As we get into late May it is getting to be summer in the ATL. The kids finish up school this week, the pools open, and my standard work attire consists of shorts, a T-shirt, and flip flops. The Boss is frantically getting the kids ready for camp, and we have a few family trips planned before they leave.

But first things first – this is the one week a year I won’t travel. It’s dance recital week. I used to be very diligent about not missing well check-ups with the pediatrician. But as the kids get older, especially the girls, it has become a bit awkward for me to be in the room. That’s a bit of a bummer, but I understand.

Recitals are something else. I’m sure I have mentioned it before, but the girls don’t dance in the most competitive studio. There is no Black Swan action here. No anorexic high schoolers trying to audition for the Bolshoi. It’s a bunch of girls (and a few brave boys) with a passion for dance, which shows during recitals. So I gladly reserve a week at home, regardless of how loudly duty calls, and I’ll be watching recitals on Monday, Tuesday, and Wednesday nights.

This has been an annual ritual for at least 8 years, and they all blur together. Lots of sparkles, sequins, and hair buns. Some ballet, modern, contemporary, tap, and even hip-hop. Each night they do maybe 25 routines. Seeing the 4 and 5 year olds go on stage brings back great memories. Seeing the seniors do their solos is a glimpse into the future. The studio just started a program with special needs kids, and it’s uplifting to see them get up on stage and dance as well. Limitations only exist in our minds, so it’s great to see kids up there held back by nothing but their own courage.

Monday night’s show featured XX2 in 6 routines. She’s in a very large group, so sometimes it’s hard to see her. But she shines up on the stage like a supernova. With a featured spot in one of the routines, you could see the performer in her. The artist. I have no idea what her future holds but she’ll be in front of people in some way, shape, or form. She’s just too comfortable on stage to not pursue that path.

Having gone for so many years, I have gained perspective into how the dancers grow – both physically and in skill. The munchies (little girls) have no idea what’s going on. They wave to the crowd and muddle through the routine, and they just have a lot of fun. At some point when they are no longer little girls, we watch the routines and go holy crap, these kids can dance. That moment happened for me this year when I got to the studio a little early a few weeks back and saw XX1 practicing her modern dance routine.

The last third of the routine I saw was beautiful. Their movements were graceful and fluid. They were in their element. It was all I could do not to tear up right there, seeing my girl and her friends blossom into dancers right in front of my eyes. I won’t see that routine live until Tuesday night (I write the Incite during the day Tuesday). I can’t wait.

They say parents enjoy the accomplishments of their kids a lot more than their own. I’m working on recognizing my achievements, but there is nothing like seeing your kids having fun, doing something they are passionate about. So I’ll keep going to the recitals (and tennis matches and lax games) as long as they play and perform. And for those couple hours time will stop. As it should.


Photo credit: “Melbourne Recital Centre” originally uploaded by Wojtek Gurak

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts, and Twitter timeline will all be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide back in February. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Understanding Role-based Access Control

NoSQL Security 2.0

Newly Published Papers

Incite 4 U

  1. It didn’t take long to commoditize threat intelligence: We have been writing for a while about threat intelligence – most recently about how TI fits into the security monitoring process. Next up on our research plans is a look at how TI can be leveraged in incident response (that series starts next week) and within network controls. It looks like Check Point is already there, announcing their ThreatCloud IntelliStore. Obviously product naming remains a strength over there. But it allows a customer to buy a bunch of threat intel feeds, already integrated into Check Point’s security gateways. RSA NetWitness has had a TI integration program for years (even before the RSA acquisition), and we have seen a bunch of other SIEM and product vendors setting up TI partner programs this year. Though I am not sure anyone else provides a one-stop shop – with pre-integration that is pretty cool. – MR
  2. Saving face: Fierce Retail is answering the wrong question when they say EMV migration won’t save retail. EMV will (mostly) address fraud from card cloning. It does not fix stupid – if you keep credit card and consumer data lying about, don’t be surprised when it’s stolen. But while many security pundits wax poetic about point-to-point encryption as the solution to this problem, that is not really going to happen. It does not address the business problem of how applications, databases, and data exchanges use the data. In reality it becomes “point to a jillion other points”, which defeats the purpose. Visa has the right idea: FPE or tokenization is what will make the difference, and more likely to “help save retail” is the embarrassment of breached credit card data. – AL
  3. From one CEO to another: I wrote about the demise of Target’s CEO and what that means for CISOs Monday. Other folks are jumping on that bandwagon to increase the urgency with which CEOs worry about security. Too bad it’s security company CEOs patting themselves on the backs and writing all sorts of bylines to their fellow CEOs to take security seriously. Which, of course, means they should talk to these companies and put cybersecurity training at the forefront of their strategic priorities. That’s definitely more important than fixing the distribution chain or getting the new product right before their competition mops the floor with them. Of course the competitors probably know all about the new products because they have been hacking into your company for years. <sarcasm>Maybe there is something to these CEO bylines.</sarcasm> – MR
  4. Sooper-strong ACME Encryption: Ever see a vendor market weak encryption? Admit that their encryption is sub-standard? Anyone? The SecurityOrb blog is touting the benefits of Strong Cloud Encryption as protection against the NSA, quoting Snowden saying “properly implemented strong crypto systems are one of the few things that you can rely on.” Blah blah blah. Most accepted encryption standards are strong, but that’s not the point. If your fear is the NSA, or any other state-sponsored organization bent on breaking into your files, you are likely too paranoid to put files in the cloud. Remember that encryption services, infrastructure, cloud provider employees, key management systems, and every other link in the chain may be compromised by subterfuge, with pressure and brute force applied (to individuals, organizations, and tools) by the NSA and everyone else with a budget or a gun. “Can the NSA break my crypto system?” is an extreme outlier use case – not a suitable yardstick for measuring the effectiveness of cryptosystems for the cloud. For most enterprises protecting data stored with a cloud service provider, standardized (i.e., strong) crypto systems are more than adequate. – AL
  5. The FUD is strong in this one: FierceCIO’s Data breach could cost you up to one-third of customers made me chuckle. You know what else could cost you a third of your customers? Raising your prices by 100%. That could do it. Maybe shutting down 1/3 of your stores? That could do it too. This nonsense was based on an Identity Finder survey by Javelin research, which definitively proved that 33% of consumers will shop elsewhere if their retailer of choice suffers a data breach. Uh, no. The actual data doesn’t come close to proving this. Go back to TJX and pretty much every other retailer that has been breached, and none of them lost a third of their customers. But hey, it makes a good headline. Some days marketing tactics just make me feel dirty. Looks like I’ll need a sandblaster to get that FUD off. – MR
  6. The absence of proof: NIST was called a puppet of the NSA during the Snowden revelations, placing the integrity of their encryption standards in doubt. To help ease fears, a panel of cryptographers will review the NIST encryption standards. Don’t expect any surprises – most of these standards passed multiple reviews before official acceptance. This is more a marketing exercise to restore faith in the standards, but anyone who seriously believes NIST compromised now-accepted encryption standards won’t believe these findings anyway. If and when the panel does find things, there will be no smoking gun from a crypto expert panel – they might find ‘peculiarities’ around functions or methods that are not fully understood. The bottom line is that NIST is in a bad position, and there is not much they can do to restore faith. – AL