Monday, February 15, 2010

The lights come on, the set is down, the curtains float away...

People already blog about information security – just look at my short but growing blog roll. Does the world really need one more? I think so, and my inaugural post is to make the case for it.

Information Security is big business. The U.S. federal government alone spent 7.1 billion dollars on it in 2009, and private industry dropped a pretty penny on it as well. The headlines regularly show the cost of not getting it right, literally and figuratively. Companies appoint executives, staff departments, allocate budgets, and do all the other things that businesses do in order to secure their computing. I should know – it’s kept me employed full time for most of my adult life.

And yet, the headlines keep coming.

It’s not just business. Home users have their identities stolen; lose years worth of writing, photography, and other work to computer virii. Their computers get enlisted in zombie armies and slow to a creep, which can look just like a machine getting old – leading to a new computer before its time. There’s a whole information security industry selling to the home market, and it’s not small.

And yet, people at parties still ask me if their computer can be saved from the latest infection with a combination of trepidation and hope generally reserved for an oncologist’s office.

People like me have careers, consulting firms have revenue lines, vendors have entire product and service lines, and governments pass legislation dedicated to solving the problem of how to let people compute safely.

Yet security programs fail, one after another.

Clearly, trying something new is called for. I've had front row seats for most of my career. I've seen security suceed and fail many times. I've examined the people, products, and processes time and again.

This blog will be about what I've found. Ultimately that means it will be a blog about people, because people are what make security work or fail. Products just do what people tell them to; processes are just people telling people what to do. Meaning that the famous mantra "people, process, product" is really just a complicated way of saying "people, people, people."

I want this blog to be useful. Not just to my colleagues, who may agree with my ramblings -- or not. I don't want this to just be a place to geek out. Nor do I just want businesspeople -- my clientele -- to see this simply as a vehicle by which I credentialize myself. I want people who don't normally think about security to come and read so that they can think about it with less difficulty afterward. If I can communicate nothing else, I want to get this across: security is easy, if one lets it be.

I want this blog to be entertaining. I do what I do because I have fun doing it, even when I’m doing the boring bits that every job has. I want to share that sense of fun.

I’m going to try to make a post at least once a week. If I can’t post something of substance, I’ll give a quick explanation of why; perhaps a bit of off-topic nicety to round things out.

I intend to encourage informed, spirited, and civil discussion and debate. I ask that those who feel moved to comment do so in a way that is respectful of the broad range of viewpoints I hope readers will bring to this space.

I request that you, the reader, participate. That invitation stands whether do security professionally, as an interested amateur, out of self-defense, what-have-you. Bring your knowledge, but also bring your questions. This is a space to learn, and I’ll learn as much as anyone else.

I hope that’s enough of a reason to load this page every so often, add me to the RSS reader of your choice, or otherwise check out what I’ve got to say.

I have not yet monetized this blog, but I reserve the right to do so. If I do, I promise to make every effort to do it in a way that is respectful of your privacy and intelligence.

In the next post, or perhaps the one after that, I’ll talk about the fundamental security process that drives all the others: governance. Developing the charter and policies that guide how one’s security practice works. This post is a good jumping-off point for that, because a business case, charter and some policies is pretty much what I've written.


Scott said...

Nice first post Dan - looking forward to many more!

Dan Holzman-Tweed said...

Thank you and welcome! I look forward to your participation as well.

Post a Comment