Why Doesn’t the Security Industry Have Champions in Hollywood?

As I picked up my latest copy of Information Security Magazine I found myself wondering what Tom Hanks was doing on the cover. On second glance I noticed that this wasn’t Tom Hanks but rather Eric Bangerter from the University of Wisconsin Credit Union.

This mistake made me think of two things:

  1. How could my eyes possibly be that bad?
  2. Why doesn’t the security industry have champions in Hollywood?

The first item really isn’t the basis for a good article so I’ll stick with the second item.

Animals have Paul McCartney, Buddhism has Richard Gere, Scientology has Tom Cruise (or maybe it’s the other way around), the UNHCR has Angelina Jolie, and PETA has Pamela Anderson. Who do we have? The security industry does not have a famous face to market the importance of implementing security measures in the home nor in the enterprise. Granted, we have such pioneers as Martin Roesch of Snort and Sourcefire fame, Bruce Schneier the author of such greats as Applied Cryptography, Secrets and Lies, and Beyond Fear, Kevin Mitnick the well known social engineer, author of The Art of Deception and The Art of Intrusion, and Radia Perlman one of the most respected names in security and networking, to name a few.

Even though these people are incredibly well known in the security industry, I suspect that none of them would be met at the airport by 10,000 screaming fans who are there just to hear the person say something life changing. I’ve been thinking for several days now about who should be approached, and I’ve shortlisted a few people:

  • Harrison Ford – who wouldn’t listen to this great actor from such timeless films as Indiana Jones, Star Wars, Blade Runner, and most recently Firewall (not ‘timeless’ but helped put him on the short list due to its content).
  • John Travolta – his attention grabbing cool demeanor in such films as Pulp Fiction, Get Shorty, Face/Off, A Civil Action, Swordfish, and Be Cool ensured that he would make this list.
  • Speaking of cool what about Jack Nicholson? This man has done it all from The Shining to Batman to As Good as It Gets to A Few Good Men to One Flew Over the Cuckoo’s Nest. When Jack speaks people listen.
  • What about Catherine Zeta-Jones? This Welsh beauty commands the screen with her sly wit and sultry delivery. I’d be hard pressed not to listen to EVERYTHING she told me.

I’m sure I could go on listing people forever but I wanted to put some names out there. Who would you like to see represent the security community from Hollywood? Before answering ask yourself this question…“Who would make security cool enough that you’d be embarrassed not to care about it?”

My root password is so secure … you be the judge

I received a hilarious email posted to the security-basics mailing list this morning that I had to share:

I was in a bar in San Francisco, where my English accent has a habit of stimulating conversation with total strangers; in this case it was with a webmaster (sadly not webmistress) of a dubious website hosted in Amsterdam (I don’t think I need to expand on the nature of the site ;) I mentioned that I was passionate about Information Security, whereupon he proceeded to tell me his root password, as he was so proud of how hard it would be to crack! If this were an isolated incident I wouldn’t mention it.

However, these instances are becoming ever more frequent. Is it my trustworthy face, or are others experiencing similar errors of judgement?

Special thanks to Andy Cuff, the originator of this email and CEO/Founder of the Talisker Security Wizardry site, for making my day.

Reasons why enterprise networking and security roles must stay separate

The illustrious Shon Harris has stated in her latest article for SearchSecurity.com that:

Not only should the networking group and security group have distinct and clearly defined tasks and responsibilities, but they should also have separate chains of command.

which I agree with completely. Her next comment, however, is another story:

Problems can occur when sharing the same chain of command. For instance, let’s say someone in security informs a network administrator that there is an unsafe rule set on the firewall. This traffic setting, though, may have been implemented by the network administrator to support a business need or a user’s particular preference. There is a chance then that the administrator may rank the network concerns more of a priority than the security issue and ignore the information.

This sounds like a documentation or process failure to me, not one caused by sharing the same chain of command. If the rule is required to fulfill a business requirement, then it should be documented as such and made available when needed (for auditing purposes, for example).

Her final point suggests introducing an intermediary, in the form of a security engineer, to help open the communications channels between the two groups:

The network lab manager and the CSO should perform their duties separately. If the CSO needs help, then a security engineer should be hired to properly arrange the responsibilities.

I’m not sure whether this is the right approach. Hiring a subordinate to manage the channels between two groups may result in a power play for the engineer’s favor. Also, the article says nothing about to whom this security engineer would report, which may cause even more internal conflict between the two groups.

A better suggestion might be to hire an experienced security project manager with a background in both networking and security. This person could have a dotted-line relationship to both the CSO and the network lab manager for these types of issues, and could report directly to the COO to eliminate the aforementioned conflicts.

One final thought…

If these two groups cannot work together during the course of a regular business day, what hope do they have of handling an incident in a timely and organized manner when one occurs?

P.S. Hopefully the ‘security gods’ don’t strike me down for crossing Shon Harris…love your book…