The Daily Incite - 1/16/09 - Out of Control

Submitted by Mike Rothman on Fri, 2009-01-16 00:49.
Today's Daily Incite

January 16, 2009 - Volume 4, #6

Good Morning:
I'm on the road driving down the highway with one of my VPs of Sales. He checks his email and blurts out, a plane went down in NY. Ditched in the Hudson River. Oh crap. The words a guy who flies as much as I do never want to hear. I understand statistics, I know it's a lot safer to fly than to drive. But you still hate to hear about an accident. I feel better already...

Then I checked the news and read the story about how everyone survived. That's miraculous and the pilots are heroes. And why didn't those birds migrate down South? It's friggin' cold in the Northeast this time of year.

It got me thinking about control. The reason that I don't worry in the car is that I'm in control. That's misplaced confidence because there are a lot of idiots and bad drivers out there. And in the air, there are significantly fewer. But I'm not in control once I strap in. I have to trust the pilot, the air traffic controller, the maintenance people and the equipment. For a control freak like me, it's a lot of trust.

I have the same issues at work. I'm not really a good delegator. It's not that I don't have confidence in the people that I work with - I do. But I'm just used to doing everything myself, so half the time I don't think to delegate or outsource or anything but roll up my sleeves and get things done.

The problem is that it doesn't scale and my list isn't getting any shorter. So ceding control is really a survival instinct. You need to trust in your team, as much as you trust your pilot. Given my personality, it's a fight I'll need to wage daily, but it's one that is worth fighting. Life is too short to do everything yourself.

Have a great weekend.


Photo: "everything's under control" originally uploaded by Lorrie McClanahan


Incite 4 U

The RSA speaking slots are out and I'm happy to say that I was selected to sit on 4 panels and to do a Peer to Peer session. Oh crap. What the hell is that about? Sure the panels were good, but not that good. I wonder if there were as many submissions this year. Or whether they all just sucked. In any case, I wonder how many of you plan on attending RSA this year. I should do a survey or something, but I hate surveys. So just send me an email if you plan to be there. Hopefully none of my sessions conflict with the important stuff, like the Bloggers meet-up.

  1. It's hot out there. AVG stokes an "inSana" fire sale - I was thinking about calling this one "Reality 1, Listwin 0" in honor of the great Listwin, whose sizable talents couldn't even save Sana. AVG acquired Sana Security for what must have been a Czech jig or something like that. Do the Czechs even jig? If you look at the press release, no one from Sana is even quoted. The reality is that we'll see a bunch of these deals, and even a high profile executive cannot turn a feature into a company.
  2. I guess they ran out of wishes - The folks at SafeNet can celebrate, they won the war of attrition to acquire Aladdin for less money than they initially offered. It's not a Yahoo!-like fiasco (what could top that?), but still the gravitas of the genies in a bottle cost their shareholders some coin. Great, now what the hell does SafeNet do with it? I hear there isn't much competition in the content security space, though some of the software security technology they have may fit nicely with SafeNet's business.
  3. Sure they can run a pen test... - I was reading this piece by Michael Cobb on SearchSecurity about how to "increase security with a decreasing budget" and I was interested. That's clearly something that is top of mind for customers. Unfortunately, don't waste your time reading the piece. The big idea is to merge physical and logical security groups. Huh? I can just imagine the bruisers who patrol the building are well qualified to bust out a pen testing tool and take down the defenses. That approach allows you to cut one headcount (the manager of either group). The answer, my friends, is automation. And not just because that's what I pawn for a living. OK, probably because that's what I pawn for a living.
  4. Midnight Express - AWESOME - So one of the guys that did the TJX hack is getting 30 years in a Turkish prison. WOW! It's been a long time since I've seen Midnight Express, but I think I need to watch it again. Just to see where the new bar is set for prosecuting a hacker. In Turkey anyway. In most other countries, they are as untouchable as MC Hammer. The hope is that this proves a deterrent to some, but the reality is it'll have no impact on most. Why? Because it's easy money, especially compared to what else would need to be done to make a similar wage in these emerging countries. That kind of stuff would land you 30 years in a Turkish jail.
  5. Just what we need, another unenforceable mandate - So the great State of NY (my birthplace) is blazing the legislative trails in drafting some language that would require "secure code" if you want to sell software to any NY State agency. Yeah right. How do you enforce that? Let's see, maybe require a new set of assessments and spur a new industry, the secure code police. Give me a break. It focuses on the Top 25 programming mistakes, and I think the list is good; the regulation is not.
  6. Speaking of the lowest common denominator - Yes, the CWE/SANS Top 25 Most Dangerous Programming Errors is quite a list. As mentioned above, the list is good - but only to the degree that developers give a crap about it. The challenge hasn't really been knowing what to do, it's in getting the developers to do it. Does this list help with that? Not really. But at least it will get the hackers to focus on whatever should have been #26-50, since those won't be addressed by 98% of the developers out there. Who am I kidding? Only a small minority of developers will give a rat's ass about 1-25...
  7. 2009 To Do List (Gunnar style) - Though I'm sure it's cold in the Twin Cities, Gunnar is thinking oh so clearly. A few days ago, he put together a to-do list for security professionals. #1 on the list is to educate on the state of the art in software development. Remember, most of the attacks nowadays are directly on your apps. So understanding how these apps are being built is the first step in protecting them. Next up is to eat lunch with developers - another GREAT tip. Even pay for lunch; you'll learn far more than doing anything else. There are a few more, but ultimately success is about constant renewal and always learning. Gunnar reminds us how important that is.
Finally, I have a favor to ask all of you. Please give Hoff something to do. Seriously. We all know he's busy doing something architect-like for his overlords. He spends a bunch of time doing sweaty grappling with other guys, as well as P90x-ing for 90 minutes a day. Yet he still has time for some good, old fashioned potty humor. Literally. As funny as this is and as much as I appreciate it, I'm thinking Hoff has found some type of rift in the space-time continuum that allows him to fit 48 hours in a day. With all this time, I suggest we all just send Hoff random tasks to do and that will allow him to adequately fill his daily 48 hours. You know where to find him.