Archive for March 2010

“Computer/Network Security Consultant” is the 8th best job in America

March 11, 2010

See this infographic on

Disagreements welcome in the comments section!


Desktop Virtualization a tool for mitigating third party risk?

March 9, 2010

According to a recent report published by the Infrastructure Executive Council, a majority of the 100+ organizations surveyed plan to adopt Desktop Virtualization in the 2009-2010 time frame. Most members have stated that cost savings are the #1 driver, followed closely by security and mobility. What’s interesting is that over the long run security and mobility might become bigger drivers for adoption, as some of the savings on hardware and software will be offset by increased costs in the data center.

As of now most members are using the technology for certain categories of workers where there is little need for desktop customization: offshore, contract, outsourced, and call center staff. Since this is also the group that information risk cares about from a data leakage perspective, this would be a win-win situation for both infrastructure and security teams. We should see even more companies selecting this technology for targeted deployment in 2010.

Drivers of Desktop Virtualization

Should an Information Risk Manager Manage “Risk?”

March 7, 2010

Great Minds Think Alike

This post will summarize a provocative presentation at the RSA conference on Tuesday by long-time security practitioner Donn Parker, and detail a similar approach that IREC has been recommending, which we call Controls Maturity Assessment (CMA). We have previously referenced our CMA work in this blog, especially in this post. What is provocative about these approaches is that they both suggest making risk assessment a secondary consideration in your information protection strategy.

Where are the sessions on awareness at the RSA conference?

March 3, 2010

I’m attending the RSA conference in San Francisco this week. We at IREC think a lot about the value of end-user awareness, and we argued recently that most security organizations should increase their awareness budget. As I looked through the program for the RSA conference, I noticed there were not very many sessions that addressed awareness or the end-user. In fact, even when you count sessions on social engineering, only 2% (5 of 242) of the sessions this year address the end-user!

Pretty poor representation for such an important topic.

However, it does correspond well to the 2% of our budgets we spend on awareness.