Boy, Chris is all riled up over my criticism of Jericho.

Let me put this bad boy to bed, at least from my side. Chris missed the point of my last post, and my editor tells me it might be because of how I wrote it. Thus I’ll be a little clearer in this one.

To quickly recap, it seems that they’re ruffled at Jericho’s suggestion that the way in which we’ve approached securing our assets isn’t working and that instead of focusing on the symptoms by continuing to deploy boxes that don’t ultimately put us in the win column, we should solve the problem instead.

I’m not ruffled with that suggestion at all, agree completely. I just think they communicate it very poorly.

The threats aren’t the same. The attackers aren’t the same. Networks aren’t the same. The tools, philosophy and techniques we use to secure them can’t afford to be, either.

Agree completely. Look at pretty much everything I’ve ever published over the past 5-6 years. As a matter of fact, I’m doing my best to contribute actionable advice, models, and frameworks to manage these problems. Heck, I barely even talk about “traditional” network security since the world has moved on.

Go back to my original posts – when I criticize Jericho it’s over how they communicate and that they spend too much time stating the obvious, not that I disagree with our need to change.

Because we do need to change how we approach security. We don’t need to throw away everything we’ve done, but there’s a lot of new work we need to complete. Data security, application security, how we manage users, identity, and fundamentally how we define trust all need to evolve.

I’m with ya man, don’t put the wrong words in my mouth. I’m contributing in my own small way over here, and if you know people at Jericho I’m happy to work with them directly. If I can keep the irons to the fire I might have some new stuff to reveal this week.

Peace out.