The Daily Incite - April 21, 2008
April 21, 2008 - Volume 3, #38
Good Morning:
There is comfort in ritual. For me, religious holidays are comfortable. It doesn't matter which holidays you choose to celebrate, but all the same it's an opportunity to spend time with the people you care about. Or at least the people with whom you share a genetic link. Or who married someone who is genetically linked to you. Like my brother says, "you can pick your friends, but you can't pick your family." Thankfully, I like my family. That's probably unique.
Personally, religion is important to me, but not in a dogmatic way. It's about the cultural values that faith drives, not what the specific rituals are supposed to mean. Or even the folklore that allegedly happened thousands of years ago. Maybe.
This past weekend was the beginning of the Passover holiday. The Last Supper was a Passover Seder. We celebrate the liberation of the Jews from the clutches of the Pharaohs in Egypt. Did any of that stuff happen? I can't be sure, since I wasn't there - despite my mop of gray hair. Do I believe? Sometimes I do, sometimes I don't. I'm not so naive as to think that the winners don't write history how they want it to be remembered. Or based upon what will make a great story.
At the end of the day, it doesn't matter. People can believe what they want to believe. I believe that holidays are a great opportunity to see friends and family, to catch up and to reiterate to my kids the importance of spending time with the people we care about. Like many of you, I get mired in the details of life, so having a couple of rituals throughout the year helps force me to take a breath and remember what is important.
At some point, my kids will make their own decisions about what to believe, and I'm going to do my best to let them. Would I really blame them if they decided that eating matzah for 8 days doesn't really do much to remember the plight of my ancestors in the deserts of the Middle East? If they even toiled in the deserts at all.
I guess I'm letting my inner cynic get the best of me this morning. I just realized that a lot of the holidays we celebrate are about getting together, not about praying or dogma or anything besides family and community.
I must have lost my mind, but I had 25 people over for a non-Seder yesterday. No religion. No ceremony. No dogma. No plagues. No nothing except some friends and family getting together and catching up. And no bread either. So rituals are just too hard to break.
By the way, this in no way indicates dissatisfaction or anything in the faith that I choose to follow. It just indicates a pragmatism that I apply to every part of my life. I try to understand why I do things and whether it's worth doing. Celebrating holidays with friends and family gets a big thumbs up, but not because it's what we are "supposed" to do. It's because it's something that I WANT to do. There is a big difference.
Have a great day.
Photo: "mortuary last supper #1" originally uploaded by ratterrell
Top Security News
Build a pyramid the Pharaohs would be proud of
So what? - I'm not sure why, but a lot of folks ask me for career advice. Maybe because I've had a lot of career twists and turns and I can be pretty objective about where someone is and where they want to be. Maybe because I have no vested interest and some folks just want someone to work through the decision points, without bias. Whatever the reason, I'm happy to do it. Ultimately I just ask questions and challenge assumptions. Most folks know exactly what they want to do, they just need to overcome their own biases and fears. This NetworkWorld chat with Adam Gordon does a pretty good job debating some of the security certifications out there. Personally, I'm not a huge fan of certifications, although for overworked hiring managers and automaton HR personnel, certifications are an easy way to separate what is probably a large number of candidates. The advice I liked best in the piece is to "view your resume as a pyramid." Right, you need a strong base and then you can specialize. So when I see folks wanting to get pretty specific certifications when they first enter the business, it is the cart getting ahead of the horse a bit. Basically you need to understand the fundamentals before you try to progress to the advanced nuances of the technology. It seems obvious, but it's amazing how many folks either forget this or don't bother to remember.
Here's an excuse to sit with the CEO
So what? - One of the biggest issues I hear about the Pragmatic CSO methodology is the need to get face time with executives. It's hard, they don't return calls, they are not responsive. Waaaa Waaaa. Can I get you some cheese with that whine? Sometimes you have to think a bit more creatively and overcome those obstacles because it's the right thing to do. How many of you take data points like the recent CEO spear-phishing attack to get a meeting with the CEO to brief him/her on the stuff they need to know? Or maybe you have your boss (presumably the CIO) do this with you. I'm not so concerned about the specifics, but rather the general commitment to get exposure at the executive level. You cannot do your job if you aren't credible. If you don't build credibility, you are lost. I know a lot of security professionals that are lost. Kind of like being on death row. You know you are going to be strung up at some point, you just don't know when. And you feel like there is nothing you can do about it. You are also wrong. Pay attention and use news items to further your agenda, where appropriate. It's OK. Just make sure you have something to say when the executives take the meeting.
The security business goes pssssssss....
So what? - You do have to hand it to Schneier, he does write a lot. Like someone else I know, but if I was a quarter of the promoter that he is, I'd be living large. But it's all good because when you write a lot some stuff will stick and other stuff won't. Bruce uses his RSA 2008 wrap-up in Wired to continue to hammer home the reality that security isn't really a stand-alone business, and uses a controversial headline "RSA Conference Will Shrink Like a Punctured Balloon" to make the point. Does he really think that? Probably not, that wouldn't be good for business. But his underlying point (which you need a machete to get to amongst all the other hyperbole) is that security has a marketing problem. "The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature." Amen to that. I used to get hammered because I favored descriptive marketing terms, not the sexy ones that sound nice but no one knows what they mean. It's kind of like the difference between UTM and GRC. You say "unified threat management" and people understand what that means. Governance, Risk and Compliance? Huh? I don't believe RSA will go away and I figure it will probably be bigger for the next couple of years, unless the global economy really hits hard. Bruce is right, it's not security professionals looking to find out what's new anymore. It's people trying to figure out how to make money in the security INDUSTRY. And there are a lot of folks doing that.
The Laundry List
- Deal: Blue Coat snaps up Packeteer for $268 million. Remember I talked about "secure, accelerated access" about 18 months ago. Right. It's actually happening. It's also indicative of the blurring between networking and security in the perimeter. - Blue Coat release
- Deal: TriCipher buys Sxip User Manager. Does that mean Ping Identity and TriCipher have joint custody over Dick Hardt's presentation now? Who gets the weekends? - TriCipher release
- Check Point announces decent Q1 earnings. 17% growth in products and top line. - Check Point earnings release
- BorderWare rebrands their reputation service, calling it a "second generation" solution. Uh huh. My thingy is better than your thingy marketing works pretty well nowadays in mature markets. - BorderWare release
Top Blog Postings
I'll be D'Artagnan
The Hoff gets out his dogma books and talks about the "Four Horsemen of the Virtualization Security Apocalypse" and continues to show why it hurts my brain to hang out with Hoff. It's not the mojitos either, it's his ability to see how things come together when we aren't even sure which end is up. Of course, this level of intellect does attract a certain level of man-love (not that there is anything wrong with that...). Personally, I'd rather just link to Hoff and let him explain all this hocus-pocus to you. At some point the threats will become manifest, and then you'll need to start doing something about it. Or the first wave of virtualized architectures won't cut the mustard and the industry will need to retrench. Either way, the wonderful thing about the Internet is that we can all come back to these posts and figure out what we need to know. When we need to know it. Sure we should have listened the first time, but who has time for that? Right now, I'll focus my small brain on the things that are real exposures today. Folks that worry about security innovation need to think these big thoughts. Parasites that regurgitate the news and mix Musketeer and Horsemen analogies don't.
http://rationalsecurity.typepad.com/blog/2008/04/the-four-horsem.html
What is "enterprise quality?"
Gunnar goes on a tirade here about the mismatched expectations between enterprise pricing and value received. He rants about vendors overselling what they can do and ultimately disappointing customers. He sums it up: "In a nutshell: here is the problem with enterprise security products - they charge enterprise prices, but they do not deliver enterprise quality." Let's go back to how these products are priced. It's not about value or pretty much anything else. It's about how much the customer will pay. Pure and simple. How can Barracuda sell an anti-spam gateway for $3000 and other vendors sell a similar product for $50,000? Is the other product 15 times better? Of course not. But the enterprise customers in an early market can afford $50K per box, so that's what you charge them. Until you can't do that anymore. As markets mature and as some companies have proven that you can disrupt using price, distribution and "good enough" technology, we'll see Mr. Market wield his ugly hammer on those with overly fat margins. But you need a volume business to see Mr. Commodity Market in action. Most security markets are far from volume businesses.
http://1raindrop.typepad.com/1_raindrop/2008/04/rsa-debrief-11.html
How long before PCI guidance makes it to the field?
So Sir Ivan and Big Jeremiah (even if Hoff tapped him out, he's still big in my book) are all fired up about PCI Standards Council head Bob Russo talking a bit about Requirement 6.6 and then publishing an 8-page "clarification." To be clear, clarification is good. It's good that some of the tool vendors will actually be able to wield a real PCI hammer, as opposed to the "no, really, the auditors recommend my stuff." They've been making it up for 3 years now. Ivan believes this clarification "end ambiguities," but I beg to differ. It's still all about how the assessors interpret the rules and the guidance and the clarifications. The biggest frustration the users of my PCI sessions at RSA had was the inconsistency and variability of the QSAs' interpretation of the requirements. Unfortunately, there is no way to really make anything so crystal clear that it will apply to all situations. No way. So now the users can be even more confused, trying to figure out how the guidance will actually be interpreted by the assessors. Ain't compliance life grand?
http://blog.ivanristic.com/2008/04/pci-council-rel.html