
    • It is also important to note that Hamlet is extremely melancholy and discontented with the state of affairs in Denmark and in his own family—indeed, in the world at large. He is extremely disappointed with his mother for marrying his uncle so quickly, and he repudiates Ophelia, a woman he once claimed to love, in the harshest terms. His words often indicate his disgust with and distrust of women in general. At a number of points in the play, he contemplates his own death and even the option of suicide.
    • King Lear

       

      Lear’s basic flaw at the beginning of the play is that he values appearances above reality. He wants to be treated as a king and to enjoy the title, but he doesn’t want to fulfill a king’s obligations of governing for the good of his subjects. Similarly, his test of his daughters demonstrates that he values a flattering public display of love over real love. He doesn’t ask “which of you doth love us most,” but rather, “which of you shall we say doth love us most?” (1.1.49). Most readers conclude that Lear is simply blind to the truth, but Cordelia is already his favorite daughter at the beginning of the play, so presumably he knows that she loves him the most. Nevertheless, Lear values Goneril and Regan’s fawning over Cordelia’s sincere sense of filial duty.

    • An important question to ask is whether Lear develops as a character—whether he learns from his mistakes and becomes a better and more insightful human being. In some ways the answer is no: he doesn’t completely recover his sanity and emerge as a better king. But his values do change over the course of the play. As he realizes his weakness and insignificance in comparison to the awesome forces of the natural world, he becomes a humble and caring individual. He comes to cherish Cordelia above everything else and to place his own love for Cordelia above every other consideration, to the point that he would rather live in prison with her than rule as a king again.
    • In William Shakespeare's tragedy, King Lear, the plot is driven by the misguided and sometimes baseless decisions made by King Lear and the brutality of family members towards one another.
    • Data governance is not – and should never have been – about the data. High-quality and trustworthy data sitting in some repository somewhere does not in fact increase revenue, reduce risk, improve operational efficiencies, or strategically differentiate any organization from its competitors. It’s only when this trusted data can be delivered and consumed within the most critical business processes and decisions that run your business that these business outcomes can become reality. So what is data governance all about? It’s all about business process, of course.
    • Even if they are presented with proof of value, management will be reluctant to invest in data governance. Why? Because managers aren’t rewarded on economies-of-scale, they’re rewarded on revenue realization. So all the duplicate work, re-work, and skunkworks efforts don’t count. What counts is how data governance will help generate revenue, which is a much more difficult pitch, and they won’t invest in that either. (Ditto for data quality and MDM.)


    • “Security” is facing a similar problem.

       

      To that end, and without meaning to, Gunnar Peterson and Lenny Zeltser unintentionally wrote about this whale of a problem in two thought-provoking blogs describing what they portray as the sorry state of security today; specifically the inappropriate mission focus and misallocation of investment (Gunnar) and the need for remedying the skills gap and broadening the “information security toolbox” (Lenny) that exists in an overly infrastructure-centric model used today.

       

      Gunnar followed up with another post titled: “Is infosec busy being born or busy dying?”  Fitting.

       

      Both gents suggest that we need to re-evaluate what, why and how we do what we do and where we invest by engaging in a more elevated service delivery role with a focus on enablement, architecture and cost-efficiency based on models that align spend to a posture I can only say reflects the mantra of survivability (see: A Primer on Information Survivability: Changing Your Perspective On Information Security):

    • [Gunnar] The budget dollars in infosec are not based on protecting the assets the company needs to conduct business, they are not spent on where the threats and vulnerabilities lie, rather they are spent on infrastructure which happens to be the historical background and hobby interest of the majority of technical people in the industry.

       

      [Lenny] When the only tool you have is a hammer, it’s tempting to treat everything as if it were a nail, wrote Abraham Maslow a few decades ago. Given this observation, it’s not surprising that most of today’s information security efforts seem to focus on networks and systems.


    • When the only tool you have is a hammer, it’s tempting to treat everything as if it were a nail, wrote Abraham Maslow a few decades ago. Given this observation, it’s not surprising that most of today’s information security efforts seem to focus on networks and systems. Gunnar Peterson observed that this is because infrastructure is the “background and hobby interest of the majority of technical people in the industry.”
      • In addition to the infrastructure security “hammer,” our toolbox needs to incorporate the following elements:

          

        These ideas are congruent with the concerns I expressed when outlining the worrisome state of the information security industry. However, that note pointed out problems without saying much about solutions. Looking at ways of expanding the security toolbox might be a more constructive way of tackling the issues.

    • As practiced in many companies, Information Security is a confused discipline. There are many contributing factors, but the fact that security budgets are misspent is a leading reason. The budget dollars in infosec are not based on protecting the assets the company needs to conduct business, they are not spent on where the threats and vulnerabilities lie, rather they are spent on infrastructure which happens to be the historical background and hobby interest of the majority of technical people in the industry. 


    • "Pay no attention to the exploit behind the curtain" is the message from product vendors as they roll out the next iteration of their all-powerful, dynamically updating, self-defending, threat-intelligent, risk-mitigating, compliance-ensuring, nth-generation security technologies. Just pony up the money and the manpower and you'll be safe from what goes bump in the night.
    • Thing is, the pitch is less believable these days, and the atmosphere is becoming downright hostile.

       

       We face more and larger breaches, increased costs, more advanced adversaries, and a growing number of public control failures. Regulation and litigation have both increased. We're still struggling with the expensive PCI initiative, an effort as controversial as its efficacy is questionable--U.S. businesses continue to hemorrhage credit card numbers and personally identifiable information. The tab for the Heartland Payment Systems breach, which compromised 130 million card numbers, is reportedly at $144 million and counting. The Stuxnet worm, a cunning and highly targeted piece of cyberweaponry, just left a trail of tens of thousands of infected PCs. Earlier this month, the FBI announced the arrest of individuals who used the Zeus Trojan to pilfer $70 million from U.S. banks. Zeus is in year three of its reign of terror, impervious to law enforcement, government agencies, and the sophisticated information security teams of the largest financial services firms on the planet.

    • Minimal control over technology use is a mantra I’ve been chanting into the blogosphere for a while now. The great majority of people know how to behave, want to do their jobs well, and are predisposed to be helpful to their colleagues. If you believe what’s in your mission statement, empower your people (who are, as you say, your most important resource) with the new digital tools without lecturing them too much about how to use them appropriately. When I see 20-page social media policy documents, I always think they could be reduced to one sentence: “We’d really prefer that you not use social media.”
    • We get best practice shoved down our throats all the time (ITIL anyone?).  I would bet a rare Yorkshire quid that few of the people touting best practices can articulate both Why and In Relation to What.

       

      If a best practice is defined as “superior to other practices”, then what are those other practices?  And why is one superior to the others?  It just might be that in my situation another practice might be best.   What’s best for you might not be best for me, right?  But you can’t know that, so we are still friends.

       

      I’ll be honest: best practices appeal to my lazy self. If someone else has done all the heavy lifting then why not leverage their hard work? Aren’t best practices a form of altruism? Well, that’s a bit of a trusting approach in an untrusting world. What if the author is lazy too? What if that author just lifted their best practice from someone else, ad infinitum? Now nobody knows why it’s a best practice, reason is lost in time, and we all go baa.

       

      FWIW I give a damn because my lazy self really wants to use best practices but because of my irksome sense of self preservation I have to do a bit more homework before I reuse any existing best practices… and in fact, this attitude means I can’t take someone else’s short cuts and makes me into an ever more cynical person.

      • So, here are three things I’m going to do from now on and I encourage you, Dear Reader, to do the same:

        1. If you feel the words “best practice” bubbling from your brain to your mouth, make sure you can answer the Why and In Relation To What questions.
        2. If you are writing a best practice then you must include text that answers the Why and In Relation To What questions. Otherwise, you are just recommending a practice (i.e. not best).
        3. If your ears ever hear the words “best practice” from someone’s mouth or you see them in print, make sure you think Why and In Relation To What and unless you have at least one counterpoint, just downgrade it to a practice (i.e. remove the best). Ask the author, Why? and In relation to what? They might have a superb answer that we can all learn from.

        Up for it?  Let’s start now.  Personally I never recommend best practices I only recommend suitable practices to match the requirements but that’s another story…

      • This situation typifies the classic security dilemma. Everyone wants three things from their security system:

        • Strong security. Everyone wants the highest level of security
        • Low cost. It can't cost a lot to build or maintain
        • Ease of use. It can't be complicated or people won't use it
    • Raise security awareness - Good security is like the electrical grid, no one thinks much about it until it fails. While you don't want to create hysteria, you might want to make people aware that there are real security threats. Does anyone outside of IT know how many intrusion attempts you've blocked or how many virus threats you've countered? Maybe they should.

       

      Knowing this may make people a little more rigorous in following security provisions, and management may be willing to spend a little more on security if they know what it is doing for them. 

       

      Avoid the Chicken Little syndrome - There are new security threats every day. It's our job to assess them and act accordingly. Part of this is knowing when to raise the alarm and when you shouldn't. "The sky is falling" didn't turn out well for Chicken Little, and likewise a constant security crisis attitude eventually will dull people's sensitivity to security.

       

      Match the security to the risk - One way to get people more accepting of stronger but more difficult to use security provisions is to only use them when truly warranted. Save the tight security provisions for the really important stuff. Treating everything the same tends to lower the overall significance. Does access to the stock records in the parts warehouse really need the same tight security as the payroll records? 

    • There are a number of data loss prevention systems and techniques that can control data from leaving your system. The downside is that there are trade-offs including cost and impact on your business. While controlling the flow of information can protect your data it can also limit your ability to do business.

       

      This is the classic security dilemma. Everyone wants three things; tight security, ease of use and low cost. The dilemma is that you only truly have a choice of two. As a result we compromise to balance these three factors to suit our needs. Our job as IT leader is to help determine the right balance, to be an honest broker in evaluating pros and cons and to lead the discussion and decision.

    • Most IT systems like EMRs, EHRs, and other medical record capture and retrieval products are purportedly designed for physicians but they really are created to improve the hospital administrators' lives, get data to government agencies looking for comparative medicine, push paperwork through to insurance companies so that they can deny claims faster, and many other "features" that don't really do anything for the doctor.

        

      The problem is not that doctors don't like IT, it's that they don't get the same value out of it that other participants in the system do.

    • EMRs today are like CASE tools were back in the early 90's. Think back to the early- to late-90's and all the talk surrounding CASE (computer aided software engineering) and how, by automating requirements gathering and coding tasks, we would "improve the engineer" and perhaps even get rid of programmers. Pretty soon we realized that programming is a cognitive process not easily modeled or automated -- we realized that the training and tasks performed by programmers and engineers can't easily be improved. Once we gave up on CASE tools (and on improving programmers' thought processes) we learned that we could improve significant tasks like editing, compiling, testing, etc. and the actual application lifecycle.


    • I have made my opinions on honeypots known, and while I think they're fun and useful to those who have the time or focus on analyzing attackers and their tools (I can't stress enough that there *are* orgs that *should* be using honeypots [like F-Secure!]), they're just not useful to most organizations (in fact, almost all, if you ask me).
    • When I have the SSO conversation at length with people, the conclusion is always the same. If all you have are applications from the last 10 years and some cloud stuff, there are approaches, including Quest’s, that can fully solve that problem. You can integrate into your commodity AD authentication, put up SSO portals, or use widely adopted standards like SAML – or all of the above in a clever combination. Even thick client GUI applications can be tamed with enterprise SSO (ESSO) solutions at the desktop. The things that always end up falling through all the cracks are older applications. Things that are often the crown jewels of the business. Applications that are so old because they are so critical that no one can touch them without huge impact to the business. But the older technologies resist almost every attempt to bring them under control. Even ESSO, which is the catch-all for so many other laggards, can’t tame many of the odd green screens, complex multi-field authentications, or other odd things that some of these applications demand at the login event. When I’ve spoken to our SSO customers, they always seem happy with 70-80% adoption on their SSO projects. They know they will never get that last group until the applications change. But there doesn’t seem to be any compelling event for those applications to be changed.