For those of you with young kids, the best practice is to spend some time every day reading to them. so they learn to love books. When our kids were little, we dutifully did that, but once XX1 got proficient she would just read by herself. What did she need us for? She has inhaled hundreds of books, but none resonate like Harry Potter. She mowed through each Potter book in a matter of days, even the hefty ones at the end of the series. And she’s read each one multiple times. In fact, we had to remove the books from her room because she wasn’t reading anything else.

The Boss went over to the book store a while back and tried to get a bunch of other books to pique XX1’s interest. She ended up getting the Percy Jackson series, but XX1 wasn’t interested. It wasn’t Harry Potter or even Captain Underpants, so no sale. Not wanting to see a book go unread, I proceeded to mow through it and really liked it. And I knew XX1 would like it too, if she only gave it a chance. So the Boss and I got a bit more aggressive. She was going to read Percy Jackson, even if we had to bribe her. So we did, and she still didn’t. It was time for drastic measures. I decided that we’d read the book together.

The plan was that every night (that I was in town anyway), we would read a chapter of The Lightning Thief. That lasted for about three days. Not because I got sick of it, and not because she didn’t want to spend time with me. She’d just gotten into the book and then proceeded to inhale it. Which was fine by me because I already read it. We decided to tackle Book 2 in the series, the Sea of Monsters, together. We made it through three chapters, and then much to my chagrin she took the book to school and mowed through three more chapters. That was a problem because at this point, I was into the book as well. And I couldn’t have her way ahead of me – that wouldn’t work. So I mandated she could only read Percy Jackson with me. Yes, I’m a mean Dad.

For the past few weeks, every night we would mow through a chapter or two. We finished the second book last night. I do the reading, she asks some questions, and then at the end of the chapter we chat a bit. About my day, about her day, about whatever’s on her mind. Sitting with her is a bit like a KGB interview, without the spotlight in my face. She’s got a million questions. Like what classes I took in college and why I lived in the fraternity house. There’s a reason XX1 was named “most inquisitive” in kindergarten.

I really treasure my reading time with her. It’s great to be able to stop and just read. We focus on the adventures of Percy, not on all the crap I didn’t get done that day or how she dealt with the mean girl on the playground. Until we started actually talking, I didn’t realize how much I was missing by just swooping in right before bedtime, doing our prayer and then moving on to the next thing on my list.

I’m excited to start reading the next book in the series, and then something after that. At some point, I’m sure she’ll want to be IM’ing with her friends or catching up on homework as opposed to reading with me. But until then, I’ll take it. It’s become one of the best half hours of my day. Reading is clearly fundamental for kids, but there’s something to be said for its impact on parents too.

– Mike

Photo credits: “Parenting: Ready, Set, Go!” originally uploaded by Micah Taylor

Recent Securosis Posts

1. The Securosis 2010 Data Security Survey Report Rates the Top 5 Data Security Controls
2. Attend the Securosis/SearchSecurity Data Security Event on October 26
3. Proposed Internet Wiretapping Law Fundamentally Incompatible with Security
4. Government Pipe Dreams
5. Friday Summary: September 24, 2010
6. Monitoring up the Stack:
   • File Integrity Monitoring
   • DAM, Part 1
7. NSO Quant Posts
   • NSO Quant: Clarifying Metrics
   • NSO Quant: Manage Metrics – Signature Management
   • NSO Quant: Manage Metrics – Process Change Request and Test/Approve
   • NSO Quant: Manage Metrics – Deploy and Audit/Validate
   • NSO Quant: Manage Metrics – Monitor Issues/Tune IDS/IPS
   • NSO Quant: Health Metrics – Device Health
8. LiquidMatrix Security Briefing:
   • September 24

Incite 4 U

1. Stuxnet comes from deep pockets – I know it’s shocking, but we are getting more information about Stuxnet. Not just on the technical side, like this post by Gary McGraw on how it actually works. Clearly it’s targeting control systems and uses some pretty innovative tactics. So the conclusion emerging is that some kind of well-funded entity must be behind it. Let me award the “Inspector Clouseau” award for obvious conclusions. But I’m not sure it really matters who is behind the attack. We may as well blame the Chinese, since we blame them for everything. It really could have been anyone. Though it’s hard for me to see the benefit to a private enterprise or rich mogul of funding an effort like that. Of course we all have our speculations, but in the end let’s just accept that when there is a will there is a way for the attackers to break your stuff. And they will. – MR
2. Are breaches declining? – One of the most surprising results in our big data security survey is that more people report breaches declining than increasing. 46% of you told us your breaches are about the same this year over last, with 12% reporting a few more or many more, and 27% reporting a few less or many less. Rsnake noticed the same trend in the DataLossDB, and is a bit skeptical. While I know not all breaches are reported (in violation of various regulations), I think a few factors are at play. I do think security has improved in a fair few organizations, and PCI has actually helped. A dedicated attacker can still get through with enough time, but a lot of the low hanging fruit is gone. Of what’s left, many of them are so small that the breaches aren’t detected, because they don’t have the security resources in the first place, but they don’t lose enough data to draw attention. Finally, we’ve really reduced the number of losses due to lost tapes and laptops, which were two of the biggest categories in the DataLossDB. Your web apps may still be easy to hack, but they are less obvious than a lost or stolen laptop. – RM
3. SIEM climbing up the ladder… – Given the number and types of attacks on applications, clearly our defense mechanisms need to start understanding layer 7. In fact, a large part of our research on Understanding and Selecting an Enterprise Firewall focused on how these devices are becoming application aware. Now we are seeing folks like Q1 talk about being able to monitor applications with deep packet inspection (DPI – what, are we in 2003 here?). Nitro has been talking about application monitoring as well. I appreciate the additional data provided by application monitoring, especially once we figure out how to correlate that with infrastructure data. There is nothing bad about SIEM platforms looking at additional data types (that’s the focus of our Monitoring up the Stack series), but let’s not confuse application visibility with application control. SIEM is a backwards looking technology, so you need someone watching the alerts in order take action. It won’t happen by itself. – MR
4. It’s not how much, but on what… – How much should you spend on security? As much as you can, but less than you want to, right? The folks at Gartner surveyed a mess of end users and found the average of security spend is 5% of the total IT budget. Is that enough? No. Will it change? No. So the question is now how much should you spend, but what should you spend on? Of course, some percentage goes towards mature and entrenched controls regardless of efficacy (hello, firewall and AV) and a bunch goes to generating compliance documentation. But the real question is whether you are spending more than the bare minimum. We recommend you develop a few funding scenarios ahead of budget time. The first is what you really need to do the job. Yes, it’s too much. The second is what you need to have any chance. Without that much, you may as well look for another job because you can’t be successful. And then you have something in the middle, and hopefully you get close to that. – MR
5. Yes, another item on Stuxnet – I think we need to accept that Stuxnet is an example not only of what’s coming, but what’s happening. Based on some ongoing research, the only things surprising about Stuxnet are that it’s become so public, and that it doesn’t appear to come from China. Most large organizations in certain industries are fully penetrated on an ongoing basis by (sometimes advanced) malware used for international espionage. I’ve talked to too many people in both those organizations and response teams to believe that the problem is anything short of endemic. The AV firms have very limited insight into these tools, because the propagation is generally far more limited than Stuxnet. Yeah, it’s that bad, but it isn’t hopeless. But we do need to accept a certain level of penetration just as we accept certain levels of fraud and shrinkage in business security. – RM
6. Your successor will appreciate your efforts… – The fine folks at Forrester came out with a bunch of pontification at their recent conference. One was talking about this zero trust thing. Yeah, don’t trust insiders. That’s novel. But another that piqued my interest was the idea of a simple, two year plan for security program maturity. I actually like the idea, but they reality is 2 years is way too long. The average tenure of a CSO is 18 months or so. So a two year plan is folly. That said, there is nothing wrong with laying out a set of priorities for a multi-year timeframe. But you had better have incremental deliverables and focus on quick wins. I don’t want to pooh-pooh a programmatic approach – it’s essential. But we have to be very realistic about the amount of time you’ll have to execute on said program. And it ain’t two years. – MR