• Is There Any Value in Twitter? Yes? Think Again…

    I know that this is a very provocative question but it is one I have been looking into for a few months. If you follow my Twitter account, you will have realized that I dramatically reduced the number of Tweets. I currently only tweet once I have posted on my blog. But let’s start at the beginning:

    I think I started to use Twitter a little bit more than 18 months ago. Initially I tried to understand how this works and how you gain followers. I understand that you have to tweet regularly and that you should focus on a theme. That is fairly easy for me as Information Security is my core competence and there is always something to say. I learned as well that “following back” is the key activity on Twitter. If somebody follows you, you follow back. And then my first problem started. I checked my Twitter account approximately once a day and I got so many DMs saying “thank you for following” that I missed DMs really being targeted to me.

    Then the swine flu broke out and I learned my next lesson: Speed is everything on Twitter – accuracy is second. There was so much nonsense on Twitter that it could not be used at all to gain information.

    And finally the volume: Today I have approx. 23’000 followers. Interestingly, it seems that growth just stopped now even though I have not been too active since about May/June:

    [Image: twittercounter.chart]

    However, the number of people clicking on the links I post on Twitter is around 20-30 at max. So, 23’000 followers – let’s say 25 clicks on average (and this is high), means around 0.1% of my followers seem to be interested in what I tweet. Maybe I tweet the wrong things? I do not think so as more than 23’000 people said that they like my Twitter profile and therefore they followed me – no?

    I then looked at some of my followers: The first thing I realized is that everybody is in the race for as many followers as possible. As everybody is just “following back” and additionally uses tools to find the people who could be interested in the message to be spread – it is like a self-fulfilling prophecy. People focus on getting more followers and measure just that. Measure the click-through rate: I get much more from Facebook or LinkedIn than from Twitter and honestly I read the status updates on Facebook and LinkedIn much more as well.

    And I understand why: Let’s say you follow 5’000 people, which is not too much. Let’s say, everybody tweets 5 times a day, which is a low figure. This means, you get 25’000 tweets a day, 1041 an hour, 17.4 a minute. This means there is a tweet every 3.5 seconds coming in. If you see 17 tweets on your screen, you would have to look at your screen the same minute I am pushing my tweet out… Otherwise the new messages will simply cover mine.

    The sheer volume of information on Twitter is overwhelming. Does it still make sense? Is there value in there? Do you find the information you are looking for? Is this really a trusted source for information? Is it worth spending your time?

    Let me know your view. I would be really interested to hear.

    Roger

  • Data Governance in the Cloud

    If you look at current discussions between cloud providers and customers, I see it too often that the customer leaves with the impression that the Cloud fixes all their problems. In fact – it does not. Too often I see the Cloud provider telling the customer that they should not care about security anymore – they will do it for the customer. That’s only part of the truth.

    In order to shed some light on this discussion, Doug Cavit (a Principal Security Strategist at Microsoft) and I published a paper a few months ago called Cloud Security Considerations, addressing the key areas to consider when moving to the Cloud. I used this approach very often when talking to customers, regulators and government elites. It works extremely well and seems to cover the story end to end.

    Now, Doug stayed busy :-). He just published together with Javier Salido (a program manager in Trustworthy Computing) a paper called A Guide to Data Governance for Privacy, Confidentiality, and Compliance - Part 5: Moving to Cloud Computing. Behind this long title, there is actually a lot of good content which complements the above-mentioned paper.

    If you know what the Cloud is, you could skip the pages following the summary. When I talk to customers, I always tell them that there are a few fundamental things to be in place when you consider the Cloud: Compliance and Risk Management, Identity Management, Data Classification. Fairly early in the paper, Doug and Javier draw the conclusion:

    Organizations should implement a data classification policy and procedures for deciding which data is ready for the cloud, under which circumstances, and using which controls.

    Usually people smile if I tell them this. And at the same time, we all know that the policy is in place but it is often not really implemented nor is the user given the technologies to really easily implement it. From a technology perspective, I love Rights Management Services and especially its implementation in Office called Information Rights Management. The corresponding templates help to attach the right classification and protect the document with just a few clicks.

    However, this is often an awareness and process problem. Much more than technology! But back to the paper. When it comes to responsibilities, the paper is fairly clear:

    Delegation does not discharge the organization from managing risk and compliance, or from having to prove compliance to the appropriate authorities.

    I could not agree more! You have to manage your data – it is your data, even if you move to the Cloud! Therefore:

    Compliance requirements can be fulfilled by a skilled internal team and a certain level of process transparency on the part of the cloud service provider.

    Make sure you have the team in place and then ask your Cloud provider (make sure you follow this sequence ;-)).

    There is a lot of additional content in there to consider. But then they move to the point of recommending what you could do or as they call it: Elements to Consider When Moving to the Cloud:

      • Viability of the Cloud Service Provider and Potential Switching Costs
      • Transparency
      • Compliance and Related Issues

    And finally, they help to bring the Cloud related issues into the context of the Data Governance for Privacy, Confidentiality, and Compliance framework, something which can give you real hands-on tools and techniques to make it happen.

    From my point of view, this is a really good paper, where you can take the parts you need at the moment: be it a high-level understanding of the problem space or more hands-on tools. Is it simple? No, not really as the problem by itself is complex but it helps you to understand much better how to approach it.

    Roger

  • The Community is Growing

    In Off to See the World I told you that we are growing the Chief Security Advisor Community and then I updated you on the UK and Sweden.

    Now it is time to update you again. Just before the summer vacation, we could hire the Chief Security Advisor in South Africa who is Khomotso Kganyago. Khomotso started already and I am looking forward to doing a week of customer meetings with him soon in Johannesburg and Pretoria.

    And last but definitely not least, we were able to fill the first of the three time zone positions: Monika Josi will join us from Novartis for the EMEA Chief Security Advisor position starting January 1st. This is the third time in our careers we will be working together and I am definitely looking forward to working with Monika again as she will be a great addition to our team.

    Roger

  • The Eleven Rules of Life

    I know that they are very old but I did not know them. The oldest post I found was from 2004. People are saying that they are from Bill Gates but it seems that he used them during a speech in front of high-school students. I love them:

    RULE 1: Life is not fair - get used to it.
    RULE 2: The world won't care about your self-esteem. The world will expect you to accomplish something BEFORE you feel good about yourself.
    RULE 3: You will NOT make 40 thousand dollars a year right out of high school. You won't be a vice president with car phone, until you earn both.
    RULE 4: If you think your teacher is tough, wait till you get a boss. He doesn't have tenure.
    RULE 5: Flipping burgers is not beneath your dignity. Your grandparents had a different word for burger flipping they called it Opportunity.
    RULE 6: If you mess up, it's not your parents' fault, so don't whine about your mistakes, learn from them.
    RULE 7: Before you were born, your parents weren't as boring as they are now. They got that way from paying your bills, cleaning your clothes and listening to you talk about how cool you are. So before you save the rain forest from the parasites of your parent's generation, try delousing the closet in your own room.
    RULE 8: Your school may have done away with winners and losers, but life has not. In some schools they have abolished failing grades and they'll give you as many times as you want to get the right answer. This doesn't bear the slightest resemblance to ANYTHING in real life.
    RULE 9: Life is not divided into semesters. You don't get summers off and very few employers are interested in helping you find yourself. Do that on your own time.
    RULE 10: Television is NOT real life. In real life people actually have to leave the coffee shop and go to jobs.
    RULE 11: Be nice to nerds. Chances are you'll end up working for one.

    I love rule 11 – it is kind of true for me :-)

    Roger

  • Using Facebook to Promote an Event – Lecture in Johannesburg Next Week

    I am just preparing my trip to South Africa next week. Our Chief Security Advisor in South Africa, Khomotso Kganyago, does an outstanding job keeping me busy. He put together a great agenda – I just hope I can cope with everything he is expecting from me ;-).

    Part of it is a public lecture at the University in Johannesburg. And now, he just sent me this Facebook link: Cyber Security Agenda for South Africa with a Reference to the Cloud. Wow, I will click on “I’m Attending”, I guess…

    I would be interested to see how much impact this post has. Do you think that this drives attendance? Will be really good to see! During the preparation for this trip (and for this presentation), I was heavily impressed by what I learned about the state of the country regarding Cybersecurity. If you are interested in my learning – you have to join the public lecture mentioned above…

    Roger