Ian Yip's Security and Identity Thought Stream

Identity, Access, Security, Cloud, Mobility...
  1. Invisible Identity
    Photo source: Michael Shaheen - My Name Was Michael & The Rest Is History
    In my previous post, I promised to explain the following:
    Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.
    If you've been to any of Disney's theme parks recently, you may have noticed they now have something called the MagicBand. It
  2. Identity needs to disappear
    Photo source: Paul Chapman - The disappearing machine
    In recent years, security vendors, including ones that don't sell Identity & Access Management (IAM) products, have been pontificating about how identity needs to be the focus for all things security. They (my current and previous employers included) continue to be on-message, each beating everyone to death with their own version: identity-centric-security, identity-powered-security, identity-defined-security, identity-is-the-perimeter, identity-is-the-foundation,
  3. Hey security managers, go hire some marketing people for your team
    This is not a plea for organisations to start actively hiring people away from vendor product marketing teams. But if you want to look for people to point the finger at and explain why you aren't getting the budget required to actually secure your environment, product marketing is a good place to start.

    There were 2 key messages attendees should have taken away from the Gartner Security & Risk Management Summit in Sydney a few weeks ago:
    1. Security priorities tend to be set based on the threat du jour and audit findings.
    2. Security teams need to get better at marketing.
    Here's the problem:
    1. Sensationalist headlines sell stories, which attracts more advertisers. This means the threat du jour will get the most airtime.
    2. People who hold the keys to budgets read headlines, which perpetuates the
  4. How to spot a meaningless contributed article
    What is a contributed article? It is one where the author works for a vendor or solution provider and not the publication. In other words, their day job is not as a journalist. I'm speaking from first-hand experience, as I've written a number for various publications and understand the process.

    Contributed articles do not typically involve any form of payment. When they do, reputable publications will disclose this fact. More commonly, they are freely given to a publication based on a brief that was provided. For example, a publication may say they are interested in a contributed article about a new smartphone's features and the implications on digital security. A vendor's marketing and public relations team will then work with a subject matter expert (SME) on crafting such an article for submission. Of course, if the SME isn't really one, then nothing will save the article.
  5. Doing business in Asia: five etiquette tips
    I contributed a piece to Australian BRW late last month that had nothing to do with IT Security, but I thought it may be of interest to those of you who are new to doing business with Asia and would like somewhere to start.

    It's quite general, but large mainstream publications want content that will appeal to the masses, not niche pieces that few people will care about. So, if you're an expert on Asia, none of what I've written will be new.

    Here's a teaser:
    "Business etiquette in western countries is similar enough that we get away with most things. The little quirks are normally overlooked or forgiven, using the “not from around here” explanation. Asia, however, is a slightly different animal."
    Check out the full article on BRW.