More on the 2010 Data Breach Report
Thursday, 26 August 2010 08:50

In my last blog post, I discussed the increase in reported breaches caused by insiders. What I didn't tell you was that the loss from those breaches was primarily (49%) embezzlement and related fraud. Only 3% of the records breached came from insider attacks.

This is important to note. The controls you need in place to prevent embezzlement, skimming and other types of fraud may be different from those you need to protect static database records or file data. Understanding where your attacks are coming from, and what they target, is very useful when selecting and placing controls.

On the flip side, 98% of the records compromised (customer, patient, etc.) were breached by external sources, and 85% of those records were attributed to organized crime. WOW! I knew the number was high, but that surprised me.

It makes me second-guess my career choice: here I am tracking organized crime for a living and I don't even get to carry a gun. All kidding aside, this too should be a wake-up call. Knowing where our attacks are coming from is important. Organized crime has the resources, capital and manpower to do significant damage when it wants to. The days of deploying isolated security controls that do not share information with each other are coming to an end. As the attacks get more complex, so must our defenses.

Don't read too much into all of this, though. As the report points out, 96% of all breaches were avoidable through simple or intermediate controls. Start small and work your way up to a robust risk management and security program. As the old adage goes, you only have to be faster than the slowest gazelle. That is, if there's only one lion.

2010 Data Breach Investigations Report
Thursday, 26 August 2010 08:24

At the last ISSA meeting in Des Moines, we reviewed the 2010 Data Breach Investigations Report published by the Verizon RISK Team in cooperation with the US Secret Service (USSS). This was the first year the USSS provided data for the report. The additional information expands the scope of the report and adds to its credibility. Not that the report wasn't credible in the past, but Verizon's caseload naturally favors the larger clients who can pay for its services. The USSS data helps to broaden the scope.

Two things caught my eye this year. The first was the 26% increase in breaches caused by insiders. The addition of USSS data helps reveal what we've known for a long time: inside threats are very real, and we must be prepared to prevent or detect them.

The second interesting fact was that 96% of all breaches were avoidable through simple or intermediate controls. This means it is neither difficult nor expensive to stop this epidemic. Why does it continue?

I believe the biggest reason is risk management, or rather how poorly we communicate it. IT leaders are not proving their case well enough. When asking for budgets to mitigate risk, we are not providing the detail or clearly communicating the risk. I'll bet that if you asked every executive involved in that 96% of breaches whether they would rather have paid for the controls up front, you'd get a 100% affirmation rate.

This week, make a concerted effort to ensure you are clearly communicating risk to the organization. Don't pull a "Chicken Little" routine; instead, spend the time to gather the facts and numbers that show management the entire picture. You might be surprised how quickly they respond.

I'll add some additional thoughts on the report next week. If you are local to central Iowa and are interested in joining us at the next ISSA meeting, please check out our website at www.issa-desmoines.org.

Account Manager Wanted
Friday, 30 April 2010 14:29

Integrity is looking for a commissioned Account Manager. If you are interested in this position, please send your resume and cover letter.

Job Purpose: Grow the company's market share and profitability.

Duties:

(50%) Responsible for the sale of IT risk management, security and compliance services by sourcing and developing client relationships and referrals.

(20%) Develops a database of qualified leads through referrals, telephone canvassing, face-to-face cold calling on business owners, direct mail, email, and networking.

(5%) Develops an annual business plan in conjunction with the President, detailing the activities to follow during the fiscal year that will focus the Account Manager on meeting or exceeding sales quota.

(5%) Maximizes all opportunities in the process of closing a sale, resulting in the taking of market share from larger competitors.

(5%) Sells consultatively and recommends to prospects and clients the various solutions the company offers for their business issues.

(5%) Creates and conducts effective proposal presentations and RFP responses that identify the prospect's business problems, the effects of those problems, and the Integrity solutions to them.

(5%) Builds trust, values others, communicates effectively, drives execution, fosters innovation, focuses on the customer, collaborates with others, solves problems creatively and demonstrates high integrity.

(5%) Maintains professional internal and external relationships that meet company core values.

Skills/Qualifications:

Strong understanding of customer and market dynamics and requirements.

Willingness to travel within the Iowa, Minnesota, Nebraska, Missouri, Kansas territory.

Proven ability to achieve sales quotas.

Demonstrates technical selling skills and product knowledge in IT risk management, information security and regulatory compliance.

Complete understanding of pricing and proposal models, including the ability to respond adequately to client RFPs.

Demonstrates the ability to carry on a business conversation with business owners and decision makers. Maintains a professional appearance and vocabulary.

Educational Requirements:
Bachelor's Degree or equivalent work experience.

CISSP Boot Camp Coming to Ankeny in May
Thursday, 25 March 2010 10:07

I'm pleased to announce that we will be partnering with the Electronic Crime Institute (ECI) at Des Moines Area Community College to present a CISSP Boot Camp May 17th - 21st at the DMACC campus in Ankeny. This course is designed to provide a solid learning environment for anyone wishing to pursue the Certified Information Systems Security Professional (CISSP) designation from ISC2. It is also an excellent course for those who have IT security or risk management responsibilities and would like to broaden their knowledge in these areas.

I will be the instructor for the course, and along with the course materials we are including a free copy of the CISSP LabSim product from TestOut. This additional learning tool includes video-based instruction, written study guides and practice tests that supplement the in-class learning experience.

The cost for this week-long boot camp is just $1,495 per person. Considering the TestOut product is a $695 value, this is a great price for in-person, instructor-led training right here in Iowa. You can register at ce.dmacc.edu or contact me.

February ISSA Des Moines Chapter Meeting
Wednesday, 10 February 2010 21:09

ISSA Des Moines Chapter Meeting
DATE: 2/22
TIME: 11:30 (Please RSVP for a box lunch - cost $9.00)
LOCATION: BCSSI West Des Moines (www.issa-desmoines.org for directions)
TOPIC: "Oracle Security Risks" by Stephen Kost, CTO Integrigy Corporation

For most IT security professionals, the Oracle Database is a security challenge because of the complexity of the database and a lack of database experience, even though these databases often contain an organization's most critical data. This presentation will focus on a few of the highest-risk and most difficult-to-solve security problems in an Oracle Database environment, including security vulnerabilities, password weaknesses, and generic privileged access. To highlight the unrealized risk of security vulnerabilities in the database, a number of actual patched and unpatched security issues will be demonstrated. To mitigate these risks, resources and best practices for securing an organization's database will be discussed.

Stephen Kost is the Chief Technology Officer for Integrigy Corporation. He has been writing about and presenting on Oracle security and auditing for the past 11 years. He has worked with Oracle products since 1994 in many roles including database administrator, technical architect, IT security auditor, and applications administrator.
