You may not know it, but lots of folks you know are zombies. It seems that life has beaten them down, and miraculously two weeks later they don’t say ‘hi’ – they just give you a blank stare and grin as the spittle drips out of the corners of their mouths. Yup, a sure sign they’ve been to see Dr. Feelgood, who heard for an hour how hard their lives are, and as opposed to helping to deal with the pain, they got their friends Prozac, Lexapro, and Zoloft numb it. These billion dollar drugs build on the premise that life is hard, so it’s a good idea to take away the ability to feel because it hurts too much. Basically we, as a society, are increasingly becoming comfortably numb.
I’m not one to be (too) judgmental about the personal decisions that some folks make, but this one gets in my craw. My brother once said to me “Life is Pain,” and there is some truth to that statement. Clearly life is hard right now for lots of folks and I feel for them. But our society values quick fixes over addressing the fundamental causes of issues. Just look at your job. If someone came forward with a widget that would get you compliant, you’d buy it. Maybe you already have. And then you realize: there are no short cuts. You’ve got to do the work. Seems to me we don’t do the work anymore.
Now, to be clear, some folks are ill and they need anti-depressants. I’ve got no issue with that – in fact I’m thankful that these folks have some options to lead normal lives and not hurt themselves and/or others. It’s the soccer mom (or dad) who is overwhelmed with having to get the kid’s homework done and getting them to baseball practice. That doesn’t make sense to me. I know it’s easier to take a pill than to deal with the problem, but that doesn’t make the problem go away.
I guess that’s easy for me to say because thankfully I don’t suffer from depression. Yet, to come clean I spent most of my 20’s medicating in my own way. I got hammered every weekend and sometimes during the week. If I had invested in the market half of what I spent on booze, I wouldn’t be worrying about the mortgage. But I guess that I worry at all about anything is a good sign. Looking back, I was trying to be someone different – the “party guy,” who can drink beer funnels until he pukes and then drink some more. I was good at that. Then I realized how unfulfilling that lifestyle was for me, especially when the doctor informed me I had the liver of a 50 year old. Which is not real good when you are 30.
Ten years later, I actually enjoy the ups and downs. OK, I like the ups more than the downs, but I understand that without feeling bad, I can’t appreciate when things are good. I’m getting to the point where I’m choosing what to get pissed off about. And I do still get pissed. But it’s not about everything and I get past my anger a lot faster. Basically, I’m learning how to let it go. If I can’t control it and I didn’t screw it up, there isn’t much I can do – so being pissed off about it isn’t helping anyone.
By the way, that doesn’t mean I’m a puritan. I still tip back a few per week and kick out the jams a few times a year. The funnel is still my friend. The difference is I’m not running away from anything. I’m not trying to be someone else. I’m getting into the moment and having fun. There is a big difference.
– Mike
Photo credit: “Comfortably Numb” originally uploaded by Olivander
Incite 4 U
One of the advantages of working on a team is that we cover for each other and we are building a strong bench. This week contributor David Mortman put together a couple of pieces. Mort went and got a day job, so he’s been less visible on Securosis, but given his in-depth knowledge of all things (including bread making), we’ll take what we can get.
I also want to highlight a post by our “intern” Dave Meier on Misconceptions of a DMZ, in which he dismantles a thought balloon put out there regarding virtualized web browser farms. Meier lives in the trenches every day, so he brings a real practitioner’s perspective to his work for Securosis.
- It’s About the Boss, Not the Org Chart – My buddy Shack goes on a little rampage here listing the reasons why security shouldn’t report to IT. I’m the first to think in terms of absolutes (the only gray in my life is my hair), but Dave is wrong here. I’m not willing to make a blanket statement about where security should report because it’s more about being empowered than it is about the org chart. If the CIO gets it and can persuade the right folks to do the right thing and support the mission, then it’s all good. If that can happen in the office of the CFO or even CEO, that’s fine too. Dave brings up some interesting points, but unless you have support from the boss, none of it means a damn thing. – MR
- Rock Stars Are a Liability – It looks like Forrester Research now requires all analysts to shut down their personal blogs, and only blog on the Forrester platform. I started Securosis (the blog) back when I was still working at Gartner, and took advantage of the grey area until they adopted an official policy banning any coverage of IT in personal blogs. That wasn’t why I left the company, but I fully admit that the reception I received while blogging gave me the confidence to jump out there on my own. In a big analyst firm the corporate brand is more important than personal brands, since personal brands represent a risk to the company. The rock star analyst wants more pay & more freedom, and most of them then start believing their own hype and forget how to be a good analyst (which is why so few succeed on their own). The company also needs to maintain their existing business model, and can’t give away too much for free. From that perspective, the Forrester (and Gartner) policies make a lot of sense. Where they fail is that it will eventually be very difficult to attract and retain talent without letting them blog, since that’s where many thought leaders are now incubated. I also think it reduces trust, since blogs are powerful platforms to build personal connections with a wide audience. We have a totally different business model, but I fully respect and understand the reasoning behind the large firms. They’ll change when they have to, and not one second sooner. – RM
- Just a Little Tap (on the Noggin) – I wish I had gone to Black Hat in DC this year, as it appears there were half a dozen really cool presentations. One was Christopher Tarnovsky demonstrating how to crack TMP Smartcard Encryption through a hard-wire attack on the chip. By interrogating the data bus he was able to tap into the unencrypted data stream. Pretty cool and looks very complicated. While the scientist in me finds this interesting, I am betting people who really need to know what is going on will employ ‘lead pipe’ cryptography instead. Yes, thumping the owner of the device with a lead pipe on the noggin. This type of brute force attack is generally easier than getting breaking into the hardware. Sure, not as elegant as interrogating the system bus, but faster and more cost effective. – AL
- APT – Risk Management by a New Name – – An awesome rant by Greebo on why APT isn’t new, and also a great primer on how to design a security program. This says it all: ‘I hate APT and all the FUD surrounding it. Scaring the punters is chicken little or crying wolf. Get with the “do something” program. If you’re a news org, instead of talking about folks who got pwned, let’s talk about folks who through good management and effective IT Security programs have survived such “advanced persistent threats”.’ – DMort
- Is Application White Listing Coming of Age? – There is still significant resistance to application white listing in the minds of security professionals. Personally, I think the concept makes tremendous sense, especially given the fatal flaws in the way we detect malware today. But the risk of breaking applications is real and must be managed effectively. Another issue is the entire weight of the status quo (that means you, big AV vendors) has a vested interest in keeping AWL down. SCMag considers both sides of the equation and decides…well…nothing. Most organizations are starting small and that’s the right approach. I’m starting the Endpoint Security Fundamentals series next week, and I’ll be talking a lot about how malware detection needs to evolve – to be clear, it involves changing the way we look at the problem. – MR
- A “No Show” at Your Funeral – I was joking with a vendor today that participation at RSA is sometimes a must for small companies. Even if you don’t realize value and generate leads, not attending can create all sorts of speculation, rumor mongering, and competitive slurs. “They must not be doing very well” whispered over coffee to prospects clearly hurts sales. It’s a fact. I was reading Larry Suto’s “Analyzing the Accuracy and Time Costs of Web Application Security Scanners”, which I found to be an nice overview of issues with App Scanners, I could not help but wonder why WhiteHat had declined to participate. What was going on? Having been in the startup community for so long, I could not help but speculate (in the negative) before I caught myself. Jeremiah Grossman’s responses made me laugh out loud because I was guilty of this unfortunate trait. So I understand the post as saying: you must respond to these issues or FUD will fill the void for you. Logical or not, a response is not optional. And I am glad he did because the second half of the posts references some discussion points and history of the web application scanning space I was frankly unfamiliar with. He does a good job of documenting the issues with comparing web application scanners and not just issues of product functionality, but some of the surrounding issues of the craft in general. If you are considering investment, his list of references should help augment your evaluation process. – AL
- Take Your Patent and Shove It – I get a lot of stuff in my inbox from lots of vendors about why they are great and why their product is innovative, disruptive, game changing, next-generation, and the like. It’s all crap, but the releases that make me laugh the hardest are patent announcements. Listen, I’m a patent author from my days in vendor-land and I know what a joke it is. So when I see nebulous patents from start-ups (LogRhythm and NetWitness, for example), it’s more of the “enrich BusinessWire” conspiracy. The reality is none of these folks are going to enforce their patents, so it’s really just a waste of time. And I’ve wasted enough of yours ranting about this crap. – MR
- Are You Ready for the Risk of Mobile Malware? – This article on BankInfoSecurity is asking the completely wrong question. It doesn’t matter if you are ready or not. Either the risk exists or it doesn’t. Regardless, we have to assume that our users are going to continue to invest in mobile computing and we have to figure out a way to deal with securing those devices. Fortunately, there’s not a lot of mobile malware out there yet, largely because there isn’t a large enough footprint to warrant investing the time and effort when you can instead go after lower hanging fruit, like desktop browsers. But that will change soon enough. Wouldn’t it be nice to be ahead of the curve for a change? – DMort
- Prius Clouds – Websense announced their new “Triton” platform to combine their web, email, and DLP platforms, plus offer hybrid cloud/on-premise solutions (triton makes me think of irradiated gun sights for some reason). I’ll wait for some customer testing before I render an opinion on how well it works, but conceptually these models make a lot of sense for the mid-market. These days it doesn’t always make sense to pump all remote users and locations through a central pipe via VPN, so using the cloud to cover remote users and branch offices when you don’t want to install boxes seems pretty reasonable. But we are still in the early days, and when you are evaluating these approaches make sure you understand which policies work where, since all is not equal in the cloud. (Note, I’m a little out of it today, so I can’t think of a good stuck accelerator joke. Make up your own). – RM
- Marlboro Man Visits AppSec Land – Josh Corman is a big thinker. He, David Rice, and Jeff Williams posted a thought balloon about a concept called Rugged Software, ostensibly to appeal to the he-man developers out there. It’s a bunch of statements about what secure software should be. And it’s as yummy as blue skies and apple pie. Unfortunately it’s also irrelevant until there is a verifiable economic advantage for companies in supporting security software development. For what I’m hearing, it’s still pretty hard to make a buck selling tools to help companies build secure software and that’s not surprising. In this case, inertia is powerful and no amount of Marlboro Man positioning is going to change that in the short term. So I applaud the Rugged dudes. I look forward to saddling up and riding our horses off into the sunset… of continued insecure code. – MR
Reader interactions
9 Replies to “Incite 2/10/2010: Comfortably Numb”
Nice to know you can stir the pot, fish stew or what have you. And if writing isn’t to self-serve, why write? Spice is the variety of life, or it’s seasoning for the soup. Your choice, my choice and everybody’s choice thus making my point.
@smithwill
I’m not in the habit of wasting time as there are thousands of blogs out there and generally Securosis is the best. I have plenty of distraction and perspective, it’s not something I need in a blog I use solely as a tool for learning about security concepts, and following industry news / trends. I think you’re the one who’s lacking perspective, if you need to comment on a comment relating to a blog… there is life beyond fish/ing analogies and stirring up arguments on blogs – really. My comment was meant constructively (although, perhaps a little blunt) as a lot of blogs that cite ‘research’ and are meant to be informative go downhill due to self-serving authors. I accept what Rich says and have built a bridge (no, you cant fish, watch fish, cook fish, eat fish, touch fish or do anything fish related on it) and gotten over over quite a while ago now. I suggest you do the same :o)
“Is this REALLY necessary or relevant to security?” HOLY COW BELL! If two minutes of one’s life is so valuable that it’s wasted reading a “Sub-100%-SECURITY-FOCUSED BLOG POST”, then why are you in the IT Security business? A single event can consume HOURS and DAYS of one’s life! Distraction and perspective can go a long to build context and balance. Get some, Lawrence. It’s a blog.
Which prompts me to swerve into the IT Security Professional realm. There’s no CISSP in TEAM. I don’t deny anyone’s right to earn a living. I do take exception, however, to security professionals and industry groups that promote “giving a customer a fish”, versus teaching them to fish. This unholy act occurs every quarter during the year where said fish-giver anoints their humble flock, thusly “Thou art certified PCI secure and compliant, by holy verses 800-41 in the book of NIST.” In the professional fish-giving vernacular, it’s called “flocking the customer.”
Management is a process. Security is a sub-set, a facet, a sub-element of the bigger picture and overall IT/business management process. All the parts, human, machine and paper policies have to all mesh to achieve their intended purpose. Security, availability, productivity are one continuum, resources that help businesses do business better and more cost-effectively. I appreciate more than most what skilled IT professionals can make happen on a network thru melding disparate technologies. My beef, as in red meat offering of the day, is that all the latest-greatest security tools in-place DON’T MAKE A NETWORK SECURE!
To successfully manage, everyone needs to be on the same page: execs, admins, users all must understand the organizational goals, the function and purpose of the network, why it’s there and how it’s be used and then use it responsibly. Much can be accomplished when all the internal forces are pointing in the same direction. Fish-giving is temporary. It feeds only for the moment leaving one dependent on the fish-giver. I’m all for hiring a fishing guide when I go on a vacation, but I’m talking about feeding the business family needs now, daily!
It’s time that everyone stops complicating and bifurcating the technology fish market! Arrogance breeds ignorance and ignorance breeds arrogance, so let’s elevate management process to its proper place. Everyone can embrace security and acceptable use because they understand the importance and how it effects them, their co-workers and the entity that pays their wage.
Stop the IT sec whining and become part of the management solution. Remember, a fish rots from the head first. So either start sharing and teaching everyone to fish or get the flock outta here. Figuratively speaking 😉
@Lawrence
Okay, you get credit for citing Godwin’s law before we degraded to that point 🙂
We do appreciate the feedback and keep it coming.
To be honest- we purposely include some personal bits on the blog. Part of what we try and do differently here is open up more so people have a better idea of who they are reading/trusting. You’ll notice we have 2 specific places where we usually include the personal bite- the Incite and the Friday Summary. We structure it that way to make it easy to skip over it and get to the meat if you want (you probably notice that the way those posts are built it’s easy to scan past the introductions).
We mostly have positive feedback on this, but you also aren’t the first person to complain. We think our structure strikes a good balance, but you are always free to call us on it if you think we’re full of shit or losing focus. We do read (and post) all of that feedback and take it seriously.
@Mike
I’m not telling you what to write at all (**Ahem** **Godwin’s law**), in general I think the blogs are great and a must-read for security professionals. However, you do encourage criticism, and I don’t think writing about non-security pet peeves falls within the remit of a security blog. I find it slightly self-indulgent, and this particular post was really badly written. As an avid reader of the blogs I found it a bit annoying – maybe I should start a blog to document my feelings… or take Prozac to cheer-up and annoy you further. When a blog becomes more about the author than the content, I think it starts to get boring. I don’t know how anyone else feels about it… but I was invited to feedback, and did so thusly unto you.
Rich –
As to analyst exposure. I believe George Colony is the best ‘businessman’ in the research business. He recognizes that it is the Forrester brand that must be built up, not the analyst. If you recall there has always been a debate about whether an analyst’s name should appear on anything. The theory goes that if you do that, the analyst becomes the brand. Another aspect is that if a customer likes a particular analyst he may not buy or believe anything from others, conversely if a customer doesn’t like the analyst he wouldn’t buy anything with that analyst’s name on it.
Mike –
I think you might be considered a depression ‘carrier’. One who transmits the disease, but never contracts it.
Take care see you at RSA,
Larry
@lawrence, I’m glad you liked the piece. This is the kind of thing I talk about in the post. I could choose to get pissed about such an absurd comment. But I won’t, there is no point to that.
We do appreciate the contributions, feedback and opinion that our community shares with us. It makes our research better and that’s a good thing. But to be clear it’s our blog, and that means we get to choose what we write. Pet peeves, rants or anything else that strikes our fancy.
Now, you don’t have to read it. You have the power to click onto something else. But you certainly can’t tell me what to write.
@Adrian, LOL. Thanks for the link.
Coincidentally we’ll not be having a booth at RSA 2010 either. Money better spent elsewhere. *continue speculating about funeral* 😉
Re: Comfortably Numb
Is this REALLY necessary or relevant to security? I don