September 2009 Archives

Hotel Showerheads

| 1 Comment | 1 TrackBack

If you've done a fair amount of traveling, then you've inevitably noticed the wide variety of showerheads in showers throughout the country (and possibly the world). For as simple as the function needs to be, it's remarkable to me just how complex some of these devices can be. There are now showerheads with a dozen or more variations available, which seems rather odd to me given that really all you want is a steady stream of water to soak you and rinse you when the time comes.

In thinking about this in the shower this morning, on the road yet again and wondering how to work the overly complex - and partially functioning - showerhead in front of me, it occurred to me that the security industry is often much like these showerheads. In many ways, we have a tendency to grossly overcomplicate things when we're failing at the most fundamental practices. This is not to say that we should throw away the tech that we have a revert to sticks, stones, and fires in front of offices, but it does seem to me that if we can't get the basics right, then what makes us think we can get anything else right?

Recent Reading (Books)

Nothing security-related, but for whatever reason I've been able to knock out four (4) books in the last few weeks (on top of my normal reading load). I like to read outside of the industry whenever possible as it provides a good mental break. As such, I polished off two works of fiction and two works of non-fiction. The four are: That Old Cape Magic by Richard Russo, The Color of Magic (the first Discworld book) by Terry Pratchett, The Guinea Pig Diaries by A.J. Jacobs, and Liberty and Tyranny by Mark R. Levin. Following is a quick summary of my thoughts on each book.

The Writing Funnel

| 1 Comment

A few people have complimented me this year on my writing, usually with a self-deprecating comment along the lines of "I could never do that." My response is to first thank people, but then to also speculate that "oh, I'm sure that's not true" - I'm sure they could in fact write just as well as me. The fact of the matter is that, while words come easily to me in many cases, it's not always a cake-walk. More importantly, for me writing is as much therapeutic as it is intended for communicating ideas.

Toward that end, I thought a few people might appreciate an expansion on my approach to writing, since I do firmly believe that others not only can write, but should write. The security industry, in particular, has a very small core that needs new ideas and commentary to keep it fresh and to help stimulate evolution. New voices help us find new ideas, which in turn lead to innovation.

Howdy! As of this morning, without warning or much in the way of explanation, I've found myself unemployed and in need of work ASAP. My resume is available here:

In a nutshell: I'm a high-level strategic security person, particularly adept at writing. I've tended to focus largely on "layer 8" concerns as of late (that is, the disconnect between people and their security needs), but also have deep experience in architecture, solutions, policies, compliance, and overall program organization and management. I'm published, have a MS in InfoSec Mgmt, CISSP, etc, and am an experienced speaker.

Location: I'm currently based in Phoenix, AZ, but we're open to moving. In particular, we have a strong interest in moving back east, such as to No. Virginia / DC metro. Given the circumstances, a bit more flexible in this area.

CIScon 2009 Summary

I had the honor and privilege of speaking at the Cyber InfoSec Conference in Helena, MT, last week. Overall, I had a great time. My own talks went very well, and I was somewhat surprised by the high caliber of speakers at what is, honestly, a small regional event (by design). This event is run by Brad "the Nurse" Smith, a fixture on the national speaking circuit, including being one of only a very few paid employees of the Black Hat conference in Vegas. He's been around for ages, knows a ton about the industry, and more importantly knows how to put on a high quality show at a reasonable price (which is perfect for the region).

Amazing and awesome news folks! My recent submission to The ISSA Journal - "Elasticity: Will your organization bend or break?" - was not only accepted for publication, but it has been published this month (September 2009) as the Feature Article. !!! I'm so incredibly grateful for the vote of confidence from ISSA and the Journal board for this great honor!!!

Please head over to the ISSA Journal page, where you can download the article for free. Members can view the entire September 2009 edition online, or will see it in their mailbox soon.

Enterprises often jump into risk assessment and mitigation (treatment) with both feet, but to what end? Just because an enterprise assesses and mitigates “risk” does not mean that a risk-tolerant program is in place. Bad data, poor communication, excessive reliance on technology, and bias all impact how elastic the enterprise will be when faced with pressure from increasing risks.

My Other Pages

Support Me

Support EFF

Bloggers' Rights at EFF

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10