God and Security

Recently (yesterday) I had the opportunity to chat over a meal with George Kurtz, a Senior Vice President and general manager in charge of McAfee's Risk and Compliance unit. (whew, that's a mouthful). In attendance were a small number of other CSO's (or equivalent) and we listened to George, also a co-founder of Foundstone, the premier vulnerability scanning solution. We also bounced some ideas back and forth and generally shared information like good stewards of our respective enterprises. So, keep in mind that McAfee is a vendor. They sell products and services. I found it fascinating that one of the most common themes to the questions was not technology, rather it was something relating to the "human" side of information security. Question such as: how can we justify headcount? who dictates policy? how do we show value to management? I find this interesting for two reasons. One: security people often tend to be caricatures of other IT folks. Even more ...

Okay, so after years of putting of taking the CISSP examination (read: trying to get someone else to pay for it) I finally scheduled my exam and took it in April. There are plenty of posts about it, and I don't want to duplicate what others have said, so I'll just put in this small bit: If you can regularly pass the FreePracticeTest exams online with an 80 or higher, then you are most of the way there. I don't think I ran into a single question on FreePracticeTests(FPT) that was on the actual exam, but they give a *great* fell for what to expect. This means, however, that just learning the answers to FPT won't do you any good. In my case, I had 10+ years of dedicated info security experience by the time I took the test, plus years of consulting and SA/SE work prior to that, so there was little on there to surprise me. What I did was go out and buy Shon Harris' excellent book and read the chapter titles to see what areas I seemed lacking in (based on the FPT)....