Why you do the things you do?

I spent a day in Orlando with the nice people of Symantec. As I've said before I'm on an Advisory Council for them and this was an opportunity for us and them to get together face to face and talk about security. It was really a very good experience. I went in with a little trepidation (at least as much as you can have when you get a free trip to Orlando) thinking that it was going to be all marketing and fluff. I expected them to try and feed us a bunch of good PR in hopes that we would all run back to our blogs and write good things about them. Well they didn't. They treaded us like the information security professionals that we are. They didn't try to insult our intelligence or feed us the company line. They showed us some of the things that they are doing and some things that they are working on or researching. They asked for our thought and feedback and gave us a chance to ask questions, give input, and talk about what we did and didn't like about their products. Then when we did this they actually engaged in serious conversation with us. They gave us access to top management and engineers. When we asked questions they were answered and not side stepped. Again, I must say I was very impressed with how they treated us.

One of the good things about the trip was that my good friend Michael Santarcangello was also there. There are 5 of us from the Security Catalysts Community on the Advisory Council and unfortunately Michael and myself were the only SCC members able to attend. I've spent lots of time talking with Santa one on one over the last year but this time he really amazed me. I got to see him in action and was able to see the things that he writes and talks about. Michael really does think differently (in a good way, usually) and challenges people to do the same. He is passionate about this and it shows.

As you may have noticed that lately I've not been posting as much as usual. This is because I'm tired of the "same ole same ole" blog posts. Most of the news worth talking about is chewed up and spit out 100 different ways on 200 different blogs and I just didn't feel the need to add to the fray. Why? Because I (at least I hope so) try to think differently. I try to not take the same perspective as everyone else. So you could say that if that's true then why didn't I take those stories and present them in a different light. Well, you are right, but not all stories are worth doing that to.

Well, since the Symantec trip I've really been thinking about thinking. Thinking about what it means to think differently. I posted some thoughts on that here back in December of last year. I still think that we must continue to find ways to think and do things differently. I'm tired of seeing people do the same thing just because that's the way we've always done it or just because it considered "best practices". People, especially those tasked with protecting information, need to consider not just how to do something but why are we doing it in the first place. Alex Hutton of the Risk Analys.is blog asked a basic question on the SCC forums today that too many times is just over looked by IT and security professionals. The discussion was around the fact the the SCC doesn't use SSL for logins. Someone questioned why a community of security professionals would do such. After several people commented Alex asked "What's the risk?" That's such a basic question but we are so ingrained into thinking about how and not why that we missed it.

Some people would argue that we are less secure today than we were at the beginning of the year. If that is true I think that it's our fault more than anything. We see a problem and start looking for a solution that will fix it and we don't stop to think about it. We don't ask the hard (or sometimes easy) questions that can shed valuable light on the subject. We have to think in order to adequately protect. We have to quit looking for a solution until we understand the problem. We have to quit striving to check a box on our compliance forms. We have to get out of the "best practices" mindset and get into the "what will best solve my problem with the least amount of pain" mindset.