Not that interesting

I haven't been blogging much recently, that's not because I haven't got anything to say, far from it, I'm just not particularly inspired again. I've had one interesting conversation in the past month, with Gretchen Hellman at Voltage. I really like their ideas, but then you'd expect that from a team with such a strong security background. I hope their product isn't lost in the mire.

Apart from one or two of the really good bloggers, most of what I read is pretty bland. This is because they are being driven by sales initiatives, not original thought. Before he thinks I'm picking on him with the mention of risk, I have to say that Alex over at Risk Analysis is still a favourite of mine, but that's because he takes often boring subject matter and makes it readable with new twists and insights. That's the sign of someone who's interested in what he says and not afraid to write what he wants.

Backtrack a few months: When I joined the SBN, Mark Curphey had just left in a storm of abuse, saying how it was full of the same old rubbish, people making statements they couldn't back up, etc. I was a little taken aback at the time, but now I think I have to agree to some extent, although generally the SBN is better than the world of security at large. I emailed Mark to get some input on this, and he turns out to be thoroughly approachable, so I wondered if he may have a point.

So, I'm not picking particular examples, I guess it's just the way things are at the moment. Security is stagnating. Too many salesmen in what was an interesting area have diluted the original thoughts so you have to look much harder for the gems. They are still there though.

Sadly, if you are still selling firewalls, IDS and anti-virus over the next few years, you are going to see your profits dropping by degrees. The interesting bits of security are in the data. Salesmen don't seem to get that though, so security is going round in circles, talking about regulations, risk and ROI in areas which have long fallen by the roadside.

I've read too many blogs recently which are all the same. And don't think the big guys get away with it. They are often worse, more often if they are trying to sell something rather than educate. One in particular that I used to enjoy now keeps it's readership by blinding them with science. I doubt many people actually read it. I'm not interested in in-depth technical jargon. I haven't been an engineer for years. What I want is a well explained, easily accessible piece of writing by someone with brain, not a low-level geek back-slapping exercise which makes everyone else stand back in amazement and say "wow, you're really clever."

The point is that very few security commentators are taking the time to really THINK. We can all regurgitate regulations, and stand on our soapboxes about a particular standpoint, but we never get anywhere if we don't put our minds to things. I'm all for a good argument (just ask Rory at Rory.blog), but I wish people would get facts in order, then back it up with some original thinking.

I'll probably rant again about "geniuses", "gurus", and "experts", because we've got too many in an already crowded space, but a brief story should get the point out here: I mentioned in a very tongue-in-cheek manner last week to a colleague that I was "one of Europe's foremost PCI commentators". Perhaps he's been living in Spain too long, but he didn't get the irony. Just because I blog about it sometimes, doesn't mean I'm any good. I have thoughts and have been in security for a long time, that is all. (You will have your own opinions of course.)

Said colleague spent a long time afterwards trying to imply that I wasn't anything special without saying so outright (in case I asked him to prove otherwise I assume). Salesmen are often very insecure, and yet I hadn't said anything to put him down, just that I am an "expert". Is it an alpha male thing?

In fact it started to get quite irritating that he hadn't (and still hasn't) understood my joke. I feel the subtlety will be lost if I have to explain it. It makes my point quite nicely though. The fact is, anyone can set themselves up as a field specialist, and they are rarely called upon to prove it. Time to start asking questions.

So, if you're wondering where I am, I'm amongst your blogs, trying to find some answers.