Security Musings

Security Musings

Musings on Certifications

Collected musings on information security certifications.

Other Related Articles in Musings on Certifications

Interview with Laura Taylor (CISM), Author of the FISMA Certification & Accreditation Handbook

By Stephen Northcutt

Summary: Laura Taylor is Relevant Technologies' President and CEO. Her research has been used by the FDIC, the FBI, the IRS, the U.S. Federal Reserve, U.S. Customs, the U.S. Treasury, the White House, and many Fortune 500 companies. Ms. Taylor has provided information security consulting services to some of the largest financial institutions in the world including the U.S. Internal Revenue Service, the U.S. Treasury, the U.S. Government-wide Accounting System, and National Westminster Bank, a division of the Royal Bank of Scotland.

Q: Laura, could you tell us a bit about how you got interested in the information security field?
About 14 years ago, I was working as a senior system administrator at a large company that makes servers and operating systems and there was a huge security break-in. The break-in spanned multiple geographic locations and offices in North America. All the system administrators needed to stop what they were doing to work on getting the intruder out. It was a huge company-wide effort. After we finally got the intruder out, all of the departments were required to come up with a security standards guide. I volunteered to write it for my department, since it sounded like an interesting project. The guide was well received and seemed to help everyone. I am sure that today, they are much more secure than they were 14 years ago.
Q. What caused you to start Relevant Technologies?
Primarily I was looking for a website/forum to publish articles on information security. Brien Posey and I have sold many articles to outside media organizations over the years, but once we sell the articles, we sell all our rights to them and cannot control where or when they are published. Sometimes we like to own the rights to our own articles.
Q. How long have you been sending out your newsletter?
The Relevant Security News has existed in one form or another for about 10 years or so. Brien Posey and I merged our newsletters and then about 5 years ago we bought the security newsletter list from a company in Australia that decided to close down.
Q. If I am interested in subscribing to the newsletter, what do I need to do?
It is free. There is a button on the front page of that you click on to subscribe.
Q. Can you tell us a bit about your book?

The book helps you learn how to comply with the Federal Information Security Management Act of 2002 (FISMA). That said, you could really apply the principles in the book to any sort of security compliance audit. The most significant thing about FISMA is that federal agencies are required by law to get the security of their systems up to snuff. When FISMA came out, many IT security experts were not sure where to start. The book helps you understand one way of going about it. I wrote the book to serve as a guide for people who have never done security compliance before, but also as a handbook for people who already know what they are doing. Once you know how to do a security compliance audit, there is so much to consider that you could conceivably forget many things. Just like you know how to buy groceries, but you make a list when you go to the store so you don't forget anything. I have to use my own book to make sure I don't forget things. I don't know how anyone could possibly remember everything there is to know and what to do when it comes to security compliance without lots of resources to refer to. There are too many things you need to check and take into consideration.

At the time I started writing the book, there were no books on how to comply with FISMA. The best guidance available prior to the book came from various federal agencies but those guides really don't include practical examples and are somewhat limited in scope. My book will not tell you everything there is to know. I had to keep it to 500 pages. But the book will get you going and I think it touches on the most important topics.1

Q. Let's turn our attention to the future, what are the three most important coming trends in IT Security?
  • Security compliance is going to get bigger and bigger. Independent contractors and companies who have the ability to perform security compliance audits are going to become busy beyond belief. Information security laws are going to grind business in America to a standstill unless both private industry and government agencies can keep up. Companies aren't going public because they are concerned about liabilities related to security and financial compliance. Some companies that want to go public are registering their companies on foreign stock exchanges simply to get around having to come into compliance with things like Sarbanes-Oxley and Gramm-Leach-Bliley. Federal agencies can barely keep up with FISMA requirements. Health care organizations need to comply with HIPAA. Schools and libraries need to comply with COPPA. Every person I know in the security compliance business has more work than they can possibly take on. Security compliance though is not necessarily whiz-bang exciting. It is kind of like doing your taxes. Not a lot of people want to do it. You can't just push a button on a scanner and find out if your infrastructure is secure. There is so much more to it than that.
  • Microsoft has finally released an operating system that takes security seriously. I think folks will be surprised at some of Vista's security capabilities. Security compliance laws are going to drive Microsoft's revenues on Vista sales.
  • Security awareness is finally being taken seriously. There are many naysayers in the security field who say that security awareness and training doesn't work, however, I don't agree. My experience has been that it does work and it works well. Many universities are offering courses and degrees in information security which shows how mainstream it has become. People want to know why their bank accounts and private information are at risk. They want to learn and be a part of understanding how to prevent risks. Good people want to understand how to help their employer keep information secure. Most people welcome security awareness and training.
Q. If you were a technical person being promoted to manage the security function at an organization, what would your advice be?
My advice would be to ask a lot of questions, and also ask for supporting documents and information before putting together a plan of action.