https://www.quickenloanscareers.com/web/ApplyNow.aspx?ReqID=53545

From the job posting:

WARNING:  If you believe in implementing security only for the sake of security or only for the sake of checking a box, then this is not the job for you.  ALSO, if your primary method of justifying security solutions is to sell FUD to decision makers, then we STRONGLY suggest that you close this page right now as it’s POSSIBLE that reading this job posting will infect your computer with a worm, virus, trojan, nasty bacterium, and/or bovine spongiform encephalopathy OH MY!!!  In fact, you should just stop using the scary interwebs all together!

Kudos, Keith.  You’ve made the Alex Hutton Personal Hall of Fame with this one.

Including my favorite:

Thanks to my friend Bob Rudis for the headsup.

But that’s just me.  Your thoughts on others in the comments?

LulzSec is running around pummelling some of the world’s most powerful organisations into the ground… for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn’t any.

And I have to admit, I’m taking a certain amount of pleasure in watching LulzSec. Whoever’s doing it are actually entertaining, when they’re not breaking the law. And even sometimes when they are. But at those times, they’re hurting folks, so it’s a little harder to chortle along.

Now Patrick’s argument is in the close, and I don’t want to ruin it, but I will:

So why do we like LulzSec?

“I told you so.”

That’s why.

The essence of this argument is that we in security have been telling management for a long time that things are broken, and we’ve been ignored. We poor, selfless martyrs. If only we’d been given the budget, we would have implemented a COBIT ISO27001 best practices program of making users leap through flaming hoops before they got their job done, and none of this would ever have happened. We here in the business of defending our organizations would love to have been effective, except we weren’t, and now we’re mother-freaking cheering a bunch of kids who can’t even spell LOL? Really? I told you so? Is that the best that we as a community will do?

Apparently.

We’re being out-communicated by folks who can’t spell.

Why are we being out-communicated? Because we expect management to learn to understand us, rather than framing problems in terms that matter to them. We come in talking about 0days, whale pharts, cross-site request jacking and a whole alphabet soup of things whose impact to the business are so crystal clear obvious that they go without saying.

And why are we being out-communicated? Because every time there’s a breach, we cover it up. We claim it wasn’t so bad. Or maybe that the poor, hapless American citizen will get tired of hearing about the breaches. And so we’re left with the Lulz crowd breaking and entering for shits and giggles to demonstrate that there are challenges in making things secure.

I don’t mean to sound like a broken record, but maybe we should start talking openly about breaches instead. Maybe then, we’d get somewhere without needing to see Sony, PBS, and Infraguard attacked. Heck, maybe if we talked about breaches, one or more of those organizations would have learned from the pain of others.

Nah.

Let’s just wait for “the world’s leaders in high-quality entertainment at your expense” to let us say I told you so.

It sure is easier than admitting our communications were sub-par.

[Thanks for the many good comments! I've written a follow-up post on the topic of communication, "Communicating with Executives for more than Lulz."]

Under these circumstances, then, it becomes more likely that the charges are indeed weak (or false) ones made to seem as though they are strong. Conversely, if there were no political motivation, then the merits of the charges would be more closely related to authorities’ zealousness in pursing them, and we could take them more at face value.

Likewise, there’s a lot that you can’t measure about security and risk, but you can still infer something from how the effort is pursued.

GUNNAR PETERSON GIVES GOOD PDF

First, in case you haven’t read Gunnar’s article “Reference Monitor For The Internet Of Things (.pdf)” in the latest IQT Quarterly, you really should.  Gunnar smart, Alex head hurt.

CHECKLISTS, KNOWLEDGE AND EXPLODING AIRBUS ENGINES

The Daily Speculations Blog has an interesting link/blog/discussion about the recent Quantas Airbus problems.   What caught me especially was this point - “Over-riding systematic considerations in favour of discretionary controls”. The actual interview they link to is here.

SOMETHING NICELY DONE DISCUSSING PRO’S & CON’S OF BEHAVIORAL ECONOMICS

Here’s an article in FundStrategy webzine called “DefiesLogic” that discusses behavioral economics, biases, market actors and so forth. Ben Hunt (the author) seems a little down on (or at least wants to curb the enthusiasm over) Behavioral Economics.  I’m OK identifying the limitations of any applied tool.

NOT RELATED – GOOGLE CHROME

The “computer guy” part of me finds Google Chrome to be interesting.  The “security management / risk guy” in me thinks the platform has  fascinating potential.  Here’s the TechCrunch review of the new laptops.

ABSOLUTELY NOTHING TO DO WITH INFOSEC BUT I LAUGHED

Awkward Pregnancy Photos.

Thanks to Chris Eng for making this!

Thanks, N! (Added link)

Now the funny thing about that is that I had pretty much forgotten all about CRISC, even though we’ve had a lot of fun with it here at the New School and made what I thought were some very good points about the current lack of maturity in Risk Management and why the last thing we need is another process-centric certification passing itself off as expertise.

I went back and re-read the original articles, and I think that they are still spot-on, so I decided that I would instead take another look at CRISC-The-Popularity-Contest and see who has turned out to be right in terms of CRISC’s relevance now that it’s been nine months almost to the day since ISACA announced it.

Quick, dear readers, to the GoogleCave!

Hmm…CRISC isn’t doing so well in the Long Run.  That’s a zero (0) for the big yellow crisc.

Of course, in the Long Run, we’re all dead, so maybe I should focus on a shorter time frame. Also, I see that either Crisco’s marketing team only works in the fall or most people only bake around the holidays.  If you had asked me, I would not have predicted that Crisco had a strong seasonality to it, so take whatever I say here with a bit of shortening.

Let’s try again, this time limiting ourselves to the past 12 months.

Nope…still nothing, although the decline of the CISSP seems to have flattened out a bit.  Also, we can definitely now see the spike in Crisco searches correlating to Thanksgiving and Christmas.  Looks like people don’t bake for Halloween (Too bad.  Pumpkin bread is yummy) and probably don’t bake well for Thanksgiving and Christmas if they have to google about Crisco.

Oh, well.  Sorry, CRISC.

Now, if you’ll excuse me, I have a cake to bake.

P.S.  Yes, I’m aware my screenshots overflow the right margin.  No, I’m not going to fix it.