The Daily Incite - January 31, 2008
January 31, 2008 - Volume 3, #10
Good Morning:
If I've said it once, I've said it a hundred thousand times. The first
key to success is understanding how to manage expectations. Like with
the Super Bowl, I don't expect much. After watching the pomp and
circumstance this week, I'm just happy the G-men are there. If it's a
competitive game, all the better. If they win, my head may explode.
I'm working hard to temper my own expectations.
Why are expectations so important? Basically your impression of any
experience can be either horrible or great depending on what you
expected. Let me paint two cases in point. First, I've been doing a lot
of road work lately, which means a lot of airports, hotels and the
like. I expect the situation to be mostly miserable because I've been
doing this for a long time, and the attraction of life on the road
faded many years ago.
This week, I found myself in an airport with about an hour before my flight.
I figured I would grab a decent meal and chill for a bit. So I hit one
of the ever-present airport TGI Friday's and took a load off. I'm
maintaining a mostly vegetarian lifestyle now (I eat meat once per
week), so it can be a hassle to find things to eat in an airport. I saw
a Portobello sandwich and jumped at it.
The waiter took the order and then came back about 2 minutes later with
the news that they were out of Portobellos, so that sandwich was a
non-starter. I shrugged and asked what else a veggie could eat. There
wasn't anything formally on the menu, so he suggested a quesadilla
with roasted vegetables and no cheese (I've cut out dairy as well). I
asked if they had some guacamole to lube the sandwich a bit, and he
said none was made, but he'd talk to the chef.
My meal comes out maybe 10 minutes later, and it looks great. It tasted
great too. The waiter asked me about the guac, which was pretty tasty
too. Evidently the chef wouldn't make it, so the waiter
made it himself. Now that is service. And that is also totally
unexpected. I'm at an airport Friday's, not the Four Seasons. You see?
A fantastic experience because the waiter took a little
initiative and pleasantly surprised me.
The other case in point is also pretty unexpected because it comes from
Microsoft. I (like most other Mac-heads) jumped on the Black Friday
$100 rebate offer to buy Office 2004 that included a free upgrade to
the new Mac Office 2008. I filled out the paperwork and was prepared to wait 6-8 weeks
after product launch to get my new package.
So I was pretty surprised when I got home and waiting for me was the
shipment from Microsoft. Less than two weeks after the product was
released, I got my stuff. That beat expectations by a full month. I haven't even
used the software yet, but I'm happy with it because I got it early.
It's not that hard. If you are candid with customers and meet
expectations (or even exceed them), you will be perceived as a star. On
the other hand, if you promise Jupiter, but only get to Mars, you are a
schmuck. Keep that in mind as you meet with senior management. Don't
commit what you can't deliver. That doesn't mean you don't expect more
from yourself and push yourself to do better than you've committed to.
But be careful what you commit to. You may not get another chance to
reset expectations.
Have a great weekend and GO GIANTS!!!!
Confucius says... picture originally uploaded by randeclip
Top Security News
Finally the masses agree! Applications are the path of least resistance
So what? -
We are about a month into 2008 and for the most part, this new year has
been the same old same old. If there is one thing that seems a bit
different in 2008, it's the amount of coverage and conversation around
application security (have you checked out my
monthly eBizQ feature and podcast on the topic yet?). Like
this article on Byte and Switch (Dark Reading's sister that focuses on
storage) which talks about why application security is important.
Of course, you have Ted Schlein from Kleiner flogging the topic (he was
the early money into Fortify). But most interesting is the comment
DTCC's James Routh makes about putting packaged software vendors
through the wringer: "For packaged software, we demand that the vendor
provide us documentation of static code analysis, dynamic code analysis,
and manual code analysis." As more and more customers start making these
demands, free market economics indicate that the vendors will have to
respond. That's a great thing for all of us. If you are looking for
more background and reading on application security, check out Dark
Reading's columns from folks like Gary McGraw of Cigital (4 ways to get started) and RSnake (how to hire a web app security pro).
Applications and data are the future of security - are you ready to
rumble?
The community can't help you if you violate the patent
So what? -
I do have to say that the folks at Barracuda are master marketers. I'm
still pulling splinters out of my backside from how they ate up the low
end of the anti-spam business when I was in that game. Now they've
focused their marketing muscle on trying to convince the open source community that
Trend Micro's patent on gateway AV is a threat to the entire open
source community. Actually, it's really just a threat to
Barracuda's margins. This patent has been prosecuted and enforced.
Trend won a case against Fortinet (which uses a proprietary AV engine)
and they had to stop selling boxes until they cleaned up their code.
The patent doesn't talk about any kind of specific AV engine, so this
crap about being a threat to the open source community is just
marketing hype. There are more specifics about Trend's intentions in this post.
Say what you will about the patent system, and whether something like
gateway AV can or should be under patent protection, but until the
entire system changes - you need to pay the man. The Trend man in this
case. It's a cost of being in that market, just like with Tumbleweed's
patent on the email firewall. You hate writing the check, but you do it
because spending a lot of money to fight it in court is a waste of
time and you are going to lose. Barracuda wants to make this about open
source and the open source fanboys are up in arms. But make no mistake,
this is about profit and once again Barracuda is playing the open source community
like a fiddle to build their business.
Users will do stupid things
So what? -
I've long said there is no panacea for security. If you still read my
stuff after two years, I hope that is not news. But there are a lot of
folks, especially in the mid-market, that continue to think that a
product or service or other type of magic box can make all their
security problems go away. Well, that's what the vendor said, no?
Perhaps the tide is turning. Based on some research (sponsored by GFI,
so I'm a bit skeptical), it seems that mid-market CIOs don't want more budget,
they want educated users. Wow! If it's true, that's a huge
sea change in the entire model that drives the security market. Of
course, they probably want to wave a magic wand and all their users
would be enlightened. The reality is security awareness is a long,
tough slog through the swamp. But as with any other type of educational
endeavor, you need to be consistent and persistent. You need to live
the process and lead by example. But it does point out the huge
opportunity that security awareness training presents, especially as more
and more folks understand that another box with flashing lights isn't
going to solve the problem.
The Laundry List
- Wherefore art thou SDLC? Check out my latest eBizQ podcast with Security Innovation's Michael Gavin. We talk shop, mostly about why an SDLC is important and what not to do. - The Mike Rothman Security Report
- Guidance should be hearing footsteps. The investigations software market will get more crowded, starting with Mandiant's new offering. - Mandiant release
- Entrust grows and is profitable in Q4. Looks like Santa Claus didn't deliver coal to anyone this past holiday season. - Entrust earnings release
- Websense also announces a good Q4, with less negative revenue synergies with SurfControl and better expense control. Street expectations will start ramping up just in time for the slowdown. Funny how that happens. - Websense earnings release
Top Blog Postings
Fix the pain to sell security
A big part of the P-CSO methodology is helping more technically
oriented security professionals to "play the game" and get the funding
they need to secure the environment. Amrit has a post here that does a
good job of helping to decode the CFO's pain and worry and what specific
security ideas help to solve those pains. Remember, in order to sell
anything (and if you - as a practitioner - don't think you are in
sales, get used to that firewall management interface, that's where you
are going to spend your career) you need to understand the pain and
position your offerings to fix that pain. Whether it's being green
(Kermit is probably sipping mai-tais somewhere collecting royalty
checks), software management, or infrastructure consolidation - these
are all high-profile initiatives that have the attention of senior
management. You need to position security within the context of these
macro-trends. You need to buddy up to the technologists driving these
programs and show them how (and why) security plays into the mix. Or
you'll find yourself selling red shoes into a blue shoe market.
http://techbuddha.wordpress.com/2008/01/23/the-high-cost-of-securing-it/
Are you in the service business or not?
While I'm on the topic of meeting customer needs, what about servicing
those customers? Is that something you - as a security professional -
take seriously? If not, then you better start dusting off your resume.
For the past couple of years, ITIL has been big news in most large
enterprises. Why? Because these folks tend to need guidebooks to help
them push through large scale initiatives. For better or worse, a lot
of organizations have been adopting ITIL practices to help them reduce
the impact of constant change on their environment. Does it work?
Personally, I'm not sure. But it doesn't matter what I think. A lot of
senior IT people think it works, and therefore security folks need to
understand the language of ITIL a lot better (probably including me).
Rebecca Herold has written an e-book called "The Shortcut Guide to
Improving IT Service Support through ITIL" and given the quality of
Rebecca's past works - it's worth a look. And it's free, all you have
to do is share your email address (and probably get pounded by the
e-book sponsor Opsware). It's on my reading list, right after a bit of
fiction because it's been all work and no play for too long.
http://nexus.realtimepublishers.com/previews/SGITIL-preview.htm
Finding that next CSO job
The reality is the average tenure for most CSOs is less than two years.
No es bueno, but the reality is that you should always be looking for
that next gig. Jeff Snyder has a security-oriented recruiting blog, and
if you can get over the totally obnoxious full screen bio that precedes
every blog post (I don't care who you are man, I want the information)
- there is some decent material there. Like this post
about why most CSO-types have a hard time getting hired. This is basic
and obvious stuff like having a resume that doesn't suck. But the
second and third are causes for concern - poor communication skills and
under-developed business skills. Let's be very clear here. The CSO Next
must be a BUSINESS PROFESSIONAL that can EFFECTIVELY COMMUNICATE to
peers on the senior team. If you can't do that, then you shouldn't be a
CSO. It's as simple as that. No fancy recruiter is going to get you
there. That's why so many new CSOs are coming from the business. It's
not about technology anymore, it's about how security can (and must)
serve the business.
http://securityrecruiter.blogspot.com/2008/01/career-advisor-top-five-reasons-cso.html



Mike, thanks for the mention of my ITIL book; I'm glad to hear it's on your reading list! If you do get down your list past the fiction to it, I would value your feedback. In particular for Chapter 4; it's on compliance and was my favorite one to write.
BTW, I, too, loved the Super Bowl...I was so happy to see the Giants win. Eli Manning was so underrated before that game, it was great to see how he flourished under tremendous pressure and got some incredible passes completed to Tyree (would have been great if he had a helmet cam on that one) and Burress. Just as fun was watching the Giants defense run over Brady like a snow plow so many times. :)
Hey Mike,
I know Jeff very well. In fact, he is one of the top recruiters in the country and one of the only recruiters I know who understands both information security and corporate security. Your comments about his profile coming before every blog were really not necessary. I mentioned your comments to Jeff and he quickly changed the profile. By the way, Jeff doesn't have time to write a blog just to write. He started the blog based on someone else's suggestion in an attempt to answer the overwhelming number of questions he receives through phone calls and emails. I appreciate that he takes the time to share his insights given the big picture view he has of the industry and the demands on his schedule. If you have a comment for Jeff, consider sending it to him directly so he can consider your point of view.
John
Security Professional