John Pescatore

VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems.

Ten Years to Get Good, Ten Minutes to Prove It

by John Pescatore | November 17, 2008

"Plans are of little importance, but planning is essential." – Winston Churchill
"Plans are nothing; planning is everything." – Dwight D. Eisenhower
"No battle plan survives contact with the enemy." – Helmuth von Moltke the Elder

(Wiki entry for "plan")

Time magazine recently had an interesting piece on Malcolm Gladwell's new book "Outliers." In the book he references the "10,000-hour rule," which says that in order to excel at something you have to spend at least 20 hours a week for ten years doing it. That idea really comes out of training Olympic-class athletes in physical competition, but it is nice to find some justification for how experience does matter.

I think for the first ten years of my career I was really good at attacking and solving problems, but not so good at seeing the connections between the problems, or any patterns that could lead to ways to avoid the problems. There's probably some evolution-driven reason why it works this way: the fast young cave guys rush out and chase the wildebeests, while the older, slower, chubbier cave guy waits behind the tree past which he knows the other wildebeests will rush to escape.

That rule and that approach worked fine when it took generations before the wildebeests changed their patterns, but when threat generations are measured in months, not decades, what do you do? As a great scholar once said, "The only difference between a rut and a grave is the depth of the trench." If well-established security processes don't react to change, they don't work.

That leads to an interesting Security Brief on threat modeling in Microsoft's MSDN Magazine by Michael Howard. Threat modeling is a good way to inject some continual updating into mature processes, whether the process is software development, vulnerability management or intrusion prevention: revisiting the model as threats change forces the established process to change with them.
