The Daily Incite - 3/10/09 - Crayon Appreciation Day
March 10, 2009 - Volume 4, #23
Good Morning:
For all the toys, gadgets and gizmos we've gotten for the kids, it's
usually the simple, mundane and classic stuff that they really gravitate
to. For example, we have a room full of assorted toys, games and the
like. The kids' stuff used to be all over the house, but we've made a
concerted effort to contain it to one or two rooms as they've gotten
older. So what do they play with?

Crayons. That's right, good old-fashioned Crayolas. We've been
tightening the belt a bit at Chez Incite, so when the Boss brought home
a little carousel with a couple hundred crayons in it and a bunch of
11x17 coloring books, I was a bit steamed. Sure, it wasn't a lot of
money, but the kids have a bunch of stuff they don't play with - why
buy them more?
The fact is, I had a point. We are very careful, but I still
get the feeling that my kids are spoiled and don't appreciate how good
they have it. They want for nothing. If they need it, they get it. Even
if they don't need it, a lot of the time they get it. And don't get me
started on controlling the grandparents, who believe they have a
license to spoil.
But after a weekend with the new crayons and coloring books, I have to
admit that the Boss made a good purchase. My boy especially loves to
color. The focus and intensity he brings to the task is amazing. He
painstakingly colors every square millimeter on these 11x17 pictures.
It doesn't hurt that the coloring books are from Star Wars and the
Incredibles (two of his favorite movies). He can sit and color for
hours at a time.
Photo: "Crayon Fence" originally uploaded by laffy4k
Incite 4 U
- #3 on the jobs you don't want to have list... - Clearly that would be Federal Cybersecurity czar. Probably right behind athletic cup tester and right in front of grease trap cleaner. Thanks to Adrian, who posted a quick update over the weekend: Beckstrom resigned after about a year on the job. It seems the NSA got in the way of almost everything he tried to do. Byron Acohido does a great interview with Beckstrom here as well on his new-ish blog. The take-aways here? The idea of coming up with a coordinated Federal cybersecurity process is pretty much a non-starter. These folks are professional bureaucrats, and you think they are going to let some entrepreneurial soul get in the way of their 3-hour lunches? So we'll continue to get "guidance" from NIST, and each agency will continue to blaze its own trail. Which, given the scope of the US Government and the different requirements of the different agencies, may not be an entirely bad thing. As opposed to trying to coordinate everything, maybe it's time to decentralize a bit and then give FISMA (or something like it) more teeth.
- Technology is only the third stool - It's been said security is about people, process and technology. Yet we in the industry seem to keep searching for magic bullets, potions or anything else that will give us a leg up on the bad guys. That mentality hasn't worked for the past 10 years and it's not going to work moving forward. Neil MacDonald over at Gartner makes that point on his blog, talking specifically about application security. He's right. Tools can help, but fundamentally it's a process and a people issue. And until we figure that out as an industry, things aren't going to get much better. I'll have more to say on that tomorrow.
- PCI + Virtualization = ??? - Clearly, given the drive towards virtualizing everything, there is a big hole in the PCI-DSS regarding what you can and can't do relative to virtualization. So the PCI Standards Council spun up a virtualization working group to figure it out. This is a good move, but the proof is always in the pudding. Will they put some real controls in place? Or will it just be more of the same? Of course, a bunch of vendors are praying they do a 6.6 redux and mandate a virtualization security widget. That's not likely, but these folks can hope, no? And more importantly, when will they force adoption of these guidelines? Virtualization is happening today, and I suspect many organizations aren't doing it in the most "secure" fashion, whatever that means. Which means a retrofit of the infrastructure. Retailers and banks don't like retrofitting much of anything, especially in a global recession. So we'll see what kind of tightrope Russo & Co will walk on this one.
- Cisco jumps on the email security SaaS bandwagon - I guess when you are Cisco, you don't need to be on the cutting edge. At least when it comes to mature markets and technology. About 3 years after everyone else, Cisco's IronPort group finally announces a hybrid offering encompassing appliances and services for email security. To be clear, most of the time trying to sell both appliances and services is a recipe for failure. Some companies do boxes well and some do services well. Not many do both well. But that's neither here nor there; the point is that customers will choose the right deployment model for their operational requirements. And the vendors need to figure out how to do both well, but only if they want to address the entire market.
- Dumping on the CAG - Standards are tough, especially when there are no teeth there. It seems the industry has looked at the CAG (Consensus Audit Guidelines) and decided consensus sucks. That's because it usually does. Dan Philpott at the Guerrilla CISO blog talks a bit about why the CAG has become the Hindenburg of security guidance. But to be clear, anyone trying to develop the Rosetta Stone for security is going to have similar problems. I think everybody acknowledges that FISMA needs to be improved, and give some credit to the folks behind CAG (Gilligan and Paller) for getting some discussion going. But ultimately, publishing a white paper and a set of slides doesn't accountability make. Without teeth, a standard is pretty much useless.