November 28, 2007 - Volume 2, #157
Good Morning:
The honesty and innocence of kids is truly inspiring. Every so often one of my offspring will say something that simultaneously has me cracking up and also really appreciating the fact that the world has not beaten them down yet. Over the holidays we got to spend some time with my Mom and step-father. We're having a nice lunch at a buffet and the manager of the place brings each of the twins a little cup of gummy bears and M&Ms. Lindsay tears into the M&Ms and Sam has an affinity for the Gummies. They finish their respective piles and Sam asks for some more Gummy Bears. "Nope," says Dr. No (that's me).
Sam grumbles a little, but he'll get over it. He always does. Being one to never let a buffet get the best of me, I head up to fill my plate (once again) with some healthy food (yeah, right). While I'm gone, Sam jumps into Lindsay's seat and grabs a few of her Gummies. My step-father Bobby tells Sam he shouldn't have done that. But then, being the great example of purity that he is, Bobby suggests that they can keep it a "secret." Sam agrees that it's a good idea to keep it a secret and says he won't tell me about the extra Gummy.
I get back to the table with my plate of veggie slaw or something (if you believe that, I have some Las Vegas real estate to sell you). Then Sam blurts out, "Dad, I'm not going to tell you about the extra Gummy Bears I had. Bobby told me not to tell you. We're keeping it a secret." I almost fell out of my seat. Mental note - don't entrust Sam with the family secrets just yet.
It gets back to honesty. I'm glad that even with some bad influences (like his Grandpa Bobby), Sam still chose to tell me about the Gummy. I know that won't always be the case, but I'm not going to complain while the kids are still young and innocent. I didn't punish him because he told me the truth. If I took a pound of flesh over the extra Gummy Bears, then the next time he needs to tell me something he may think twice. That's what I'm trying to avoid as a parent. It's a fine line, because you can't just allow bad behavior, even if they come clean. But you also can't provide a huge disincentive to being honest.
There is a bigger message here. We tend not to come clean about the things we screw up. I totally agree with Dennis Fisher's take on the UK Government's data loss [1]. They came clean. They accepted fault and they are going to try to make it right. If they had buried the issue under layers of lies, obfuscation and misinformation, the citizens would be outraged. Instead, it's not an optimal situation, but it's also not a 40-car pile-up.
Let's hope you personally are never tested and put in a place where you have to come clean about something less than savory. But if it happens, remember you always have a choice. Will you fess up about the Gummy Bear?
Have a great day.
Technorati: Information Security [2], CSO [3], Security Mike [4], Internet Security [5]
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [7]
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [8]
Top Security News
good data security overview by Network Computing's (now InformationWeek's) Jordan Weins [10], I thought of the movie "City Slickers." Great flick, but when Curly tells Billy Crystal's character that the secret of life is "one," and he has to find out what that one is for him, it kind of came full circle. I'm in the business of genericizing decisions that are pretty important. I track trends, I project outcomes and ultimately I try to use that information to help organizations make better decisions. But every decision ultimately has to be made within the context of your business. When Jordan started looking at data security, there were over 100 different products that could "fit" the bill. How do you possibly make heads or tails out of so many choices? You need to take a step back and really focus on what problem you are trying to solve. It's hard - I know it's hard. You have lots of distractions and reps calling you all the time to get you to focus on the problems they solve. But don't be deceived. Your success directly depends on how well you solve the problems that are important to YOUR business. Data security is something we all need to address, but exactly how you address it is anything but generic.
Link to this [10]
SANS has published its Top 20 report on Internet Security Risks [11]. Attacks are getting more targeted and specific. No kidding. The users are still mostly the weakest link. Right. Technology and complexity within web applications are making things harder to protect. Absolutely. Evidently there were only 18 big risks, so maybe next year we'll see 22 to make it all balance out. The reality is that these lists are interesting in that they give the beat reporters something to do for a few days, but I'm not sure they really help anyone do anything much better. Remember, one of the keys to success as a security practitioner is to stay current with all the activity happening out there. That means you have to read a lot and figure out how what you read impacts your current list of things to do. But you already know that because you read my drivel each day. I'm more worried about the folks that don't stay current. Seeing what's happening out there once a year just isn't good enough.
Link to this [11]
Webroot has decided to get into the anti-spam managed services business by acquiring Email Systems [12]. Huh? Who? For a first acquisition out of the gate, this is kind of strange. Webroot had no managed service presence. Not even a UTM or a vuln scanning thing. Just the various desktop security products. So how do you get into an overcrowded market like anti-spam, where you have no real differentiation, with an offering that no one has ever heard of? I guess you get ready to swim upstream for a while. And to spin Email Systems as offering "unrivaled SaaS technology that represents a tipping point in enterprise security." Who writes this stuff, and how can I get some of what they are smoking? Sure, Webroot has some customers and they need more stuff to sell them, but it would have made more sense to me to take out something a bit closer to the desktop (maybe a NAC thing, like Symantec did with Sygate), as opposed to getting into a totally different business.
Link to this [12]
The Laundry List
- Worried about the SANS Top 20? Qualys will scan you for free. Maybe you'll even like it and buy some more. - Qualys release [13]
- How should SMBs do security reporting? I covered that topic in my monthly SearchSMB column. - Rothman SearchSMB tip [14]
- Put up (the S-1) or shut up. Lumension pats itself on the back for 106% revenue growth. So they went from $100 to $206 in sales? I hate these "success" releases, which don't say a damn thing. I should know, I used to write them. - Lumension release [15]
Top Blog Postings
http://blogs.computerworld.com/the_coddled_and_shielded_executive [16]
Link to this [16]
http://blogs.zdnet.com/Ou/?p=883 [17]
Link to this [17]
http://sm-blog.securitymike.com [18]
Check out the latest on the Security Incite blog: http://blog.securityincite.com/ [19]
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite [19]