Some advocate compliance while others blame it for many of the problems having an impact on the insecurities of today's organizations. What's your take on the good and bad sides of compliance?

Compliance is very good at getting the executives attention and receiving proper funding. But it is important to remember that blindly trying to meet compliance by doing the minimal amount that is required will not necessarily lead to security. However, if compliance is the stick to receive the proper focus, proper security can lead to compliance. For it to work effective compliance can be the sales pitch and an objective, but risk based security needs to be the focus in order for an organization to receive the desired results.

With the current recession and shrinking budgets, what are the most challenging aspects of managing information-related risks in the enterprise? Are there any corners practitioners are allowed to cut?

With less resources organizations are required to do more with less. The biggest challenge is trying to accomplish too much and not properly focus in on the highest risk items. In order to be successful in these challenging times it is critical that organizations make sure everyone is on the same page.

Security should have a single chart that everyone agrees to that identifies the critical assets (based on business process), threats (based on likelihood), vulnerabilities (based on impact) and overall risk. If everyone in the organization is focused and aligned to the same items, this will allow common metrics to be defined across the organizations.

Everyone can than focus on their respective areas -security can define the metrics, IT can implement the metrics, auditors can measure the metrics and executives can understand the metrics. The way to cut corners and to do more with less is through automation. Now computers can automatically do the repetitive continuous monitoring which would allow the limited staff to focus on analysis.


What does your SANS training course look like? What skills can attendees expect to acquire?

SANS SEC401 takes the student on a journey, showing how all of the areas of cyber security fit together. The following are some of the skills that attendees can acquire:

1) Understand the principles for designing a security network architecture.

2) Decode and analyze packets going across a network.

3) Integrate security throughout an organization that includes effective policies, access control and incident response.

4) Understand how the offense operates to build better defensive measures.

5) Map defensive solutions against risk to deploy the right security solutions for an organization.

6) Deploy cryptographic solutions that provide confidentiality, integrity, authentication and non-repudiation.

7) Build, analyze and security Windows and Unix operating systems that can defend against the APT.