At long last it's time to unveil my "summer project." Back in May I really took stock of the entire industry. After talking and working with a lot of folks on the Pragmatic CSO [1] methodology and approach, it became clear that I needed to think differently about the problem.

We, as security professionals, know the score. We know what is vulnerable and we work every day to try to address those issues. Even [2]if we individually have small victories and stay off the front page of the newspaper, it's pretty clear that we are losing the war.

Suffocate the bad guys

I spent some time thinking about the root cause of the problem. Basically tens of millions of zombies are out there anonymously doing the dirty work of the bad guys. I've been beating the drum for a while that the ISPs need to step up and address this issue, even though it's going to be painful (especially from a customer support standpoint). It's be a while before they get there. A long while.

Yet I was still treating the symptom, not the cause. I'll describe the conversation that spurred my thinking of the solution tomorrow, but suffice it to say it was only by talking to someone NOT in the security business that I gained clarity about what needs to be done.

Basically we need a grass roots effort to suck the oxygen out of the system and suffocate the bad guys. We still get spam because people still click on links and buy fraudulent products from these shysters. We have identity theft because people remain gullible and will fall for some pretty sophomoric social engineering and phishing attacks.

If we stop more people from doing more stupid things and getting pwned, then we change the economics of Internet fraud.

A Bold and Audacious Goal

So that's what I'm aiming to do with Security Mike's Guide to Internet Security [3]. We need to change the economics of Internet fraud. Yes, it's a bold and audacious goal. Really bold and really audacious. But we are losing and doing the same stuff is not going to yield different results - that much I know.

Security Mike's Guide to Internet Security is a 10-step process to help consumers protect themselves (and their kids) from hackers, identity thieves and other online mayhem. The three main sections are: Secure the Foundation, Protect Your Identity, and Protect Your Kids. That's what it's all about.

Before embarking on an extensive new product initiative, I did check out what's out there. The good news is that there is a tremendous amount of information out there about Internet Security. The bad news is that it sucks. Really sucks. The information is disjoint and not specific enough for someone like my Mom to know what she should do. I was pretty disenchanted and annoyed by this. Even if my Mom wanted to address the issue, she'd have to spend weeks wading through all the crap to figure out what to do.

As I tend to do when I'm annoyed, I decide to fix the problem. Security Mike's Guide is a simple, step-by-step guide that is light on verbiage and heavy on screen shots and detailed instructions of what to do.

If you like it, then it's too hard

The fact is, since you are a security professional, there is a high likelihood that you'll hate it. It's intentionally simple. It's not designed for you. It's not even Security 101. It's kind of like Security Kindergarten. It's secure, but it's not complicated. Unfortunately the two are not mutually exclusive at this point. The sad truth is that anything too complex isn't going to get done. I had to intentionally get rid of the buzzwords and vernacular that dominate our security conversations. Soccer Moms don't care about zombies or IP spoofing.

It's designed for your family and/or your neighbors. Those folks that annoy the crap out of you by asking you to spend your weekends cleaning up the mess they made during the week.

Security Mike's Guide is not about making sure that the world class researchers can't break into their home networks. It's about making sure the script kiddie neighbor cutting his teeth doesn't manage to break into your network and get at your Quicken file. Or find your "private" pictures (ask Vanessa Hudgens about that).

How does Security Mike's Guide to Internet Security work?

The Guide will be delivered via Security Mike's Portal that will go live on (or before) October 15. In the meantime, folks that buy the product during the pre-sale period will get a great discount and will receive a few of the key steps over the next few weeks to get started.

Each step will be laid out in the Portal in excrutiating detail. Screen shots and a DO THIS, then DO THAT approach. If you can follow directions, then you can do Securit Mike's Guide. You'll be able to print the information if that is more comfortable for you. There will be Forums to ask questions and discuss security topics. And no this is not competing with the Catalyst Community. This is for CONSUMERS, not practitioners.

The product will also feature Security Mike's Update Service, which is exactly what it sounds like. Remember, unsophisticated users need step-by-step instructions in the event of a new attack that may require some workarounds. They need to be reminded to verify that the latest batch of patches were installed. That's what the Update Service provides.

Security Mike's Blog

Since Security Mike's Guide to Internet Security really addresses a different audience, I'm launching a new blog to talk directly to those folks. It's called Security Mike's blog (I know, original name there) and is at http://securitymike.blogspot.com [4]. It's kind of sparse now, but I'll be trying to post once a day on that blog as well.

So what? Why will consumers care?

It's pretty straight-forward. Consumers tend to be worried about a few things. Their identity, their kids, and their money. Security Mike's Guide addresses all three.

1) Identity Theft - Your identity will be stolen (it probably already has), so you better be prepared. This involves both technically securing your networks and devices, but also knowing what to do to protect your identity a bit proactively. Given the number of data breaches lately, this is one of the "hottest" issues out there.

2) Protect the Kids - All of our kids are at risk. These new social networks are unknown quantities and we are still figuring out what the real risks are. Until things shake out, we need to be able to more effectively govern what happens on these social networks.

3) Stop wasting money on unnecessary security software - Millions of people waste money on traditional security (read AV) every year and they aren't any more protected. Meanwhile, there are tons of free offerings out there that do as good, if not better, job of protection. To be clear, I'm not saying we don't need security software - we do. I just don't understand why a consumer would pay for it today.

Security Mike is going to ruffle some feathers, which I'm cool with. Big Security wants to maintain the status quo. They want everyone renewing their $80 suites year after year, so they can keep milking the cash cow. They don't really care if things get better. They have a DISINCENTIVE for things to get better.

Security Mike's Guide is about making things better

Feel free to check out the Security Mike web site to get more information about the program. Just to be very clear about expectations, the 10 Steps are very simplistic from a practitioners perspective. I can't wait for lots of folks to poke holes in it and say it's too simple to really work.

The fact is what we are doing now isn't working. So it's time to try something different. Security Mike is going to lead the way.