The Daily Incite - March 3, 2008

Submitted by Mike Rothman on Mon, 2008-03-03 09:44.
Today's Daily Incite

March 3, 2008 - Volume 3, #21

Good Morning:
It takes some serious stones to bet the ranch. A friend from college was in town this weekend, with his 3 kids, and we were chatting a bit about the NBA. I'm not a big basketball fan, but I can appreciate how some of the Western conference teams have pretty much bet the ranch to get more competitive this year. The Lakers, Suns and Mavs made huge trades and basically leveraged their future to win today. The Cavs did the same thing in the Eastern Conference, after the Celtics started the ball rolling in the off season. Pro sports are all about winning NOW, and the free agent markets are all about bringing in the talent, whatever the price.

All In! These teams have bet everything on a bunch of stars in their mid-30s, most already in the twilight years of their careers. Can Shaq do it again? Does JKidd have enough left in the tank to take the Mavs deep into the playoffs? That's what makes the game exciting, and I know these moves will likely have a positive effect on ratings and excitement as the season winds down and the playoffs begin.

Which is what it's all about. We can (and should) learn a lesson here relative to risk and reward. A lot of the decisions we make relative to security are not about changing the game, or leveraging our future - it's about doing things as cheaply as possible to provide the bare minimum amount of risk management to keep your organization off the front page of the newspaper, right? Security folks don't really get the opportunity to bet the ranch, and I posit that's a good thing.

With very rare exceptions, security folks operate on a shoestring budget, without even the bare minimum of resources required to get things done. None of our senior teams are "betting the ranch" on a new security system that will change the way you do business, dramatically increasing value.

That means we have to operate differently, a bit under the radar and heavily utilize grassroots efforts in evangelizing why security is important and how it helps to achieve the "reasons to secure." The RTS are laid out in all their glory in the Introduction to the Pragmatic CSO, which you can get by registering on the web site.

I've been giving a lot of thought to the idea of how to make security relevant in the board room. And compliance is not the way. You can get attention through compliance, but not relevance. I think the P-CSO philosophy is a great start, but it's not enough. Do you smell something burning? Yep, it's the sweet scent of the rusty gears turning in my head. I just may have an idea or two to get things moving in this area.

Have a great day.

PS: I finished up all of the Days of Incite last week (YAY!). You can check out all the posts using the "Days of Incite" tag on the Security Incite site (say that 10 times fast).

Top Security News

In the mood for a security ratings system?
So what? - If you've done any investing, you know about Moody's rating service. They evaluate the debt of a certain company and assign it a rating based upon perceived risk. The rating then has a bearing on the interest rate those companies have to pay to get access to the funds. What if that same model were applied to security? Could an objective rating be produced that would provide an idea of whether you should do business (and share data) with a potential trading partner? Moody's is trying to do exactly that. Evidently they've got a couple of big financials to start leaning on some companies to get involved. I think this is going to go over like a lead balloon. First of all, given the CDO and sub-prime mortgage fiasco, Moody's ratings have been outed as a sham and investors' funds have gone down the toilet with them. But more importantly, what about accountability? Will Moody's assume some of the liability of rating a company a 1 vs. a 4? If the 1 (which is the best rating) turns out to be TJX, can you go after Moody's right after you send the disclosure letters to your customers? Again, I think not, and that's the issue. I guess I don't get why this is any different than something like PCI, with the exception that this is about enriching Moody's and not really reducing anyone's risk.

Why buy the full disk encryption cow, when you can get the milk...
So what? - Symantec has finally joined the ranks of endpoint security vendors that are offering a full disk encryption option. Check Point and McAfee have acquired their alternatives, which means they are committed. Symantec, not so much, since they are just doing an OEM deal with GuardianEdge. NetworkWorld has the details. This is a pretty strange choice, if I do say so myself. Why not buy the company? There are quite a few options, and SYMC will plunk down some big bills if they think there is a market there (Brightmail, Vontu, anyone?). If anything, they are driving their own price up when they ultimately have to acquire and control the technology. In the meantime, they aren't integrating the technology into their Endpoint management console, so it's just a purchasing arrangement. There is no benefit to getting this from Symantec, besides maybe getting another round of golf, courtesy of your favorite SYMC rep. I can understand taking this OEM approach with the anti-bot program (which is Sana's technology), since that is an unproven market and it makes sense there to hedge their bets. But full disk encryption? I guess they missed my Incite on the topic. If I were Sophos or Trend or even Microsoft, I'd acquire GuardianEdge in about 3 months, right after the SYMC field understands how to sell it - if only just to kick the Big Yellow in the McNuggets.

The SafeNet also rises
So what? - SafeNet is not dead. I know, I know. There is something deep in the bowels of your memory where you sort of remember a company called SafeNet. They did some authentication and encryption. Bing! Now you remember, they were another casualty of the high flying, back-dating options fiasco. Their house of cards fell down and their CFO is now in the big house. They were taken private by Vector Capital and have been keeping a very low profile since then. But per Rob Newby's blog, his employer Ingrian Networks has been acquired by SafeNet. Rob thinks it's a "VERY smart move," but what is he supposed to say, especially when there is uncertainty about his job? "Oh, I hate this deal. Crap, I need to look for another job." As entertaining as that would be, it would also be stupid on Rob's part to do anything but be complimentary of the deal. Though I tend to agree with him. On the surface this seems like a good deal. SafeNet has a lot of customers (especially in the US Fed market) and they do encryption. The Ingrian platform is complementary to SafeNet's existing products and Ingrian gets the deep pockets that come with a multi-billion dollar hedge fund calling the shots. Ingrian's investors probably get out with their scalps attached as well, which is always a good thing.

The Laundry List

  1. ArcSight hits their numbers in their first quarter as a public company. No pre-announce means they hit the number. Evidently they got the memo that Sourcefire missed, twice. Never miss your first quarter as a public company. - ArcSight earnings announcement
  2. Passlogix figures strong authentication goes with SSO like chocolate and peanut butter. Though that could cause a nasty food allergy for those health care companies they are targeting. - Passlogix release
  3. SNMP is not secure, now it's vulnerable to a persistent XSS attack. No kidding. If your externally facing devices allow SNMP, raise your hand - and get pwned. - Dark Reading coverage
  4. McAfee jumps into the VirtSec game, buddying up to VMware and also offering some consulting stuff to help customers understand best practices to combat attacks that haven't happened yet. - McAfee VMware partnership; McAfee VirtSec Consulting services

Top Blog Postings

Interviewed by a Mogull
As Rich was out on the DL, we did a little email interview to keep his readers satiated while he was mending from shoulder surgery. It's pretty wide ranging, with the first part talking about NAC and other network security topics and Part 2 focusing on DLP and data protection. For most readers of both of our blogs, there isn't a lot new here, but I do go a bit into why I think 2008 is the tipping point for network security to become a feature of the network. We also discuss why the DLP market hasn't really happened yet (despite lots of funding and lots of acquisitions). We also get into important issues like Rich's time machine and how I get the inspiration to write the Incites every year. 
http://securosis.com/2008/02/19/interview-with-mike-rothman-part-1/
http://securosis.com/2008/02/20/interview-with-mike-rothman-part-2/

Running a great analyst event
If you are a security practitioner, then move along. I'm giving you early dismissal today. That's right, go get something done. For any of you that are left, let's talk a bit about analyst events. The RedMonk fellows weigh in on running a great analyst event in a post on James Governor's blog. His colleague O'Grady weighs in as well. Personally, I hate analyst events, and rarely go. Why? Because listening to canned speeches and mingling with my "competitors" is a waste of time. I pride myself on adding value. I'm certainly not going to be smart and give any good ideas to most of the other jokers in the room. If I do get one on one time with any of the senior folks, they are not really paying attention, they've got too many whores to entertain. I also love the really big vendors that do me a favor by offering me free admission to their big customer conferences every year. They don't even cover expenses to get to the event. Now that is the height of arrogance. But I digress. Basically, the best approach to having an analyst event is to not have one. Pick 5 of the analysts that provide the most value and do a strategy day with them. It's a lot more effective on both sides. And don't take it personally if I don't show up to your analyst shindig. There's nothing in it for me.
http://www.redmonk.com/jgovernor/2008/02/14/7-tips-to-run-a-great-analyst-event-dos-and-donts/

"Great" analyst briefings - it's a myth
While I'm ranting about the sad state of most analyst events, let's tackle the messy business of vendor briefings. I have dramatically reduced the number of briefings I do, and guess what? I'm still here and even better, I don't burn hours a day having vendors talk at me. Forrester's social media animal, Jeremiah Owyang, talks about an effective analyst briefing in this post. But let's be clear, Jeremiah has been doing the job for about 3 months now, when it's still cool to be fawned over by all these vendors trying to curry favor. He does have some decent points in here, like "understand the analyst's coverage area" and "you need to stand out." But those are obvious. To me, there are no great analyst briefings, because if it's a "briefing" that indicates I'm listening and being pitched to. There is nothing I hate more than being pitched to. Don't waste my time. If you aren't interested in my opinion, then send me a press release and a PPT and move on. But if you want a dialog and want to understand how I would do things, and odds are it's a bit different than what you do, then let's get on the horn. If you hear the sound of a tapping keyboard in the background, that isn't me taking notes. That's me returning email or scanning my blog reader. It means you have lost my attention and I'm counting the minutes until the briefing is over. And that means you've lost a key opportunity for some free consulting. Too bad for you. For some more tips about what not to do, check out this classic: "Top 5 ways to piss Mike off" back from 2006.
http://www.web-strategist.com/blog/2008/02/01/what-a-great-analyst-briefing-looks-like/