Fred Avolio's Musings


Wed, 02 Mar 2005
Security and Relationship

At the faculty-led round-table discussion at the recent Mid-Atlantic Network Security Forum, my discussion topic was "Keeping your sanity while positively influencing your enterprise security posture" (or maybe it was a bit less wordy).

These are some of the things we came up with.

  • Consistent, regular, targeted communication is important. "Targeted" as in speaking the executive language to the execs, and technical language to techies.
  • Sometimes a grown-up with a customer-service orientation and an MBA who is also technical is an asset.
  • Hold security forums aimed at the security people plus everyone else.
  • Demonstrations of what can happen -- in a controlled, demo environment -- are useful.
  • Build community. The security staff should know people and be known by them.
  • Face-to-face, one-on-ones break down walls between countries, organizations, and levels in an organization.
  • Before any changes: educate, educate, educate, and warn that they are coming.
  • Keeping up with change and maintaining a gradual improvement in the security posture is often just fine (i.e., good enough).
  • "Old school" security management -- "Because I said so" -- just does not work anymore.
  • Ask "what makes sense in our environment and our corporate culture?"
  • Remember, those in power -- and maybe others -- may always ask, "But, why?" Or, "Prove it to me." Or, "Which government regulation?"
  • Be patient, wait for the business case, take it one step at a time. But, stay the course, and stick to the plan.
  • Oh, yeah. Plan.
  • Sometimes the user is his/her own worst enemy. He/she doesn't need another.
  • Concentrate on protecting your most important assets. Do the best you can with the rest.

In addition to these things, remember my blog Seven Things to Help Keep Sanity and Equilibrium.


A Security Haiku

The background: it is traditional, at the faculty-hosted "Gala Dinner" of the Institute for Applied Network Security Forum, for the faculty to be the entertainment. It is also traditional for faculty-member Marcus Ranum to come up with the assignment. In the past, we've had to come up with our (individual) favorite pet-peeve or rant in the area of computer and network security. (See a column based on mine at www.ianetsec.com/news/all_fc_avolio1.htm or this blog entry.)

At the recent Mid-Atlantic Network Security Forum the assignment was to come up with a haiku (at least structurally) based on a real network security story.

First the abbreviated story:

Since I don't like to make fun of current clients, this is something that happened back in 1993. My team and I were connecting a high-profile government site to the Internet for, they believed, the first time. We were going to install a firewall that we had built specially for the occasion. We suggested a review of the existing physical network to make sure that we and they knew where they were already connected. The review turned up an already-existing connection to the Internet through another organization. In fact, at the time this other organization was well-known for getting broken into.

The haiku:

Plan for firewall
Why should we even bother?
Dead ends at Goddard.
