Friday Summary: March 22, 2013, Rogue IT Edition
By Adrian Lane
What happened to the guru? The magician? The computer expert at your company who knew everything? I have worked at firms that had several who knew IT systems inside and out. They knew every quirky little trick of how applications worked and what made them fail, and they could tell you which page of the user manual discussed the exact feature you were interested in. If something went wrong you needed a guru, and with a couple of keystrokes they could fix just about anything. You knew a guru by their long hair, shabby dress, and the Star Trek paperback in their back pocket. And when you needed something technical done, you went to see them. That now seems like a distant memory. I have lately been hearing a steady stream of complaints from non-IT folks that IT does not respond to requests and does not seem to know how to get out of its own way.
Mike Rothman recently made a good point in The BYOD problem is what? BYOD is not a problem because it’s already here and is really useful. Big Data is the same. Somewhere along the line business began moving faster than IT could keep up. Users no longer learn about cool new technologies from IT. If you want a new Android or iPad for work, you don’t ask IT. You don’t ask them about “the cloud”. You don’t consult them about apps, websites, or even collecting credit card payments. In fact we do the opposite – we see what our friends have and what our kids are doing, Google what we need to know, and go do it! The end-run around IT is so pervasive that we have a term for it: Rogue IT. Have credit card, will purchase.
How did the most agile and technically progressive part of business become the laggard?
Several things caused it. High-quality seamless rollouts of complex software and hardware take lots of time. Compliance controls and reports are difficult to set up and manage. It takes time to set up identity and access management systems to gate who gets to access what. Oh, and did I mention security? When I ask enterprise IT staff and CISOs about adoption of IaaS services, the general answer is “NO!” – none of the controls, systems, and security measures they rely on are yet fully vetted, or they simply do not work well enough. The list goes on. Technologies are changing faster than they can be deployed into controlled environments. Their problems are not just a simple download away from being addressed, and no trip to the Apple Store will solve them.
It’s fascinating to watch the struggle as several disruptive technologies genuinely disrupt technology management.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s DR paper: Security Implications Of Big Data.
- Rich quoted on Watering Hole Attacks.
- Gunnar’s DR Post: Your Password Is The Crappiest Identity Your Kid Will Ever See.
Favorite Securosis Posts
- Mike Rothman & Adrian Lane: When Bad Tech Journalism Gets Worse. Totally ridiculous. The downside of page view whores in all its glory. Certainly wouldn’t want a fact to get in the way of the story…
Other Securosis Posts
- Services are a startup’s friend.
- New Paper: Email-based Threat Intelligence.
- Who comes up with this stuff?
- The World’s Most Targeted Critical Infrastructure.
- DHS raises the deflector shields.
- Incite 3/20/2013: Falling down.
- If you don’t know where you’re going…
- When Bad Tech Journalism Gets Worse.
- The Right Guy; the Wrong Crime.
- New Job Diligence.
- Preparation Yields Results.
- The Dangerous Dance of Product Reviews.
- Limit Yourself, Not Your Kids – Friday Summary: March 15, 2013.
- Ramping up the ‘Cyber’ Rhetoric.
Favorite Outside Posts
- Adrian Lane: Firefox Cookie-Block Is The First Step Toward A Better Tomorrow.
- Mike Rothman: Indicators of Impact. Kudos to Russell Thomas for floating an idea balloon trying to assess the impact of a breach. I’ll do a more thorough analysis over the next week or so, but it’s a discussion we as an industry need to have.
Project Quant Posts
- Email-based Threat Intelligence: To Catch a Phish.
- Network-based Threat Intelligence: Searching for the Smoking Gun.
- Understanding and Selecting a Key Management Solution.
- Building an Early Warning System.
- Implementing and Managing Patch and Configuration Management.
- Defending Against Denial of Service (DoS) Attacks.
- Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
- Tokenization vs. Encryption: Options for Compliance.
Top News and Posts
- Critical updates for Apple TV and iOS available
- Ring of Bitcoins: Why Your Digital Wallet Belongs On Your Finger
- Subway Hit By The Ultimate Cyberthief Inside Job: A Double-Insider. Two opportunities to vet – both failed.
- Cisco switches to weaker hashing scheme, passwords cracked wide open
- Why You Shouldn’t Give Retailers Your ZIP Code
- Microsoft, Too, Says FBI Secretly Surveilling Its Customers
- The World Has No Room For Cowards. Krebs ‘SWATted’ in case you missed it.
- On Security Awareness Training
- Spy Agencies to Get Access to U.S. Bank Transactions Database
Blog Comment of the Week
This week’s best comment goes to Dwayne Melancon, in response to New Job Diligence.
Good advice, Mike. Surprised at how many people don’t look before they leap. If you apply some of your own “social engineering for personal gain” to this, you can avoid a lot of pain. Mining LinkedIn is a great shortcut, assuming the company you’re investigating has a decent presence there.
Not only can you talk with specific people (including the ones who’ve left, as you mentioned), you can get a feel for whether there is a mass exodus going on. If there is, it can be a sign of a) opportunity, b) Hell, or c) both.
But at least you know what you’re getting into.