Visible Ops Blog

Do data breach disclosure laws reduce identity theft?

Paul Love — Mon, 16 Jun 2008 19:01:00 GMT

Suspense building... You have to click on the link to find out what our friend Sasha Romanosky over at Carnegie Mellon, has found through anaysis of emperical data!http://weis2008.econinfosec.org/papers/Romanosky.pdf Hint - these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices....(read more)

The importance of scalable, efficient security processes

Paul Love — Mon, 12 May 2008 20:59:00 GMT

The business world is getting faster and time to react is being reduced significantly. The days where Information Security could depend on processes that weren’t efficient or customer focused are gone, as the business won’t wait to capture an important business opportunity. An example of this is the expanded use of Virtual Machine technologies such as VMWare, XEN, etc. This technology allows the business to deploy new capabilities in a way that was unheard of 5-10 years ago....(read more)

What is your CFO reading about security?

Paul Love — Mon, 28 Apr 2008 18:24:00 GMT

CFO Magazine has a great article for a significant Information Security customer inside your organization. I suggest all security professionals read this non-technical, honest discussion on security controls and their importance.Enjoy,Paul...(read more)

Two nuggets of Wisdom

Paul Love — Wed, 16 Apr 2008 03:03:00 GMT

One of the other authors of Visible Ops Security recently sent the following two nuggets of wisdom while sitting in an airport that resonate with me more than ever:"1. Sustainable information security is not possible by exectuve mandate alone. Information Security must integrate with other functional groups to mutually achieve business objectives. 2. In the same regards that only Nixon could go to China, information security must take the initiative to reach out to these groups,...(read more)

Breaking Through Organizational Silos

Paul Love — Mon, 07 Apr 2008 22:16:00 GMT

The Visible Ops Security authors recently conducted a Webinar with Info Security Magazine with the following description “How can IT security practitioners break through organizational silos, removing the stigma associated with security controls and compliance projects, and enabling security across the organization? This difficult question will be addressed by Gene Kim, George Spafford, and Paul Love , the authors of the forthcoming book `Security Visible Ops' in Webinar roundtable discussion...(read more)

You Have Competition!

Paul Love — Tue, 18 Mar 2008 17:25:00 GMT

It's odd to think that as Information Security professionals, we have competition within our companies/organizations for the services we provide. One of the primary services most Information Security professionals provide is consultation on risk. In that area we have competition, but not in the manner that may initially come to mind. The choices for our internal customers for Information Security consultation include, but are not limited to: 1. Talking to other groups that may have some thoughts/input...(read more)

The power of NOT saying "No"

Paul Love — Wed, 12 Mar 2008 17:39:00 GMT

Find workables alternative - instead of saying "Nno......(read more)

Visible Ops Security

Paul Love — Mon, 03 Mar 2008 21:16:00 GMT

What will this blog cover? Not technology......(read more)

Visible Ops Security - new author blogging

kurtmilne — Mon, 28 Jan 2008 20:49:00 GMT

The IT Process Institute will soon release the second Visible Ops title. Please allow me to introduce Paul Love who is one of the authors of this new work, and a practicing Security Professional. Paul will be adding security related blogs to this forum. Welcome Paul! Visible Ops Security...(read more)

Process Culture

kurtmilne — Tue, 07 Aug 2007 22:18:00 GMT

In September, we’ll release the findings of our Change, Configuration, and Release performance study. One of the findings in that study, is that a focus on managing IT processes predicts performance variation accross top, medium, and low performers in the study, as much or more than change, config, and release practices recommended in industry frameworks. One of the key predictors of performance variation across the top, medium and low performers in the organization – was how much...(read more)

Process Maturity Matters

kurtmilne — Thu, 19 Jul 2007 19:47:00 GMT

One of the key findings or our most recent research study is that process maturity matters! That is, organizations with higher levels of process maturity for key IT controls got more measurable performance gain than those that implemented the same controls at a lower level of maturity. Download our most recent executive summary “Process Maturity Matters”. This is not a surprising finding for six-sigma black belts and other IT folks who have a process improvement approach to achieving...(read more)

Metrics That Matter - Part 4 Server to Sysadmin Ratio

Gene Kim — Thu, 28 Jun 2007 22:17:00 GMT

Fourth in a four part series on key metrics related to the IT Controls Performance Study. In virtually every vocation, there are simple organizational indicators that are used to benchmark effectiveness and efficiency. A sales organization may want to benchmark itself against competitors by calculating its revenue per quota-bearing salesperson. If company management desires to increase the revenue-to-salesperson metric, they cannot achieve it by merely firing salespeople! Instead, they must do myriad...(read more)

Metrics That Matter - Part 3 - Change Success Rate

Gene Kim — Wed, 16 May 2007 15:57:00 GMT

In my previous Metrics that Matter posts, I discussed how high performing IT organizations use mean time to repair (MTTR) and first fix rate (FFR). In this post, I'll excerpt from my recent article that covered another metric that stratified the high performers from medium and low performers that we have studied in the IT Controls Performance Study. This key metric is change success rate. The key finding from the study is that top performers have a more stringent definition of...(read more)

Egg and Chicken - George's point of view

kurtmilne — Wed, 25 Apr 2007 17:16:00 GMT

Here is an excerpt from an excellent recent article by George Spafford that highlights Change management's role in configuration management. Fundamentally, what groups don’t realize is that their challenge isn’t with Configuration Management. It is with Change Management. Change Management is the process by which an organization implements the necessary procedures to control changes to production and thus manage risk. It is very important to understand that Change Management governs Configuration...(read more)

Change and Config - Chicken and Egg

kurtmilne — Wed, 25 Apr 2007 16:31:00 GMT

I've recently completed interviews with 11 top performing IT shops about their change, configuration, and release practices. What struck me was how important configuration management was to these top performers. ITIL configuration management primarily focuses on collecting and managing information about configuration components (i.e. collecting and maintaining CI data in CMDB). But the top performers I talked almost all stressed that having a standard build...(read more)