The FRSecure Blog

Your Security. Our Passion.

Secure360 Conference Presentation

It’s not very often that I get the honor of evangelizing to information security evangelists!

Yesterday (May 9th), I was honored in just such a way. I was afforded the opportunity to speak at the 7th annual Secure360 Conference. The conference attracts 1000+ information security professionals each year, and it’s held at the St. Paul RiverCentre (a great place to speak and attend a conference).

The topic of my presentation was “Ten Information Security Principles to Live (or Die) By” and it’s based on FRSecure’s governing principles that guide our everyday work. The conference was very well attended, and my presentation seemed to be well received.

An online copy of my presentation slides can be found here:

Ten Information Security Principles to Live (or Die) By

Overall, it was a wonderful experience and opportunity. I caught up with some old friends, made some new ones, and hopefully made a small positive change for our industry. I’m looking forward to next year, and hopefully another opportunity to preach!

FRSecure’s Information Security Principles

We all have a set of principles, or fundamental truths, that guide us in our day-to-day lives. Some base their principles on faith; some base them on what they’ve been taught; and for some, it’s a combination of influences and experiences.

For those of you who don’t know FRSecure, we’re an information security consulting company. We strive to be the best at what we do, and we’re passionate about it! Four years ago, soon after we started this company, we defined our principles (or fundamental truths) to guide and govern our approach to information security.

This article is the first in a series of articles where we’ll dissect each of these principles and explain what we mean.

On a Positive Note

When was the last time you heard an information security professional or consultant tell you something positive? It’s probably been too long.

I have been blessed with the privilege to work in this industry (information security) with passion for a long time. I am blessed with leading a dynamic information security consulting company alongside a group of great people, and we’re growing at an astounding rate! Life is good, right? For me and our customers, the answer is yes. I can’t help but think: how can we make things better?

A dear friend of mine stopped and talked with me this week, and what he said really resonated. He asked me why we tend to point out the negative things about information security so much. Why do we seem to stress what people are doing wrong, and how things don’t work?

Why ARE we so focused on the negative? Things like:

  • Information security is NOT an IT issue,
  • Compliance is NOT information security; and
  • There is no “easy button” in information security

These are three of our core principles by the way. ;)

Good Day with Medi-Sota

Today we were out in Montevideo, MN visiting with members of the Medi-Sota rural healthcare alliance discussing information security. We gave two presentations to members: “Meaningful Use and Security Risk Analysis” and “Information Security is NOT an IT Issue”. A copy of our “Information Security is NOT an IT Issue” presentation is now available online (see below).

We want to thank Medi-Sota and the participants from their member hospitals for having us out! It was well worth it!

What Motivates You?

We all have motivations behind what we do, but have you ever given any thought to what motivates you with respect to information security? Over the years, we’ve identified four primary motivations for information security actions, but only one is the best option.

The four motivations are:

  • Everybody else is doing it
  • We’ve been forced
  • Reaction to an adverse event (breach)
  • We understand the importance

Everybody Else is Doing It

We all have a herd mentality to some extent. We watch what other people are wearing, we pay attention to the cars other people are driving, and we emulate those people we admire. The tendency is to take this same herd mentality into the area of information security. We compare what we’re doing with what other organizations in our industry are doing. There are some real pitfalls in following this logic:

Start the year off right

A Business New Year’s Resolution

It’s the time of year for New Year’s resolutions. Certainly, we all have areas in which we want to improve. How about areas of your business? One area of business where there is often plenty of room for improvement is information security. When managed effectively, information security can be a tremendous value to any organization.

So, why not make a business New Year’s resolution for information security improvement and stick to it?

Information Security Improvement

It doesn’t matter if you’re a large enterprise with millions of dollars in your information security budget, or if you’re a two-employee company with no budget; there is always room for improvement. What are some areas where you should improve your information security this year?

Some areas of improvement to consider:

  • Policies – Policies provide the rules and boundaries for your information security efforts, and they are critical to success. Don’t assume that everyone knows what they should do to protect your critical information; state it plainly in policy.
  • Training & Awareness – Technology isn’t the most significant risk to your information; it’s people. The people you trust the most are the very same people who can do the most damage, often accidentally.
  • Assessment – Take the time to understand what your risks are before spending thousands of dollars to remediate them. Approaching risks blindly is ineffective and costly. How well can you build something without first determining what you will build, where, and with what?
  • Mobile Device Management – The past few years have brought an explosion in mobile device usage, and the amount of information leaving the office in employee pockets might scare you. Understand this risk, and do something about it.
  • Incident Management – You’ve heard the old saying “it’s not a matter of if, but when”. Be prepared for an information security incident. A poor response can cost more than the original incident itself.

Take a look at your organization and come up with a list of four or five information security improvements that fit you best.

Stick to It

Once you have identified some areas of information security that you should (will) improve upon in 2012, resolve to stick to it!

According to statistics, only 20% of people who set out with a New Year’s resolution actually stick to it. Don’t let information security fall victim to these same statistics. Turn your New Year’s resolution into yearlong results by implementing these simple principles:

  • Commit – Just like anything worthwhile, information security requires a commitment, and it requires a commitment from the top. Company executives must be familiar with their roles and responsibilities with respect to information security, and set the standards.
  • Document – Documentation provides direction, reference, and proof: direction for everyone to get on the same page, reference for measurement and enforcement, and proof of due care and due diligence. For some, if it’s not documented, it doesn’t exist.
  • Measure – Measure how well you are doing in what you set out to do. If you wanted to lose weight, wouldn’t you check the scale every once in a while?
  • Review – As your organization changes, so should your efforts to protect the information your organization relies on. Things that are not regularly reviewed and updated are bound to die and fail.

So, look around and be honest with yourself. Do you have areas of information security that need to improve? Make 2012 a year that you resolve to do just that!

Evan Francen is the president of FRSecure, a full-service information security consulting firm. FRSecure has helped hundreds of organizations by providing cost-effective strategies and solutions to secure today’s challenging business environment. For more information about FRSecure or FRSecure’s services, visit www.frsecure.com.

FRSecure Announces Spring CISSP Training Program

CISSP Training Program

Led by Evan Francen, FRSecure President and 20-year Information Security veteran, our training program is designed to not only help you prepare for the exam, but also give you real-world experience that you can put to use in your organization.

Our last class went 5 for 5 passing the exam on their first try!

If you are contemplating getting your CISSP certification, or if you have information security responsibilities, this class is for you.

Click here for more information or to register.