Pragmatic CSO Weekly #3
January 19, 2007 - #3
Mike's Pep Talk:
"The point is, ladies and gentlemen, that greed, for lack of a better word, is good. Greed is right, greed works. Greed clarifies, cuts through, and captures the essence of the evolutionary spirit. Greed, in all of its forms; greed for life, for money, for love, knowledge has marked the upward surge of mankind."
- Gordon Gekko in Wall Street

Greed is good. One of the classic lines in any movie, ever. Yes, Wall Street is another one of my favorites, and though the movie was really an indictment of the craziness of the 1980's in the stock market, the concepts are still very relevant today.
Yes, relevant even to security folks. Why? Because the bad guys are greedy. Greed isn't good, it isn't bad. It just is and there isn't anything we can do to change it.
That's why security hasn't gotten better. That's why spam is still sent with reckless abandon. It's because there remains an economic incentive to do so. As long as phishing works to compromise private information, and spam works to pump stock and sell trinkets, and millions of machines remain zombies ready to launch attacks on the whims of unseen bot masters - it will be more of the same.
You see, lots of folks need angst in their life. They need to rail against something and point out the injustices that they are suffering. No, things aren't fair. No, the bad guys aren't going away. But Pragmatic CSOs don't think about this stuff. As I mentioned last week, P-CSOs focus on what's in their control. We get things done. We don't cry about inequity.
At the end of the day, the bad guys will be bad because there is money in it. So we need to continue to fight the good fight and make sure we are not an easy target for them.
Thanks again to the many of you who have bought the book so far. Initial feedback has been very positive, and with the addition of a hard copy book to the P-CSO family, you can get Pragmatic in the form factor you prefer. If you haven't already, head on over to The Pragmatic CSO website and pull the trigger. If you don't plan to, let me know why. You know where to find me.
In this week's issue:
- This week's P-CSO Tip: Understanding the role of VARs
- Pragmatic CSO: The Community (Coming Soon)
- See the P-CSO: RSA P2P Session
- P-CSO FAQ: Where's my damn poster?
- P-CSO in the blogosphere: What they are saying!
This week's P-CSO Tip
Understanding the role of VARs
I send a message to everyone who buys the book asking for feedback. And I really want it, good, bad and indifferent. I got a note this week from one of my VAR friends, and he wasn't exactly thrilled with how P-CSOs are taught to play one VAR against another to get the best price.
It got me thinking about what the role of VARs is and how it's changing. The fact is, Pragmatic CSOs need to be fully accountable and responsible for the security of their organizations. They can't hand that off to anyone, not even a VAR. That being said, VARs can act as a trusted advisor to help P-CSOs make better decisions - there is nothing wrong with that.
Where I have the problem is in paying the VAR for that via an inflated price on a security product. Feels to me like Wall Street "soft dollars" before the bubble burst. The Wall Street analysts would do good research and the investors would trade stocks through their firm. Or not. There was no way to really know. It was dirty then, and it feels dirty now. If you are my advisor, then charge me an advisory fee - don't hide it in extra margin on a product sale.
Products are products are products and unless you are buying them from Apple, the channel does not have to adhere to pricing standards. You want to get the best price, so if you are buying through a VAR - beat them down. But if they are advising you, set up some type of retainer or services agreement to make sure the VAR is compensated for the value they provide.
Pragmatic CSO: The Community (Coming Soon)
One of the things I refer to in the P-CSO book is the web community. The plan is to launch the community in February, with templates and other content to kick start your Pragmatic CSO process. There will also be forums to discuss each step and share experiences and best practices with your fellow P-CSOs.
But that's not it. There will be a lot of value-added content within the community. It's not just for Pragmatic CSOs, but for pretty much everyone who is involved in the security business. I'm in the process of working on a pretty cool idea to get some other industry experts to participate in the community, so stay tuned for more news on that.
There will also be a Security Incite (my other job) research section in the community. I'll be publishing between 8 and 10 "Deep Incites," which go into detail on how to solve some of the biggest problems facing CSOs today. Problems like the insider threat, PCI compliance, leak prevention, mutual authentication, visitor access, etc.
A Deep Incite goes into a deep discussion of the problem and some architectural constructs on how to solve it. What's novel about that? Pretty much all research to date has focused on analyzing arbitrary technology categories. I think that's bass-ackwards. So you can get an analysis of the "NAC" market. But that doesn't help you unless you already know what the problem is and you've come to the conclusion that NAC is the answer. My approach looks at the problem and then the potential solutions. Not the other way around.
Each month, I'll also be doing a few quick interviews with some industry heavyweights to get their perspective on what's going on. Both CSOs and other folks will be represented, and don't expect your run-of-the-mill boring podcast interviews. Expect 10 minutes or so of hard-hitting, no-holds-barred perspective.
Once again, I'm swimming upstream in the face of traditional research. It's going to be cool. I'll provide further information closer to launch.
See the P-CSO: RSA P2P Session
RSA is coming up fast. The annual security shindig is in San Francisco, Feb 5-10. I'm doing three separate sessions there. I'm moderating a panel on the state of spyware (here) and another panel called "UTM Smackdown" (here), where I'll have people with opposing views on how UTM plays out waxing poetic and defending their positions.
But the session that is going to be most interesting to P-CSOs is a Peer-2-Peer session that I'll be facilitating called "Successfully Selling Security Strategy." (details here) Aside from my cute alliteration, this is going to be a great discussion.
Why? Because these sessions are designed to be a DISCUSSION, not a presentation. I want to get a number of folks talking about how they sell their security plans to the senior executives. What works, and what doesn't? How can folks do this better? The session is on Wednesday afternoon at 2:45 PM.
Hope to see you there.
P-CSO FAQ: Where's my damn poster?
As I've said numerous times, I'm learning new stuff every day. Like how to ship things out, including inventory, packaging, postage, international customs forms, and the like. Since I am also the shipping department, I'm figuring all of this out.
The good news is that I've finally nailed down my process. The first batch of posters went out yesterday, and more will go out today. If you've ordered the book within the past 4 days, you'll get both the book and poster by Wednesday of next week. You all should have your personalized PDFs as well, since I've also nailed down that process.
If you haven't gotten your stuff, please let me know. I've got tracking numbers for almost everything and we'll be able to find it.
P-CSO in the blogosphere
This week, Martin McKeay is still working through the manuscript and had this to say:
"I'm still reading my beta copy of PCSO. I've identified many of the things I've done wrong over the past year and how I can better approach senior management in the future. I have this funny feeling that Mike's book is going to be one of those manuals I print out every so often just to have available to me. Each time I wear out the previous incarnation, that is."
Link here.
Keep the comments coming. Both good and bad.