Today I want to talk to you about mistakes. No, not those kinds of mistakes. Tripwire recently wrote a blog on their State of Security where they interviewed 25 well-known information security professionals and told them to fess up: a mistake that they've made at some point in their career, one they've learned and grown from and adapted to, so that they're now stronger because of it, and proof that you can make a mistake in the field of information security and still maintain a relatively respectable level of careerism. Is that a word? I'll make it up as I go along. Nobody washes these anyway.

Okay, so my story goes a bit like this. I was young, naive, I was fresh-faced and the world was full of hope, and I was given an assignment to go and do a security review on an application that was out there in the finance world. So I got my checklist and I marched over there, pen in hand, clipboard in the other, and sat down with the manager in one of my best suits and I said, "Okay, tell me, have you got user access controls in place? Are passwords hashed? Do you monitor all the access? Is third-party access through an approved solution? Is storage backed up? Is confidential data encrypted?" And the manager who I was talking to turned round and basically said to me, "Yep, absolutely compliant. Absolutely, no doubt in my mind, 100%. Yep, we've been green on that from day one."

So I thanked him and I thought, wow, this is a really good department. They know their stuff and they're doing everything well. And I walked back to my own department and went to my boss and I said, "Fantastic system. Absolutely secure. They meet all of our guidelines." And he turned to me and said, "Did you get any evidence of this?" "Nope." "Why don't you try going back and asking them to prove any of this to you?"

So I went back in my nice suit with my clipboard and my pen and marched my way down and I said, "Excuse me, can I just ask one more question?" in my best Columbo impersonation.

And the answers that came back were a bit different this time. "Yes, we were meant to have that implemented." "Yeah, that's a work in progress." "So it's not really implemented, but we've selected the vendor who's going to deliver that for us." "Yeah, that's an accepted risk." "The architect that designed it said it was, but no one's ever signed it off." And it changed from a completely green report to a slightly green, some amber and very red report.

So what did I learn from this? Don't trust people. They're liars. They just want to tell you what they think you want to hear and get you out of their department. Who wants to talk to the security guy or something? They view you as the stepbrother of an auditor. I'm here to help you, man. Tell me where your gaps are. I can document them. Then I can come back and help you fix them. No, I don't trust people. I trust them, but verify. And I've managed to stick to that principle. I never blindly trust anyone anymore. My father-in-law wasn't too happy when I did a background check on him before I married his daughter. But hey, you can never be too careful.

And if you want to hear about bigger, better and badder mistakes than mine, then click on the link here. Well, you can't click on this. I haven't really implemented annotations, but look in the description. You'll probably see the link to the Tripwire State of Security blog. Stay secure, my friends.