The Daily Incite - 10/23/08 - Ops as a career

Submitted by Mike Rothman on Thu, 2008-10-23 06:31.
::
Today's Daily Incite

October 23, 2008 - Volume 3, #85

Good Morning:
One of the most important skills for anyone is the ability to adapt. Basically you have to understand what is happening around you, figure out the trends and position yourselves for success. The days of loyalty to one company and having the "company" manage your career are over. I get a lot of questions from folks (especially young folks) about what they should focus on. As with everything else, I have some opinions on where they should specialize in order to position for a great career. That's a cool lookin' data center

For the past 18 months I've been pretty consistent in telling folks to learn as much about applications as they can. We are undergoing a huge shift in how applications are built (with SOA-based modular apps) and the ability to protect those apps is an absolutely critical skill. And there is a real gap between the number of folks that know how to do app security and the demand.

I still think app security is a huge growth market over the next 5-7 years and we certainly can't plan for anything past that kind of time horizon. But I'm adding another discipline to my standard response, and that is OPERATIONS. That's right, the data center is becoming much more important in this age of *aaS (everything as a service) and companies both big and small are going to need experts to both build, manage, maintain and protect their data centers. 

As most of the first few waves of the Internet build-out were focused on racking and stacking servers, there wasn't a lot of opportunity to specialize. But now that Google has shown that managing huge data farms with proprietary technical goodies can provide competitive advantage, a lot of other companies will be looking to innovate in not just what they offer, but also how they offer it.

So take that for what it's worth, a longer term trend idea. Part of what I like to do is read between the lines and figure out the longer term impact on what we do and how we do it. It seems to me that most companies will be offering something to their customers as a technology enabled service and that means good operations people and folks that understand how to protect information in this kind of distributed computing-based world will be in high demand.

Have a great day. 

Photo: "Data Center" originally uploaded by Stan
Technorati: , , ,

The Pragmatic CSO

 The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com

Incite 4U

 

  1. According to the Big G (that's Gartner for those of you not familiar with my lingo), there is little change in the top 10 "strategic technologies" for the next year. This is more of an analysis of the most common buzzwords over the next year and as Bill Gates said many years ago, that we overestimate the ability to change [buzzwords] over the short term, but underestimate the [buzzwords] change over the long term. And this just proves it.
  2. Can DLP work? That's the question that Patrick Foley asks on his BlogInfoSec blog and it's a legitimate one. I think it depends on your definition of success. I know of plenty of companies that do some level of egress filtering of content to REDUCE leaks. I think totally preventing leaks (and managing expectations that is what you can do) is not reasonable. But reducing the low hanging fruit like obvious stuff (SS#, account numbers, etc.) is possible. Patrick also makes the point that it may not require a 6 or 7 figure investment either, but there are some simple blocking and tackling things that can be done to address the issue.
  3. In the better late than never camp, Aladdin uses it's second wish on launching a new research team and website to better track "eCrime," whatever that means. Vendors that are in the content business need to have a research team because the types of attacks are very dynamic and without having a dedicated set of folks that are looking at what's going on, it's hard to stay even close to the rate of innovation from the bad guys. So if you're vendors for email or web content security don't have a research team, they aren't going to be able to get it done.
  4. Those pesky internal Government auditors run the risk of tax audits for the next 100 years by pointing out that the IRS launched a bunch of new applications that weren't exactly secure. Or even close to being secure. Security folks know they have sufficient pull in the organization if they can stop deployment of an application because of undue risks. Clearly the IRS security team has some work to do in that respect.
  5. Metasploit swings the pendulum back towards openness with its new licensing approach. First it was open, then it was less open, now it is more open - as they adopt the 3 clause BSD license. I understand the initial reasons for tightening the licensing of the 3.0 version, but can really respect that fact that HD and team now think the project is strong enough to withstand a truly open model. And since testing is one of my critical keys to success for any security team, having a more open platform to use is a good thing.
  6. Gunnar once again beats the drum for integrating security into applications and other processes and he's exactly right. We do spend a lot of time playing defense, but must start devoting some serious cycles to "offense" or really evangelizing the need to consider security as a key part of any initiative. There really shouldn't be a "security" team, per se in the long run - but that kind of evolution will take many years. So in the meantime all we can do is continue to beat the drum for everyone to stay focused on thinking about data protection as early in any project as possible.
  7. Secure Computing figures they have another lucky seven to roll after getting the McAfee deal. There new roll is "seven technologies for advanced mail protection" or STAMP. That's pretty catchy marketing, no? Though then the discussion descends into "next-generation" mail security something or other. Customers don't really care how you do it, but they want to bad mail to stop showing up. If a STAMP works, great.
  8. McAfee is once again on the reinvention trail or at least trying to position their me-too NAC announcement as something that is novel. The idea of integrating an endpoint agent and a network device is not novel. Pretty much every other NAC vendor has done this (as Alan so kindly points out). Evidently the technology is the remains of Lockdown. Good luck with that. Little Red needs to go into the penalty box for offensive marketing. Basically they figure if they say reinvent enough times, maybe you'll even believe they are innovative.

Post new comment

The content of this field is kept private and will not be shown publicly.

More information about formatting options