Remember when coffee used to be brown? You know, that Chock Full O’Nuts caramel color? We used to sit on red vinyl stools in the diner, sipping cup after cup and not really giving much thought to it. Now I go to Peet’s Coffee, or Seattle’s Best or, of course, Starbucks, and the coffee is black. Deep black. Like a black hole in space sucking away all my cares and worries and leaving me with a Jodie-Foster-in-Contact-flying-through-space-and-time kind of buzz. Ahhh.

I gotta tell you, no Hills Brothers coffee ever gave me that kind of buzz. But coffee is not my point. Changing tastes is my point.

Security management is like coffee, and we seem to be hooked on the current flavor. Yesterday’s security management priorities are either completely forgotten, or are somehow already integrated into our lifestyle – or security architectures.

The New Sarbanes-Oxley

Take PCI for example. Some of you just got a frightening chill down your spine; others are waiting for me to explain what I mean. Last year we were all concerned about Sarbanes-Oxley. This year it’s PCI. PCI is shorthand for the Payment Card Industry security standards that apply to any company engaged in processing credit card information.

The VISA Cardholder Information Security Program (CISP) is one specific standard in this category. Compliance with these PCI standards is driving all manner of corporate risk management in tens of thousands of U.S. businesses – from online customer-based transactions, to data storage, to document retention.

There are over 20 specific statements in the PCI requirements that pertain to physical security. For example, you should have video surveillance around sensitive systems and areas where credit card data is handled, physically restrict access to those areas, escort visitors and require rigorous access control, shred hard copies of documents with that data and protect against dumpster diving, etc.

A security executive from a Fortune 1000 company and another from a Fortune 100 told me separately recently that PCI is touching every aspect of their respective security operations – IT security, physical security, privacy and business continuity. Both executives have found that promoting collaboration between those groups has been the key to meeting PCI requirements. PCI is just one more reason to promote a collaborative convergence attitude in your organization’s security program. That and a good cup of café Verona.

Packing for the ASIS show

OK, let’s see if we’ve forgotten anything. We want to make sure we have everything we need to get the most out of the big ASIS conference this month.


Fashionable but not too business-like suits because I want to look high-tech, but not like I’m selling anything? Check.

Comfortable walking shoes for miles of walking on the show floor and to off-site meetings? Check.

Look on the face that says “I’m so happy to see you” even though I can’t remember your name? Check.

Map of the show floor with the far ends of the exhibits circled because that’s where the most innovative products are? Check.

Raised eyebrow and look of skepticism for whenever a DVR vendor claims to have a “convergence solution?” Check.

Yoga mat for realigning my back after carrying vendor marketing collateral all day? Check.

Sore throat lozenges to compensate for trying to be heard in booth after booth? Check.

Eye drops and Red Bull to recover from the nightly parties? Check.

Oh wait. I can’t bring Red Bull on the plane. I’ll bring some ephedra instead. Check.

Note pad for scribbling down the latest industry gossip? Check.

Pocket full of quarters for the slots? Check.

Are You Part Of The Blogosphere?

I’ve been curious why I don’t find blogs from security executives. There are several by folks employed by vendors like Phil Libin’s Vastly Important Notes, and an excellent blog by journalist extraordinaire Bill, but not too many by security directors or CSOs. I can imagine that there is a good reason the vendors are blogging but the end-users aren’t. The security execs are probably just too busy. Either that or they don’t see any advantage to it.

The blog I write is designed to be a place where security professionals can go to get an unfiltered look at vendors, best practices and the industry as a whole. The response I get is telling – private e-mails flow in from readers who echo my sentiments and share their pleasure that someone else says what they already thought.

With a blog, you can share tips that you’ve figured out that may help your brethren in the industry. You can also cajole a vendor into providing better service or products.