October 2008
Creative Commons License
This work is licensed under a Creative Commons Attribution 2.5 License.
Information security in a bad economy

The economy looks grim. The headlines are very discouraging. Capitalism does not guarantee wealth and success all the time. The talking heads on TV blame greed in the stock market. I wish the stock market were made up of just computers rather than greedy human beings. These things are bound to happen when human beings participate! Money flows will eventually correct themselves, I hope, and capitalism will be healthy again. This will take time. I am not an economist, but I do understand that people part with money for a period of time to collect a higher return on the horizon, based on their appetite for risk. Simple, is it not? But all these complex financial instruments and their machinations seem to blur reality and make even the brainiest act dumb - or are they just plain greedy?

Setting the context for this post: it is a tough economic situation all over the world. IT spending has been reduced and will be reduced significantly. In one of my earlier posts, I referred to information security as an overhead of an overhead (IT). What is a good approach for a security practice in this type of economy?

I don't have a magic wand to pull a rabbit out of a hat. I have always been told that a tough economy is the time for really smart people to make money. Coming back to information security, with a bit of common sense, it is wise for information security professionals to offer services in those areas that do not involve capital expenditure. As a Security Manager, you may already be aware that your people are willing to go the extra mile in the current economic times.

- No budget, or lack of budget, means no new capital expenditure. Spend the time wisely in building a future technology strategy and keep it in your back pocket for when the economy turns around.

- This is a good time to create roles, responsibilities and ownership for the various areas. Create operating procedures. Have your team automate tasks. This will make your operations more efficient.

- This is the time for security awareness education. Create pamphlets, brochures and presentations for online or classroom training. Engage your own and your team's time to impart training.

- Leverage the technology platforms you have already invested in, and the features you are already paying for that reduce costs. If you have already invested in a technology such as VMware, this is the time to get the best out of it. You can use VMware's toolkit to build your lab and staging environments and save on hardware cost.

- Offshoring has been the mantra of senior executives; this is the time to revisit those services, measure their performance closely and assess your satisfaction level. This is a good time to build a case against offshoring if that makes sense.

- Companies are more vulnerable in bad economic times. You are in a better position to influence senior management about information security risks under these circumstances and to drive home the value of protecting your intellectual property. Management will be all ears for such a pitch.

- Time to engage your architect to optimize your security architecture, revisit standards and optimize the design for cost efficiency.

- Revisit your various controls and see if there are some risks on which you could optimize spending.

- The training budget is an unfortunate victim of this type of economy. Encourage employees to take the free webinars offered by various security vendors and to share a summary across the team. This keeps your employees in touch with the latest happenings in security, and some learning is imparted despite a zero training budget.

- Since there are very few projects in action, this is a good time to have conversations with cross-functional teams, educate them about your services and solicit feedback on how to do better.

- Revisit your vendor logistics and identify whether you can renegotiate some of your existing contracts.

The above are some good ways to optimize costs; they will also enhance your team's competence level in the long run. And this approach is better than letting people go, if you can pull it off.


Building a secure application

Developers have the objective of building a functional application. They are focused on building more functionality into applications. Moreover, building in security creates more work for developers, which is a disincentive, and developers are rewarded for building more functionality rather than for building more security. I have never seen a developer in my professional life being rewarded for building a secure application.

Hackers are focused on how to break the application. They look for weak links in the application that will enable them to access application data. Developers usually follow a process to build an application, but hackers have no process; all they have is a multitude of possibilities. Hackers are innovative in trying various permutations to compromise the application.

The million dollar question is whether we can build secure applications when a developer is focused on functionality but not on breaking the application.

There is a school of thought about inside-out security, where the application is built securely from scratch. Unfortunately, this approach alone won't suffice, because hackers traverse outside-in. A little reflection will highlight the importance of vulnerability scanning and penetration testing of the application. This brings in the perspective of what developers do not already know.

Building a secure application inside-out is not enough. In order to address unknown unknowns (the blind spots of developers), penetration testing should be done. Both whitebox-style penetration testing (where the components of the application are known to the tester) and blackbox-style penetration testing, which mimics a hacker who may not have any knowledge of the application, should be carried out.

An application with a higher level of security is not built by developers alone. It is built by an integrative process of the developer mindset and the hacker mindset. This will be a constant struggle for years to come.

The asymmetry of data loss - the data thief has the upper hand

I read this awesome book by Dan Geer, Economics and Strategies of Data Security. This gave me structure for my thoughts about a complex topic such as data security.

When a data owner's (a business's) sensitive data is breached, it is difficult to quantify the monetary loss. According to respectable survey sources, the average cost of a sensitive data breach for a large company is about $50,000. I am attempting here to think about this in simple mathematical terms:

There is a data breach. From the data owner's perspective the loss is:

Loss = Cost to protect data + Loss of business due to data theft, aka cost of competitive disadvantage

From the data thief's perspective the gain is:

Net Gain = [Cost of producing the data * Data freshness factor] - Cost to steal the data + Profit of business due to data, aka gain of competitive advantage

From the above two equations it is clear that this is not a zero-sum game. There is a clear cost asymmetry between a data owner and a data thief. When there is an asymmetry there is an opportunity. The data owner may not even know that the data is lost, because the original copy of the data may still be intact: the data thief could simply have copied the data. Data theft does not look like car theft; there is no vacuum left behind.

This motivates a data thief to keep the cost to steal low, to steal highly valuable data that has a long shelf life, and to do it in a way that the data owner will never even be aware of the theft.

From a data thief's perspective, a high cost to steal the data would disincentivize him. Moreover, the data freshness factor, i.e. how valuable the data is over a period of time, plays an important role. A good example: the content of today's newspaper is hardly valuable tomorrow, but the content of the newspaper two days ahead (if it could be procured) would be invaluable. Data relevance is a function of time and other marketplace variables; the data freshness factor accounts for that. A good way to discourage a data thief is to increase his or her cost to steal the data. There are other inferences from the above equation. If there is no competitive advantage to be had from the stolen data, hardly any thief would even venture to steal it in the first place. If the cost of producing the data is very low, the thief can probably just produce the data himself and would not attempt to steal it. If the cost of theft through technical mechanisms is kept high, that will deter the data thief from using them, but then the data thief will exploit weaker links in data security, such as social engineering, to get access to the data.

From the data owner's perspective, protecting data becomes very important. How much would the owner be willing to spend? Definitely not a cost equal to the cost of producing the data. 1% to 10% of the cost of producing the data is considered prudent. For a data owner it is difficult to estimate the cost of protecting a specific piece of data, because it is not easy to break data protection costs into chunks. Moreover, as Dan Geer says in his book, a data owner has to protect himself from a number of intruders, not just one.
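The inferences above fall out of the two equations once they are written with symbols. This is an added worked derivation, not part of the original post; the symbol names are shorthand for the quantities the post names ($C_{\text{protect}}$, $L_{\text{adv}}$, $C_{\text{produce}}$, $F$, $C_{\text{steal}}$, $G_{\text{adv}}$), and the thief is assumed to act rationally on expected gain.

$$
\text{Loss}_{\text{owner}} = C_{\text{protect}} + L_{\text{adv}}, \qquad
\text{Gain}_{\text{thief}} = C_{\text{produce}} \cdot F - C_{\text{steal}} + G_{\text{adv}}
$$

A rational thief acts only when $\text{Gain}_{\text{thief}} > 0$, that is when

$$
C_{\text{steal}} < C_{\text{produce}} \cdot F + G_{\text{adv}} .
$$

Each inference is one term of this inequality: $G_{\text{adv}} = 0$ shrinks the right-hand side, a small $C_{\text{produce}}$ does the same, stale data ($F \to 0$) does the same, and raising $C_{\text{steal}}$ is the only term the owner acts on directly. The prudent budget $C_{\text{protect}} \le 0.1\, C_{\text{produce}}$ is where the asymmetry lives: the owner spends at most a tenth of the production cost, while the thief will spend up to the whole right-hand side, which can exceed $C_{\text{produce}}$ itself when $F > 1$ (the "newspaper two days ahead" case) or $G_{\text{adv}}$ is large. Since $C_{\text{steal}}$ is the cost of the cheapest path in, social engineering included, the owner's budget has to raise the cost of the weakest path rather than the average one.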

It pays for a data owner to: be aware of data breaches (or data leaks); employ appropriate mechanisms to protect the data, at a cost of protection that is a fraction of the value of the data; and enhance the information security awareness of the personnel who handle the data.

Data loss is not a zero-sum game. The advantage is in favor of the data thief (data thieves, rather). A data owner does not give much thought to the value of data unless there is a data theft. But a data thief has every reason to think about the economics of data theft before he acts, or else he won't survive in this game, and he is very well aware of his advantageous position.

Misc notes on IDS/IPS

Chris Hoff's response on his blog, Rational Survivability, makes me happy on two fronts. The primary reason I started this blog was to use this medium as an outlet for my ungrounded ego. The other was to participate in the security blogging community, which was just catching on when I started this blog two years ago. To get a response to my musings from brilliant minds such as Mike Rothman, Alan Shimel, Chris Hoff and others gives me immense joy. Maybe this is good therapy for my undiagnosed attention deficit.

It does not matter whether Chris is right or I am right. The outcome for IDS/IPS is all determined by the random drift of market forces. There is no conspiracy to make IDS/IPS this way or that way. I would like to wrap up with a quote from Arthur Chandler: "We can tell when a technology has truly arrived when the new problems it gives rise to approach in magnitude the problem it was designed to solve".

Please contact Microsoft for a Firefox problem? True but funny dialog box

IDS/IPS - is it vitamins?

Alan Shimel's post, "IDS - the beast that just won't die", triggered my hidden thoughts about IDS.

Rather than thinking about IDS as a device or piece of software that provides fancy features, let me try to summarize some assertions about IDS:

IDS can capture tons of intrusion events; there are so many don't-care events that it is difficult to single out an event such as a zero-day attack in the midst of such noise.

It requires tremendous effort to sift through the logs and derive meaningful actions from the log entries.

IDS needs a dedicated administrator to manage it: an administrator who won't get bored of looking at all the packets and patterns, a truly boring job for a security engineer. Probably this job would interest a geekier person, and geeks tend to wander off into their own interesting research!

There are companies that do without IDS, and they do just fine. I agree with Alan's assessment that IDS is like a checkbox in most cases. Business can run without IDS just fine, so why invest in such a technology?

Firewalls and other devices have built-in IDS features, so why invest in a separate product?
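The first two assertions above, that the noisy signatures bury the few that matter, are easy to see on a small alert file. The script below is an added example, not code from the original post or from any IDS vendor: it parses alerts written in the one-line style of Snort's "fast" alert output, counts them per signature id, and returns the signatures seen so rarely that an administrator would otherwise never notice them. The alert lines are constructed for the example, not captured from a real sensor, and the rarity threshold is an assumption.

```python
"""Summarise IDS alerts by signature so the rare ones are not buried under the noisy ones.

Added example, not from the original post. SAMPLE_ALERTS is constructed in the
style of Snort's one-line "fast" alert format; the thresholds are assumptions.
"""
import re
from collections import Counter

# Constructed sample alerts, not captured from a real sensor. One junk line is
# included on purpose to show that sensor chatter is skipped rather than fatal.
SAMPLE_ALERTS = """\
10/12-14:03:22.101234  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:4431 -> 10.0.0.5:1433
10/12-14:03:22.402118  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:4432 -> 10.0.0.5:1433
10/12-14:03:23.010007  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.21 -> 10.0.0.5
10/12-14:03:23.777301  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:4433 -> 10.0.0.5:1433
-- sensor restarted --
10/12-14:03:24.150922  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:4434 -> 10.0.0.5:1433
10/12-14:03:25.002451  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.22 -> 10.0.0.5
10/12-14:03:25.600019  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 10.0.0.5:80 -> 203.0.113.9:4435
10/12-14:03:26.311870  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:4436 -> 10.0.0.5:1433
10/12-14:03:27.004112  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.23 -> 10.0.0.5
10/12-14:03:27.912555  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:4437 -> 10.0.0.5:1433
"""

# Timestamp, [gid:sid:rev], message, optional classification, priority, proto, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alerts(lines):
    """Return one dict per parseable alert line; anything else is skipped."""
    parsed = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["prio"] = int(d["prio"])
        parsed.append(d)
    return parsed


def signature_counts(alerts):
    """How many times each signature id fired."""
    return Counter(a["sid"] for a in alerts)


def top_signature_share(alerts):
    """Fraction of all alerts produced by the single noisiest signature."""
    if not alerts:
        return 0.0
    return max(signature_counts(alerts).values()) / len(alerts)


def rare_signatures(alerts, max_count=2):
    """Signatures that fired at most max_count times, highest priority (lowest number) first.

    These are the candidates for a zero-day or a genuine compromise; the noisy
    ones at the top of the count table are what the administrator already tunes out.
    """
    counts = signature_counts(alerts)
    first_seen = {}
    for a in alerts:
        first_seen.setdefault(a["sid"], a)
    rare = [
        {"sid": sid, "msg": first_seen[sid]["msg"], "priority": first_seen[sid]["prio"], "count": n}
        for sid, n in counts.items()
        if n <= max_count
    ]
    return sorted(rare, key=lambda r: (r["priority"], r["count"]))


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS.splitlines())
    print(f"{len(alerts)} alerts, noisiest signature is {top_signature_share(alerts):.0%} of them")
    for sid, n in signature_counts(alerts).most_common():
        print(f"  sid {sid}: {n}")
    for r in rare_signatures(alerts):
        print(f"rare: sid {r['sid']} prio {r['priority']} x{r['count']} {r['msg']}")
```

On the constructed sample, 6 of the 10 alerts are the one MSSQL policy signature and the single priority-1 "id check returned root" alert is the only rare one; on a real sensor the ratio is far worse, which is the point the post is making about the effort involved.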

IDS is like vitamins: nice to have, and not having them won't kill you in most cases. Customers are willing to pay for painkillers because they have to address their pain right away. For vitamins, they can wait. Stop and think for a moment: without an anti-virus product, businesses can't run for a few days. But without IDS, most businesses can run just fine, and I base this on my own experience.

Probably I have offended folks from the IDS camp. I have a good friend who is the founder of an IDS company; I am sure he will react differently if he reads my narrative about IDS. Once businesses start realizing that IDS is a checkbox, they will scale down their investments in this area. In the current economic climate, financial institutions are not doing well. Financial institutions are big customers for security products, and in the current scenario of financial meltdown they will scale down heavily their spending on vitamins.

Running IDS software on VMware sounds fancy. Technology does not matter unless you can address real-world pain and prove the utilitarian value of that technology. I am really surprised that IDS continues to exist. Proof of existence does not portend a great future. Running IDS on VMware does not make it any more useful. I see a bleak future for IDS.

Cute names can't come to the rescue

Most of us have heard the conversations about the looming threat to the survival of Fannie Mae and Freddie Mac. Their names are cute, but that can't fix a bad strategy of making money by dishing out bad loans.

I have interacted with several security project managers who were very good at creating a buzz around their projects. Projects were given fancy names. The funniest project name I have heard was "Baby Rhino". One day I got an email in my inbox with the subject line: Baby Rhino Captured! The email got my attention, but the project did not gain any extra respect because of the name; there was hardly any significant accomplishment in terms of its deliverables.

I would rather stick with project names that signify the scope, relevance, meaning and value of a project. It is not bad to market a project, but trying to market a project without delivering value is a gimmick.

Taming of Information Security

In many mid-size to large organizations, information security grows up to become an unmanageable, complex beast. In some cases this happens consciously, where information security goes out of control, but in other cases it happens unconsciously, where there is a slow but incremental increase in the complexity of information security which leads to chaos.

The information security field is not yet fully mature; there is a lack of a cohesive, interoperable framework. The rapidly evolving landscape adds to the existing problem. There are several examples: the Intrusion Detection System (IDS) was quickly overtaken by the Intrusion Prevention System (IPS). In the firewall arena, the focus has moved from perimeter security to endpoint security. There are some security visionaries who are preaching an inside-out security approach, i.e. building products with information security in mind from the beginning of product development.


Threats are moving higher up the OSI stack, making them harder to detect. Hackers are becoming more sophisticated; there are powerful free open-source hacking tools at their disposal. Security managers driving security initiatives without coordination can produce pieces of a puzzle that don't fit well. The agency problem, i.e. security managers thinking more about their personal advancement than about the security of the company, is bad for the company's security initiative. Security leaders who do not have a clear vision of security at the component level, the administration level and the strategy level can only make information security even more convoluted. The CISO and acting CIO of the US Department of Veterans Affairs resigned after the breach in May 2006 in which personal data of 26 million veterans and more than 2 million service members was stolen. This clearly demonstrates the accountability and visibility of security leadership.

The attitude of IT security leaders and security team members has a significant impact on security. Reckless buying of information security technology can result in wasteful expenditure and very little gain in efficiency. Not understanding the business perspective of security issues, or the security perspective of business issues, can lead to poor security decisions. Using security as a mechanism to gain control rather than as a tool to reduce risk can only diminish the perceived value of the security initiative. Implementing security as an afterthought rather than building it into the framework results in poor architectural decisions. Security investment is more like buying insurance. Thinking of security as a vehicle providing an ROI can result in wrong expectations and lead to poor decisions. The business in which a company operates contributes largely to the perceived importance of security. Financial institutions usually have a higher bar on security because of the very nature of their business and their exposure to legal liability. It is a good idea for many technology companies to emulate financial institutions to raise their information security bar.

It could be a pipe dream to accomplish complete information security, but accomplishing a well-managed information security program is an attainable possibility.

Security Function as a Business Enabler

In one of my earlier blog posts I branded the Information Security function (as part of IT) an overhead of an overhead. It is of utmost importance for a security manager to run the security function in a way that enables the business.

The various components (sub-functions) of a security organization should align with the business objectives of IT and of the whole organization. There needs to be a cohesive security strategy in order to align the various components. One good way of understanding the business objective is to ask why the business is parting with money to deploy a specific security component. Why is the business giving me money for compliance? Why is the business giving me money to implement IDP? Constitutive questions such as these will help you understand the fundamental concerns of the business, and based on these we can come up with a strategy suitably aligned with the business.

One good example is the area of compliance. Attempting to make each and every unit of your business compliant with certain standards, legal regulations and so on would be a tall order. First define the scope: draw a circle around the units that need to be compliant, then come up with a strategy to make them compliant by formulating your objective, derived from the business objective of why the business gave you money.

Any security implementation effort should have a well-defined focus (scope), a business objective, and a strategy to bind the various components cohesively in alignment with the ultimate business objective. This way the business will view the security organization with dignity; otherwise the security organization will end up being a spoke in the wheel of business.

In the past, I was involved in discussions about the ROI of information security, security as insurance, and so on. After eating the forbidden apple from the tree of paradise, I realize that security has neither an ROI nor is it akin to insurance. Information security is a way of doing business with due care. Security is a way of enhancing the trust a business enjoys among customers and thus enhancing the identity (or brand image) of the company. A few years down the line people won't even question why you do security; it will become part of your background conversation. Nobody questions why we buy hybrid vehicles anymore, right?

If the components of the security function are not cohesively aligned with the business objective, it is a spoke in the wheel of business; otherwise it is a brand enhancer for the business.


The Order of Diminishing Returns

This is a classic management term which needs no introduction for many folks. The more money you pour into the security budget, the more money will be spent buying unneeded security products, which can increase complexity and reduce the efficiency of your security operations. A start-up company that I worked for long ago had installed 5 layers of firewalls to keep intruders out. The security manager claimed to me that they were there to really protect the information assets, but I soon realized that these firewalls were not configured right, and they were a set of fire-holes rather than a set of firewalls. Moreover, the maintenance cost of this type of complex security framework can be humongous. Imagine poor me debugging the firewall rules across these 5 layers of firewalls. But one thing is for sure: the job security of the security professional who implemented this complex framework is guaranteed. In reality, the guy who implemented these 5 layers of firewalls worked as a consultant for this start-up in off hours and on weekends!

In reality, I have seen well-run security organizations; they are lean and mean. They not only provide continuous security thought leadership for the entire organization but also implement security in a simple and efficient way. The graph below gives a visual picture of what I mean by the order of diminishing returns.


On a related note, I have identified four different states of security organizations, considering the competence of employees and budget availability. Of course there are in-between states. I have considered only the extremes:


Application Due Care

Often I hear phrases such as "if the application is truly built secure inside-out, then there is no need for other security layers". "Truly secure application" is a far-fetched statement. Three questions decide how secure an application really is:

1. What is the application made of? - Complexity.

2. How was the application built? - Methodology.

3. Where does the application run? - Environment.

#1. Complexity - Applications are developed using one or more of open-source software, third-party libraries, re-used libraries (from the past), middleware, databases and the run-time environment. In order to develop a truly secure application we need to ensure security in all of the components that go into building the application.

#2. Methodology - The development methodology that is employed to build the application. This brings up several issues: customization work, secure coding practice, outsourced development, offshore development, peer review, development tools, security requirements as part of the design, source code scanning, threat modelling and penetration testing.

#3. Environment - Applications exist in an environment. This brings up several considerations, such as the operating system, virtualized operating systems (such as VMware), other applications that co-exist with this application, CPU hardware, storage, the network and lastly whether the application runs behind the firewall or in the DMZ.

It is an overstatement to say that an application built using a secure development methodology is secure. All three factors, Complexity, Methodology and Environment, should be considered to make a judgement call about application security. The pragmatic approach is to build an application that is secure enough that it poses risks that are acceptable to the business (customer); this is what I would like to call "Application Due Care".

Security is Invisible and Customers won't Pay for Security

A few years ago a dentist I consulted recommended a dental protector for night-time teeth grinding. She mentioned that I grind my teeth during sleep. How in this world can I disprove her statement unless I have some external observer monitor me all night to validate my teeth grinding!

Security is invisible. Customers are willing to pay for visible software product functionality but not for a secure software product development methodology. Unfortunately, most of security is in the back end; if security works well, truly, it should be "invisible", and the fact that it is hidden does not motivate customers to pay anything extra. Security incidents motivate customers to act; this is the time when security becomes visible, but the limelight fades away as soon as the incident is handled.

We as security professionals see the internal mechanics of software security and can also speculate about the ramifications of poor software security in customer deployments. Because we see this, we can't expect customers to pay for it. Making security visible to the customer would defeat the whole purpose of security, and making it invisible diminishes the perceived value of security. It is a dichotomy that we (as security professionals) have to manage and live with. Customers who notice and are aware of security may start checking the security aspects of a product before buying it. Unfortunately, security is just one aspect; buying a specific product over other products purely based on security is a pipe dream. In the distant future, when all products have security built in, security won't be a differentiator anymore and the visibility of security will diminish even further.

If security were highly visible, we would find Steve Jobs touting security on stage at Macworld. Maybe this is the reality check for security professionals.


Media and Our Mind - Risk is All About Perception

Dave Hitz, the founder of NetApp, has an excellent blog post on how the media affects our risk perception.

This is what Dave says:

"A good risk management plan should take into account hurricanes, lost tapes, lost laptops, and maybe even terrorist attacks, but realistically, headlines typically don't highlight the most important risks. You are much more likely to lose data from human error or inadequately tested backup and recovery processes than from floods or attacks, but inadequate processes don't make good headlines. In addition, headlines fade quickly – if something becomes frequent it's often less newsworthy, but the risk remains. Our more sophisticated customers, like financial institutions, build risk management models that already include the items most likely to show up in the headlines, and if they use media reports at all, it's to update some aspect of their model, like the probability of a particular event, or the impact and cost.

In summary, don't worry about terrorists until restore from your nightly backup is well tested."


More details can be found on his blog here.

An interesting Whitepaper on Web 2.0 Security & Fortify Event

I was fortunate to be introduced to a good ex-Microsoft security person, Shivaram Mysore. He has an interesting whitepaper on Web 2.0 security. It is a worthy read. The whitepaper gives a brief introduction to the available service models and aligns your thought process around securing Web 2.0 around these service architectures.

I recently attended a pre-screening of the information security documentary titled The New Face of Cybercrime. The documentary was very nicely done, considering that the director, Fredric Golding, has no background in information security.

The thought leaders' panel discussion was very stimulating. Being an analogy person, I liked the analogy narrated by Howard Schmidt, former White House security advisor, about the evolution of information security and the evolution of firefighting. In the past, firefighting was a reactive approach, but these days people factor the threat of fire proactively into building design: sprinklers, fire-retardant materials and so on. Another panelist, Ted Schlein, Managing Partner at KPCB, mentioned that security spending is around $12 billion/year vs. the loss due to information security breaches of around $100 billion/year; the trail of money always sounds interesting to me. There were lots of discussions about the Inside-Out vs. Outside-In approach to information security.

Thanks to Fortify for putting this event together. I am sure more such events should happen amongst the executive crowd to bring a high level of security awareness.

Lastly, I would like to conclude this post by noting the importance of user awareness, because user awareness determines "usage", which is a very important component of the threat model of an information system. I conclude by repeating the popular quote: "There is no patch for stupidity".


Excellent addition to the Information Security Blogging Community

My good friend Muni Tripathi has started blogging on information security. You can read his blog about security at:

http://muni-on-security.blogspot.com/

Getting vulnerabilities in the application fixed

I have been approached by a few security professionals about the problem they encounter in getting software developers to fix the vulnerabilities detected in their applications.

Let us accept the fact that developers are mostly busy focusing their time and effort on the functionality of the application. Most of the time the software development manager gets away with using the "busy" excuse. One approach that I suggest is to rank the vulnerabilities by "severity" (how bad it is if the vulnerability is exploited) and "threat" (how likely exploitation is) and communicate this ranked list to the software development team. Give the software development manager time to fix the vulnerabilities - usually the time that the software development manager thinks is acceptable.

If the vulnerabilities are not acted upon despite your first meeting, then try this route: require the software development manager and the business owner of the application to sign a business risk acceptance form. The risk acceptance form could be as simple as a Word document with a list of the high severity/threat vulnerabilities and a narrative stating that the signatories acknowledge the existence of the vulnerabilities (that you communicated) and have accepted the risk posed by them for the time period specified in the form. This way, as a security professional, you are covered: you did your job of communicating the security risk to the stakeholders. Now that they have signed the form, if a bad event happens, accountability for the event lies outside of you.

You may find that the business risk acceptance form is a good tool to motivate a software development manager: they would rather mobilize resources to act on the vulnerabilities than sign the business risk acceptance form.
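The whole procedure above, ranking by severity and threat, granting a remediation window, and then putting whatever is still open onto a risk acceptance form, is small enough to script, and scripting it removes the argument about which findings belong on the form. The following is an added example, not code from the original post: the ordinal scales, the deadline policy (days allowed per risk score) and the sample findings are assumptions chosen for illustration, not a standard the post cites.

```python
"""Rank application findings by severity x likelihood, give each a remediation
deadline, and flag the overdue high-risk ones for a business risk acceptance form.

Added example, not from the original post. Scales, deadline policy and the
sample findings are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed ordinal scales (1 = low, 3 = high) for the two factors the post names.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3}

# Assumed "today" for the worked run; the form is dated with it.
TODAY = date(2008, 10, 15)


def remediation_days(score):
    """Assumed policy: days the development team gets, keyed by risk score (severity * likelihood)."""
    if score >= 6:
        return 7
    if score >= 3:
        return 30
    return 90


@dataclass
class Finding:
    ident: str
    title: str
    severity: str
    likelihood: str
    reported: date
    fixed: bool = False

    @property
    def score(self):
        return SEVERITY[self.severity] * LIKELIHOOD[self.likelihood]

    @property
    def due(self):
        return self.reported + timedelta(days=remediation_days(self.score))


def rank(findings):
    """Highest risk first; ties broken by earliest report date so old debt surfaces."""
    return sorted(findings, key=lambda f: (-f.score, f.reported))


def needs_risk_acceptance(findings, today, min_score=6):
    """Open high-risk findings past their deadline: exactly the ones that go on the form."""
    return [f for f in rank(findings) if not f.fixed and f.score >= min_score and today > f.due]


def acceptance_form(findings, today, owner, dev_manager, accept_until):
    """Plain-text risk acceptance form for the overdue high-risk findings."""
    lines = [f"Business risk acceptance - {today.isoformat()}", ""]
    for f in needs_risk_acceptance(findings, today):
        lines.append(f"{f.ident}  {f.title}  severity={f.severity}  threat={f.likelihood}  "
                     f"score={f.score}  reported={f.reported.isoformat()}  due={f.due.isoformat()}")
    lines += ["", f"The undersigned ({owner}, {dev_manager}) acknowledge the vulnerabilities listed "
                  f"above, communicated on the dates shown, and accept the risk they pose until "
                  f"{accept_until.isoformat()}."]
    return "\n".join(lines)


# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("APP-101", "SQL injection in login form", "high", "likely", date(2008, 9, 1)),
    Finding("APP-102", "Verbose stack traces on error page", "low", "likely", date(2008, 9, 1)),
    Finding("APP-103", "Hard-coded admin password in config", "high", "possible", date(2008, 9, 15)),
    Finding("APP-104", "Missing HttpOnly flag on session cookie", "medium", "possible", date(2008, 9, 20), fixed=True),
    Finding("APP-105", "Outdated XML parser, XXE reachable", "high", "likely", date(2008, 10, 10)),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f.ident, f.score, f.due, "fixed" if f.fixed else "open")
    print()
    print(acceptance_form(SAMPLE, TODAY, "Business Owner", "Dev Manager", TODAY + timedelta(days=90)))
```

On the constructed sample, APP-101 and APP-103 are the only findings that end up on the form: APP-105 is just as severe but still inside its 7-day window, APP-104 is fixed, and APP-102 is too low-risk to require a signature at all. Keep the ranked list and the dated form; together they are the record that the risk was communicated and when.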

Web 2.0 SecureD. DelivereD. :)

Web 2.0 has become well-accepted jargon in the current marketplace. It is a set of new web-based technologies that enable the building of online communities.

Web 2.0 is a democracy of user communities [thanks to Paul Graham for his definition]. Web 2.0 gives users more power to interact, customize, share and leverage.

The democratization of users brings significant problems.

1. Loss of privacy: Ease of use motivates users to upload personal information. Many users are not aware of the ramifications of losing control of personal information, or they don't even think along those lines. A good example is an employer going through the Facebook page of a potential hire.

2. Hackers' paradise: New technology brings new vulnerabilities. Hackers are having a party exploiting Web 2.0-based applications. We are currently more vulnerable with Web 2.0 than we were with Web 1.0.

3. Lots of Junk: Take for example Wikipedia, where anyone, anywhere can edit the content [everybody is an expert!]. How can I trust the quality of the information? It is not possible to reference Wikipedia in a research paper. Moreover, it puts the burden on the users to sift the good stuff from the bad.

4. Copyright/Intellectual Property Violations: I don't have to say much about this. Web 2.0 provides a platform for such violations and magnifies the impact [Record label sues Napster, Viacom sues Google over YouTube clips].

5. Other Social Problems: People can interact on-line in ways that were not possible before. These new interactions create a new set of social problems.

and many more problems that would make my blog post long and boring...

Some of the above aspects can be addressed: for example, building web applications securely from the ground up can help prevent hackers. Designing Web 2.0 applications to ensure users use the platform responsibly is a good idea too. Spreading security awareness education to on-line communities can help engender responsible and secure use of the web.

Security should be a feature added to Web 2.0, and let's call the result Web 2.T3. The "T3" represents the security triad - Confidentiality, Integrity and Availability.

Though security does not address all aspects of Web 2.0, Web 2.T3 will surely be a better place to live.


View Article  The Moo Security through Sacredness

I am currently in India, attending to my dad's health concerns. I stay awake at wee hours, still recovering from the jetlag. The cow is considered a sacred animal in India for a multitude of reasons:

1. The cow gives milk, which is a main source of protein in many parts of India.

2. Diluted cow's milk is given to a newborn baby in cases where the mom is not lactating, hence elevating the status of the cow to that of a mom.

3. Cow dung can be used as manure, and dried dung cake is also used as fuel.

4. Cow's urine is used as a cleansing agent and also for other medicinal purposes.

The cow is considered sacred because of its utility value to common people. Cows roam freely in the streets of my hometown and are unharmed because they are sacred. By being sacred, the cow is the most secure animal over here.

The security function is considered an extension of IT; it is an overhead of an overhead - it is not sacred. The security function is usually the first to feel the pinch of an IT budget cut. A good way to make the security function "secure" is to make it sacred. There are standards like ISO 27001 and COBIT which are well respected and considered sacred in the security domain. By conforming the security function to such standards we can not only create a perception of "sacredness" for the security program but also communicate the value of the program easily through the standard's framework.


View Article  Lost laptop = Lost data!

The laptop has become our essential travel companion. A lost brand-new laptop without personal or company data results in a loss of the current market value of the laptop. A lost laptop with personal or company data can result in a loss that depends on the value of the "data". It is easy to make amends for the lost laptop, but making amends for lost valuable company data or valuable personal data may not be possible.

It is very important for us to be "laptop data aware", i.e. to know the categories of data the laptop holds and the consequences of losing that data. A good practice is to treat your laptop like your wallet.

I found these 9 tips on the Microsoft website. These tips are really thoughtful and well written, and hence I would like to repeat them below:

Use these 9 tips to learn how you can keep your laptop more secure when you're on the road.

1. Avoid using computer bags. Computer bags can make it obvious that you're carrying a laptop. Instead, try toting your laptop in something more common like a padded briefcase or suitcase.

2. Never leave access numbers or passwords in your carrying case. Keeping your password with your laptop is like keeping the keys in the car. Without your password or important access numbers it will be more difficult for a thief to access your personal and corporate information.

3. Carry your laptop with you. Always take your laptop on the plane or train rather than checking it with your luggage. It's easy to lose luggage and it's just as easy to lose your laptop. If you're traveling by car, keep your laptop out of sight. For example, lock it in the trunk when you're not using it.

4. Encrypt your data. If someone should get your laptop and gain access to your files, encryption can give you another layer of protection. With Windows XP and Windows Vista you can choose to encrypt files and folders. Then, even if someone gains access to an important file, they can't decrypt it and see your information. Learn more about how to encrypt your data with Windows XP or encrypt your data with Windows Vista.

5. Keep your eye on your laptop. When you go through airport security don't lose sight of your bag. Hold your bag until the person in front of you has gone through the metal detector. Many bags look alike and yours can easily be lost in the shuffle.

6. Avoid setting your laptop on the floor. Putting your laptop on the floor is an easy way to forget or lose track of it. If you have to set it down, try to place it between your feet or against your leg (so you're always aware it's there).

7. Buy a laptop security device. If you need to leave your laptop in a room or at your desk, use a laptop security cable to securely attach it to a heavy chair, table, or desk. The cable makes it more difficult for someone to take your laptop. There are also programs that will report the location of a stolen laptop. They work when the laptop connects to the Internet, and can report the laptop's exact physical location. Some tracing programs include CyberAngel and ComputracePlus.

8. Use a screen guard. These guards help prevent people from peeking over your shoulder as you work on sensitive information in a public place. This is especially helpful when you're traveling or need to work in a crowded area. This screen guard from Secure-It is just one example of a screen guard you could use.

9. Try not to leave your laptop in your hotel room or with the front desk. Too many things have been lost in hotel rooms and may not be completely secure. If you must leave your laptop in your room, put the "do not disturb" sign on the door.

View Article  Email is a Practice

Being information security professionals, we have an obligation to follow good e-mail practice; by doing this we can operate with due care in our profession, and that will make us look good. In my earlier job, a colleague of mine [a security expert] had sent me an e-mail describing how he broke the weak encryption of an application. Inadvertently, in his e-mail, he had pasted his own encrypted password! I showed up at his office and presented this expert with his own password. All I did was follow his advice and write a trivial program to break the cipher. It is very important that we as security professionals do not look or act stupid ;)

Check out this blog post from Marshall Goldsmith, "E-Mail Food for Thought". Excerpt from this blog:

"Managers need to worry not just about their own e-mail but also that of their employees. Email is permanent and searchable and can be forwarded as easily to a thousand people as to just one. And the results can range from embarrassing to costly to disastrous. All the goodwill you've built up over years or decades can be destroyed with one bad e-mail from anyone in your organization."

