Archive for November, 2009

For better or worse, back into the frying pan

November 5th, 2009

For nearly a year and a half I’ve been working to build the InfoSec program at my current company. This company is a late stage startup, but still a startup. This has been quite a challenge and I’ve learned a ton in the process. Some of the most important things I’ve learned:

  • It doesn’t really matter what you think until you prove it. Analysis and understanding are more valuable than a thousand educated guesses.
  • Key to understanding your risk is understanding your business, what assets are key to your business, and working your way through those from most critical to least.
  • People do care about security, they just don’t think about it. Security in a startup isn’t as in your face as other problems like finances, availability & growth. You have to find ways to tie security to those things and it’s not easy. This probably doesn’t just apply to startups.
  • To be in security, you must have patience. Lots of patience.

With these lessons learned, it’s time for a new chapter at a new company. I’m not leaving security but my role isn’t going to be only security. I’m taking a bit of a step back to what I really have enjoyed in the past – fixing & building infrastructure. I’m walking into a company with some pretty significant challenges and I’m actually pretty excited about it. After a few years of management, I’m ready to get my hands filthy again.

This blog may evolve a little, but I’ll keep rambling here about security stuff and probably other things. I’ll still be “the security guy” at the new place – but I’ll also be “the network guy”, “the systems guy” and probably 15 other things. This is what I do – I put myself in difficult situations & do my part to improve them. I’m pretty proud of what I’ve done in the last 1.5 years running a security program – for a guy who’s never done that before I think I made good progress. If nothing else, I got some good typing practice…

And since I love quotes:

“The follies which a man regrets most, in his life, are those which he didn’t commit when he had the opportunity.” – Helen Rowland

Here’s to no regrets…

Change Management and the art of going fast

November 4th, 2009

“If everything seems under control, you’re just not going fast enough.” – Mario Andretti

I wrote an article or two about change control some time back. I called it “change control” because that’s what you were doing, right? You were controlling change. Only, I didn’t really stop to think about what I actually was trying to control. Changes are a necessary part of any operation, and when changes can’t happen, that’s not good. Changes that happen fast aren’t usually bad unless something goes wrong. It’s not the change that you are fundamentally controlling. What you are actually trying to control is the risk of change, and there are lots of aspects to doing that.

The race car driver going around the track isn’t trying to never slip or trade paint, she’s trying to be fastest and stay in the race. You can’t do that and guarantee you will never hit the wall – so you adjust your acceptance of risk to the point that you make good time around the track without getting knocked out of the race most of the time. Bad things happen sometimes, but you are doing ok if you come out ahead on average. Guys like Andretti are really good at this balancing act.

If you drive an ambulance, the math is completely different…
