The Daily Incite - April 17, 2008
April 17, 2008 - Volume 3, #37
Good Morning:
It's been a long two weeks. I feel like I'm drowning. I can't
keep up with all the inflow. I'm doing my best, but I feel like I'm in
a leaky boat trying to keep the water at bay with a little Styrofoam
cup. My laptop dying last week didn't help, and the inflow just keeps
coming and coming.
Thus I feel I have no choice but to declare bankruptcy. Leave the creditors
holding the steaming brown bag of my liabilities. I
know you are probably wondering how this could happen. I always talk
about being very busy, and in fact that's the root cause of the issue.
I'm too busy.
I'm declaring Blog Bankruptcy. Economically I'm doing fine, thanks for
your concern. But with about 400+ feeds hitting me with news at all
times, I just can't keep up. Not after losing last week to RSA and the
early part of this week to Uncle Sam. So I'm not even going to
try.
When I opened up my reader this morning, there were like 4000+ unread
posts, and that didn't even include the newswires (there are probably
another 4000+ of those). There is no way I am going to get through
them. So I'm just going to use GReader's trusty "Mark All as Read" and
move on.
So I'm sorry to all of you that wrote masterful pieces of prose over
the last week that would make James Joyce proud. I
apologize to those hoping for a little link love to get your blogging
efforts off the ground. I apologize to those of you who I've deceived
into thinking I'm going to wade through all the noise and crap, so you
don't have to. Usually I do, but not this week.
On a more serious tone, I know how stressed out my overflowing RSS
reader was making me. It's hard to imagine how folks who are in real
financial straits deal with the pressure. The Boss and I have had our
moments, but we've been very fortunate to always have maintained enough
runway to keep the lights on. Given the state of the economy, I fear
the problem is going to get a lot worse. I've been hearing about an
increase in the number of foreclosures in my area of suburban Atlanta,
and I know it's happening around the world.
Good folks are losing their jobs and having a really hard time finding
a new one. I've been there. No job, big mortgage, uncertain employment
prospects. But I got through, and for that I'm thankful. That was a big
reason why I decided to start my own business after I was asked to
leave my last job. I never wanted to be dependent on the whims of
anyone else to pay my bills.
I've probably mentioned this in the past, but of all the hard times
I've had (and we've all had hard times), there is one statement that
has done more to help than any other. "This too shall pass." Seriously.
As bad as it got, as I drove up to the left toll booth at the Reston
Parkway exit of the Dulles Toll Road (westbound, towards the airport),
there was a little sticker below
the change basket that said, "This too shall pass." I'm not sure it's
still there, but I wish I could hug the person that put it there. That
sticker got me through some pretty dark times.
Now I think I need to go see what's accumulated in my reader since I
reset it this AM. Just like the bills, I'm pretty sure the world hasn't
stopped just because I can't keep up... Have a great weekend.
Photo: "Bankrupt" originally uploaded by theamericanroadside
Top Security News
They are still doing anti-spam tests?
So what? -
Imagine my surprise when I stumbled across this InfoWorld
review on email security gateways. Really? Now? It's 2008,
you know. Back when I was in the anti-spam business (around 2005), a
huge part of my job was "managing" reviews. That meant masking the complexity
of the product, "gaming" effectiveness results where we could, and basically
trying to ensure my product looked better than the competition. At some point,
I'll probably write
an ebook about winning product reviews. I learned it is a science, with
a little bit of art thrown in for good measure. But enough about me,
what about anti-spam gateways? Aren't they all the same? What is the
differentiation now? And more importantly, how do you test them and
hope for decent, sort-of real world results? Basically, you don't. This
review is mostly useless, unless you need a primer on the different
functions that show up on email security gateways. If, for some wacky
reason, you still want to have an email gateway in your perimeter, the
only way to figure out if it's going to work for you is to try it out.
All the vendors will let you run real mail through the gateway for
30-60 days to test effectiveness. Take them up on it. Make sure the
device stops the mail you want stopped and doesn't stop the mail you
can't miss. And then buy it. For the most part, they work well enough
and fairly consistently. You'll figure out that it sucks in two years
and then go buy another one, which will suck the same way after another
two years.
Finally... why I hate Rolling Reviews
So what? -
I've been pretty critical of Network Computing's Rolling Review
concept. I understand the business has become real time and you can't
really wait for a detailed, in depth review of a bunch of products. I
had just chalked it up to my general impatience and need for instant
gratification. After reading Fratto's review of StillSecure's SafeAccess,
I figured it out. It's just not fair. I know, I'm not two years old. I
can't go complaining to Mommy that life isn't fair. But the review pointed out
some issues with the product. Issues that are neither unique, novel, nor deal
breakers. But all the same, those issues are rocket fuel for the
competition, especially since their products haven't been reviewed yet.
Competing in early stage, hyper-competitive markets - especially ones that
have plateaued a bit - is like being in a bare knuckle brawl. The
combatants will use absolutely any data point (however flawed, untrue,
or irrelevant) to get a leg up in a deal. And customers willingly play
along, legitimizing many of these ridiculous ideas by using the data
points to rake a vendor over the coals some more. I know this kind of
review can cut both ways, in that a sterling review gives the vendor
running room until the competitors weigh in. But overall, I still favor
getting a comprehensive, balanced view of a market segment all at once.
Even if it means I have to wait a bit, while all the reviews get done.
Maybe we should call this "No Coat"
So what? - Yesterday
Secure Computing and Riverbed announced a
"partnership," to do joint selling and marketing initially
and then some technical integration later on between a web filtering
gateway and a WAN acceleration device. Of course, this is all
about responding to Blue Coat, which has done a good job evolving the
content perimeter to include both web filtering and WAN acceleration.
So on the surface, this deal seems to make sense. Yet, after doing my
own brand of analysis on the deal, basically this is a Barney
announcement. That's right, I'm issuing a Purple Dinosaur alert. To me,
it gets down to one fairly simple assessment, and many of you will think
it's kind of petty. But you'll see, I'm right. It's all about the
quotes in the press release. Having been a marketing guy, the strategic
nature of a partnership can be inferred (with a high degree of
probability) based on who is quoted in the release. If this is a big
deal, the CEO gets quoted. EVERY TIME. If it's not, then it's a bus dev
grunt or a marketing hack. Guess who is quoted from Riverbed? BD
grunt, though at least he has a VP title. From Secure? Marketing hack.
It's also strange they don't include the email security products in the
deal, since that would at least be a bit of a differentiator against
Blue Coat. Thankfully Barney has a thick purple coat to keep him warm,
since this No Coat announcement won't do much against the cold
macro-economic winds.
The Laundry List
- Looking at disk encryption stuff? If you only have to support a handful of users, this review may point you in the right direction to some desktop oriented FDE offerings. Keep in mind, they didn't look at the ability to support enterprise policies, and that's what is most important. - InformationWeek coverage
- DLP as a service? Verizon is going to try, using technology from almost everyone. Good luck with that, since the outsourcer is in the best position to figure out what needs to be protected - not! - NetworkWorld coverage
- If you can't beat them, ... Check Point introduces a high end (Power-1) and some lower end UTM-1 devices to compete against their OEMs. I'm sure Nokia is ecstatic. - Check Point releases
- nCircle has 17,000 of something, though it's not clear why it matters. At least, "mine is bigger than yours" marketing is not dead. - nCircle release
Top Blog Postings
We've still got a lot of work to do...
Dan over at TechDulla tells a horrifying tale of the general disregard
for common security practices. We've all seen this stuff a bunch of
times. You know, the guy that leaves his laptop and cell phone on the
table at Starbucks or at an airline club. They go on walkabout, hit
the potty or take a call outside and just leave their stuff on the
table. Dan at least had the cojones to engage the guy in conversation
and try to educate him on how stupid it is to leave a laptop on a desk
ANYWHERE. I have two takeaways - most folks need to learn the hard way.
At some point, someone will figure it's cheaper to join the Admiral's
Club for $400 and then steal a bunch of laptops to pay it down. Seems a
lot easier than other petty thievery. And then
guys like these will learn the hard way not to leave their stuff
around. The other take-away? If you don't have laptop data encryption
deployed on your mobile devices, you are a sitting duck. You probably
have guys like this carrying laptops with your private information. And
they will be losing the laptops. Then you get to tell your customers
what an idiot you are. Unless you encrypt the disk. So encrypt the disk.
http://techdulla.wordpress.com/2008/04/07/would-you-trust-the-admiral/
You forget option 5: Die on the vine.
Shimmy puts his McKinsey hat on and for a fraction of the cost, maps
out the strategic alternatives for most security start-ups today. They
can 1) earn their way out of it (usually not an option), 2) merge (they
need to have something worth acquiring, like a product or customers),
3) lower expectations and settle (that seems like #2 to me), and 4) pray
for a miracle (hope is not a strategy, and no security companies are
like Guitar Hero). The other option is one that Alan didn't
specifically mention, but that's probably because he's an optimist.
Basically these companies will go away. Alan's 4 steps actually happen
in chronological order. First you think you can grow the business. When
that doesn't work out, then you look for high value mergers. Then reality
sets in and you look for any merger. Failing that, you pray. When you realize
the higher power is pretty busy doing other things, then you go away.
Hopefully you have enough money left over to surgically remove the VC's foot
from your backside. But it always ends like this, though it takes longer than
you think. Mr. Market is rarely wrong for an extended
period of time.
http://www.stillsecureafteralltheseyears.com/ashimmy/2008/04/shimmys-theory.html
CSO job responsibility: Silo breaker
AndyITGuy makes a good point about siloed security in this post. The
fact is, rarely is the security officer credible enough to actually
persuade his/her peers at the executive level that security is
something that needs to be addressed and handled by everyone. So the
executives do the minimum they can get away with (like AV on the
desktop and a firewall on the perimeter) and point the finger (yes,
it's usually the middle finger) at the other folks when something
inevitably goes wrong. Remember, the security job is not about managing
firewalls anymore. It's about PERSUASION. You need to convince the
other members of the team that doing a little now, will stop them from
doing a lot of very painful stuff later. It's hard to point to a
specific ROI, so you need to appeal based on the reasons to secure
(discussed in the P-CSO introduction). And you need to be persistent.
Silos weren't built in a day and they rarely come down like the Berlin
Wall. If you wanted something easy, go into sales. (yes, I'm kidding)
http://www.stillsecureafteralltheseyears.com/ashimmy/2008/04/shimmys-theory.html



Mike, unfortunately the fairness issue is only one of the BIG issues I have with both Network Computing's Rolling Reviews and Network World's Clear Choice Tests. These reviews are at best misleading so security professionals who rely on them are unfortunately the ones who suffer. I discuss many of the shortcomings of the NC Rolling Reviews in my blog posts Snippet: Network Computing Dings ConSentry NAC Bigtime and Upcoming Network Computing NAC Product Tests: So What?. And critique Network World's Scorecard approach in NAC Product Testing: Is There A Better Way?
Could these publications produce more trustworthy and useful analysis? Yes. Will they? Do not hold your breath. It would be too hard and likely less provocative and so it's not appealing to the journalist mind.
Good comments on the InfoWorld anti-spam tests. I know your pain with respect to managing evaluations.
You probably missed my marvelous prose due to your recent purge but the Infoworld results are even worse than meaningless. They are wrong. The calculations didn't include messages dropped by reputation filtering as spam. So anyone who does this has their capture rate totally skewed.
But more importantly spam tests continue to test the wrong thing. Capture rates are meaningless because as you say everyone gets the same basic amount of spam. The critical measures are resilience and response time to new outbreaks.