Showing posts with label Martin McKeay. Show all posts

Monday, June 16, 2008

Lessons Learned, and those to thank (or blame)

Many things have changed for me in the past couple of years, much of it because of lessons I have learned from others. Below are a few folks I have learned from and want to thank for their enlightenment. Note that I won't mention what I learned from each, or even when (a few lessons may not have been intentional) because that doesn't really matter, I just want to say "Thank You" to them. In no particular order:

Chris Brogan- people will tell you that Chris is intelligent, articulate, friendly, helpful, insightful, sharing, and on and on. All the gushing over this guy might be a bit much- if it weren't all true.

Jennifer Leggio, aka Mediaphyter- I've only known Jennifer for about six months, and watching her work is amazing. Her ability to "connect the dots" on a dizzying array of levels is amazing and eye-opening.

Critt Jarvis- I have never "clicked" with someone at work the way I did while working with Critt. We often handed each other pieces of a puzzle before the other knew they needed it. Amazing, actually. Thanks, and get out of my head.

Martin McKeay- Content, Community, Identity. I could say a lot more about Martin, but I'll leave it at: he creates content and builds community, and he's Martin. Which is pretty cool.

Chris Hoff- Is really smart. "Stop it now, Hoff, my head's gonna explode" kind of smart. You can't help but learn from him, and he's a great guy to be around- but I can't imagine trying to keep up with him for any length of time.

The list is far from comprehensive, there are certainly others I have learned from and should thank- and many more I should have learned from, but didn't.

Maybe you can learn something from these folks, too. Or you can find your own people to learn from. Maybe you could even learn from my mistakes, there's plenty of material there.

Jack

Monday, May 12, 2008

Podcast updates

It has been a while since I reviewed my list of security podcasts and a few new ones have made it into rotation since I last visited the topic. My regular listens and a link to the Getmon Security Podcast list are in my Podcast.com widget (over there on the right, scroll down a bit and you'll see it). Click away at any of the titles for episode details, links to Podcast.com pages, or to play episodes.

My previous recommendations still stand:

  • Pauldotcom Security Weekly
    • Pauldotcom has grown into an empire, with video and webcasts and an entire community involved.
  • The Network Security Podcast
    • Rich Mogull is now Martin McKeay's cohost and his addition has expanded the perspective of this great show.
  • CyberSpeak
    • Brett and Ovie continue to deliver informative and entertaining forensics and cyber-crime content on a quasi-weekly basis (They are busy guys).
  • Security Now*
    • Steve Gibson and Leo LaPorte talk security, and stuff.
    • *figure out the asterisk for yourself.

And newer in the rotation:

  • Risky Business
    • This one is a must-listen, an outstanding weekly podcast featuring news and interviews hosted by Patrick Gray (Patrick Gray is great, and he also has a weekly networking and systems podcast, "A Series of Tubes").
  • The Silver Bullet Podcast:
    • In-depth conversations with leading security gurus, hosted by Gary McGraw, sponsored by IEEE Security & Privacy Magazine.
  • Radio Free Security
    • A good podcast aimed at the small business IT administrator produced by WatchGuard LiveSecurity Service reporters.
    • NOTE- this shares a feed with their "Firebox Special", a podcast dedicated to the WatchGuard Firebox. Unless you are a customer, you may want to skip those.

And a few seem to have faded away, but I haven't completely given up on them:

  • The Security Roundtable [UPDATE: The Round Table is back, see comments below]
  • The Rear Guard
  • Sploitcast*
    • *Not quite dead.

Happy Listening!

Jack

Monday, April 28, 2008

Your Moment of Zen

With apologies to the Daily Show, I present- your Moment of Zen:

"Your systems are vulnerable and will be compromised"

It may be shocking at first, but it is true and you know it.  You may argue about the definitions of "vulnerable" and "compromised", but that misses the point.  Our systems are vulnerable and will be compromised.  Now what do we do? 

  • Focus on the things you can actually accomplish.
  • Accept that we really do need a "Plan B" (and maybe C, D...)
    • Work on those plans.
  • Prioritize work based on real exposure.
  • Think about risk
    • There are many "deep thinkers" in the Risk field, but start with a little "shallow thought" and work your way up.

I have been thinking about this for a while and a panel discussion at RSA really crystallized the idea for me (and many others).  It is not a new idea, Chris Hoff has expressed it in his move from "Rational Security" to "Rational Survivability".  Mike Rothman's "Pragmatic CSO" includes elements of it.  My belief that moving forward, even incrementally, is better than trying to solve all of the big problems also touches the idea.

Possibly more significant than the agreement of the esteemed panel (Mike Rothman, Ron Woerner, Rich Mogull, David Mortman and Martin McKeay) was the general agreement from the audience. It has always been true, but now it is OK to accept it- and move on.

 

Jack

Thursday, April 17, 2008

RSA Security Bloggers Meet-up

Several people have already written about this, so I'll keep it short. I really enjoyed it; I reconnected with some people, met some Internet acquaintances and Security Twits in person for the first time, and met new people, too. I had a great time and I'm already looking forward to the next one.


Thanks again to Jennifer Leggio (Mediaphyter), Martin McKeay, Rich Mogull, Alan Shimel and everyone else who helped make it happen.

Mediaphyter's blog post has a pretty thorough list of attendees, scan it and you'll see why I am not trying to repeat the effort here.

Jack

Sunday, March 23, 2008

Astaro, RSA, Bloggers, and Beer

OK, this post is much more "commercial" than anything I've done before, but bear with me on this...

A handful of factoids:

  • The San Francisco RSA conference is coming up in a few weeks.
  • I'll be there covering the event.
  • Astaro will be there, promoting their new (and of course, current) product line.
  • I blog, and I work for Astaro.
  • Getting press credentials for RSA means you are solicited by everyone who wants press for their products and services.


Now to connect some dots. Several people have commented on the barrage of email invitations to schedule meetings and other such things. Some have commented on the cluelessness of some of the PR and Marketing people. I see two primary issues; first is that some PR and Marketing types don't have the time (or possibly skill) to do a good job (see this post at the Mediaphyter blog); second is that many people do not realize that bloggers and traditional press may have some overlap, but are generally very different people with different situations (see this post at Martin McKeay's blog).

I don't mind the mountains of email invitations. I'm getting into the event with a complimentary Press/Analyst pass and the vendors want to get their message out- that's how this works. I do think many of the messages and invitations are excessively verbose and hype-laden, but some are pretty well done. The well done ones are much more likely to get my attention, both before and during the conference.

Here's the Astaro connection: Astaro wants to get attention from bloggers and I think they are trying to do it right. Tuesday afternoon (you'll be ready to sit down, have a beer and jump on the Internet by then) there will be a "Beer and Blog" event at the Astaro booth; meet Astaro people including the CEO, see the products, talk about whatever you want. And beer. The invitations are short and to the point, and they are only being sent to bloggers. Yes bloggers, Astaro wants your attention, but they are trying to do it right. If you are registered as a Blogger for RSA you should get an invite- if you are interested please RSVP, it would be bad to run out of beer. If you don't get an invite, let me know. And let me know what you think.

Now, back to your irregularly scheduled blogging.

Jack