Archive for June, 2010

Security Professional Pipeline

Posted in Awareness and Education on June 25th, 2010 by Paul

The demand for a trained and educated information security workforce here in the U.S. continues to grow. Creating a pipeline of information security professionals has to start early. A national campaign to develop the next generation of “Cyber Defenders” has been happening without the fanfare or kudos that it needs.

The Collegiate Cyber Defense Competition has existed since 2005 and, according to a USA Today article, has grown from five competing schools to 83 teams from colleges and universities. A similar high school competition has also been established and is seeing great participation. This is exciting! An environment where talent merges with enthusiasm for the information security field is the right environment to recruit professionals.

I hope these events continue to grow and inspire similar local and regional “cyberwar games” for high school and college teams. I hope they become common recruiting grounds for both the public and private sector. Well done.

Cyber Risk being disclosed in SEC filings

Posted in Business and Security on June 15th, 2010 by Paul

A June 8 Bloomberg Businessweek article noted that publicly traded companies have started including the “material risk” of computer attacks in their SEC filings.  It’s interesting to see the admission of some major companies that the threat of targeted attacks can impact the bottom line.

In what will undoubtedly become the trend in risk reporting to shareholders in annual reports, there should be a corresponding effort to take action to counter the threat. Perhaps the increased visibility into the advanced persistent threat will spur organizations out from behind their Cyber-Maginot lines and into more agile defenses.

Evolution of Policy Management

Posted in Business and Security on June 2nd, 2010 by Paul

Policies, procedures, guidelines, standards. Most organizations have these in some form or another, but how the organization manages these important “documents” is quite telling.

The Story Teller

These organizations rely on word of mouth.  People just “know” what the procedure is or what they are “supposed” to do.  Just like nomadic tribes passing down their history from generation to generation through the use of stories, these organizations pass down standards from new hire to new hire through the proverbial grapevine.  Policies, procedures, and standards are only as good and consistent as the story.

The Stone Tablet

These organizations go through the process of creating and documenting policies, procedures and standards, but once written, these documents are never visited again. They sit on the shelf gathering dust, and if they are ever reviewed, they tend to be years or even decades out of date. These documents lose their relevance, and efforts to update them become a monumental task with little payback.

The File Clerk

These organizations keep their documents filed either physically or electronically on a file server. They may even have a numbering system and a process to review and renew the documents. These documents are sometimes difficult to find due to multiple storage locations, and the review process is sometimes overlooked because there is relatively little control or ownership.

The Document Management System

These organizations use a system that manages review cycles, has an approval workflow, keeps version control, and supports multiple file types. Policies, procedures, and standards are kept current as the process becomes part of the organizational culture. Documents have owners and clear responsibility. Standards for systems are documented and current, as the single system provides a central repository and process for updating them.

Where does your organization sit in the evolution of policy & procedure management?