The Daily Incite - 1/13/09 - Expect Nothing

Submitted by Mike Rothman on Tue, 2009-01-13 10:37.
Today's Daily Incite

January 13, 2009 - Volume 4, #5

Good Morning:
"If I knew then, what I know now..." is a common refrain from folks who have learned many hard lessons through the years. I'm no exception and it seems I have to keep learning the same things over and over again. I'm going to revisit the concept of expectations yet again today, because I keep screwing it up. Expect nothing? Easier said than done...

Proper expectations are the key to being happy. Seriously. Think about it. Every time you get pissed off, it's likely because you are disappointed. Something happened that you didn't expect. Maybe somebody did something or didn't do something, or maybe you did something or didn't do something. It's all the same, something happened that you didn't expect and it pisses you off.

I was very pissed off this weekend. The Giants lost and now they can spend the entire off season thinking about how crappy they played in the playoff game. The problem was that I expected them to win. And they didn't. So I was pissed.

It was an entirely different story last year. Sure, I expected them to beat Tampa Bay on Wild Card weekend. But going into Dallas and winning? I didn't expect that, so it was truly great when it happened. Then going into Green Bay and winning? Very unlikely, so I had low expectations. And I don't even need to mention the likelihood of them beating the undefeated Patriots in the Super Bowl. I was just hoping for a competitive game.

I think there is something to this Zen thing. Those folks don't seem to get wrapped up in these details and they don't seem to carry angst all day, when that unexpected thing happens. I'm sure many Zen masters are sports fans, but they likely have made a conscious decision to get wrapped up and feel angst when their teams lose. Then they probably meditate for a little while and all is good in the galaxy again.

I couldn't have meditated on Sunday if I tried. I was too pissed off... But at least I can look back today and pinpoint my failure to manage expectations. And next season, I'll probably make the same mistake again. I'm good like that. Have a great day.


Photo: "Expect Nothing (and You'll Never Be Disappointed)" available on Amazon.com

Incite 4 U

I'm slowly but surely working my way through the bubble that was the news during my hiatus last month. Then I'll actually have to start reading again... Oh crap, how am I going to find the time to do that? Like everyone else, I have to find out how to do more with less, since that is the behavior that is called for today. Which is a good segue to our first snip of the day:

  1. Goldman's IT Survey say... Save Money! - That's the title of a post on the eIQ blog I wrote yesterday, which highlights a recent Goldman IT spending survey. 72% say projects that reduce operating expenses (including personnel costs) will get funded in 2009. Only 46% say compliance projects will make the cut. That means you as security professionals need to figure out how to position pretty much anything you are doing as cutting costs. I'm writing a blog series over there (it'll start on Thursday of this week) to take you through my thinking of how to do that. So, what are you waiting for? Subscribe to eIQviews now (RSS or email).
  2. You know you have too many people on an email list when... - Hitting Reply All causes a DoS attack on your own email system. No, I'm not kidding. The State Department is outlawing the Reply All button because enough folks use it that it clogs up their email system. I know covering your ass is a science in Government, but this is ridiculous. Productivity will probably skyrocket now, given that all those folks won't have to wade through all those useless email threads anymore.
  3. These guys watch, so you don't have to - From a disclosure standpoint, I used to work at TruSecure (now called Verizon Business Security Services, or something like that), so I became very familiar with their research team and how they tried to figure out what was happening out there. I still hold to the idea that you can't really predict the next attack, but you can narrow the attack surface a bit and that's what these folks try to do. In their 2008 wrap-up post, the RISK team tells you a bit about what to look for in 2009. Nothing really ground-breaking, which means more of the same.
  4. Security strategy renewal - Shrdlu talks a little about the process of renewing in the New Year and revisiting all those things that need to get done. It's really about prioritizing your key issues and then focusing on them. And not everything can be a key issue. The best advice is "let's start at the top and look at overall security management strategy." Then dig down. In this kind of environment, whatever budget you think you have is not safe. Thus contingency planning and understanding what ISN'T going to get done are ever more critical.
  5. Why buy the cow, when they think their milk is worth a lot - I noticed the Trend Micro/BigFix integration that was announced last week. The BigFix folks will integrate some Trend goodness into their endpoints for web protection initially. But over time, this is really trying to be an ePO killer to steal some enterprise market share from Little Red. It's something they needed, so why not just buy the company and be done with it? Likely because the investors think it's worth more than the market will pay now. So they make the bet that OEM deals and other ways to broaden market adoption are the ways to maximize return. Maybe they are right. But probably not... Looks like M&A in 2009 will be fire sales, since anyone that can make it through the downturn probably won't want to sell at a depressed valuation.
  6. 5 ways to justify security spending (none will work) - Jeremiah is probably hearing the same thing anyone on the vendor side is hearing nowadays: how can I justify your product/service? Big J talks about risk mitigation, due diligence, incident response, regulatory compliance, and competitive advantage. Look at snip #1. The only one with a snowball's chance in hell of getting any money is to focus on regulatory compliance. Or figure out how the things that help you do the other four can ALSO save you money and let you keep headcount level (or even cut some). Even funded projects will be scrutinized, and you better have an answer or figure out how to do more with nothing.
  7. You know what they say about low hanging fruit - The first weekend of the year brought a number of attacks on Twitter. Yes, that seemingly useless micro-blogging thing. Maybe that's a bit harsh. The mostly useless micro-blogging thing. First they figured putting an admin application out on the web was a good idea. It wasn't. Then the bad guys figured out how to send phishing messages through compromised accounts. So a bunch of these Twits got pwned. Nice. It just highlights that most of these applications are not built to be secure. In fact, it's going to be very hard to secure them now that they are out in the wild. It doesn't mean we shouldn't or won't continue to use them. It just means we need to make sure we can contain the damage when they get hit. And they will.
That's all for today. Go get something done.