The Daily Incite - February 5, 2008

Submitted by Mike Rothman on Tue, 2008-02-05 07:43.
Today's Daily Incite

February 5, 2008 - Volume 3, #11

Good Morning:
I remember it like it was yesterday, but it was 1995. Matt Cain, a fellow META analyst, and I were walking out of Lotus' Cambridge headquarters after a day of meetings. We both looked back at the building and he wondered aloud who was going to own Lotus in a year's time. It was a prescient comment, since no more than 6 weeks later IBM launched their hostile bid. I was kicking myself in the ass for not buying those call options on Lotus when we walked out of the meeting.

Lou Gerstner had some big cojones to offer $3.5 Billion for Lotus. That was a lot of money in 1995. It was all about Notes at the time, and hoping that the 1-2-3 franchise wouldn't erode as quickly as it did. Lotus certainly had their ups and downs. Lumpy quarters, Wall Street frustration. And then this IBM bid comes in at a huge premium. What else could Lotus do? No one else had the balance sheet to rescue them from IBM's clutches. So they grumbled a little, negotiated a little and finally relented with an extra couple hundred million in their pockets.

Do you see any similarities to another deal that is making headlines? Of course, Microsoft/Yahoo. It's not necessarily the sign of the apocalypse, but it is certainly an indication of the transference of power in the technology space.

In 1995, IBM bought Lotus because they were having trouble competing for mind share with this upstart company outside of Seattle called Microsoft. IBM was still smarting that they made Bill Gates a billionaire by giving him the PC operating system franchise, so they certainly weren't going to let him take the collaboration franchise as well.

But in reality, by that time IBM was no longer a player, and it truly indicated that Microsoft was the dominant force in all of technology. Not that IBM wasn't huge, but they had struggled and were rapidly becoming a services player. They would not be dictating technology architecture moving forward. Lotus lost that battle and IBM couldn't save it.

Yahoo! will relent and fall into Microsoft's embrace. Maybe they'll get another $1 or so on the share price, but they will sell. No one else will come forward with a bigger bid and it's not like Yahoo has a lot of momentum nowadays. Staying the course isn't an option, not after blowing a quarter and reducing the outlook for 2008. But more importantly, to me this also indicates the transference of power to Google. Microsoft is admitting they can't compete with their own online stuff. Which they can't, so this is a good shrewd move, timed perfectly by Ballmer and crew.

Will they execute? Who knows? Who cares? Microsoft had no choice. They are playing the only card they have right now in the search and online world.

It really is amazing how history repeats itself in this business. I've been around long enough to have seen each movie, a couple of times. As they say in Battlestar Galactica, "it has happened before and it will happen again." Yes it has, and yes it will. You just have to pay attention to see the cycles repeat.

Have a great day.

"Remember Big Fish Eat Little Fish" picture originally uploaded by theothermattm



Top Security News

The Fed Fall Fiesta
So what? - Thanks to George Hulme for pointing out a little pork in the proposed US Federal budget for this year. OK, not just a little pork - A LOT OF PORK. $30 BILLION earmarked for cyber-security over the next 7 years. Holy crap. $30 Billion. The projected expenditures would be $6 billion this year. First of all, I hope by now we all know that throwing money at the problem doesn't make it go away. Not by a long shot. Not that having money and the ability to make investments isn't a good thing - but it's certainly not a panacea. This entire thing seems a bit back assward to me. Normally, security professionals have to do a good job with limited resources, and then some type of catalyst (like a breach perhaps) will make the light bulb go off in the corner office, and the investments will be made. But with performance like FISMA and all the other indications that a lot of the money spent today by the Feds on security is wasted, how on earth do they think that throwing more money at the problem is going to help? All I can say is that it'll be a great Q3 in public security land if this budget goes through.

The living policy
So what? - Dr. A recently published a byline in ComputerWorld that discusses the role a security policy has in our efforts. It's a good read and makes the point that you need a policy because the regulations say you need a policy. As early as HIPAA, there was a requirement for a security policy - whatever that means. And that is really the point. The policy is only a piece of paper (or likely a lot of pieces of paper) and if the organization doesn't make conscious efforts to change the culture and accept security and data protection as important aspects of day to day operations - it doesn't make a difference. That takes marketing, that takes selling, that takes a lot of evangelizing within your organization to make the policy real and to evolve it over time as things change. 

PDF spam is baaaaack....
So what? - A while back we went through a fairly short period where PDF spam was all the rage. And then it stopped. Why? Because it didn't work. Having spent some time (OK, a lot of time) in marketing, it's all about return on investment and response rate. Sending spam is a business and the bad guys will continue to refine their techniques until they get adequate response. Thus, it's not surprising that MXLogic would point out the re-emergence of PDF spam in more inboxes. What should users do? Probably not much different. Thump your email security vendor on the head if their accuracy is going down. Continue to train end users about why they shouldn't open PDF files or even messages from people they don't know. 

The Laundry List

  1. More PCI nonsense from Secure Computing. Now they have put up a PCI website to help customers beat the deadline. Give me a break, this is about 18 months late. - Secure Computing Release
  2. ConSentry wants to get into the closet. The wiring closet that is. Go after the 800 lb. gorilla in their pen. Sounds like a fun way to spend the day. - ConSentry release
  3. Fortify offers to scan e-voting machines for free. And what do they do if they find something? It's not like you can push back the election like a software project off the rails.  - Fortify release
  4. Sourcefire downgraded by Jefferies - stock gets pounded to an all-time low. That wouldn't be newsworthy (unless you are Marty), but this is the first I've heard from the Street about the macro economy impacting security spending (outside of financials). - AP coverage

Top Blog Postings

Are you secure? Prove it...
Metrics continue to be a thorn in the side of security practitioners everywhere. The point Stuart King makes in this post is that there are lots of things he can count, but what will really show relevance to the business? He's going to rely on the results from vulnerability scanners, patching information, project plan effectiveness, and then some incident data. I can see how the incident information would be useful, but patching and vulnerabilities? Those are maybe causes, and good to track for operational requirements (continuous improvement, etc.), but would an SVP of Sales care about this stuff? We need to go back further into the process and focus on what outcomes we are trying to generate. It's time we take the next step beyond Jaquith's great work to define the problem and make metrics more actionable.
http://www.computerweekly.com/blogs/stuart_king/2008/01/security-metrics-are-we-secure.html

How do you count awareness?
Chandler has been doing some great writing on his journey to put a better metrics program in place. This piece talks about security awareness metrics and whether they pass the sniff test. On the surface they do. It's interesting to be able to track the % of folks that take training and pass the tests. But once again, this is useful only from the standpoint of operational improvement initiatives. This doesn't correlate whether the people that took the tests actually did something stupid that resulted in a breach or incident or something else. Chandler uses the word "outcomes" in lots of his posts, and I'm right there. We need to define the outcomes we want and then back into the appropriate metrics that will put the right incentives in place to do the right thing. If it was easy, everyone would be doing it, but it still needs to be done.
http://thurston.halfcat.org/blog/2008/01/26/do-awareness-metrics-fail-the-so-what-test/

If you are going to count, count the right stuff
I think we are numb to Microsoft patting themselves on the back about how many vulnerabilities and patches Vista hasn't had. Thankfully Andy Jaquith took the time on the Security Metrics wiki to deflate this balloon by using a very appropriate joke. There was a bit of buzz when Jeff Jones first released the report, but then it died down quickly. The fact is, no one cares. Microsoft has done a great job of dramatically improving the security of their operating system. Of course, it's not perfect - but nothing is. But the cold hard truth is that security is not why people buy operating systems. Functionality and user experience are. Yes, Vista is certainly more secure than XP. But my friggin' HP Vista driver still won't do duplex right. And it performs like crap. Slow as molasses on a new machine. Give me back my XP. Oh, too late. I already moved over to OS X for 98% of my work. Maybe this report makes the MSFT security team feel better, in that their hard work is yielding some type of result. I suspect they'd feel a lot better if the results were relevant to real customers.
http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_310108_1

Submitted by Anton Chuvakin (not verified) on Tue, 2008-02-05 11:03.
Calling me 'Dr A' breaks all my ego-tracking routines :-( Thanks for linking to my paper though!!!
Submitted by Mike Rothman on Thu, 2008-02-07 17:52.

But I'm not sure if you can dunk from the foul line. I suspect not.

BTW, you can set Google alerts to check when someone references your website domain. That would have caught my reference. But I need to make sure you are still reading. I'm glad you passed the test.
