The Daily Incite - March 20, 2007

Submitted by Mike Rothman on Tue, 2007-03-20 09:46.
Today's Daily Incite

March 20, 2007 - Volume 2, #47

Good Morning:
Let's talk about noise this morning. I've got a constant ringing in my ears from all the crap that passes through my feed reader, email and general contact base. Curphrey got pissed off (here), which elicited responses from Farnum (here) and Shimel (here). I think these guys are getting spun up about nothing. In fact, Curphrey even admits he may have used some misleading language in this follow-up post (here). It takes some stones to admit you may have talked out of school, so thanks for that Mark.

But personally, I think we are all thinking too small. We are witnessing the birth of a new communications medium and for those of us bold enough to participate - we are lending a hand and guiding the ship relative to what it can become. I'm not sure any of these guys truly appreciate how cool and rare this is. Maybe they do, but in this case they have clearly lost sight of it. Sure there is a lot of crap. When was the last time you flipped through the channels on your TV? Lots of crap there too. And as with TV, you can tune out. The blogosphere is an OPT-IN mechanism. You don't like it, don't read it. Unsubscribe. Go on your merry way. Good luck to you, and don't let the door hit you on the ass as you leave.

The noise is something I deal with because I've decided that's my job. I wade through all the crap and distill it into a digestible format that hopefully saves you some time each morning. You shouldn't follow 400 blogs and another hundred news sources like me, I presume you have better things to do. Some days I do as well, but I'm an information junkie and I wouldn't have it any other way - even if it means I get a headache from overflow from time to time.

But don't mistake an early market for an incestuous fad. Our security audience is growing every day and folks getting into the business have information resources (most of them free) I could only dream about when I was starting my career. Only a small minority of folks speak out, just as with every other communications medium - but it doesn't mean other people aren't listening. And it doesn't mean it's a fad.

Many folks will lose interest because blogging successfully is hard work, but good for them for trying. The more voices, the more discussion, the more conflict, the better the end result. A market of one is not much of a market. Early markets are messy and some days it's frustrating, so Mark - I feel your pain. But I am not discouraged by any of this. After all, if you don't like what I'm saying or how I say it - then turn the channel.

Have a great day.

Top Security News

Waiting for Godot, I mean metrics
So what? - Security metrics has been one of the most elusive topics for a long, long time. Andy Jaquith's book is scheduled to hit this month (I'm supposed to be getting a copy, and I'm looking forward to that), and lots of other organizations are taking a crack. Such as this effort by the CSO Executive Council, a paid roundtable group, covered here that is taking a crack at building a benchmark. Hmm. Benchmark. Sounds like Step 11 of the to me and it is. Guess I wasn't the only guy out there figuring it would be nice to see how you stack up relative to other folks. I've put forth some ideas on metrics (it's in the book) and lots of others will also. Let's hope as an industry we can come to some consensus on what makes sense to track and then do so.

Deal: Ingram buys into training
So what? - Security training is big business, especially in emerging areas like application security. But most of the dollars are in the old, boring stuff like firewall and IPS certifications. How else can you explain a multi-billion dollar distributor like Ingram buying a training firm specializing in Juniper and Check Point training (here)? Ingram wouldn't get involved unless they figured they could amp the revenues by a significant multiple. If I'm a VAR, I'm increasingly wondering when folks like Ingram are just going to bypass my business altogether and go directly to customers. Kind of like CDW does. But growth is growth and every company needs to strive for it - even broadline distributors. So what, you ask? VARs, like every other organization, need to continually search for ways to continue adding value. That is what services are all about, and it's clear that training on mature products isn't a long-lived opportunity of that type. Big companies commoditize markets like this. So it's on to things like managed services and becoming a retainer-based strategic advisor to your customers. Or not, but as Deming says, "It is not necessary to change. Survival is not mandatory."

Google thyself
So what? - I've made no secret of my belief that information security professionals need to be proficient with the tools and techniques that the bad guys use and proactively test their environment to see how it will hold up under fire. I call that function - Security Assurance - and it's becoming a real responsibility in cutting edge companies. These aren't auditors, though they perform an audit-like function. They work for the CSO and their job is to break things - before the bad guys do. An interview featuring Tom Bowers (here) highlights yet another tool that you should be familiar with, and it's one that you probably use every day. Right, Google. There is lots of information out there about how the bad guys use Google to find soft spots in an organization to ease penetration. Kind of like the KY of hacking. OK, sorry - that was gross. Couldn't resist. Yet, the point is the same and it's important - find out what Google has to say about your organization. The bad guys have already done that.

The Laundry List

Ecora makes SOX "affordable." If it was that easy, everyone would be doing it. - here
AV is really a commodity. Get McAfee with your friggin' modem now. - here
V.I. Labs prevents tampering on .NET applications. Yet another solution looking for a problem. - here
ScanSafe says 49% of web traffic is crap. Crap is in the eye of the beholder. - here
Novell delivers "next-generation" SIEM. Wonder if that bridge is still available? - here

Top Blog Postings

Nothing is guaranteed!
Last week Mitchell ranted a bit about whether choosing a big company is any "safer" than going with a smaller shop. I think he's talking about selecting products, but he could just as easily be talking about a career. Big companies provide the PERCEPTION of being stable and safe. But as everyone knows, nothing is guaranteed. Not a product you buy, not a company where you work, not even that you'll get up tomorrow morning. That's why I'm such a big fan of contingency plans. With the exception of maybe 10 technology companies, any company can go under or be acquired and wreak havoc on your plans. So you need to have Plan B. And from a career standpoint, you could be taken out at any time. Symantec is laying folks off right now to bring their costs more in line with reality. Always have Plan B well fleshed out and give some thought to Plan C. You never know if today is the day you'll need it.
http://www.theconvergingnetwork.com/2007/03/big_companies_aint_so_safe.html

Is this your job?
Steve Hunt takes a crack at defining what the CSO needs to do. From a job function standpoint, I think this is pretty close. I could split hairs relative to whether the CSO is in charge of implementing the solutions as well, or whether they should be (separation of duties), but the answer is you'll see both models out in the field. I also agree that if this type of CSO is also responsible for physical security, then he/she should report to either the COO or CFO. Not the legal counsel. Nothing will get done if the security function reports into legal. Ultimately, the CSO is responsible for the SECURITY PROGRAM and will need to work with the other parts of the organization to make it a reality. You may not be there yet, but you will get there. Remember, someone needs to watch the watchers.
http://www.securitydreamer.com/2007/03/job_description.html

No cost justification for Skype??
MCW does an interesting piece here about some internal gyrations he had to go through in order to kill Skype from his network. First thing I wonder is whether it's really dead. If Skype were that easy to kill, I don't think we'd hear so much about it. But that's not the point. His analysis is based upon the fact that Skype allegedly impacts network performance, which would allegedly impact productivity, and allegedly cost the company more money than they'd save via long distance savings. If Skype were only a long distance replacement, perhaps the analysis would be correct. And if his employees really lost that much productivity. But both of those assumptions require a leap of faith. Skype is more than phone; it also adds video, collaboration and probably some other stuff I don't know about, which fosters tighter COLLABORATION, which allegedly increases productivity. Again, allegedly. Clearly I'm playing devil's advocate here because I hate these types of analyses. The security guy does an analysis to get the answer he wants. The business person that thinks Skype is cool can do a similar analysis showing how it significantly increases productivity and debunks the 10% network performance tax. Anyone can make a spreadsheet dance on its head. If you think Skype is insecure and an unnecessary risk, then make that case. But don't just fall back on a simplistic economic justification, when that isn't even the issue.
http://mcwresearch.com/archives/440


Submitted by Michael Wright (not verified) on Tue, 2007-03-20 16:56.
Where I work, which is a partnership, nearly every decision made at the partner level is influenced by the bottom line (and I'm not naive to think that's unique to where I work). When I need to convince the partners something is a good idea or a bad idea, they don't want to hear about covert back channels, closed-algorithm encryption, or particle beam acceleration. They want to know 'how much will it cost or how much money will it save the firm?'

I've successfully made the argument, to date, that Skype is insecure.  The post to which you are referring was written in the hypothetical context of addressing a business case based on cost.  In almost every case where a user on our network has requested Skype, their request has been based on inexpensive calls (and interestingly mostly in our China and UK offices).  That means in this case cost is the issue.

Not to mention that any risk analysis boils down to the cost of protecting assets.  Do I need to spend $15 to protect my $10 widget?  

Where's a pragmatic CSO when you need one?  =)

Submitted by Mike Rothman on Tue, 2007-03-20 17:01.

The Pragmatic CSO makes the case based upon what is important and if they've done their jobs correctly, senior management is receptive to their line of thinking because they've earned the credibility.

This, of course, is not always the case and in some environments (a partnership with a tight rein on costs is certainly one) the approach won't work. So you do what you need to do. I just didn't want the broad market thinking that a trumped up cost analysis is the preferred way of doing things.
