The Daily Incite - 12/11/09 - Starbucks Seat Lottery
December 11, 2009 - Volume 4, #38
Good Morning:
Nowadays I face very tough decisions on a daily basis. You know, when should I work out? Do I get the Veggie Patty at Subway or is it the one day a week I indulge with a burrito? Should I shave? You know I shave once a week, whether I need to or not. These are serious, tough decisions. And I'm the kind of guy that can face these decisions.
But no decision is more important than where I work in the afternoon. You see, being a work at home vagabond, I need to get out of the house. Every day. Personal hygiene is an issue to begin with, so without the excuse that I have to primp up to get my Venti Pike - it wouldn't be pretty.
So around my house I have the choice of maybe 4-6 different coffee shops. To minimize my impact on the environment, I try to select a shop in proximity to my lunch spot. I'm thinking of buying some carbon offsets to make up for those indecisive days when I drive the extra 10 minutes to a different coffee shop.
I also go to different coffee shops in no set pattern. I wouldn't want the folks tailing me to be able to profile my habits. You know, when the assassins come, I want to make it at least challenging to find me.
Yet lately I've been choosing wrong. I liken the coffee shop decision to playing the lottery. It's the Starbucks seating lottery. If you don't get a good seat, you may as well just write off the entire day. Have you ever tried writing snark from one of those cushy purple chairs? This ain't Passover folks, I can't be inciteful when I'm reclining. I need to be focused. I need to have a hard wooden chair.
Yesterday I got to my selected shop and there were no seats. Crap. It was like 40 degrees outside, so it's not like I could sit on the patio and pound away at my trusty MBP and snark. The nerve of these folks. First of all, don't they know it's my friggin' office. I pay rent. At the rate of about $2.25 per day. Of course it's a good deal, and some folks pay more rent than me (they splurge on the $4.50 pumpkin latte), but all the same, these folks have to go.
So what to do? I guess I could ask someone if I could share the table, but man that's weird. I saw some guy do that a few weeks ago. He just plops down and then starts some inane conversation about what he does, and where he lives and all sorts of other things. Surprisingly enough, the kind woman who let this interloper sit down actually engaged him in conversation. I guess maybe that is what humans do. I wouldn't know much about that.
So basically I did what most other vagabonds do. I went to the struggling cafe down the street, and hoped they hadn't gone out of business already.
Incite 4 U
- Data is cool, analysis is better - The folks at Verizon Business released their DBIR supplemental report this week and it's got some good stuff in there. Read. It. Now. I like the report because it's not just a listing of data designed to generate PR clips. Most of the data out there is used to ensure that lazy tech writers always have something they can crank out on deadline. Survey this, survey that. 85% of hackers take cream in their coffee. 42% use a pwned netbook in a crowded coffee shop to social engineer 17% of the grandmothers in a local old age community. You know, data. But what the VZ guys do with the data is very cool. Mort highlights a few things, but I think we are getting to the point where this data is not only statistically reliable, but it's also representative of the broader market. And that means we are pretty much screwed, but at least we can quantify the screw.
- Redefining security success - Bejtlich does an interesting thought experiment in his "Let a Hundred Flowers Blossom" post. Basically, the idea is to stop worrying about controls and start focusing on outcomes. Meaning, an organization can do as much or as little security as they want, as long as it takes longer than X for an attack team to successfully penetrate the defenses, it's all good. It's an interesting idea, but is counter to the childish way we do security today. Basically it's like nursery school. You get a checklist and you do the checklist. No one cares about success or even outcomes, as long as the checklist is filled out. This will create issues of documenting compliance, but from a philosophy standpoint I think this could work in a company. But probably not for every company.
- Budget time, yay! - It's that time of year, budget time. This is when we all fight for our share of a declining pie and then grumble about what an ass the CFO is and how does he/she expect us to be able to do anything with that amount of money. And then you get calls from analysts that want to know how big your budget is. And we get surveys that say 70% of companies will boost tech spending and security is a priority. Maybe it's 1 or 2 on the wish lists of people buying things. But to be clear, no one has any idea how budgets will shake out. You see, there is a pot of money and through 2010 that pot may be smaller or it may get bigger. It may be used for Project A or maybe be reallocated to Project B. The folks that answer these surveys have no idea. Overall it feels like things are getting a bit better, but who knows. I'm still saving for a rainy day because there is a good likelihood it'll keep raining in 2010.
- Actually buying something with that budget - Pretty entertaining post on Cassandra Security about the real process of buying and selling security stuff. Part of this is the black magic that you never learn until you work for a vendor. Things like the unnatural acts to get a deal closed in a quarter (as opposed to when the customer needs to buy). But also from the customer's perspective, how to play the game, not only to squeeze the vendor, but to make sure the deal gets done. There are checklists for sales folks and also for the end users. As Brian says, a lot of this is common sense, but we all know that common sense is in short supply.
- Are there any security "software" companies left? - Yes, that title was a bit of a red herring, but it underscores the realization that customers tend to be right, and the vendors need to adapt to meet the needs of the customer. So the idea of a pure-play security software company probably doesn't make a lot of sense moving forward. Maybe not today, but by 2011 I'd say any security company of size will have to have a hybrid model. Where their software is PACKAGED as something a customer can implement, can run in someone's data center or probably can run in a private or public cloud. If you look at a company like Fortify, they are moving in this direction by rolling their own services capability, but also by partnering with a services shop like White Hat to fill the gaps. Of course, the underlying life blood of any of these companies is still software, but it won't necessarily be sold as software.
- Microsoft, the silent but deadly security competitor - Given I talked about plungers last time, I had to throw some flatulence references into today's piece. But that's the thing about Microsoft. They don't really talk too much about their security products, since most of the PR effort is spent spinning the issues around Patch Tuesday and their SDL efforts. But to be clear, Microsoft keeps clicking along, targeting their markets and rolling products. Like their recent announcements of enhanced security gateway functionality. Sure looks like a UTM type thing to me, which is perfect for their sweet spot in the mid-market. And they also acquired Sentillion, which does IAM and single sign-on for healthcare companies. So although most of the big security companies don't say Microsoft is a competitor, it's always dangerous to disregard them.
- The Happiness Genie - Very interesting thought experiment from Scott Adams on the Dilbert blog. Man, it must be a good gig to write comics because he seems to have plenty of time to think of weird scenarios and post them to his blog. The general idea is whether you would be happier if a happiness genie gave you $10 million, but a lot of folks you know would get $20 million. Or if you get (only) $5 million, but no one else gets anything. Hmmm. I'd like to think $10 big is enough for me, even if my friends get double that. But if I'm being honest, who knows? And that's really the key, be honest. The answer is OK, even if you are a greedy bastard that would be happier keeping their friends in a life of squalor.