Maybe it’s just the DC area.  Every good security person I know here is very confrontational.  We just like to argue.  Some days I feel like it’s a slow morning, so I just walk around and stir the pot, knowing that some good conflict will rise to the top.

I think it has to do with the following factoid: security is the conflict between economics, paranoia, and usability.  We have to be able to manage the tradeoffs between these 3 corners of the triangle.  The good people understand the nature of this and realize that sometimes it’s not really a security problem–it’s a client education problem, it’s an auditor problem, it’s a personality conflict, etc.

So how do we conclude an argument?  Well, I know 2 people right now that when I’m around both of them, we can talk for hours debating the particular merits of one viewpoint or another.  The way we stop the disagreement is to mention risk.  Once we do that, the game is over.  Once I can pin the actual risk (versus the perceived risk, but that’s another story), then there is nothing to talk about anymore–we have rounded the corner on that topic and there isn’t anything else to debate.

