For those of you who don’t know, this is a blog with an editor. Chris Pepper is a long-time friend, UNIX wizard, web host, and tech writer himself. You can track his work at Extra Pepperoni, his somewhat-recently revamped blog.
If you read the security blogs, you may have seen that I have a stalker: Rob Newby over at IT Security, The View From Here. Rob’s a data security weenie like myself.
There’s been a lot of debate lately on quantitative vs. qualitative risk, frameworks, models, metrics, certifications, standards, and all sorts of other organizational junk we seem to burden ourselves with. Oh, I’m no better, having authored a risk management framework, data security hierarchy, and similar tools in my past.
Since most of you blog readers don’t care about how I feed myself, I don’t intend to use the blog for boring corporate updates, but I’m going to indulge myself for a moment.
I had a little back and forth with rybolov in the comments on my military post, and he introduced me to something called the Business Reference Model right out of some government publications and NIST 800-60.
Back when I started this blog one of the only security blogs I knew about was Martin McKeay’s Network Security Blog. As can happen in the blogging community, Martin and I eventually got in touch and developed a friendship. Heck, anyone I’ve gone drinking with in 3 different cities in less than a year is definitely a friend.
Just a day after I talked about how it takes sustained failures for consumers to leave a company and go to a competitor, we have an example where switching isn’t really an option.
Stepping between Hoff and Curphey.
Consumers always lie in surveys and claim that if a company loses their credit card or other personal info, they’ll go someplace else. In reality, they almost never do.
I haven’t met Richard Bejtlich yet, but I have a feeling we’d get along just fine. We’re both fans of the History Channel, have backgrounds in martial arts, love the show Human Weapon (martial arts AND the History Channel!), and have a background in the military (four years on a Navy ROTC scholarship, but I ended up becoming a paramedic instead of going active duty).
Over at the Network Security Blog, Martin’s been doing a great job of putting the CISSP certification (Certified Information Systems Security Professional for you non-security-geeks) in proper context.