Bruce Schneier would have us believe that security awareness training is pointless. People have inadequate incentive to change, and thus why waste the time, money, or energy? And, to a degree, he is certainly correct. The old-fashioned once-per-year computer-based training modules to which many (if not all) of us have been subjected are, in fact, completely worthless. After all, these training modules are a mere blip on the radar of one's life, with no foundation in reality, and making no meaningful impact on how we conduct our jobs.

However, that is not the state of practice in the industry. Or, more specifically, it's not the leading edge state of practice. Moreover, his comments ignore much that we know about approaches, learning styles, incentives, etc., based on research from the past few years.

Well well well... what a week! Sadly, I didn't make a single session (other than my own) due to poor time awareness (several times I realized I had just missed the session I'd been planning to see, derailing myself by being chatty... go figure!). Overall, this was one of the best RSA conferences I can recall over the last few years. I mean, it ended with Hugh interviewing Billy Beane... how could it be much better? :)

For everyone I saw in San Francisco last week - it was great seeing you! For those I missed... dreadfully sorry, and I hope we catch up at any of the many other events I'll be at later this year (e.g., Secure360, RMISC, MISTI "Big Data Security" conference). It has been a busy year thus far, and the pace will not be lessening anytime soon. Wheeeeeeeeee! ;)

I had the opportunity during RSA 2013 to interview Gen. Harry Raduege (ret.), who is currently Chairman for The Deloitte Center for Cyber Innovation. His full bio is available at the link provided. Among his many accomplishments, he was the longest-serving director of the Defense Information Systems Agency (DISA), including overseeing the restoration of ICT at the Pentagon in the wake of the 9/11 terrorist attacks.

And so it begins...


RSA 2013 is underway, with registered attendees wandering San Francisco with their badges on, showing perhaps a little less OPSEC awareness than is appropriate... billboards and taxis are adorned with infosec vendor advertising... BSidesSF has 1 day in the books... and the ABA InfoSec Committee has closed the books on yet another excellent annual pre-RSA meeting (I'll post separately on just how awesome this meeting was - and why you should get involved!:).

For those unfamiliar, the Monday of RSA week is about pre-conference workshops, seminars, etc. In the past few years, this day has become incredibly overcrowded with competing offerings, such as a huge Cloud Security Alliance full-day event, or this year's "Advancing Information Risk Management" half-day seminar. RSA also runs their "Innovation Sandbox" event where they showcase a handful of up-n-comers, and then they open the Expo floor with a big reception. Also, increasingly, Monday is becoming the secondary night of choice for vendor receptions as companies realize that trying to do anything on Wednesday night is just a bad idea, unless you're already well-established on that schedule.

Coming up later this week:

The conference gets started "officially" on Tuesday, with a string of vendor keynotes in the morning, and then actual track sessions starting in the afternoon. You can find me in the LAW track to start, moderating the "Hot Topics in InfoSec Law" panel for its Nth consecutive showing at the conference. The LAW track is sponsored by the ABA SciTech Section, and provides a unique perspective vs. the rest of the event. If you have any interest in law as it pertains to security and privacy, then we hope you'll join us!

Wednesday morning, bright and early, a handful (or maybe a bunch) of us will be heading out on a fun run around 7am. That seems a little crazy, especially given the hills around here, so hopefully we'll take a sensible track. :) You can then find me Wednesday afternoon co-presenting with Bill Burns of Netflix. This will be a very quick 20-minute session on the confluence of security and risk management within a true DevOps/NoOps environment, looking at how it works! :) This session is being reprised Thursday morning as a studio session, too.

Beyond that, I will be floating around between meetings, sessions, expo floor, etc. If you see me, please say hello! Oh, and btw, just to toot my own horn a little bit... I'm a "top-rated speaker" this year! :)

I'll try to post some updates during the week. In the meantime, if you're out here in San Francisco, have a good time and I hope to meet you all! If you're not here... have a good week, and maybe we'll see you out for RSA 2014! :)

Unless you were off-planet last week, you've probably heard about President Obama's latest Executive Order, directing various agencies to step up their game on "critical infrastructure" cyber security. As part of this directive, NIST will be building a new framework oriented toward critical infrastructure that will help document processes, standards, best practices, etc, etc, etc. Gah!

The 1980s called and they want their lousy idea back. The 1990s also called, but they just repeated the prior point. The 2000s called and said "What is this, the '80s?!"

If frameworks were going to get the job done, then the job would be done. If securing data and operations was really such a simple task, then we would not be having this conversation, nor would we be reading reports, like Mandiant's big "APT1" blow-out from yesterday (you know, the big shocker that revealed that China is, in fact, hacking everyone... ok, not a shocker... or even really news... since we pretty much already know all that, right?).

Newsflash: Just because you work in the "security" industry does not mean you "do" security. In fact, allow me to go a bit extreme and declare that none of you/us have ever "done security." It's simply a distortion of reality and misrepresentation of the facts to say or believe otherwise. Is this an old Schneier-esque point? Perhaps, to a degree... but...

Drop whatever it is you're reading and go read The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win. This short book will quickly change your perspective on a lot of things, not the least of which being the role and importance of IT within the greater context of business operations, as well as the imperative to more tightly align business priorities with operational risk management.

Go here for more information about the book.

Go here for a free 170-page excerpt of the book.

The book walks through "The Three Ways" as it describes a fictional company transitioning from a badly broken and dysfunctional old school IT and dev environment into a newer-than-new-school DevOps model. A sage guides the new IT director through this transition, with one of the big lessons in the end being the point that IT is so central to all business operations today (and forever more) that the COOs of the future will have to be extremely competent in technology operations, and may just come almost exclusively from an IT background (offset with business school training, or comparable).

It's hard to understate how well this book explains the concepts contained therein. It covers many of the topics that I've mentioned over the years on this blog, but the authors do a much better job explaining those ideas. Security, IT, and Dev should no longer exist as standalone silos, but should instead be all part of one cohesive, optimized unit designed to rapidly evolve and function with great agility.

I could go on, but will spare you... go read the book! :)

I've often remarked that perception is far more important than reality, as we see proved time and time again through public and political life. Perception is what leads people like Beyoncé Knowles to walk out to a large, hyped press conference - as happened yesterday - and ask that people rise while she sings the national anthem, all to prove the point that she knows the words and the tune (it seems there was some controversy related to her lip-syncing during the recent Presidential Inauguration).

One area where perception is incredibly important is with regards to risks and risk management. Specifically, we in developed countries tend to "overestimate rare risks and underestimate common ones" (as noted by Bruce Schneier today). We can see the effects of such mistuned risk perceptions in the hasty, ill-conceived passing of laws like the USA-PATRIOT Act and the standing of the TSA (all to address the perceived risk of terrorism, despite terrorist incidents being extremely rare, and the subsequent losses of civil liberties hardly justified by the alleged benefits). We similarly see mistuned risk perceptions at play in the current gun control debate, which has visually targeted semi-automatic rifles with certain stylistic characteristics, intentionally conflating them with military-grade fully automatic firearms.

A theme I've seen surface lately is this notion that "good enough isn't good enough." My response to this is quite simple: if what you're doing isn't commercially reasonable and legally defensible, then your notion of "good enough" is itself flawed. At the end of the day, businesses should be aiming for "good enough" insomuch as that means doing as much as is reasonable and appropriate without wasting resources.

I would submit that anybody who argues against aiming for "good enough" simply doesn't understand how business operates, nor do they truly understand risk management. Infosec is not some zero-sum game where we can magically defeat all threats, eliminate all vulnerabilities, and go home "winners." Rather, it's a journey, not a destination. Every day we have to account for new threats and new vulnerabilities. However, we should not be focusing exclusively or obsessively on them. Instead, we should be focusing on the business and what it values and has of value.

The Winter Doldrums


My apologies for the lack of consumable content of late. A combination of work, new baby, work, and... well... work have been keeping me otherwise occupied. Rest assured, I have a handful of posts started, but I've just not had the time (or energy) to make tracks on them. Soon, though! :)

Creative Commons License
This blog is licensed under a Creative Commons License.