As you get older time seems to move faster. There may be something to these theories of Einstein. It’s hard to believe that yesterday was July 1. That means half of 2014 is in the rear view mirror. HALF. That’s unbelievable to me. Time is flying at the speed of light. I look at the list of things I wanted to do and it’s still largely unfinished. I did a bunch of things I didn’t expect to be doing. Though I guess that’s always the case.

Back when I was flying solo at Security Incite, I would revisit my trends for the year and see what I got right and what not so much. We don’t do formal trends, though we do post our ideas for the coming year in our RSA Guide. We don’t really go back and check on those, so maybe I’ll do that over winter break. But right now, there is other work to be done.

You see we are all in the maelstrom. It has been a crazy 6 months. The business keeps increasing in scale. We don’t. So it’s been sleep that fell off my table. I’m holding up pretty well, if I do say so myself. Maybe there is something to this healthy mindful lifestyle I’m working toward.

Though I’m very cognizant of the fact these are first world problems. And on a relative basis, things probably couldn’t be going much better. Not while allowing us the flexibility we have running our own business. And no, I’m definitely not looking for sympathy that I’m working with great clients, doing cool projects. That my research agenda, which candidly was pretty opportunistic, turned out to be pretty close to what’s happening. That 5 years in, our clients know what we do and how we do it, and continue to come back for more. These are good problems to have. It’s a good gig, and we all know it and are very thankful.

But there is always that little voice in the back of my head. That little reminder that what goes up, eventually comes down. I have been around too long to think I have figured out how to suspend the laws of physics. That Einstein guy again! Bah! To be clear, I’m not doing this in a fearful or paranoid way. It’s not about me being scared that something will go wrong. It’s about wanting to be ready when it does. So I let my unconscious mind churn through the scenarios. While meditating I will indulge my internal planner for a short time to make sure I know how to respond.

And then I let it go. The good news is this doesn’t consume me – not in the least. I’m not naive, so I know you need to assess all the possibilities. But I don’t assess them for long. I mean who has time for that?


Photo credit: “Speed of Light” originally uploaded by John Talbot

The fine folks at the RSA Conference posted the talk Jennifer Minella and I gave on mindfulness at the conference this year. Take an hour and check it out on YouTube. Your emails, alerts, and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Endpoint Security Management Buyer’s Guide (Update)

Trends in Data Centric Security

Open Source Development and Application Security Analysis

Understanding Role-based Access Control

NoSQL Security 2.0

Newly Published Papers

Incite 4 U

  1. Sell yourself: Epic post by Dave Elfering about the need to sell. Everyone sells. No matter what you do you are selling. In the CISO context you are selling your program and your leadership. As Dave says, “To truly lead and be effective people have to be sold on you; on what and who you are.” Truth. If your team (both upstream / senior management and downstream / security team) isn’t sold on you, you can’t deliver news they need to hear. And you’ll be delivering that news a lot – you are in security, right? That post just keeps getting better because it discusses the reality of leading. You need to know yourself. You need to be yourself. More wisdom: “Credentials and mad technical skills are great, but they’re not who you are. Titles are great, but they’re not who you are. Who you are is what you truly have to sell and the leader who instead relies on Machiavellian methods to self-serving ends is an empty suit.” If you can’t be authentic you can’t lead. Well said, Dave. – MR
  2. Security pin-up: Australia plans a rollout of PIN (Personal Identification Number) codes for credit and debit card transactions later this year. The Australian payment processors association’s current report shows total card fraud rates have doubled between 2008 and 2013. While the dollar amount per case has dropped (good), the total number of fraudulent transactions doubled (not good) – that’s what automation will do for you! On the RSA blog Richard Booth discusses the rollout, contrasting it with the UK’s adoption of PIN codes a few years back. And the UK has shown PIN for POS offers better security as it’s the very definition of two-factor authentication. But what it does not do is impact Card Not Present (CNP) fraud rates (on-line shopping) which is growing the fastest. PINs don’t impact CNP fraud because you cannot (and should not) use a PIN for transactions. The card brands have yet to find a method which does not decrease sales faster than it decreases fraud. So I guess ignoring the problem is the right approach… – AL
  3. Nearly half? Uh, no… You gotta love sensationalist marketing and the unwitting reporters who just regurgitate skewed numbers. Do you believe 41% of organizations globally suffered a DDoS attack? That’s what ZDNet is reporting based on a BT-commissioned survey. Maybe it’s because I write, but the words matter. And with tens of millions of companies globally, there is no way 40% of them got blasted. If we’re just making up numbers now, let’s say a majority of companies don’t even have a website, so it’s hard to see that all the remainder got DDoSed last year. Maybe 40% of the respondents got hit. I’d believe that. But 40% of organizations globally? NFW. So check your words, reporters. You come off as a buffoon when you don’t. – MR
  4. Encryption peace offering: Good post on the Vormetric blog regarding international use of personal data, and what that means for cloud and Internet providers. Data security and privacy are already a key impediment to cloud adoption, and that’s just when companies understand their local cloud security responsibilities. Include multi-jurisdictional issues when moving data around, and most firms are not even sure what rules apply, much less how to comply. This will get harder before it gets easier. The German government canceling their contract with Verizon telecommunications and ruling against Google on privacy policy signals one nation’s intent for data security – be it cloud, Internet, or telecomm. Other countries are sure to follow. Sure, you’re probably thinking that all the other service providers are equally pwned by the NSA, so why bother? But that’s not the point. If the spying case prompted Germany to take action with partners, it is likely to affect new German legislation as well. It’s obvious that rules over privacy, data collection, and data custodianship will become more stringent in coming years – forcing all software and service providers to provide better security if they want to do business in these countries, anyway. For example, Microsoft enabling webmail encryption is less about “better security” than a signal to foreign business partners and customers that they can be trusted. – AL