The Daily Incite - 2/27/09 - Free Agency

Submitted by Mike Rothman on Fri, 2009-02-27 10:13.
Today's Daily Incite

February 27, 2009 - Volume 4, #20

Good Morning:
Although the NFL season has been over (for all intents and purposes) for a month, I feel more connected to what's going on this year than I have before. Why? NFL blogs. Both ESPN and have some great blogs that keep you connected with everything that is happening. Whether it's the combine or even free agency, football junkies can stay on top of what's going on with an RSS reader and minimal effort.
No, it's really about value...
Ah free agency. That annual time of year when smart money usually stays on the sidelines and stupid money parties like it's 1999. Even this year, when money is tight everywhere (even Commissioner Goodell took a 20% pay cut - down to like $7 million a year, ouch) there will be some high profile signings. And we can look forward to the coming years when there will be those same high profile flame-outs, but they will have a few more Bentleys courtesy of NFL stupid money.

That got me thinking about how to apply a free agent mentality to our industry. The reality is there are folks with a unique skill set or a set of accomplishments that will always be valued. And headhunters are kind of the "agents" of security folks, except they work for the "owners." So basically you need to act as your own agent and find out which of the owners needs to bolster their defensive line.

That's right, even though the economy is crap and most security professionals are keeping their heads down, now is a good time to start networking and seeing what's out there. No, I didn't spike my coffee this morning. I'm serious. Smart companies are always looking to UPGRADE their talent. And since there is a low likelihood that anything is actually open, that also takes the pressure off any meetings you'd have.

So maybe it's time to test the free agent market. Who knows, maybe you'll be the next Albert Haynesworth.  

Have a great weekend.

Photo: "Michelle Yeoh: He was the highest bidder" originally uploaded by chrisjohnbeckett

Incite 4 U

I'm sure you know some folks that never make a mistake. The kinds that no matter what happens, it's someone else's problem. They are perfect and everyone else sucks. Sound familiar? Well it seems that guy is now the PCI Security Standards Council. Their leadership is not willing to accept any responsibility or intimate that their wonderful 12 requirements may, in fact, not be perfect.

Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he's never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach.

I had a rip roaring rant all lined up in my mind and then I saw Rich become totally unglued about it. Rich correctly intimates: "With the volume of breaches we’ve seen, this either means the standard and certification process are fundamentally broken, or companies have had their certifications retroactively revoked for political reasons after the fact." 'nuf said.
  1. It's all about inertia. - So the earnings season for security/network related companies is in full swing. We had strong earnings from McAfee a week ago and now we see SourceFire, Blue Coat and Guidance holding their own. Why are some companies doing well and others (like Trend Micro) not so much? I tend to think there are three factors here. The first is that companies with a large exposure to Federal business are certainly going to do OK, since the Feds continue to spend money on cyber-defense. Second are companies that have huge inertia, meaning large customer bases and big maintenance streams. It's easier to just renew the maintenance on pretty much anything when expenses are being scrutinized, so that's got to be part of it. Finally, a lot of security companies really executed poorly over the past few years, and a few got new management in place that is sucking a bit less. And there you have it.
  2. Data must drive decisions - Security metrics is truly quicksand. We all want it, yet we can't really agree on what needs to be there. I know folks like CIS are driving progress in the area (which is great), but we still have a long way to go. This month's Fortune Cookie from Intel's Matthew Rosenquist resonated with me. "A worthless metric is one which fails to drive decisions, even when the metric result radically changes." That's exactly right. Now the data we need to gather and analyze can be for two audiences: us and them. We need operational data that helps "us" prioritize what needs to be done. We also need higher level, business centric data to substantiate value to "them," you know - the guys writing the checks.
  3. A whole lotta ROSI - It shouldn't be a surprise, but I'm still no fan of trying to paint security within any kind of ROI context. Grumpy Pete and I have had battle royales over this in the past and now Fratto is weighing in. He uses Ed Moyle's thinking about saving money (as providing ROI) through increased efficiency and then brings up a great point. "What is never talked about is where that savings comes from." That's exactly right. And his conclusion is also right: "Efficiency is a side effect, not a goal." I ranted a while back about the challenges of using efficiency to justify expenses now, given that most staffs are already cut to the bone (it was my Selling Fear post). Whether it's fear or value, selling something other than efficiency is probably your best path in these times.
  4. The price tag of PCI - Found a set of interesting numbers (from Gartner I think) on the PCI DSS Compliance blog. Level 1's report spending almost $3 million on PCI. Level 2's spend $1.1 million. Those are big numbers and they are going up, but we don't get a feel for percentages, and that would be most interesting. How much of a company's security budget/spend is being consumed by PCI or any other regulation? I suspect it's a lot, although a lot of the stuff for PCI can be used for security ops and other regulations. The point is to figure out how to get some of these leveraged projects paid for, and it seems PCI is still a good place for that. Even though you know Russo will point the finger at you, at least he's helping you pay for stuff.
  5. Shut up and drive. - One of the tactics that can be particularly useful to folks trying to gain credibility internally is to start up a security steering committee. This gets involvement from all sorts of folks within the organization who can make your life miserable if they aren't on your team. There is a good piece on SearchSecurity about how the University of Washington is using a steering committee to get things done. I'm always looking for good, leveraged ways to get face time and ensure the senior team is on board with the program and the tactics. So this sounds like a great idea to me. I'm kind of pissed I didn't think about it. There is always P-CSO 2.0.