Blogging Cybersecurity: Looking Back at the Best, Worst and Most Surprising

Blogs have a strange way of defining a person. Looking back, it’s been an unexpected five-year journey that, when you connect the dots, may point to future cyber events for all of us. Mark Twain once wrote this: “It is not worthwhile to try to keep history from repeating itself, for man's character will always make the preventing of the repetitions impossible.”

Five Years and 21 hours. That’s how long the web counter told me I had been blogging at CSO Magazine as of last Thursday morning. I remember being surprised and honored when Derek Slater asked me to be their first external security professional to blog for their magazine. (At the time, SC Magazine and Government Technology Magazine didn’t even have blogs.) I believe that one CSO Magazine staff writer posted a blog before me. (Is that right, Derek?) Regardless, let’s take a look back at the good, the bad and the surprising over this period and surmise what that may point to in the future (or possibly prompt you to start blogging).

As CISO five years ago, I remember asking Teri Takai, my boss and Michigan CIO at the time, for permission to blog.  She said yes with some caveats. What were those guidelines? Beyond trying to point to solutions (and not just problems) and being kind to others (attack ideas and acts not people), she had some “recommendations.” I touched on this topic in a 2008 blog: Is Blogging About Government Security Safe?

Have any of these self-imposed blogging rules changed for me over the years? Yes, and I regret (made a mistake) saying that I’d never take money to blog. Now, I do often get paid to write articles and blogs by various magazines – but I still never get told what to write or the perspectives to take. Of course, I do this on my own time, after hours, and not on the government clock.

When I started blogging, my first instincts were to discuss the “behind the scenes” activities within security. This involved people stories creating the greatest concerns. I still believe that the cultural issues are the hardest to fix in every organization. My first blog was posted on November 10, 2006, but like other instances over the years, I had technical difficulties and needed to delete and repost my blog with fixes two weeks later.

There were several multi-part blogs, such as:

Lessons in Changing Culture - (How people didn’t care about security when I arrived in Michigan in 1997.)

Are You For Us or Against Us? - (Insider threat trends seen back in 2006, before the topic got hot.)

Why Do Security Pros Fail? - (Seven part series that touched on the relationship-side of our profession.) You can see the PowerPoint slide deck here.

Some of these multi-part blogs were condensed into shorter summary articles by CSO or Computerworld Magazines with a more descriptive name that ended up having wider global appeal. And yet, I have been surprised that the most popular blog (according to Google search rankings) was on career burnout for cyber pros.

Along the way, there were stories about busted hackers, trusted identities in cyberspace, Frank Abagnale on ID Theft, iPads in government, the impact of security industry acquisitions, life after CISO (yes, now I’m back again as CSO), new NIST guidelines, Cyber Mondays, when your Dad is the CSO (from my daughter’s perspective), Telework trends and new Presidential security plans. No security blog would be complete without war stories about viruses, worms and botnets in government.

No doubt, I’m known in the security industry for my strong views regarding cyber ethics at home and work. Our personal and corporate integrity is paramount for everything that security professionals do. Check out the comments and ensuing dialogue at the end of this blog piece for an example of the interactions that I enjoy most.

In 2007, I kicked off a trend amongst friends by writing this open letter to the Wall Street Journal on their lack of ethics for writing the piece: How to skirt corporate IT policy. I am a firm believer that we need cyber ethics training/discussions for adults too. Of course, the importance of character and integrity is evident in every area of life. Great career accomplishments can be overshadowed by lapses in professional judgment, as the current tragedy with Joe Paterno at Penn State is showing America and the world.

What rises to the top in importance going forward? Clearly, we must be preparing the next generation with cyber defense competitions. This several-year-old trend is gaining significant traction and offers good job prospects for our children.

Another key topic that I see emerging is the balancing of freedom, law and responsibility in cyberspace. Government cannot (and in most cases should not) stop people from exercising their rights of “free speech” on the Internet.  But what activities should or should not be allowed? Where are the proper “policing” lines to be drawn? Should ISPs block “bad stuff?” Beyond battling viruses, worms and bots, how do we define “Internet safety” over the next decade?

Regardless of your views on this issue, people need to understand the impacts of their virtual actions. The physical and cyber worlds are merging in every area of life. This topic was addressed in my July 2011 blog – Can Online Indulgence be Managed? Lessons from Dr. Jeckyll and Mr. Hyde. This piece was in response to a blog from the Harvard Business Review advising on how to manage online indulgence effectively. This is a controversial, yet vital, discussion. The education process for teens and adults will continue to be a battleground for the rest of my life – and I won’t shy away from these important topics.

Other surprising trends? Cybersecurity blogs are still more popular than technology infrastructure blogs, even though there are many more Lohrmann on infrastructure blogs written over the past few years. I will say that blogging about cyber can take you down many related roads in technology (or even fun at the office). We each need to decide when and where to engage or back off. 

For those thinking of starting to blog … I say – go for it. Blogging has opened up doors for me to hone my writing skills, speak more effectively and even write a book. I doubt if I’d be invited to speak at events around the world if I hadn’t started blogging.  

Back in 2006, I never would have dreamed that a Google search in November 2011 would yield my CSO bio and a list of my “Lohrmann on Govspace” blog entries as the top two choices, ahead of the Virtual Integrity book website or work-related items.

Where will things be in five more years? Only time will tell.

Copyright © 2011 IDG Communications, Inc.
