Monday, January 5, 2009

New Year's Resolution for 2009

Well, another year has come and gone, and we are mercifully nearing the end of the prognostication period: that time of the year when everyone starts gazing into their crystal balls to tell us what the big threats are going to be for 2009. Generally speaking, I try to avoid making predictions and I try to avoid reading other people's predictions. However, there is one prediction that I feel safe about: Management is going to freak out about some sexy-sounding problem and throw excessive resources at it at least one time in 2009.

The reason I don't like to focus on predictions is that I really don't think they help with anything. In fact, I'm more likely to develop tunnel vision and look for these specific attack vectors rather than focusing on developing a sound strategy for securing my resources. So instead of giving you my predictions for 2009, I'm going to tell you about my New Year's Resolution for 2009.

This year I want to put more effort into moving away from using Fear, Uncertainty, and Doubt to get my ideas past management. I want to start developing metrics that I can use to back up my claims and metrics to prove the value of my suggestions. This is not an easy task by any measure. Many times over the course of the year it will be easier for me to spin some voodoo about an unseen threat and get my way. However, I know that if I can put in the time and develop the discipline to be more scientific in my statements and requests, then it will pay dividends. For example, there are people in my organization who challenge me on just about every idea that I present. If, however, I gain a reputation for having solid data to back up my claims and a track record of showing hard results, then it will become more difficult to impede me.

The other major resolution I'd like to share for 2009 is that I want to spend as little money as possible on security. This year I'd like to show that you can achieve compliance and you can improve security without spending a big pile of cash. The reason I feel this way is that there is so much you can achieve just by implementing the basics. And the basics are free.

Some examples of where I've started on each of these resolutions are here on the blog. A few months ago I started a real study into the effectiveness of our passwords and how our password strength is being affected by the recent change in policy. A couple of days ago I shared a script I started developing to automate my detection process for data leaks. I hope to do more of that in 2009, and I'll try to keep it all documented right here.

So I hope that 2008 was good to all of you, and I hope that you'll be feelin fine in 2009!