It’s been a while since I’ve posted anything of substance … being buried in transitioning a new 24-person software development contract, academic papers for the PhD program, and bid & proposal efforts, it’s likely to be a bit yet. Even so, I thought it worth posting that I’ve been invited to present at the 2014 Cyber Defense and Disaster Recovery Conference (CDDR) at the University of Illinois Springfield (UIS) on Thursday, March 13. There should be a mid-sized (~225+) paid audience of practitioners, business people & academics. The event is sponsored by InfraGard Springfield with coordination and support by the FBI and UIS.
For more information on the conference, take a look at their archives – they’ve had a great list of presentations and speakers; and I’d certainly be privileged to be among them.
The theme I’ve been asked to present is on security incident and response as firms migrate to distributed storage technologies, and I just about proposed a presentation title of The bits be everywhere – keeping them in their tubes & cleaning up the mess when they spring a leak. I did come to my senses, and the actual topic is TBA after I’ve confirmed my availability, but the general subject remains the same & is something I’ve written around the edges of on this blog in the last year. The working title (at least for the moment) is a bit more professional, and is something on the order of Minimally intrusive governance & distributed storage systems: Considerations for disaster recovery and contingency planning in a mobile world.
Knowing that there will be small business leaders in attendance, and having been asked to make the presentation instructional, I’m tempted to fall back to the broader areas of governance, compliance & risk. When considering the ways that varied attendees might prepare for security and incident response, and the answer being “it depends”, I think a broader perspective of the criticality of good governance and orchestrated process of BCP/DRP specific to distributed data storage should be appropriate. If there’s one thing I know, it’s that awareness of security is insufficient, as is the presentation of a solid business case. The competing priorities of security and workflow efficiency must be addressed or people will work around the controls. Though a recent area of study, Albrechtsen (2007) and Takemura (2011) both provide very good evidence of this, with an identified need to blend not only awareness, but the practical actions that can be embedded into process, without significant impact to the overall efficiency of operations.
Viewed from the broader perspective, these are not easy challenges to solve; and unfortunately the problem is less frequently technological in nature, and more often is tied to the behavior of the organization itself. Addressing change in technology, workflow, and culture (regardless of reason) requires a more deeply rooted desire to change behavior patterns from those that must implement them. In a fashion similar to the myriad theories and models of change management and/or organizational behavior, it’s the individuals within the group that have to be effectively targeted. Throw in a twist of technological adoption and the typical fear, uncertainty, and doubt (FUD) normally used in areas of security & that are often seen as “keeping people from doing their jobs” … you’ve got the perfect storm of things that are tough to change. Focusing then, on the intersecting issues of storage management, IA, and the optimization of information security investments within a framework of process re-engineering & adoption strategies borrowed from the TAM (Venkatesh, 2000, 2003, 2008; Morris, Davis, G., & Davis, F., 2003), I’ll be pulling from other research and courses I’ve developed to combine as a one-hour session.
At the very least, it did force me to take a look at my short bio … which I haven’t done in far too long. While not fantastic, I think it still gets the point across & I’ve attached it here for my own entertainment. I’ll post more detail as this gets fleshed out over the coming weeks, and as always I welcome any comments or input you have.
Albrechtsen, E. (2007). A qualitative study of users’ view on information security. Computers & Security, 26(4), 276–289. doi:10.1016/j.cose.2006.11.004
Takemura, T. (2011). Statistical Analysis on Relation between Workers’ Information Security Awareness and the Behaviors in Japan. Journal of Management Policy and Practice, 12(3), 27–37.
Venkatesh, V., Morris, M., Davis, G., & Davis, F. (2003). User Acceptance of Information Technology: Toward a Unified View. MIS Quarterly, 27(3), 425–478.