Incite 8/27/2014: It takes a village
By Mike Rothman
The first couple weeks when the kids are back in school can be a little rough. We don’t have the routine down so there is some inevitable confusion and miscommunication. There are just so many details. Who is picking up which kid, from where? We drive that carpool which night? What is the address of the 3rd kid to grab for LAX practice? You know, that kind of thing.
And that’s just the logistical stuff the Boss and I need to figure out. Complicating matters is the alternative schedules we have to maintain. One when I’m in town, and the other for when I’m on the road working with clients. Obviously things are a bit easier when I can lend a hand and grab this kid from there and/or take the other kid to the dance studio.
We have found it really does take a village to raise kids nowadays. I remember when I was growing up and my Mom worked in a retail pharmacy. Some nights she would have the afternoon shift and then have to close the store. I was a latchkey kid, so once we were old enough to go home and fend for ourselves for a couple hours (probably late in elementary school for me) I would take my brother home and we’d play until Mom got home. Sometimes I’d go to a friend’s house and play a game of pick-up football. Another kid had an Intellivision so we went to his house a lot.
I became pretty self-sufficient. My Mom would cook a bunch of meals over the weekend, and I’d pull one out of the freezer and throw it (whatever it was) into a pan and boom! Dinner. If my clothes were dirty I put them in the wash. She would get home after a long day of work standing in the pharmacy and make sure we got our homework done, and we all had to lend a hand to get everything done. That’s just the way it was for us.
Nowadays that wouldn’t work very well. Sure my kids can do laundry and probably even warm up their food (through the magic of the microwave!) But the kids can’t get themselves to dance practice 4 days a week. I guess the Boy could walk down to his tennis practices in the neighborhood, but he can’t walk the 10 miles to LAX practice Monday nights. Actually he could, but probably not in time for 6pm practice. So we work it out with the other parents. We drive some nights and pick up others. With 3 kids and overlapping activity schedules, there isn’t really any other way – especially given my travel schedule.
Though we got a little smarter this year. I put the kids’ schedule in my phone, so I know which practices are what days and where. We discuss who is doing what at the beginning of the week, so I know where I’m expected to be, and I put it in my calendar. The goal is to minimize confusion and so far it’s working.
And we took another step towards what emancipation looks like for 10-year-olds this year. We got them pre-paid cell phones, so when they are tooling around the neighborhood or at their various practices, and we make the inevitable mistakes, they can just call. It’s very helpful to just dial them up and figure out where they are. My Mom didn’t have that option – she sometimes had to drive around the neighborhood to figure out which back yard I was playing in. Yes, things are more complicated now, but we have much better tools to handle them.
But the thing that hasn’t changed? The relationships you build with people who can lend a hand when you need one. And where you lend a hand when they need one. No magic device or web-based service can replace that.
Photo credit: “The Village Store and Tea Shop” originally uploaded by Alison Christine
The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.
Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.
- August 18 – You Can’t Handle the Gartner
- July 22 – Hacker Summer Camp
- July 14 – China and Career Advancement
- June 30 – G Who Shall Not Be Named
- June 17 – Apple and Privacy
- May 19 – Wanted Posters and SleepyCon
- May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling
- May 5 – There Is No SecDevOps
- April 28 – The Verizon DBIR
- April 14 – Three for Five
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.
The Security Pro’s Guide to Cloud File Storage and Collaboration
Leveraging Threat Intelligence in Incident Response/Management
- Quick Wins
- The (New) Incident Response & Management Process Model
- Threat Intelligence + Data Collect = Responding Better
- Really Responding Faster
Trends in Data Centric Security
Understanding Role-based Access Control
NoSQL Security 2.0
Newly Published Papers
- The 2015 Endpoint and Mobile Security Buyer’s Guide
- Open Source Development and Application Security Analysis
- Advanced Endpoint and Server Protection
- Defending Against Network-based DDoS Attacks
- Reducing Attack Surface with Application Control
- Leveraging Threat Intelligence in Security Monitoring
- The Future of Security
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7
Incite 4 U
Media take note: I recently ranted a bit about Security Trolling Mass Media, and Ken Westin from Tripwire also posted on the same topic on LinkedIn. His is a good read, pulling back the covers on misleading threat reports and offering tips to journalists so they don’t get trolled and manipulated by the ‘cyber’ marketing hype machine. Little tactics like asking questions and validating findings with people who actually understand security (like us!). He also cautions against using clickbait titles – the modern “equivalent of tabloid journalism”. Amen. But alas, reality dictates page views = click bait = PR manipulation, so it is what it is. And so it goes. – MR
Stuck in port: Docker containers have arrived at the security inflection point – when you move past cool new developer tool to hard corporate IT realization. “Oh crap, how do we secure this stuff?” Docker no longer needs to prove agility and multi-cloud ease of development – now they need to address corporate needs for safety, security, and manageability. Docker’s approach to security is threefold: keys and digital signatures to validate that a specific container can be trusted, a policy-based management framework to control how the container runs, and an interface to add or drop privileges. Adding capabilities into the base containers and framework is great, but integration with identity and security management tools? Not so much. But it’s still early and Docker is very promising, so stay tuned. – AL
Defend like an attacker: If you can get past the sales stuff, this post by Lauren Barraco on AlienVault’s blog includes some good content. It basically shows how you can take a systematic approach to looking for attackers in your security data and prioritizing appropriately. The reality is that there is no exact science of finding attack manifestations. You can correlate thousands of different data points hoping to find anomalies. You can threat model attack chains and look for evidence. And you should. Sometimes you get lucky and stumble across something. Other times you get a call from a third party delivering bad news. My point is that you are more likely to avoid the latter if you have a systematic process of gathering and analyzing security data. Which I think is Lauren’s point as well. – MR
Discovery first: Wired Magazine says Don’t Get Bullied by Shadow IT. But can you really get bullied by something you are not aware of? The problem of rogue IT services being outside IT control and processes only becomes an issue when they move sensitive production data into third-party systems, which seems to happen with ease. But Mr. Ennis suggests the answer to this issue is to control Shadow IT, which is great if you can detect it. Those pesky details, right? Unless the sales or marketing team provisioning these services actually tell you, how do you find it? There is no proven way but I suggest you work with Finance, and ask them to scan expense reports for cloud service providers on credit cards. If someone is spending $1,000/month for AWS, you probably just found rogue IT, along with who is responsible. You can also check out egress filter logs for signs of data going to third-party SaaS apps, which are the killer apps for cloud broker services. To protect your critical data, awareness is the key. – AL
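Added example (not from the original post): a minimal Python sketch of the two discovery signals described above, expense-report lines naming a cloud provider and egress-log upload volume to unsanctioned services, joined per user. The log layout, the service and merchant maps, the sanctioned list, and the 100 MB threshold are all assumptions, and the sample data is constructed.

```python
import csv, io
from collections import defaultdict

# Assumed, illustrative maps; a real deployment maintains its own lists.
SERVICES = {"amazonaws.com": "AWS", "dropbox.com": "Dropbox", "box.com": "Box"}
MERCHANT_HINTS = {"amazon web services": "AWS", "dropbox": "Dropbox"}
SANCTIONED = {"Box"}  # assumption: services IT has approved

# Constructed egress proxy log: timestamp user dest_host bytes_out
EGRESS_LOG = """\
2014-08-25T09:01:00 alice s3.amazonaws.com 734003200
2014-08-25T09:05:00 alice s3.amazonaws.com 524288000
2014-08-25T10:12:00 bob upload.box.com 10485760
2014-08-25T11:30:00 carol notdropbox.com 2048
2014-08-25T11:45:00 carol client.dropbox.com 1200
malformed line
"""
# Constructed expense-report export
EXPENSES = """\
employee,merchant,amount
alice,Amazon Web Services,1000.00
bob,Delta Air Lines,420.10
"""

def classify(host):
    """Match on a DNS label boundary so notdropbox.com is not Dropbox."""
    host = host.lower().rstrip(".")
    for suffix, svc in SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return svc
    return None

def egress_by_service(log_text):
    """Sum uploaded bytes per (service, user) for unsanctioned services."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not fit the assumed layout
        svc = classify(parts[2])
        if svc and svc not in SANCTIONED:
            totals[(svc, parts[1])] += int(parts[3])
    return dict(totals)

def find_shadow_it(log_text, csv_text, min_bytes=100 * 1024 * 1024):
    """Flag (service, user) pairs that were expensed or exceed min_bytes out."""
    egress = egress_by_service(log_text)
    paid = {(svc, row["employee"])
            for row in csv.DictReader(io.StringIO(csv_text))
            for hint, svc in MERCHANT_HINTS.items()
            if hint in row["merchant"].lower() and svc not in SANCTIONED}
    return [{"service": k[0], "user": k[1], "bytes_out": egress.get(k, 0),
             "expensed": k in paid}
            for k in sorted(set(egress) | paid)
            if k in paid or egress.get(k, 0) >= min_bytes]
```

Calling `find_shadow_it(EGRESS_LOG, EXPENSES)` on the sample data returns one finding, the AWS usage that shows up in both the expense export and the egress log.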
Softer skills for security folks: It seems most security leaders I talk to spend a bunch of time ruing that they cannot find enough good people to build their teams. It’s true. Security is very much in demand, and the skills are honed over years of experience. Not a certification or a SANS course. That said, many security folks with the requisite experience don’t really help themselves either. I have mentioned the need for softer skills for years, and George Hulme reiterates a lot of these points in Five CISO skills critical to your success. Although I would argue that communicating well, understanding business management, and being able to explain risk in business terms aren’t skills that need to be restricted to CISOs. These are key skills for any security practitioner. As I mention in the 5 tips for being a better CISO (you can get it by registering for the Pragmatic CSO mailing list), you are a business person – who just happens to do security. So get to know your business and be able to talk in business terms. Thanks George – I needed another reason to get back on the soapbox. – MR