Cool as McCumber

Oct. 27, 2008
The Texas Two-Step

Austin, Texas is a cool town. I hadn’t had an excuse to visit Austin for several years, so I was pleased to accept a chance to teach a couple classes at an IT conference there. I knew I would find an excuse to slip out one evening to hear good live music at a place like The Broken Spoke. I was musing about the options when I noticed the conference attendees shuffling in with their conference bags stuffed with marketing slicks and complimentary pens, mouse pads and other vendor-labeled doo-dads.

I had been informed this session was for computer security-types looking for updates on new and emerging threats to IT systems. It was a perfect fit, as I had just obtained the latest information from a large-scale international study. I had all the data and statistics packed into about 50 slides. I made sure to use plenty of colored charts and graphs to bring out the major points and to highlight important trends. I know how tedious a detailed recitation of statistics can be, so I had to tailor this outsized file of facts with analysis that would address the needs of these security practitioners.

As I began taking the audience through the data, I looked out across the room and realized it wasn’t working. Anyone who has experience in classroom teaching or public speaking notices when those whom you are trying to reach are thinking about anything but your talk. This group was tuned out. Clues for yours truly consisted of vacant expressions, several people looking studiously into their laps and some light snoring. It was time for drastic action.

I stopped in the middle of a discussion of the use of botnets and asked how many people in the group of about 80 were IT security practitioners. Two hands went up, albeit rather uncertainly. I asked the group as a whole where their interests lie. I found out from a couple responses and some nods they were mostly state-level government employees and only a couple had security responsibilities. I then proceeded to do what had to be done. I told them about my background and asked them if there were issues I could address for them while I was here. Suddenly, hands shot up around the room and we were able to begin a fun dialogue around the impact of security issues on this group’s activities.

After a couple points about credit card fraud and phishing scams, a woman asked what software I would recommend for filtering Internet content for her two sons, both in their early teens. She also asked if there was something she could purchase that would scan images for ones she and her husband might find objectionable for their sons. There was no misunderstanding her concerns, and her question arrested the attention of many other parents in the room.

This was an easy one. I could address this one as both a security practitioner and a parent. I explained I once had two teenagers who were growing up with the Internet always available at home. However, knowing the limits of technology, my wife and I had opted for a non-technical solution: we simply put the kids’ computer in the middle of the solarium. We use this room primarily for reading, and it can be quiet and away from the television; however, the screen was always clearly visible from the kitchen and family room. We were also always happy to monitor their use of the computer to ensure they learned how to avoid threats such as online predators. Problem solved — the only investment required was parental time and attention.

I could tell from her expression this was a novel solution, or at least one she had yet to consider. I decided against asking a follow-up question, as I didn’t want to put her on the spot. I suspected she was considering how to explain to junior that the PC tucked away in his bedroom was going to find its way to a more accessible venue.

Effective security solutions are not always the most expensive or the most technically advanced. A good security practitioner will always be looking for cost-effective ways to mitigate risk while taking the time to understand just how much time, money and effort should be invested in implementing a solution. Of course, it is always about trade-offs, and those who can best define and evaluate them will be at the forefront of the security profession.

That evening, as I was heading for the Austin airport, the cab driver turned to me and asked if I liked the live music scene in Austin. I said absolutely! He then mentioned that he had tickets to see Velvet Revolver at a small local club in a couple hours. I reached up, grabbed his arm, and said, “Turn around. I just changed my plans.”

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: [email protected].