By Adrian Lane:

I learned something from the e10+ session during RSA. Usually it’s my least favorite event but this year was different – it was most favorite, and not just because Rich and Mike were instrumental in putting it together. The consumerization presentation was really informative – the audience responses surprised me – but the breach victim “fireside chat” was awesome. The only way we could mimic the human stress angle in a preparedness drill is to set part of your office on fire during a press conference, or taze IT personnel as they rummage through logs. Don’t discount the stress factor in breach planning.

Around the time of the RSA conference I have had a few discussions with VCs about technology acquisition. We discussed market trends, total market revenue estimates, sales opportunities, how products should be sold, and what changes in the ‘go-to-market’ strategy were needed to turn the company around. At the end of the day, the investment was a non-starter. Not because of the market, or the value of the technology, but because of the level of trust in the management team. They simply got “a bad feeling” they could not overcome. People not trusting people.

I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. I admit the first time I swung by Fortinet’s booth was to see the Ferrari. Sure, it was an unapologetic lure. And it worked. I even took a photo, I was so impressed with the beauty of its engineering.

Nice, huh?

It’s too easy to be dispassionate about security, especially when talking about cryptography or key management. Heck, I have seen presentations on social engineering that had the sex appeal of paint brushes. How many of you have seen the “blinky light phenomena”, where buyers prefer hardware over software because there was a very cool looking (read: tangible) representation of their investment? But security users – or should I say security buyers – are motivated by human factors like everyone else. Too many CTOs I speak with talk about what we should be doing in security, or the right way to solve security problems. They fail to empathize with IT guys who are trying to get multiple jobs done without much fanfare. And many of them don’t want to talk about it – they want to get out of their cubicles for a day, walk around some shiny cars, have someone listen to their security issues and bring some tchochkes back to their desks. Human behavior is not just an exploit vector – it’s also part of the solution space.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

  • Rich: How’s that secrecy working out? The bad guys talk. We don’t. Guess who has the advantage?
  • Dave Lewis: Researchers find MYSTERY programming language in Duqu Trojan. It shows both skill and dedication to create your own language to write malware. But why? Anti-reverse engineering? Sounds spook-y!
  • Mike Rothman: Heartland 2011. Gunnar revisits the impact of the breach Heartland’s on business operations. Some folks will use this as proof that a high-profile breach is nothing but brief event. Heartland clearly responded effectively and got their business back on a nice growth path. But don’t make the mistake that correlation = causation. It’s a data point, nothing more nor less.
  • Adrian Lane: The Ruby/GitHub hack: translated. The only lucid discussion of the GitHub incident I’ve seen, and a nice breakdown of the issue.

Project Quant Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Zac, in response to Burnout.

Nice post, it applies in may areas of life.

I experience chronic headaches and migraines… which can be quite the strain. Last night while playing an online game with my wife she remarks “are you always this upbeat?!?”. The thing is, I have to be because the other choice is to just give up and find a way to die.

Like the point you make in your article, everyone will hit “the wall” eventually. This wall may be professional or personal – sometimes both. The question is for all: can we overcome this wall?

I think that there is far too much negative stigma attached to not being able to overcome the walls we hit. Just as we don’t “hold it against” the paraplegic for not being able to use the stairs we shouldn’t hold it against the person that can’t overcome a particular “wall” that they don’t have the skills or ability to cope with.

However, they should be encouraged to excel where possible, to find the best fit of their skills – ideally were this will also help them overcome that endeavor’s wall. After all, without such there would never have been the Paralympics.

For those that have no choice but to deal with their walls we need to give them help – even when they don’t want it. Help them professionally. Help them personally. Help them because sometimes there just isn’t any other alternative for them.

Burning out or hitting a wall happens and as you say none of us are immune. All we can do is decide how we will respond and how we will help others respond.