The Daily Incite - 1/20/09 - Fight for Your Right

Submitted by Mike Rothman on Mon, 2009-01-19 19:45.
Today's Daily Incite

January 20, 2009 - Volume 4, #7

Good Morning:
Today is a historic day. Period. In the US, we will inaugurate a new President - who will face a series of crises not seen for 50 years. The new President seems like the right guy at this point in time, but it's not clear Hercules or even Zeus could get us out of this mess.

But given that yesterday was the MLK holiday and today is the inauguration, I wanted to comment a bit on fighting for what is right. You see, it's easy to turn a blind eye to the injustices of the world. Just go along on your merry way, without a care about the many folks doing the wrong thing.

Whether it's folks putting one over on the system by stealing money or taking advantage of the defenseless, there are lots of folks that are pretty much despicable. But there are a number of folks that don't accept the status quo and they do what is right.

Even when it's dangerous and hard.

Like the folks that spearheaded the civil rights movement, which we celebrated yesterday and will celebrate again during the inauguration. Or the folks that fought against Nazi oppression by protecting families marked for death because of what they believed. Or the folks in South Africa that rose up against Apartheid. There are tons of examples, and let's celebrate those folks as well.

Unfortunately as we continue on through history, there will be no lack of folks that do the wrong thing. So those of us that fancy ourselves to be good people will have plenty of opportunities to try to make it right. It seems human nature is like that.

Have a great day.


Photo: "You gotta fight for your right to be arty" originally uploaded by marcusjb


Incite 4 U

It's brutal out there. I keep hearing day after day about other people I know that have been laid off, many by technology firms. It seems the "in" thing to do was to lay off 10-15% of staff during the holiday period. Talk about a Grinch. But the reality is that we are going to see a lot more of that, since I don't think we've scratched the surface on the slowdown that is coming. I hope I'm wrong and I also hope that my many friends looking for new gigs have a quick search. But in case I'm not, make sure you are clear about your value proposition to your organization and that you are thinking about Plan B. Hopefully you won't need to use it.

  1. Is "Security First" a generic term? - Probably, so I guess I wouldn't have been able to copyright it. Though it is good to see a number of folks like Martin using the Security First concept to illuminate one of the most important concepts we all face. Compliance is how we get things funded, but security is how we do our jobs. If you aren't clear on that, then there is a Breach blog post with your name on it. Anton has been ranting about the dangers of compliance first for a while, and he's exactly right.
  2. They are all talking, but I don't think many are listening - The folks in the software security business are great folks. I know most of them and they are passionate evangelists that spend much of their time urging developers to do the right thing. They've used logic, fear, guilt, and lots of other tactics to get the message across. Jack Danahy of Ounce makes many of these arguments in his See No Evil byline in NetworkWorld (which must be pretty desperate for page views to give a vendor this much real estate). Jack makes a great case, but unfortunately the folks that need to listen are not, and these are the same folks that fought the standardization of things like seat belts. They represent the status quo and until there is OVERWHELMING evidence of the true costs of not dealing with the issue, I'm afraid that they won't. Which is bad for everyone.
  3. The anal probe won't hurt a bit - Shrdlu rants a lot about a post regarding how to interview "geeks" and I'm totally in agreement. Hiring is tough, and making a bad hire costs your organization a LOT of time and money. That means any hiring process is going to be invasive, intrusive and likely uncomfortable for the candidate. Those of us doing the hiring are looking for the good, the bad and the ugly, and sometimes that means we need to ask questions that may not make sense to the "geek." That's fine; if and when the geek gets into management and has to be accountable for what their group produces, they'll understand. I'm pretty fortunate in that I usually know most of the folks that would be working directly with me, or know other folks very well that can vouch for them. But I still ask a lot of questions, and I don't feel bad about that.
  4. Big Yellow R&D yields... - Not a lot. When was the last time you thought of Symantec as innovative? Right, it's been a while. The market leader typically has a disincentive to be innovative because it risks upsetting the apple cart being pulled by their cash cow. Can I mix a few more bad cliches in there? Jon Oltsik makes the case that Symantec is now investing in R&D. I hope he's right, because sooner or later the cash cow gets slaughtered, and if there aren't a number of calves running around, you become Novell. It would be interesting to do an analysis of SYMC's revenue streams and see how much of their net new revenue each year comes from in-house development vs. acquired technology. I honestly don't know the answer, and maybe it's just a marketing problem. But when I think innovation, it tends not to have a yellow tint.
  5. I'm still a sucker for cool hardware - I don't know what it is, but there is still something to flashing lights and lots of throughput. Maybe I appreciate the challenge of hardware engineering. Maybe I yearn for the days when our biggest decisions were Cisco or Wellfleet. Nowadays for most companies it's about which model of Cisco gear to use, and when you see how David Newman put the new ASR 1000 through its paces, you see this ain't your Daddy's router. It pushes 20Gbps through the box while doing QoS, security and a bunch of other stuff. Obviously targeted at large enterprises and small service providers, this isn't a box for everyone. But when you think of the sheer horsepower required to actually do security within the network fabric, it's clear we'll need these kinds of boxes. Especially as Moore's Law continues to take hold and drive costs inevitably down.
  6. Maturity and hammers - I've used the saying, "when all you have is a hammer, everything looks like a nail." Alex's idea that maturity is based on the ability to measure (from this early December post) is true, but only if you are focused on quantifying risk. There are a lot of different ways to qualify security maturity, especially program maturity, and not all of them involve measurement. A mature security program has as much to do with perception as it does with metrics. In my opinion anyway. I believe that some programs that are weak on metrics (how many do we know that have strong metrics?) can still be mature in perception, where the CISO is respected and part of the discussion. That only happens with maturity. Though Alex may disagree, mostly based on what he does for a living, I'd still argue that metrics are only one piece of security maturity.

OK, another day another plane. I'll be posting from the road on Thursday and maybe will even have something else to say tomorrow. You never know.