The Daily Incite - January 31, 2007

Submitted by Mike Rothman on Wed, 2007-01-31 07:45.
Today's Daily Incite

January 31, 2007 - Volume 2, #19

Good Morning:
I have to admit, the older I get - the less I like to travel. For work anyway. I do like to be out there, working with my clients, which is a lot of fun. But getting there is such a pain. And I had a pretty good flight experience yesterday morning, as far as flights go. But travel kind of screws up my routine. I know it's a necessary evil to do what I do. But it does feel evil nonetheless.

Another day, another deal in security land, with Shavlik delivering some of that brandy to St. Bernard by taking UpdateExpert off of their hands (here). I think even Stiennon would call this consolidation. Entrust also introduced a $5 token, biting at RSA's ankles (here). Looks like the token cash cow is about out of milk. Nothing really going on in blog land, besides Shimel reminding us of blogger bias (here). I've got no issue with folks sharing their opinions, as long as they are clear that they have an ax to grind.

Lots of other news today, but nothing really moved the needle. Feels like many of these vendors are going through the motions ahead of RSA. Hopefully there will be something more exciting next week because what I've seen thus far is underwhelming with a capital U.

Have a great day.



Top Security News

Deal: Shavlik/UpdateExpert - Bring on the brandy
So what? - Do you think Stiennon would call Shavlik taking out St. Bernard's UpdateExpert product line consolidation? I have no idea what else it would be but Shavlik trying to increase market share. Of course, that is easier said than done in these kinds of deals. When customers need to make a change (and sooner or later they will, because UpdateExpert is now DOA), they put the deal back out to bid, and given the number of solutions that do "patch" stuff, there is no lack of options to choose from. So it's not clear what Shavlik paid for the right to have customers put their solutions out to bid, but unless they have a strong migration story and some significant customer incentives, this type of deal could be a money pit.
http://biz.yahoo.com/bw/070130/20070130005482.html?.v=1

PCI Humpa-Humpa
So what? - I guess PCI is real now because it has its own vendor alliance to go after the market. Huh? Yeah, I'm not sure why this matters either. So you get some data security vendors together and they do what? Try to convince us that PCI is important? Already know that. Weigh some lobbying prowess towards changing things for the better? Who is going to listen to these guys? Their charter is to "assist members of the payment card industry and the PCI Security Standards Council -- composed of merchants, banks and point-of-sale vendors - in educating the business community on the requirements and business value of the Payment Card Industry (PCI) Data Security Standard." OK, again - so what? Not sure why they need to band together to do some webcasts and sponsor some events for the PCI council. But what do I know?
http://www.pcialliance.org/media.html

A penny for your token
So what? - With the rapid erosion of token pricing, it won't be long before you can get one of these things for pennies. VeriSign and eBay threw down the gauntlet with their $5 token offering for large merchants, and now Entrust is "disrupting" the market with their own $5 tokens. First of all, I'm pretty sure it's Mr. Market that decides who disrupts what, but I don't think there is any question that the inherent value of the token is dropping like a stone. Of course, the acquisition cost is but a small part of the total cost of operating a token-based authentication system. And switching costs could easily eliminate any cost savings, so I wouldn't be shoveling dirt on RSA's SecurID yet. But clearly the value of an authentication system ain't in the token anymore.
http://www.entrust.com/news/2007/archive2007_6689.htm

No solitaire for you
So what? - What are the slugs of the white collar world going to do now that Sophos can shut down Solitaire and FreeCell? Probably the same thing they do now - which is nothing. I'm not really sure why this is so novel, since the executables that run the games have been well known for years. But I guess Sophos needs to hit their PR Newswire quota this month, so they may as well announce something. At least they won't be announcing their NAC strategy at RSA, like everyone else, because they already did that earlier this month (by acquiring Endforce's coffin). To be clear, I think stopping these simple games is pretty ludicrous. I can get why you'd want to stop things like Skype and the like that present security risks and liability, but solitaire? I guess they are trying to limit the carpal tunnel syndrome that results from too many of these games. What's next, ruboneout.dll?
http://www.sophos.com/pressoffice/news/articles/2007/01/windows_games.html

Top Blog Postings

Blogger independence?
Shimmy points out that all blog readers need to keep in mind whose stuff they are reading and whether they have some reason for bias. I do believe that the venom about the Symantec/Altiris deal is well founded, given Symantec's track record in integrating acquisitions, but criticism coming from competitors is a bit suspect. Clearly Amrit is a smart guy, and I appreciate his opinions about markets he used to cover with Gartner. But again, how can he come down on Altiris' technology and it not be vendor sniping? Maybe he's pissed that Symantec didn't buy his shop. The point is that former analysts lose their halo once their paycheck comes from a vendor. You don't work for the big G anymore, bud. That makes you just another vendor with an opinion. As with everything else, it's buyer beware.
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/01/bloggers_reacti.html

I hated economics
So Rob Chiampa is working on a security economics model, and I can't get the bad memories of the absolute worst professor I had at Cornell out of my head. He taught microeconomics, and he must have been a great researcher because he sure was a crappy teacher. I'm interested in Rob's ideas, but I'm skeptical. In order to have a true "economic model" you need both outputs and inputs. What is the output of security? We can argue about that all day. Clearly Pragmatic CSOs need to justify why they are spending money. Basically you need to build a plan that shows how you protect critical business systems, and through the process of building and socializing that plan you will make the case to get the budget you need. It's all laid out in the Pragmatic CSO book (www.pragmaticcso.com).
http://knowidentity.typepad.com/tnt/2007/01/the_security_wo_1.html

Aberdeen looking for security analysts, fishnet stockings required
I don't think I'll be applying for the open security analyst position at Aberdeen Group. Now that they are part of Harte Hanks, will they be any less whorish? Well, HH is a marketing company - so you draw your own conclusion. But I can say I look really bad in fishnet stockings, so this position probably isn't for me. OK, maybe that was a bit harsh - but Aberdeen earned their brand through years of misbehavior, so getting acquired isn't going to change that.
http://analystnews.tekrati.com/firmnews/?id=8426


Submitted by Barbara (not verified) on Wed, 2007-01-31 14:27.

No argument that fishnets may not get you a date even in the Bois de Boulogne on a rainy and moonless night, but kicking Kastner and Bedard in the head like this is more than a little mean-spirited mischief. You're sending a message to conservative analyst management around the world: there's no upside to adopting transparency -- that the only upside is in not getting caught.

Whatever the past, Aberdeen today practices more "transparency" than many (if not most) analyst companies. They clearly describe their business model, research model, and publication model. They clearly map vendor dollars to every report. And they've been exercising this level of transparency since 2004. I don't know of many analyst companies that can make that kind of claim, in or out of the security space.

As far as the security job goes, I think it's imperative to look at Harte Hanks ownership as part of the opportunity evaluation. I would also consider this: any analyst company incapable of modern digital content marketing, sales and distribution is incapable of thriving.

Submitted by Mike Rothman on Thu, 2007-02-01 13:38.

If Aberdeen wants to change, then they should change their name. Their brand in the technology space is of a bunch of whores. No amount of hocus-pocus or even changing their delivery model is going to change that. They should jettison the Aberdeen boat anchor and move on as a Harte-Hanks branded research group.

Mean spirited? Yes. But also true.

Submitted by Stiennon (not verified) on Wed, 2007-01-31 21:15.

There has to be convergence in the configuration space. That is a static market. The only agent of change is Microsoft. So Altiris being acquired and now this minor acquisition by Shavlik. Look for lots more convergence in the space. Within a couple of years you will not be able to get configuration management software from a stand-alone company. You will be going to IBM/CA/Symantec/Microsoft for that stuff.

That is not going to happen in the security space just yet. Not until the bad guys settle on one business model and stop innovating. Try and predict when *that* will happen!

-Stiennon
