an adjustment to get back into the mindset of doing schoolwork. My first week I left all of my reading and videos for Saturday afternoon and I sat in Starbucks for almost 8 hours! But after the first few weeks, I got into a rhythm of setting out times on particular days to do readings and postings. After these ten weeks, I am very glad that I took the course and I think it will greatly benefit me at work. I plan on taking the summer off, but maybe I will enroll in my second GPS course in the fall!

About the Author:

Rebecca Weiss graduated from Brandeis University in 2012 with a Bachelor of Arts in Politics and Sociology. Currently, she works with Brandeis Graduate Professional Studies as an Enrollment Advisor.

Who Solves Which Problems?

April 10, 2014 / cchatell / 0 Comments

by: Johanna Rothman

Many years ago, I was part of a task force to “standardize” project management at an organization. I suggested we gather some data to see what kinds of projects the client had.

They had short projects, where it was clear what they had to do: 1-3 week projects where 2-4 people could run with the requirements and finish them. They had some of what they called “medium-risk, medium return” projects, where a team or two of people needed anywhere from 3-9 months to work on features that were pretty well defined. But they still needed product managers to keep working with the teams. And, they had the “oh-my-goodness, bet the company” projects and programs. Sometimes, they started with a small team of 2-5 people to do a proof-of-concept for these projects/programs. Then, they staffed those projects or programs with almost everyone. (BTW, this is one of the reasons I wrote Manage It! Your Guide to Modern, Pragmatic Project Management. Because one size approach to each project does not fit all!)

The management team wanted us, the task force, to standardize on one project management approach.

In the face of the data, they relented and agreed it didn’t make sense to standardize.

It made a little sense to have some guidelines for some project governance, although I didn’t buy that. I’ve always preferred deliverable-based milestones and iterative planning. When you do that, when you see project progress in the form of demos and deliverables, you don’t need as much governance.

There are some things that might make sense for a team to standardize on—those are often called team norms. I’m all in favor of team norms. They include what “done” means. I bet you’re in favor of them, too!

But, when someone else tells you what a standard for your work has to be? How does that feel to you?

I don’t mind constraints. Many of us live with schedule constraints. We live with budget constraints. We live with release criteria. In regulated industries, we have a whole set of regulatory constraints. No problem. But how to do the work? I’m in favor of the teams deciding how to do their own work.

That’s the topic of this month’s management myth, Management Myth 28: I Can Standardize How Other People Work.

If you think you should tell other people how to do their work, ask yourself why. What problem are you trying to solve? Is there another way you could solve that problem? What outcome do you desire?

In general, it’s a really good idea for the people who have the problem to solve the problem. As long as they know it’s a problem.

How about you tell the team the outcome you desire, and you let them decide how to do their work?

Original Post: http://www.jrothman.com/blog/mpd/2014/04/who-solves-which-problems.html

Bigger than “Cloud Computing”

April 7, 2014 / cchatell / 0 Comments

by: Ari Davidow

It’s textbook season once again. That’s the time of year when I go through new textbooks for next semester’s course.

The good news is, “Cloud Computing,” a subject so out on the edge when it was first offered four years ago that it was a “special topic,” is now relatively main stream. The bad news is, the textbooks still focus on how to teach network administrators how to set up cloud services. Which wouldn’t be a bad class, and it is certainly useful to IT professionals, but it isn’t the class that we teach here at Brandeis.

My course focuses as much on how “Cloud Computing” is changing how we do our jobs, as it does on the practicalities of using common Cloud infrastructure. We don’t neglect becoming familiar with common Cloud “Infrastructure as a Service” components such as: storage, queue servicing, database and web servers and the like. But that is a limited corner of the field.

I first realized how far ahead of the times our course was when I saw one of the computing consulting groups, IDC, refer to the topics we address as “The Third Platform.” Turns out, by focusing on the different types of Cloud Computing platforms, spending time considering related issues (“Big Data” and how “mobile computing” affects it all), we were focusing attention on what IDC feels is a major shift in computing. A shift so large it is comparable to the switch from mainframes to personal computers not so many years ago.

Additionally, the IDC report accidentally highlights how we create courses. Sometimes, when we’re teaching a language or computing system, we focus on the basics of just learning that language or platform. If you take a Ruby class, or a class in Analytics, you’ll get a good grounding in those disciplines. But with Cloud Computing we are talking about changes in technology that are changing everything around them.

Software as a Service (SaaS) has radically changed how Enterprise applications are purchased and maintained. Infrastructure as a Service (IaaS) has changed the way start-ups work and thoroughly changed the economics of putting new ideas to the test. The proliferation of mobile devices has similarly destroyed the likelihood that network security is as simple as thinking in terms of one person/one device, most of which are physically hooked up to the network. This is a paradigm already challenged by the need to integrate SaaS services with the rest of the network.

When you sign up for “Cloud Computing” this summer, you are signing up to explore the entire “Third Platform.” We’ll also walk you through some bare metal Cloud Computing basics and have some big fun with Big Data. I look forward to seeing you soon.

P.S. As with all Brandeis GPS classes, you can participate with whatever computing device is convenient to you—your computer, your tablet or smartphone. We like to practice what we teach.