The Daily Incite - 6/29/09 - Under Construction

Submitted by Mike Rothman on Mon, 2009-06-29 07:51.
Today's Daily Incite

June 29, 2009 - Volume 4, #29

Good Morning:
Today is my first day back from a week of R&R, so I thought I'd share some random thoughts. The first has to do with a trip I took recently back to my old stomping grounds in VA. It was like going to a high school reunion and seeing that most of the folks there looked terrible. The area was a mess, with construction everywhere.
Be patient. It'll be great when we are done...
Given the congestion in the Northern Virginia area, any work they do is necessary, but the place was in tatters. You can remember the good old days, when the cheerleaders were cool and everyone had their best days ahead. Or you can focus on the fact that as time goes on, some areas (or people) wear better than others.

Or you could focus on the fact that in one way or another we are all under construction. So you can appreciate what was, think about what's to come, and understand that whatever it is right now is just fine. See, I told you - random stuff.

The Boss was quite kind to me when we were away and let me plow through a number of books. And no, I didn't read the latest marketing manifestos. I wanted some diversionary drivel, and I got it. First I read two of Daniel Silva's books from the Gabriel Allon series (The English Assassin and The Confessor). Good stuff. Fast paced, good plot. Not enough graphic hand to hand combat, but the plot complexities made up for it. 

Next up, I read Raymond Khoury's The Last Templar. This was basically a Dan Brown rip-off, which they made into a mini-series. The concept was intriguing, but the execution was a bit hollow and far-fetched. I know all thriller novels are far-fetched, but the last few action scenes in this one stretched my imagination. Finally I tackled Harlan Coben's Deal Breaker, which was a total change of pace and dealt with a sports-tinged plot of intrigue. It was a bit predictable, but Coben is pretty funny - so it was a decent read.

We can also wish a freaky farewell to the King of Pop. Here is a great article about his early days at the world famous Apollo Theater. I read in a number of places (and my own family spent a bunch of time talking) about the clear similarities between Michael Jackson and Elvis. But being in that kind of burning spotlight for decades definitely warps things, so I can only hope he finds the Dancing Machine in the great beyond. Though many folks never can say goodbye...

Have a great day.


Photo: "Under_Construction_Sign" originally uploaded by uberbeam

Incite 4 U

Only having time to cover maybe 4 or 5 interesting posts a week has forced me to be pretty selective. Overall I think this is a good thing. But I'm sure none of you are bashful and will let me know if it sucks.
  1. Cybercom is da shizzle - No, I have no idea what a shizzle is, but it was interesting last week to get the formalization of the US DoD's cyber-defense initiatives under a common banner. To be led by the head of the NSA, but not within the NSA. Uh-huh. Anyhow, I do think that leverage is good and setting a common policy is good. Can you truly centralize anything with 15,000 separate networks and 7 million-plus devices? No frackin' way. But at least setting some guidelines isn't a bad thing. Though it'll be interesting to see how Cybercom differs in reality from NIST.
  2. The real auditing Top 10 list - The man known only as Shack has a wonderfully snarky analysis of the Top 10 things auditors aren't telling you, and it's dead on. Basically audit (and PCI assessment, for that matter) is a very competitive business, which means it's all about cutting costs. So you'll see the bait and switch (#3), and the auditor will likely back down if you yell loud enough. Unless you get the know-it-all (#9) or the one worried about being the next Arthur Andersen (#10), in which case you figure out how to go over the auditor's head. Of course, snark aside, there are cases where the audit can be productive and where you can treat the auditor as a peer, which is the Pragmatic way. Though to get to a productive place, you need to understand where the auditor is coming from.
  3. Skeptics anonymous meeting at 10 - The Mogull has had too much time to think. And that's with a newborn. Maybe if there is a next go-around, he (and the lovely Mrs. Mogull) can have twins so he doesn't have time to think all skeptical and stuff. But his series on skepticism in security rang very true to me, because part of every job is to make decisions with less than perfect data, and we have to be skeptical about stuff. But that results in the business thinking we security folks are just "Dr. No," and that isn't productive over time. So I'd love folks to be more skeptical and get all New School and share data and be more scientifically rigorous, but we need to tread carefully. Because whatever credibility we are building comes from taking a "Yes, but" position (as opposed to a NO! position).
  4. CISO = Dodo bird? - Funny, there are a lot of folks questioning the long-term viability of the senior security staffer position. I've certainly been one of them for a long time. I'm at the Gartner Security show this week (follow my updates via Twitter @securityincite), and the first keynote is about how the CISO needs to evolve. And Shrdlu has a good post about how to evolve as a CISO, especially given there are very few formal education programs for senior security folks. Again, I have to default to being Pragmatic. We are BUSINESS PEOPLE, and that means we need to learn more about the business. Maybe spend a week in a factory. Or in the field with sales folks. Or in the customer support group. We need to have a firm understanding of how the business works, and then we'll better understand how to protect it. So don't expect anyone (not even the pirates from SANS) to provide a curriculum for these skills. The answer is right in your own house; you just have to get out of your easy chair to get it.

Last week's Tweets of Note

Since I was off last week, I didn't do a whole lot of tweeting. But here is the stuff I pointed out. I'll be more active this week...

  • Rothman (w/ @eiqnetworks hat on) does a podcast with TechTarget's Andy Briney on the SIM market. http://is.gd/12CbQ
  • If you are a vendor, you must follow @crankypm. She speaks the truth about how the sausage is made. And it ain't pretty. http://is.gd/12CgF
  • Don't be too happy. It's politically incorrect (even with $36MM burning a hole in your pocket). Tom Peters rant: http://is.gd/13qJ1
  • CSO role changing? Techie to business exec. http://is.gd/13rk2 Remember Deming: It's not necessary to change. Survival is not mandatory.
  • No, you look great in that muumuu. But if not, a link from a TDI reader on a good eating plan from Texas Tech. http://is.gd/13rwJ
  • IM Logic deal was such a success, #SYMC needed to launch a new IM Security Service. Back to 2004! http://is.gd/13rLS #lovetimemachine
  • Cisco launches Flip Video Sharing Service. http://is.gd/13suI #watchuglypeoplescrewing
  • Not much rumble about start-up Dasient. Seems like a feature to me. Other opinions? http://bit.ly/acNnG
  • Off to do @andrewsmhay favorite SIEM panel with 5 other vendors. Should have had hemlock with lunch. http://bit.ly/iyzEI
  • Heartland picks Voltage to build end to end crypto thing. Hopes this will subdue class action vultures. Not so much. http://bit.ly/rPnJi
  • Been banging my head against wall for 90 minutes. Made a mess in conference room. #SIEMcast
  • Google "considers" tightening web app security. http://is.gd/15nci <- Quick response, but a grin fookng nonetheless.
  • RT @shrdlu: Checkpoint is advertising something called "WHALE pricing." <- Maybe they can call it "SUCKER pricing"
  • I look at this post from @paperghost and I don't feel bad that the idiots who fall for this crap get the pwning they deserve. http://is.gd/15yhT
  • June Fortune Cookie Advice from Matthew Rosenquist (http://is.gd/15zq2): Think strategic. Act competitive. Be secure. <- Kumbaya.
  • Bad career advice from @mmurray @ljkush? Not Machiavellian enough. Feed boss hemlock and step over body on way to top! http://is.gd/15A52
  • The real Grumpy Pete tries to take on Bejtlich relative to ROSI. This does not end well. http://is.gd/15FcX
  • Mastercard initiates QSA stimulus package (on-site for L2 merchants). Methinks they'll all be qualified. (via @mckeay) http://is.gd/15Ftv
  • My Father's Day present is the realization that my kids will be able to work it out in therapy.
  • Schneier shows the precursor of the great Internet commerce backlash. If fraud is this prevalent, folks will just stop. http://is.gd/19Cc5