In 1972 I was in the south of France. I had eaten some bad fish and was in consequence rather ill. As I lay in bed I had a strange recurring vision: there, before me, was a concrete building like a hotel or council block. I could see into the rooms, each of which was continually scanned by an electronic eye. In the rooms were people, every one of them preoccupied. In one room a person was looking into a mirror and in another a couple were making love but lovelessly; in a third a composer was listening to music through earphones. Around him there were banks of electronic equipment. But all was silence. Like everyone in his place he had been neutralized, made gray and anonymous. The scene was for me one of ordered desolation. It was as if I were looking into a place which had no heart. Next day when I felt better, I went to the beach. As I sat there a poem came to me. It began ‘I am the proprietor of the Penguin Cafe. I will tell you things at random.’
Category Archives: Security
Does your company actually need a security department?
Gunnar Peterson prompted us yesterday in Dark Reading with this provocative question:
Does your company actually need a security department? If you are doing CYA instead of CIA, the answer is probably no
It’s easy to agree with Gunnar when you read his analysis, because he frames it as a false dichotomy.
Set up a choice between pointless policy wonks in management on one side and brilliant diamonds in engineering on the other, and it’s easy to make the choice he wants you to make. Choose diamonds, duh.
He does not explain, however, why security management should be seen as any more of a bureaucratic roadblock than any other management, the CEO included. Review has value. Strategy has value. Sometimes.
The issue he really raises is one of business management. Reviewers have to listen to staff and work together with builders to make themselves (and therefore the overall product/output) valuable. That is not a simple decision, let alone a binary one, and Gunnar doesn’t explain how to get the best of both worlds.
A similar line of thinking can be found by looking across all lines of management. I found recent discussion of the JAL recovery, for example, which addresses such issues, very insightful.
Note the title of the BBC article: “Beer with boss Kazuo Inamori helps Japan Airlines revival”
My simple philosophy is to make all the staff happy….not to make shareholders happy
Imagine grabbing a six-pack of beer, sitting down with engineering and talking about security strategy, performing a review together to make engineers happy. That probably would solve Gunnar’s concerns, right? Mix diamonds with beer and imagine the possibilities…
Inamori had interesting things to say about management’s hand in the financial crisis and risk failures in 2009, before he started the turnaround of JAL:
Top executives should manage their companies by earning reasonable profits through modesty, not arrogance, and taking care of employees, customers, business partners and all other stakeholders with a caring heart. I think it’s time for corporate CEOs of the capitalist society to be seriously questioned on whether they have these necessary qualities of leadership.
Gunnar says hold infosec managers accountable. Inamori says hold all managers accountable.
Only a few years later, JAL under Inamori’s lead surged ahead in profit and is now close to leading the airline industry. What did Inamori build? He reviewed, nay audited, everything in order to help others build a better company.
An interesting tangent to this issue is the shift in IT management practices precipitated by cloud. Infrastructure as a Service (IaaS) options will force some to question whether they really need administrators within their IT department. Software as a Service (SaaS) may make some ask the same of developers. Once administrators and developers are gone, where is security?
Those who choose a public cloud model and transition away from in-house resources now also face the question of whether they should pursue a similar option for their security department. Technical staff often wear multiple hats, including the security hat, but that option diminishes as cloud grows in influence and the staff who used to wear it are no longer in-house.
In fact, once admin and dev technical staff are augmented or supplanted by cloud, a security department to manage trust across those providers may be more necessary than ever. This is how the discrete need for a security department could in fact increase where none was perceived before; security as a service is becoming an interesting new development in cloud.
Bottom line: if you care about trust, whether you use shared staff or dedicated services, dedicated staff or shared services, you most likely need security. At the same time I agree with Gunnar that bad management is bad, so perhaps a simple solution is to build the budget to allow for a “beer” method of good security management.
I recommend an Audit Ale:
This style had all but disappeared by the 1970s, but originated in the 1400s to be consumed when grades were handed out at Oxford and Cambridge universities…. At 8 percent ABV, it has helped celebrate many a good “audit” or soften the blow of a bad one.
Alt Career Advice: Go Make Mistakes
When I was young I occasionally received advice from friends and family, often academics with colorful and distinguished careers, to drop out of the normal paths offered to me and instead find myself before I took a job.
One particular sunny summer afternoon at Kansas State, a tall, lanky anthropology professor named Harald, with wild gray hair and a tendency to get over-excited while speaking, looked me over and asked “now that you’ve graduated, what will you do with yourself?”
I forget how I answered. I am not sure I even had a chance to speak before his bright blue eyes grew wide, he sucked in a deep breath, wagged a finger and bellowed in a thick Dutch accent “you should go west to the ocean, jump on a ship as a deck-hand headed for New Zealand or Australia, and get a job working with sheep! Just be careful and make friends because if someone dislikes you they’ll throw you overboard and…”
The first thing that flashed in my mind was the irony of being told to chase my own dreams and then being given a dream to chase. I since have learned this is a clever management trick: “Bob, you’re in charge of this project. Now listen to me as I tell you how to run it.”
What Harald really meant, it soon occurred to me, was that I should use the time of my youth to explore, to discover, to make controlled mistakes, to recover and learn from them (recover being the operative word — don’t get thrown overboard). This seemed like age-old common advice and that is what I did. I would recommend the same to everyone.
This story came to mind when I read Moxie’s latest blog post. Although I found myself nodding my head a few times, he also said a few things about risk and judgement that I tend to disagree with.
More to come later…
Top Reasons to Move to Windows 8
I am no big fan of Windows. In case it isn’t clear from my site name, I really don’t wish Windows upon anyone. However, every time I read an article about reasons not to upgrade to Windows 8 I wonder if that writer has considered the risk of delay.
The logic for a Windows 8 upgrade is simple:
- If you have run Windows 7 for a while and do not have any problems, then do not upgrade. Wait. There are many more years of support for your system. Unless you really love the new UI, what reason do you really have to upgrade? I don’t see one. In fact, here’s a small reason not to install: app store systems, modeled on mobiles and Apple profits, are #$%@#$ng annoying on a PC. Try to install Microsoft’s own Skype in Windows 8, for example. You will be directed to register a new ID with Microsoft to download the app “easily”. I hate that kind of marketing. It’s so obviously false. The app store makes software installation artificially harder on a PC than just downloading from a trusted link. With a little digging you can still navigate to install a normal Windows 7-style “desktop” version of Skype in Windows 8 without creating a new ID and a new financial relationship, but that’s a pain. So if you don’t want to be mired in an app system designed for tiny touch-screen, keyboard-less devices…wait. A better compromise/interface will probably emerge.
- If you run a brand new copy of Windows 7 and are troubleshooting problems, or would like a very inexpensive support extension, then consider the $15 switch to Windows 8. It’s a simple business decision. Your OS will be supported longer with patches and updates at a nominal cost.
- And then here’s the bottom line if the previous two rules don’t apply to you: if you are running anything older than Windows 7, you should walk, no, run, to buy a copy of Windows 8 (despite the fact that shortened it becomes “W8”).
Given the above decision criteria, here are three reasons why W8 is great:
- Research time for the upgrade has been cut down significantly, and the upgrade is a risk assessment in disguise. W8 runs tests during the upgrade to tell you whether existing applications will work or not. This is not just so you can buy more software; it quietly doubles as an inventory and patch/vulnerability assessment of everything installed. A test I ran on an old system for a client uncovered a bunch of old programs in a template (Adobe Air, Acrobat) no one could account for. We gladly wiped those away and the upgrade paid for itself in this initial assessment phase alone. Anti-virus also was removed and replaced with the native Windows Defender. This kind of change must be factored into capital and labor estimates. You could save a bundle in support time by getting off old/unnecessary software.
- Although it is tempting to see every upgrade as a heftier, slower code base, it actually could be the reverse. You will put new life into old hardware if you move from Vista, for example. XP and Vista are known to slow down over time (e.g. registry bloat), so an upgrade to Windows 8 in my experience has given a huge performance boost to old systems, especially for multimedia applications. Note that the hardware requirements are not far from those for Vista, so this is really about killing Vista/XP. That being said, there is also a hardware assessment utility that will warn you if you do not have the resources required to upgrade (e.g. 2GB RAM for 64-bit).
- As Microsoft has publicly tried to defend itself, don’t get hung up on the start menu. Users have used other OS without start menus, so analysts should stop whining about it. Of course you can put the start menu back in W8 if you really can’t live without it. I grant that a change from W7 can be disruptive, yet look around at the other OS. It took me all of five minutes to retrain users to use the pop-up bar and sliders because they own other OS that have no start menu (e.g. someone show me a start menu on Apple OSX or Ubuntu Unity). W8 brings users up to speed with the UI they own at home, or that their friends/family own. It’s actually easier to cross-train when different OS are more similar. Except for a hardcore, dedicated start menu junky who wants to prune and manage their menu lists (if such a person exists), more experienced/advanced users already are used to, and expect, no start menu.
Also note that the upgrade process has a key verification step that is super annoying. If you get an error during upgrade that you have the wrong media for your key, you don’t have to download another copy of the media. Instead, modify the ei.cfg file in the media’s sources folder so its edition matches your key, as detailed by Microsoft, or use an ei.cfg (SKU) removal tool so setup stops pinning the media to one edition.
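The inventory that the W8 upgrade check performs for you can also be done by hand before you commit to any upgrade. The following PowerShell script is an added example, not code from the original post or from Microsoft: it reads the three Uninstall registry views (64-bit, 32-bit and per-user), flags anything on a watch list or not installed in years, and writes the whole list to CSV so there is a record of what was on the box before it was wiped. The watch list, the three-year cut-off and the output path are assumptions chosen for illustration.

```powershell
# Added example (not from the original post or from Microsoft): pre-upgrade
# software inventory. Enumerates the Uninstall keys the way Programs and
# Features does, flags entries that need an owner, and records everything
# to CSV. Watch list, staleness cut-off and output path are assumptions.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed watch list: plugins and runtimes that usually have no owner and
# a long patch history. Adjust for your own environment.
$watchList  = @('Adobe AIR', 'Adobe Reader', 'Acrobat', 'Java', 'QuickTime', 'Flash')
$staleYears = 3

$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        # InstallDate is stored as yyyyMMdd text, and only by some installers
        $installed = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }

        $flags = @()
        foreach ($w in $watchList) {
            if ($_.DisplayName -like "*$w*") { $flags += "watchlist:$w" }
        }
        if ($installed -and $installed -lt (Get-Date).AddYears(-$staleYears)) {
            $flags += "stale:$($installed.ToString('yyyy-MM-dd'))"
        }

        [pscustomobject]@{
            Name            = $_.DisplayName
            Version         = $_.DisplayVersion
            Publisher       = $_.Publisher
            InstallDate     = $installed
            UninstallString = $_.UninstallString
            Flags           = ($flags -join ';')
        }
    } | Sort-Object Name -Unique

# Full record for the change ticket (assumed output path)
$apps | Export-Csv -Path "$env:USERPROFILE\pre-upgrade-inventory.csv" -NoTypeInformation

# Only the entries somebody has to account for before the upgrade proceeds
$apps | Where-Object { $_.Flags } | Format-Table Name, Version, Publisher, Flags -AutoSize
```

Run it in an elevated PowerShell session on the system you are about to upgrade; the HKLM keys are readable by normal users, but the UninstallString values you may want to act on usually are not runnable without elevation. Entries with no InstallDate are not flagged as stale, so review the full CSV rather than trusting the short list alone.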
Incidentally, I have to bring up again why I criticized Apple for their single-user marketing nonsense; security does not fare well when product management has a one-user-one-device mentality. Apple ads always portray a single adult user looking at an iPad screen. Kudos to Microsoft for pictures like this one that hint at a more typical multi-user environment.

And all that being said, if you aren’t married to some application that requires the Microsoft OS or if you like the idea of getting off the Windows train, then really you should take a look at Linux.
Either way, please DO NOT stay on XP or Vista – Move to Windows 8 or Linux now. Don’t delay the W8 (pun intended).