As you get older time seems to move faster. There may be something to these theories of Einstein. It’s hard to believe that yesterday was July 1. That means half of 2014 is in the rear view mirror. HALF. That’s unbelievable to me. Time is flying at the speed of light. I look at the list of things I wanted to do and it’s still largely unfinished. I did a bunch of things I didn’t expect to be doing. Though I guess that’s always the case.
Back when I was flying solo at Security Incite, I would revisit my trends for the year and see what I got right and what not so much. We don’t do formal trends, though we do post our ideas for the coming year in our RSA Guide. We don’t really go back and check on those, so maybe I’ll do that over winter break. But right now, there is other work to be done.
You see, we are all in the maelstrom. It has been a crazy 6 months. The business keeps increasing in scale. We don’t. So it’s been sleep that fell off my table. I’m holding up pretty well, if I do say so myself. Maybe there is something to this healthy, mindful lifestyle I’m working toward.
Though I’m very cognizant of the fact that these are first world problems. And on a relative basis, things probably couldn’t be going much better, not while still allowing us the flexibility we have running our own business. And no, I’m definitely not looking for sympathy for working with great clients and doing cool projects. That my research agenda, which candidly was pretty opportunistic, turned out to be pretty close to what’s happening. That 5 years in, our clients know what we do and how we do it, and continue to come back for me. These are good problems to have. It’s a good gig, and we all know it and are very thankful.
But there is always that little voice in the back of my head. That little reminder that what goes up, eventually comes down. I have been around too long to think I have figured out how to suspend the laws of physics. That Einstein guy again! Bah! To be clear, I’m not doing this in a fearful or paranoid way. It’s not about me being scared that something will go wrong. It’s about wanting to be ready when it does. So I let my unconscious mind churn through the scenarios. While meditating I will indulge my internal planner for a short time to make sure I know how to respond.
And then I let it go. The good news is this doesn’t consume me – not in the least. I’m not naive, so I know you need to assess all the possibilities. But I don’t assess them for long. I mean who has time for that?
Photo credit: “Speed of Light” originally uploaded by John Talbot
The fine folks at the RSA Conference posted the talk Jennifer Minella and I gave on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts, and Twitter timeline will be there when you get back.
Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.
- June 30 – G Who Shall Not Be Named
- June 17 – Apple and Privacy
- May 19 – Wanted Posters and SleepyCon
- May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling
- May 5 – There Is No SecDevOps
- April 28 – The Verizon DBIR
- April 14 – Three for Five
- March 24 – The End of Full Disclosure
- March 19 – An Irish Wake
- March 11 – RSA Postmortem
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.
- Endpoint Security Management Buyer’s Guide (Update)
- Trends in Data Centric Security
- Open Source Development and Application Security Analysis
- Understanding Role-based Access Control
- NoSQL Security 2.0
Newly Published Papers
- Advanced Endpoint and Server Protection
- Defending Against Network-based DDoS Attacks
- Reducing Attack Surface with Application Control
- Leveraging Threat Intelligence in Security Monitoring
- The Future of Security
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7
- Eliminating Surprises with Security Assurance and Testing
Incite 4 U
- Sell yourself: Epic post by Dave Elfering about the need to sell. Everyone sells. No matter what you do you are selling. In the CISO context you are selling your program and your leadership. As Dave says, “To truly lead and be effective people have to be sold on you; on what and who you are.” Truth. If your team (both upstream / senior management and downstream / security team) isn’t sold on you, you can’t deliver news they need to hear. And you’ll be delivering that news a lot – you are in security, right? That post just keeps getting better because it discusses the reality of leading. You need to know yourself. You need to be yourself. More wisdom: “Credentials and mad technical skills are great, but they’re not who you are. Titles are great, but they’re not who you are. Who you are is what you truly have to sell and the leader who instead relies on Machiavellian methods to self-serving ends is an empty suit.” If you can’t be authentic you can’t lead. Well said, Dave. – MR
- Security pin-up: Australia plans a rollout of PIN (Personal Identification Number) codes for credit and debit card transactions later this year. The Australian payment processors association’s current report shows total card fraud rates doubled between 2008 and 2013. While the dollar amount per case has dropped (good), the total number of fraudulent transactions doubled (not good) – that’s what automation will do for you! On the RSA blog Richard Booth discusses the rollout, contrasting it with the UK’s adoption of PIN codes a few years back. And the UK experience has shown that PIN at the point of sale offers better security: something you have (the card) plus something you know (the PIN) is the very definition of two-factor authentication. But what it does not do is affect Card Not Present (CNP) fraud rates (online shopping), which is the fastest-growing category. PINs don’t affect CNP fraud because you cannot (and should not) enter a PIN for a card-not-present transaction. The card brands have yet to find a method which does not decrease sales faster than it decreases fraud. So I guess ignoring the problem is the right approach… – AL
- Nearly half? Uh, no… You gotta love sensationalist marketing and the unwitting reporters who just regurgitate skewed numbers. Do you believe 41% of organizations globally suffered a DDoS attack? That’s what ZDNet is reporting, based on a BT-commissioned survey. Maybe it’s because I write, but the words matter. And with tens of millions of companies globally, there is no way 40% of them got blasted. If we’re just making up numbers now, let’s say a majority of companies don’t even have a website; it’s hard to see how nearly all of the remainder got DDoSed last year. Maybe 40% of the respondents got hit. I’d believe that. But 40% of organizations globally? NFW. So check your words, reporters. You come off as a buffoon when you don’t. – MR