August 24, 2009 – Volume 4, #33
We start school pretty early in the South. Today is the beginning of
the third week of school for the rats. They are getting into the
schedule a bit, though getting up at 6:30 AM is probably something
they’ll never get used to. By Thursday, the boy is complaining about
wanting to get back in bed. After telling him about 20 times that it’s
not an option, he’ll begrudgingly put on his clothes and sulk through
the rest of the morning ritual. Thank the heavens for GoGurt, since
that seems to be something the kids like in the AM. We freeze them, and
it keeps them occupied and not bitching.
But as with
everything else, life would be a lot easier if we didn’t have to deal
with people. That’s a big part of the reason I work remotely, and in a
perfect world, I wouldn’t have to deal with people much at all.
Between ATMs and Pay at the Pump, I don’t really have to interact with
anyone. Which is a good thing for all involved. Yet, for the kids,
being as anti-social as their old man is not an option. Nor should it
The big lesson this year is how to deal with difficult people. We all
know them, we all try to avoid them, but sometimes that isn’t an option
and it creates angst. Especially for a high-strung Dad, who doesn’t
like anyone giving his kids a hard time. It’s a teaching
opportunity, but the real question is what to teach.
Of course, my first instinct is to teach them how to wield a bat most
effectively to create the most pain, while leaving the fewest marks.
That is a time-tested means in dealing with difficult people, and they
usually cause very few problems after a date with Mr. Easton. But
that’s probably not the best approach for kids today, especially given
the litigious nature of most folks. So I guess we need to scratch that
approach off the list.
Next is what I’ll call the "biting sarcasm" approach. Basically, slice
the difficult person into little pieces verbally and make them question
their value in society. Yep, I’ve used that one before pretty
effectively, but it does require some verbal sparring skill, a quick
wit and an adversary that understands you are calling them an idiot.
Again, this may not be the best approach for my young kids. As they get
older, we’ll have more success with this method, but not quite yet.
Of course, neither of these will win me a Parent of the Year award. The
point is really to teach the kids to be better than that. To face down
the difficulty and handle it with elegance and grace. To call out the
person, make it clear to them they are not being nice, and then ignore
them. And do that time and time again because difficult people rarely
stop until they get a rise out of you. So we have to constantly
reinforce and coach the kids to not take the bait. Don’t let them see
their words bother you. Don’t give them the satisfaction.
Though I still have a lot of work to do in my own right, this
is what we work on with the kids almost daily. Not only with external
folks, but this skill is important for inter-family dynamics. At any
given time, one of the kids is being difficult. So these are skills
they need and trying to raise kids better than myself is certainly a
Of course, I still maintain my "people to kill today" list and am sure
to put these difficult kids on it. I guess old habits are hard to
break. Have a
Incite 4 U
Candidly, it’s been a slow summer for security news. I guess it usually
is, but this summer seems even slower. There is a lot of activity on
Twitter, at least in terms of good productive dialog, but I can’t get
confused between discussions on Twitter and what is happening in the
real world. Sometimes we get myopic and think that because you have a
good discussion with some smart people, the rest of the world is
following along. They are not.
So we’ve seen some news about the retailer breaches, and per usual, it
was an unsophisticated attack executed well. Fortinet filed papers for
an IPO, so there is hope a number of companies can gain exit velocity
and show security is a thriving industry. Yet, the conversations I’m
having with most folks are still about relevance. Everyone knows they
are being attacked and breaches are happening. But we are still
fighting to overcome the reality that senior management wants to spend
the least amount possible on security.
Right, just like insurance. I’ve mentioned this before, but in reality
we’ve got to sell security like we sell insurance. A candid assessment
of what can kill you, and then a set of options for how much an
organization will pay to mitigate those risks. All the while,
understanding that there is no panacea and you can still get hit by a
truck (or a SQL injection attack) regardless of how much you spend. OK,
off soapbox and onto what (little) I’m seeing out there.
- Living with Awareness – No I’m not going on a Buddha-tinged rampage
(irony intentional), I’m pointing to a post from Bejtlich regarding Digital Situational
Awareness. At my day job, there are a lot of cycles focused
on protecting against cyber-attacks and of course, the term du jour for
that is "situational awareness," which my pea brain interprets as
security posture. Anyhow, Richard describes a number of levels of how
aware you are of your security posture – ranging from waiting until
your credit card brand informs you of a breach to proactive intelligence
gathering to determine who is targeting you and how. Most are within
the first three buckets (external notification, vulnerability
assessment, penetration testing) and that may be OK, depending on what
you are protecting. But knowing where you’re not is always an important
thing to realize.
- The User Frustration Metric – Security is a trade-off, it’s as
simple as that. We all know that, but we forget because we are mired in
the day to day battles and the politics and the futility. The safest
device is one not connected to anything. Alex, whose rural existence is
giving him lots of time to think, comes up with something that is
pretty interesting. The user frustration metric. Yup,
a lot of folks go around security controls because it frustrates them,
so if we measure that frustration and then use it as an input into our
cost-benefit analysis, we’d get some interesting results, no? Of
course, really measuring this is hard (and probably not worth the
effort), BUT it is a good line of thinking to understand if any new
security controls we’re implementing are worth the effort or whether they
will cause more misery and suffering.
- ConSentry buh bye – Yup, another start-up goes down. Actually I’m
surprised we don’t see more investors pulling the plug on companies
going nowhere fast. Of course, knowing folks at ConSentry, it’s always
sad. But all the same, statistics are statistics. Not all companies
work. Here is the NWW coverage of ConSentry’s demise.
But more interestingly Shimmy does a good obit for Inline NAC,
and also a bit more analysis of NAC
pointing to a piece from John Pescatore on some of the more
compelling use cases for the technology. As I’ve long said,
NAC is a feature and really should be embedded within the network.
That’s happening slowly and provides a short term opportunity for the
out-of-band flavor of NAC, until switches go through another
- Fighting the AppSec fight – Big J continues to try to help security
folks understand how to position an application security program within
their own organizations. Of course, many of us know why it’s important
to write code securely, but when you have compliance mandates and years
of conditioning that putting a widget in front of whatever you want to
protect will work – there is precious little incentive to do the hard
work of secure coding. Jeremiah does a nice role play in surfacing
and then discussing many of the objections developers bring
forward, mostly around not my problem, it’s the security guy’s issue.
Which it is, but selling the benefits of doing it right the first time
is still way too hard.
- MSS hits the tipping point – Andreas from Nemertes uses his NetworkWorld column to highlight some
research showing security services gaining adoption. I can
overlords are seeing a similar trend. As the economy has
tightened, a lot more folks are suspending their disbelief about who
should be monitoring what and looking to outsource things not core to
their operations. To be clear, managed security services are not always
cheaper (especially in the long run), but there is a cost to staffing
and buying the tools for a SOC, so it’s certainly something every
organization should consider. A real concern is that 40% of the
benchmark claim their outsourcing engagement is NOT a success. The key
is to scope effectively and manage the crap out of the service provider.
- auditor hates you too – One of my favorite posts is from Jeff Kirsch, who unabashedly lets you know
that auditors are onto your game, know you are lying to them,
and don’t like you too much either. Seriously, part of the P-CSO
process is to treat an auditor like a peer. Lying to them and making
things hard for them to do their job is not the path to success. Read
the post, laugh a bit and then take the message to heart: "Having a good relationship with
your auditor does not mean you have to be friends, but it does mean you
need to find common ground to share trust." Amen to that.
- The impact of the social networked generation – Pescatore, who’s been
busy blogging, brings up a good point that we in the protection game
need to stay focused on. Namely, the impact of this new generation of
socially networked kids that will be entering the workforce
over the next 4 years or so. These are kids that don’t think twice
about posting pictures of themselves (or their friends) hurling into a bucket
or passed out by the porcelain god or doing other similar stuff that is
funny at the time, but doesn’t bode well for your security clearance.
These folks think differently than us old timers, and that means our
protection strategies need to evolve. Just like trying to gain the
"attacker’s mindset," we also need to understand the mindset of the
next generation to understand how they are going to undermine our
best-laid security plans.
- gets back to managing expectations – I guess we’ll always
be doing this push and pull between doing things, measuring them, and
then telling someone else what we are up to. AndyITGuy
riffs off a Grumpy Pete concept of whether we can even measure security.
Andy believes we can, but it gets back to communicating not just what
the senior folks want to see (you know, the things that impact their
bonus) but rather all the stuff we do. In concept, that is nice, but in
reality they don’t care. So WE measure operational stuff, not because
the senior folks care, but because we need that data to improve our own
house. The things they care about (incident response, loss numbers,
attack trends) are about THEM (and their bonus), so we have to
understand (and not take personally) the reality that they don’t care
about our metrics.
*** This is a Security Bloggers Network syndicated blog from Mike Rothman's blog authored by Mike Rothman. Read the original post at: http://securityincite.com/blog/mike-rothman/the-daily-incite-8-24-09-difficult-people