The Daily Incite – 8/24/09 – Difficult People

Today's Daily Incite

August 24, 2009 – Volume 4, #33

Good Morning:
We start school pretty early in the South. Today is the beginning of
the third week of school for the rats. They are getting into the
schedule a bit, though getting up at 6:30 AM is probably something
they'll never get used to. By Thursday, the boy is complaining about
wanting to get back in bed. After telling him about 20 times that it's
not an option, he'll begrudgingly put on his clothes and sulk through
the rest of the morning ritual. Thank the heavens for GoGurt, since
that seems to be something the kids like in the AM. We freeze them, and
it keeps them occupied and not bitching.

How about using a bat? That works great.... But as with
everything else, life would be a lot easier if we didn't have to deal
with people. That's a big part of the reason I work remotely, and how
in a perfect world, I wouldn't have to deal with people much at all.
Between ATMs and Pay at the Pump, I don't really have to interact with
anyone. Which is a good thing for all involved. Yet, for the kids,
being as anti-social as their old man is not an option. Nor should it

The big lesson this year is how to deal with difficult people. We all
know them, we all try to avoid them, but sometimes that isn't an option
and it creates angst. Especially for a high-strung Dad, who doesn't
like anyone giving his kids a hard time. It's a teaching
opportunity, but the real question is what to teach.

Of course, my first instinct is to teach them how to wield a bat most
effectively to create the most pain, while leaving the fewest marks.
That is a time-tested means in dealing with difficult people, and they
usually cause very few problems after a date with Mr. Easton. But
that’s probably not the best approach for kids today, especially given
the litigious nature of most folks. So I guess we need to scratch that
approach off the list.

Next is what I’ll call the "biting sarcasm" approach. Basically, slice
the difficult person into little pieces verbally and make them question
their value in society. Yep, I’ve used that one before pretty
effectively, but it does require some verbal sparring skill, a quick
wit and an adversary that understands you are calling them an idiot.
Again, this may not be the best approach for my young kids. As they get
older, we’ll have more success with this method, but not quite yet.

Of course, neither of these will win me a Parent of the Year award. The
point is really to teach the kids to be better than that. To face down
the difficulty and handle it with elegance and grace. To call out the
person, make it clear to them they are not being nice, and then ignore
them. And do that time and time again because difficult people rarely
stop until they get a rise out of you. So we have to constantly
reinforce and coach the kids to not take the bait. Don’t let them see
their words bother you. Don't give them the satisfaction.

Though I still have a lot of work to do in my own right, this
is what we work on with the kids almost daily. Not only with external
folks, but this skill is important for inter-family dynamics. At any
given time, one of the kids is being difficult. So these are skills
they need and trying to raise kids better than myself is certainly a

Of course, I still maintain my "people to kill today" list and am sure
to put these difficult kids on it. I guess old habits are hard to
break. Have a great day.

Photo: "How" originally uploaded by benterrett


Incite 4 U

Candidly, it’s been a slow summer for security news. I guess it usually
is, but this summer seems even slower. There is a lot of activity on
Twitter, at least in terms of good productive dialog, but I can’t get
confused between discussions on Twitter and what is happening in the
real world. Sometimes we get myopic and think that because you have a
good discussion with some smart people, the rest of the world is
following along. They are not.

So we've seen some news about the retailer breaches, and per usual, it
was an unsophisticated attack executed well. Fortinet filed papers for
an IPO, so there is hope a number of companies can gain exit velocity
and show security is a thriving industry. Yet, the conversations I'm
having with most folks are still about relevance. Everyone knows they
are being attacked and breaches are happening. But we are still
fighting to overcome the reality that senior management wants to spend
the least amount possible on security.

Right, just like insurance. I’ve mentioned this before, but in reality
we’ve got to sell security like we sell insurance. A candid assessment
of what can kill you, and then a set of options for how much an
organization will pay to mitigate those risks. All the while,
understanding that there is no panacea and you can still get hit by a
truck (or a SQL injection attack) regardless of how much you spend. OK,
off soapbox and onto what (little) I’m seeing out there.

  1. Living with – No, I'm not going on a Buddha-tinged rampage
     (irony intentional), I'm pointing to a post from Bejtlich regarding
     Digital Situational Awareness. At my day job, there are a lot of cycles
     focused on protecting against cyber-attacks and of course, the term du
     jour for that is "situational awareness," which my pea brain interprets
     as security posture. Anyhow, Richard describes a number of levels of how
     aware you are of your security posture – ranging from waiting until
     your credit brand informs you of a breach to proactive intelligence
     gathering to determine who is targeting you and how. Most are within
     the first three buckets (external notification, vulnerability
     assessment, penetration testing) and that may be OK, depending on what
     you are protecting. But knowing where you're not is always an important
     thing to realize.
  2. The User Frustration Metric – Security is a trade-off, it's as
     simple as that. We all know that, but we forget because we are mired in
     the day-to-day battles and the politics and the futility. The safest
     device is one not connected to anything. Alex, whose rural existence is
     giving him lots of time to think, comes up with something that is
     pretty interesting: the user frustration metric. Yup, a lot of folks go
     around security controls because it frustrates them, so if we measure
     that frustration and then use it as an input into our cost-benefit
     analysis, we'd get some interesting results, no? Of course, really
     measuring this is hard (and probably not worth the effort), BUT it is a
     good line of thinking to understand if any new security controls we're
     implementing are worth the effort or whether they will cause more misery
     and suffering.
  3. ConSentry buh – Yup, another start-up goes down. Actually I'm
     surprised we don't see more investors pulling the plug on companies
     going nowhere fast. Of course, knowing folks at ConSentry, it's always
     sad. But all the same, statistics are statistics. Not all companies
     work. Here is the NWW coverage of ConSentry's demise. But more
     interestingly, Shimmy does a good obit for Inline NAC, and also a bit
     more analysis of NAC pointing to a piece from John Pescatore on some of
     the more compelling use cases for the technology. As I've long said,
     NAC is a feature and really should be embedded within the network.
     That's happening slowly and provides a short-term opportunity for the
     out-of-band flavor of NAC, until switches go through another
     generational update.
  4. Fighting the AppSec fight – Big J continues to try to help security
     folks understand how to position an application security program within
     their own organizations. Of course, many of us know why it's important
     to write code securely, but when you have compliance mandates and years
     of conditioning that putting a widget in front of whatever you want to
     protect will work – there is precious little incentive to do the hard
     work of secure coding. Jeremiah does a nice role play in surfacing
     and then discussing many of the objections developers bring forward,
     mostly around "not my problem, it's the security guy's issue." Which it
     is, but selling the benefits of doing it right the first time is still
     way too hard.
  5. MSS hits the tipping point – Andreas from Nemertes uses his
     NetworkWorld column to highlight some research showing security services
     gaining adoption. I can say my are seeing a similar trend. As the
     economy has tightened, a lot more folks are suspending their disbelief
     about who should be monitoring what and looking to outsource things not
     core to their operations. To be clear, managed security services are not
     always cheaper (especially in the long run), but there is a cost to
     staffing and buying the tools for a SOC, so it's certainly something
     every organization should consider. A real concern is that 40% of the
     benchmark claim their outsourcing engagement is NOT a success. The key
     is to scope effectively and manage the crap out of the service provider.
  6. Your auditor hates you too – One of my favorite posts is from Jeff
     Kirsch, who unabashedly lets you know that auditors are onto your game,
     know you are lying to them, and don't like you too much either.
     Seriously, part of the P-CSO process is to treat an auditor like a peer.
     Lying to them and making things hard for them to do their job is not the
     path to success. Read the post, laugh a bit and then take the message to
     heart: "Having a good relationship with your auditor does not mean you
     have to be friends, but it does mean you need to find common ground to
     share trust." Amen to that.
  7. The impact of the social networked generation – Pescatore, who's been
     busy blogging, brings up a good point that we in the protection game
     need to stay focused on. Namely, the impact of this new generation of
     socially networked kids that will be entering the workforce over the
     next 4 years or so. These are kids that don't think twice about posting
     pictures of themselves (or their friends) hurling into a bucket or
     passed out by the porcelain god or doing other similar stuff that is
     funny at the time, but doesn't bode well for your security clearance.
     These folks think differently than us old timers, and that means our
     protection strategies need to evolve. Just like trying to gain the
     "attacker's mindset," we also need to understand the mindset of the
     next generation to understand how they are going to undermine our
     best laid security plans.
  8. Measurement gets back to managing expectations – I guess we'll always
     be doing this push and pull between doing things, measuring them, and
     then telling someone else what we are up to. AndyITGuy riffs off a
     Grumpy Pete concept of whether we can even measure security. Andy
     believes we can, but it gets back to communicating not just what the
     senior folks want to see (you know, the things that impact their bonus)
     but rather all the stuff we do. In concept, that is nice, but in
     reality they don't care. So WE measure operational stuff, not because
     the senior folks care, but because we need that data to improve our own
     house. The things they care about (incident response, loss numbers,
     attack trends) are about THEM (and their bonus), so we have to
     understand (and not take personally) the reality that they don't care
     about our metrics.

This is a Security Bloggers Network syndicated post from Mike Rothman's blog, authored by Mike Rothman.

Mike Rothman

Mike is a 25+-year security veteran, specializing in the sexy aspects of security, such as protecting networks and endpoints, security management, compliance and helping clients navigate a secure evolution to the cloud.
