Pragmatic CSO Weekly #28
September 18, 2007 - #28
Mike's Pep Talk:
"Parents must lead by example. Don't use the cliché 'do as I say and not as I do.' We are our children's first and most important role models." - Lee Haney
I'm happy to tell all of you Pragmatic CSOs that my second product was announced yesterday. You can check out the post on my Security Incite blog. It's called Security Mike's Guide to Internet Security and it helps consumers protect themselves and their kids from hackers, identity thieves, and other online mayhem.
There is good news and bad news regarding the Guide. The good news is that this product is really needed. I did a lot of research to put together a list of resources to help consumers do security and I couldn't. It wasn't that there wasn't stuff out there, but it wasn't very good. The bad news? The project isn't really for Pragmatic CSOs. You should know all of this already. Hopefully you already communicate this information to the people important to you, and maybe even some that aren't that important.
Yet, I've heard from some of you already (who are on the Daily Incite list) and you mentioned that you are buying copies for family and friends, so they stop annoying you to clean up their machines.
But that's not the point. Today I want to address whether we, as Pragmatic CSOs, have a responsibility to spread the gospel about good security habits, even though it's painful. I have to come clean and admit that I wasn't very good about this until I decided to do the Security Mike project. I pretty much kept my mouth shut because it was easier. I know lots of my friends probably have problems, but I don't like to talk about work with my social circle, so I kind of avoided the topic.
I'll be the first to admit that this was (and IS) the wrong thing to do. We have to lead by example (as described in the quote above) and we also have to evangelize good security practices in the home for all the people we know. Sometimes that's challenging because many of our friends and family aren't really technically sophisticated. You know, they don't get it, and it's painful to try to get them there.
But we have to press forward anyway and Security Mike's Guide is my attempt to do that. I'm actually giving copies to many of my friends, so they can go through the process. I'll be there to support them. It's the right thing to do. I'm also going to talk to many of their kids and reinforce what their parents should already be discussing. Finally, I'm going to start approaching local school districts to address middle schoolers and high schoolers to educate and talk about these issues.
Someone's got to do it, and it may as well be me.
You can't be just a half-assed security person. It's not enough to do the right thing for our jobs. We need to do the right thing for our neighborhoods. As I said on the Security Mike homepage, we need to start a grassroots effort to cut off the oxygen (read: money) from the crime lords and change the economic model for spam, phishing and other attacks.
Join me and let's set the right example for our friends, family and kids.
In this week's issue:
- This week's P-CSO Tip: Do I need to pay for security?
- Blog post: Recover and fly like an Eagle
This week's P-CSO Tip
Do I need to pay for security?
One of the things in Security Mike's Guide to Internet Security that is sure to ruffle some feathers in Big Security-land is my position that consumers can implement as good (if not better) security using the configuration techniques and free security tools discussed in the Guide than by paying $60 or $80 for your typical client security suite. I was doing a session for a Chamber of Commerce this morning, and the folks from Symantec there (SYMC was a sponsor) almost puked on their shoes when I went into my pitch. It was great.
But that raises the question for you as a Pragmatic CSO: should you be paying for security software? The answer is a resounding YES, even for old technologies like AV or a broader endpoint security suite. Security Mike's Guide is for consumers. A lot of the practices are very relevant to corporations, but those folks should be paying for their stuff. Or most of it anyway. Can you hear the sighs of relief in Silicon Valley?
Basically, unless you have fewer than 5 employees (and odds are there isn't a role for a CSO in a 5-person company), you need to centrally manage policy. And the free tools that I suggest for consumers aren't going to get you there. Notice I didn't say you should pay a lot, especially since most of these products are commodity items now, so it's all about driving down the price.
So don't go giving your budget back to the CFO just yet. You've still got a lot of work to do and a lot of products to buy, integrate, operate and report on.
Article: Recover and fly like an Eagle
Step 8 of the Pragmatic CSO methodology is all about containing the damage of an incident. It's going to happen to you sooner or later, so you had better be ready. That means having your plan documented, practiced and ready to go. Do you wonder if anyone actually does that successfully? Of course they do, but it's usually hard to get security folks to talk about it publicly because it rehashes old, bad memories about the incident in question.
Check out this NetworkWorld article, which covers a session at the recent Security Standard show presented by Boston College's CSO. It's good stuff. The fact that the institution is religious in nature means David Escalante didn't have to make too much of a case to do the right thing, but still. Reacting quickly and figuring out what happened mattered, but most of all, COMMUNICATING quickly and effectively was the key to the success.
The CIO pulled together a cross-discipline team to manage the disclosure, clean-up and communications efforts. That is critical because legal, PR, and other senior management need to be involved in the process AS EARLY AS POSSIBLE. Keep in mind that the clock is ticking and time is measured in HOURS, not months.
Take Monster, for instance, which waited 5 days before notifying customers of the breach. They needed more information before they communicated anything, but they were also roasted in the press for it.
So the faster you can get the word out and re-establish the perception of control - the better it's going to be for you (and your job).
Buy It Now!
Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step; take that step today.