Fear Uncertainty And Doubt
14 minute read | Last updated 16-Apr-2018 | 
Security, Rant, Culture Change
Mornings With Mark no. 0034
Watch the episode on YouTube
Join the discussion on LinkedIn
Share on Twitter
Bad Robot Transcript
I actually got this working. I’m so interesting. I am now we’re good at just double-checking back on Facebook and simply because I didn’t have time to log into YouTube and get the stream key and all that kind of stuff back on YouTube tomorrow, but I wanted to get this rolling and so I’m broadcasting to you from a new location as you can tell this is mornings with Mark West Coast Edition.
So it’s pretty early for me. I am already just got back from getting breakfast in a standard East Coast Advantage of being up really early. I’m out here in San Francisco for the RSA 2018 us. I’m so one of the biggest security conferences. There is today Andrew. Hay and II Andrew is the sea so add taleo security.
We are running the ransomware indestructible tax seminar in Moscow any West. So if you’re here on site come check it out room 2001 in Las Colinas has a full day of deep dives into the impact of ransomware the impact of destructive attack. I don’t know what it means to you and butter this conference.
Like I said, it’s huge mass of which means everyone ends up being here. So from a good perspective. Let me just double-check the stream right on band from a good perspective in a bad perspective. So the good news is everyone’s here. It’s exciting. I the community kind of pulls together.
And so you get to see a lot of folks. I mean get to your lawn new ideas and the downside is you know, obviously this is a business focused event. There’s a lot to full Expo halls and you see all the marketing position from folks now, he’s come a long way from when it was pure fear uncertainty and doubt.
However, it’s still around. So I hit this up on Twitter yesterday when I landed it took about thirty seconds to see an ad that was really focused on fear, you know that fear uncertainty and doubt to move product and AT-AT. You notice my 25th year in professional practice. Almost all of it cyber-security focused and it’s really really frustrating that we undermine ourselves by going to fear and certainty and doubt route.
So here’s the best way to approach security. You need a pragmatic honest and open discussion about what works and what doesn’t work because nothing is 100% If you were pushing yourself or positioning a security solution or an architectural design or thought or anything is saying like this is going to solve all our security problems.
That’s never going to be the case Securities complex tits nuanced or we need to keep doing is walking off on certain areas and being able to say look like a reduced risk or mitigated the risk in this area. Now. I’m going to work on this other area and based on my business appetite for risk.
We’re appropriate right? It’s not that question of is this secure that’s an impossible question. Its is the secure against a Potential Threat to an appropriate level again definition of cyber security and usable War. Cable One Is to make sure that your it systems are doing what they intend and only what they’re intended to do.
So you’re never going to have stopping 100% of a tax. You’re never going to be able to say I’m yeah, we better system. So Advanced that you don’t have to think about it security is a practice. That means you should be doing it everyday security is something that needs to be able to the foundation or fabric of your applications, which means you need to be building that in constantly.
If you’re not it’s a problem. And if you position your product if you position your company, if you position your services, if you position your open source project in a way that it’s going to solve all the problems for all the people in all the cases that’s a significant issue and you’re putting the rest of us behind the eight-ball because then the question comes is this company says they can do a hundred percent.
Why can’t you do that? Now? The good news is like I said in the opener here is that that’s rare that we see that nowadays and the market is maturing. We’ll have a better understanding but I still I’m a huge fan of being even more Park pragmatic than that.
And I know marketing folks even my own marketing folks, you know, they’re like no we need to be able to put a bit of a shine on something to make sure that it looks good. I mean, oh present it at its best than this one hundred percent understand, you know, that’s just the way the world that’s the way business is you need to make sure that your solution is selling cuz that’s how you make money with people.
That’s how you build better things. But there needs to be this balance of saying I hate for this problem set. We’re great solution. Here’s what we do really really well when somebody asks me and we’ll tell them here’s what we’re not so great at I think there is a balance to be had and I think every year we get closer to it as a as a community and I think that’s a really really positive thing because as I’ve been exploring more security over the last year focus on two aspects The Cutting Edge and serverless and sort of the trailing Edge in operational technology.
So things like robots and tractors and medical equipment and things like that is sort of an interesting Confluence of two areas. We need to understand security principles and we need to be very practical and very very clear lines. But what security can do In One Security can’t do this when you’re dealing with operational technology more often than not you’re dealing with threats to human life, like literal threats, not hyper hypothetical threat since the cybersecurity of this robot that’s working right next to people or a tractor that is you don’t driving on a farm that’s people are also working on the farm and Healthcare where people’s lives are literally in the balance.
Hang in the balance for these machines, so it’s not high. Do you say that you know, this is zero risk tolerance environment because people’s lives are at stake. You know, if your website that selling widgets goes down. Nobody’s going to die. You’re going to lose the money that’s unfortunate.
But nobody passes away does the different risk model? And so that’s really where you need to be a very very pragmatic and very very understanding what’s going on and then serverless eats or that interesting contrast in that we’re exploring on security principles and reapplying to be completely anyways, because all of our existing controls and Technologies kind of break in that environment, so I like studying both of those but they both come back down to being open and honest.
Security is there to make sure that your systems work as intended and only as intended and that’s where we need to go. So I’m really excited to see the Fantastic Innovation this week at RSA. You can follow on Twitter hashtag is RS AC are RSA conference or are sack and there’s going to be a ton of great content this week some amazing talks Some solid Keynotes the U-Haul going to be I think some interesting companies pitching their new approaches to different things hopefully in a great pragmatic way and just in general the hallway conversations at this conference are fantastic.
Looking forward to today and your partner up with my friend Andrew. Hay and delivering that ran somewhere and destructive attacks seminar, and I think it’s really will release hosting it and the lineup of great speakers are delivering it and yeah just generally connecting an in hearing some new ideas, and that’s what this is all about.
As always you can hit me up online at Mark NCAA or down below in the comments a little busy this week on site, but I will be trying to broadcast to every morning hopefully back on YouTube tomorrow, and I’m completely mobile this week. So no laptop, even though laptops mobile, but I’m completely like iPad mobile.
I’m going to see how that works isn’t going to cut this video right now and put it up on YouTube with a normal trailer and stuff. So we’ll see how it goes. Like I said, hit me up online at Mark NCAA. Hope you guys have a great Monday and we will talk to you soon.
I actually got this working. I’m so interesting. I am now we’re good at just double-checking back on Facebook and simply because I didn’t have time to log into YouTube and get the stream key and all that kind of stuff back on YouTube tomorrow, but I wanted to get this rolling and so I’m broadcasting to you from a new location as you can tell this is mornings with Mark West Coast Edition.
So it’s pretty early for me. I am already just got back from getting breakfast in a standard East Coast Advantage of being up really early. I’m out here in San Francisco for the RSA 2018 us. I’m so one of the biggest security conferences. There is today Andrew. Hay and II Andrew is the sea so add taleo security.
We are running the ransomware indestructible tax seminar in Moscow any West. So if you’re here on site come check it out room 2001 in Las Colinas has a full day of deep dives into the impact of ransomware the impact of destructive attack. I don’t know what it means to you and butter this conference.
Like I said, it’s huge mass of which means everyone ends up being here. So from a good perspective. Let me just double-check the stream right on band from a good perspective in a bad perspective. So the good news is everyone’s here. It’s exciting. I the community kind of pulls together.
And so you get to see a lot of folks. I mean get to your lawn new ideas and the downside is you know, obviously this is a business focused event. There’s a lot to full Expo halls and you see all the marketing position from folks now, he’s come a long way from when it was pure fear uncertainty and doubt.
However, it’s still around. So I hit this up on Twitter yesterday when I landed it took about thirty seconds to see an ad that was really focused on fear, you know that fear uncertainty and doubt to move product and AT-AT. You notice my 25th year in professional practice. Almost all of it cyber-security focused and it’s really really frustrating that we undermine ourselves by going to fear and certainty and doubt route.
So here’s the best way to approach security. You need a pragmatic honest and open discussion about what works and what doesn’t work because nothing is 100% If you were pushing yourself or positioning a security solution or an architectural design or thought or anything is saying like this is going to solve all our security problems.
That’s never going to be the case Securities complex tits nuanced or we need to keep doing is walking off on certain areas and being able to say look like a reduced risk or mitigated the risk in this area. Now. I’m going to work on this other area and based on my business appetite for risk.
We’re appropriate right? It’s not that question of is this secure that’s an impossible question. Its is the secure against a Potential Threat to an appropriate level again definition of cyber security and usable War. Cable One Is to make sure that your it systems are doing what they intend and only what they’re intended to do.
So you’re never going to have stopping 100% of a tax. You’re never going to be able to say I’m yeah, we better system. So Advanced that you don’t have to think about it security is a practice. That means you should be doing it everyday security is something that needs to be able to the foundation or fabric of your applications, which means you need to be building that in constantly.
If you’re not it’s a problem. And if you position your product if you position your company, if you position your services, if you position your open source project in a way that it’s going to solve all the problems for all the people in all the cases that’s a significant issue and you’re putting the rest of us behind the eight-ball because then the question comes is this company says they can do a hundred percent.
Why can’t you do that? Now? The good news is like I said in the opener here is that that’s rare that we see that nowadays and the market is maturing. We’ll have a better understanding but I still I’m a huge fan of being even more Park pragmatic than that.
And I know marketing folks even my own marketing folks, you know, they’re like no we need to be able to put a bit of a shine on something to make sure that it looks good. I mean, oh present it at its best than this one hundred percent understand, you know, that’s just the way the world that’s the way business is you need to make sure that your solution is selling cuz that’s how you make money with people.
That’s how you build better things. But there needs to be this balance of saying I hate for this problem set. We’re great solution. Here’s what we do really really well when somebody asks me and we’ll tell them here’s what we’re not so great at I think there is a balance to be had and I think every year we get closer to it as a as a community and I think that’s a really really positive thing because as I’ve been exploring more security over the last year focus on two aspects The Cutting Edge and serverless and sort of the trailing Edge in operational technology.
So things like robots and tractors and medical equipment and things like that is sort of an interesting Confluence of two areas. We need to understand security principles and we need to be very practical and very very clear lines. But what security can do In One Security can’t do this when you’re dealing with operational technology more often than not you’re dealing with threats to human life, like literal threats, not hyper hypothetical threat since the cybersecurity of this robot that’s working right next to people or a tractor that is you don’t driving on a farm that’s people are also working on the farm and Healthcare where people’s lives are literally in the balance.
Hang in the balance for these machines, so it’s not high. Do you say that you know, this is zero risk tolerance environment because people’s lives are at stake. You know, if your website that selling widgets goes down. Nobody’s going to die. You’re going to lose the money that’s unfortunate.
But nobody passes away does the different risk model? And so that’s really where you need to be a very very pragmatic and very very understanding what’s going on and then serverless eats or that interesting contrast in that we’re exploring on security principles and reapplying to be completely anyways, because all of our existing controls and Technologies kind of break in that environment, so I like studying both of those but they both come back down to being open and honest.
Security is there to make sure that your systems work as intended and only as intended and that’s where we need to go. So I’m really excited to see the Fantastic Innovation this week at RSA. You can follow on Twitter hashtag is RS AC are RSA conference or are sack and there’s going to be a ton of great content this week some amazing talks Some solid Keynotes the U-Haul going to be I think some interesting companies pitching their new approaches to different things hopefully in a great pragmatic way and just in general the hallway conversations at this conference are fantastic.
Looking forward to today and your partner up with my friend Andrew. Hay and delivering that ran somewhere and destructive attacks seminar, and I think it’s really will release hosting it and the lineup of great speakers are delivering it and yeah just generally connecting an in hearing some new ideas, and that’s what this is all about.
As always you can hit me up online at Mark NCAA or down below in the comments a little busy this week on site, but I will be trying to broadcast to every morning hopefully back on YouTube tomorrow, and I’m completely mobile this week. So no laptop, even though laptops mobile, but I’m completely like iPad mobile.
I’m going to see how that works isn’t going to cut this video right now and put it up on YouTube with a normal trailer and stuff. So we’ll see how it goes. Like I said, hit me up online at Mark NCAA. Hope you guys have a great Monday and we will talk to you soon.
