Monday, April 23, 2007

Allen Baranov is alive, well and living a State of Fear (Part One)

"Is something wrong, she said
Well of course there is
You're still alive, she said
Oh, and do I deserve to be?
Is that the question?" - Pearl Jam, "Alive"


Yes. I am still about.

The last few weeks have been mad. My folks are visiting from Australia, Blogger has been doing funny things, work has been hectic and I'm trying to work out what to do with my life. Lots of excuses why I have not posted in a long while... however...

... I am reading "State of Fear" by Michael Crichton. It is a really good book and worth reading, as are all his books. The basic story behind it (besides all the fast-paced action you should expect from his novels) is that global warming is junk invented by earth-rights groups to get money that should go to starving kids in Africa, rather than a theory that may or may not be true.

So, what does this mean for us security professionals? This IS (sorta) an info-sec blog.

Well, he takes it further near the end of the book. He says that there are always issues facing mankind. The press and interested parties (in each case) just blow them up for their own gain. Interested parties so that they can get funding and the press so they can sell their media.

I know I get excited every time some bit of security news makes the papers (sometimes the front page), even if, once I dissect it, it is really just some arbitrary news. It puts what I do in the spotlight and I can get a warm fuzzy feeling. I can also (maybe one day) tell people exactly what I do instead of "I'm in IT". And maybe more companies will take information security more seriously and spend more, and some of that will trickle down into my usually empty pockets.

Bruce Schneier seems to think about this issue a lot, and I like the title of his book "Beyond Fear" because it sums up where I think we should be going. Manage your systems correctly and don't worry.

Still, there are the fear-mongers: buy security (and then even more) because you may go to jail if you don't secure your company down to the last little screw.

There are also... hmmm... the naive ones... who believe everything can be put into black and white. I always thought I was missing something, because even after all my (too many) years in security I have no idea what numbers to use in a risk assessment.

Recently I posted to a security list asking "is a firewall really necessary?" and one answer was "do a risk assessment". I wasn't talking about an external firewall, but the answer came from someone who didn't know that.

I can't see how my time would be best spent trying to (research/invent) numbers to prove that a firewall is needed. It's just plain sense (at least on the border), I think.

Maybe there is a fine line between State of Fear and State of Risk. I hope that I am there.