FUD and Other Sales Errors

Security product testing criteria have always struck me as quite odd.  Why *just* focus on the product or even the vendor financials?  I mean, the product is wrapped up in a sales cycle, a marketing program and sometimes, an entire belief system.  Then there is the on-going relationship...

Vince Tuesday has been around the block.  He's heard what you have to say, my dear vendor.  He knows your script; in fact, he's probably reading ahead.  The sad truth is you already lost his attention 5 minutes into your sales pitch.  He did briefly perk up as you enthusiastically sprayed your enthusiasm towards him - but this was merely to avoid getting his suit wet.  As you posture to impress him, he's figuring out whether to eat the leftover Chinese food for lunch or go down the pub.  He's already decided if he's going to take you up on your offer of lunch.  Sharing food does not mean you are any closer to a deal.  It merely means he is more likely to fall asleep when you insist on using up more of his precious time by ordering dessert as a tactic to "keep him in play".

Vince makes purchasing decisions that sales people would die for.  But to get to the sale, the path is narrow...and winding as you'll see below.  Thanks Vince - I owe you a beer!

By Vince Tuesday

I am a security manager with a secret identity, Vince Tuesday. He comes out when I have things to say that would be inappropriate under my work identity. You may also know him as a 2003 East Coast Region ASBPE Silver award winner for “The Strange Case of the Phantom Intruder”, no? You surprise me. When KingCloud (as I like to call Craig) approached me about FUD I dithered, but the promise of international fame and fortune was hard to resist, so I’d like to talk to you today about more than just FUD (although FUD will be a part of it). I’m going to do a top ten of “Things I never want to hear from my vendor”. It may be that when I get into the flow I go beyond 10…

  1. "You can write your own templates/scripting language"

     Not only great for your professional sales organisation, but I can also extend my vendor lock-in by forcing all my team to learn your stupid re-invention of perl/bash, and better yet you can hide behind the fact that you haven’t incorporated decent features by claiming I can add my own. I can even pay extra for training from you – so be sure to change the scripts on a regular basis so you can make that a recurring revenue stream. Also, when you release the new version of the product, make sure my scripts stop working and don’t dare give me things like import/export and change control.

  2. “We wrote our own crypto”

     Sure, you did an MSc from some European country, maybe you even read “Applied Crypto”, you might even own the Brucie action figure – what could possibly go wrong? I’m sure there is no reason that the solution to every software problem from a security point of view (see Gunnar Peterson’s excellent critique) is Network Firewall and SSL. Why would we like SSL? Sure, it has problems, but they get fixed. Your own implementation is never going to have any problems, and even better, if there were, then you’ll never know and never fix them – fewer patches, love it! Better yet are those security products that don’t even include authentication or confidentiality in their own connections and therefore add security risk to the environment. That kind of stuff is just hard to configure and adds overhead, doesn’t it? No better way to convince me your security tool is a must-have than if it lacks any security over the features it offers.

  3. “Sorry, we forgot to encrypt the laptop”

     Along with not bothering to embed security features in your security product, it is even better when security vendors and consultancies don’t take security seriously in their work and own infrastructure. I’ve found vendors with my staff and clients’ personal data stored in their environment without full disk encryption on their laptops, and thank goodness – no pesky keys to protect if you don’t bother to encrypt. Also it would be a waste of time to have some modicum of physical security for your office and your data centres – you’ve a mission to spread the knowledge of your product to the world, so what better way than having my data stolen and published? It’s like cheap advertising, no?

  4. “We have a great console”

     When start-ups build in their environment they make a nice whizzy front end that they use for a few minutes on a local network link to the back end and with a small set of test data from a few endpoint systems. In our enterprise environments we have WAN links between desktops and back end, sometimes over satellite from remote areas; we have hundreds of admins, hundreds of thousands of endpoints and terabytes of data flowing through our systems. We also have hundreds of security systems to integrate and limited analyst time in the SOC. So I’m dying for a new front end that I can’t integrate with my existing management framework and toolset – then I’d never see your badly rendered pie charts that I can’t cut and paste into my other reports.

  5. “The front-end is web based”

     Oh great, slow Java pages that don’t load and work properly on the ancient version of IE we get on our desktops. Lovely.

  6. “The front-end is thick client”

     Oh great, a patching and update nightmare that also means I get some painful licensing and DR site version errors and have to pay extra to get the client packaged and deployed. I’m an easy customer to make happy, aren’t I?

  7. “It's in the cloud”

     Thank goodness, because if you hadn’t mentioned cloud I might have forgotten it is 2009. Either you are using this as a marketing buzzword, in which case well done for firmly sitting on that bandwagon, or you are not building out your own data centre so you can respond to demands of growth – you’re probably using mains electricity and have an office near public transit – why not include that in your sales pitch as well?

  8. “It has an alerting tool for the desktop”

     If I thought having a management client for my desktop wasn’t enough of a thrill ride, then I definitely want an alerting system – something proprietary and heavyweight, or extremely configurable like a hard-coded email address (and just one, why waste time supporting multiple addresses?) in every endpoint for where the alerts are forwarded. Don’t worry about throttling or summary – I love getting 9000 emails/minute when your system has a hiccup, as it provides a useful replacement for your failure to include a heartbeat in the communications protocols.

  9. It works via "secret sauce" or "magic"

     That reassures me that they don’t waste valuable time and money training pre-sales staff to actually understand or be able to communicate the details of the product. Why would I want that? If you did that and your sales team had integrity, you might actually tell me when the product wasn’t a good fit rather than sell me any old nonsense, and then where would your IPO be?

  10. "The next version will support that."

     Good, let me give you my money for all the things it doesn’t do; in fact, why not show me the same 5 year roadmap for 2 years running but just slip the start date each time? That convinces me to invest exactly as much in your product as you are, and saves you the time and thought of bothering with a decent plan.

  11. "Dave at XXX is one of our reference sites"

     Wicked. When I do buy your product I’m going to be keen to be a reference site – to feed my own ego and try to convince more suckers to deploy it so I look like a visionary (call it twisted skin in the game) – so I enjoy knowing that you bandy your highly confidential client contact details to entirely un-validated prospects.

  12. "Here is a picture of our head office"

     I bet your VCs loved having this in their pitch, and it certainly makes exactly as much sense to show me the picture of the outside of a managed office in a business park. You may be very proud of your move out of your carport or your ability to search on google images, but with only 20 slides you’ll definitely not get closer to a close if you tell me about the product, so better to show me stuff I just don’t care about but that looks pretty.

  13. "Here are our key clients and customers.”

     I love a page of badly cut'n'paste logos, mostly at web quality dpi so they look ugly, and old versions that break brand guidelines as much as anyone. A particular pleasure is when people pitch with our own logo on the page; sure, we are a big company, but you’ve got to be gutsy to attempt to get us to pay for your licenses twice – let’s face it, if I’m going to buy, it’s all going to be because you spent a long time on the graphic design and look and feel of that page, isn’t it?

  14. "It has no CPU impact"

     It’s great to come with a hardware upgrade, but isn’t that going to be expensive to deploy? Oh hang on, what you are really saying is “we don’t bother doing stress tests in a range of circumstances to be able to give you meaningful capacity planning information, as you might realise it’s a bloated pile of crap that doesn’t scale beyond 5 users if we published anything like that”. I agree the other wording is better.

  15. "It automatically updates"

     Great, I do enjoy troubleshooting problems on a Monday mid-morning at peak business hours because all your agents decided to use some insane Hawaiian time zone to schedule their updates. And change control is for companies who don’t really bother with availability, isn’t it?

  16. "It doesn't automatically update"

     Marvellous, I do love a steadily increasing TCO based on dedicated teams of people packaging and deploying new versions containing features I don’t want but some big prospect in Japan wanted. For bonus points make sure old agents don’t work with new central servers, so I have to do a big bang high risk upgrade or add gaps in coverage if I want up to date versions. Also great to have updates work only from scratch, so I have to uninstall the old version and install from scratch and lose all my configuration and customisation work each time.

  17. “No, I don’t think it is covered by any export restrictions”

     Yes, I’m certain your intuitive grasp of State Department rules and regulations is spot on, because they are instinctive and clear, and spending any time or money understanding them and making your product workable isn’t going to be helpful to a global buyer.

  18. “Let me do a demo…I just need unfiltered, broadband connectivity right now”

     Absolutely, I’m going to allow you to connect your ropey laptop to my corporate network, and thanks for not bothering to tell me so I could have got you a wifi guest login, or god forbid you bother to set up a WebEx demo or bring a 3G card rather than make it my problem for you to be able to do the demo.

  19. "It's common criteria/ITSec certified"

     Spiffy, I do enjoy it when you meet some outdated self-defined model rather than actual business needs. Also good to spend your limited funds with certification agencies to chase a government market rather than add features and improve the product. Even better for you to have a strong incentive not to issue substantial security updates to your product because they would invalidate your certification.

  20. "It can log everything"

     Just make sure you do it in your own proprietary format and ensure all the logging is done locally; we all need to drive a bigger security market, so everyone needs to do their bit for log aggregation tools. Also make it so you spread alerts over several lines and change the headers of your data layout between versions. I don’t have any desire to automate this stuff; my SOC teams can’t get enough of this as it really uses their skills in the right way.

  21. "It has a very granular access control database so you can control exactly which menu items each user can see"

     Brilliant, more professional services, I can see your IPO going better and better, I am visionary to have selected your product. Just make sure you don’t add any sensible roles, so everyone gets to be admin under a shared account. And as a large enterprise I don’t have enough different stores of user credentials, so don’t integrate with any of them. I want a whole new username and password and a system of groups. Who wants all their eggs in one basket?

  22. "It scales without limit"

     I’m glad the laws of physics and 60 years of IT experience don’t apply to your product. Clearly you tested it on 1, 2 and 3 users, so proof by induction means it scales without limit, and make sure you confuse “XXX company was stupid enough to buy a 100,000 user license that now sits on a shelf” with “XXX company has 100,000 users using it”.

  23. "Company X has tested it and found no security holes"

     You paid someone to say it was brilliant, and they did. That _was_ money well spent. There is nothing as independent as paying someone to say you are lovely; might I suggest you get your mother to test it next time, as she’ll be cheaper and I bet she thinks it is really secure as well. Even better if you save money by picking a name of someone I’ve never heard of, or go for a big name but a very limited scope so it comes with so many caveats that the testing is worthless.

  24. "We ran a contest to show it was hack proof"

     Even better if you make the prize a pile of gold or don’t pay the people who win the contest. I like your gutsy approach of either a) nobody breaks in, as organised crime thinks it can get more out of exploiting your product in live, or b) some script kiddie owns you entirely and then you have to whine on about how they didn’t follow the rules – because attackers are always following the rules!

  25. "It solves/prevents problem X"

     Yep, you are actually selling a combined magic beans/silver bullet that will also make coffee. Nothing convinces me you are a well researched and sensible sales organisation like convincing me it will solve a problem it can’t. PGP ran some great ads about how important full disk encryption at border crossings was after customs accessed data on disks. The fact that the customs agents have the legal right to demand the keys doesn’t make that advert bizarre at all. A nice 20/20 hindsight variety is "If only so-and-so had had it then <big bad thing> wouldn't have happened!"

  26. "It fixes HIPAA/Sox/BASEL II"

     All the better if I’m not in healthcare/a listed company/a regulatory capital regime. And won’t it be great for me to look down my nose at those companies hiring hundreds or thousands of compliance staff and running holistic programmes across technology and the business, when all I needed to do was buy your one niche security product – cost saving!

  27. "It's much better than product Y"

     I love it when you competition bash, because clearly your product has many great bits if you spend your time trash-talking other products. Nothing adds to your credibility like having worked for product Y's company and only a few weeks ago trying to sell that to me.

  28. "Do you like Golf?"

     Now we are stepping towards the inducement and bribe approach to selling product, nice. It’s not like I’m well paid and successful, so a day of golf is more than enough to make me change my mind and risk my integrity and job. I was going to make a joke about a certain company here, but I actually don’t even want to risk my integrity and job for a joke.

  29. "Vince, Vince, blah, Vince"/ NLP

     It is true that people who trust each other use their first names more frequently in conversation; however, you’ve delightfully confused symptom with root cause, and I love your cargo cult-style approach of repeating the symptoms in the hope of reaching the cause. Add a little mirroring of my body language and we’ll build so much rapport that I’ll pile my entire budget into your in-tray.

What is your no. 30? Add it in the comments below.
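The "alerting tool for the desktop" complaint above names two things a sensible alert path needs and a bad one lacks: throttling with a summary, so a hiccup produces one notification instead of 9000 emails a minute, and a heartbeat, so a silent endpoint is noticed rather than assumed healthy. As an added example, not code from the original post or from any vendor it mentions, here is a small Python alert sink that forwards the first few alerts per agent in a fixed window, rolls the rest into one summary line, and reports agents whose heartbeat has gone quiet. Agent names, timestamps, messages and thresholds are all constructed for the demo.

```python
"""Added example, not code from the original post: an alert sink that
throttles a burst of endpoint alerts into a summary and notices when an
agent's heartbeat goes quiet. Agent names, timestamps and thresholds are
constructed for the demo; event times are assumed to arrive in order."""
from collections import Counter, defaultdict


class AlertSink:
    """Forwards at most `max_per_window` alerts per agent per fixed window,
    rolls the rest into one summary line, and tracks per-agent heartbeats."""

    def __init__(self, max_per_window=3, window_s=60, heartbeat_timeout_s=120):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.heartbeat_timeout_s = heartbeat_timeout_s
        self.window_start = None                 # start time of the current window
        self.forwarded = Counter()               # agent -> alerts sent verbatim this window
        self.suppressed = defaultdict(Counter)   # agent -> message -> count held back
        self.last_heartbeat = {}                 # agent -> time of last heartbeat
        self.out = []                            # notifications that would reach the operator

    def _advance(self, ts):
        # Roll the window forward to cover ts, flushing each completed window.
        if self.window_start is None:
            self.window_start = ts
        while ts >= self.window_start + self.window_s:
            self._flush_window()
            self.window_start += self.window_s

    def _flush_window(self):
        # One summary per agent instead of one message per suppressed alert.
        for agent, msgs in sorted(self.suppressed.items()):
            total = sum(msgs.values())
            message, count = msgs.most_common(1)[0]
            self.out.append(f"SUMMARY {agent}: {total} alerts suppressed in "
                            f"{self.window_s}s window; most common: {message!r} x{count}")
        self.suppressed.clear()
        self.forwarded.clear()

    def alert(self, ts, agent, message):
        self._advance(ts)
        if self.forwarded[agent] < self.max_per_window:
            self.forwarded[agent] += 1
            self.out.append(f"ALERT {agent}: {message}")
        else:
            self.suppressed[agent][message] += 1

    def heartbeat(self, ts, agent):
        self._advance(ts)
        self.last_heartbeat[agent] = ts

    def check_heartbeats(self, now):
        # Silence is itself an alert: the agent may be dead, not merely quiet.
        self._advance(now)
        silent = [agent for agent, seen in sorted(self.last_heartbeat.items())
                  if now - seen > self.heartbeat_timeout_s]
        for agent in silent:
            self.out.append(f"HEARTBEAT MISSING {agent}: last seen "
                            f"{now - self.last_heartbeat[agent]:.0f}s ago")
        return silent

    def close(self):
        # Flush the final, partial window and hand back everything emitted.
        self._flush_window()
        return self.out


def run_demo():
    """Constructed scenario: ws-001 hiccups, fires 9000 identical alerts in one
    second and then stops heartbeating; ws-002 behaves normally."""
    sink = AlertSink(max_per_window=3, window_s=60, heartbeat_timeout_s=120)
    sink.heartbeat(0, "ws-001")
    sink.heartbeat(0, "ws-002")
    sink.alert(5, "ws-002", "disk 90% full")
    for i in range(9000):                        # the 9000-alerts-a-minute hiccup
        sink.alert(10 + i / 9000, "ws-001", "agent restart: config reload failed")
    sink.heartbeat(60, "ws-002")                 # ws-002 keeps reporting in
    sink.alert(65, "ws-002", "disk 90% full")    # a new window: forwarded again
    sink.heartbeat(120, "ws-002")
    sink.heartbeat(180, "ws-002")
    sink.check_heartbeats(200)                   # ws-001 has been silent 200s
    return sink.close()


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The demo's 9000-alert burst turns into three forwarded alerts and one summary line, and the agent that stopped heartbeating is reported on its own line, so the operator sees seven notifications rather than nine thousand. The window is keyed on event time, so the same class works on replayed logs as well as live feeds.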

FUD Just Feels Right

When you need to get things "in", "on time"...what tactics do you employ and where did they come from?  When you present to decision makers, how do you frame your request for the pot of gold?

I came across Ewout a few years back on a course in preparation for a popular certification.  He'd paid for it himself and consequently he was getting stuck in, challenging some of the not-so-great material on the course (in a blunt, yet respectful way).  Initially, I rolled my eyes - "this course will never finish" I thought.  Anyway, a few coffee break discussions later and I was joining in.  We somehow managed to suspend our Infosec belief system just enough to convince the people reviewing our test papers that we "got their religion".  Anyway, we've been good friends ever since.  It gives me great pleasure to share a "Mokum joint" with you.  Thanks Ewout!

FUD Just Feels Right [Or how the FUD card was created by the end user and since we couldn't beat them, we joined them.]

By Ewout Meij

My first assignment as a coder, done while still a teen in a programming language that was already old by then, was to decipher barcodes stuck on carts entering and leaving the company's delivery platform to keep inventory of said carts. There was just one single user of the application. All he had to do was check the inventory and enter a cart number by hand if it had bypassed the scanners somehow without being registered.

The reading of the serial data was simple, the requested totals were even simpler. What took me three weeks to complete was the user interface.

Since 'my office' [think of an empty box floating in a giant hall, formerly used as storage for… crap] was right above the work floor I just had to jump down to show my latest incarnation of the interface and get feedback from my user. This proved more cumbersome than I ever imagined. I am not a certified Asperger unlike most of my buddies, but dealing with the ever changing requirements and wish list of my sole user ground my productivity to a halt.

Bigger letters, larger numbers, fewer options ["Maximal 2 and not 3 items in the list please"], an amber not green monochrome screen, a clicking keyboard with larger keys: the requests for changes were endless and I would respect each and every one of them. The customer was my senior in age, like 3 times; on IT literacy I was his to the third power.

One day my boss [there were no managers at the time, they were bosses and owned your ass 120 hours a week if they so pleased] walks in, asks me with a smug smile about the progress of the junior's assignment, and I told him about the logic being up and running for weeks, but the interface issues I was having.

Long story short: next day there was a 16 year old behind the amber screen with one of the first incarnations of my application front end.

This introduction to the awesome powers of the IT wizard shocked me, for all I had faced until that moment was the magic of turning human readable code into pure binary. What I liked so much about hacking for fun and profit was the fact that the box would do exactly what I did, mistakes and surprises included. The spillover from the confined, well-known, trusted, reliable, "turn on and off-able" world to real life was unprecedented and unforeseen.

Loads of water under the bridge since, but what has actually changed?

I dropped the “security” part as a description of what I do as I got bored with explaining the exclusivity, availability & integrity trinity; now I call my current role “site reliability engineer” as it better fits the underlying desire of the companies I work for. It boils down to the same old, same old, but it gives me a nice platform to reiterate the importance of all aspects and not just focus on the exclusivity aspect. As a freelancer I face a plethora of issues, companies & people. 9 out of 10 times the intake conversation goes something like "We have an issue with product X and need you to solve it. Get it done!" What happens next is that for a couple of hours, days or weeks even, I'll be given a guided tour through the organization and try to get acquainted with the problem at hand. Very soon the nice technical issue will turn out to be an inter-departmental process challenge more than anything else. Long time operator|department X|Y|Z will not accept change A|B|C and thus resorts to pure guerrilla tactics, with a dash of artillery, to prevent change A|B|C from being successfully implemented.

The tricks are basically the same: make it take too long, come up with endless prerequisites, show another far away department's form does not fit the new requirements or call in sick 'at the right' moment.

Here is where not 'we', but the 'user' is playing the FUD card. They've done this since day one, and we are so accustomed to the procedure and its inherent effectiveness that there was no other option than to use it too. But does it work as well?

As reliability professionals, part of our job is to come up with metrics for FUD. We show tons of events being generated and… forgotten about. We show intriguing scans of systems, clever IP ranges & routes. We come up with 'simple' solutions to stop XSS, buffer overflows, DOS and try to make the decision makers listen and pay for what we come up with. Multiple Internet gateways, DMZs, proxies, scanners, redundant paths, enforced paths, black hole routers, IDS, firewalls, endpoint isolation, private IP space and duty segregation. I have done presentations, enthusiastically explaining 'man in the browser' attacks against a particular bank to people so alienated from society, they had a stylist visit me a couple of days before the planned presentation to make sure I looked the professional they expected to see.

With all the tools & smart tricks that we have at our disposal it is no surprise that a frequently asked question is: "If we let you do this, when will you be here again asking for more?" The famous "Security is not a project, but a state of mind" line does not cut it in that case. It feels like you're asking for a blank check, something not too many boards of directors are happy to hand out to people who do not have a handicap in golf.

In situations like these only the money oriented approach will swing the doubters over. Get a couple of 'verifiable metrics', divide & multiply, pinch in some climate-gate trickery and show the result to be positive in one form or another. But will it make your customer safer in the real world?

For each and every hurdle we put in place, a detour will be found. Example? We have been issuing identification papers for hundreds of years and make them more and more fraud resistant. What does Mr. Foo do? He hacks the issuing process.

FUD is something we all use, abuse and understand, and it is a Good Thing™ as long as it motivates action and does not lead to submission.

Liberate Yourself: Change The Game To Suit Your Needs

I'm very pleased to have Rocky as this week's "Fudsec Friday" guest.  I've had the pleasure of meeting Rocky in a business context.  I quickly came to appreciate he is one of the minority: an information security professional providing true insight and solutions based on real world experience of what works.  To put it simply, Rocky "gets it".  If you read just one blog post today, read this one.  Thanks Rocky!

By Rocky DeStefano

Recently, I was fortunate enough to have the opportunity to listen in on a speech from General Hayden (former Director of the NSA and CIA, in addition to his service as a four star general in the US Air Force).  This man has executed at a level most of us only see through fiction writers and movies, and he has done so for 30+ years.  I provide that backdrop only to say that when General Hayden speaks, I not only listen, I listen intently and replay his words and overall sentiment in my head very carefully.  What he said at this event was encapsulated very well by Richard Bejtlich in this blog post, so I won’t go into all the areas described in this post.  In short, General Hayden’s speech sparked some long-dormant thought in my feeble brain.  His thoughts energized me to refocus my thoughts and actions to go beyond the day-to-day struggles we constantly fight.  I was stuck in a rut and didn’t even realize it.

In order to navigate our world and interact with it and one another, we as humans had to learn to fly, we had to learn to navigate the oceans, and we had to learn to overcome distances and difficult terrain, by creating solutions to work with the landscape.   We’ve done something quite unique though: we created a new terrain and new domain.  The domain we’ve created is fundamentally different while at the same time it is every bit as tangible as the natural domains we exist in.  The difference is that this information domain is of human ingenuity and therefore, in addition to building tools to work within the landscape, we can actually alter the landscape as we see it.  This information domain also exists separately as its own entity and as such evolves at a rate much different than the physical domains.  Perhaps most importantly this information domain evolves, dies or otherwise is influenced based on our human interactions.  It is moldable.  Sure, I can agree that humans might affect the temperature of the planet every few thousand years by a fraction of a degree, but we can fundamentally change our information domain on a daily basis if we choose to.   Think about it: we all know that, it isn’t new, but at the same time it’s quite liberating to think about the fact that we can change the entire game to suit our needs, versus playing by rules we can’t change or, worse yet, playing in an environment that highlights the strengths of our adversary.

As this domain has evolved we have set in motion a series of evolutionary steps based on tactical requirements without really having a strategic plan for where it should be headed.  We made decisions along the way that were necessary to get us past a hurdle, but without much rational thought about the impact.  To put it simply, there is no city planning going on.  We’re continually developing “solutions” to meet short term needs.  Granted these are real needs, no question, but who is providing the strategic vision of how our decisions will affect how we interact in the future?  For far too long we have applied “fixes” that fit the bounds of the information domain as it exists today.  It is time to start looking at how we can transform the domain itself to more appropriately suit our needs moving forward.  I’m convinced we are in the very earliest of stages in the evolution (perhaps on the doorstep of revolution) with regard to this domain, but unlike evolution on the natural plane this domain can’t and won’t change itself; we must act to influence it to better meet our needs.

Much to my own amusement I see this domain much like a scene from a kids' movie - when Jafar is transformed into a genie in Disney’s Aladdin and he boasts something like “The Power, The absolute Power, The universe is mine to command, to control, to create” - and we get it without the constraint of living in a bottle.  The constraints that apply only exist in our minds and actions.  We need to get out of the mindset of applying protection techniques based on physical realms and focus on evolving the entire environment to better suit our needs moving forward.

I’m certain as we start this dialogue that more fundamental aspects will arise – which is exactly what I hope to elicit from this dialogue – but here is where my current thought process has led me to consider with regards to how to step out of our box and move our eyes towards the horizon.  I’ve bundled my thoughts into a few categories: leadership, research and information sharing.   I’m sure your thoughts will help us all to refine this into much more!

Leadership

I’ve come to realize that there is no one coming to save us from ourselves here.  No government czar, compliance initiative, nor vendor product suite is going to pave the way.   Homeland Security, NSA, Military, Congress, The White House – they’ll all continue to play their part, but let’s be honest here, they have not and should not drive the overall thought process here.  We must all define how we choose to exist in this domain.

Certainly we should encourage government and legal involvement along the way so that they can contribute as appropriate.  In the end the government should be involved to enable us to succeed in this domain, not to define how it should be crafted – at least not without our agreement.  Yet we await the announcement of the almighty czar… it’s crazy.  I believe that we can lead from right here, wherever here happens to be.  There are dozens of examples, but I chose just a few to highlight some of the decisions we’ve made and how we can start making better ones moving forward.

1. Information Security Leadership.
  We need to start pushing back at all levels here.  It’s my opinion that businesses need to care much less about being compliant and more about being fundamentally secure – or, if you prefer, having better visibility into real risk.  Risk to the mission, risk to the business, not the risk to an asset.  We continue to create irrelevant measurements – irrelevant because they are point in time, against a less-than-secure model and on a playing field that is skewed towards the success of our adversary.

As information security professionals how on earth did we let the primary financial driver for security spending be compliance initiatives?  We sold our souls because we lacked the knowledge of the business and how to apply what we do in a meaningful way to the business.  We let compliance initiatives that promised “measurable” results have their way because we thought we could tag along for the ride and implement best possible solutions given the situation. As I see it we are no better off for this and now our teams have either competing agendas or more work to drive us away from protecting our organizations. Sure we’ve created some “building codes” but do “point in time” snapshots matter anymore when the attacker can mold his approach on a whim?

Partners and vendors play a critical role in helping us reach our goals; they should also play a role in the thought leadership moving forward. Product and solution vendors have done a great job in developing solutions to meet our defined needs along the way as we’ve evolved in our usage of information systems.  We’ve all witnessed some seriously cool steps forward over the last 15-20 years, but recently many of those solutions have been evolutionary in nature, not necessarily innovative, and more and more they are band-aid fixes for problems we’ve encountered or realized.

Don’t get me wrong it is a very necessary evolution, but we’ve hit a point that we need to start thinking about long-term health and welfare of how we interact as humans.  We need to find ways to encourage that vendor thought leadership onto a larger more strategic problem-set.  I would encourage those customer facing people with consulting and/or vendor organizations to take a very basic consultative approach on a daily basis: listen to your customer’s actual needs, not always what they state as a need (PCI Compliance, etc) but to the goals they are really trying to solve and communicate those findings inwardly to your organization (and in general terms externally to the community).  The more inputs for this information stream the more refined the thought process can be.  You can’t imagine the amount of information that some of these folks have in their heads they just haven’t been heard appropriately.   

To those that manage consultants - please encourage your staff to listen and enable meaningful communications, in fact I would challenge you to incentive your staff to provide this input.  Give them the opportunity to buy in to more than just a single technology, but into solving a much greater problem.  This may mean some major internal change in thought about how to approach management of teams, customer engagements, support, product development, etc – that’s exactly the point – we need to learn to listen better to the larger picture and not the point in time snapshot.   

Those were two very basic examples of how we can lead from wherever we sit in the organization; there are literally thousands of other examples out there.   I hope you can see that I’m suggesting leadership by example: you can still enable the business using these techniques, you just have to get past “the way it’s been done”. 

2. A key component in moving forward has to be a dedicated focus on Research and Development.  I mean significant investment in R&D on a national and international scale, information sharing about current and proposed strategies across industries, etc.  We need to be pushing our employers, VCs and governments into broader research initiatives.  We need an innovation revolution at this point, not just evolutionary point solutions. 

There are some very recent initiatives that show promise, like Northrop Grumman’s announcement that it is sponsoring cybersecurity research in conjunction with Carnegie Mellon University, the Massachusetts Institute of Technology and Purdue University.

If you will, think of these research opportunities as a form of health care for our future. I don’t care how it’s justified, but we need to act in support of efforts like this in every way we can, perhaps by offering state or federal tax credits.  Certainly I can agree that we need to watch spending, and as such we should pay for performance, but we need to encourage strategic innovation rather than tactical evolution (band-aids).  Investment in long-term strategy has been anemic at the federal level.  We’ll spend millions on studying the effect of gnat bites on mouse nuts, but we haven’t found the stomach to pay for the ability to comprehend where we’re headed as a species as it relates to communications, business and everyday life. 

3. Perhaps the most immediate thing we can influence is better information sharing.  We need to start thinking about how we can change the IT domain into something that allows for a level playing field.   The old adage “the enemy of my enemy is my friend” applies very well here.  It’s ridiculous to think that our teams are better off not talking with industry competitors about defensive strategies. The other side is free to share, adapt and overcome as they see fit, yet we tie our own hands, ask for beatings and hope they don’t hurt too much.  I’m really not into S&M.  I’d rather retake control. How about you?

A few good examples to learn from already exist: the Defense Industrial Base (DIB) has an information-sharing program around APT (Advanced Persistent Threat) detection profiles, and workshops like SANS “What Works” or the IANS Summits are a great beginning to this conversation. In reality, though, they are very limited in reach and only relevant at a point in time.  We need to develop more daily interaction at a deeper level.

Summary:  I’m in no way suggesting I’m intelligent enough to have all the answers, or even to have fully described the problems. I’m simply stating that we need to elevate our thinking, invest in the thought process and commit to the information sharing required to make the decisions necessary to shape our own destiny.  As I see it, we must all act on the relevant fronts (leadership, research, information sharing, others?) to better comprehend the changes ahead and position ourselves to make the changes necessary in the future.  That’s my starting point. How will you enhance the conversation?
 
Disclaimer:
The opinions expressed here are my personal opinions. My views and opinions are subject to change based on the input I consume and the analysis I apply to those inputs.  Content published here is neither read nor approved in advance by my employer and does not necessarily reflect the views and opinions of my employer.