Thursday, February 22, 2007

TJ Maxx security lapse, PCI, and business value

eWeek has an article on TJX and its disclosures coming in bits and pieces. While the article has interviews with several industry fellows that indicate PCI compliance as the "ultimate" solver of the data theft problem, I honestly believe that many corporations use such "compliance" requirements to their disadvantage by being narrowly focused. All they want to do is get it out of their way so they have a stamp or seal from an "approved" PCI vendor. Proving that you meet 12 requirements in 6 areas is not going to bring value, but leveraging that and going the extra mile is what brings value. Hear it again for the nth time: "Compliance is not the end game! Leveraging compliance to support your business processes and bringing in shareholder value is."

Tuesday, February 20, 2007

Stop & Shop Breach

I am a little unclear on how the breach was executed! An "investigation" by Stop & Shop says that no insider participated. However, it's a bit strange how this whole thing was carried out. I think it's my first time seeing this happen! Perhaps they broke in prior to wiring the ETFs, and started collecting data over a period of time? It would be interesting to watch the progress on this theft!

News is available on the Boston Globe.

Wednesday, February 14, 2007

It's about time...

PayPal announced the use of authentication tokens. I think PayPal will probably make money on this deal. Imagine 100 million accounts and $5 tokens sold to them! In any case, I think it's a positive thing. I am not sure why all the banks have not done that!

Saturday, February 10, 2007

RSA on Feb 9 2007

Finally, I am home after a week in San Francisco. I attended one session Friday by Ben Rothke. He took the "Stephen Covey" avatar to discuss the 5 habits of enterprises that treat security seriously.

Overall, the conference proved one thing - security is an issue due to: a) lack of understanding of the requirements out there, b) people, and c) processes. There are a ton of technologies out there that will solve a whole bunch of things, but they are definitely not focusing on the challenges that the customers have. Bleeding edge technology in this industry is good, but not when it does not cater to the customer's real challenges!

Thursday, February 08, 2007

RSA on Feb 8 2007

Today was an alright day at the RSA. A very good presentation on infusing security into the SDLC by Jeff Bardin of IBT. If they do have what they presented, I must say that they have a stellar program.

The highlight of the day for me was the keynote by Tom Kelley of IDEO on how we should be innovative! Our industry does support that, but has never promoted it as much.

I am in my hotel room blogging instead of attending the "CodeBreaker Bash Party"... Well, I do have a dinner with my good friends. So I am off to my friends in a bit.

Tomorrow is the last day, and off I go home, back to NYC!

RSA on Feb 7 2007

The day started off with a session around metrics. So they talked about Risk Circumvention. Interesting concept, but I wonder how often that happens! Even if it happens, why would anyone want to re-brand "Risk Elimination" as "Risk Circumvention"? It almost sounds like you are trying to avoid dealing with risk!

The highlight was when Oracle's Larry Ellison did not show up for a keynote due to flu. It was almost sad to watch everyone walk out of the keynote delivered by Larry's VP of IAM.

In general, I have seen a handful of products around risk management and reporting, but have yet to find something that's specific to defining, monitoring and reporting metrics in a proper manner!

Wednesday, February 07, 2007

RSA on Feb 6 2007

So, here I am again at the RSA Conference. This morning started off with the keynotes from Bill Gates, Craig Mundie, Art Coviello, Joe Tucci, John Thomson, etc. The theme was pretty consistent with what the industry is doing in terms of networks, data protection, identity management and consumer confidence. Microsoft made some announcements around their collaboration with OpenID, while EMC announced the purchase of an India-based DB encryption startup. The notions around moving from fortress security towards secure coding, and from passwords to smartcards, were high notes. Do you think it's time for certificates/PKI to come back? I am sort of tired of hearing "this is the year of PKI" for the nth time since I started in security/risk management!

Friday, February 02, 2007

RSA Security Conference 2007

Yes, after a long time, I am back. Work has been busy and hence I was out of the loop. I'm glad I'm still part of the first page on Google search! :-)

Anyways, I'll be at the RSA Conference Feb 5 through 9. I think I decided not to attend the Colin Powell thing, but definitely around for several other Keynotes and sessions.