Archive for June, 2009

Episode 31 – PCI: Tastes Great or Less Filling?

Tuesday, June 30th, 2009

Amrit Williams, CTO of BigFix, Inc. talks to long-time secure payments consultant Michael Dahn about whether the current Payment Card Industry (PCI) standards, by their prescriptive nature, lead organizations to focus on standards compliance at the expense of more effective security measures. Dahn believes that one way to reduce the cost of PCI compliance lies in taking a need-to-access approach to sensitive data: if an organization cannot access data, due to its encryption or other controls, this removes the need for PCI-prescribed methods to protect it. Dahn concludes the talk with a brief mention of the BSides conference, an event where the audience chooses the speakers and topics through a wiki-based speaking proposal selection system. For more about this, visit www.securitybsides.com

Podcast

Episode 30 – Patch Management: Still a Hamster Wheel of Pain After All These Years

Tuesday, June 23rd, 2009

Amrit Williams, CTO of BigFix, Inc. and Rich Mogull, Founder and Chief Analyst of Securosis discuss Project Quant, a Microsoft-sponsored research effort to better understand the software patch and update process from both the software vendor and software licensee points of view. Microsoft has agreed to make all survey data accessible to the public and it will cover patch processes supporting products from a wide variety of software vendors–not just Windows. Rich and Amrit invite listeners to participate in the survey posted on www.securosis.com

Podcast

Episode 29 – Embrace Change to Cut the Cost and Complexity of IT Security

Friday, June 19th, 2009

Amrit Williams, CTO of BigFix, Inc. and Joshua Corman, Security Strategist at IBM Information Security Solutions (ISS), contend that the only way to fight the escalating cost and complexity of IT security is to embrace change and leave outmoded practices and technologies behind. Ironically, even as agile security professionals make change, they discover that many compliance regimes and other “best practices” force them to dedicate scarce resources to addressing yesterday’s threats.

Podcast

Episode 28 – Security and Systems Management Convergence Part II: The Resolution

Tuesday, June 16th, 2009

Amrit Williams, CTO of BigFix, Inc. and Scott Crawford, Managing Research Director of Enterprise Management Associates (EMA), continue their conversation on the relationship between IT service management and IT incident response management. Crawford believes that the general desire for management and security convergence breaks down when dealing with real-world server and PC infrastructures. Crawford also believes that new generations of tools often reshape processes when they reduce the cost and complexity of infrastructure management while improving its overall quality.

Podcast

Episode 27 – Security and Systems Management Convergence Part I: The Balancing Act

Friday, June 12th, 2009

Amrit Williams, CTO of BigFix, Inc. and Scott Crawford, Managing Research Director of Enterprise Management Associates (EMA), begin a two-part discussion on security and systems management convergence by looking at what keeps the two disciplines siloed from each other, although both sides recognize the benefits of seamless collaboration. In particular, Crawford has identified a balancing act: disciplined, proactive approaches to systems management strengthen immunity from security incidents, but at the potential cost of reducing responsiveness to the incidents that do inevitably occur.

Podcast

Episode 26 – Situational Awareness Inside and Beyond the Perimeter

Tuesday, June 9th, 2009

Amrit Williams, CTO of BigFix, Inc. speaks with Mike Rothman, founder of Security Incite and Senior Vice President of eIQ Networks, on the need to secure information wherever it resides or travels, and on a pendulum shift away from log management back to situational awareness. According to Rothman, the log management trend stemmed from organizations taking a “check off” approach to information stewardship compliance programs. The renewed interest in situational awareness results from the realization that log management alone is not enough to understand, respond to, or prevent security breaches–in short, what’s really at stake in information security.

Podcast

Episode 25 – The Security Implications of Virtualization

Friday, June 5th, 2009

Amrit Williams, CTO of BigFix, Inc. and Aaron Bawcom, VP of Engineering of Reflex Systems, discuss Bawcom’s new book “Virtualization for Security.” Bawcom believes that virtualization represents the most profound technology shift since the introduction of the IP protocol and will have a double impact on enterprise information security. First, virtualized systems simplify security by reducing the number of physical assets and inherently automating many security policy and configuration processes. Second, as they do this, virtualized systems are different enough from conventional environments to require distinctly different processes and disciplines to assure their security. As well as listening to the podcast, audience members can find out more about Bawcom’s book at http://tinyurl.com/pd3ryj

Podcast

Episode 24 – 20th Century Databases Need 21st Century Security

Tuesday, June 2nd, 2009

Amrit Williams, CTO of BigFix, Inc. and Ron Bennatan, CTO of Guardium, note that as security attacks increasingly emphasize the theft of financially valuable data, databases land in hackers’ cross hairs. Since many databases can trace their lineages back 20 years or more, this often presents the technical and cultural conundrum of how to protect 20th century assets against 21st century attacks. This podcast also mentions Bennatan’s new book “How to Secure and Audit Oracle 10g and 11g,” with more information on this work at http://tinyurl.com/pgzbvj