Back from Infosecurity Europe

May 4, 2009 by brightfly

After talking to literally dozens of practitioners and vendors, what was most striking was that the term ‘GRC’ (governance, risk and compliance) is largely absent from the European security vocabulary. I watched a few US-based companies drop the term on attendees and they were met with puzzled looks. More than once, I overheard attendees asking what the acronym stood for.

After interviewing countless attendees, we also discovered that the focus is different across the pond. Nearly every person interviewed said they were either ISO 27001 certified, were actively working on it, or it was a project being mandated by their management. When pressed, the primary reason for the certification wasn’t to “be more secure”, “reduce their controls environment”, or other such US marketing nonsense. Instead, they saw the certification process as a step toward raising the bar on their competition. Having the ISO blessing, they felt, made them more competitive. This is a shift we at Brightfly have been advocating in the US for nearly 18 months, and here they have already been pursuing it in the UK and beyond. It will be interesting to see which viewpoint prevails as the marketing engine continues to churn.

Only One Week Until SOURCE Boston!

March 2, 2009 by brightfly

We’re busy getting ready for SOURCE Boston next week. On the 10th, we’ll be hosting a FREE workshop centered around the Massachusetts Privacy Law. While this piece of legislation has been delayed, yet again, we feel that the community has a vested interest in a concerted and coordinated response and we couldn’t think of a better time to tackle it. With that in mind, we will be driving for consensus around a set of controls across industry sectors. Join us for this opportunity to have your voice heard. We’ll be presenting the Response Framework, among other things, on Friday, where we’ll also open The Consensus Controls Project up to the attendees for our beta.

More information can be found at the SOURCE Conference website.

We look forward to seeing you there!

Choosing Controls

January 20, 2009 by brightfly

To date, folks have chosen a best practice framework such as COBIT or ISO and then cherry-picked specific controls to align with their audit and operational requirements. Unfortunately, there is a lot of mismatch between organizations with regard to which controls get chosen and how often they are tested, and in general they have been struggling to figure out which controls are the right ones for them. This falls back to the basic concept of “due care”: loosely defined as “what a reasonable person in similar circumstances would do.” I fought with this while I was running InfoSec in the past, and we tried to fix the problem with the solution we developed and later sold off. I think we missed something though.

This brings us to The Consensus Controls Project, a free service for security and audit professionals whereby they can crowdsource compliance for themselves. You will be able to upload and share controls with peers, search for companies with similar risk profiles, and once and for all define due care by having access to what is both similar and reasonable based upon industry, auditor of record, geography, or other such company demographics.

The days of “off the rack” compliance are going away. Now is the time for “bespoke” control environments, custom tailored to company need. No more need to rely on any “academic” frameworks; instead, you can rely on the wisdom of your peers. Peer-reviewed due care.

Early press coverage of The Consensus Controls Project

December 17, 2008 by brightfly

Unbeknownst to us at the time, TechTarget was covering the Bay Area ISSA chapter meeting where we mentioned The Consensus Controls Project. We are grateful that Marcia Savage circled back with us to make sure she had all the facts. The coverage can be found here.

Consensus Controls Blog is Live!

December 8, 2008 by brightfly

Welcome to The Consensus Controls Project blog. This blog will be updated regularly and will be a window into The Project as it develops and an ongoing way for us to communicate our progress to the world. You can also follow us on Twitter, where all of our blog postings will be forwarded, along with shorter snippets of information that we find to be relevant to the cause of peer-reviewed due care.