Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - April 21, 2008

By Mike Rothman
Created 2008-04-21 10:16
Today's Daily Incite

April 21, 2008 - Volume 3, #38

Good Morning:
There is comfort in ritual. For me, religious holidays are comfortable. It doesn't matter which holidays you choose to celebrate, but all the same it's an opportunity to spend time with the people you care about. Or at least the people with which you share a genetic link. Or married someone that is genetically linked to you. Like my brother says, "you can pick your friends, but you can't pick your family." Thankfully, I like my family. That's probably unique.

Personally, religion is important to me, but not in a dogmatic way. It's about the cultural values that faith drives, not what the specific rituals are supposed to mean. Or even the folklore that allegedly happened thousands of years ago. Maybe.

This past weekend was the beginning of the Passover holiday. The Last Supper was a Passover Seder. We celebrate the liberation of the Jews from the clutches of the Pharaohs in Egypt. Did any of that stuff happen? I can't be sure, since I wasn't there - despite my mop of gray hair. Do I believe? Sometimes I do, sometimes I don't. I'm not so naive to think that the winners don't write history how they want it to be remembered. Or based upon what will make a great story.

At the end of the day, it doesn't matter. People can believe what they want to believe. I believe that holidays are a great opportunity to see friends and family, to catch up and to reiterate to my kids the importance of spending time with the people we care about. Like many of you, I get mired in the details of life, so having a couple of rituals throughout the year helps force me to take a breath and remember what is important.

At some point, my kids will make their own decisions about what to believe, and I'm going to do my best to let them. Would I really blame them if they decided that eating matzah for 8 days doesn't really do much to remember the plight of my ancestors in the deserts of the Middle East? If they even toiled in the deserts at all. I guess I'm letting my inner cynic get the best of me this morning. I just realized that a lot of the holidays we celebrate are about getting together, not about praying or dogma or anything besides family and community.

I must have lost my mind, but I had 25 people over for a non-Seder yesterday. No religion. No ceremony. No dogma. No plagues. No nothing except some friends and family getting together and catching up. And no bread either. So rituals are just too hard to break.

By the way, this in no way indicates dissatisfaction or anything in the faith that I choose to follow. It just indicates a pragmatism that I apply to every part of my life. I try to understand why I do things and whether it's worth doing. Celebrating holidays with friends and family gets a big thumbs up, but not because it's what we are "supposed" to do. It's because it's something that I WANT to do. There is a big difference. 

Have a great day.

Photo: "mortuary last supper #1" originally uploaded by ratterrell [1]



Top Security News

NetworkWorld chat with Adam Gordon [10] does a pretty good job debating some of the security certifications out there. Personally, I'm not a huge fan of certifications, although for overworked hiring managers and automaton HR personnel, certifications are an easy way to separate what is probably a large number of candidates. The advice I liked best in the piece is to "view your resume as a pyramid." Right, you need a strong base and then you can specialize. So when I see folks wanting to get pretty specific certifications when they first enter the business, it is the cart getting ahead of the horse a bit. Basically you need to understand the fundamentals before you try to progress to the advanced nuances of the technology. It seems obvious, but it's amazing how many folks either forget this or don't bother to remember. 

the recent CEO spear-phishing attack [12] to get a meeting with the CEO to brief him/her on the stuff they need to know? Or maybe you have your boss (presumably the CIO) do this with you. I'm not so concerned about the specifics, but rather the general commitment to get exposure at the executive level. You cannot do your job if you aren't credible. If you don't build credibility, you are lost. I know a lot of security professionals that are lost. Kind of like being on death row. You know you are going to be strung up at some point, you just don't know when. And you feel like there is nothing you can do about it. You are also wrong. Pay attention and use news items to further your agenda, where appropriate. It's OK. Just make sure you have something to say when the executives take the meeting.

his RSA 2008 wrap-up in Wired [14] to continue to hammer home the reality that security isn't really a stand-alone business, and uses a controversial headline, "RSA Conference Will Shrink Like a Punctured Balloon," to make the point. Does he really think that? Probably not; that wouldn't be good for business. But his underlying point (which you need a machete to get to amongst all the other hyperbole) is that security has a marketing problem. "The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature." Amen to that. I used to get hammered because I favored descriptive marketing terms, not the sexy ones that sound nice but nobody knows what they mean. It's kind of like the difference between UTM and GRC. You say "unified threat management" and people understand what that means. Governance, Risk and Compliance? Huh? I don't believe RSA will go away, and I figure it will probably be bigger for the next couple of years, unless the global economy really takes a hard hit. Bruce is right: it's not security professionals looking to find out what's new anymore. It's people trying to figure out how to make money in the security INDUSTRY. And there are a lot of folks doing that.

The Laundry List

  1. Deal: Blue Coat snaps up Packeteer for $268 million. Remember I talked about "secure, accelerated access" about 18 months ago. Right. It's actually happening. It's also indicative of the blurring between networking and security in the perimeter. - Blue Coat release [16]
  2. Deal: TriCipher buys Sxip User Manager. Does that mean Ping Identity and TriCipher have joint custody over Dick Hardt's presentation now? Who gets the weekends? - TriCipher release [17]
  3. Check Point announces decent Q1 earnings. 17% growth in products and top line. - Check Point earnings release [18]
  4. BorderWare rebrands their reputation service, calling it a "second generation" solution. Uh huh. "My thingy is better than your thingy" marketing works pretty well nowadays in mature markets. - BorderWare release [19]

Top Blog Postings

man-love [20] (not that there is anything wrong with that...). Personally, I'd rather just link to Hoff and let him explain all this hocus-pocus to you. At some point the threats will become manifest, and then you'll need to start doing something about it. Or the first wave of virtualized architectures won't cut the mustard and the industry will need to retrench. Either way, the wonderful thing about the Internet is that we can all come back to these posts and figure out what we need to know, when we need to know it. Sure, we should have listened the first time, but who has time for that? Right now, I'll focus my small brain on the things that are real exposures today. Folks that worry about security innovation need to think these big thoughts. Parasites that regurgitate the news and mix Musketeer and Horsemen analogies don't.
http://rationalsecurity.typepad.com/blog/2008/04/the-four-horsem.html [21]

http://1raindrop.typepad.com/1_raindrop/2008/04/rsa-debrief-11.html [23]

Big Jeremiah [25] (even if Hoff tapped him out [26], he's still big in my book) are all fired up about PCI Standards Council head Bob Russo talking a bit about Requirement 6.6 and then publishing an 8-page "clarification." To be clear, clarification is good. It's good that some of the tool vendors will actually be able to wield a real PCI hammer, as opposed to the "no, really, the auditors recommend my stuff." They've been making it up for 3 years now. Ivan believes this clarification will "end ambiguities," but I beg to differ. It's still all about how the assessors interpret the rules and the guidance and the clarifications. The biggest frustration the users in my PCI sessions at RSA had was the inconsistency and variability of the QSAs' interpretation of the requirements. Unfortunately, there is no way to really make anything so crystal clear that it will apply to all situations. No way. So now the users can be even more confused, trying to figure out how the guidance will actually be interpreted by the assessors. Ain't compliance life grand?
http://blog.ivanristic.com/2008/04/pci-council-rel.html [27]


Source URL: http://securityincite.com/blog/mike-rothman/the-daily-incite-april-21-2008