
Archive for February, 2007

Google Apps Premier Launches - does this mean security takes a hit? You bet it does (so what to do about it?)

Well, the big announcement last week and through the weekend was that Google Apps Premier launched. This is a chance for companies to leverage the power of “office tools” from anywhere and is set to foster more effective collaboration. On a personal level, I use (and like) Google docs, so I can see the draw. If you want more information, here are some great overviews:

Read/Write Web: Google Apps Premier Edition Launches - One Small Step Towards Google Office

eWeek’s Google Apps Premier Edition Takes Aim at the Enterprise

What I found interesting, though, is a general lack of discussion around the “security” of the application. If you’ve been reading this blog for a while, you may have picked up on how I’m focusing less on the word “security” and more on the concept of “protection of information.” I would posit the same holds true here. My colleagues in the security profession hopefully realize that the difference is largely semantics, but the concept of how to communicate what we do is much clearer when explained as “helping to protect sensitive information.”

So back to Google. Well, the focus is Google (today), but they aren’t the first or only company to offer well-designed solutions that users will gravitate toward. So back to discussing how web-centralized applications are working to protect our information…

I enjoyed reading Marshall Kirkpatrick’s piece in Tech Crunch, It’s G-Day: Google Launches Apps Premier. In fact, this is the first piece that I read (so perhaps not the first piece in general) that mentioned the security aspect. What I also liked is that it revealed to me (again, not sure if he was the first) that GE and P&G were signing up to be Google Apps customers. Now, often times in an announcement like that, it’s not the *whole* company, but some part of it. Either way, my reaction is “Are you kidding me?”

I don’t mean that as a shot against Google, GE or P&G. But suggesting that a company of this size is going to put potentially sensitive documents on a shared drive (or in a shared, web-based location) that they do not control and cannot control just seems odd. By odd, I mean: how is this good for the protection of information? Oh, and if you think a *policy* about what can and cannot be stored there will stop someone - think again. See, I *do* believe in the power of the user, but a user just wants to get their job done. As such, if Google Apps (or *ANY* online application) makes their job easier, my experience suggests they will use it.

Now, when GE or P&G decided to go this route, I really hope that their security teams got involved in the evaluation. My instinct suggests otherwise, and that makes me shudder. If you know otherwise - drop me a line (securitycatalyst@gmail.com).

One major concern that hangs over the head of tonight’s news is the ongoing question of Google security. TechCrunch asked for months whether business users would or should trust Google Apps with sensitive business information given the regular lapses of security experienced by the company’s hosted services. See a timeline and discussion of those lapses in this post.

To break it down easy - there is no guidance for companies trying to decide if using Google Apps Premier (or any other service like it) makes sense when they are also obligated to protect information. I run a company. And we launched a community. In both cases, looking at online solutions (especially since both the company and the community have virtual/location considerations) is appealing. In both cases, we have opted to only use them in limited circumstances. We’re small enough that controlling the information outside our walls is a bit easier. So how does the average company decide if using Google Apps, Microsoft Live or Amazon’s S3 storage is a good idea — when it comes to protecting information (if they even consider that)? I have no clue - since we have no commonly accepted framework.

Let me be clear: I’m not suggesting that Google (and others) are not taking this seriously and providing security. Look beyond Google - especially at some of the new and exciting Web 2.0 start-ups. Is designing a system that is “secure” at the forefront of their minds? I don’t think it is for most… yet. The implication then? Well, we saw with identity theft that while I could steal only your identity, it’s more lucrative for me to break into a system and steal MANY at the same time. So I believe it’s reasonable to consider that as more of these services go online and more sensitive information is stored on them, the focus of attackers will shift. So while you “trust” Google, Microsoft or Amazon - that’s not good enough for me (or anyone, really).

Interestingly enough, I’m not the only one thinking like this; Larry Dignan asks, “Will you trust Google with your data?”

When I talk about Security 2.0 (and I still need suggestions for a better name), this is precisely the second component: security professionals need to get engaged in the process of developing and protecting these solutions. But it goes deeper… we need to work as a community to develop a framework and a method to be able to assess these solutions and decide if they are acceptable for us or not. Think about it - no provider can effectively go through a myriad of audits *each* day just to prove they meet the requirements of a specific company. At the same time, I don’t accept the Trust-E seal or “hacker safe” logos. I’m not knocking them - they serve a purpose; but for a corporation to decide to leverage a service to store data… we need something more.

Aside: I know the name Security 2.0 needs to change. This isn’t about numbers and versions. It was named to build on the success of Web 2.0; the approach still leverages the power of social media to effect a new way of practicing the protection of information. It is about bringing power and ease of use/design to the user. It’s about building a new approach and developing new skills. In the end, this is my humble offering for how to move from being on a security diet to having a security mindset. I’m open to suggestions for a new name; until then, we’ll call it the “Catalyst Security Approach.” Clearly, I need some branding help here :)

Now, I don’t like to pose a question without a solution. I believe that what we need in order to assess companies is what I am calling a “security wellness index.” My background is in economics - and this is an approach that blends security with economics, engineering, social sciences and the like. I have a brief 2-3 page overview and have started some discussions to have this research project funded. It’s probably a 2008 effort - but if you are interested, shoot me a note and we’ll talk. I’ll save more details for another post.

But we have solutions if we are willing to apply the time, brain power and energy to making them work. This is not a new problem to solve. We need to change our way of thinking and make sure that, as a community, we all engage and work to implement common solutions. I know, easier said than done - but if we don’t have the conversations and make it happen…

Oh - and since these new web-solutions work, our users will absolutely move to them whether we want them to or not. So ignoring or banning the use of these solutions is not a solution. We have to be proactive and get engaged if we hope to make a difference. If we don’t, we’re doomed for bolt-on security (at best) for another generation - and to me, that means we failed. Besides, how many of you have “banned” gmail at work? Did you see this great posting explaining how to defeat your attempts to ban it: 5 tips for accessing your blocked Gmail (lifehacker)? If something works better than what you designed, they will move to it. The protection of information, therefore, needs to be integrated from the beginning.

The protection of information is a cultural shift.

So we have an opportunity here. Google is a big company that seems to have an interest in security. They seem to have attracted other large organizations (again with large, I hope, security teams). This is the perfect recipe for working to establish transparent frameworks to embed security into these Web 2.0 (and beyond) applications in a way that lets us more readily assess their ability to protect our information and satisfy our corporate policies and goals.

If we ignore this, we do so at our own peril. If we use this as the catalyst to have the needed discussions about how to make this work, we advance on many levels. I’m willing to help, I want to be part of the solution. What about you?

Posted in Information Protection | Comments (4)

Congratulations to Martin McKeay and Still Secure

It’s a bit of a departure for me to post something like this, but I wanted to publicly congratulate both Martin McKeay and Still Secure on the recent announcement that Martin has been hired as a product evangelist. I thought Martin wrote a nice introduction about his great start in Feeling welcome at StillSecure. I also liked the piece Alan wrote in his blog in Friends who blog … and work together.

I’m actually impressed that this all came together via blogging and the opportunity to get to know each other over a period of time. Neither is really in for any surprise, and I think we are just starting to see the power of the “new” social media. I am obviously a proponent of actively blending security and social media together - so clearly I am excited about these developments. But it goes further, too, since I know everyone involved in this announcement.

I appreciate the fact that Rothman and others consider me a nice guy (I link, but you all read him anyway, right? If not, why not?). Perhaps I am nice (my Mom would be proud), though I tend to be a bit demanding, too. Why does that matter? Well, I can be hard on people, and harsh at times. So when I take the time to congratulate Martin, I really mean it.

Martin is someone that impressed (and impresses) me. He has a clear sense of who he is, and who he is not - and I believe that will serve him well. Since Martin initially reached out to me (via our blogs and podcasts), we have found many occasions to speak, meet in person and generally find ways to improve the way the world practices the protection of information. I genuinely enjoy working with Martin, and look forward to good things in his new role. I also plan to keep working on the SRT with him (our new episode with Dan York is coming soon) and a few other TCC related things…

After shooting emails back and forth with Alan for a while, we finally got to speak over the weekend. I was introduced to Mitchell Ashley, too - and quite frankly, I felt comfortable talking with them. I didn’t get pitched, we talked shop. It was comfortable and I look forward to more such conversations in the future.

I’m excited for everyone on this deal and hope that we see more companies working with leaders in our field to get their message out.

Posted in Information Protection | Comments

Protecting Information is Not a Seasonal Event

I’ve often said that we don’t achieve security through compliance. The only way to be compliant (with whatever) is to follow “good” security practices. It works into a nice mantra: Compliance through security. But recently, I’ve realized that while effective, it’s not good enough.

I still believe that, btw, but now I’d even say it differently. See, the more I think about things, the more I realize that “scale matters” (sorta like size matters, but different). See, when I tell someone I practice security, it leads to a host of responses and questions: alarms? security guard? background checks? firewalls?

So I started to explain that I help companies protect information - sometimes your private information. And that seems to bring clarity. Think about it - say out loud “1 Billion years” (it gets funny if you do this with your pinky next to the side of your mouth). Now - try to imagine how long that is. It’s so big we can’t actually picture it. Now, go tell someone you’re in security. Same effect. We have no practical scale by which to measure what it means to be in security. But when we talk about information and how we help protect important information - people immediately understand. It also better explains the processes we go through, the education we must focus on and the role that technology plays.

Inherent in that way of explanation is the role that the individual plays. It brings what we do into proportion and gives it meaning.

Great! Now what?
Well, the next step is to help organizations start to realize that the protection of information is not a seasonal event. We’re all familiar with spring cleaning (whether we do it or not), the concept of skiing in the winter, swimming in the summer and enjoying activities that come with the seasons. I see a lot of companies that “rush” to “get security done” in time for an audit. We could argue the effectiveness of that approach short term, but long term it simply doesn’t work. By seeing security as an end state, we lose focus that security is a process. So better - protecting information is a lifestyle. Think about it.

I’m not the only one who thinks and writes about this. For a similar perspective, I highly recommend reading Alex Bakman’s Compliance should be integrated…not an event.


Posted in Information Protection | Comments (2)

How to start your week off right, with some help from my friends

It’s always a risk when we write and put our ideas out there - it makes us vulnerable. At the same time, it is precisely that willingness to be vulnerable and share our ideas that leads to our growth.

Well, this week, I am definitely starting my week off right. First, over the weekend, I had the opportunity to speak with Alan Shimel and Mitchell Ashley when I was interviewed for the Still Secure After All These Years podcast (SSAATY - say that fast three times). It was an opportunity for me to share a bit about my company and approach - and then we got to explore the catalyst community. I really enjoyed talking with them, and actually found the entire experience to be rewarding. So thanks, my new friends!

You can find the interview here: StillSecure, After all these years, Podcast #32 - Michael Santarcangelo, Security Catalyst
(note: that looks a lot like the picture that Martin McKeay took at the PME last year. If so, they definitely cut the best part of that picture out. I apologize for you having to look at my mug).

I have always enjoyed listening to their refreshingly direct approach. I hope you enjoy the opportunity to learn from them as you learn a bit more about our efforts to build a vibrant and supportive catalyst community. I think you’ll enjoy and learn from what they have to share and would do well to subscribe. Of course, I also think they were brilliant to hire Martin McKeay as an evangelist - so I’m looking forward to some exciting times from them.

Over the last few weeks, I’ve also had the chance to get to know more about Andy Willingham, who writes the Andy, IT Guy blog. Well, this morning, he validated my approach and generally brought a smile to my face citing my “confession” post from Friday night and linking to my post about how we need to change our attitudes and approach. But the part that inspired me? He puts his substance where his fingers are and shares some great insights on how to keep the improvement going.

Next time a user comes to you with something that you consider to be “stupid,” take time to listen to them, ask questions to help you understand them, and take a little extra time to teach them. If you have to take a few minutes alone to gather your composure before engaging them, do so.

He’s got more there to review - and learn from. If you’re not reading his blog yet, you should be. And Andy - thanks. I really appreciate your support. I’ve actually enjoyed some truly inspirational conversations these last few weeks. I feel like a kid on Christmas morning! We’re in for a great ride.

Posted in Information Protection | Comments

Cyberbullies - the new, old threat

Hurray to Rosalind Wiseman and Parade magazine for their article today on Cyberbullies. (See it in print or online here: http://www.parade.com/articles/editions/2007/edition_02-25-2007/Cyberbullying.) They understand the problem and they’re spreading the word. Security professionals need to do the same.

Cyberbullying has plagued us for years, but little has been done because most parents didn’t understand the technology and the ramifications. Also, cyberpredators and inappropriate content have taken center stage as the top concerns of parents. That is now changing. Articles in national magazines like Parade, along with Internet sites like Netbullies (http://www.netbullies.com/), i_Safe (http://www.isafe.org/), and WiredKids (http://www.wiredkids.org/wiredkids_org.html), help parents, kids and educators understand the problem. They also provide simple solutions that reduce the problem (bullying can never fully be eliminated).

The Internet provides a unique challenge for confronting and preventing bullying: anonymity. Unlike bullying in person, cyberbullying can be done from a distance under the safety umbrella of anonymity. Bullies are cowards and like to hide; the Internet only enables this behavior. Unless the bully makes a mistake and reveals his/her identity, there may not be much that can be done. Like the rule on the playground: ignoring the bully may make him or her stop.

To help you educate yourself and others, here are the tips from the Parade article:
- Use technology as an opportunity to reinforce your family values. If you buy a cell phone or computer for your child, attach rules for appropriate use and consequences if these rules are broken.
- Move the computer out of your child’s bedroom and into the family room.
- Teach your child not to share passwords.
- Install monitoring and filtering software. Find free downloads at k9webprotection.com and safefamilies.org.
- Save and print out any evidence if your child is cyberbullied. Decide together to whom you should go for additional assistance.

Join the discussion on the SecurityCatalyst Community: http://community.securitycatalyst.com/forums/index.php/topic,114.0.html

By working together, we all become stronger.

Posted in Information Protection | Comments

Good explanation of “why panels suck” - and what to do about it

Over at Blogarithms, Doug Kaye writes about “Why panels suck” when we attend conferences. It struck me as a fitting follow-up to the reader question from the other day and the subsequent discussion on the catalyst community forum (registration required, please use: Firstname.Lastname when making a new account).

A lot of us are plain unhappy with the quality of panels at the conferences we attend in security, and apparently in other fields, too. I think Doug nailed it when he pointed out:

The problems are threefold. First, conference producers tend to staff panels using speakers they don’t think are strong enough to justify solo sessions. Second, some producers use panel-slot invitations as payback/thanks for favors. Third, there just isn’t enough time. I’ve flown from one coast to the other, burning up the better part of three days, to be one of five speakers on a one-hour panel. How much value can I transfer in just 12 minutes?

When coaching someone who is going to be on a panel, my first question is ALWAYS: did you prepare? I am always amazed that people think being on a panel means “no prep required” (it’s worse, of course, when they are solo speakers and feel that way). Of course, if it’s your role AS the moderator, then you not only have to prepare yourself, but you are also responsible for actively preparing the panelists! I even think you need to be prepared to guide them or otherwise support their efforts in the event something bad happens (prepare for the worst, hope for the best).

I am shocked, no appalled, well, shocked and appalled at the number of people who present at conferences that don’t prepare. How can you present any message without preparing and rehearsing?? No one is that good. When speaking - the best thing you can do (besides having _something_ to say that others want to listen to) is to practice, practice, practice. Keynotes that I have delivered a dozen times get practiced and rehearsed as if it were the first time I am giving them.

Everyone prepares differently, so I’d suggest it ranges from 2:1 to 20:1 to be successfully prepared (so yes, a 60 minute presentation could take 20-30 hours to rehearse AFTER it’s been written). In Speaking about Security - we go into detail on how to prepare. If athletes practice their game, we need to practice our presentation. If you spend all your time practicing, refining your message, distilling the key elements… then when you actually get in front of the crowd, we will be wowed (or at least we won’t be bored or otherwise distracted). This is precisely why we were asked to create Speaking about Security - and I will unveil more to you in the coming weeks.

So - if you are the moderator of a panel, you’re the leader. It’s your responsibility to set the tempo long before the event. Talk to each panelist beforehand and run some ideas by them. Gauge their responses and tempo, and perhaps tailor questions that will bring out the best in them. Encourage everyone to prepare. Then practice - if only on a conference call. Have dinner together the night before and practice again. When you are presenting - have fun, smile and bring your value to the table. We’ll all thank you for your efforts and remember the impression you made.

Here are some additional excellent suggestions for how to moderate or participate on a panel:

Guy Kawasaki (who prepares as much or more than I do!): How to Kick Butt On a Panel

Mike Ma shares some ideas for Moderating a Panel (and some good ideas here that I hadn’t considered - I like creating a fake event to work through)

If you invest the time to make it happen, it will pay off in terms of value communicated and the way you connect with others. If you take this seriously and practice, then not only will your message be heard, but you’ll set an example for others to follow. If more of us did this, then our conferences would be _awesome_ to attend and we could work together to really advance the profession. Now that just brings a smile to my face.

Posted in Professional Speaking | Comments

Seth Godin explains why he’s not surprised - would I be if I came to your security team?

Seth Godin has a brief, insightful post about what we have come to expect from different organizations. His conclusion is that while in life most things don’t and shouldn’t surprise us, if we want to stand out, we have to be a surprise. Read “I’m not surprised” - but put it in the context of how your security team operates. And then read his conclusion:

“But if you want the word to spread, if you expect me to take action I’ve never taken before, it seems to me that you need to do something that hasn’t been done before. It might not feel safe, but if you do the safe thing, I guarantee you won’t surprise anyone. And if you don’t surprise anyone, the word isn’t going to spread.” - Seth Godin

For years I have felt that as a security professional, I had to overcome a generally held negative stigma about the way “we” act: we ignore others, we skip meetings, we tell people what they can’t do. Most security teams don’t carry a positive connotation with them… whether earned or not. When is the last time you heard someone say “oh good, the security team got invited”?

It’s time to change our approach. We have to learn how to communicate more effectively. We have to listen more. To build on what Seth Godin shares (hey, I happen to like bald New Yorkers) - we have to be remarkable. Whether you work as a consultant or are part of an internal organization, we have clients that we serve, and we have to “wow” them at every opportunity. Now I’m not suggesting this is easy, but it’s clearly needed and worth it.

You can get started today (or on Monday) by approaching the situations you take on with a different attitude. Do this enough and you will stand out… here are five suggestions to get you started:

Bring donuts to a meeting
I mean it. If you’re health conscious, bring bagels. Bring fruit. Food is a great peace offering, shows you thought enough about others to make a difference and is a nice gesture. But wait - when people have enough blood sugar, they think better, are generally less snippy and are able to focus better. Think about when your meetings are scheduled and cater to the needs of the people attending. So do you really have to bring donuts? You decide. It is important, though, to think about the others you are working with and work aggressively to meet their needs.

Answer the phone with a smile - don’t growl.
Seriously. When someone calls, do you sound annoyed and overworked? Maybe you are, but how do you feel when you call a company and the person on the other end makes you feel that you are an inconvenience? I don’t know about you, but I get defensive, irritated and generally enjoy the experience less. Is that what you expect from your colleagues? You have the power to make a difference - answer the phone with a smile in your voice and actually focus on the person on the other end. You’ll both walk away with a better experience.

Ask a user what their biggest security challenge is - and then explain it to them in a way they understand
A lot has been written lately about users. Want to get a different perspective? When you find yourself with some time for lunch, invite a non-technical colleague to join you. During the conversation, ask them about a challenge they have at home with security (or at work). Let them explain it - don’t jump in immediately with the solution. Ask some questions, pay attention and then offer to provide some insight, like this, “would it be useful if I shared some of my experiences with you when I dealt with that?” - see, that sets you up to share - and not tell in a condescending way. Then take some time to find a common ground and language, and work to explain a possible solution to your colleague in their words. This is decidedly a challenge, but if you make a habit of this - you’ll truly grow your abilities to explain how to protect information.

Follow-up with a helpful solution
We’ve all been part of meetings where a solution isn’t immediately clear to us. When that happens, have you ever actually thought about it a bit and then provided your insights to the group? In my experience, we in security always get knocked for stopping progress and not helping advance it. So flip it around. Many of us in security have broad access to the company and with it, broad experience. Bring a helpful solution back and be considered part of the success. Good things will follow (especially if you make this a habit).

Point out what is RIGHT with a solution, and then help improve it
In technology, most of us get hit about the head and body when a mistake is made - and therefore that becomes our common mechanism for dealing with others. Someone makes a mistake (perhaps even one that we made a long, long time ago) and we jump all over them. Have you ever taken the time in a meeting to point out what you LIKE about the solution? How was security considered, or how do the choices made really support the ability to protect information? By celebrating and acknowledging others, you are then able to contribute your skills, insights and knowledge to the solution. After all, isn’t that our job as security professionals?

Posted in Information Protection | Comments (3)

I have a confession to make…

I’ve been carrying this burden around for years…

See, I believe in our users. I believe in their brilliance. I believe they just want to get their job done. And throughout my career, I have also believed that by getting engaged, we can make a difference. I have never really engaged in “user bashing” and while I run in technical circles, have equally enjoyed user meetings, sales and even <gasp> business strategy meetings. I know, I know - how can that be?

Well, as I continued to improve my own practice of security (while still with Accenture/Andersen Consulting), I started to speak publicly. Turns out I had a knack for entertaining and speaking while explaining. That led to teaching (and I’ve met many of you through those awesome experiences). The more I spoke about security, the more I taught people about security, and more importantly how to be successful professionals, the more I enjoyed it. I soon realized that learning about life, distilling it into stories and then using those stories to relate to others and explain security concepts struck a chord deep in my soul.

So… while I kept (and continue to) learning the technology of security, I also studied human behavior, organizational development and the trade-craft of speaking and training. In fact, I got really deep into instructional design and then really focused (and continue to) on being an exceptional professional speaker. I read about as much as I can. I learn from nearly every situation - the more I learn, the more I want to learn.

So I confess - I love relating security to users. I really enjoy it. Hell, I THRIVE on it. My passion is engaging users to be inspired to make changes in their behaviors.

Confess, you ask? How is this a confession?
Well, you see, for the longest time, I feared that if I confessed that I really enjoyed teaching, was good at it, and kept trying to improve, I would be labeled as a “trainer.” And that would come with the connotation that I no longer understood technology or security - that I had somehow crossed over (and not in a John Edwards sort of freaky way). Clearly nothing could be further from the truth, but I’ve been around long enough to watch how people talk. I’ve even had people come up to me after a session and say something to the effect of, “wow, you really knew your stuff for a trainer/speaker.” Backhanded compliment, I guess. Sure, I’m not as deep with some aspects of the technology as some of the company I keep (which is, um, why I enjoy their company) - but I’m not too shabby and I play an important (and needed) function in our profession.

So why confess now?
I could have kept quiet. At the same time, I have a sense of purpose about me now that is calm and comfortable. And then after the RSA show, I started to read some recent posts in different places where a lot of security “professionals” were really hammering away on users (I could post some links, but I’d prefer you didn’t read them). Yikes! Not only is this bad form, it’s plain wrong and worse, a dangerous mindset. If we allow ourselves to think our users are stupid and incompetent and therefore have to design AROUND them, we’ve missed the point and sealed our own failure. First, that’s a plain bad attitude. Users are smart and just want to do their jobs. When we build and implement solutions that change the “system” in which our users operate, then fail to educate them appropriately, then call them stupid when they don’t comply… well, we look like a bunch of jackasses to them. I could go on - and perhaps I will in the future. But for now, know this: I don’t agree. At all.

I have hands-on proof those assertions are wrong. Over the last year, I really started to focus more on learning how systems work, how they fight to maintain status-quo and how we might be able to introduce new ideas and new concepts into systems in a way that is accepted - even built on. Guess what? It worked! We can always point to a few bad seeds, but it’ll be a long argument to show me that technology overcomes a bad seed. Seriously.

So, confession over, sense of purpose established, the entire company took some time off this year to stop and think. As a result, we narrowed the focus of our company to three core “experiences and solutions” that we offer:

- Speaking about Security
- Avoiding the Breach
- Security Awareness Transformation

It’s a bit of a risk to stop the ship and correct the course. But man, do I believe in our approach! I don’t intend this to be a sales pitch. I’ll actively provide insights gained from each of these offerings over the next few weeks. I have also decided that, for the most part, I would prefer to share my knowledge and what I have learned. I’ve long held that by sharing our knowledge, we grow stronger and those around us have more information with which to make informed choices. I’m actually in the middle of writing a book about the spate of breaches that has befallen us - and I am providing some insights and solutions - based on what I have learned and what I continue to research. That should be in print and available this summer. More details to come in March (and probably a request for some reviewers and input).

Meantime, I’ll start sharing some of the models, ideas and concepts that I am working on. I believe that by sharing what I am figuring out, a few things will happen: you will help me improve, you will improve your ability to practice information security, we all improve at how we communicate and some of you will want to work with me and the team of superstars around me. All I ask in return is that you stop, think and help me improve.

I continue to have a real passion for being a catalyst; for changing the way people think about and protect information. And I will no longer apologize for being able to connect, to relate and to help others do the same. I look forward to learning from and helping you!

Thanks for letting me confess. I feel better now.

Posted in Information Protection | Comments (4)

If you wanted to be inspired, and money were no object…

I don’t know about you, but lately I’m finding that the security conferences I actively sought out in 1997 (which is when I can remember an entire conference _dedicated_ to security) aren’t really teaching me anything new or inspiring me. Sure - I am meeting some great people and enjoying the interactions, but I want to see dynamic speakers and be blown away with ideas, stories, and events designed to inspire. I can’t think of one security conference that meets that bill (perhaps it’s just me). To be clear: I’m not trolling - if the conferences are meeting your needs, then great! I’m just suggesting that I am no longer interested, let alone inspired. I want something that I would spend MY money to attend.

By way of comparison, when I attend the National Speaker’s Association workshops and conferences, I am impressed. Then again, an organization of professional speakers had better impress, right? Well, it hasn’t let me down yet. Why can’t we have that in security? This isn’t a new concern of mine, and I already disclosed that I have plans to offer a smaller, more passionate event. I don’t have a date scheduled yet - so that probably means early 2008.

How perfect, then, that I got this question yesterday:

“If you were able to go to attend ANY forum/seminar/conference, etc. no matter what the field (other than TED since it’s sold out through 2008!) which would it be? Obviously it can’t be an Invite only affair unless I knew someone who’d be willing to invite me.”

So - what do you think? What inspires you? I *do* so much desire to attend TED, but outside of that - where are you spending dollars that are making a difference… and why? Turn us on to something different, the diamond in the rough.

For what it’s worth, here are two courses I am interested in taking in 2007:

- Drawing on the Right Side of the Brain
- Presenting Data and Information: Edward Tufte

Share your ideas here, or in the catalyst community here: http://community.securitycatalyst.com/forums/index.php/topic,127.0.html

Posted in Information Protection | Comments (1)

From Chicago - help a catalyst out (and even if you’re not)

Tim posted this in the catalyst community today:

“Can anyone tell me where I can attend more vendor independent speaking engagements? I have a few colleagues and customers who like to learn about security but they hate going to events and getting stuck with the vendor pitch instead of learning about information security. I’m located in the Chicago area.

Any guidance would be appreciated.”

I think this is a good point - I know I don’t listen to many webcasts or such these days, because I always feel like I’m getting pitched (and I’m not begrudging those doing the pitching). So where do we go to learn more?

I understand the stock answers - ISSA, Infragard, etc. And they can be useful. But I want to offer some real guidance. I want to make a difference here - since we’re talking about colleagues… customers… the very people we need to engage.

As a speaker, I have often been asked to speak at local events, and when I can, I do. I’m sharing that with you since if I’m out there speaking at “non-security” events, so are others. So - where do you find good explanations? Where are you inspired? Where would you bring your colleagues to learn more about security and get fired up? Tim, thanks for asking - catalysts, how do we help?

This is the chance for our community to stand up and shine. Comments are open, or you can join Tim and others in the catalyst community and respond directly there: http://community.securitycatalyst.com/forums/index.php/topic,123.msg550.html#msg550

PS: If I’m traveling in your neck of the woods and you’d like me to speak at your event, drop me a line and if I can, I will. We need more passionate professionals, and I’ll do what I can, one city at a time!

Posted in Information Protection | Comments