-
The Emergent Chaos blog has a great post talking about the importance of marketing, not selling, to people on security. It touches on the common issue of how best to educate users to be more secure, and notes that if you can create passionate users, not by selling to them, but by convincing them that [...]
- Posted in Uncategorized
-
Last year, Kevin Reardon wrote about some of the security implications of outsourcing that companies need to consider. However, what he didn’t mention was that security isn’t just a feature of other outsourced functions (like payroll or application development), but it’s something that is increasingly outsourced itself. In many cases, it seems like companies are [...]
- Posted in CSO / Risk Management
-
With the news of the latest breach of personal info from TJX (owners of TJ Maxx and Marshall’s clothing stores), it’s now coming out in the press that the breach is worse than previously thought. This seems to be fairly common in stories of this nature, which highlights an important point in security risk management. [...]
- Posted in CSO / Risk Management, Risk Compliance
-
In an interview with News.com, the US government’s new cybersecurity czar lends his support to the idea of tax cuts aimed at stimulating security spending, as one of several possible measures for improving the state of corporate security. Some people feel that there currently aren’t enough incentives in place for companies to make the necessary [...]
- Posted in Uncategorized
-
I find it amusing when I hear stories about security budgets
that are sliced after a year – just because the organization wasn’t
decimated by a widespread worm or virus outbreak. While some
re-justification is relevant with each new cycle (or new management), I
would hate to think that companies would use the “clothing closet”
standard on corporate security. You [...]
- Posted in CSO / Risk Management
-
ISO 17799 password best practices require that passwords be
changed every 6 weeks, be at least 8 characters long, differ from the last 12,
contain upper-case, lower-case, and special characters, and not contain
any words that are in a dictionary. Great concepts. But just like
sunlight, vitamins, exercise and just about everything, too much of a
good thing is bad. In this case, [...]
- Posted in CSO / Risk Management
-
Andy, ITGuy, is rightfully shocked that the average large company uses 32 separate security vendors, and starts wondering how many vendors other companies use. His small company uses eight different security products, though two more are apparently on their way.
Meanwhile, over at ITtoolbox, the Security Monkey has a related post that points out that too many [...]
- Posted in CSO / Risk Management
-
Mike Rothman makes an excellent point about the economic
aspects of the Symantec/Altiris deal. Unfortunately, the view is
somewhat myopic.
If McAfee’s plan were to keep Citadel as a stand-alone company,
revenue would indeed be the primary driver for an acquisition. However,
the technology, and the ability to combine it with our existing
technologies, is what McAfee is presenting as [...]
- Posted in CSO / Risk Management
-
For those in the risk management, risk assessment world, this cartoon probably rings way too true (warning: site’s URL is probably not work friendly, though the cartoon certainly is — unless, perhaps, you’re a fan of standard security risk assessment procedures).
- Posted in CSO / Risk Management
-
Sometimes trying to comply with all of the various laws out there gets a bit ridiculous. Emergent Chaos has a blog post about how Sprint had to send a disclosure letter to a bunch of customers in New York after a laptop containing personal info of customers was stolen. They were doing so to comply [...]
- Posted in Risk Compliance