BSidesSF preview: Letting someone else's phone ring at 3 a.m.

At a NAISG meeting awhile back, my friend Andy Ellis, CSO of Akamai, gave a talk about building an incident management program that cuts chaos down to a minimum. At BSidesSF next week, he'll give an updated version of the presentation.

His talk is scheduled for 5 p.m. Monday.

We chatted about it by phone Friday morning, and I started with the obvious question: Why doesn't his phone ring at 3 a.m. anymore?

"Because I hired someone and told him his success would be judged by how little my phone rings at 3 a.m.," Ellis said. "I always have someone on call who is amazingly competent."

The breakthrough comes when the CSO stops trying to keep bad things from ever happening and instead builds a program around the expectation that things will break from time to time.

"Things are going to break," he said. "If you don’t plan for incidents then incidents will plan for you. You’re always caught with your pants down in that scenario. You need to have really smart people, give them the authority to deal with the problem and then get out of their way."

Call it Ellis' "Breakable But Effective" security to Larry Ellison's "Unbreakable" security, which, as we know by now, is very breakable.

We're just admitting the breakable part now, and admitting the problem is the first step in solving it, right? ;-)

--Bill Brenner

Copyright © 2011 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.