Holy Crap! I took a job...
It's true. I've been named Senior Vice President of Strategy and Chief Marketing Officer of eIQnetworks. I've rejoined forces with Jim Geary, one of the co-founders of SHYM, to work with the existing team and take eIQ to the next level. No, I wasn't expecting this. No, I wasn't looking for a job. No, I didn't "need" to. Yes, I'm probably nuts for taking another vendor job. But a number of pretty cool things came together and compelled me to make this move.
I should always remember that "never" is a very long time. Given my short attention span, the idea of "never" doing anything again is pretty silly.
First things first, you may not have heard of eIQ. We (wow, it's weird to refer to a vendor as "we") provide a security management platform that transforms the way security, audit and compliance professionals do their jobs. Our product set fits very cleanly into my world view of how security management needs to evolve and what the products in the space need to do.
Yep, I've pretty easily slipped my slick marketing hat back on, eh?
Security Incite will live on!
Obviously, I can't continue to parade around as an "independent" analyst. So as of today I'm no longer President and Principal Analyst of Security Incite. I think I'll just call myself Chief Blogger. That's right, I'll still blog right here and do my usual "no bull" analysis of what's happening in the security space.
I'm also going to evolve the Daily Incite to a more reasonable format for a part time "hobby." No it won't be daily (but I'm too lazy to change the logo), but that shouldn't be a surprise because it hasn't happened daily in about two years. I'll probably do 2-4 snippets twice a week or so. I'll also continue to do at least one detailed post a week based upon what I'm seeing in my travels and working with customers.
I'm not going to talk (much) about eIQ on the Security Incite blog, though tomorrow I will dig a bit deeper into my rationale for making this move. Obviously I'll disclose when any of my posts would/could be influenced by my employer or slam my competition. Surprisingly enough, we're launching a blog at eIQ, so add that to your feed reader. A few of my colleagues and I will be blogging about security and compliance management over there.
Part of my job as SVP, Strategy is to be very visible in the community. So I'll be doing a lot of speaking engagements, trade show appearances, and meeting with enterprise customers. If you are interested in having me come speak to your group, I'm game - just drop me a note. I'll even bring a few Pragmatic CSO books to raffle off.
I'm humbled and grateful that all of you have joined me on this journey for the past few years. You've challenged my positions, told me about what is really happening out there, and become good friends. As I move into this new role, I hope you'll stick with me as I continue to poke fun at idiocy, fight mediocrity, and try to make a difference in how security professionals do their jobs.
At some point, I expect to open shop again as an analyst because I really do love the role. But until then, I hope you are still able to enjoy the Incite of yet another vendor puke.
Photo credit: "old time clock" originally uploaded by mbtrama
Pragmatic CSO Podcast #23 - Picking the Right Product
This week we'll focus on the 2nd half of Step 6: Buying Security Products, which gets down and dirty in picking the product. We've already engaged with a long list of potential vendors (we discussed that last week) and now it's time to figure out what will work for you.
Next we do a bake-off and actually test the products under real world conditions. Then we develop our short list (based on products that can meet the need), then we get to negotiate. Get out your bat because that's what you'll be using. Finally the selection should be obvious if you've done the other steps correctly.
If you didn't get the Buying Security Products ebook, you can sign up for the Daily Incite email newsletter. If you read TDI via a blog feed, just send me an email and I'll forward the guide over to you.
Running time: 6:56
Intro music is Jungle and to close the show I bust out a classic from the Pure Funk age called "Pick Up The Pieces" from the Average White Band. Yes, you remember it. Yes, you love it. Get funky!
Direct Download: 23_Pragmatic_CSO_Podcast_23.mp3
Photo Credit: haledavid1@msn.com
Pragmatic CSO review on Slashdot
Nothing like getting a little present on a summer Monday. I wanted to point out that a review of the Pragmatic CSO was posted today on Slashdot. You can check it out:
http://slashdot.org/article.pl?sid=08/07/28/1330215
Overall, Ben Rothke provided a balanced and positive review of the book, which really hits on the key points I try to highlight not only in the process, but also in my weekly newsletters and podcasts.
Pragmatic CSO Podcast now on iTunes
Now you can take the P-CSO on your iPod with you. This is great news, so now I can haunt you in your car, on an airplane, or even when you are running. Although since all of the podcasts are 6-7 minutes, it wouldn't be much of a run I guess.
To get the podcast, click this link and then it should direct you to iTunes to subscribe to the podcast. Screenshot of what you should see is below.
5 for 2009
January 5, 2009 - Volume 4, #2
Good Morning:
The holidays are over. Though as I was driving around my neighborhood, it seems not everyone has a new calendar. Some folks still have their decorations up, which is pretty annoying. Though I'm sure those wreaths will be pulled down and the lights dismantled over the next week - or else the neighborhood decoration police start squealing a bit.

More importantly, this week is about setting the tone for the rest of the year. My kids need to go through a serious detox. We've been a bit lax about sleep patterns over the holiday break, but that's got to end. When I poke my head into the oldest's room tomorrow AM at 6:30, it'll be a real shock to her, and probably to me as well. Maybe getting her a Space Invaders alarm clock will help. Probably not.

If you can't get your priorities in focus and make some progress on that list this week, then it's probably not going to get a lot better throughout the rest of the year.

I'm not going to belabor the points I made on Friday about commitment to change. Whatever you want to do this year, it needs to start today. Before you know it, the ball will drop on 2009 and another year will be in the books.
So stop reading my drivel and get to work. Have a great day.
Photo: "Space Invaders Alarm Clock" uploaded by _ES
Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
5 for 2009
Before I jump back into my cycle of news commentary, I thought it made sense (on the first real work day of 2009) to give a little perspective on what I expect to happen this year. A lot of folks have made predictions (though seemingly not as many as in previous years) and I want to be clear, I am not in the prognostication business anymore - so these are just a few things to think about as we head into 2009.
- Budget tightening - Unfortunately, I was right in my macro-economic projections from last year. I figured Q3 would be bad and Q4 horrible. The security business seems relatively insulated, but I don't expect that to continue through 2009. The reality is budgets will be tightened throughout the year as the depth of the malaise sets in. So it's wise to take an approach like MCW, which is to figure out what you can do with NO new funding or resources.
- Product line extensions - Given the need to do more with less, it's going to be hard to get new vendors into the mix. But you will see a lot of existing vendors start to wrap more and more functionality into their existing "suite," which then allows customers to bring in new capabilities into a maintenance renewal. Of course, we've seen big security vendors adding more capabilities to their offerings for years. The difference we'll see this year is the vendors bundling in more value-add to maintain renewal dollars - as opposed to seeing those go away. The best example of this will be full disk encryption, which will emerge as a feature of the endpoint suite.
- Fire sales - Given the difficulty of placing new products in customers in 2009, and the focus of Big Security to add value to their existing offerings - there will be a lot of carnage in security start-up land. VC funding will be scarce and cash flow will be challenging for these small vendors. So you'll see a lot of asset sales and companies going away. Customers need to be very focused on this both for new purchases (which will be minimal) and even renewals. It's reasonable to check a vendor's balance sheet and make sure they've got a decent plan to exit 2009 in one piece.
- Services are everywhere - In this kind of environment, customers are increasingly looking at service offerings to allow them to reduce capital expenditures and address the skills gap (since it'll be very hard to add headcount). The biggest issue is going to be a lot of shysters offering services they can't deliver on. Smaller MSSPs may not have the infrastructure and processes to support the 24/7 types of oversight that security requires. So it's reasonable to really dig into any of these providers and make sure they can answer the right questions.
- Hype deflation - Pssssst. That's the sound of the air coming out of the virtualization security balloon. Not that virtualization won't continue happening. Of course it will. But in the absence of any verifiable attack on a virtualized stack, there won't be much to talk about. That won't stop Hoff (and others) from trying, though. There is a chance that the PCI council will make a strategic mandate on virtualization, which could blow up the balloon. But I think they are much more likely to make a nebulous statement and decide to do nothing. Also expect new categories like network-based entitlement management to struggle, since there isn't really a compelling need for these boxes.
Thus I expect 2009 to be The Year of Surviving. That's right. I don't think there will be an overall theme this year besides trying to make it through each day, week and month. Over the past few years there have been a lot of new technology categories that emerged - many of which are important to the overall theme of information protection. These new offerings, like web application firewalls and database security gateways, have been clicking along and growing - but not exploding. I don't expect any security market to really break out this year.
I think if we look back at 2009 and got some stuff done while keeping our heads attached to our bodies - it'll be a good year.
Special Incite: 2008 Incite Report Card
January 2, 2009 - Volume 4, #1
Good Morning:
Happy frackin' New Year. That's right. After being largely invisible in December, I'm going to try to be better about consistently posting the Incite a few times per week and some other random thoughts as they appear in my pea brain.

You see, I've come to realize that I can't get everything done. I've been weighed down for the past month with guilt that I would spend a few hours doing my "personal" stuff when I had so much to do for my day job. What I've discovered is that regardless of whether I work 10 or 18 hours a day - there is always more to do.

So screw it. I'm going to write my newsletter because I've missed doing it. The Boss reminded me of a few good ones that I wrote over the year (she doesn't exactly read them the day they are written) and I realized how much logging my daily rantings has become part of what I like to do.

So I'm going to keep doing it. And with that, take a look back at 2008 and see what you did right and wrong. What are you going to change? How are you going to change it? Are you sure? I've got no patience for the "resolutions" that everyone makes when the ball drops in NYC.

You either change or you don't. I mean MASSIVE CHANGE. Some folks look to make incremental changes. In my experience (especially with personal development), it doesn't work. It's too easy to backslide into the old, bad habits. I do that all the time.

Don't fool yourself thinking that 2009 will be different unless you are going to be doing something different, actively and consistently. I've heard the definition of someone insane is one who expects a different outcome from the same activity. I believe that.

So here's to you making the changes you need to make in 2009, and to having a great year!
Photo: "massive change" uploaded by 416style
2008 Incite Report Card
We could sit and agonize about how crappy 2008 was. But actually it was a pretty decent year for me. I'm very fortunate and I know it. But as Anton points out, there is no way I was going to miss getting back to my Incites for 2008 and seeing how I fared. Of course, my time schedule doesn't allow me to do such detailed analysis of each Incite, but I'll provide a sentence or two on each one - just to keep myself honest.
As I look at the Incites, I only have one comment. Pretty crappy... But like everyone else, I didn't foresee the depth of the economic malaise and that had a direct impact on a lot of these projections. At least, that's how I rationalize my continued inability to project much of anything.
Incite #1: Express Your Inner Bean Counter
Grade: D+
This one didn't exactly go as planned. OK, it really should be an F. There was no consensus and there doesn't seem to be any consensus on the horizon. It's too bad because it's something that is sorely needed by the industry. But we are (justifiably) more worried about keeping the lights on and fighting to keep our already limited resources and funding. Though metrics will help in the long term, we don't have the luxury of thinking long term right now.
Incite #2: It’s time for an audit revolution
Grade: B
Whenever you see any of the surveys heading into 2009, compliance is still a critical issue and one that "will not" be deferred, regardless of the economic situation. I'm not quite sure I believe that, but I do think that compliance continues to be a major corporate imperative. Even in a global recession, the auditors still show up and we'll probably still treat them like crap. Which is another story for another day.
Incite #3: Best of Breed DOA
Grade: B+
Can you even get a stand-alone firewall anymore? I guess if you consider Palo Alto's box a "firewall," then maybe - but that's about it. This has happened and no one even talks about it anymore, and with Check Point's acquisition of Nokia's appliance business - it'll accelerate. Consolidation will continue in 2009, valuations will come down (reflecting the lack of options for most small security companies). I'm also right on target with the consolidation of security management offerings. At least I've made a huge career bet on it, so I'm not just blowing smoke on this one.
Incite #4: Weaving security into the network fabric
Grade: B-
Network security is largely just "accepted." Everyone has some equipment to protect their perimeter. The rush to bake security into the fabric will take longer than anticipated, mostly due to the fact that with the economic carnage - there are no real catalysts to invest in the infrastructure right now. We saw a few NAC vendors go out and some trying to keep their heads above water. But this is a market for the big boys and the sooner any independents find a partner, the better it will be for them (and their investors).
Incite #5: Night of the Internet Dead
Grade: A
There was seemingly no stopping the zombie machine as it continued to proliferate around the world. We did see an ISP of ill repute get thrown off the island (when other ISPs stopped peering with them), but an amazing thing happened. Attacks continued, machines kept getting compromised, and with the exception of a week's respite, the head grew back. In 2009, trying to stop all of these attacks is a bit too much to ask. So focus on making sure you contain damage and (right) REACT FASTER.
Incite #6: Laptop encryption hits the big leagues
Grade: B+
Are there any stand-alone laptop encryption things left? I know, I know - a few - but not many. All of the big AV vendors have their own solution and in 2009, we'll likely see the bundling happen in earnest. Why wouldn't McAfee, Sophos and Symantec (once they buy GuardianEdge) just give it away? In this kind of environment, these guys will be pushing for renewals, and adding a lot of sweetener to get it to happen. What has lagged are the management tools from the O/S vendors (MSFT and Apple) to really make this happen as part of the operating system. The fact that no one is deploying Vista doesn't help either.
Incite #7: The SDLC is your friend
Grade: C
Another casualty of the economic downturn will be strategic things like the SDLC. Which is too bad, since it's critical that we address the root cause of these application attacks. Web application firewalls did find their sea legs, and they can send the check to "PCI Security Standards Council." When the PCI folks made the firewall a must-have, they carried the entire business with it. That will likely lead to Imperva and Breach getting a long look from the network security vendors in 2009. And the SDLC work that really needs to happen gets pushed back to 2010/11, best case.
Incite #8: Protect the Vault (that’s where the money is)
Grade: B
Database security limped along in 2008, as big companies started dipping their toes into the water. But this wasn't a very exciting business in 2008, and it's hard to see what's going to make it exciting in 2009. And every year this space doesn't break out is another year the big DB folks get closer to doing it themselves - or acquiring technology at fire sale prices. And when was the last time you heard anything about encryption infrastructure? I suspect a bunch of the small vendors hanging on in that space will go away in 2009, and the rest will be subsumed - because there just isn't a market for it.
Incite #9: Get the jumper cables for DLP
Grade: B+
The fact is that DLP is a small market, and will remain that way. I've heard (anecdotally) that Symantec's group (the former Vontu) is doing well, but that's about it. The standalone vendors are struggling, and the big vendors are trying to figure out what to do with it. Licensing the engine to Microsoft seemed to be RSA's answer. I still hold to the reality that large enterprises can look at a stand-alone solution because their liability is a lot greater - everyone else should be playing around with their mail and web gateways and tuning those regular expressions. Yes, it's a lame answer - but can you go spend 6 figures on a DLP thing now? Right.
Incite #10: Hack thyself
Grade: C
Driven perhaps by the loud mouths that continue to talk down pen testing, this was still an uphill battle for those enlightened security professionals that actually wanted to see what was really at risk. I'll admit to being a little early on this one, but over the next 2 years it will play out. Why? Because most of the new attacks target applications and a lot of the application scanners actually have exploit-like code built in. So application testers (right, Q/A folks) will become "pen testers" as we expand the definition of pen testing. The economic environment has probably put the kibosh on any kind of formal "security assurance" group for the time being - but that is another one I believe will play out, though it may be part of the audit team over time.
The Daily Incite - 12/9/08 - Veggie Thanksgiving
December 9, 2008 - Volume 3, #93
Good Morning:
It's funny, in that I made a very major life change back in May and I haven't really talked about it. And I pretty much talk about everything here at the Incite. I maybe have alluded to it, I think. But then again maybe not. And given that I can't even remember what I had for breakfast this morning, the odds that I can remember what I wrote since May are nil.

So it's time to come clean. Back in May I ate the last piece of meat I'll have for the foreseeable future. That's right, I'm now a vegetarian. I've been evolving in this direction for the past year and pulled the trigger rather spontaneously in Seattle on a long weekend with the Boss.

After eating a fine piece of meat in a fancy restaurant, I turned to her and said, "I'm done." And that was that. The date was May 3, and I haven't looked back. Sometimes I miss chicken wings, but not really.

I'm doing this for health reasons, since I'm no tree hugger. There is a lot of bad stuff in my genetic tree and I plan to harass and annoy my wife and kids for another 50 years or so. I've done some analysis and figured one of the better ways to do that is to stop eating meat. So that's what I'm doing.

I have to say that everyone I deal with has been very supportive. Our friends and family have been overly accommodating and have no issue (nor do they take offense) when I bring my supply of trusty Boca burgers or hijack their wok to do a quick stir fry. But it did create an interesting Thanksgiving.

I didn't want to do one of those veggie turkeys, since something about that seemed weird to me. So I made a vegetarian baked ziti and we stocked up on things like corn souffle and tons of vegetables, stuffing and mashed potatoes. It was a bit of carb overload, but amazingly enough it worked out fine.

And there is no meat in pumpkin pie or Cool Whip. At least some Thanksgiving traditions can stay traditions. Now the next challenge will be my annual Super Bowl party. What am I going to do if I'm not knocking down 40-50 wings? Guess I'll cross that bridge when I get to it...
Have a great day.
Photo: "vegetarian Thanksgiving" uploaded by hlkljgk
Incite 4U
Wow, it's been a while. Holidays will do that. So I'm not going to cover either the useless (like the Apple AV tussle) or the uninteresting (pretty much everything else). I guess with the downturn, there just isn't that much news. But don't get lulled into a sense of false security. The bad guys are out there and they are waiting to pounce. Now is the time to make sure you know what's going on, before you don't.
- Barney deal or something more significant? Microsoft gets their DLP on by partnering with EMC/RSA. This is an interesting deal, but only because it foretells the end of stand-alone DLP. Yes, it's a feature (I've been saying that for a long time), but more importantly it's all about the data (I know, duh!). Integrating the recognition engine into the data stores and applications is ultimately what has to happen. It'll take a while, but this isn't the last deal of this type that we'll see. How long before the other big tech players either partner with or buy one of the last remaining vendors? And everyone else falls into that category as well. Rich covers the deal in much greater depth than a hack like me can.
- Cybersecurity on par with jihad and weapons of mass destruction? Really? That's what the Commission on Cyber-Security thinks since they are telling the incoming administration they need to pay attention. They do, but as we learned with the recent attacks in Mumbai, the war in Georgia (the former Russian territory) and how we do war nowadays, cyber-activities are usually the flanker of the attackers. It's not the main attack, but it can certainly magnify the impact of a traditional attack. Yes, they need to pay attention, but I figure the guys with automatic weapons should take precedence.
- What's next, banning cell phones? Based on a recent compromise, the Pentagon has banned thumb drives. What about iPhones? Or any other devices that can take an SD card. Maybe next they'll decide to glue all the USB ports on all the laptops in use in any military application around the world? Maybe it's time to buy stock in Elmer's. Or at a minimum, the device software that can control what a USB port does or doesn't do. But if these vendors want to get $30/seat, it's not going to happen. Price it to move and it will because controlling the endpoint is a legitimate need.
- On Ryan Naraine's vacation, the folks at Zero Day asked a number of contributors to write some controversial and/or compelling stuff to get the discussion going. My attempt is poking some fun at the set of folks that would rather chase the latest exploit than do the blocking and tackling that security is all about. Where better to make fun of zero days than on the Zero Day blog?
- I've spoken pretty extensively about cost containment of late and the Tao Master illuminates the issues further in this post. In a downturn, smart companies not only invest in the things they need to do, they also take the opportunity to streamline processes and evaluate staff to make sure the right folks are doing the right stuff. When things get better (and they always do), these companies are well positioned because they've eliminated the fat and made sure the process works for everyone. Richard talks about 7 things you can do, but I particularly like the ideas around centralization, standardization and cutting through bureaucracy.
- Is virtualization cool with PCI or not? Well they better figure it out, and do it soon. As covered on SearchSecurity, the cat is pretty much out of the bag. Ultimately it's not about if, it's about how to support virtualization safely - given the need for segmentation of credit card data from everything else and all the other goodness in the 12 requirements. I just hope the PCI standards folks don't over regulate virtualization until it becomes less interesting to think about doing.
- The good news is that CSOs are no longer alone in being thrown out of the car at a high rate of speed. As Stiennon points out, there are a number of instances of late where the CIO and even higher are being taken out to the woodshed over a data breach. This is good news, since it's hard to get activity out of the executives unless they think they'll be popped as well. But the news isn't all good because guess who usually paves the trail and softens the blow and gets most of the road rash? Right, it's still the CSO. And to be clear, the CIO is still going to blame you when they are interviewing for their next job. Things change, but not that much.
- Holy smokes, Certicom is still around? Evidently, and worth at least a little something to RIMM, who offered $53MM in an unsolicited deal. Why wouldn't Certicom jump at anything, especially a 76% premium? They are going to look for another suitor to pay more. Good luck with that. I guess they are still drinking the Elliptic Curve Kool-Aid. Here is a newsflash. No one cares about encryption and certainly not an under-utilized algorithm that has to be running up against the end of its patent life cycle. Just goes to show that there is a partner for everyone.
- The good news about opinions is that everyone has at least one. Jack Daniel rants a bit here about the fallacy of pen testing. Looks like he's been studying at the temple of Ranum of late. Listen, he makes a number of good points, but really misses the truly big one. Pen tests are not about giving clue to security folks, it's about making the case for change within the organization. OK, there are some security folks that learn things from pen tests. But most need some ammo to go into the executive suite and make the case for why investment or process changes are needed. No one listens to the internal security hack. Everyone listens to the pen tester, with the fancy business card and the stories of compromising cool environments.
- Farnum discusses FUD (fear, uncertainty and doubt) a bit in this post and he makes a bunch of good points on his ComputerWorld blog. In effect, this is good advice for all of the practitioners out here that end up sitting across the table from guys like me every day. To be clear, I'm trying to sell you something - just like everyone else. Sometimes I tell stories, sometimes I refer to statistics, but those are transparent devices to get at the heart of the problem. How to make you better at your job. If any sales person can't do that, then you are wasting time meeting with them.
- Shocker alert, the folks in the boardroom don't care about security. I know, hard to believe. It's not like they are dealing with things like liquidity crunches, a failing economy and an uncertain future. But the point is the same, CISOs are not doing a good enough job to make the case for why security is important. It gets back to the Reasons to Secure and having a program that allows you to make the right case to the right people. No it's not easy, but things aren't going to improve until the right folks start getting the message. Yet, also deal with the reality that most of that message will be lost until it's clear the company will be able to keep the lights on through the downturn.
Pragmatic CSO Newsletter #69 - Management Training
December 8, 2008 - Management Training - #69
"It would be better if you begin to teach others only after you yourself have learned something."
-- Albert Einstein
I am a fortunate guy. The journey I'm on continues to amaze and astound me. I viewed The Pragmatic CSO as my opportunity to give a little back based on all of the great people that have taught me the ropes through the years. Though I don't have as much time to devote to P-CSO pursuits as I'd like, which is clearly evidenced by the lack of newsletters and podcasts of late, it's time to revisit the content and give folks that haven't been exposed to it another chance to get Pragmatic.
I've partnered with the folks at the Business of Security site to run a series of webcasts and virtual peer group sessions to run folks through the boot camp I put together a year ago. In this kind of economic environment, it's all the more critical that every security professional be focused on adding value and selling the benefits of security. Being Pragmatic is certainly a time-proven method to doing that.

The first session doesn't cost anything and will be held this Thursday via webcast. I'll run through the current state of security, and go into depth on the first section of the P-CSO - "Plan to be Pragmatic."
Even better, through the generosity of the Business of Security folks (and my employer, eIQ) I'm able to offer attendees to the session a 50% discount on the book and/or PDF. But to get the discount, you need to attend the session.
SO, if you've been waiting for the price of the P-CSO to come down - this is your chance.
There will also be a special discount for folks that want to participate in the peer group sessions. More details will be available during the session.
Here is the link to the registration page. I hope to see you on Thursday.
Photo credit: Army.mil
My eBay account got compromised
Yes, it can happen to you. It happened to me over the weekend. I got a bit suspicious as I was taking my family back to the airport and some strange emails started showing up in my inbox. Questions from some folks in Hong Kong about shipping an “unlocked” iPhone to Russia. Huh?
So my Spidey sense was tingling by the time I got to the house and I received maybe 3 or 4 of these strange messages. I headed right to Incite Central to log into my eBay account and see what the hell was going on.
Ruh oh. It was already locked. That’s when I got a message from the fine folks at eBay saying my account had been compromised as someone was using it to send bad emails to other eBay members. They also mentioned that the account was not used to list or bid on other items, just the email issue. There were instructions on how to “reclaim” my account.
I went through the process, which was through an online chat. The folks verified my identity (and the address I had on file was at least 10 years out of date, uh!) and reset my password. Then I had to change my account information, but the account was still locked. So I went through the process again, and after another identity verification, I was able to update my information.
Then my personal containment plan went into effect. I promptly changed the passwords to any account listed in eBay. It turned out to only be one email account, but I changed a bunch of other accounts – just in case. I figured better that than having a full on breach.
What happened to start this mess? A weak password. Pure and simple. I had set up my eBay account before I got strong password religion (and 1Password to manage them).
This was a low cost reminder for me of the importance of constant vigilance. I hadn't updated my eBay info in 10 years and I used a terribly weak password. I got lucky. It could have been much worse.
Hats off to the eBay folks, who figured things out even before I did (and it didn't take me long). Their system was proactive and straightforward to reclaim my identity. Any online provider can and should learn from this.
But the final lesson is yours. Check your stuff. Stay alert and use strong passwords. Remember it can happen to anyone. Even you.
Photo: "eBay Live 2005" originally uploaded by Jochen Siegle/TechShowNetwork
Special Incite: Security and the Roller Coaster
I love roller coasters. The butterflies as you climb the first incline. The exhilaration as you release and hurtle downward at high rates of speed. The G forces and then it's over. I'm not a 10 times a day coaster rider. My kids are still too small to come along, so thankfully the Boss lets me go off for an hour and ride the beasts.
When you are on a coaster, you know it's going to end. Most likely in less than 2 minutes, so you can keep everything in context. Realize that it's very unlikely you'll get hurt, so you just try to hold on and enjoy the ride.
Today's financial markets are like a roller coaster. The volatility is unprecedented and you can get whiplash trying to follow the twists and turns of the market. And it's going to get worse before it gets better - that much is clear.
The main difference is that we don't know exactly when it's going to end. We don't know if it's the proverbial two minutes, or two hours. Imagine being on a roller coaster for two hours. That would be agonizing. Right, now you get it.
As security professionals, we face a multiplying risk to our organizations. Unfortunately many will lose their jobs. Pay raises and bonuses are pretty much out the window. Far too many will be struggling, and when folks are struggling - they'll do anything to survive.
Including stealing from you (and your organization).
Now is the time to increase vigilance. Clearly we aren't going to get a lot of new investment for new projects, but we have to pay attention. We have to be aware of the insider threat and we have to put fail-safes in place to make sure any attacks are contained.
Yes, this is the same stuff I've been preaching for years. But now it's even more critical to figure out how you can REACT FASTER to what is going on in your organization. In times of turmoil, people do strange things. And those strange things usually cost you money.
So as much as we'd like to close our eyes, raise our hands, and enjoy the ride, we can't. There will be time to do that later. Now we need to keep our eyes open and look for signs of foul play.
The next few quarters will not be fun. But what we do is critical. So open your eyes, feel the wind rush through your hair, and make sure you still have your wallet when you exit the ride.
Photo: "Coney Island Cyclone Roller Coaster" originally uploaded by bobjagendorf