Well, I spent the last two days in Chile and it was absolutely amazing! My experience with Latin America to date has been a 30-day stay in a Panamanian jungle during my Army Ranger days, and a short vacation in Cozumel. Neither of these were extremely pleasant. I never did adjust to the dining schedule here (most Chileans enjoy dinner around 10:00 PM), and I understand why the locals consume vast amounts of espresso and sugar.
Christian Lincare, the Microsoft Chile - IT Pro Evangelist/Community Manager (who I am giving the title of "Hardest Working Microsoft Employee in Chile".....right after Pia Fleischmann, who helped organize my agenda!!) did a terrific job of organizing several customer meetings (with both public and private sector CIOs), the Chief Security Officer council, and a meeting with the Chile CERT team. He kept me and Jose Eduardo Campos, the Microsoft LATAM Chief Security Advisor busy....but not so busy that we couldn't enjoy the visit. I also want to extend a very big thank you to the GM and NTO of the Microsoft Chile who made the trip a pleasure.
Espresso or SOX?
Security. Yes, that's the point of my trip (and often this blog). I find the more I travel, the more thing stay the same. Want to know what keeps a CIO/CSO in a major corporations awake in Chile? (Espresso is not the answer). It's things like reg compliance. Believe it or not, Sarbanes-Oxley is a concern here as well. They also worry about privacy issues....and here's one: too many darn event logs to read! Sound familiar? I really hope the new XML formatted event logs in Windows Vista and Longhorn Server help with the storage of these awful things. During my discussions, I tried to impress upon them the quality of auditing vs. the quantity of auditing, despite what all those auditors say. (Yes, I'm wearing a suit and tie. Hush it.)
Security Process That Works
The customers I spoke to were also very impressed with our new process changes in software development, specifically the Security Development Lifecycle. If you've not heard of how this is changing the world of software development, you need to get smart on this fast! You want to reduce the number of coding mistakes that lead to security vulnerabilities....you have security baked into the process...and that's what SDLC is all about. For more info, check out Michael Howard and Steve Lipner's authoritative reference on the subject. Microsoft SQL Server 2005 was the first application server to go through the entire SDLC process. Number of vulns to date? Zero.