The Daily Incite - January 2, 2008
January 02, 2008 - Volume 3, #1
Good Morning:
It's 2008 and I think a guy like me needs a theme song. I'm doing a lot
of public speaking now, and it would be great to have all sorts of
pyrotechnics and a thumping theme song when I enter the room to do my
thing. Kind of like when folks like the Undertaker enter the arena
during a WWE extravaganza. If any of you've seen my panel moderating
style - that is probably a good analogy, no? So what theme song should
I pick?
Well, it needs to be angry,
since most of the folks I speak to are security professionals, and they
are a pretty grumpy bunch. It needs to be aggressive and in your face
because that's my "persona." It needs to be hard rocking. No one is
going to get excited to a speaker walking into the room to the
Carpenters or Air Supply. And finally, it needs to bring you back to
happier days. Even though the song is angry and in your face, it needs
to remind you of simpler times, happy times. When you could be angry
because it was fun and different, not because you had to.
I pick "Welcome to the Jungle" from Guns N' Roses. Yes, I'm sure that was very predictable. You know me too well. There were a number of other songs I considered, like AC/DC's Big Gun and Van Halen's Hot for Teacher, but I thought Guns' anthem was most reflective of the challenges that we security folks deal with every day.
So all of you conference organizers down there, check with the venues to make sure some fireworks in the conference facilities won't violate fire codes and make sure you have a couple of kickin' amps to get the crowd feeling good when I go on stage.
But there is a deeper thought at work than stroking my oversized ego by defining a theme song. It's about themes. I saw this post on Andy Wibbel's blog and I think it's a great thing to think about.
What is your "theme" for 2008? Losing 25 pounds and not being such a prick all the time are good resolutions (yes they are on my list too), but that doesn't really give me an idea about how I should be weighing all of the personal and business decisions I face. What is my rallying cry for the year, my mantra?
It's actually pretty easy. In my old age, I'm getting kind of Zen. I'm
trying to eat more naturally and I'm trying to enjoy the ride, as
opposed to always being focused on what's next. For all I know, this is
next.
I'm starting volume 3 of the Daily Incite today and who knows, I'll blink my eyes and we could be on volume 10. So I may as well enjoy it, as opposed to always feeling bad about all the other stuff I "should" be doing.
I've always been in a rush. Since as long as I can remember. Even though I wasn't quite sure where I was going, I wanted to get there at a high rate of speed. At this point, things are moving fast enough. My kids are growing, my hair is gray, and my folks are now grand-folks. If anything, each new year is passing faster than the last.
So I'm going to make a concerted effort in 2008 to "BE SLOW." No, that doesn't mean I'm going to be inching along the highway at 40 mph. But I'm going to enjoy the ride, I'm going to be thankful, I'm going to let things happen - as opposed to being too preoccupied with making them happen.
I'm very lucky that I have the ability to slow down. It doesn't mean I'll be working less, but I'll be working on the stuff I want to do. That means I'll inevitably need to fire some clients and turn down some gigs that I probably would have done in 2006. If it's not fun, I'm not interested. If it's not going to engage my brain, make a difference, and if I won't feel good about doing the work - then I won't. I'm going to try some new stuff, but I'm going to focus on making all the stuff I already do more successful - as slowly as a guy like me can go.
I wish you all a slow 2008 and that you take some time to
enjoy the ride.
Entrance - The Undertaker image originally uploaded by Jesus V
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com
Top Security News
The two most dangerous words: "I wish"
So what? -
Of course, you want to send your best wishes for a happy and healthy New Year to all your friends and colleagues. But beyond that, the idea of wishes has no place in your daily operations. Sure, I can be all Zen and let things fall where they may - but you probably can't. Not yet anyway. So when I see Larry Dignan's "wishes" for 2008, I think they are all good and well (like having real penalties for data breaches and moving away from the O/S monoculture) - but they don't have a snowball's chance in hell of actually happening. Like Apple is really going to take QuickTime security seriously. There will be lots of lip flapping, but those changes in big companies are like brain transplants. I'll get back to my ongoing evangelizing of the REACT FASTER doctrine. It would be great if even one on Larry's list actually happened, but that's not likely. So I focus my efforts on making sure I can recover from the next set of attacks targeting my devices, my people and my data. I guess I wish that REACT FASTER won't be every 2nd and 3rd word out of my mouth in 2008.
Link to this
Security dominates the IT agenda? - HOGWASH
So what? -
I will acknowledge that a lot of people pay lip service to security.
They need to, there are regulators to appease and customers to pacify.
But the reality is, if security is dominating the IT agenda in 2008
as NetworkWorld covers, then we are screwed. Figuring out how to make
more money or spend less money should be dominating the IT agenda EVERY
YEAR. Yes, you want to do it securely. Of course, you want to protect
your data. But ultimately when the job of the CIO is to protect data
and not to add value to the business, then you may as well collapse the
tents and buy a Subway franchise. Security needs to be built-in and
transparent. Security really "arrives" when we stop talking about it.
When it's just part of the fabric, when we actually do a threat model
BEFORE we start building an application, when we stop focusing on
stopping every new attack and start focusing on making sure we can
withstand whatever attacks are coming down the pike. Yes, we are a long way off from that day, but since we are wishing for stuff, can't a guy wish himself out of a job?
Link to this
PCI is dominating the agenda
So what? -
Are you ready for PCI Year 2? It's not going away, sports fans. And Visa has to overcome the black eye they got by giving TJX a 2-year compliance exception when 100 million of their credit card numbers were being pilfered. I think 2008 will bring some goodness to the PCI world. Users are starting to understand that PCI is just representative of the decent security practices they should have been doing all along. But that doesn't mean that we won't see every vendor and their brother trying to "capitalize" by using the PCI bogeyman. For example, Qualys is now pushing their PCI scanning service pretty hard. OK, what does this solve, like 1 or 2 of the PCI requirements? Listen, I'll be the first to say that scanning (and more importantly, pen testing) is critical to being secure. But does that mean you are compliant? I hope not, but in these days of cutting every corner, I'm sure a lot of organizations will just default to a scan and self-questionnaire and a good amount of prayer that today is not their day. I also thought this new offering from NSS Labs was kind of silly. They are going to "certify" network equipment as meeting the PCI standards? What the hell does that mean? Everyone knows a firewall configured correctly meets a number of the requirements. But a firewall configured incorrectly? Right, not so much. But if a vendor has $45K sitting around, I'm sure I could help them spend it.
Link to this
The Laundry List
- What's in security's Crystal Ball for mid-market CIOs in 2008? Check out my last column for SearchSecurity's SMB site to find out. - Rothman SearchCIO-midmarket column
- Talk about weak differentiation, Fidelis figures that supporting IPv6 is the key to DLP. Maybe I'm minimizing the impact of IPv6, but outside the US Feds I haven't heard one end user say it's important. - eWeek coverage
- 32% of SMBs suffering security breaches? Hmmm. Like they actually know what a security breach is... - Dark Reading coverage
- Yes, there will be more identity theft in 2008. Yes, it creates a market for these kinds of services, but it's like insurance - no one buys ID Theft services happily. - Tim Wilson's Dark Reading blog
Top Blog Postings
Big is the new small - Year 3
I introduced the concept of "Big is the new small" back in February of 2006. It was my first big research position and it was right. Can't you let a brother gloat for a minute? As we continue to see lots of consolidation and M&A in our little industry, there will always be the push and pull of innovation versus size and stability. Shimel rants a bit about the fact that there is a need for innovation and there will always be a need for innovation. He's right, but with caveats. The lifeblood of the security business is really the deep VC pockets that funded crappy ideas for way too long. It's gotten a LOT harder to get security companies funded nowadays and that will have an adverse effect on the number of start-ups and inevitably on the innovation that eventually gets subsumed into the bigger aggregators. For every big Vontu-like exit, you are going to see 10-20 deals in the $35-70 million range and a bunch more that just go away for piece parts (like Caymas and NeoScale). Everyone on the vendor side needs to calibrate their models and expectations for that reality. The investors certainly are, so that means Security 2.0 or 3.0 or whatever is going to look a lot more like Web 2.0 - small, rapid iterations, open source and meant to be flipped quickly. Dennis Fisher also comments a bit about consolidation and its ultimate impact on the security market and he's right. We do have to see how all this stuff shakes out, but to think it'll be same old, same old means you aren't paying attention.
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/12/is-security-the.html
Link to this
The Mogull doesn't predict
At least Rich didn't use the "probabilities" of his old shop when doing his non-predictions for his Dark Reading column. He makes a bunch of good points here, but I think misses the point of security market evolution. Of course, we should be focusing on anti-exploitation technologies - but the reality is there is a very structured way that security people get comfortable with new attack vectors and then take action to fix them. First they need to scan. Why? Because they aren't convinced there is really a problem until someone can run a test against their stuff and show them DEFINITIVELY that there is a problem. Then you have to deal with how urgent a problem it is. Can they buy a widget to solve the problem or does it take a process or structural change? Web application attacks will come of age in 2008 and that means that it'll be easier to convince customers that they have a problem, but it's not clear how to actually fix the problem. So we are in the first few innings of what is likely an extra-inning game against web application attacks. And no matter how hard we try, I don't think we can make the process play out any faster. Although pushing on a string is a lot of fun.
http://www.darkreading.com/document.asp?doc_id=141258
Link to this
Recently on the Security Incite's Blogs
Find out what Security Mike is talking about
http://sm-blog.securitymike.com
Check out the latest on the Security Incite blog
http://blog.securityincite.com/
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite
Mike, I couldn't agree with you more on the first part. 2008 definitely needs to bring some more attention to PCI as a whole. More and more organizations are realizing that PCI DSS is a great set of prescriptive guidance that they can use to support their overall security strategy. However, I believe the credit card industry as a whole has to step it up and make the audits, the deadlines and penalties count for something... not just roll over and give exceptions and small fines to Level 1 & 2 merchants.
On the 2nd part regarding vendors hyping products, I have to differ a bit. Time and time again, I hear from merchants that while the prescriptive nature of PCI DSS is welcome guidance, they are still confused and uneducated on which products meet which specific requirements. The PCI DSS lists 200+ line items of technology that must be implemented but it gives no recommendations or even a 'short list' on where to start. Relying on the recommendation of the QSA is a gray area at best, considering many QSAs are also resellers for numerous solutions. Vendors are certainly on the PCI bandwagon, just as IT organizations are also on the bandwagon and are more than willing to use the PCI bogeyman to help drive their budgets. Unfortunately, there are a lot of dishonest companies promising quick PCI compliance with a purchase and desperate merchants frequently don't have the time or expertise to call their bluff.
There is a need out there to separate real, proven solutions from snake oil. At RSA 2007, the PCI Security Vendor Alliance was launched with that goal in mind by educating merchants and validating effective PCI solutions. Today, over 35 vendors are working together and with the PCI Security Standards Council to make this happen. While I question the $45k pricing that NSS Labs is mentioning, I don't believe the validation of product solutions is necessarily a bad thing, if it cuts through some marketing fog and gives some good intelligence to the merchant community.