Posted March 19th, 2008 by rybolov
So it’s old news (originally published in The New Yorker in May 2006), but this is an interesting read: Game Theory.
I’m reading this essay, and all of a sudden I had a “wow” moment. It all revolves around the complexity of information security: because it’s dependent on so many external factors, it’s hard to point to one indicator and say “this one thing makes or breaks an information security program.”
For some of us, this is disheartening. What do you mean there’s not one prime directive in running a security program? Surprise, it’s the “Magic/Silver Bullet” problem rehashed.
For the rest of us, this is fantastic. What it means is that since a security program is holistic–in the words of the old-school Perl hackers, TMTOWTDI: There’s More Than One Way To Do It.
You can gather metrics about all sorts of things, but at the end of this academic exercise, it comes down to what you really want to accomplish–the soft-skills to temper the hard science.
There still is a place for Bubba the Infantryman and Guerilla CISOs out there in the world. These are people who know instinctively when to ignore the numbers and execute.
Yes, America, good strong leadership can trump adversity if you know how and when to apply it.
Posted in Odds-n-Sods | No Comments »
Posted March 18th, 2008 by rybolov
One idea I’ve been mulling over the past couple of weeks is the amount of crossover skills that information security people need to get things done. We’re almost coming to the point where we admit that we need this kind of crossbreeding to get new ideas into the IT security industry.
Two people that I think are on most of the New School’s closet reading list: Seth Godin and Malcolm Gladwell.
Seth Godin lives in New York and dreams about how he can get your attention by using a trained army of purple cows. Unfortunately, there is an army of purple cows, people being uncreative for the most part, and now the most interesting thing you can do is to be a yellow giant wooden badger. If you think that the phrase “Think outside the box” is in itself thinking inside the box, then Seth’s blog should be an interesting read.
Malcolm Gladwell is an overly smart person with Sideshow-Bob hair. He wrote some little article called “The Tipping Point” that he eventually expanded into a book, and people have been fawning all over him since. If you believe that sometimes the right thing to do is the counterintuitive thing to do, then Malcolm is your guy.
Posted in Odds-n-Sods | 2 Comments »
Posted March 18th, 2008 by rybolov
#1: How does a company/organization convert from doing compliance management to doing true risk management? I think it’s the difference between being good and being great. There are a couple of non-IT models that we can look at: Emergency Room care transitioning into long-term care being a good one.
#2: Compare and contrast the metrics that are collected as part of the annual FISMA reports with the major initiatives that we have on the table. They don’t add up.
OK, I think it’s time to go fish this weekend, I’m having dreams about LoB initiatives. Mini-me says I need to do something non-IT/security/$foo for the 8 hours of the day that I’m NOT working.
Posted in FISMA, Odds-n-Sods, Risk Management, The Guerilla CISO | 3 Comments »
Posted March 13th, 2008 by rybolov
Geeks are cool now. They even are members of Congress.
Gratz Representative Foster.
Posted in Odds-n-Sods | No Comments »
Posted March 11th, 2008 by rybolov
Wow, interesting twists abound. If you’re a geek, into security, and haven’t been following along at home, what’s wrong with you?
Hans Reiser Trial Blog at Wired
Some highlights:
- It all goes back to the Motherland: Wife dated KGB, mail-order-bride follies, and ties to the mafia
- Father says he warned son of “Techno-Geek S&M Crowd”
- “I do strange things because I’m a geek”
- In retrospect, it’s probably bad to buy books about murder investigations when you might be the subject of one
- Doing suspicious things does not mean that you’re guilty, but it makes it harder to prove that you’re not guilty
- If you can’t find the body, does that mean that a murder has happened?
Posted in Odds-n-Sods | No Comments »
Posted February 20th, 2008 by rybolov
Yes, I’ve been sporadic over the past month or so. Let’s just say that changing jobs, new commute patterns, buying a boat (more on that in a minute), having a case of “The Winter Blahs”, my aquatic biodiversity hardships (i.e., not having fished since October), and being horribly sick have all conspired against blogging.
Well, that’s all over now, it’s time to start spreading my own brand of cynical infosec cheer around.
Posted in Odds-n-Sods, Rants | 1 Comment »