David has over 18 years' experience in information security, privacy, and compliance. He also has extensive experience in IT operations and management. Currently, David is the Chief Security Architect for Dell/Enstratius. Additionally, he is an author for emergentchaos.com and newschoolsecurity.com, and regularly presents at RSA, Black Hat and DEF CON as well as other conferences both foreign and domestic. Prior to Dell, David ran Operations and Security for C3 and before that was the CISO for Siebel Systems, where he ran information security and privacy and was heavily involved in compliance as well.
When he’s not working, David plays with his kids, runs, swims, and putters heavily in the kitchen or with the outdoor pizza oven. He can be reached at dmortman (at) securosis (dot) com.
David currently holds Advisory Board positions with Qualys, Lookout and the Virtuosi Group, and will not be participating in activities with potential conflicts of interest with those organizations.
Nothing makes my day like getting to argue with my colleagues here at Securosis. Sadly today isn’t that day. The only thing that I love almost as much is when Mike and Rich think they are arguing with each other, but I get to point out that they are actually saying the same things, but from different angles, and therefore with different words. The fact is that both of them highlight a very important point: for security groups to be effective, they need to be much more engaged with the business. Security is in fact always reactive in the
Rich Mogull recently posted a great stream of consciousness piece about how we are at an inflection point in information security. He covers how cloud and mobility are having, and will continue to have, a huge impact on how we practice security. Rich mentions four main areas of impact: Hyper-segregation
Closing the action loop The post is short but very, very dense. Read it a couple of times, even – there’s a lot there. I would add another consequence of these changes that has already begun and will continue to manifest over the next five to ten
It’s almost RSA time again. Which means one very important thing: I need to finally post the review of the very slick TPM-based Windows bootable thumb drive Jeff Jones (@securityjones) gave me at RSA 2011. I have been promising him this review since last March, and it would be just too embarrassing to not get it done before RSA 2012. So here we go. As I said above, this slick little device provides a full self-contained Windows install protected by TPM. The entire thing is encrypted. When I was still doing ops, I kept it in my car for when I
Yesterday Lori MacVittie posted another thoughtful article, Cloud Computing: Architectural Limbo, where she highlights perceived problems with the NIST description. I usually agree with her cloud posts, but this is a rare case where I think she is wrong. Consider, for a moment, the stark reality of a realm with no real network boundaries offered by AWS in “Building three-tier architectures with security groups”: “Unlike with traditional on-premise physical deployments, AWS’s virtualization of compute, storage, and network elements requires that you think differently about how to build network segregation into your projects. There are no distinct physical networks, no
There has been plenty of discussion of what HP’s recent acquisition of Fortify means in terms of commoditization and consolidation in the market. The reality is that most acquisitions by large vendors are about covering perceived holes in their product line. In other words, this is really just the market acknowledging the legitimacy of the product or feature set. Don’t get me wrong – legitimization is very important, but it doesn’t necessarily mean either consolidation or commoditization, though they both indicate some level of legitimization. Commoditization is actually at odds with consolidation. Like legitimization, they are both important
Recently Michal Zalewski posted a rant about the state of security engineering in Security engineering: broken promises. I posted my initial response to this on Twitter: “Great explanation of the issue, zero thoughts on solutions. Bored now.” I still stand behind that response. As a manager, problems without potential solutions are useless to me. The solutions don’t need to be deep technical solutions – sometimes the solution is to monitor or audit. Sometimes the solution is to do nothing, accept the risk, and make a note of it in case it comes up in conversation or an audit. But as
One of our readers recently emailed me with a major dilemma. They need to keep their website PCI compliant in order to keep using their payment gateway to process credit card transactions. Their PCI scanner is telling them they have vulnerabilities, while their hosting provider tells them they are fine. Meanwhile our reader is caught in the middle, paying fines.

I don’t dare to use my business e-mail address, because it would disclose my business name. I have been battling with my website host and security vendor concerning the Non-PCI Compliance of my website. It is actually my host’
Today Verizon released their Supplement to the 2009 Data Breach Investigations Report. As with previous reports, it is extremely well written, densely loaded with data, and an absolute must read. The bulk of the report gives significantly more information on the breakdown of attacks, by both how often attacks occurred, and how many records were lost as a result of each attack. While the above is fascinating, where things got most interesting was in the appendix, which was all about comparing the Verizon data set from 2004 through 2008 to the DataLossDB archives from 2000-2009. One of the big outstanding questions from past
My Friday post generated some great discussion in the comments. I encourage you to go back and read through them. Rocky in particular wrote an extended comment that should be a blog post in itself, which reveals that he and I are, in fact, in violent agreement on the issues. Case in point, his first paragraph:

I think we’re on the same page. As an industry we need to communicate more clearly. It wasn’t my intent to fault any information professionals as much as I’m hoping that we all will push a bit harder for the right
Rocky DeStefano had a great post today on FudSec, Liberate Yourself: Change The Game To Suit Your Needs, which you should read if you haven’t already. It nicely highlights many of the issues going on in the industry today. However, I just can’t agree with all of his assertions. In particular, he had two statements that really bothered me.

Information Security Leadership. We need to start pushing back at all levels here. It’s my opinion that businesses need to care much less about being compliant and more about being fundamentally secure - or if you prefer