The Daily Incite - April 24, 2008

Submitted by Mike Rothman on Thu, 2008-04-24 09:53.
Today's Daily Incite

April 24, 2008 - Volume 3, #40

Good Morning:
If I had a couple of bucks for every CTO who has tried to school me in marketing, I wouldn't have to be peddling Pragmatic CSO books at every opportunity. If I had one for every CEO who thought they could do the job better than me, I'd be spending a lot more time at the beach. But such is the frustration of marketing. Everyone thinks they can do it, until they have to, and then they realize stress-testing athletic cups is a more rewarding position.

Sour Grapes

At least Misha of AlertLogic was funny in his attempt to tell me why I was wrong to call out his company for their blatantly misleading "PCI is easy" marketing campaign. He figures there are some days I fill your inbox with baloney. I love baloney. Actually, I like salami better, but I don't eat meat much anymore, so maybe sending around some baloney is my way of making peace with the meat gods, whom I now shun.

His tactics are pretty predictable: make light of your critic and try to undermine their credibility. Compare the work to some well-known gossip rags. Right out of the Campaign '08 playbook. Maybe Misha fancies himself a role in the political arena after he's done with this nasty security work.

If you read the comments on Misha's post, he's got it right about me and my ability to take a counter-punch. I'm a big boy, and I don't share a controversial opinion without expecting some return fire. That's all good. In fact, I know quite a bit about their offering, exactly how it can help with compliance and how it can't. This isn't about their service. It's about their marketing. It's when you read the other comments (especially the one from my friend Farnum) that you see Misha has missed the point entirely.

It's not just a webcast title. Or an email marketing subject line. It's a philosophy.

Most folks think that if no one outright complains about something, it's OK. They forget that most folks vote with the delete button. The vendor just loses attention and awareness, and ultimately that hurts the company's credibility. Farnum is exactly right: that kind of sensationalist marketing is abrasive and annoying to folks who are in the trenches trying to do the right thing every day. Most technical folks don't understand how marketing shapes the perception of their organization. They think it's about the product (or service). They don't get that until you do marketing right, you don't even get a chance to show your product.

No CSO is going to take the time to send any offender (and of course, there are more folks guilty of "easy compliance" than AL) a note telling them they have stepped over the line. They just shop somewhere else. I guarantee AlertLogic loses every deal they never see.

And that's the point. A long-term sustainable business is based on building credibility with buyers and then meeting their expectations every day. You can target the mid-market with National Enquirer-esque headlines and that will work for a while. But if you can't deliver, then Mr. Market will catch on. He always does. You can run, but you can't hide. Unless they figure out a way to sell out to some big dumb security company and get out of Dodge before Mr. Market figures it out.

To be clear, I'm saying that AlertLogic cannot make PCI compliance easy, simple or affordable. No vendor can, because security is neither easy, simple nor affordable. It has nothing to do with their service. It has to do with how hard it is to protect information. If Misha had a way to make security easy, I guarantee his company would own the security business, and unfortunately (at this point in time anyway) they don't.

Security marketers have a choice. They can try to focus on customer problems or they can go with sensationalist headlines. I've done both through my career. I've found that taking the "easy" route is always harder. Always.

Have a great weekend. And buy my book (I thought I'd just throw some more baloney in there for good measure).

Photo: "Spotted at Berkeley Bowl: I didn't know that you can buy sour grapes" originally uploaded by Raymond Yee


Top Security News

ITIL ya to pay attention
So what? - Don't we have to get somewhere before we start worrying about process improvement? I'm fascinated by the worldwide infatuation with ITIL. I know a lot of big companies basically print out the frameworks and figure they've been entrusted with the holy tablets from Mt. Sinai. They haven't. I understand it's convenient to have someone else do the thinking about a big "framework" that tells you all the things you need to do. And for mature operational functions (think network and mainframe), I think the idea of a nicely cogent framework makes a lot of sense. This NetworkWorld networking newsletter has some stats to back up the adoption rate of these frameworks. But for security? I guess it's the same issue I have with 27001/2 and COBIT. If folks think this is a silver bullet that's going to give them a cookbook on how to do their job, then they are on some kind of funky peyote. But if they understand the framework is a starting point to figure out where they need to focus and to break the project up into digestible chunks, then I'm OK with it. I just fear we have a lot more of the former than the latter.

Digging deeper into Hannaford
So what? - Never one to let the lying dogs lie, Brian Krebs digs a bit deeper into the Hannaford Bros. breach. Evidently they were PCI compliant and had some sophisticated defenses in place. Unfortunately they weren't the right ones. So now these folks will spend millions more to close probably every possible hole. Oh yeah, that's not possible. So they'll close a lot of holes, they'll spend a lot of money and they'll probably be OK. Note I said probably, because they can't get to everything. Krebs focuses a lot on attacks against data in transit, and that is clearly a new and exploitable attack vector. So the arms race goes on. The early adopters will start making some investments to more effectively segment the networks where payment data resides (to protect it from insiders or compromised inside devices). The standards folks will work that into PCI 3.0, and most of the world will get there in 5-7 years - maybe. And between now and then there will be a lot more Hannafords.

My network security box is killer
So what? - I think McAfee's new branding (along the lines of "killer security" and "McAfee hacks hackers") doesn't really get across what they do, but then I don't really understand the whole describe-your-business-in-a-sentence approach. Anyhoo, the Little Red is getting back into the network security business with a new blade server platform. They say it's the fastest thing since sliced bread. Whatever. It'll run their IPS (now called just the Network Security Platform, since IPS is all you need - don't you know?) and their content security blades, both as separate boxes and, it seems, as a suite. Yes, sports fans, it's 75% of a UTM solution running on a blade server. Maybe those Crossbeam folks were onto something. But MFE doesn't have a firewall or a VPN or authentication to put on the blades. They do have a checkbook, though, so this is a problem that can be solved with money.

The Laundry List

  1. Hershey + Rack = Passwords. Like you are surprised? Yes, we still have a lot of security awareness training to do. - WSJ coverage
  2. News Flash: We have an email security problem. Yes, it's April 2008, not 2005. Someone should tell the author of this piece he's about 3 years late. - eWeek article
  3. Laptop theft preventable? Sure, just weld the device to your CEO's hands. - SearchCIO-midmarket tip
  4. McNulty out at Secure Computing without a reason, besides maybe the blown Q1. Ryan is interim, and a CEO search is beginning. - Secure Computing release

Top Blog Postings

CISOs aspire to be CIO? Really?
This post over on bloginfosec.com by Frank Cassano is pretty interesting. He wonders whether security officers should be in line to ascend to the CIO position at some point. Clearly (as Frank contends) many are overlooked, but are they qualified? A small percentage (dare I say the Pragmatic ones) probably would make good CIOs. They understand the business, have good relationships with the business leaders, and are skilled in persuasion amongst their peers. All good qualities for a CIO. But are they the political animals that many CIOs have to become? I'm not so sure. Frank believes a key skill for the new CIO is the ability to manage risk. Isn't that everyone's job? I guess it depends on how you define risk. Personally, I think the CIO should come from the business most of the time. The CIO job is focused not just on the systems that run the business, but also on how to get things done in an organization. Getting someone from the outside can be dangerous, unless they are a superstar and come with so much credibility that no one gets in their way.
http://www.bloginfosec.com/2008/04/11/cio-the-next-career-step-after-being-the-ciso-why-not/

Bejtlich's Ten
The Zen master has been hitting the road, doing the conference circuit a bit, and has drawn some conclusions about the themes of these shows. A few are about grokking the reality that we are hosed. That's right, compromises happen and almost everyone is being targeted, especially the low-hanging fruit. I know it's hard to believe, but most of these themes fit very nicely into the network security monitoring religion Richard has been preaching for years. The awful truth is that we are hosed, and as theme #2 states: "We can not stop intruders, only raise their costs." I know that's an uplifting message for today, but it's the cold hard truth. So why bother? Because raising their costs is one of the best defenses. Many of these folks go after the easy targets. If you aren't easy, then you probably aren't worth the effort.
http://taosecurity.blogspot.com/2008/03/ten-themes-from-recent-conferences.html
