As I have traveled around the country, hosted some informal gatherings and met with friends and clients, I’ve been struck by how people, in general, look and act. Most of the people I have met in security seem “down”, rushed, angry and lacking hope.

So we start a year where we feel down trodden, upset, dejected and hopeless?

Open Culture (http://www.oculture.com/weblog/2007/03/famous_stanford.html) recently ran a story about the (in)famous Stanford Prison Experiment. After reading it, I remembered back to the first day of my new job after college. My first boss sat me down and told me, “Don’t F*** up, because if you do, the whole world will crush you. If you do a good job, no one will notice, and that’s okay.” In my experience, those words have sometimes been accurate. Since I “got my start,” I have always remembered that first conversation – mainly in the context of watching how many people in technology have been treated and how they chose to treat others.

Practicing Security Today is like the Famous Stanford Prison Experiment

The Stanford prison experiment was a psychological study of the human response to captivity, in particular to the real world circumstances of prison life and the effects of imposed social roles on behaviour. It was conducted in 1971 by a team of researchers led by Philip Zimbardo of Stanford University. Undergraduate volunteers played the roles of guards and prisoners living in a mock prison that was constructed in the basement of the Stanford psychology building.
– Wikipedia entry (http://en.wikipedia.org/wiki/Stanford_prison_experiment)

In the experiment, the behaviors of both the guards and the prisoners escalated quite quickly as each took on characteristics of their role — to the point where the experiment was ended early.

You can learn more here:

Wikipedia: http://en.wikipedia.org/wiki/Stanford_prison_experiment
The Official Website: http://www.prisonexp.org/
interesting overview: http://www.holah.karoo.net/zimbardostudy.htm

Some of you are probably reading this, recalling the experiment from your college days and wondering… do I think that we are the prisoners or the guards? Short answer is: “yes.”

Reading about and remembering my cursory study of the Stanford prison experiment also made me realize that as “protecting information” has grown in importance, many people in the field of security have been given an opportunity they have never held – a chance to influence and sometimes to enforce. After years of receiving abuse, they find themselves in positions of power – and sometimes without guidance. So we take a reactive and negative approach to those around us. Perhaps some of our colleagues “assume the position” too much and get a bit carried away?

In some cases, we have folks that act like the guards; some act like prisoners and some, I believe, *were* prisoners that now have the role of guard – and they have a lot of memories guiding their actions.

Now, let me be clear – with all the plight in the world today, I’m not suggesting that we, collectively, take our practice of security to the extremes of the prison experiment. In fact, I’m not suggesting a direct comparison. I just happened to review an article on the topic a few weeks back and it has stuck with me that our practice of security might be allowing people to embellish their roles.

Regardless, this is a situation we cannot accept. Period.

We cannot accept this approach: reboot the industry

What happens when your computer doesn’t respond as you would like? Many of us check for run away processes and consult the logs. If you’ve ever worked with windows or supported windows users, a more common answer is: reboot the system.

In security today, I suspect we could “check the logs” and look for runaway processes, but I feel like we need a reboot. We have to flush from memory the bad blood and old experiences and get started with a clean(er) slate. We need a fresh start (or a least a fresh approach).

I believe that the better way to practice the protection of information protection is through a positive approach that stresses inclusion and builds partnerships. In the last year, I have watched people in our industry alienate the very people that have helped them. I have coached organizations away from taking a punitive approach to security. I have confessed that I love to learn, love to teach and truly enjoy working to simplify security and relate our concepts to people in a language they understand.

In Speaking About Security, we explore the power of the narrative. We learn through story (you can really see this in children). On a recent flight home, I was treated to “Night at the Museum” (http://www.imdb.com/title/tt0477347/). While it might not have been a movie I would have normally selected, I was amazed by the story. Without revealing details, the success came after abandoning a process of restriction and following a path of inclusion.

I’m not suggesting that Hollywood holds the answers, but we cannot ignore the fact that the “story” of this movie and the movie itself were both successful. They are natural to the human experience and something we need to strive for in our practice of security (and the protection of information).

After reboot: It’s time to get grounded and follow a new vision for security

I believe in a new vision. I see a way to practice security that minds the past while focusing on the basics. The future for us focuses on protecting information – and everyone has a role. Protecting information is dialogue; it cannot be simply a directive. The current strategy of relying solely on technology is not working, and it’s time to follow a better way. I believe that means we have to follow an inclusive strategy.

We have to foster a sense of trust among each other and our users. We have to reintroduce the concept of accountability and foster a culture that embraces and expects personal responsibility.

I tend to be the sort of person who prefers action to words. This approach influenced me to share more of my ideas through the blog and podcast this year and led me to create the inclusive and supportive Security Catalyst Community (http://community.securitycatalyst.com/forums/index.php). As that community continues to grow and thrive, I have met many other passionate professionals that have challenged and supported my growth – reinforcing to me that collaborating with others can be truly powerful.

I have decided to spend some time focusing on three key areas:

1. Architecting a shared new vision for approaching how we can protect information (security). It’s not *my* vision – it’s *our* vision and I invite you to join in the conversation and practice a new way.

2. Help security professionals find their voice. As a parent, I have watched my children struggle with communication and sometimes resort to hitting, tantrums or what we generally call “melt-downs.” I believe that our success in security is tied to our ability to successfully communicate in speaking, writing and presentations.

3. Providing organizations and security professionals the support needed to be successful at our jobs.

I have decided that for our profession to effectively protect information, I want to help each of you become more successful in what you do.

Supporting Your Growth and Development

Through a lot of conversations with clients, friends and even ISSA and Infragard chapters, it was revealed to me that I was already offering some of what people were looking for. As a result, I have improved some programs we already developed and accelerated the development of some new ones.

To help people get grounded, focused and be able to “do more with less” without burning out, we have updated “Are you making a living or making a life?” – which is now available in a keynote, workshop and private workshop session. It’s an approach that shares how we can break the cycle, lead more “integrated lives” – as opposed to seeking “balance” – and build more effective relationships with those around us. Rather than acting out the Prison Experiment, it allows us to pursue a strategy of inclusion, to work together to protect information.

In March, we launched “Speaking About Security” to improve the ability of security professionals to communicate more effectively, inspiring their colleagues to take action.

Mike Rothman and I just announced the formation of the Security Education Network (SEN), which includes the Security Salons I have been forming, as a method to provide the information, insights and support needed to bring your performance to a new level. I’ll be writing more about that in the coming days.

This summer I launch my book, “Into the Breach: Why Corporations Fail to Protect Sensitive Information – and What Can be Done About It” — where we explore breaches and propose an approach to protecting information that allows business leaders to shift their culture away from the “security diet” to a “mindset of protecting information.” I look forward to sharing this with you.

We’re currently working on some different ways to get some needed information, resources and training to you. As soon as some plans firm up, I’ll make some announcements.

I am excited about this journey. I am passionate about my focus and my ability to help guide you and your organization. I firmly believe we need to learn from the past and work toward a better way. I offer up my approach of positive reinforcement, inclusion and education. I look forward to blending my passion, insights and approach with yours and with those of others. It’s time for a change, and I’m excited!

We plant plants…

We show you how to improve your gardening skills…

You grow gardens.

PS: I think I have finally fixed the formatting issues. – Santa 11:19a

He’s covered mind mapping a bit, and recently covered the beta of MindMeister – an online, collaborative mind mapping tool. He then ran a brief experiment to test it by asking some of us to contribute our answers to “what is the future of blogging.” You can see our final result here: Some Ideas about the Future of Blogging. It got me thinking… we should do the _same_ thing for security. As we focus on “security 2.0″ – or what I’m temporarily calling the “Catalyst Approach to Security.”

No Battle over Security 2.0

I want to make a quick comment on “Security 2.0.” Alex suggested a battle was brewing over the concept:

Third, Interesting “Security 2.0″ battles. By Security 2.0, I mean online InfoSec communities. There’s the Trusted Security Catalyst folks, and now there’s ISM-Community.org. They both seem to be in their infancy. There’s more action at TSC, but ISM seems to have more structure and purpose.

Personally, I’m all for the online community thing, even if I do hate the term “Security 2.0″. Vendor accountability, research accountability, open standards and efforts – they’re all good things. Let me encourage you to research these aveneues and use them to your advantage, in both giving and taking.

To be clear, there is no battle here. I have been looking for a replacement name now for a while, and the next best choice has yet to surface. That said, I like what I know about Mark’s approach and look forward to learning more. My approach to security is one of inclusion. I’m going to keep developing the approach to provide some guidance for how we can advance our practice of the art of information protection. I welcome anyone to join. Similarly, I look forward to the opportunity to learn about and support other efforts, too. I got the impression Alex and others want the same thing – and I’m convinced that by blending our efforts, we all advance.

To that end, I have asked the members of the trusted catalyst community to joining me in building out a collaborative mind map on: The Advancement of Security: Catalyst Approach

You are invited!

Based on what I learned from Grigor’s approach, I invite you to join us. I don’t know how many people helping is “too many” – so we’ll have to play this entirely by ear. I only have 18 invitations left, so if you want to participate, we’ll work a chain of invitations so you will have the opportunity. Interested? Send me an email with the email address you want to be invited with (and then check your spam filter – the mindmeister messages get trapped for some reason) to SecurityCatalyst@gmail.com. I’ll post some suggested rules for working on the map today or tomorrow.

I figure we’ll try this for a week, maybe a few days longer. If it works, we’ll export it and incorporate it into securitypedia (the community, publicly accessible wiki we are launching soon) for any authenticated member of the SCC to help modify. Ideas, comments and constructive criticism is always welcomed.

Since reading that, I can barely use software that doesn’t have other people in it. I want profiles and faces and connections. I want to see what others are doing with the software. I want to connect and be connected.

I believe we need to take a similar approach with respect to how we protect information (practice security). When we call it “security”, it feels sterile, cold and heavily focused on technology. As a result, I think we have ironically made it easier for others to simply declare security “not their problem” and move along. They wait for someone else to help – without the need of having to take personal responsibility.

So I ponder – what if we leveraged the power of social media, media 2.0, web 2.0, or whatever you like to call it – and focus on the success. Rather than focusing on the specific technologies (RoR, ajax, etc.), what if we focused on design, ease-of-use and the ability to connect our concepts to people in a way they understand. What if we did this in a way that makes the protection of information personal again? I bet we start to see less breaches, people happier and we make a difference.

This is why the initial framework I proposed was called “security 2.0″ – but it’s getting a new name and I’m about to announce a project to involve others in defining what the future of our practice of security looks like. I’m really excited about the future of what we do – and am working on some plans to help make this easier for us to be successful!

So what does that mean to you?

How are you engaging the speakers and presenters you listen to? Do you ask questions? Are you afraid to?

As a speaker, I love being engaged (and even challenged) by the audience. I want you to be passionate, take a position and get involved. Yet there are times when I offer to answer questions during a close and there are those awkward silent moments.

Mark Goulston over at the Never Eat Alone blog (great book, good blog) wrote a short piece with some suggestions called: Connecting With Speakers. As a speaker, I have to tell you that I have yet to have someone use this approach with me – but I entirely welcome it. Think about this the next time you are about to attend an event – connect ahead of time, prepare some questions (not acting as a plant, mind you) and then enjoy the richness of the entire experience.

What are some other techniques you use to get more out of the presentations you attend? Do you engage the speakers – why or why not?

Technorati Tags: security, speaking about security

Read/Write Web: Google Apps Premier Edition Launches – One Small Step Towards Google Office

eWeeks’ Google Apps Premier Edition Takes Aim at the Enterprise
What I found interesting, though, is a general lack of discussion around the “security” of the application. If you’ve been reading this blog for a while, you may have picked up on how I’m focusing less on the word “security” and more on the concept of “protection of information.” I would posit the same holds true here. My colleagues in the security profession hopefully realize that the difference is largely semantics, but the concept of how to communicate what we do is much clearer when explained as “helping to protect sensitive information.”

So back to Google. Well, the focus is Google (today), but they aren’t the first or only company to offer well-designed solutions that users will gravitate toward. So back to discussing how web-centralized applications are working to protect our information…

I enjoyed reading Marshall Kirkpatrick’s piece in Tech Crunch, It’s G-Day: Google Launches Apps Premier. In fact, this is the first piece that I read (so perhaps not the first piece in general) that mentioned the security aspect. What I also liked is that it revealed to me (again, not sure if he was the first) that GE and P&G were signing up to be Google Apps customers. Now, often times in an announcement like that, it’s not the *whole* company, but some part of it. Either way, my reaction is “Are you kidding me?”

I don’t mean that as a shot against google, GE or P&G. But by suggesting a company of this size is going to put potentially sensitive documents on a shared drive (or in a shared, web-based location) that they do not control and cannot control, it just seems odd. By odd, I mean: how is this good for the protection of information? Oh, and if you think a *policy* about what can and cannot be stored there will stop someone – think again. See, I *do* believe in the power of the user, but a user just wants to get their job done. As such, if Google Apps (or *ANY* online application) makes their job easier, my experience suggests they will use it.

Now, when GE or P&G decided to go this route, I really hope that their security teams got involved in the evaluation. My instinct suggests otherwise, and that makes me shudder. If you know otherwise – drop me a line (securitycatalyst@gmail.com).

One major concern that hangs over the head of tonight’s news is the ongoing question of Google security. TechCrunch asked for months whether business users would or should trust Google Apps with sensitive business information given the regular lapses of security experienced by the company’s hosted services. See a timeline and discussion of those lapses in this post.

To break it down easy – there is no guidance for companies trying to decide if using Google Apps Premier (or any other service like it) makes sense when they are also obligated to protect information. I run a company. And we launched a community. In both cases, looking at online solutions (especially since both the company and the community have virtual/location considerations) is appealing. In both cases, we have opted to only use them in limited circumstances. We’re small enough that controlling the information outside our walls is a bit easier. So how does the average company decide if using Google Apps, Microsoft Live or Amazon’s S3 storage is a good idea — when it comes to protecting information (if they even consider that)? I have no clue – since we have no commonly accepted framework.

Let me be clear: I’m not suggesting that Google (and others) is not taking this seriously and providing security. Look beyond Google – especially with some of the new and exciting Web 2.0 start-ups. Is designing a system that is “secure” on the forefront of their mind? I don’t think is it for most…. yet. The implication then? Well, we saw with identity theft that while I could steal only your identity, it’s more lucrative for me to break into a system and steal MANY at the same time. So I believe it’s reasonable to consider then that as more of these services go online and more sensitive information is stored on them, the focus of attackers will shift. So while you “trust” Google, Microsoft or Amazon – that’s not good enough for me (or anyone, really).

Interestingly enough, I’m not the only one thinking like this, when Larry Dignan asks, “Will you trust Google with your data?”

When I talk about Security 2.0 (and I still need suggestions for a better name), this is precisely the second component: security professionals need to get engaged in the process of developing and protecting these solutions. But it goes deeper… we need to work as a community to develop a framework and a method to be able to assess these solutions and decide if they are acceptable for us or not. Think about it – no provider can effectively go through a myriad of audits *each* day just to prove they meet the requirements of specific company. Same time, I don’t accept the Trust-E seal or “hacker safe” logos. I’m not knocking them – they serve a purpose; but for a corporation to decide to leverage a service to store data… we need something more.

Aside: I know the name Security 2.0 needs to change. This isn’t about numbers and versions. It was named to build on the success of Web 2.0; the approach still leverages the power of social media to affect a new way of practicing the protection of information. It is about bringing power and ease of use/design to the user. It’s about building a new approach and developing new skills. In the end, this my humble offering for how to move from being on a security diet to having a security mindset. I’m open for suggestions for a new name; until then, we’ll call it the “Catalyst Security Approach.” Clearly, I need some branding help here:)

Now, I don’t like to pose a question without a solution. I believe that what we need in order to assess companies is what I am calling a “security wellness index.” My background is in economics – and this is an approach that blends security with economics, engineering, social sciences and the like. I have a brief 2-3 page overview and have started some discussions to have this research project funded. It’s probably a 2008 effort – but if you are interested, shoot me a note and we’ll talk. I’ll save more details for another post.

But we have solutions if we are willing to apply the time, brain power and energy to making them work. This is not a new problem to solve. We need to change our way of thinking and make sure that, as a community, we all engage and work to implement common solutions. I know, easier said than done – but if we don’t have the conversations and make it happen…

Oh – and since these new web-solutions work, our users will absolutely move to them whether we want them to or not. So ignoring or banning the use of these solutions is not a solution. We have to be proactive and get engaged if we hope to make a difference. If we don’t, we’re doomed for bolt-on security (at best) for another generation – and to me, that means we failed. Besides, how many of you have “banned” gmail at work? Did you see this great posting explaining how to defeat your attempts to ban it: 5 tips for accessing your blocked Gmail (lifehacker)? If something works better than what you designed, they will move to it. The protection of information, therefore, needs to be integrated from the beginning.

The protection of information is a cultural shift.

So we have an opportunity here. Google is a big company that seems to have an interest in Security. They seem to have attracted other large organizations (again with large, I hope, security teams). This is the perfect recipe for working to establish transparent frameworks to embed security into this Web 2.0 (and beyond) applications in a way that we can more readily assess their ability to protect our information and satisfy our corporate policies and goals.

If we ignore this, we do so at our own peril. If we use this as the catalyst to have the needed discussions about how to make this work, we advance on many levels. I’m willing to help, I want to be part of the solution. What about you?

“But if you want the word to spread, if you expect me to take action I’ve never taken before, it seems to me that you need to do something that hasn’t been done before. It might not feel safe, but if you do the safe thing, I guarantee you won’t surprise anyone. And if you don’t surprise anyone, the word isn’t going to spread.” – Seth Godin

For years I have felt that as a security professional, I had to overcome a generally held negative stigma about the way “we” act: we ignore others, we skip meetings, we tell people what they can’t do. Most security teams don’t have carry a positive connotation with them… whether earned or not. When is the last time you heard someone say “oh good, the security team got invited.”

It’s time to change our approach. We have to learn how to communicate more effectively. We have to listen more. To build on what Seth Godin shares (hey, I happen to like bald New Yorkers) – we have to be remarkable. Whether you work as a consultant or are part of an internal organization, we have clients that we serve, and we have to “wow” them at every opportunity. Now I’m not suggesting this is easy, but it’s clearly needed and worth it.

You can get started today (or on Monday) by approaching the situations you take on with a different attitude. Do this enough and you will stand out… here are five suggestions to get you started:

Bring donuts to a meeting
I mean it. If you’re health conscious, bring bagels. Bring fruit. Food is a great peace offering, shows you thought enough about others to make a difference and is a nice gesture. But wait – when people have enough blood sugar, they think better, are generally less snippy and are able to focus better. Think about when your meetings are scheduled and cater to the needs of the people attending. So do you really have to bring donuts? You decide. It is important, though, to think about the others you are working with and work aggressively to meet their needs.
Answer the phone with a smile – don’t growl.
Seriously. When someone calls, do you sound annoyed and overworked? Maybe you are, but how do you feel when you call a company and the person on the other ends makes you feel that you are an inconvenience? I don’t know about you, but I get defensive, irritated and generally enjoy the experience less. Is that what you expect from your colleagues? You have the power to make a difference – answer the phone with a smile in your voice and actually focus on the person on the other end. You’ll both walk away with a better experience.

Ask a user what their biggest security challenge is – and then explain it to them in a way they understand
A lot has been written lately about users. Want to get a different perspective? When you find yourself with some time for lunch, invite a non-technical colleague to join you. During the conversation, ask them about a challenge they have at home with security (or at work). Let them explain it – don’t jump in immediately with the solution. Ask some questions, pay attention and then offer to provide some insight, like this, “would it be useful if I shared some of my experiences with you when I dealt with that?” – see, that sets you up to share – and not tell in a condescending way. Then take some time to find a common ground and language, and work to explain a possible solution to your colleague in their words. This is decidedly a challenge, but if you make a habit of this – you’ll truly grow your abilities to explain how to protect information.

Follow-up with a helpful solution
We’ve all been part of meetings where a solution isn’t immediately clear to us. When that happens, have you ever actually though about it a bit and then provided your insights to the group? In my experience, we in security always get knocked for stopping progress and not helping advance it. So flip it around. Many of us in security have broad access to the company and with it, broad experience. Bring a helpful solution back and be considered part of the success. Good things will follow (especially if you make this a habit).

Point out what is RIGHT with a solution, and then help improve it
In technology, most of us get hit about the head and body when a mistake is made – and therefore it becomes a common mechanism to how we deal with others. Someone makes a mistake (perhaps even one that we made a long, long time ago) and we jump all over them. Have you ever taken the time in a meeting to point out what you LIKE about the solution? How was security considered, or how the choices made really support the ability to protect information? By celebrating and acknowledging others, you are then able to contribute your skills, insights and knowledge to the solution. After all, isn’t that our job as a security professional?

See, I believe in our users. I believe in their brilliance. I believe they just want to get their job done. And throughout my career, I have also believed that by getting engaged, we can make a difference. I have never really engaged in “user bashing” and while I run in technical circles, have equally enjoyed user meetings, sales and even <gasp> business strategy meetings. I know, I know – how can that be?

Well, as I continued to improve my own practice of security (while still with Accenture/Andersen Consulting), I started to speak publicly. Turns out I had a knack for entertaining and speaking while explaining. That lead to to teaching (and I’ve met many of you through those awesome experiences). The more I spoke about security, the more I taught people about security — and more importantly how to be successful professionals — the more I enjoyed it. I soon realized that learning about life, distilling it into stories and then using those stories to relate to others and explain security concepts struck a passion chord in my deep into my soul.

So… while I kept (and continue to) learning the technology of security, I also studied human behavior, organizational development and the trade-craft of speaking and training. In fact, I got really deep into instructional design and then really focused (and continue to) on being an exceptional professional speaker. I read about as much as I can. I learn from nearly every situation – the more I learn, the more I want to learn.

So I confess – I love relating security to users. I really enjoy it. Hell, I THRIVE on it. My passion is engaging users to be inspired to make changes in their behaviors.

Confess, you ask? How is this a confession?
Well, you see, for the longest time, I feared that if I confessed that I really enjoyed teaching, was good at it, and kept trying to improve that I would be labeled as a “trainer.” And that would come with the connotation that I no longer understood technology or security – that I had somehow crossed over (and not in a John Edwards sort of freaky way). Clearly nothing could be further from the truth, but I’ve been around long enough to watch how people talk. I’ve even had people come up to me after a session and saw something to the effect of, “wow, you really knew your stuff for a trainer/speaker.” Backhanded compliment, I guess. Sure, I’m not as deep with some aspects of the technology as some of the company I keep (which is, um, why I enjoy their company) – but I’m not too shabby and I play an important (and needed) function in our profession.

So why confess now?
I could have kept quiet. Same time, I have a sense of purpose about me now that is calm and comfortable. And then after the RSA show, I started to read some of the posts recently in different places where a lot of security “professionals” were really hammering away on users (I could post some links, but I’d prefer you didn’t read them). Yikes! Not only is this bad form, it’s plain wrong and worse, a dangerous mindset. If we allow ourselves to think our users are stupid and incompetent and therefore have to design AROUND them, we’ve missed the point and sealed our own failure. First, that’s a plain bad attitude. Users are smart and just want to do their jobs. When we build and implement solutions that change the “system” in which our users operate, then fail to educate them appropriately, then call them stupid when they don’t comply… well, we look like a bunch of jackasses to them. I could go on – and perhaps I will in the future. But for now, know this: I don’t agree. At all.

I have hands-on proof those assertions are wrong. Over the last year, I really started to focus more on learning how systems work, how they fight to maintain status-quo and how we might be able to introduce new ideas and new concepts into systems in a way that is accepted – even built on. Guess what? It worked! We can always point to a few bad seeds, but it’ll be a long argument to show me that technology overcomes a bad seed. Seriously.

So, confession over, sense of purpose established, the entire company took some time off this year to stop and think. As a result, we narrowed the focus of our company to three core “experiences and solutions” that we offer:

- Speaking about Security
- Avoiding the Breach
- Security Awareness Transformation

It’s a bit of the risk to stop the ship and correct the course. But man, do I believe in our approach! I don’t intend this to be a sales pitch. I’ll actively provide insights gained from each of these offerings over the next few weeks. I have also decided that, for the most part, I would prefer to share my knowledge and what I have learned. I’ve long-held that by sharing our knowledge, we grow stronger and those around us have more information with which to make informed choices. I’m actually in the middle of writing a book about the spate of breaches that has befallen us – and I am providing some insights and solutions – based on what I have learned and what I continue to research. That should be in print and available this summer. More details to come in March (and probably a request for some reviewers and input).

Meantime, I’ll start sharing some of the models, ideas and concepts that I am working on. I believe that by sharing what I am figuring out, a few things will happen: you will help me improve, you will improve your ability to practice information security, we all improve at how we communicate and some of you will want to work with me and the team of superstars around me. All I ask in return is that you stop, think and help me improve.

I continue to have a real passion for being a catalyst; for changing the way people think about and protect information. And I will no longer apologize for being able to connect, to relate and to help others do the same. I look forward to learning from and helping you!

Thanks for letting me confess. I feel better now.

Technorati Tags: security

And it was Kathy Sierra that gave me that awesome quote about education and marketing. Of course (hat tip to Arthur for jogging my memory). Apologies for not remembering sooner! If you’re not reading her blog, you are entirely missing out.

I’m thrilled to see that I’m not alone in this belief. Check out arthur’s post. The change is coming… are you going to be part of it?

As I have already shared with you, we (the entire company) took time this year to stop and think. When is the last time you did that? We actually took the time to stop. To think. To plan. As a result, we are more focused than we have ever been. We understand that our value is working with companies committed to changing the way their organization thinks about and protects information. We are building on our experience across disciplines to create unique and compelling solutions that really make a difference and help to shift the culture of an organization to protecting information more effectively. I’m delving deep into design, communication, management, marketing, sales, and still keeping up with security. It’s been a blast. And you’ll see this through the blog, the podcast and some video I’m thinking of recording and releasing. I *LOVE* my job, this industry and the promise of the future for us all.

Of course, this is the time when the rubber meets the road for The Michaelangelo Group (my company). Since we now are clear about the value we provide as an organization (and have a track record of success to prove it), we have to create marketing materials to clearly explain that to others. We started working on some elements last week, and started to circulate some pieces yesterday. We’re already updating them (seems it’s easier, sometimes, to help someone else). We keep working to practice what we preach and put effective pieces together. This has led to some awesome conversations and exchanges with friends, clients and other professionals. This morning, Cutaway sent me some links, including: http://www.smallbusinessbranding.com/655/branding-tips-small-business/

I started reading this as a business owner, working to produce some marketing. About half-way through, I realized that this posting is required reading for security professionals! Seriously. As I work to explain how I can make you more successful, to both you and your boss (afterall, wouldn’t it be nice of me to make that part of your job easier, too?) — I am following the same process and steps that each one of us should be following when it comes to MARKETING security internally!

I’ve actually had the privilege to coach some clients through website and portal development in the last year – this would have been an excellent post to share. If you’re serious about connecting with users, then this an approach you should read, consider, discuss and try out. You don’t have to be perfect – make the attempt.

In the meantime, I’ll be sharing more information about marketing, branding, communication and other ways of thinking that we really need to be focusing on in order to be more effective. For now, go take a look at: http://www.smallbusinessbranding.com/655/branding-tips-small-business/ and figure out how these can help you. I just read it again. You can look for a way in each step to do that internally. If you need help, send me an email: securitycatalyst@gmail.com. I’m here for you – the time is now for us to make a change. Can you feel it?

P.S.: In the coming days, I’ll post up some information about our three areas of focus – I’m interested in speaking with companies that are serious about preventing a breach, improving their practice of security and understand that it will take the efforts of the entire organization and not just the security team. I’m going to offer some incentives to those that help me get these programs established and can serve as testimonials and such. In return – we can chat on the phone about security and how we can make a difference together!

Technorati Tags: catalyst, security, Security2.0

I just announced a new training program called “Speaking about Security” – and of course, I hope everyone wants to schedule me to work with your team. Eventually, we’ll even offer this as public training. That said, I am not the type to keep information and knowledge to myself.

I’ll start posting information for you to consider…

Let’s start with a marketing essential: Scientific Advertising by Claude Hopkins is a solid read (many would argue it’s a MUST read). The best part? It’s available on the Internet, for free: http://scientificadvertising.blogspot.com/

If you print this out, it’s about 40 pages long. Entirely worth the read. This will bring you closer to building the mindset to be a successful security 2.0 professional.

Discuss your impressions in the Catalyst Community: http://community.securitycatalyst.com/forums/index.php/topic,112.0.html

In his recent ComputerWorld article (http://www.computerworld.com/blogs/node/4425?source=NLT_SIC&nlid=92), Michael Farnum spells out the need for IT folks to be “people” people. Being an asshole no longer works. (See Bob Sutton’s blog.) Marcus Ranum and Bruce Schneier have been saying it for years that security is about the people and process not the technology.

They talk about the problem, but have no concrete solutions. The only way to fix this is that we—the people who design, write, implement, and manage security—have to learn how to deal with people. We need to get out of our introvert shells and learn about people.

We are rectifying this situation as part of the next generation of security. At the RSA 2007 US Conference, I am leading a session titled “Becoming “People” People – The Kinder, Gentler Security Professional.” This technical presentation will show the importance for understanding people: how they think; why they act the way they do and what motivates them. Attendees will learn fundamentals in areas such as psychology, sales & marketing, communications, and leadership to help them be “people” people. They will also receive a resources, tips, and tricks to take home to practice being “people” people. These ideas will force infosec professionals to think about this problem and see what they can do to solve it.

For those not attending the RSA Conference, I will provide a complete article describing this after the conference. Until then, here’s a little tidbit: Maxwell’s 30-second rule. Within 30 seconds of seeing someone, say something nice about him/her. This gives him or her attention, affirmation, and appreciation. This simple encouragement will help you become a “people” person.

By helping each other, we all become stronger.

For this episode, I had the chance to interview four of the team members (by Skype) to discuss their involvement, how the system works, the implications and what the next steps are.

Coming up, we’ll visit with the Punch Scan team again to dig a bit deeper and more technically into the solution. I’m also working to contact someone at Black Box Voting to speak with them about lessons learned and how our industry can get engaged to help.

Comments, ideas are welcomed!

To kick it off, I figured we could start by looking at the security around electronic voting. Yea, I know, the elections are over. To me, that makes for perfect timing. Less stress right now, and a good time for our profession to think about how we can help to improve the process.

Here are some links as mentioned in the podcast:

Google Video

Hacking Democracy (http://www.hbo.com/docs/programs/hackingdemocracy/?ntrack_para1=leftnav_category7_show1)
HRM! It seems to have been removed from Google Video. Well, it’s still being aired on HBO – so hopefully you will get a chance to see a copy. It’s worth the watch!
Site to See

Securosis (http://www.securosis.com/)
Rich Mogul’s Bio (http://securosis.com/about/)

Voting Stories and Links

E-voting 2006: A touch screen, a missing vote, a mystery in Arkansas (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005063&source=rss_topic84)

Questions we can help answer? Stories you want me to explore? Cheers or Jeers? send me an email: securitycatalyst@gmail.com.

Horseless Carriages and Whale Interpreters
Good progress.  I thought you were going a different direction with the analogy of a horseless carriage.  It does represent the relative unimportance of a name in the grand scheme of things.  I do refer to my vehicle as a buggy, however…  I think it also serves as a good analogy for the shift in fundamental thinking around security.  The old way is comparable to the horse-drawn carriage – of security bearing the burden and dragging a resistant load across the finish line into a state of compliance.

The new, desired model is that of a horseless carriage, where the will and the means are one and the same.  The model speaks to awareness, stewardship, integration, design for compliance, secure lifecycle, secure standards and solutions, and of a distinction between operational security (everyone doing everything securely) versus security Center of Excellence (Security as a function for compliance monitoring and subject matter expertise/leadership).

We all know as security professionals that our job as that horse is to put ourselves out of business and yet in all likelihood we will never succeed at doing so.  We can, however, succeed in transferring more of that responsibility to our various stakeholders.  In my mind, the era of firewalls being a “security product” is over – there is only secure network design and administration.  The era of antispam, antivirus, and content filtering as security initiatives is over – the era of secure messaging has arrived.  Same thing for application security and the need for software development to bring the people, process, and technology to bear that prevents vulnerabilities at the source, rather than as the result of costly security assessment and remediation process.

One of the lessons I’ve learned is that if you attempt to consolidate everything “security” into a single empire, you will simply fail.  You CANNOT absolve people of their responsibility to do things securely.  We see this now with the push for application security and the dollars spent on finding vulnerabilities through costly assessments that, in some cases, result in more revenue for developers to remediate the findings.  You CAN arm the right people with the right information at the right time integrated into the right process with the right controls and expert consulting services.  Lead.  Engage.  Align.  Perform.  If Cisco doesn’t have an exclusive right to the use of the word LEAP in the context of security, I think it captures the energy, direction, and significance of this as a global movement.

If there is a letter to add, it’s V for value.  For too long we have been advocating security for security sake.  At the end of the day we work for a business and we are here to enable the business to make money, securely.  We need to make our security investment wisely.  We need to continue to bring the tools to the table (such as Return on Security Investment or ROSI and threat modeling) that demonstrate that value.  We need the metrics that support that we aren’t simply pissing away shareholder value to chase ghosts.  On the flip-side, we also need to start burying the cost of security into everything we do, rather than rolling it up to a centralized security budget.  If it is a separate and discreet security person or technology, or too immature to embed within operational security – roll it up. If it is a requirement and an integrated part of a business process – leave it be.

In closing, we need to develop stronger business acumen so that we can tell our story in business terms.  The business still looks upon many security professionals as whale interpreters – on what basis can anyone not in the field refute our findings? (the whale just agreed with me, by the way).  The ability to put a ping flood, phishing scam, salami attack, buffer overflow, or tcp tsunami (see, I made that one up) into relevant terms and actions that a business person can digest is still a soft-skill and hard to come by.  We need career roadmaps for security professionals that develop these soft skills: communication, negotiation, and business acumen rather than the traditional focus on how to become the best damn whale interpreter in our field…
Editor: Thanks, Rich. Good insights and I really like the approach.

Ironically, I doubt that you refer to the vehicle you have in your driveway or garage as a “horseless carriage.” Instead, you probably call it a car, a truck, SUV or something else; some of you might even have named it (though, looking back, I never named any of my vehicles).

Does it matter if you call it an automobile and I call it a car, a truck, an SUV? Nope. What about vehicle, automobile or whatever marketing term you got? Not for a second. In fact, most of us couldn’t imagine life without some mode of this transportation. Hopefully, we will work together to introduce a new framework that will transform the way we practice information security (not IT Security) in the future.

The Genesis of Security 2.0
Nearly 18 months ago, I started learning about a fledgling movement called Web 2.0. At the same time, I spend a lot of time working with clients and implementing solutions that felt flat, and starting looking for another way.

My personal mantra in life is simple,”to change the way people think.” With that in mind, I set out to start building a framework that would allow me to consistently explain my research to clients to help change the way they practice security.

I decided to call it Security 2.0 because it was built on the concepts and lessons learned from studying Web 2.0. But now that I’ve been working on it and have started to share it, I have come to realize that what we’re working on is bigger than a 2.0 name.

The framework of Security 2.0 consists of three dimensions:

1. Leveraging the elements of Web 2.0 that are effective to change the way we practice security. Simply, it’s about DESIGNING security in a way where it’s easy to explain and it’s easy to understand and use. It goes FAR beyond technology and actually gets down to working with people and process to make a difference. Of course, once we have a solid understanding of the culture and the solution, then we mate the appropriate technology to meet the solution. Not the other way around.

2. Securing Web 2.0. Whether you like the term or not, and whether you think it’s fad or not doesn’t make it go away. If you consider yourself a true professional, then it’s your responsibility as much as mine to work to INTEGRATE (and bolt-on) security into the new applications that keep coming out.

Let’s debate Web 2.0 sometime in the future. I’m not suggesting that I love the name, but the new solutions are coming out, and our users are using them, without regard to security. If we blow securing Web 2.0, we regress as a profession. We have to lead the way in breaking this cycle.

More broadly, we need to really focus on securing ‘emerging technologies and solutions.’

3. Preparing professionals to be successful leveraging this framework. It’s about how we think, how we present, manage, lead, work with others and the list goes on. I spent my summer proving these concepts in Fortune 50 companies. They work, and now it’s time to expand.

The Value of Security 2.0 as a Framework
To me, the value of this effort is in the collaborative nature in which it is being developed and allowed to evolve. The efforts of everyone contributing to this will be shared in a way that provides them recognition. More importantly, the framework will be open for others and freely shared. Of course, a framework still needs to be reviewed, adapted and applied – so creating and designing an effective framework is the first of an important series of steps.

The Name I Once Liked
I have to admit that all the attention focused on names lately has me a bit frustrated. I wish people would focus more on progress and less on names. The horseless carriage changed the world, and over time, the name changed with it.

While the goal with the Security 2.0 framework is nothing short of helping to change the way people practice information security, I have come to realize the name that had a simple start needs to change in order to be taken seriously and impact our industry.

As a framework, Security 2.0 is not really something to sell – it’s something to implement, to use, to practice. The inherent problem with calling it Security 2.0 (beyond the name being ursurped for ill-advised marketing campaigns COUGH COUGH Symantec COUGH COUGH), is that it allows itself to be rapidly updated. What’s next? Security 2.5? Security 3.0? Security 4.11.23b?

This is a framework meant to aid the development of security solutions, holistic solutions, and to guide the way we practice and explain security to others. At the end of the day, if we stick with Security 2.0 as a name, we run the risk of diluting the value of the approach and of the effort. Clearly, that won’t do.

I also started test-marketing the concept with my clients. The name, by itself, did nothing for anyone. After an explanation over lunch, the concepts were clear and the approach welcomed, but the name still didn’t ring true. In fact, I was told bluntly, “I cannot convince my management that we need Security 2.0.”

The good news is that led, immediately, to a discussion of how to rename it.

The Value of Keywords
One of the steps that I have been exposed to in this process is to list out “key words” that capture the essence of what you are trying to do. Keywords should capture the essence, the drive, anything that really matters.

As a framework, here are some of the important elements as I see them:

• Design
• Practice
• Integration
• Framework

Based conversations with the Trusted Catalysts and valued clients and friends, here are some of the keywords that have been kicked around to try to spark some ideas for new names for the framework:

Horizon, Security (Period), Revolution, Next Generation, Phoenix, Genesis, Bravo, Next Level, Generation S, V2, Fundamental, Shift, Overhaul

Potential Titles
And here are some suggestions for how we can rename this into a framework:

• Integrated Security Practice Framework (ISPF)
• Security Advancement Framework for Everybody (SAFE)

How do you make a difference?
We need to stop talking about names and start focusing on substance.
A subgroup of the Trusted Catalysts has started to work on expanding the current framework. As soon as we get more of the details fleshed out (which we may do in our first conference in 2007), we will post it publicly. And that’s when the work begins. We’ll need to come together to review it, design it, improve it, test it and then start using it.

I was alerted to this link the other day, and I have to admit, it was nice to read. While I hate bringing attention to myself, I wanted to share this article with you: Is Symantec’s Vision for Security 2.0 the Real One?

I also liked the summary, since this nailed precisely what we are trying to do with this effort.

Santarcangelo’s concept of Security 2.0 for the community stems from the now popular Web 2.0 movement, which is largely aimed at ushering power back to the users and allowing them to have more meaningful interactions. Santarcangelo’s concept of Security 2.0 builds upon that — software above the level of a single device, software that is portable, security solutions that are non-static and can be seamlessly integrated and expanded in a way that improves the world around us.

And I would add: it’s focusing on the core design values that matter. It combines behavioral science with technology to build solutions; solutions that focus on people and process and guide the selection of technology as opposed to the current methods where technology takes the center stage. And since I have been testing my research, we are now gaining proof that this works, and works well.

So, expect more to come. And thanks to SDA Asia for the moral support; who knows, maybe instead of Santarcangelo versus Symantec, we’ll be able to work together to create a bold new future in which we all celebrate the new practice of security and truly make a difference (which is more important than making money).

PS: I am a capitalist. If you want to bring the benefit of my experience and research to your company, send me an email and we chat.

Technorati Tags: catalyst, puppy, security

Well, first, if anyone else is going, I’d enjoy the chance to meet you in person. More importantly, Tech Crunch is at the center of Web 2.0. Believe me,I know we have lots of (mostly useless) chatter going around right now about Security 2.0, 3.0, etc. It was inevitable that it would happen, and I was obviously the first of people to start proposing a framework under that concept… so I’m keenly interested and involved in the backlash and other whining going on.
Meantime, I’m convinced we need a new name to describe the Security 2.0 framework I we have been working on, but I’m working on another post to address my thinking on that.
Regardless of what it’s called and what folks call it, I am actually researching and growing more active in understanding the successful elements of the Web 2.0 movement. I’m not so terribly concerned with what the term means, per se, as to what people are developing because of it, and the implication for us as security professionals. No one seems to argue we need to change our methods and continue to evolve as professionals. Well, I think the experiences and lessons learned from Web 2.0 will feed the sucess of our efforts.
As a result, I read Tech Crunch (and others) daily and look forward to the event this evening. I’m certain I’ll come away with some new insights (and maybe even the notion to plan a Catalyst Meetup someday!).

More information can be found here: http://techcrunch8.eventbrite.com/

If you’ll be there, look me up. I’ll be the bald guy

As I continue to practice Security 2.0 through our Effective Assurance offering, I have the opportunity to engage corporations in this very discussion. In short, the time has come to stop thinking about security as a silo – which is as important for those of us in security as it is for the business. If we desire to be more effective and truly make a difference, then the time has come for us to go beyond and study marketing, sales, design, and other means of effective communication.

I enjoyed this conversation just today – and those in my course (experience) shared a conversation about the need to be able to relate security to more people by (1) understanding your audience and (2) being able to relate to others, sometimes through the use of scenarios/stories. Both of these are worthy of more in-depth postings, and I will endeavor to do such in the coming weeks. For now, I’ll outline some brief thoughts
Understand Your Audience
Many of us in the technology industry get so comfortable with the technology that we sometimes forget that other people don’t share our passion or knowledge. If you want to help break down the silos, then we need to communicate more effectively by knowing our audience. Does your audience prefer facts, figures and statistics? Do they want background, or only the punchline? And are you answering their questions, or satisfying your own needs?

To be highly effective, it is important to understand how to present your message in a way that your audience will more readily receive it.
The Power of the Story
I am a believer in the power of the story – especially when it comes to explaining security. Stories allow us the opportunity to relate to others key concepts in a manner than can be readily understood. Try it today – if you have to explain a concept, explain it by telling a short story. I find it’s best to be honest and maybe even reveal something about yourself in the process, since we all have the “human experience” in common.

I’ll keep expanding on these concepts – but the key for today is to start applying some of these concepts. Look at what you are doing from a different perspective, think about how you present differently and start practicing the art of explaining what we do through stories.

Still, here we go again.  The day before an important contract is to be signed (by my company), someone (wisely) decided it needed to have a quick “review by security.”  I shouldn’t complain, at least I was given a chance to see what we were getting into.  Normally, contracts are signed and I only find out about it when the software or service goes live.  Then it’s too late for any changes – and we often get stuck footing the bill for changes or cleaning up the mess.

For the record, I was asked to review a “standard” contract that came from the vendor providing a service to my company.  As expected, it was written by the vendor and strongly in their favor.  It’s amazing what others try to hide in a contract.  (We won’t talk about EULA’s here.)  I used this opportunity both as a learning experience and an educational opportunity (even for our lawyer).

Contracts are supposed to spell out the details of an agreement in a way clear to all parties.  So given the opportunity to review this document, I had a simple objective: create clarity of expectations out of ambiguity and ensure my company would not be liable for the vendor’s mistakes, defects, or deficiencies. 

In this case, my involvement helped us prevent some situations we would prefer to avaoid.  But this experience brought to mind a question:

Why is it important for information security to review contracts before they are signed? 

I fear that most people involved in contracts believe that the lawyers and “the business” have all of that covered.  Either that or many dislike ”legal mumbo-jumbo” and don’t take the time to review the contract.  I understand where those beliefs started – but time have changed and if we want to be successful, we also have to change.

Today’s Security 2.0 professional must be able to read, review, and provide comments on legal documents and contracts.  This does not mean that you need a legal degree or extensive knowledge of contracts.  It does mean that we need to move beyond IT. 

It’s all about protecting the business. We must be engaged in negotiating, interpreting, and managing contracts with the business.  Our unique knowledge and viewpoints allows us to spot legal issues that may be missed by others.   We need to knowledgably interact with legal council and those handling business contracts and offer educated suggestions.  Showing how we add value increases the likelihood of our continued involvement. It’s all about collaboration and working together to secure the infrastructure.

How do we reach this nirvana?  By reading and studying in areas outside of IT. The Security 2.0 professional grows outside of his/her IT comfort zone to better understand the inner-workings of the business.  When asked to review a contract, take your time, understand the legalese, ask questions when you don’t know something, and show you can add value to the process. 

To help, here are two resources that are impressive and useful: ChangeThis (http://www.changethis.com/) and the Personal MBA (http://www.personalmba.com/). They have many resources and articles to help you think outside the IT box. 

Michael Santarcangelo is developing these and other concepts of Security 2.0, so stay tuned.

By working together, we all become stronger.

In this episode, I introduce a new segment: “sites to see” and start pointing out security and security 2.0 websites to use.

This weeks Site to See

Microsoft Security Advisories
http://www.microsoft.com/technet/security/advisory/default.mspx

You can learn why I think it’s worth checking out by listening to the podcast. If you have a suggestion for future sites to see (your own or something you think is valuable), send me your idea (and get credit) by email: securitycatalyst@gmail.com.
Special Report
Did Two Factor Really Fail?

The short answer is: no – listen to learn what could have been done differently and why you should care!

Special Offer
I am offering a substantial discount to the first few people who want to improve the way their company addresses compliance and security (while making themselves look like rockstars) as I am about to unveil Effective Assurance. Listen to the podcast for details – or send me an email at michael.assurance@baldsecurityexpert.com — I look forward to sharing my passion with you and helping you improve compliance through security without wasting another dollar!

**** 17 Days and the Catalyst Community is OPEN!! ****

What I really liked about his wording and approach was the concept of “threat source” and how we need to focus on education and other ways to combat the threat sources. I think that most, if not all, of us would agree that technology plays a role in securing our future – but I believe we have been relying on it too much. The end result of this reliance on technology is a total lack of responsibility and accountability which leads to blaming the technology and those who selected it.

Wrong, wrong, wrong!

I’ve mentioned (or dangled) my new “Effective Assurance” experience a few times. I’ll start creating an overview podcast – since we now have proof that engaging employees in a dialogue of empowerment and teaching them the skills and practices they need to take back responsibility works! Ideally, some of you will be able to hire me and we can work on proving it out together (and then you’ll enjoy rock-star status); but I’ll freely share what I have learned if it helps us all improve. I built effective assurance based on my research into Security 2.0 – and consider it to be the first offering in the suite of Security 2.0 solutions.
Cutaway get’s it – and is willing to talk about it, think about it and improve it.

I’ve started working to expand Security 2.0 – and will soon be talking more about it, writing about it and eventually speaking about it. The future is here.

I’m glad Cutaway is with us, and hope you are too!

*** 17 Days until the Catalyst Community is open; Trusted Catalysts are getting it ready now ***

Now I’m not suggesting Security 2.0 is dead. As a concept it lives on – and really, this is a good time for you to get off your chair and fight for a concept to belong to our community and not to a corporation.

In the model I’ve been working on and collaborting on for the better part of 18 months, Security 2.0 is a true transformation of the way we as a community and as a world PRACTICE the art of information security. As such, it’s a model, a framework. Something that is public and will soon be available to be contributed to and built upon.

Listen about the true Security 2.0 in this podcast: http://www.securitycatalyst.com/2006/08/28/security-catalyst-35-introducting-security-20/
But it’s decidedly not a marketing game or the illusion that by shifting security from the network we’re reaching a new level. The whole ’2.0′ concept really kicked in with Web 2.0. And if you look around, we’re still trying to figure out and define precisely what Web 2.0 is (see: Steve Rubel Finally, a Definition for Web 2.0 We Can Agree On?) – save this: we understand that it brings power back to the users and allows them to have more meaningful interactions. Security 2.0 builds upon that – and can be (and should be) seamlessly integrated and expanded in a way that improves the world around us.

This will be interesting… but I’m disappointed that while Web 2.0 seems to be a movement, Security 2.0 may become a dead-end marketing term that is mocked around the world.

This is your chance to step up and change the world. Or you can sit back and be told what to believe and what to do.

== 22 days until the Catalyst Community is open publicly. Trusted Catalysts are engaging now – soon you will have the opportunity to contribute to Security 2.0 and make a difference ==

And now, it appears that AOL is getting into the game. The USA Today is reporting that AOL will be offering Identity Theft protection in a service that could be launched/announced today. I scanned it quick – and to be honest – it looked interesting enough that I look forward to learning more.

I’m curious what the cost for AOL would be to provide this, and if this is as good as it seems. My instincts suggest that it’s not, especially in the wake of the privacy debacle AOL recently faced.

But I’m willing to look beyond all of this right now – we are witnessing a step in the direction where security is becoming a differentiator! Someone’s decision to use or not use a service, to buy or not buy a product is influenced (to some extent) by security.

What does this mean for us?

1. We have to consider that security may not be an important driver for our customers and businesses. Instead of simply being a cost, perhaps now we can positively impact the bottom line by bringing more customers to our solution.

2. The ‘us versus them’ mentality of Security 1.0 has got to be thrown out the window. This is not about balance, this is about ‘integration.’ The successful solutions will be incorporated designed into the solution and easier to use than to ignore. We have to communicate the benefit in an intuitive way and demonstrate a difference without being complicated.

The need for Security 2.0 is clear, and we have started the journey! Security makes a difference.

The Posting is called ‘This might just be the one‘ in which he writes:

“I’m not asking your advice because I need help coming up with a tried and true, predictable, safe or proven idea. No, I’ve already tried all of those and they didn’t work. I’m asking your help in finding something creative, untested, unproven, off the wall, risky, fashionable and challenging. Don’t let me down. Don’t hesitate to share your crazy idea… it might just be the one.”

Seth used this as an example of how words and approach can make a difference. I’ve been thinking about security, security 2.0 and our future as professionals in the last few weeks. As I’m about to launch Effective Assurance (the course) publicly, I’ve been challenging everything to see what does and doesn’t make sense. And I have decided that we need to be more courageous in the way we approach and practice security.

So why this quote and link back to Seth Godin?

Simple, really. Imagine if when posed with a security challenge (which is nearly every day), instead of trying to solve it by yourself, you asked for help. And instead of simply saying, “help” (which we commonly do), you said something along the lines of above?

Seriously.

What if in asking for some advice, we actually invite people to be crazy? What if we toss off the shackles from our mind, bring our passions and experience into play and then see where it leads?

I know this much: you’ll have more fun. I also would bet dollars to donuts (then again, that’s probably a wash these days anyway) that you’ll come up with a clever and inventive solution that makes a difference.

Try it. I know you’ll like it. Practice now. Stop reading, try it. Then tell us how it worked.

Comments are open. Catalyst Community is coming this month.