Friday, 23 October 2009

RSA Conference Europe 2009 - Day 3

Day 3 was a partial-event for me. Following a dinner with Hugh Thompson on Wednesday evening and a particularly cheesy scallop, I was out of action. Whilst the dinner was fun and we much enjoyed splitting the bill 14 ways as per RSA's instructions, I think next time I hit a conference I will be avoiding the seafood.

I managed the WOMBAT session from Marc Dacier at Symantec. Their approach to threat analysis was simple and effective. On the basis that everyone needs to register a domain to serve up a website, some interesting patterns around malicious websites and domain registrars have surfaced, enabling them to be blacklisted. It's a pity the law isn't flexible or fast enough to actually take these sites down.

Symantec offer a free honeypot application (SGNET) that they encourage everyone with a reasonable internet presence to install (at the perimeter). This acts as a monitoring agent and picks up whatever attacks are thrown at it (it is deliberately written to be insecure and runs in 3x VMWare instances) and sends the information back to HoneyPot Central, or whatever they call it.

It's a good example of how we can all offer help to combat the global problem, but when Symantec absorb this information and punt out commercial services based around this research, I think it's more for the good of Symantec, rather than the community as a whole.

Nick Leeson's final keynote was entertaining. Ed Gibson reckoned Nick was just blaming everyone else for letting him make mistakes, but on the other hand, if his activities were properly regulated, then Barings would probably still be here. Barings as a whole were almost certainly negligent, and pinning the blame directly all on one man did sound a little unfair. I suppose technically, Nick was the only employee to have committed a real crime, whereas those guilty of corporate negligence got away with it. I note the DPA/CMA of these days actually makes negligence an imprisonable offence.
So we move more and more to a blame culture. If people make mistakes, then the more law there is, the more likely people are to hide such mistakes and no-one will ever learn.

Nick did hope that we all learned from his mistakes, which I suppose we did, but whereas all the other RSA presentations were all pats-on-the-back and shameless self-promoting, Nick's was the only one that focussed on what we can learn from a mistake, and a very big one at that. Which was a humbling experience.

Anyway. A big pile of business cards to go through, mostly with names on them that I cannot pronounce. My next post may take a while.

RSA Conference Europe 2009 - Day 2

The RSA Conference has come to an end. A very worthwhile three days and an interesting mix of high-level, low-level and the just plain bizarre. You sort of have to ask yourself what some of these speakers are doing here.

Day 2 raised a few interesting concepts I'd not heard of before and I heard Uri Rivner's presentation again (how to be a Cyber Crime Oligarch (that he still can't pronounce!)).

The interesting thing here is that Cyber Crime is becoming more and more business like. Cashing out is always the big problem for criminals and this is achieved through setting up apparently legitimate shop front ends or businesses and employing naive people who will happily launder money for you, thinking they are working for a legitimate business.

Amy Barzdukas from Microsoft, who I think is the most senior employee at Microsoft with anything to do with Internet Explorer, delivered a hefty underhand blow to Google Chrome. Apparently it's insecure because it sends Google back search strings key by key (to make keywords work), rather than sending search strings in their entirety (a la Bing).
The good news is that Microsoft have released free AV - Microsoft Security Essentials. This is aimed at the millions of computers around the world whose security updates stopped working when Microsoft's Genuine Advantage component came out.
There was some irony in her last comment, implying that 'we as security professionals' have to work together to stop people using browser based hacks and stealing money and/or personal data.
I was hoping Microsoft might start working together and write a secure browser.

The SOCA/FBI talk was as to be expected (Andy Auld and Keith Mularski). This was pre-ambled by a 'please no photos' as some of the material was considered confidential and too dangerous for the public domain. Well bollocks to that. Chances are the criminal fraternity already know what you're doing and have orchestrated ways around this.

They are spending a lot of time and money on combatting credit card fraud. Surely Visa / MasterCard should be footing the bill for coming up with an insecure card scheme in the first place? Roll on one-time card numbers! :)

I much enjoyed Anne Claydon's talk from Lloyds Banking Group. As one of the smaller banks (she came from Bank of Scotland), they've been able to react very quickly (in banking terms) to credit card and account fraud and have done a great job in reducing it. If only the banks would bother talking to each other and sharing this technology, the world would be a better place.

The downside to this is that as payment card and account fraud become increasingly difficult, criminals are going to the individual. Identity theft saw a marked increase (38%) year on year, whereas payment card and account fraud saw a drop (approx -25%).

So as banks shore up their defences, criminals find it more economical to target us as individuals. Speaking on behalf of 67m UK residents, we're no way prepared for this. We have been encouraged to use our identity as means of online authentication for the past 15-20 years now. Our identity is in the public domain. We are easy targets. Can't the banks put their insecure systems back? HELP !!!

The last session on Collateral Hacking put Hugh Thompson, Andre Nash (PayPal), David Ostertag (Verizon) and Ira Winkler (ISAG) on stage. A bun fight ensued, but I did want to take note of certain comments:

"You get what you pay for". David implied that the more you pay, the better the service and the more secure it is. However, in my opinion, "you get what contract you've agreed" is far more apt. Some of the more expensive contracts specifically avoid security inclusions to avoid any large-scale corporate liability. Also look at AntiVirus 2008. People paid $49.50 for that and it was scare ware. Free AVG would have done a better job.

"There is no penalty for individuals". David implied that individuals should be more responsible for not letting their identity fall into the public domain and not taking a click through mentality that ends up with malware being installed on their machines. Well excuse me, but I think Identity Theft is a pretty severe penalty and whilst there may be no fines for individual negligence, having your bank account dead for a few weeks and not being able to put gas in your Hummer is punishment enough.

"If you don't know what you're doing, outsource". Ira implied that companies with no idea about security should outsource. Well this is part of the problem. If you've no idea about security, then you've probably no idea how to securely outsource. What contract are you signing? Do its contents shift liability to your service provider for any breach? Does actively encouraging businesses to the cloud improve security?

How about some sort of industry kite mark that recognises secure service providers? For example, Visa and MasterCard's list of service providers that process credit card information is pretty darn secure. Each provider needs to undergo an annual audit to remain on the list. How could we introduce such a scheme to cloud providers as a whole? I wonder...

Tuesday, 20 October 2009

RSA Conference Europe 2009 - Day 1

Today I took on Day One of the RSA Conference, Europe 2009.

Firstly, the place is huge (Hilton Metropole). I wasn't sure if the heaving lobby was full of delegates, or just transient airline pilots. Or maybe a good disguise to what didn't really look like a well attended conference. At the price tag of £950, maybe that's just the way things are.

On the subject of price, at £4.45 for a coffee, the Hilton's Costa Coffee was a little excessive, especially where the Costa Coffee over the road served the same thing for £2.50.

The RSA keynotes were great. Their presentations were seriously pimped up and I was privileged enough to be in the front row. I could even see the presenters' autocues (doesn't anyone just wing it anymore?).

Arthur Coviello and Chris Young set the scene nicely, followed by an entertaining talk by Hugh Thompson, who talked about some interesting research around Amplification and Collective Intelligence as means to 'borrow' somebody's identity. In short - people post too much information about themselves onto public forums without being educated as to the risks.

I popped into Guy Bunker's talk on Cloud Computing. I was a little disappointed this was rated I (Intermediate) as this was clearly a beginner's presentation. Within 15 minutes I hadn't learnt anything new so I went next door to listen to Howard Schmidt and Roger Dean. They were pretty brave to take on Cyber Security and its take up by Governments worldwide. As professionals, we're pretty much all of the opinion that although the UK Government has created a Cyber Security Office it is clearly a political organisation providing a PR role, and doesn't have the power to actually do anything (especially with a general election coming up).

A sea of brown paper lunch bags awaited, that were eagerly devoured by fans of motorway sandwiches. Not the best. Gave us the chance to pop into the vendor expo, which, bizarrely enough, was closed (until Wednesday lunchtime, apparently).

For something a bit different, I listened to Alexei Proskura's talk about Information Security Shadows, which gave interesting insight in how to build and balance an information security team.

Next up was the Privacy Concerns with Adopting DLP (Data Loss Prevention) Technology session, presented by Katie Curtin-Mestre, Stewart Room and Yngve Sunnanbo.

What struck me is why companies wait until they implement DLP solutions before they even consider employee privacy. Pardon me, but if a DLP solution is picking up personal data, then isn't that personal data already on your network, regardless of DLP?

DLP is such a misnomer. Much in the same way where firewalls were touted to be the be all and end all to security 10 years ago (and let hackers in), Intrusion Prevention Systems about 5 years ago (and let hackers in) and now DLP (you get the picture!). Plus whatever vendors have decided what security is about in between.

DLP is not about sticking in a piece of technology. It's about reducing excessive access control and not letting employees look at data they don't need to. This is a basic security principle and DLP's sticking plaster approach is, at best, a 2 or 3 year old fad, depending how far vendor marketing budgets stretch.

It also became apparent that RSA's DLP solution is a 'monitoring' solution, that would alert you if sensitive data actually left your organization. Nobody seems brave enough to implement it in active mode.

My DLP solution? ISO 27001!!

To top the day off, Marcus Murray and Bjorn Brolin delivered an excellent demonstration showing how to break Microsoft's driver signing model and put, in essence, any driver you wanted on a Windows server system. Just because a driver is signed, it doesn't mean it's secure... I had absolutely no idea what they were doing, but it looked good and I believed what they said.

On to day 2. More to report tomorrow...

Tuesday, 30 June 2009

VPNs. Does Anyone Ever Ask Why?

I was reading an interesting thread today, namely around the necessity of VPNs in general and the role of public telecommunications companies.

What struck me is that no-one has really taken a step back and asked why we are still using VPNs and what fears we sought to overcome by employing them in the first place.

From a risk-based perspective, encrypting traffic before you send it over an untrusted network and decrypting at the other end only serves to protect you if somebody is in a position to intercept or divert such traffic. Otherwise what's the point of obfuscating what you send?

I can perhaps see a valid role for client VPN technology for remote workers sat in a hotel in Beijing, but what's the worst that can happen if such traffic does get intercepted? Surely if data is that sensitive, then individuals would not be storing it electronically and sending it on the wire in the first place.

Hence when I see a multi-million pound VPN being deployed locally in the UK, I ask why.

What's the point of encrypting all this traffic to mitigate the risk of somebody breaking into your ISP, installing monitoring equipment and intercepting your data? It's no easy feat to get into a data centre in the first place and interfering with comms links just isn't going to happen.

Are companies throwing money away by investing in mesh-like VPN infrastructures for fear of the unknown? Shouldn't money be spent more appropriately, such as in data encryption technologies and user awareness?

VPNs are an established constant - you all know what you're going to get and how much you're going to pay for it, but just because you can negotiate a good contract doesn't mean you actually need it. Banks have been transmitting sensitive data in the clear since their electronic beginnings, so why should your average company encrypt day-to-day communications - is this extra expenditure really worth it?

What I believe companies should be doing is improving internal user awareness to a point where sensitive data is treated with the respect it deserves and not pumped over the internet in VPN or non-VPN form at all.

VPNs are perhaps giving us all a false sense of security and are encouraging users to take shortcuts "because the system's secure and it doesn't matter what we do".

With the advent of Web 2.0 and Cloud Computing back in the 1990s (some people still think it only all happened this year... sigh...), point to point hardware based encryption becomes even more irrelevant. Web pages can easily support browser based encryption which absolves the need for VPN meshes altogether.

Yet still, there's another multi-million pound tender for a VPN network sitting in my Inbox, which no doubt will get awarded to the smallest bidder, who will skimp on security features and just end up selling wire.

Security is not a commodity. It's psychology...

Wednesday, 21 January 2009

HPY - The latest breach.... 100 million credit cards stolen

Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants:

http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm

I took a moment to see if they were PCI Compliant and they were audited in March 2008 by Trustwave:

http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20January%2015%202009.pdf

QSAs cannot be held liable for customer breaches, but seeing as the compromise occurred only a few months after their final audit, it does bring into question PCI DSS auditing practices and whether or not they're just 'tick in the box' or actually leave companies with a long-lasting compliance strategy that actually helps merchants/service providers remain compliant.

I'm hoping this wakes companies up to the risks of dealing with credit cards and it highlights the fact that just because they've ticked all the boxes in an audit doesn't mean they can slack off for the rest of the year, play golf and let hackers help themselves to valuable customer records.

Especially in times of recession, criminals will always be one step ahead. Point security solutions don't necessarily help, but ensuring the integrity of core systems and ensuring a full independent audit trail is essential to help combat the ever increasing likelihood of successful intrusion.

Monday, 15 December 2008

Bleeding Edge

Bleeding Edge Technology and PCI DSS

Of recent note are several case studies where retailers have employed bleeding edge technology to meet specific PCI DSS controls.
For example, Marks & Spencer have purchased 16,000 copies of Bit9 parity (in order to partially meet the requirements of section 5), Sainsbury's look set to invest in 3rd Brigade's state-of-the-art host IPS system and there are many others.

The question is, why are stable, tested options being overlooked?
In some cases additional solutions are not even required to meet the PCI DSS and processes can be addressed manually.
There are added risks of using bleeding edge solutions - they may not work, they almost always involve substantial training and deployment overhead, plus typically they're quite expensive.

I just don't get why companies get suckered into buying these things, often at the expense of other areas of PCI DSS that actually present greater risk.

Actually, I do partially understand as bleeding edge technology is often wrapped up with a 'fantastic' discount and positioned in a way that gullible companies feel there is no other way to become compliant, but this doesn't say much about the purchasing and risk analysis processes that aren't in place!

Don't feel pressured into buying technology. If you do feel pressured there's evidently something amiss, as technology procurement should be a painless, natural fit to be adopted when your company needs it, rather than when the vendor needs you to buy it.

Tuesday, 2 December 2008

Beware PCI DSS Compliant solution vendors

There are many security vendors in the marketplace that all claim to be able to help you reach PCI DSS Compliance at minimal cost and management overhead.

Taken in isolation, many controls for PCI DSS can indeed be addressed by 3rd party technology, but more often than not I'm finding customers have been making ill-informed decisions to go ahead and procure technological controls without taking into account in house skills, overlap with other controls, risk, cost and management overhead. Whilst the vendors aren't doing anything wrong, after all most are niche and can indeed address controls in isolation, it's important to take a balanced, holistic view to the whole of your project and move toward addressing controls in conjunction.

A recent customer approached me having purchased a web application firewall for section 6.6, an IPS system for 11.4, a source code scanner for section 6.5, a penetration testing suite for 11.3, a file integrity tool for 11.5 and a vulnerability management tool for 11.2. All of a sudden, that company now has 6 different technology vendors on their books. Although all purchased with the best of intentions, addressing PCI DSS controls in isolation is the wrong way to go and actually creates a more complex, unmanageable environment than the one you started out with in the first place.

The purpose of PCI DSS is to reduce risk. Risk can be reduced by reducing complexity. Increasing complexity increases risk. Strike a balance, perform a proper Risk Assessment exercise and only invest in 3rd party technology if you have no other choice.

With a recession in full swing, businesses should be spending money internally, beefing up existing security systems, training staff, reviewing policies/procedures, and the last thing you should be doing is investing in 3rd party technology. If you see a PO on your desk for an obscure technology that you don't quite understand, chances are this is cash that's available for internal spend.