Incite Redux: Day 2 - It's time for an Audit Revolution

Submitted by Mike Rothman on Mon, 2008-07-07 10:51.

Good Morning:
Some days I get to reflect on how lucky I am. I guess when you are sitting on the beach, watching your kids enjoying life, it's as good a time as any to appreciate all that I have. Of course, a unique "feature" of my personality is to never be satisfied - to always be striving for more. Yet, some days it just makes more sense to forget about all that crap. My goals and aspirations of world domination will be there when I return to the office and my daily rituals.

Until then, I think I'll just enjoy the fact that things could be a lot worse.

Have a great day.

Incite #2: It's time for an audit revolution

Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation, treating the auditor as a peer and viewing the audit as a learning opportunity.

Read the original Days of Incite post on this topic.

6-month grade: B-

I need to come clean. Sometimes I get what's right and what's realistic confused. Now there is no doubt that my ideas about how auditors and auditees can work together are right on the money. I've heard enough feedback from enough people I trust that not treating an audit or an assessment like a 15-round fight is a much more productive way to go about things. This approach is laid out in the Pragmatic CSO.

But then again, what's realistic tends to be constrained by people, and people don't really change readily - if ever. It reminds me of one of the great lines in You Don't Mess With the Zohan: "They've been fighting for 2000 years, it will be over soon." Unfortunately, that seems like the story we tell in the security business. We've always fought with auditors, and not fighting with them is kind of like asking for peace in the Middle East. Except I do think it's possible.

Just keep in mind that we are all fighting for the same thing - and that's to protect the information and assets of the organization. The auditors want to be able to prove that things are happening. Is that all bad? Of course not, it's quite good - but it takes a different kind of security practitioner to realize that.

What about the whole compliance golden goose? It's still alive and well. As we look forward to the end of 2008 and into 2009, it seems the global economy isn't going to be improving much at all. So we will face even more budget tightening and scrutiny of our investments. Since security is still largely an overhead function, it's going to be even more heavily scrutinized. 

So using the compliance card is not a bad thing at all. But do you buy something that is purported to help with compliance? Of course not. After all, a smart guy figures that GRC is dead. Buy what you need to protect your stuff. That hasn't changed at all. You still need to focus on Security FIRST! If you do that well, you'll be in decent shape for your audits and assessments.

In terms of a grade, the long term trend is intact and the approach is solid. But it'll happen more slowly than I anticipated - so I get a B-. Or go hug your auditor and prove me wrong.

Photo credit: "Monster Hug" originally uploaded by Alberto+Cerriteno