Making decisions is very hard for most people. Not for me. The Boss and I constantly discuss a single issue over and over again as she debates all aspects of a big decision. I try to be patient, but patience is, uh, not my forte. I know it’s her process and to rush that usually lands me a spot in the doghouse, but it’s still hard to understand. Decisions are easy for me. I do the work, look at the upside and downside, and make the call. Next.
I don’t look back either. When I make a decision, I’m pretty confident it’s the right thing to do at that point in time. That’s the key. Any decision any of us make at any time is presumably the best decision right then. 10 minutes or 10 years from now things will have changed. Things always change. The question is how much. Sometimes you’ll find your decisions are wrong. Actually, often your decisions are wrong. Yeah, it’s that human thing.
I’ve been known to weigh intuition higher than data in some decisions. Especially relative to my career choices. If it felt right, whatever that means, I would go for it. And I’ve been wrong in those choices, a lot. But I guess I come from the school that says it’s better to do stuff and screw up, than to not do anything – stuck in a cycle of analysis paralysis. I’m sure I’ll have regrets at some point, but it won’t be because I couldn’t make a decision.
It’s worth mentioning that I’m not opposed to revisiting a decision, but only if something has changed that affects my underlying assumptions. Lots of folks stew over a decision, poring over the same data over and over again, in an endless cycle of angst and second guessing. If the data doesn’t change, neither should the decision. But these folks figure that if they question themselves constantly for long enough, the decision will become easy. But often, they never achieve peace of mind. Gosh, that has to be hard.
I pay a lot more attention to the downside of any decision. In most cases, the worst case scenario is you upset someone or waste time and/or money. Obviously I want to avoid those outcomes where possible, but those are manageable downsides for me. So I don’t obsess over decisions. I make the decision and I move on. Second guessing isn’t productive.
Part of life is taking risks and adapting as needed. And cleaning up the inevitable mess when you are wrong. I’m okay with that.
-Mike
Photo credit: “Lose your sleep before your decision, not after it” originally uploaded by Scott McLeod
Incite 4 U
- Liar, liar, pants on fire: Any time I catch my kids telling me less than the truth, I break into the “Liar, liar” refrain over and over again. Yes, I look stupid, but they hate it even more, so it’s worth doing. One of the (former) Anonymous folks pretty much pinpoints the fundamental skill set of social engineering – lying. Okay, there is grey around lies, but ultimately that’s what it is. Does that make the ability to defend against lies any less important? Of course not. Nor am I judging folks who practice social engineering daily and professionally. But if it walks and quacks like a duck, you might as well call it a duck. – MR
- Misplaced confidence: There will be a lot written over the next weeks and months over the hack of the Certificate Authority DigiNotar, including a post I’m working on. But if you want to quickly learn a key lesson, check out these highlights from the investigation report – thanks to Ira Victor and the SANS forensics blog. No logging. Flat network. Unpatched Internet-facing systems. Total security fundamentals FAIL. Even better, they kept the breach hidden for a month. The breach probably happened many months earlier than their claimed date. Keep in mind this was a security infrastructure company. You know, the folks who are supposed to be providing a measure of trust on the Internet, and helping others secure themselves. Talk about making most of the mistakes in the book! And BTW – as I’ve said before I know for a fact other security companies have been breached in recent years and failed to disclose. How’s that for boosting consumer confidence? – RM
- They stole what?: When it come to breach notification laws, California has been at the forefront for more that a decade. Now California has updated its breach disclosure laws in order to disclose additional incident data. Most firms adhering to breach notification laws include so little information that the recipients of a breach notification have no clue what it means to them, nor what steps they need to take in order to protect themselves. Credit monitoring services are more of a red herring – and occasionally a devious revenue opportunity for breached companies to offset notification costs. So California Senate Bill 24 (SB-24) requires companies to include additional information on what happened, and explicitly state what type of data was leaked. Will it help? As usual, it depends on what the company decides to put in the letter, but I don’t have high hopes. Will security vendors be pitching monitoring software to aid companies in identifying what was stolen? Absolutely, but many firms’ legal teams will not be eager to have that data hanging around because it’s often a smoking gun, and they will choose ignorance over security to reduce liability. As they always do. – AL
- Ethics, hypocrisy, and certifications: You have to hand it to Jericho, one of the drivers of attrition.org. He puts the time in to build somewhat airtight cases, usually turning folks’ words against them in interesting ways. I wouldn’t want to take him on in a debate, that’s for sure. His recent post at Infosec Island, clearly pointing out the hypocrisy of the CISSP folks, is a hoot. As usual, you can find all sorts of cases of selective enforcement, but that’s no different than most other environments. It’s just rarely documented so clearly. I don’t have a CISSP, so I welcome their ethics complaints. I associate with known hackers, and they make me smarter. But I can see the value of a CISSP to folks trying to pass through the automated resume filters employed by big firms nowadays. Though I think a focus on certifications rather than skills is a root cause of today’s screwed-up state of security. – MR
- OAuth – What comes after a drumbeat? The rapidly accelerating OAuth drumbeat sees three releases: Ping Identity, Layer7, and Apigee, all go OAuth big time. For the many apps that need to connect identity, across cloud and mobile apps, OAuth is fast becoming the de facto standard, so it’s time to start figuring out when/how to integrate it into your environment. (h/t: Eve Maler) – Gunnar
- Please stop! The specter of “The APT” continues to loom large in the minds of security vendors desperately hoping potential customers will be frightened enough of something – anything – to buy right now. But APT is not an attack that can be defended against with any particular technological measure – APT represents determined attackers/adversaries, so FUD like this recent piece makes me want to hurl. Since when do we lump accidental data leaks and the insider threat in with APT? Outside government and select companies with intellectual property wanted by Chinese ‘students’ ‘the APT’, nobody mentions APT. We talk to dozens of firms every week and no one mentions it. Unless you work for a security vendor – then you talk about it every day, ad nauseaum. – AL
- vWar: A lot of the strategy days I have spent with vendors (both big and small) lately involve working on their cloud security plans. One consistent problem that keeps coming up is the inconsistency of VMware. I don’t mean the products, but VMWare’s changing approaches to security and their partner programs. “Hey, join our new API program”. “Oh wait – we bought someone and want to do it ourself, so no one else can join the club. But don’t worry, we’re opening a new club.” Call it growing pains, and Chris Hoff has a great post-VMWorld post on the situation. I can tell you most of the security vendors I work with are pretty uncertain of the longevity of their VMWare relationships, and would really like both some stability and assurances that they won’t get screwed again. – RM
- Everything is a seat belt: Let’s all congratulate Sourcefire, which this week entered the 21st century by starting a corporate blog. Kidding aside, there are some pretty smart fellows over there, so they should have some pretty good stuff to say. Like this post by Al Huger on having realistic expectations for anti-virus performance. The quote that resonated best with me is: “Your antivirus software is a seat belt – not a force field.” But let’s be clear: every control is a seat belt. You do your best to prevent bad things, but at the end of the day you need to plan for FAIL and compromise. I know, it’s broken record time again, but the single biggest requirement for any security program is a solid incident response plan. – MR
Reader interactions
2 Replies to “Incite 9/7/2011: Decisions, Decisions”
@Russ – Being behind on the awareness curve is a possibility. Most firms – large and small – don’t have a clear understanding of the threat vectors and the common tricks used by attackers to access data/IP. But with firms specifically being targeted by APT are aware of this fact. It’s likely been going on for two to three years. I also acknowledge there is some selection bias as most firms I speak with are not top targets – but here is why I am saying what I am saying: APT is a bad catch-phrase. Firms I have spoken with look at APT as leveraging the same threat vectors they already worry about – so APT signifies a heightened level of attacker determination. The response is _not_ to go buy a new product, but monitor what they have more closely, and have respond faster when something bad is happening.
As far as awareness goes, I am not sure. How do companies become aware of threats? Internal analysis, or is it from reading the news, or is it from their security vendors? With APT it’s quite often the U.S. government, or the log files that show thousands of probing events and basic attacks every hour. I think awareness of the threat is usually there. Budget, preparation, motivation and creativity to match that of the attacker is lacking.
-Adrian
Re Please Stop!
Dear Adrian,
While I believe one of the useful roles Securosis can play in the industry is to help turn down the hype on over-blown issues, in this particular case I’m not sure I agree with your conclusion. I spent a career in aviation safety, and found that what the average line pilot was talking about every day had nowhere near the amount of aviation safety content we as aviation safety advocates thought to be adequate (an example would be the extraneous cockpit conversation prior to the Colgan Air Flight 3407 crash in Buffalo). Could it be that the fact APTs is not brought up in your daily conversations with firms could be an indication of how far we have to go in creating a better awareness of red-flag situations?
Just a thought…
Thanks