
Category: Security Blog

How secure are the IT components that go into our devices?

Posted on November 7th, by admin in Security Blog. No Comments

One of the most interesting and challenging security issues that can only be addressed by governments and large organizations is the actual integrity of the computer products being purchased. While most of the world has worried about what American spy agencies might have embedded in systems over the years, the tables were turned several years ago when IBM sold its portable computer business to the Chinese. Since then, this issue has been festering with far greater stakes than ever before.

The House Permanent Select Committee on Intelligence last month issued a report indicating that computer components and communications manufactured by two Chinese companies might have been altered to allow the Chinese government to spy on US enterprises. The report recommended that US government systems not use any component manufactured by Huawei and ZTE, both in the top 5 of the world’s … Read More »

Navigating into the IT Health Care field

Posted on October 17th, by Karen Letain in Security Blog. No Comments

There has been a lot of attention and push toward integrating technology into healthcare and the requirement for staffing positions that can’t be filled from those already working in the field. If you are looking to make a move from another sector, this could be the perfect opportunity.

The biggest challenge is breaking into the industry – getting your foot in the door, without any medical job experience or advanced education in a medical related area. Many companies often want to recruit people who already have healthcare experience, especially for more senior roles. There has also not been a lot out there on skills requirements and a path to acquiring the skills needed. However, in doing research on this we did come across a report by the University of California San Diego Extension. The report “2011 Hot Careers for College Graduates” aimed to reveal … Read More »

Eliminate the boring in your IT Security training program

Posted on September 5th, by Karen Letain in Security Blog. No Comments

When you get it wrong, the signs are painfully clear, but the reasons may not always be obvious.  Making that all-important connection with your learners does not happen by accident. When you are putting together any security training program – from general awareness training to specific certification training solutions, you need to make it not only interesting but also RELEVANT.

If the learner already has knowledge on security topics/issues, why do they then need additional training on the areas they already understand? The mistake often made is that content is developed from the assumption that the learner knows very little and therefore needs to drink from the proverbial “fire hose”. This does not have to be the case. A well-thought-out quiz, delivered before the content or training is developed or delivered, can eliminate repetitive, boring content that … Read More »

Why we fail at leveraging technology in education

Posted on August 16th, by Ken Kousky in Security Blog. No Comments

There are three reasons why we fail at leveraging technology in education. First, we are undoubtedly missing the root cause of the systemic failure. It’s not content, it’s context. The content must be made meaningful to the learner. Second, we’ve failed to apply the fat tail principles of mass customization. Anchoring a concept for a learner is unique to each student. While Khan Academy and the edX initiatives show how expansive the net is for provisioning content, we’re still missing the point that technology must address.

Finally, learning occurs at specific moments in specific context – and this includes space/time issues. Simply put, if my screen and keyboard are the source of massively complex communications systems including email, Facebook, alarms, alerts, notifications, etc. it is by definition, the worst possible tool for isolated and focused attention to a complex subject. If … Read More »

Learning Through Context

Posted on August 7th, by Ken Kousky in Security Blog. No Comments

What exactly do we mean by context, and why do we believe context-based teaching is better than content-based teaching?

By context, I mean three things. First, we need to understand the where/when for studying. We should all know and understand that the “interrupt machines” that drive our always-on communications (PCs, smart phones, tablets) are the very worst possible devices for a learning context until we redesign the flow to function in this context.

Second, context is the reference point and anchoring that provides relativity and explains new ideas in relationship to things the learner already knows. Third, context is the application of ideas, terms or concepts to situations the learner understands.

When EdX can provide learner context, the claim of “revolutionary” will once again belong to Boston. I’m not trying to argue that we do a better job than MIT in our boot … Read More »

The Ongoing Revolution in Learning Through Technology

Posted on July 27th, by Ken Kousky in Security Blog. No Comments

Over the past month, thoughts about the education paradigm have been something like the modern 4th of July fireworks — always a big bang and a new twist. I’ve followed the MIT/Harvard EdX online class of 155,000 students. I even thought about the incredible process of trying to grade the exams and student authentication challenges. If you’re not familiar with this project, you should be. MIT launched their intro to electronics class online with 155,000 enrollments! That’s a BIG classroom. Sounds like we’ve hit on an educational breakthrough!

Well, maybe it’s not a complete breakthrough. It turns out that 7,154 completed and passed the course. Our own pass rate on CISSP boot camps is dramatically better than MIT and Harvard’s. In fact, the real fallout came between the open enrollment period and the first exam. If you’ve ever taught college, you … Read More »

Understanding Risk - A 5-step risk management strategy

Posted on July 19th, by Ken Kousky in Security Blog. No Comments

So, what is risk? What does it mean? We can define risk as the possibility that bad, unplanned or unexpected things happen. It implies, most often, after the fact, that something could have been done about the “risk” to prevent the bad things. In many of the most disastrous events, there were clear warnings and a multitude of actions that should have been taken.

Risks can be mitigated. Risky activities can be reduced and safeguards can be implemented.  Why then do we continue to see disastrous events in the papers that could have been avoided? Simply put, Western societies seem to have forgotten about it. We ended the twentieth century with a growing belief that all of the critical issues of the world had been solved. Resources would be efficiently allocated through free competitive markets and social issues resolved by the … Read More »

A Dike and Three Dutch Boys…is this enough?

Posted on July 3rd, by Ken Kousky in Security Blog. No Comments

…Applying a triad methodology for risk management.

Similar to the Dutch boys and their dike, securing the barrier between your IT infrastructure and the rest of the world relies primarily on:

Plugging the known holes.
Posturing to plug holes based on historical data and not overreacting to an acute event.
Making educated guesses where to reinforce the infrastructure to minimize potential risk.

Risk awareness and risk analysis have become a central force in all aspects of information assurance and IT security, yet our current treatment of risk continues to be ad hoc and reactive rather than rigorously considered.

There are three profound issues that we must resolve if we are to sustain a meaningful, credible and constructive campaign for better risk management. First, we have to drop the absurd notion of rational economic decision makers minimizing risk. Thinking Fast and Slow is the most contemporary catalog … Read More »

Business Continuity – it’s not just for the big boys who can afford the big toys

Posted on June 28th, by Scott Koger in Security Blog. No Comments

For anyone with roots along the Gulf Coast - if we have learned anything through the years, it’s that the impacts of weather can frequently far exceed expectations. For those of us who have been impacted by these tropical systems, it is not uncommon to refer to the storms by name as a kind of milestone. “Yeah, after Betsy we had to” … or “during Camille”… and all too frequently “well with Katrina ….”. This year’s entry into the shorthand will be Debbie. Although barely a Tropical Storm, she has lingered along the northern Gulf of Mexico for the better part of a week, dumping record amounts of rainfall in Alabama and Florida – and that’s saying something. This flooding has had significant impact upon ground transport in the area, impeding the local distribution of commodities, freight deliveries, and … Read More »

Security by Insanity

Posted on June 27th, by Ken Kousky in Security Blog. No Comments

A dear friend found a reason to remind me what Einstein (or somebody important) said was insanity - doing the same thing and expecting something different. Well, this got me thinking. All my life people have found probable cause to call me crazy …. but not insane. There’s something more clinical and more considered in the diagnosis of insanity.

I’ve spent over a decade delivering executive summaries on issues in information assurance and IT security. I’ve worked with the vendor community, academics and corporate IT staff studying threats associated with emerging technologies.

For example, when cars become “wired” systems with steering and braking being driven by software rather than direct physical linkages, there are certain risks that should be understood and analyzed. We framed the risks for remote automotive systems access through OnStar as well as vulnerabilities in network addressable controllers of … Read More »
