The Daily Incite - November 8, 2006

Submitted by Mike Rothman on Wed, 2006-11-08 07:37.
Today's Daily Incite

November 8, 2006 - #152

Good Morning:
Let's talk about regime change, given that's going to be a popular topic in the media over the next few days - especially as they are recounting votes in my former home state of VA. Sometimes things happen and new blood comes into your organization. Typically it starts a period of uncertainty, disequilibrium, and general terror as everyone tries to figure out where they fit in the New World Order. It's easy to take your eye off the ball when that happens, but don't. Remember that you (if you are a user anyway) get paid to ensure availability, protect intellectual property, minimize corporate liability, protect your brand, and ensure compliance. Even your new boss will understand that.

E-voting is going to be all the rage as the fallout from the US elections continues to hit (here). I do think we are on the train to get to e-voting and we aren't going to get off, but it's going to be a bumpy ride - that's for sure. Q4 tends to be budgeting time, and here is some good advice from guru James Champy about how to make your budgeting "healthy." Wouldn't equate that to a good pump from the gym or a refreshing run, but these tips do make sense.

I've also been pretty vocal about how annoying vendor "momentum" releases are. Shimel agrees here, though he walks a fine line as a vendor calling bunk on this practice. And speaking of asinine press releases, here I give the "jackass press release" award to a vendor that just puts "Security 2.0" in the title, without mentioning it again.

Have a great day and I'll be at CSI again today, so if you happen to see me - say Hi!


Top Security News

Taking the pain out of budgeting
So what? - Guru James Champy provides some perspectives on budgeting in this SearchCIO contribution. I don't know about you, but most of the folks I deal with don't view budgeting as "healthy." They hate it. They spend a lot of time figuring out what needs to be implemented to do their job. They ask for the funds and then they get shot down. Seems about as healthy as a root canal. But James then goes through some tips to make the budgeting case more compelling, and although at a high level - it's good advice. Separate OpEx from CapEx costs, so it's clear to the powers that be how much it costs just to keep things running at the status quo. Then for those new expenditures you want, you need to show value and position that value within the context of key corporate goals and imperatives. That's a key part of the Pragmatic CSO process, and it's really important. Because as long as there is no tangible link between security efforts and business value, your stuff will always end up on the cutting room floor. And it'll be your fault.
http://searchcio.techtarget.com/columnItem/0,294698,sid19_gci1226339,00.html


Microsoft's security impact - measure it in years
So what? - This column by Kelly Jackson Higgins on Dark Reading brings up a good point, which brings me around to a bigger topic of understanding the timeframe of Microsoft's eventual impact on our little security world. Should IT pros use Microsoft's stuff because they are Microsoft? Of course not. And the rumors of the demise of Big AV are exaggerated, which is clear based upon their most recent quarterly results. BUT, two quarters is not the right timeframe to be evaluating this. We need to get into the time machine and set it for 2-3 years in the future, and I guarantee the security business looks different. Why? Because Microsoft grinds competitors into dust over time. And folks like Google, Intuit, and Adobe/Macromedia that have successfully fended off Microsoft's advances in the mass market are few and far between. So Microsoft does sell a lot of ISA into the mid-market, but it took them years to get a somewhat competitive product. We'll see the same in the AV market, but it will take years. Inertia is high in the AV space and it will take time to get folks to move. And I don't think Microsoft is going to get 80% of this market either. But they will be a factor by 2009.
http://www.darkreading.com/blog.asp?blog_sectionid=342

Whole disk is driving encryption
So what? - I've ranted quite a bit about encryption and the fact that it's like 4 or 5 distinct markets that everyone seems to think is just one. But the real driver right now for encryption technology is protecting the disk drives of mobile machines. The numbers are pretty modest right now in terms of market size, but the growth is astounding. This Network Computing review puts some products through their paces. If you are shopping right now for this kind of product, check it out. The market for whole disk is booming right now, because no one wants to end up on the front page of the WSJ (like Starbucks this week), so they are just encrypting disks left and right. Of course, this is a stop-gap, but I suspect after another couple of quarters of significant growth, we'll start to see consolidation kick in. Whole disk is really part of an endpoint security capability, as opposed to part of an "enterprise" encryption architecture. But some folks are positioning a tactical product as the first step in building an encryption "architecture" and I'm not sold on that. I'm sure my friends at the big encryption shops will be happy to educate me as to why I'm wrong.
http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=193500189

Next stop for big security - the physical layer
So what? - Lots of folks love to hate Cisco. And regardless of which side you are on, the response tends to be pretty passionate. I guess that goes with the territory. But you do need to give props to Cisco for being one of the only companies out there that actually CREATES markets. Looks like the surveillance market is the next stop. Again, I'm no physical security expert, but I've seen enough CSI (the TV show, not the conference) to know that tape tended to be the main mechanism and with the advent of IP video, all of that is changing. This Dark Reading article goes into what IBM and Cisco are planning, and also some other products that are working to integrate physical and information security. Looks like I better get some physical security tutoring from The Mogull, who used to do that kind of thing.
http://www.darkreading.com/document.asp?doc_id=110084


I officially hate Security 2.0
So what? - The winner of yesterday's "jackass press release" award is Cyveillance. Why? Because of the ridiculous use of "Security 2.0" in the title, and that's it. You got it right, they put that over-hyped term in the title and didn't make one other mention of what Security 2.0 means or why it is relevant to the domain "reputation" offering which is really the subject of the press release. I'm not a big fan of bandwagon-jumping on marketing, and these folks are very guilty of that. So, if you are going to use an over-hyped term in your press releases, at least make sure you back it up. Or I will call you out and you can have your own jackass award for your mantel.
http://www.cyveillance.com/web/newsroom/press_rel/2006/2006-11-07.htm

Top Blog Postings

And the loser is... electronic voting
I haven't really followed the Daily Kos regular beatings of electronic voting, but clearly the system isn't working. Regardless of the possibilities of hacking and voting machines freezing up, the biggest problem is education. I read numerous stories of polling place workers not knowing how to use the machines. I envision a day when I can vote from the comfort of my Fat Boy chair in my office, but it's clear that we are a long way off. First the technology must be solid, I mean rock solid. Clearly it's not. Then the voting "experience" needs to be a positive one. Clearly not on that front either. Then maybe voter perception will turn. It'll be interesting to watch the pendulum swing back to paper ballots and hanging chads.
http://www.dailykos.com/storyonly/2006/11/7/1546/82402

Things are great, just ask me
Shimel rails here against the common practice of private vendors patting themselves on the back about another "record" quarter. I hear Tower Records always had a record quarter (they sold lots of them anyway), until they didn't. So Alan is absolutely right on the money relative to the annoyance and stupidity of these "momentum" releases. But that's not how the game is played. Part of the game is to nurture the perception of leadership. That means convincing your investors and your field that you are winning and the other guys are not. I remember the angst I went through in the anti-spam business about those releases. We need to say we have higher customer growth, higher than the other guys. We need to list more technical doodads. Just more, and it's stupid. But it is, and that's not going to change. I did a long post on this back in February; it's here and still very relevant today.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/11/private_compani.html

Security as a red herring
It's going to be fun to see security evolve in the process control systems and applications (like SCADA). Fun? Yep, because we've seen the movie before and it's playing out to the script. Jim C points out a vendor that touts security in an announcement, but the "meat" is a bit underwhelming. Long live Clara Peller (where's the beef?)! But this is all part of the process. Buyers are increasingly becoming aware of "security" and the issues, but they don't really know what that means. So the vendors treat it like a check box initially and basically mention security whenever and wherever they can. Yes, it's a non-sequitur in a lot of cases and probably very frustrating. But I suspect it will be 12-18 months before the stories get fleshed out, so Jim and the rest of you SCADA folks, get ready to see lots of stuff that just doesn't make sense.
http://dcssec.blogspot.com/2006/11/security-based-pcn-marketing.html

Don't forget the physical
Increasingly, security officers are becoming responsible for both information and physical security. This post from Jeff Hayes reminds me that I'm personally glad I never had to deal with any of the kinds of situations he remembers. But the reality is, the world we live in has changed and in many cases we are not necessarily safe even in our own homes and offices. But the core imperative for physical security is to keep the employees safe. Sure you want to make sure private data isn't physically compromised, but it's more important that no one goes "postal" in your break room. I'm not surprised the situations Jeff mentions centered around greed and revenge, those are strong motivators - but the point is the same. If you are in charge of physical security as well, then things like bulletproof glass, parking lot cameras, and mantraps will become part of your vernacular - and that's pretty sad, but as I said before - it just is.
http://mycsosolutions.net/2006/11/07/physical-and-employee-security/

Recently on the Security Incite Rants Blog

Coming Soon: The Pragmatic CSO
I'm really excited to announce my upcoming book, the Pragmatic CSO: 12 Steps to Becoming a Security Master. Security hasn't really gotten better, and most security professionals are totally overwhelmed and having a hard time putting in place a program to be strategic, as opposed to firefighting. So the Pragmatic CSO is the Security Incite methodology for "doing" security, allowing you to focus on what's important and show value to the folks that write the checks. There will also be a web community and training programs to support the book as well. You can check out the Pragmatic CSO teaser site here.
http://securityincite.com/blog/mike-rothman/coming-soon-the-pragmatic-cso

Year-end webcast and seminar promotion
In order to support (and properly evangelize) the Pragmatic CSO, I want to be speaking anywhere and everywhere about pretty much anything related to information security. To do that, I'm making it very attractive for vendors and associations to book my talking head for the first 6 months of 2007. Check out the promotion and sign up quick, since the promotion only lasts until the end of the year, and I expect slots will be going fast.
http://securityincite.com/blog/mike-rothman/year-end-webcast-and-seminar-promotion

Read yesterday's Daily Incite

http://securityincite.com/TDI-2006-11-07

Submitted by Odd Dog (not verified) on Fri, 2006-11-10 12:56.

Don't know if someone at Cyveillance reads your blog, but the press release you cite now mentions "Security 2.0" in the body.

...the framework of Security 2.0, which focuses on protecting online interactions and relationships, provides a proactive approach for clients to protect their customer information and online reputation. By adhering to the Security 2.0 philosophy of user-centric protection, Cyveillance is helping ensure the Internet remains a viable channel for commerce...

Still doesn't make "Security 2.0" any less idiotic.
