Thursday, August 13, 2009

Build Visibility In

Visibility has been a constant theme for this blog. Elsewhere I've used the phrase build visibility in to emphasize the need to integrate visibility requirements into the build and design phases of any technology project. Visibility should not be left as an afterthought. Building security in is required as well, but how can you determine how security is working if you have no visibility?

Based on my experiences with technology deployments since the late 1990s, I've realized that the following cycle defines just about every project I've ever seen.

The cycle is Feature -> Management -> "Security" -> Visibility.

I am seeing this cycle at work in the mobile device space right now. Hardly anyone is thinking about how to determine if a mobile device (Blackberry, etc.) is compromised. The best we can do is imagine the sorts of attacks that might be happening to our mobile infrastructure, without visibility regarding how those devices might already be under attack.

I call this operating only within the Decide -> Act part of the OODA loop (Observe -> Orient -> Decide -> Act). We do it all the time in digital security. I called it Soccer Goal Security in 2005.

Does this cycle resonate with anyone?

4 comments:

John Ward said...

Ready, shoot, aim?

Sounds like software design patterns. It's "let's build something, then define what we want to build after the first thing fails".

Alex Hutton said...

Great post, it very much resonates with me. I'd like to understand how we might be able to best measure "visibility" if not for particular InfoSec processes, but also in aggregate for threat, control, impact and asset landscapes in aggregate.

Unknown said...

I also concur, and it fits with microscopic apps as well as macroscopic global trends.

Every tech start-up does this. Great idea, get it working! Oh wait, poor mgmt/performance. Oh, crap, more time has gone by and we need to think about security...and so on.

Borsa said...

This comment has been removed by a blog administrator.