“Tried and true is where you want to land in your computer security governance.”
I was recently in Vegas to celebrate the sale of a company with my colleagues, coinciding with the BSides, Blackhat, and Defcon conferences. As usual for the past decade we hosted a private party with famous people, drinks, and 3 cabanas at one of the top pools in the world. It was a great time, especially meeting up with some of my retired and old friends that I hadn’t seen for some time. But let’s not lose focus – this is Vegas we are talking about!
When people think of Vegas they have many thoughts, most of which will not be mentioned on this blog. I asked one person, what is the dark and dirty secret or thing that you’ve done while in Vegas? I naturally asked this of an innocent play-it-safe individual just to see what their response was, and I got what I expected, confirming my interpretation of that person. But then I asked another and I got an answer that I did not expect: “I’m tired of that s***. I’m just going to hang out here and have a few meetings.” I totally related to that thought – once you’ve had your go of it and experienced it there is no mystery, no lingering desire to find out what it is like. In fact it can be the opposite of that: disliking it, not what I thought it would be, not worth it, etc. Don’t get me wrong, I love the great wonders of Vegas in the construction of amazing buildings, memorabilia, famous people, and entertainment. No different than when I worked at Indian Springs 20 years ago, it’s a great place to visit but I personally wouldn’t want to live there.
Security governance, tools, and tactics can be a lot like Vegas. It can be sexy and appealing at first glance. When you buy your first product or service that you think will be great, it loses the glitz and glam after it reboots unexpectedly, doesn’t perform like you wanted, or is just too expensive for what you get out of it. Eventually you get tired of that s*** and fall back to the basics, the tried and true that you can trust. I have a state of the art range finder for calculating distances out to around 2.5 miles, accurately and quickly. It’s super affordable and it’s amazing and I love it for my long range shooting needs (e.g. 1.5 Miles MOA). I also have a state of the art muzzleloader my wife bought me. It’s lightweight and has amazing accuracy with sabots. But sabots are illegal in Idaho so I have to shoot a roundball monolith. The barrel is so short and fast that a normal roundball won’t obturate quickly enough for stabilization, resulting in periodic fliers. Not so great. It took a lot of effort before I found the right load to get it to be accurate for my hunting needs in Idaho.
Honestly, if you simply hit the basics on security (e.g. know your software, know your hardware, patch, and assess) you’ll be miles ahead of the other guy. Go back to the tried and true and, in a very measured way, buy the latest and greatest as it makes sense to do so in order to supplement your rock of security. Whatever you do, don’t build a house of cards and gamble on it like those in Vegas – you’ll lose to the house almost every time.