The Daily Incite - 11/30/09 - Giving Thanks
November 30, 2009 - Volume 4, #34
Good Morning:
Oh yeah. I'm back and it feels great. Just getting done with the long holiday weekend here in the States got me thinking about how thankful I am. So I'm going to go through the list in an "Inciteful" way. Then it's back to some pithy and totally subjective opinion of some recent security stuff. IN MY VOICE. The past 15 months I've had to speak (again) in someone else's voice and well... that ain't me. So it's nice to exercise the sonorous baritone a bit and though I'm no Barry White, the voice is definitely mine.
First and foremost, I'm thankful for The Boss. Yes, she is still my boss and no one provides more support for what I do than my wife. She was the first one to suggest that I really needed to get back to Incite and that it's the thing that makes me happiest. She's ridden shotgun through the highs and lows and back again. And hardly puked on my shoes through the
Next up are my kids and family. The kids provide a ton of entertainment on a daily basis. When I'm not gnashing my teeth that is. But I need to continue working on my patience and there is no better way to do that than to have 3 kids running around. My family is well...my family. Yes, I love them. Yes, at times they make me crazy. And yes, I need to accept them and their idiosyncrasies. Just as they accept me and my nuttiness.
I'm thankful for all of the friends I've made in the industry. Many of which wrote to tell me how sorry they were I got laid off. It's great to have so many folks that "have my back," and are supportive of what I do. Of course, I'm not sorry about the way things worked out and I couldn't be more excited to be blazing my own trail again. But for every one of you that Tweeted or emailed or called, thank you. Really really thank you.
I'm thankful for the folks that have better things to do than secure their stuff. For one, a small percentage of them will be statistics which allow the vendors to keep spewing FUD at an unbelievable pace. That FUD keeps guys like me busy. I'm also thankful that these folks need a much more Pragmatic way to think about securing their stuff. They don't care about being "secure," they want to make the auditor go away and they don't want to get pwned. Of course, we all know those objectives are at odds with each other, but that evangelization process is what I love, so I don't want to change a thing.
I'm thankful for Big Research. They continue to well be Big, and that means pretty much lumbering around in their fat, dumb and lazy way. Using the same presentations year in and year out, and being a great backwards looking indicator. There are some great analysts in Big Research land, and I'm happy to call many of them my friends. There are also a whole lot of not so great analysts, and that creates opportunity for guys like me. But ultimately these are the folks that invented the IT research industry and I continue to ride their coat tails on a daily basis.
I'm thankful for every single one of you that clicks on an email or opens up their RSS reader or even visits my web site to read what I write. Like everyone who gets a second (or third or fourth) chance, you appreciate it much more after it's been taken for a while.
Have a great day.
Incite 4 U
As you can imagine, quite a bunch of stuff has accumulated since the summer. So I'll pick some timely topics to cover, as well as some important stuff from my archives. The plan is to publish on Monday, Wednesday and Friday for a while and get back to a consistent drumbeat of Incite to make you laugh, cry, maybe learn something, but most importantly long for the days when I wasn't writing so frequently.
- IBM (maybe) takes out Guardium - We all knew it was just a matter of time before someone acquired the bigger Database Activity Monitoring start-ups. Looks like Guardium is the first to take the money and run. And with a reported $225 million of IBM's cash, they can run for a while. Clearly protecting the database is a key part of any security program and the DAM folks have shown it can be done at enterprise scale. IBM likely paid a very healthy multiple (probably in the 7-8x bookings range) because Guardium was the first to cleanly support DAM for databases on the big iron. That is something IBM had to control. Adrian from Securosis provides his take on the deal as well.
- Security success? Remember the Credibility Bank - I wrote the Pragmatic CSO in the latter part of 2006. It's hard to believe it's been 3 years, but I have to say the message continues to resonate and appear in places that I never expected. Not directly, but from a philosophy standpoint. Take this article in SC Mag about Seizing Management Power. You don't really "seize" power, rather you earn it. It's really about the need for security folks to talk business and persuade their peers that protecting information is good for their business. It all gets back to credibility. If you don't have it, you can't execute on any kind of security program. Pure and simple.
- Maybe the CIO is your friend, but not mine... - Following up on the previous snippet about talking the language of business is a post from Mortman on the Securosis blog about the reality that most CIO level folks don't have a clue about how to be relevant to the business. The reality is, YOU as the security professional cannot be hindered by that. If your CIO gets it, all the better. If not, you still have to build relationships with the business folks and still position security as good for the business. Mort's ideas on having someone to work with on messaging and making sure your stuff is professionally done are absolutely critical to building the credibility you know you need.
- Valuing Assets, using Lindstrom's Razor - For a guy who shaves once a week, whether I need to or not, the idea of a Razor being wielded by Grumpy Pete is outright terrifying. Kind of like a slasher movie set in a data center. I can just see Pete hacking away at Jaquith's stilts (oh, I think those are his legs) or Hoff's halo (he is the almighty, isn't he?). But seriously, Andy does pose an interesting thought experiment based on Grumpy Pete's ideas on valuing assets using a floor value based on the amount of money you are willing to pay to secure them. Hmmm. Gunnar expands on this a bit as well. The reality is most folks have NO IDEA what they are paying to secure much of anything. They have a security rock and they hit pretty much anything they can with it. Very few organizations actually decide on an asset (or even a business system) basis what they are willing to spend to protect it. They should, but they don't. But it's a good thought experiment anyway.
- Profiling application traffic on a blade - Amazingly enough, the news that Check Point acquired FaceTime's application database didn't make the 11 o'clock news. They probably paid FaceTime in Starbucks cards. But the concept is interesting: being able to deploy application profiling on a software blade on the gateway opens up a number of cool policies you can deploy, especially relative to egress filtering. This was clearly a cheaper way to get better application visibility than buying Palo Alto (which they should do anyway). Yes, the perimeter gateway is getting smarter. No, the "secure network fabric" is nowhere close. And the reality is the action is what's happening inside the protocols, and we security folks need to get a lot smarter on application attacks - stat!
- Security "scorecards" - love and mostly hate - I've had a love/hate relationship with the concept of metrics for a long time. On one hand (love), I realize the importance of measurement and counting and all that other good stuff that creates pie charts for the CFO. But my pragmatic gene kicks in (hate) and I realize the effort required to really quantify the impact of security doesn't leave a lot of time or resources to actually secure much. I look at a post like Russell's diatribe on building an InfoSec Risk Scorecard with a sort of numb bemusement. The post is great and the tips are right on. But it's just hard for me to see most security folks going through the effort. One of the tips really hits home: "If your bosses really need a good InfoSec Risk Scorecard, then they should be prepared to pay for it." Therein lies the rub: most bosses don't care about a security scorecard (they just want to be secure) and they are certainly not going to pay a lot for it. Thus, the ongoing futility of security metrics.
- Tao votes for Leadership - It's funny, but the political hype machine is already talking about the mid-term elections happening next November. Solving the "cyber-security" problem continues to be a hot topic in the Fed space. Lots of folks think more efficient buying is an answer, or throwing a few more products at the problem. Richard is clearly voting here for leadership, not any of these other shiny objects (many espoused by the self-proclaimed cyber-war research czar Stiennon). And he's exactly right. We have to get sick of losing and then we'll devote the resources necessary to win. As an aside, is anyone else starting to puke every time they see the term "cyber-X"? I know the Feds are spending money on security products, but a horrifying number of vendors are repositioning their stuff to address the "cyber" issue, and in reality it's just another marketing shiny object and too many dim-wits can't tell the ruse for what it is.
- Writing the LRD - This isn't really security-oriented, but I wanted to point to a great post on the Pragmatic Marketing site about writing a "life requirements document." Some of you call them goals, others a set of guiding principles, but all the same: you can't be good at your job or particularly happy unless you've given some thought to what makes you happy and what you like to do. Too many of us just meander through our lives getting through each day and looking forward to watching a football game, drinking a brew with buddies, or playing catch with the kids. That is an awful lot of time spent waiting for something else. So read the post and give the approach some thought. Personally, I set goals, but an LRD structure may work for some of you.