While this is most certainly a time to enjoy family and be together, I want to take a brief moment to express gratitude for the good things that have befallen our company in the past year.

Harkening back to a weekly sports column I wrote in 2008, I offer you MeThinks. The official definition of the word is “it occurred to me”, so today MeThinks I am thankful for:

1. Every single one of the 500+ customers who have bought Network Emulators and Net Tool Optimizers from Anue Systems in our seven years of existence.
2. Our outstanding group of channel partners who are out there in the field spreading the word about Monitoring Optimization and Pre-Deployment Testing
3. Erin Jacobs, Mike Pennacchi, and Branden Williams, the three thought leaders in packet analysis, security, and PCI compliance who are presenting their outstanding knowledge at the Eye on Security webinar series.
4. Every out of band monitoring tool vendor, without whom Monitoring Optimization would be merely words on a page.
5. Our competitors, for pushing us to make our Monitoring Optimization solution better and better with each passing month.
6. The good folks who offer outstanding and free social media tools such as Twitter, LinkedIn, Facebook, PitchEngine, and WordPress. Social media is here to stay, and we are glad to have the opportunity to take part in the community itself.
7. The City of Austin for providing us such a beautiful city and highly educated population with whom we can interact, work, and thrive. We can’t say how important it is to operate in such a progressive, innovative, and open-minded culture.
8. All of our hard-working employees who have helped poise us for continued growth heading into next year.

And finally, we are thankful for you, the readers of this blog. Without you, these words are just words, but with your gracious attention and feedback, we can enjoy a continuous and rewarding conversation.

MeThinks 2010 will be a great year to know Anue Systems. Join with us for this exciting ride.

Couldn't have said it better myself!

SPoT: David Mortman / @mortman

Today we focus on a gentleman who we have followed since our very early days on Twitter: David Mortman. According to his bio, Mr. Mortman is a CSO who is currently seeking his new adventure, so if you like what you read here, perhaps you can explore working together.

Together with Alex Hutton and other leading security experts, David is one of the masterminds behind The New School of Information Security. Take a look at David’s most recent post titled Meta-Data? for a good read about the appropriate level of information that is required to have important strategic discussions about security. The post has already spawned a conversation within it’s comments.

Real Name: David Mortman
Twitter Handle: @mortman
Top 3 Social Media/Networking Sites:
Twitter is the main one I use, although I have accounts on Facebook and LinkedIn as well

1. In which area(s) of security are you most involved?
These days I’m largely involved in management, risk, privacy and compliance, although I still do some technical security work as well.

2. What security topics will be the most important in the next 18 months? Why?
Compliance by a long shot, there are lots of new regulations on the horizon, plus PCI and the new changes to HIPAA, all of which will keep lots of folks busy.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
One of my personal long term goals is for business stakeholders to better understand what security can and can’t do for them.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
Twitter started out as just an convenient way for me to keep in touch with peers in a more interactive way than  email. It quickly became a great medium to launch discussions about security and privacy issues.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name 2 if you can’t decide on only one)
Jeremiah Grossman (@JeremiahG), Alex Hutton (@AlexHutton), and Shrdlu (@shrdlu) [EDITOR'S NOTE: Does anyone actually know @shrdlu's real name?].

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
I think that having security concerns with social media and cloud services is important, but that they are often over-hyped in the media. My biggest concerns are around reliability with regards to uptime / data recovery and compliance. Largely going to the cloud isn’t significantly different than other forms of outsourcing, provided you can get the appropriate protections for your business. This does mean that you can’t just use any cloud service “willy-nilly”, but that’s not any different then any other outsourcing agreement. As for social media, this is largely an education issue, similar to what companies have had to deal with in  public IM services that have been around for over a decade now. We just need to remind employees what is and is not appropriate to discuss, and remind them that social media is, in fact, a public forum.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
RSA, Blackhat/Defcon and any conference I am at .

Seriously though, I hear great things about Shmoocon, Toorcon, and SecTor.

Security Pros on Twitter (SPoT) Series Wrap Up

We have greatly enjoyed networking with all of these impressive SPoTs, and we hope you have also found the content enjoyable and informative.  Our next series will profile some key technical sales personnel at security tool companies, and we hope you are looking forward to it as much as we are.

As always, we want your feedback. Got a hot topic you want to see discussed on here? Want to contribute a guest post? Have an idea for an interesting additional series on any topic in network monitoring or security? Bring ‘em on; we’re all ears.

SPoT: Michael R. Farnum / @m1a1vet

Welcome to today’s entry in the ongoing SPoT series. Today, we are covering someone who serves a different role in security, Michael R. Farnum, who is a Pre-Sales Security Engineer for a VAR / Consulting company. Most of our SPoTs to date have been client-side practitioners, but that is most certainly not a requirement to be considered a “Security Pro”. Mr. Farnum is also known for his role in An Information Security Place, a blog which offers insightful security podcasts a minimum of once each month. The podcast discusses a range of topics, including hacking, security breaches, PCI, vulnerabilities, security/compliance audits, and cybersecurity.

Real Name: Michael Farnum
Twitter Handle: @m1a1vet
Top 3 Social Media/Networking Sites:
Twitter, LinkedIn, YouTube

1. In which area(s) of security are you most involved?
Because I am a pre-sales security engineer for a security consultant / VAR, I tend to have my fingers in a lot of pies.  I talk to clients about risk, compliance, and security assessments.  I also talk to them about security technologies to fill the gaps found when doing a gap analysis or assessment.  I have to keep pretty current in those areas as best I can [to] find opportunities to help my clients.  I also podcast about security quite a bit (since Twitter and work has pushed down my blogging volume).

2. What security topics will be the most important in the next 18 months? Why?
I think more and more disillusionment with PCI will really begin to cause the PCI Security Standards Council headaches.  I believe you are going to see some big push back on PCI DSS by companies of all sizes, as more and more money has to be spent on keeping “compliant”.  Though I have had major issues with Robert Carr, CEO of Heartland Payment Systems, in his recent interviews, I believe the auditing process has really come under fire lately and will continue to do so.  It is a broken model.

Of course, cloud computing will continue to move up and up in everyone’s mind, in both infrastructure and, necessarily, security.  Even if the economy improves, I believe this is a train [on which] more and more companies will jump, to varying degrees.  And specific to compliance, if cloud providers can start showing that compliance headaches can at least be eased by the Cloud, then it will grow even more.  I know that is a huge question, but if they can at least make CEOs and CIOs believe it, the Cloud will grow.  I don’t like it, but there it is.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Let me change the focus of this question.  I think the failure to secure one’s business infrastructure is a failure of basic responsibility.  This is not just a business stakeholder issue, because security is not just about the ability of the business to turn a profit.  Of course, security is a driver for profit if done right and applied correctly.  But if the economy as a whole has major issues, then that business and every other business will begin to feel pain.

Here is what I mean.  Good security measures contribute to the whole economy.  Just like businesses often become a part of their neighborhood or the community as a whole by contributing money and resources for good causes, those businesses should also contribute resources to the security of the Internet as good Internet citizens.  They must look at how their security posture affects the whole of the Internet.  The Internet is, obviously, a huge part of the economy.  When a company becomes a cesspool of malware, they become a hindrance and a detriment to that economy.  Business over the Internet is not going to stop, but I wonder how much better it could be if even one third of businesses would clean themselves up.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
Twitter started out simply an outlet for my way of thinking.  I am a “snippet” thinker.  I am a quipper, if that is a word.  I used to blog a lot, and I felt that I always needed to expand on my thoughts when I blogged.  But I often simply wanted to kick out a thought and just forget about it, or at least save it for later.  Twitter gave me a way to do that without feeling “guilty” for not expounding.  I sometimes get into trouble via Twitter, but that is because I sometimes quip without thinking first.  There are a lot of people doing research on various subjects and products via Twitter, so I have to be careful.

That same dimension of Twitter is what makes it so valuable.  So many people are giving their “two-cent’s worth,” that I can literally come up with ideas on security which would never have naturally occurred to me without the inspiration from some Infosec Twit.  It gives me options to take to clients.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Without a doubt, Chris Hoff (@beaker) is on of the top on my list.  His insights into security continue to astound me.  He is always on the forefront of security ideas, and his spectacular imagination makes his method of dispersal of those ideas entertaining.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.

The Cloud: A Modern-day Jabba the Hut?

As stated above, cloud services make me nervous.  I used to trust that “blob” out there where all my lines seem to terminate in the Visio drawing.  But now that cloud providers want to get all my data floating out there, that trust has diminished quite a bit.  I just don’t see the same enterprise that is buying DLP letting all their data go into this mass that looks more and more like Jabba the Hutt everyday.

Social media is going to grow and grow and grow.  I can’t go a day without hearing about another social network.  I don’t think it is a fad.  But it will continue to cause great security fears for me.  I no longer have a Facebook account, because I just got sucked into it so quickly that I was not guarding my content very well.  Yes, I only allowed certain people to see my page,  but the temptation to let more and more people see it was getting out of control.  That is why it never ceases to amaze me how so many security folks have Facebook pages and are on other social media sites.  I don’t fault them.  if they weigh the risk and deem it appropriate, then more power to ‘em.  But I know my propensities, so I had to stop myself.  If you are an infosec professional, then you have to look very closely to see if those types of sites are good for you [or not].

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?

• I am more and more into local user groups and conferences.  I have attended TRISC here in Texas, and I attend local ISSA meetings.  I am also looking to start up a local Houston NAISG chapter.  That kind of event appeals to me.
• The RSA Conference is something I attend more for the socializing aspect (security bloggers gathering).
• BlackHat/Defcon are a must if you want to rub elbows with the geekier group.

SPoT: Alex Hutton / @AlexHutton

Welcome to our ninth installment of Security Pros on Twitter.  This week, we are featuring Alex Hutton, who “works in Risk Intelligence for a Fortune-something company”, according to his profile on The New School of Information Security blog, where Alex is one of the main contributors of content. The blog shares its name with a 2008 book authored by blog founders Adam Shostack and Andrew Stewart, and they are joined by some savvy security pros including Alex, David Mortman, and Brooke Paul. Mr. Hutton has been involved in security since the early ’90s, and we are very glad to profile him as a SPoT.

Real Name: Alex Hutton
Twitter Handle: @alexhutton
Top 3 Social Media/Networking Sites:
Twitter, Facebook, LinkedIn

1. In which area(s) of security are you most involved?
I love Risk, Management Science, & Security Metrics.

2. What security topics will be the most important in the next 18 months? Why?
Regulatory pressures & Business Intelligence.

I think we’re going to see Regulatory pressures (both government and private pressures) increase, because I believe that our industry will continue to see people outside our profession try to “solve” our problems for us.  The danger being that their good intentions will lead us towards an undesirable destination.

Business Intelligence for InfoSec, done right, could be a major catalyst towards solving significant problems in security.  If we’re lucky, it’ll destroy GRC as we know it.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Wow, if you’ll forgive me for saying so, I think that question is backwards.  If you think about it, it’s rather egotistical to think that “they” need to “get” us.  Nope, my perspective is that they sign the paychecks, so “we” need to “get” them.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I became active when I was developing Risk Analytical software using Ruby On Rails.  Twitter was just kind of experimental then, a neat RoR app to play with.  I was also very interested in how my application would provide security practitioners with a feeling of “Miryokuteki Hinshitsu“, and thought maybe Twitter (or rather twitter-like functionality) might be a piece of that.  The idea being rather than long, arduous web forms in Archer-like software for project management, security analysts could just “tweet” their processes and outcomes back to a central server using an IM-like interface (yeah, this was back when you could still use Jabber for Twitter).

The value I get is twofold.  First, I get to meet good people.  That’s important, as everyone has perspective that contributes to your world view, and I believe that your world view is only as good as it is broad.  Second, and related to that, I get to watch really smart people talk.  For example, I used to despise PCI-DSS, and now I don’t.  That’s largely because of conversations I’ve had with @sfoak and others on Twitter who desire that we stop whining and start solving problems.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Only two?!  Ed Bellis (@ebellis) and Dave Lewis (@gattaca) – both Security Management, both with massive amounts of “get it”ness.  Apologies to dozens of others I would have liked to have mentioned.  And everybody mentions @shrdlu, so he goes without saying.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
IMHO, social media represents more of a time-wasting threat than new attack vector threat.  With regards to the cloud, it’s going to be a mess. And I like that.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
I would break down real world events into two categories – local and non-local.  Pick any of the large non-local events to try to get travel budget for.  Networking with peers is super-important for your career on so many levels.  That said, I’d spend a ton of time getting to know the local environment, even if that means creating your own informal events (especially  if your ISSA/ISACA/Infraguard meetings are “Death by Powerpoint”, with little time for socialization).  The most successful professional events I’ve ever gone to was our Security MBA (Masters of Beer Appreciation) events in Columbus organized by Dan Houser.  We can put our professional guard down, not be over-exposed to some “speaker”, and really have meaningful conversations about our professional and personal lives.

SPoT: Andy Willingham / @andywillingham

Real Name: Andy Willingham
Twitter Handle: @andywillingham
Top 3 Social Media/Networking Sites:
Linkedin, Twitter, Facebook

1. In which area(s) of security are you most involved?
I started out in Network Security but have focused mostly on program development, regulatory compliance, and architecture for the last few years.

2. What security topics will be the most important in the next 18 months? Why?
I think we really need to focus on user education, reclaiming the desktop, social media and “The Cloud”. The first two will give us the biggest bang for our buck, and the last two have to be tamed before they get too far out of hand. They are coming fast and furious, and we can’t stop them, so we’d better learn how to secure them.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
We have got to start involving security in the beginning stages of projects. I can’t tell you how many times I have found out about something in a Change Control meeting when the business was trying to get approval to go live with something. They had been working on it for months, and no one ever said “Hey, I wonder if Security would have any concerns about what we’re doing?”. It only hurts them in the long run, because they end up getting delayed on launch, or if someone with enough clout “insists” that it still go live, they end up spending lots of time and money fixing things that could have been prevented. It looks bad to their customers because of all the down time and bad features.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I’ve spent much of my career in smaller companies with limited tech staff, and there have been lots of times when I needed someone to bounce an idea or question off of, but the only option that I had was an online forum. Not that there is anything wrong with that, but you are taking a chance that 1) someone will know the answer and 2) that person will actually check the forums and see your question, which can often take several days. With Twitter and other social media sites, I’ve got experts in all fields right there willing to help out. It also keeps me informed on up to the minute happenings in security, and it is lots of fun to banter with and trade ideas with others in near real-time.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Michael Santarcangello, The Security Catalyst, @catalyst on Twitter. Santa thinks like no other security pro that I know. He is on to something that has the potential to set the security industry, and by default the companies we protect, on it’s ear. He not only realizes that we need a shift in how we think and how we practice security, but he has a plan and is actively getting the word out.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
First off, as I said earlier, they are here to stay, and we had better do something about it. We can’t just sit back and wait until our company adopts them, and then try to figure out how to secure them. Chances are there are people in your company who are already using them, and you just don’t know about it yet. As security pros, we have to know the issues, concerns, and threats to fix them before they become problems.  My first concern is that [this movement] is happening too fast and the industry is not keeping up. Businesses are adopting them without taking proper measures to ensure that they are being used in a secure manner. As for overstated issues, there are a few, but what makes them overstated is that lots of “experts” are talking about them and complaining about them withoutt offering any real solutions. It’s okay to talk about problems so that others become aware of them, but then you need to either quit talking or start offering something of value.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
Picking a specific three is hard because what you choose (especially if it costs money) needs to be based on what your area of focus is. RSA is a safe bet for most any aspect of security, but beyond that, it gets foggy. If you have the budget, I’d say do something like this: Go to RSA and one conference that is specific to your area of expertise. Then I’d say find local chapters such as NAISG, ISSA, InfraGard, DC 404, etc., and attend their meetings and events. If you can do those three things, then you will be able to build a network that will serve you well in solving problems, answering questions, and finding new positions when the time comes to move on.

SPoT: Jeff Kirsch / @ghostnomad

Jeff describes himself as “Infosec geek, IT risk (yes I am a risk), CISA, husband and father“. As you can tell from his bio, he offers a a nice blend of professional and personal information, with a little fun thrown in, which is precisely what you’ll find in his tweets. Jeff personifies what many of us hope to find on Twitter: “real, interesting, and engaging people.”

Real Name: Jeff Kirsch
Twitter Handle: ghostnomad
Top 3 Social Media/Networking Sites:
Twitter, Linkedin, SecurityCatalyst.com

1. In which area(s) of security are you most involved?
I have been an IT Auditor for the last 8 years. I get to work with many aspects of security, but I find myself always drawn to the core infrastructure. If I am digging into operating systems, databases, or network security, then I am happy.

2. What security topics will be the most important in the next 18 months? Why?
Protecting what provides value has always been and will always be the most important challenge in security. I know that is a broad statement, but the technologies are always changing, thus provide a wide array of potential to the threat landscape. Ultimately, systems that provide a service have value and are targets. Being able to adapt to those trends will be most important.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Business requirements should be built into systems, instead of designing a system for security and then creating exceptions to the controls. Exceptions to security are typically not intended to create security holes; they result from a failure to design all needed business requirements into the security structure. Having good communication between security and business design are important early in a project to close any gaps that may arise.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I originally joined LinkedIn on advice from the Pauldotcom Security Weekly podcast when they discussed protecting your digital identity. It made sense; even if I had limited information available on my own profiles, that is better than having inaccurate information freely available. I jumped on Twitter later because it seemed the place to be. I thought I would just lurk around and drink from the Infosec knowledge tap, but I never expected to participate. Being on Twitter has allowed me to interact with people I probably would have been afraid to talk with otherwise.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name 2 if you can’t decide on only one)
I find Jack Daniel (@jack_daniel) is a great source of information for all the is network infrastructure [Editor's Note: Jeff submitted this answer before the Jack Daniel profile went live]. He has a no nonsense approach to dealing with issues that he sees arise. Christofer Hoff (@beaker) is certainly someone I recommend when it comes to the cloud. To say he spends a lot of time with his head in the clouds is not a negative thing in the least, and he gets down to business as well. There are many people out there that bring unique perspectives, and I enjoy the banter.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
I think social media and cloud services face similar threats that “traditional” technology faces. When you put information someone wants in a place they perceive they can get it, you usually see a lot of determination and effort put into gaining access. It is important to focus on educating people about how we can use these technologies while protecting the information that drives their usefulness.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
I don’t get out all that often, but when I do I stick with local events. I still engage a broad range of security professional at local events. I like the Northeast Ohio Information Security Summit, and always find great value in the people I meet. From my social network, I would say Defcon and Shmoocon sound like really great places to get together with security people from all around. Those are on my wish list for the near future.

SPoT: Jack Daniel / @Jack_Daniel

Welcome to this week’s installment of Security Pros on Twitter. Today’s SP is a very well known security expert, and one who brings an intriguing dose of personality to the table, Jack Daniel. Self-described on Twitter as “Sporadic blogger, Tech Community Activist, InfoSec Curmudgeon, Reluctant CISSP, Amateur Blacksmith, and stuff”, Mr Daniel is truly a man of many “hats.” In addition to serving as the Director of the National Information Security Group (NAISG), Jack shares his musings on Twitter and his blog, Uncommon Sense Security.

Real Name: Jack Daniel
Twitter Handle: @jack_daniel
Top 3 Social Media/Networking Sites:
Twitter, Linkedin, and Facebook as a distant third

1. In which area(s) of security are you most involved?
I live and work in the UTM space, covering all the fundamentals of network security, firewall/content filtering/proxies/VPNs, etc.

2. What security topics will be the most important in the next 18 months? Why?
It kills me to admit it, but “cloud” computing (whatever that means) will be very important.  Not because of the hype, but because, like virtualization, it will let us make old mistakes in new and creative ways while also offering exciting and original ways to get security wrong.

I also think that “antivirus” is of renewed importance.  Microsoft’s venture into free antivirus and the impact that will have on the AV industry, combined with the increasing irrelevance of traditional AV in defending against many modern attacks, means that it is time to step back and challenge what works, what doesn’t, and what to do about it.  We may not have many conversations about this, but we should.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
A failure to grasp and act on the fundamentals.  In network security, this often manifests itself as an unhealthy push for needless complexity, which dramatically increases the likelihood of misconfiguration and failure.  (I’m not blaming anyone, but if I did, I would look toward San Jose, CA)  All the blinky-light boxes in the world will not overcome basic misconfiguration issues.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
My adoption of Twitter was pretty slow, and has grown gradually over time.  It started as a way to stay in touch with friends and has expanded into a powerful (and still wonderfully inane) way to communicate.  I have gotten more out of Twitter than I can list in a short space, from friendships and information to Twitter being the starting point for the Security B-Sides events.

5. Name one security peer whom everyone with an interest in Network Security should follow. (OK to name 2 if you can’t decide on only one)
That’s hard; I follow too many people for too many different reasons to pick one or two.  I’ll cop out and recommend following @SecurityTwits, that is a good way to find out who is saying or asking what, which leads to finding good people to follow.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
The fundamental insecurity of social media is also why people use it.  Platforms designed for openness and sharing of content are perfect for exploitation, but if you lock them down, you lose their value.  User education is the only solution, and that will only reach a limited number of people (and they don’t have to listen).  I have more hope for the security of cloud services in general; I think it will eventually be possible to do an acceptable job of securing the infrastructure, but as with everything else, the client implementation is where I see ongoing insecurity.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
RSA and BlackHat are giant events with many opportunities for socializing and networking.  SOURCE Boston is a much smaller event – you could almost call it intimate – and it really encourages the feel of community.  I’ll cheat and add a fourth – Shmoocon is a great and affordable event.

SPoT: Branden Williams / @BrandenWilliams

Welcome to this week’s installment of Security Pros on Twitter. Today we turn our attention to an expert in a very important area of compliance, PCI DSS – the Payment Card Industry Data Security Standard – in addition to his other areas of security expertise. Branden Williams is the Director of the PCI Practice for Verisign, a global security consulting firm. He also maintains a Verisign blog focused on a range of security topics: Branden Williams’ Security Convergence.

Real Name: Branden Williams
Twitter Handle: @BrandenWilliams
Top 3 Social Media/Networking Sites:
Linkedin, Twitter, Facebook

1. In which area(s) of security are you most involved?
My primary focus is payment security, however, my background is fairly technical and includes application development.

2. What security topics will be the most important in the next 18 months? Why?
Application Security, Data Discovery and Loss Prevention, and Wireless.  The first two are inter-related as we continue to amass more data on more individuals, and need more ways to crunch the data.  Today, we have a myopic view of where our data lives, which unfortunately becomes focused when we lose it.  The latter is a catch-all.  More applications are going mobile, thanks to improvements in networks and devices like the iPhone.  Watch for attackers to flock to those platforms.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
I’m not sure I have one particular one, but the future of security lies in the hands of those individuals that can speak to the business about quantitative risk in a way they can understand.  Security is a business issue, and they need to be on-board with it.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I became active on Twitter to keep up with colleagues in the industry and to stay on top of the deluge of information available to netizens.  I’m getting a ton of value as it helps me promote my blog and allows me to learn more about emerging trends.

5. Name one security peer whom everyone with an interest in Network Security should follow. (OK to name 2 if you can’t decide on only one)
@DavidNavetta – Legal professionals need to have an open dialogue with Security pros.  This guy gets it, bigtime.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
The top concerns around this type of media really should be the content, not the method.  PR departments have to embrace this more real-time method of information dissemination, but moreover, employees have to realize that what they post leaves a permanent record.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
RSA Conference, a long staple even though its attendance in recent years seems to have dwindled a bit.  Blackhat, the best of the best are here.  Information Security Forum, the global community is well represented here.

SPoT: Jennifer Jabbusch / @jjx

Ms. Jabbusch is an experienced network security engineer and consultant at Carolina Advanced Digital. She holds a CISSP, among other certifications, and she also maintains the Security Uncorked, JJ’s Complete Unofficial Guide to Infosec blog. Jennifer has consulted with a wide range of organizations and government entities, and she is also involved in various trainings and coursework to help share her security-related learnings.

Real Name: Jennifer Jabbusch
Twitter Handle: @jjx
Top 3 Social Media/Networking Sites:
LinkedIn, Facebook, Twitter

1. In which area(s) of security are you most involved?
Network & Infrastructure Security

2. What security topics will be the most important in the next 18 months? Why?
I could make up some great exciting answer here, but the truth is each organization is going to have their own top-priority security concern. Right now, I’m seeing trends from enterprise and government in wireless security, VoIP and the continuation of investigation in cloud and hosted security issues. In about 8-12 months, I think we’re going to see a renewed interest in the wired security standards that are coming with IEEE’s 802.1X-REV because of the complete re-tooling of thought that will accompany it.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
The intricacy of integration. The business side is used to solving problems with boxes. In the current network security environment, our solutions require an extensive amount of planning and integration between systems; you can’t simply install a magic box and make the problems go “bye-bye” any more.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
Several of my security colleagues dragged me in to Twitter prior to a major security conference. I found it was a great way to share ideas, find others in my specific niche, and get feedback from colleagues. Of course, I definitely picked up a few new blog readers through Twitter, too.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name 2 if you can’t decide on only one)
Oh my gosh- that’s a hard one! There are so many people I get value from, for a variety of reasons. On the network security side, I’d have to say Mike Fratto (@mfratto) for his unbiased and well-researched thoughts on various topics for Information Week. The next one that pops in my head would be Rich Mogull (@rmogull) because of his involvement in such a variety of interesting security-related projects. In addition to great security topics, these two, along with another dozen or so, keep me laughing each day.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
If I don’t own it, manage it, and see it; I don’t trust it. Our company policy mandates that no sensitive data is stored by a third party. We can outsource the services, but we’re not outsourcing the risk when the company’s reputation is at stake.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
My favorites are RSA USA, INTEROP Las Vegas, and SecTor. I was most pleasantly surprised with the type of content and level of professionalism at SecTor last year. It’s the one conference I speak at that I get up early for and stay late so I can watch all the other talks. It’s just THAT good!

SPoT: James Arlen (@myrcurial)

Beginning this week, we are kicking off our new SPoT (Security Pros on Twitter) series, profiling security professionals who are present and active on Twitter. We will profile one SP each week through the rest of the summer.

Since Anue Systems  (@AnueSystems) first joined in on the Twitter fun, we have followed and interacted with a variety of folks, and these are the thought leaders who we’d turn to first with a specific, hands-on question regarding security of the internal network, the cloud, or even virtualized environments.

Without further ado, let’s get to it…

Real Name: James Arlen
Twitter Handle: @myrcurial
Top 3 Social Media/Networking Sites:
Twitter / LinkedIn / Liquidmatrix Security Digest!

1. In which area(s) of security are you most involved?
I used to be technical/tactical – IT Security. These days, I’m spending most of my time working on Organizational Security and Risk Management.

2. What security topics will be the most important in the next 18 months? Why?
Of key importance (of course) is going to be the increasingly porous “perimeter” which will surpass database flaws as the primary source of data breaches. Unfortunately, the vendors are not on our side and are not going to help solve the problem. It needs to be fixed at the employee/user level through increased awareness of the problem and active cooperation on solutions.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
The thing that is the hardest to explain is that the presence of a firewall isn’t going to save you (the business user) from your own foolish actions – the best preventative technological controls available can be bypassed by (a) 14 year old kids and (b) users doing what they feel is the best thing at the time. [Once more for effect] A firewall won’t save you from sending your customer list to 100 sales people and 1 ex-sales person’s Hotmail account.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
The primary reason that I became active on Twitter is to have access to a peer group. The Canadian security space is fairly compact, and sometimes, having an international opinion is a great thing. And of course, [I'm there for] the fooling about and goofing off – Twitter is an outlet for stress as much as it is an inlet for knowledge.

5. Name one security peer whom everyone with an interest in Network Security should follow. (OK to name 2 if you can’t decide on only one)
Wow – it’s #FollowFriday! If you’re focused on Network Security, you should really be following @jack_daniel and @jjx. He’s a curmudgeon who generally cuts to the core of the issue FAST. She’s about as unlikely a security expert as you can imagine – short, blonde, southern accent – but if you’re mature enough to value people for their skill rather than the package, she’ll teach you a thing or two that you never expected. [The Network View has engaged with both of these security experts for inclusion in SPoT series as well.]

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
Security – for social media? I’m pretty sure there isn’t much of that. My simplest response is that you shouldn’t depend on social media to provide you with any security – if you’re not comfortable putting it on a postcard or wearing it on a t-shirt, you shouldn’t be posting it to a social media site. With regard to cloud security – ask @Beaker, I get all of my opinions from him.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
The number one thing is to remember that for any event – from a local SIG all the way up to Blackhat or RSA - the most important thing to do is cruise the “Hallway Track”, get involved in conversations, and have an opinion. If you were coming to me and asking me where to spend your money – considering value for dollar – DEFCON, Shmoocon/SourceBoston/SecTor, and your local SIG. The big names (RSA and Blackhat) are awesome, but unless someone is covering the tab, they’re crazy expensive and you can get the same content at the second tier conferences for less money with better access to the speakers.