The Daily Incite - November 9, 2007

Submitted by Mike Rothman on Fri, 2007-11-09 12:04.
Today's Daily Incite

November 9, 2007 - Volume 2, #152

Good Morning:
Happy Friday. Yes, it's an uncharacteristic Friday Incite, but perhaps you didn't notice I missed yesterday. After a quick jaunt across the country and back for speaking gigs and meetings, I was a bit run down and felt seasick. But that may have been from watching my portfolio dip over the past few days. Yes, the old US stock market has been a bit tumultuous, as Cisco's 17% top line growth sent the market into a tailspin. Of course, it's not that simple, but Cisco's outlook on tech spending and failure to appropriately manage expectations relative to growth last quarter gave most of big technology a haircut yesterday. Those of you who have ridden Google, VMware and Apple the past few months were feeling some pain.

But not me. Well, not exactly. I actually have no idea what specific stocks I own. I, like millions of others, have outsourced stock picking to mutual funds. And no, that doesn't mean that I let some faceless guy in a suit with a headset on "advise me." I run 4 self-directed portfolios that have consistently beaten the markets for the past 5 years. Not to pat myself on the back (OK, maybe a little), but I do this in a total of about one hour a month. Take that, 4-hour workweek guy.

Stocks rise, stocks fall and I go about my business, but it wasn't always like that. I remember back in the Internet bubble, I was one of those guys who had a Palm Vx with the sled modem so I could get email and make stock trades when I needed to. I had multiple backup methods to ensure my trades got executed and subscribed to trading newsletters. I was probably trading for 1-2 hours a DAY. I was also making a LOT of money, but that was not unique. It seems almost every jackass that did any trading was making a lot of money in 1998 and 1999.

But alas, gravity hit me upside the head big time in late 2000 and 2001, like everyone else. I learned all sorts of key lessons on stocks like USi and MicroStrategy. Something about trying not to catch a falling knife. Those lessons cost me a fortune. So in grand Rothman tradition, I had made and lost a fortune by the time I was 32. Bully for me.

After beating myself up for quite a while (and still riding a huge tax-loss carryover), I looked for a better way with less stress and using the appropriate time frames to, in the immortal words of Peter Lynch, "get rich slowly." At the time, I was in my early 30s and finally figured out that life is a marathon and not a sprint. So I looked for an investment philosophy that played into that.

I'm also a quant guy and a systems guy. I look for better systems to accomplish a job. So a systems-based approach was something I was very interested in. Something that told me when and what to buy and when to sell it. I wanted to take emotion out of the equation. I had followed the mechanical investing boards at the Motley Fool for a while and even tried my hand at running a few of my own systems. I found I did pretty well buying stuff, but selling - not so much.

After some more tooling around, I finally found a system that worked. Here is my secret for all of you folks out there. It's called Fund*X (www.fundx.com) and they provide a newsletter which gives the details of their mutual fund investing system. It's based on following trends (which every quant guy will love) and it's embarrassingly easy to follow. It's outperformed the broad market indexes over a 30-year period, through up and down markets. But check it out and see if it's for you. To be clear, I'm not giving you investing advice and I'm not recommending you do anything but go visit the site. It works for me and that's all I'm saying here.

I've got a lot to do today and watching the stock market gyrate isn't high on the list. Have a great weekend.

Top Security News

Hush - unless you are the Feds
So what? - So I guess that old adage about possession being nine-tenths of the law is true. If you used HushMail's web service to encrypt and protect your email, then they can possess it and, it turns out, they own it. And when the Feds ask really nicely and go through the proper Canadian authorities, law enforcement can own your mail too. I'm sure there are a bunch of crime lords, drug dealers, bot masters, terrorists and other similarly smarmy individuals a bit perturbed that HushMail turned over "private" mail to the authorities. Wired does a great piece highlighting the fact that if your mail is within someone else's service, it's in their control. To be clear, I don't think Hush is doing anything wrong here. We have law enforcement for a reason and I'm cool with that. Not sure if Captain Privacy groks it, but as long as it's in the fine print of the service agreement - it's OK with me. I guess it's back to the tried and true methods of forcing the bad guys to do the encryption themselves (PGP anyone?). But just remember, SaaS is a wonderful thing, but you really are beholden to the whims of your service provider. If you aren't cool with that, then don't use the service.

Security isn't going away - not yet anyway...
So what? - Dark Reading's Tim Wilson rants a bit about people once again calling the accelerated rate of consolidation the beginning of the end of the security business. For the most part I agree with Tim. Security isn't going away, per se, but I do believe the security INDUSTRY has seen its best days. Security really does need to be a feature within the broader set of technology services and I'm not sure how that really happens if we still consider the market a stand-alone entity. I do believe that there will continue to be innovation. There will continue to be investment. There will continue to be consolidation. That is the natural law of things. BUT, I also believe that security practitioners and vendors need to focus more on how we play into the broader technology ecosystem. It's not about us vs. them, good and evil, fire and brimstone kind of stuff anymore. It's about how we can add value to the business or make sure other folks don't take value away. We can't do that ourselves and thus we shouldn't expect that our little business will stand by itself. Not forever anyway.

The Laundry List

  1. Sophos to IPO. Not sure what to make of the timing, but having a currency to buy more stuff will be a good thing as the endpoint continues to integrate.  - CBR coverage
  2. Guess they don't teach marketing in the Gulag. Russian company actually calls their employee monitoring software KGB and categorizes it as spyware. Next up is their brand of cigarettes, appropriately called "cancer sticks." - NetworkWorld coverage
  3. Who gets rich in a war? Right, the guys that make the weapons. Or even one step removed, the guys that sell the lists of folks fighting to the arms dealers. Figure out how that relates to TechTarget's continued growth in the market and further consolidation in online lead farms, since they just bought KnowledgeStorm too. - TTGT earnings release

Top Blog Postings

Think like a hacker
Great post here from Dan Morrill, who is calling for what he says is a "more flexible sense of ethics in information security." Actually, what Dan is talking about is the need to be comfortable with hacking yourself and being able to put on your bad guy hat and see where the holes are. Then you take the black hat off and go about fixing the issues. I call this discipline "security assurance" and I believe it's absolutely critical to being successful in information security. As Dan says (which sounds very familiar), the bad guys are always thinking about how to use technology for evil, so you had better also be thinking about threat models as you consider new technologies. Remember, no one likes surprises, and if you don't understand what can happen when you roll out something, change a business process or basically do anything, then you will be surprised by the bad guys. And you will be working on your resume.
http://blogs.ittoolbox.com/security/dmorrill/archives/time-for-a-more-flexible-sense-of-ethics

Does anyone care about CISSPs anymore?
Being the resident security management expert at SearchSecurity.com (yes, everyone that actually knows what they are doing was busy), I get a lot of questions from the readership about all sorts of things. Scarily enough, it seems that 40-50% are not about actually managing security, but rather about certifications and career management. Let me make this very clear (as I try to do in my Q&As as well): a certification (including the CISSP) DOES NOT make you competent. It does not prove that you actually know what you are doing. There are plenty of organizations that will only look at candidates with a certification for certain jobs. I think that's pretty short-sighted because a lot of the best security folks I know DO NOT have any such certification. And some of the biggest dimwits I come across have all sorts of fancy letters on their business cards. Those are the kinds of folks that hang their degrees and plaques on their cubicle walls to make them feel some sense of self-worth. I've found precious little correlation between talent as a security professional and any of the certifications that are available out there. Some folks, like Stuart King in this post, make the case that a cert like the CISSP is still important, and for some folks maybe it can open a few doors. My point is that just because someone has a CISSP doesn't mean they are competent.
http://www.computerweekly.com/blogs/stuart_king/2007/11/i-was-dissapointed-to-learn.html

Mogull has a headache - get him some Tylenol
The Mogull's first semi-regular column on Dark Reading provides some detail on his background and the strange trip that's gotten him to where he is right now. But then he actually makes a good point that bears repeating. Come clean, and come clean early, when dealing with breach disclosure. I have a chapter in the P-CSO about incident response, and disclosure is part of that process: who needs to be consulted, when, and why it's critical to have all this stuff defined BEFORE you actually have an incident. Rich takes traditional security thinking and applies it to the Tylenol scare in the early 1980s. It's both scary and enlightening, but highlights the importance of coming clean early. If J&J hadn't acted so decisively during that fateful week 25 years ago today, they may not have survived. But they did, and they did. So how are you going to handle disclosure in your own organization? If you don't know the answer to that, you have a lot of work to do.
http://www.darkreading.com/document.asp?doc_id=138130