Comments on LARES BLOG: Confessions of a SecAddict

The Registration plate shall bear nine characters,...

2011-10-10T02:29:14.251-06:00

The Registration plate shall bear nine characters, laser branded into the reflective sheeting and would act as a permanent

consecutive identification number. The hot stamping film shall bear a verification inscription.

hsrp

I am sorry, but am I the only one who finds the wh...

2011-09-19T11:41:59.147-06:00

I am sorry, but am I the only one who finds the white text on the black background difficult to read?!! The article seems interesting and I see many a ppl have read and commented..but somehow I couldnt look at it for long... :(

Moon. So True. This is why I consider proper testi...

2010-04-06T19:40:17.328-06:00

Moon. So True. This is why I consider proper testing much like an intervention. Even proper education or training in an org can do this. Because as you said, they usually need some type of "force" to get them started.

Great points! But noone who is addicted goes to r...

2010-04-06T12:35:14.811-06:00

Great points! But noone who is addicted goes to rehab unless they are forced to by circumstances… hitting rock bottom or some "intervention"… In the case of business, "rock bottom" could be a breach (resulting in substantial direct or indirect costs to the company) and intervention could be a Board member who understands business risks in terms of more than just credit, market or regulatory risks and factors in the IT security & business continuity, etc and the privacy components of risk management and pushes for better governance.

First of all, I just want to say the opening lines...

2010-04-06T08:53:50.113-06:00

First of all, I just want to say the opening lines attributed to Delchi are pure genius and I say they resonate with me, especially the last line which ultimately says, "Be happy despite not getting what we want every time."

----
I think there are a ton of layers we could go through when talking about things like "learned helplessness" and powerlessness in regards to corporate or even individual security, and how it may relate to our own well-being in the face of not getting the security we know an entity needs. Likewise to the internal employees who have an ear towards being more secure.

----
I get what jbrashars is saying about letting a few lumps get through to make a point in learning. I feel like until corporations feel a few lumps, the best they do is throw their IT ops into detox (assessment), pop some pills (appliances), and limit their view to only what they want to deal with (scope). But like you've said, that's not getting at the root of the issues, which is attitude/perception/happiness/human minds.

----
Steps #2 and #3 could be a great approach for a corporate entity to start turning their initiatives over to security experts who can help them!

--LonerVamp

Thank you. PS Also liked the Vodka metaphor.

2010-04-05T12:36:05.644-06:00

Thank you.

PS Also liked the Vodka metaphor.

Awe, fuck. I missed the red text at the top before...

2010-04-05T12:26:13.581-06:00

Awe, fuck. I missed the red text at the top before I posted, with your serenity prayer. Well, I guess it's suicide again for me.

Loved the “Well, we will consider you recovered i...

2010-04-05T12:15:27.299-06:00

Loved the “Well, we will consider you recovered if you don’t drink Vodka any more. All of the other alcohol isn’t IN SCOPE” quote!

Chris, I'm digging it. Although I can't he...

2010-04-05T12:04:49.335-06:00

Chris,
I'm digging it. Although I can't help but wonder if the 12 steps are more for the tester/auditor/savvy employee, or for the company themselves? As the boundaries of the internet melt away and people plug more and more of their lives online, the need for security goes up exponentially but the budget rarely moves in an upward direction. Too often, security is treated as a costly measure and not a cost saving measure, and thus so much of it is reactive. "Shit, we got pwned and gigs of cardholder data is on our twitter feed. Guess we better call ACME Sec. But ask if there's a coupon." Any why SHOULD they care? Jesus, look at the financial sector. One of the biggest economic fuck ups of our lives and the banks get bailed out on our dime. Where is the incentive?

Being an InfoSecPro is a lot like being a parent. You can talk until you're blue in the face about not grabbing onto the scalding hot pot handle, because you're GOING to get burned, or don't ride your big wheel down the stairs or we have to go to the hospital. But unless the kids (or companies) take a few lumps and learn WHY you have to be careful, from scars, the lesson is never truly absorbed.

As both an InfoSecPro and the father of a toddler, I am learning that my job is to make sure the kid/company lives long enough to learn and to reach maturity. Sometimes that lesson is expensive, but if we've done our job, it's not fatal or permanently disfiguring.

But knowing that isn't enough to make it any easier, or less frustrating. That doesn't mean I don't stomp and scream whenever I see my kid put himself in harm's way. I don't know that I'll ever be able to stop doing that. I guess part of the process is knowing when to let someone get owned a little bit, so that they learn to listen, and when to put your foot down and say "If you don't listen to him THIS time, you might not get to hear me say anything next time."

I think it's important to take your 12 step approach; I also think a helpful supplement to your program is the InfoSec Serenity Prayer:

$deity grant me the serenity to accept the policies I cannot change;
the courage to change the things I can;
and the wisdom to know the difference.

Living one assessment at a time
Enjoying one hack at a time
Accepting hardships as the pathway to security;
Taking this sinful circle jerk
As it is, not as I would have it.
Trusting that getting popped and leaked all over twitter will make things right if we surrender to FUD
That I may be reasonably happy in this industry
and supremely happy with my job
Forever and in retirement.
Amen.

Very inspirational!

2010-04-05T11:49:52.002-06:00

Very inspirational!