The Daily Incite - June 20, 2007

Submitted by Mike Rothman on Wed, 2007-06-20 08:09.

June 20, 2007 - Volume 2, #96

Good Morning:
Continuing on my entrepreneurial ranting this week, let's talk about failure. You can't even think about starting something new (and it doesn't have to be a company, it could be a project, or a new way of thinking) without understanding that it may not work. I love failure and it's not just because I'm good at it. It's part of the process and I've learned a hell of a lot more from what I've screwed up, rather than what I've done right. A lot more.

To be clear, that doesn't mean I like to fail. Or that I don't take failures terribly personally and hard. I do, I am human. But after some contemplation and a few weeks to let the road rash heal, I can start to appreciate the hard lessons that the specific failure has taught me. There is always road rash and there are always lessons to be learned.

And that, my friends, is the key. It's not about the fact that you fail. It's about the fact that you take the time to understand why. That you LEARN from the experience and make sure you don't do it again. A key skill of mine is pattern matching. I can take a number of very disparate data points and see how they fit together to draw a conclusion. I think every analyst that doesn't suck does this, many instinctively. But if I don't take the time to understand and analyze the data points, I will be sure that I don't remember much of anything. And I will screw the same thing up again - guaranteed.

When I ran my marketing teams, the first thing I told them was that I EXPECTED them to fail. To mess things up and to do it with relative frequency. If you aren't messing things up, you aren't pushing out of your comfort zone and you aren't improving. How boring is that?

Let's take an audit for example, since many of you have to go through that rite of passage a few times a year. The audit is never clean. You never have everything done, or what is the value of the auditor? So there are things you are failing at, to use a strict definition of the term. But then you go and figure out what to fix, and the next time you tell a slightly better story. Are you ever done? Of course not, security is not something you finish. But the auditor expects you not to mess the same thing up more than once.

That's all we can hope for. You will fail at something, probably sooner than later. The best case is that you don't make the same mistake twice.

Have a great day.


Top Security News

Deal: HP SPI's application security
So what? - Monkey see. Monkey do. Right on the heels of the IBM/Watchfire deal, HP announces the acquisition of my neighbors in Dunwoody, SPI Dynamics. Congrats to Bryan, Caleb and the team. You can read the neutered release, but it doesn't say anything. Who's doing PR for those folks anyway? Like Watchfire, I think this is a deal that HP had to do, but I do have some concerns for customers. Neither HP (nor IBM for that matter) has a security strategy. In fact, HP says they are going to strengthen security from the desktop to the data center, and then do some press to go out of their way to say they don't want to be a "security vendor." Huh? Did HP forget to take their lithium yesterday? Security needs to be integral to everything that a big tech company like HP does. Seriously - everything. And these organizations are not built to have security within all their disciplines. I think the tools and lab part of SPI will prosper with a lot more resources thrown at them. I think the assessment business will falter. To be clear, I'm all for better security-oriented dev tools. But this opens up a big opportunity for another assessment vendor to fill the gap, and the dwarfs (I don't know if there are seven) are trying to fill the gap already. More on that later.

RIP: Security IPOs
So what? - Folks like Sourcefire, Guidance and Cavium get their deals done and everyone figures the stampede for security companies to go public will start again. Personally I don't think so. I figure there are maybe a handful left to file this year and that's about it. Why? As Priya goes into in this article on TheStreet.com (with some quotes from my favorite analyst), there isn't really anything groundbreaking in security nowadays. We are talking about incremental change, and it's hard to build a fast growth business on incremental change. There are too many folks that can increment with the best of them, and that creates growth uncertainty. We all know that Mr. Market hates uncertainty. And HP, IBM, Cisco and Big Security's money is just as green as anything else. I don't know why a company would want to go public. I've been there. It's a pain in the ass. In the aftermath of the HP/SPI deal, this quote in a Washington Post article pretty much sums it up: "What's becoming evident is that security is less and less a standalone component," said Peter McKay, Watchfire's CEO. "It's becoming a feature of something else."

Change is good. But expensive.
So what? - No, I'm not making another preachy statement about life, even though change is good, albeit expensive. I'm talking about an analysis of the server configuration business that shipped earlier this week in the soon to be gone Network Computing. It's an interesting read for me because it's been a while since I caught up on systems management. I just keep thinking that I've seen this movie before. The fact is there has always been a battle between systems management and security. IT automation companies like Opsware and BladeLogic are inevitably going to clash with security companies like BigFix and ConfigureSoft. But that's not even where it gets complicated. Now with virtualization, the problem is only going to become more acute. How do you patch and securely configure perhaps thousands of Virtual Machines? Carefully. So as I've said before, the pricing models of the systems management folks need to evolve and their deployment model must also evolve. I'm not sure I want an agent running on each VM or do I? Clearly I'm still trying to get my arms around the entirety of the problem.

The Laundry List

  1. Email security gets stale. I keep reading the same release talking about the same stuff from different vendors, but painting it as new. Sorry Tumbleweed, the new MailGate doesn't add anything new. But as they say with reruns, if you haven't seen it before - it's new to you. - Tumbleweed release
  2. Worst use of spam stats ever award goes to Borderware, who say - well I have no idea what they are saying. I think they are trying to poke competitive reputation systems, but who the hell knows? - Borderware release
  3. Does TOPS still bark? McAfee does beta with Total Protection Suite 2.0, allegedly addressing performance. Let me know how that works out. - InfoWorld coverage
  4. I paid for it, I better win. Avinti gets some lab to prove their AV approach is better than the other guys. Have you ever seen one where folks paying for the report didn't come out on top? - Avinti Release

Top Blog Postings

Get me a tissue, we're talking metrics again
Alex Hutton rails a bit about the sad state of metrics in this post. For the most part, I agree with his contentions: what we are counting really has very little bearing on the metrics that help senior management run their business. I've agreed to be Jaquith's fall guy, I mean muse, I mean panelist to kick off the Metricon 2.0 shindig in early August. I'm being positioned as "against" metrics, but nothing could be further from the truth. I'm a business man, so I know that metrics are important. My point is that what we are counting thus far isn't doing the job. I don't have a silver bullet, though I do make some suggestions in the Pragmatic CSO. I've read Andy's book and I was left wanting for an answer. He frames the question well, but doesn't tie it back to the business. Not sure he really could have, because everyone's business is different, and I think that's the complication. There is no standard way to speak the language of business. You need to figure out what is going to resonate with your management team, and the only way to do that is to talk to them. Remember, your desk is a dangerous place to spend your day.
http://riskmanagementinsight.com/riskanalysis/?p=218

Solve the problem first? Or count?
Security Retentive puts its (I'm not going to make any gender specific assumptions anymore) spin on metrics in this post, but the post actually isn't about metrics. It's about mitigating risk. A lot of people do try to figure out what is broken and then fix it. Retentive figures they should harden some stuff (or more generically, put additional controls in place) to eliminate new issues and then go back and fix the older problems. I think this is pretty much one and the same, though I lean towards figuring out what is broken before randomly trying to harden stuff. Why? Because I could spend a lot of time hardening devices that have no bearing on my business, while other open exploits could knock down my most critical business systems. That's why the P-CSO process is architected the way it is. First I need to find out what is most important. Then I need to figure out where my holes are. Then I need to triage the issues with the potential to cause the most damage. According to me anyway.
http://securityretentive.blogspot.com/2007/06/building-effective-metrics.html

Does compliance matter?
That's the question asked in this post. My short answer is yes. And no. Compliance is a funding source, so in that vein, it's critical. The idea of a perp walk is top of mind for many executives (still!) and they will continue to spend money to ensure that doesn't happen. It's money we security folks can make use of. And the accountability that regulations have brought to many security folks means they can't really run anymore. Well, they can run, but the ramifications are pretty severe. But the reality is that compliance itself doesn't make anyone more secure. None of the regulations are written to protect the entirety of an organization. HIPAA and GLBA are worried about their data types. SarbOx is worried about the integrity of financial controls. PCI is worried about credit card info. None of that means cradle to grave security. So my conclusion: compliance is a means to an end. The end is being secure.
http://blogs.csoonline.com/does_compliance_really_matter