2015 Global Partner Award Winners: Why We Partner With Palo Alto Networks

A few weeks ago at our annual Sales Kickoff, we recognized five partners as our 2015 Global Partner Award Winners. While at the event, we grabbed some time with these best of the best partners for 2015 and asked them to talk about the value of their partnership with Palo Alto Networks. Here’s what they had to say:

[Palo Alto Networks Blog]

Breaking Ground on A New Home for Palo Alto Networks!

Palo Alto Networks broke ground this week on the site for our new headquarters in Santa Clara, Calif.

The new office will be able to accommodate more than 5,000 workers, giving us the space we need to keep growing. Our headquarters will be bound by Scott Boulevard, Garrett Drive, Tannery Way and Lakeside Drive and on the south side of Highway 101.

Big things are coming for Palo Alto Networks, and we can’t wait to share more with you.

Take a look at some of the photos from the groundbreaking below.

[Palo Alto Networks Blog]

VMworld 2015: Partner Growth Opportunity

Last week I spent a few days at VMworld 2015 in San Francisco, California.  If I had to summarize the experience, I would say applications available via the cloud are forever changing how business is done, but what isn’t changing is the critical role security will play in enabling this transformation. I left VMworld more optimistic than ever about the VMware and Palo Alto Networks partnership and the tremendous growth opportunity it represents for you, our valued partners.

VMworld featured video:
Palo Alto Networks on Value of VMware Partnership

The reason for my optimism is simple. Together with VMware we are offering you a solution (VMware NSX platform combined with Palo Alto Networks next-generation security platform) that addresses a real business pain point. This is a challenge that every enterprise customer has today, securing the software defined data center to realize its full efficiency and cost benefits.

The Palo Alto Networks and VMware NSX partnership is ramping up quickly and we are already seeing increased revenue and deal size as well as enhanced margin for those partners selling the combined platform. These partner benefits are driven in large part by an immense professional services opportunity, which both companies understand is critical to your long-term profitability.

If you are interested in learning more about the VMware NSX plus Palo Alto Networks offer we have extensive resources available, including dedicated NSX and Palo Alto Networks next-generation security platform training, NFR licenses and on-demand labs. You can also contact your VMware Partner Business Manager (PBM) or Palo Alto Networks Channel Business Manager (CBM) for more information and to ask if a regional NSX roadshow is coming to a city near you.

Ron Myers,
VP Global Channels

[Palo Alto Networks Blog]

Remaining Driven in Face of Obstacles

Angela Thomas, MS-MIS, MBA, audit coordinator for DFA Office of Internal Audit, recently passed the Certified Information Systems Auditor (CISA) exam. Here, she shares her story on how not giving up led her to success.

I took the CISA Exam for the first time in December 2014. My preparation for the December 2014 exam included reading and studying the following material:

  • ISACA’s 2014 CISA Supplemental Manual containing 100 sample questions
  • IT Auditing Using Controls to Protect Information Assets, 2nd Edition, by Chris Davis
  • CISA Certified Information Systems Auditor Study Guide, by David L. Cannon
  • CISA Certified Information Systems Auditor All-in-One Exam Guide, 2nd Edition, by Peter Gregory

I did not pass the December 2014 exam—I was disappointed about that, but I did not give up! I dusted off the above study materials, began studying again and registered for the June 2015 exam.  In addition to the above study materials, I purchased ISACA’s 2015 CISA Review Manual (CRM) that contains 1,100 sample questions, joined ISACA’s CISA Study Community Discussion and joined ISACA’s Official LinkedIn Group.

I obtained many online resources via the CISA Study Community that helped enhance my knowledge and understanding. I also gained some resources from the LinkedIn Group. I read the ISACA 2015 CISA Review Manual three times. The first time I read each question slowly and thoroughly and studied why each correct answer was the correct answer and why each incorrect answer was the incorrect answer. My second and third readings consisted of reading each question to try and select the correct answer based upon knowledge and understanding—not memory. Whenever I selected the wrong answer, I re-read and reviewed why the correct answer was correct and why the incorrect answer was incorrect.

The important thing to remember to be successful on the exam is to focus on the key words such as “best,” “most,” “first.” I knew this when I took the exam the first time, but although I felt like I was prepared, I was very nervous and anxious.  I think that negatively affected my performance. I felt completely different when I took the exam for the second time in June 2015. I was not as nervous and anxious. I felt that I was much better prepared, and my score demonstrated that—I scored in the top 20 percent during my second sitting! Now I am looking forward to applying for the CISA certification, as I continue my CISA studies, so I will be a successful Certified Information Systems Auditor.

[ISACA Blog]

The Cybersecurity Canon: Measuring and Managing Information Risk: A FAIR Approach

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Ben Rothke: Measuring and Managing Information Risk: A FAIR Approach (2014) by Jack Freund and Jack Jones

Executive Summary

One is hard pressed to go a day without encountering some sort of data about information security and risk. Research from firms like Gartner is accepted without question, even though they can get their results from untrusted and unvetted sources.

Panic around Ebola and other rare events shows how people are ill-informed about risk. While distressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like.

When it comes to information security, the situation is not much better. With myriad statistics, surveys, data breach reports and costs, global analyses and the like, there is an overabundance of data but an under abundance of meaningful data.

In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have written a magnificent book that will change (for the better) the way you think about and deal with IT risk.

Review

The book details the factor analysis of information risk (FAIR) methodology, which is a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity.

An Open Group standard, FAIR is a methodology and a highly effective, quantitative analysis tool. The power of FAIR is immense: it enables the risk practitioner to make well-informed decisions based on meaningful measurements. While that seems obvious, in practicality, it is a challenging endeavor.

FAIR is invaluable in that it helps the risk professional understand the language that the corporate board and senior executives speak. Understanding that, and communicating in their language, can make it much easier for information security to be perceived as a valued asset, as opposed to using Chicken Little statistics. FAIR takes the risk professional out of the realm of dealing with risk via the checklist, which only serves to produce meaningless measurements, into the world of quantitative, defendable results.

For those who are looking for a tool to create pretty executive summary charts with lots of colors, FAIR will sorely disappoint them. For those who are looking for a method to understand how to calculate qualitative risk to support a formal enterprise risk management program, they won’t find a better guide than this book.

Measuring and Managing Information Risk is an incredibly good reference that will force you to look again at how you view risk management. As Jones writes in the preface, the book is not about checklists and formulas, but about critical thinking.

The authors note that information security and operational risk have operated for far too long as art, without enough science. This is the gap that FAIR attempts to fill. The authors also write that risk decision-making quality boils down to the quality of information decision-makers are operating from, and the decision-makers themselves. The book does a remarkable job of showing how a person can become a much better decision-maker.

A subtle but important point the book makes early on is that many risk professionals confuse risk possibilities with risk probabilities. The FAIR method forces you to focus on probabilities and not to obsess on Ebola-like possibilities. Such a quantitative analysis approach is what makes FAIR so beneficial.

The book spends a few chapters going through FAIR risk ontology and terminology. Inconsistent and poorly defined terminology is one of the most significant challenges the information security and operational risk profession faces. Having a consistent set of logical terms and definitions that make up the FAIR framework significantly improves the quality of risk relations communications within an organization.

The value of having a consistent set of logical terms and definitions is significant. For example, the book notes that many people use the term threat. In the context of risk analysis, it might not be a real threat if there is no resulting loss. In that case, it would be considered a vulnerability event.

The challenge of FAIR is acclimating to its dialect. But once done, it creates an extremely powerful methodology for risk communication and management. And therein lies its power. Setting up a common framework for risk management becomes an invaluable tool to present risk ideas. In addition, it makes the findings much more objective and defendable.

In Chapter 5, the authors address the biggest objection to quantitative risk management: it can’t be measured or is simply unknowable. They agree that risk can’t be measured at the micro level, but it can be effectively measured to a degree that reduces management’s uncertainty about risk.

They also, importantly, note that risk is a forward-looking statement about what may come to pass in the future. With that, perfect accuracy is impossible, but effective quantitative risk management is very possible.

The power of FAIR is that it helps add clarity to ambiguous risk situations by giving you the tools to add data points to a situation that is purported to be unknowable.

Chapter 8 is an extremely enlightening one, in that it provides 11 risk analysis examples. The examples do a great job of reinforcing the key FAIR concepts and methods.

In Chapter 10, the authors write that the hardest part of learning FAIR is having to overcome bad habits. For most people, FAIR represents a recalibration of your mental model about what risk is and how it works. The chapter deals with common mistakes and stumbling blocks when performing a FAIR analysis. The five high-level categories of mistakes the chapter notes are: checking results, scoping, data, variable confusion and vulnerability analysis.

FAIR is a powerful methodology that can revolutionize risk management. The challenge is that it takes a village to make such a change. Management may be reticent to invest in what is perceived as yet another risk management framework.

But once you start using the language of FAIR and validate your findings, astute management will likely catch on. Over time, FAIR can indeed become a risk management game changer.

Conclusion

There are plenty of security books that will give you a basic overview of risk management.  It is sort of like giving a person a fish. For those who are looking to master the art of risk management, and learn how to fish, Measuring and Managing Information Risk: A FAIR Approach is one of the best books you can add to your library.

The book is flawless in its execution and description of the subject. The only critique is that the authors should have been a bit more transparent in the text when (especially in Chapter 8) mentioning the FAIR software, in that it is their firm that makes the software.

For those who are willing to put in the time to understand FAIR, this book will make their jobs much easier. It will help them earn the trust of senior management and make them much better risk management professionals in the process.

This is a book that will stand the test of time and be valuable to risk management professionals for years to come, which makes it a worthy entrant into the Cybersecurity Canon.

[Palo Alto Networks Blog]
