The Daily Incite - 11/14/08 - Positivity

Submitted by Mike Rothman on Fri, 2008-11-14 14:42.
Today's Daily Incite

November 14, 2008 - Volume 3, #89

Good Afternoon:
I got a question a while back from a reader about staying positive. As I've mentioned about a hundred times, I tend to be cynical and pessimistic and I need to really work hard to keep a positive attitude. I've made a conscious effort to be more positive and that means I have very little tolerance for Chicken Little types that only want to focus on the bad. I think positivity is a word. Right?

So how do I do it? The truth is some days are better than others. But I surround myself with "can-do" folks, who look for ways to get things done. Not reasons why they can't. When you work in a group environment, it's absolutely critical for the leaders to build a positive culture. Folks that don't fit into that need to find somewhere else to work.

Recently I had to make a change on my team for that very reason. We all deal with challenges every day. Sometimes decisions don't go your way. Sometimes people screw up. But once something is done, it's done. Move on. Let it go. Tomorrow is a new day and a new opportunity for things to be better.

Besides the philosophy, I'm training my mind to let things go. I try to take at least 15 minutes each day to not think. That's been a huge tactic of mine to deal with the stress of existence and to not get all caught up on negativity. Some meditate, others pray, but I don't much care for definitions. Given the reality that my mind races at all times, I need to take a few minutes each day to not race. To slow down. To focus on not focusing. Yes, it sounds very Zen and part of it is.

Learning to quiet my mind is the hardest thing I've ever attempted. And I'm pretty crappy at it. But I'm getting better every day. I've found this quiet time allows me to leave things behind. Once I'm done, I don't have the baggage and I can be productive and jump into whatever challenges await me that day. I find that when I don't have time to not think, I am far less productive and far more irritable.

That works for me. Others like to think about how lucky they are. Some exercise to relieve the pressure. I know folks that make themselves laugh. Either at the futility of it all or about how others could be so dim-witted to make an ill-advised decision. But it's important to find a technique to get past "it." Whatever "it" is. Because if you can't, you'll be sentenced to a lifetime of angst and grumpiness. I'm fortunate that I've been paroled from that sentence. But my rehab continues every single day.

Have a great weekend.


Photo: "positivity" originally uploaded by lanqui


Incite 4U

TGIF. This week we had a sales meeting at my day job, and as fun as those are - it's exhausting. The rush to get ready, the rush of the training, and the rush of the parties all equal exhaustion. I know I'll sleep well tonight.

  1. Shrdlu goes to town here about the counter goals of security, privacy and compliance. The conclusion is that these groups really should be separate because they all have different objectives that will conflict with each other. In a perfect world, where we all have tons of resources, that's absolutely right. But in the real world, we are likely not staffed to do that. But we can factor in those objectives when setting our success criteria and allocating resources. You need to be a bit schizo to do security anyway, and this is one of the reasons. Another gem in the post is the conclusion that compliance is a LOWEST COMMON DENOMINATOR and if you aren't out ahead of compliance requirements then there is no way you're either secure or compliant.
  2. Seltzer wonders if Government networks can be secured. His answer? Theoretically they can. The reality, no they can't. But it's not anything they are doing right or wrong. No large network with the scale of the US Federal Government can be secured. There are just too many ingress and egress points and too many different folks configuring, changing and reconfiguring things. But that's the same for any large enterprise as well. The goal shouldn't be to "secure" the networks. If that's the success criteria, then we can't be successful - so why bother? Defining success is the most important task for a senior security professional, and being perfect (which is what "security" requires) isn't practical. So manage those expectations with care.
  3. Microsoft talks about how they've evolved their SDL (security development lifecycle) to support web applications and the Agile development process. Once again kudos to Microsoft for using their own sausage machine as a way to both illustrate what to do (and sometimes what not to do), and use that experience to educate the rest of us. The reality is that things need to happen faster on web time, but the SDL necessarily makes you take more time to ensure the right controls and tests have happened. It's definitely a bit of an impedance mismatch, so there is no wonder that most web applications are crap from a security perspective. It'll be an ongoing battle, but at least you can point to Microsoft and maybe jump over the inevitable potholes.
  4. Do not fight fire with fire. This quick little answer on NetworkWorld's community answers the question of whether it makes sense to auto-respond to sp*m. The answer? Not so much. Those messages are sent using spoofed addresses, so the only thing responding will do is clutter the network with more crap. So hope that your filter catches things, and if not send it to the circular file. Richi Jennings has a similar answer on the Ferris blog, but focusing on out of office messages.
  5. Deal: CA acquires Eurekify to add to their role management capabilities within the identity suite. This deal was actually pretty predictable since CA has been selling the solution for a while based on an OEM. And the consolidation train continues down the tracks.
  6. There is no free lunch. Techdulla talks a bit about Microsoft's new BizSpark program, which helps startups by giving them an MSDN license for 3 years. This is all about priming the pump and remember there are very few incremental costs to stamping out a few more DVDs. Sure, a little support, but Microsoft is so massive, it's a rounding error. And given that a lot of start-ups use open source tools (because the price is right), presenting a threat to Microsoft over time - this approach makes sense. Just be clear, they do intend on making it up on the back end.
  7. Is DLP a nice-to-have or a must-have? That's the hundred million dollar question. Code Green moves to attack the enterprise DLP opportunity, but I'm still not a fan of this market. Not that the technology isn't required, but it isn't a stand-alone. I've been hearing that the Symantec folks (former Vontu) are doing well in DLP, but the remaining stand-alone companies are struggling. McAfee taking out Reconnex won't be the last fire sale we see. And as the economy tightens, I don't think it's going to get better for the vendors. Someone get some firewood. We're going to throw a bunch more DLP companies on the pyre in the near term.
  8. Check Tim Green's latest NAC column out to see an example of good marketing. A bunch of NAC vendors are now starting to look at additional use cases for the technology and to expand its relevance. They chirp in Tim's ear and he goes and validates it. It's exactly the right thing to do, since unless there is a clear COST CONTAINMENT aspect to any new project, it's going nowhere fast in a down economy.