Spiritual IT Security.

Some duality, some overlap, some scientific methodologies.

Monitor and surveil both your IT and personal "outputs" i.e. what you or the network or system generates and redistributes in to the interconnectedness; be it social, personal or techincal.

*Then*, and only then, base your controls, processes, methodologies and frameworks or risk assessments upon empirical evidence.

No wonder it's so hard to listen to a system or network, when we don't even listen to ourselves.

Monitor the outputs. Control the inputs. Refine the processes.

Tell it like it is boys

Spotlight: Cyber Terrorism Roundtable with Sami Saydjari, Marcus Ranum, Dean Turner and hosted by Nicole Greco. Discussion on cyber warfare, cyber terrorism, cyber defense with interviews by Mikko Hypponen and Andrew Colarik. Key issues on Estonia, China, Russia. Aired in November 2007.

And here is a snippet from one of Gunnar Peterson's posts I heartily agree with:

"If you want to make a bunch of acquisitions, outsource a ton of work, send a bunch of projects overseas, have multiple reorgs, connect up a ton of historically siloed systems, hook everything to the web and THEN GO ON A QUEST FOR CERTAINTY - well good luck to ya, mate. I think your time is better spent finding ways to lower your risk of permanent loss than trying (pretending) to achieve some semblance of certainty in that environment." From http://1raindrop.typepad.com/1_raindrop/2007/11/dhandho-infosec.html