Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - January 2, 2008

By Mike Rothman
Created 2008-01-02 12:32
Today's Daily Incite

January 02, 2008 - Volume 3, #1

Good Morning:
It's 2008 and I think a guy like me needs a theme song. I'm doing a lot of public speaking now, and it would be great to have all sorts of pyrotechnics and a thumping theme song when I enter the room to do my thing. Kind of like when folks like the Undertaker enter the arena during a WWE extravaganza. If any of you've seen my panel moderating style - that is probably a good analogy, no? So what theme song should I pick?

Well, it needs to be angry, since most of the folks I speak to are security professionals, and they are a pretty grumpy bunch. It needs to be aggressive and in your face because that's my "persona." It needs to be hard rocking. No one is going to get excited about a speaker walking into the room to the Carpenters or Air Supply. And finally, it needs to bring you back to happier days. Even though the song is angry and in your face, it needs to remind you of simpler times, happy times. When you could be angry because it was fun and different, not because you had to.

I pick "Welcome to the Jungle" from Guns 'n Roses. Yes, I'm sure that was very predictable. You know me too well. There were a number of other songs I considered, like AC/DC's Big Gun and Van Halen's Hot for Teacher, but I thought the Guns anthem was most reflective of the challenges that we security folks deal with every day.

So all of you conference organizers down there, check with the venues to make sure some fireworks in the conference facilities won't violate fire codes, and make sure you have a couple of kickin' amps to get the crowd feeling good when I go on stage.

But there is a deeper thought at work than stroking my oversized ego by defining a theme song. It's about themes. I saw this post on Andy Wibbel's blog [1] and I think it's a great thing to think about. What is your "theme" for 2008? Losing 25 pounds and not being such a prick all the time are good resolutions (yes, they are on my list too), but that doesn't really give me an idea about how I should be weighing all of the personal and business decisions I face. What is my rallying cry for the year, my mantra?

It's actually pretty easy. In my old age, I'm getting kind of Zen. I'm trying to eat more naturally and I'm trying to enjoy the ride, as opposed to always being focused on what's next. For all I know, this is next. I'm starting volume 3 of the Daily Incite today and who knows, I'll blink my eyes and we could be on volume 10. So I may as well enjoy it, as opposed to always feeling bad about all the other stuff I "should" be doing.

I've always been in a rush. Since as long as I can remember. Even though I wasn't quite sure where I was going, I wanted to get there at a high rate of speed. At this point, things are moving fast enough. My kids are growing, my hair is gray, and my folks are now grand-folks. If anything, each new year is passing faster than the last.

So I'm going to make a concerted effort in 2008 to "BE SLOW." No, that doesn't mean I'm going to be inching along the highway at 40 mph. But I'm going to enjoy the ride, I'm going to be thankful, I'm going to let things happen - as opposed to being too preoccupied with making them happen.

I'm very lucky that I have the ability to slow down. It doesn't mean I'll be working less, but I'll be working on the stuff I want to do. That means I'll inevitably need to fire some clients and turn down some gigs that I probably would have done in 2006. If it's not fun, I'm not interested. If it's not going to engage my brain, make a difference, and if I won't feel good about doing the work - then I won't. I'm going to try some new stuff, but I'm going to focus on making all the stuff I already do more successful - as slowly as a guy like me can go.

I wish you all a slow 2008 and that you take some time to enjoy the ride.

Entrance - The Undertaker image originally uploaded by Jesus V [2]


Top Security News

Larry Dignan's "wishes" for 2008 [11]: I think they are all good and well (like having real penalties for data breaches and moving away from the O/S monoculture), but they don't have a snowball's chance in hell of actually happening. Like Apple is really going to take QuickTime security seriously. There will be lots of lip flapping, but those changes in big companies are like brain transplants. I'll get back to my ongoing evangelizing of the REACT FASTER doctrine. It would be great if even one item on Larry's list actually happened, but that's not likely. So I focus my efforts on making sure I can recover from the next set of attacks targeting my devices, my people and my data. I guess I wish that REACT FASTER won't be every 2nd and 3rd word out of my mouth in 2008.

dominating the IT agenda in 2008 [13] as NetworkWorld covers, then we are screwed. Figuring out how to make more money or spend less money should be dominating the IT agenda EVERY YEAR. Yes, you want to do it securely. Of course, you want to protect your data. But ultimately, when the job of the CIO is to protect data and not to add value to the business, then you may as well collapse the tents and buy a Subway franchise. Security needs to be built-in and transparent. Security really "arrives" when we stop talking about it. When it's just part of the fabric, when we actually do a threat model BEFORE we start building an application, when we stop focusing on stopping every new attack and start focusing on making sure we can withstand whatever attacks are coming down the pike. Yes, we are a long way off from that day, but since we are wishing for stuff, can't a guy wish himself out of a job?

Qualys is now pushing their PCI scanning service [15] pretty hard. OK, what does this solve, like 1 or 2 of the PCI requirements? Listen, I'll be the first to say that scanning (and more importantly, pen testing) is critical to being secure. But does that mean you are compliant? I hope not, but in these days of cutting every corner, I'm sure a lot of organizations will just default to a scan, a self-questionnaire and a good amount of prayer that today is not their day. I also thought this new offering from NSS Labs [16] was kind of silly. They are going to "certify" network equipment as meeting the PCI standards? What the hell does that mean? Everyone knows a firewall configured correctly meets a number of the requirements. But a firewall configured incorrectly? Right, not so much. But if a vendor has $45K sitting around, I'm sure I could help them spend it.

The Laundry List

  1. What's in security's Crystal Ball for mid-market CIOs in 2008? Check out my last column for SearchSecurity's SMB site to find out. - Rothman SearchCIO-midmarket column [18]
  2. Talk about weak differentiation, Fidelis figures that supporting IPv6 is the key to DLP. Maybe I'm minimizing the impact of IPv6, but outside the US Feds I haven't heard one end user say it's important. - eWeek coverage [19]
  3. 32% of SMBs suffering security breaches? Hmmm. Like they actually know what a security breach is...  - Dark Reading coverage [20]
  4. Yes, there will be more identity theft in 2008. Yes, it creates a market for these kinds of services, but it's like insurance - no one buys ID Theft services happily. - Tim Wilson's Dark Reading blog [21]

Top Blog Postings

Dennis Fisher also comments a bit [22] about consolidation and its ultimate impact on the security market, and he's right. We do have to see how all this stuff shakes out, but to think it'll be same old, same old means you aren't paying attention.
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/12/is-security-the.html [23]

http://www.darkreading.com/document.asp?doc_id=141258 [25]


http://sm-blog.securitymike.com [27]

Check out the latest on the Security Incite blog
http://blog.securityincite.com/ [28]

Read the most recent Daily Incite

http://securityincite.com/security-incite-rants/daily-incite [29]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-january-2-2008