Practically Secure:

Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.

Thursday, 15 March 2012

BYOD - not if, but when.

If your business is still locked into the "corporate desktop" model, you are losing competitive advantage to organisations taking more creative approaches to device management, such as "Bring Your Own Device" (BYOD), and you are ignoring the risk that BYOD is already happening "under the radar" in your own organisation right now.

According to IBM, "Forbidding these devices from the enterprise might seem like a great option, but it's rarely effective. No matter how stringent the rules, some employees will fail to comply and put the organization at risk."

But the most telling rebuke to the CIOs who still think they are doing their business a favour by resisting personal devices in the workplace is this survey from Decisive Analytics, which says "Almost half of the [440] IT executives questioned in this study said BYOD gave their firm a competitive advantage, while almost 70 percent of CEOs were sure of the competitive advantage." Part of that advantage comes from not paying for the devices or for staff training in the corporate apps, and from IT support savings; but more of it is down to the capabilities of the devices themselves, and the productivity that comes from letting users choose the device and apps they like best. If someone can knock up a slideshow in Keynote on an iPad during a one-hour train journey, why force them to spend two days wrestling with PowerPoint on their work laptop?

But if you're still wedded to the idea that a managed corporate desktop is more secure than a solution in which your salesforce use their own iPads and netbooks, think again. Polymorphic malware is making traditional anti-virus and anti-spyware controls ineffective, and the software that tries to defend against it is becoming bloated and slowing down older PCs. There's nothing worse than security software that visibly slows the workstation. Except for security software that visibly slows the workstation and doesn't catch the malware anyway.

A new approach to IT architecture, with cloud-delivered services accessed via approved apps on users' own devices, can deliver cost savings and increased security. More importantly, the business wants it. So we'd better stop clinging to 1990s thinking and figure out how to deliver it securely.

Thursday, 16 June 2011

LulzSec - a wake up call?

Conflicted about "hacktivist" activity such as the current actions of LulzSec and Anon? There appears, anecdotally, to be widespread public support for (or at the very least an absence of unequivocal condemnation of) these semi-organised hacking groups, who seem able to bring down online services at a whim, along with a layman's belief that they must have some serious kit, expert knowledge and access to enormous resources. According to the Sophos Naked Security blog, nothing could be further from the truth:

"LulzSec website break-ins look to have been languorously orchestrated, using nothing more sophisticated than entry-level automatic web database bug-finding tools, available for free online.
In other words, LulzSec is a timely wake-up call to better security if you are still asleep at the wheel. Your customers' data is important - both to them and to you."

We InfoSec professionals need to heed the warning. It's going to get worse before it gets better. The Advanced Persistent Threat is, in practice, the "Simple Persistent Threat". The online organisation without weak spots, the impregnable network, is a fantasy. We need to wake up and improve security, but also reduce the potential impact of a breach: encryption, data cleansing and segregation, and a decent Incident Response plan.
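To make concrete what "entry-level automatic web database bug-finding tools" actually find, here is an added example that is not part of the original post or of the Sophos article: the classic SQL injection weakness, user input concatenated into a query string, alongside the parameterised query that fixes it. The customer table, the usernames and the payload are all constructed for this demonstration, and it uses Python's built-in sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real breach.
CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# The textbook tautology payload an automated scanner would try in a login or
# search field: it closes the quoted literal and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The weakness the scanners look for: user input spliced into the SQL text.

    With PAYLOAD the statement becomes
        SELECT ... WHERE username = 'x' OR '1'='1'
    which matches every row in the table.
    """
    query = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn, username):
    """Parameterised query: the value travels separately from the SQL text,
    so the database engine never parses it as SQL syntax."""
    return conn.execute(
        "SELECT username, email FROM customers WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both lookups with a normal username and with the injection payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "fixed_normal": lookup_fixed(conn, "alice"),
        "fixed_payload": lookup_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Against the vulnerable function the payload returns every row in the table, which is how a trivial bug in one web form turns into a bulk leak of customers' data; against the parameterised version the same input is treated as a literal username and matches nothing. Parameterisation fixes the injection, but it does nothing for the second half of the point above: if the table held plaintext passwords or card numbers, a breach by some other route would still expose them, which is where encryption, data cleansing and segregation come in.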

But for now, back to Sophos' take on LulzSec, for those who are ambivalent about their activities:-

"But the end doesn't justify the means. Time spent throwing bricks through other people's digital windows doesn't actually teach anyone anything about glassmaking, glazing or civil engineering. If you consider yourself a hacker and you have time to spare, but you're tempted by "hacking" such as DDoSes or gratuitous break-ins, why not use your skills for active benefit instead? Follow the lead of a guy like Johnny Long and hackersforcharity.org"

Tuesday, 26 April 2011

David Lacey lays into Compliance. Again!

He co-authored BS7799, the forerunner of the now fashionable ISO 27000 family of standards that describe best practice in Information Security Management, and now he has disowned his own creation as not fit for purpose in the modern age. In his latest blog post, The Three Faces of Information Security, David Lacey goes further and decries all compliance thus:-

"Unfortunately, it's all based on collections of ancient practices, with a heavy emphasis on documentation and audits. And if you don't want to pay for security, you simply accept the risk. Your security might be completely ineffective but your paperwork will gain you full marks."

Lacey then goes on to describe "Real Security" as distinct from both compliance and the "business enablement" view of security that we sell to management. With the doom-and-gloom conclusion that "most organizations are sleepwalking into a future crisis", Lacey paints a grim picture of the current state of Information Security.

Is he right? Certainly the continuous stream of breach notifications and the ever-growing landscape of threats seem to bear this out. We once knew what we were dealing with, or at least thought we did. We don't, not if we are relying on standards written in the 1990s and last revised six years ago, when the term "cloud computing" was still met with giggles and shrugs and "virtualisation" was a software tool fit only for development environments. The future of InfoSec demands imagination, foresight, a step change fit for the 201Xs, just as BS7799 was a step change in the 1990s. Because if current trends show anything, it's that we're even worse prepared against the enormous imagination and technical skill of today's malicious agents than we thought we were. But in truth, no more than we deserve to be.