SI Announcements

Security Incite Contracts a Case of Securosis

Submitted by Mike Rothman on Mon, 2010-01-04 09:59.

In what is a surprise to probably no one, as of today I'm joining Securosis as Analyst/President. For all intents and purposes, Security Incite and Securosis are merging operations.

The old adage goes that when one door closes, another opens. In this case, it's absolutely true, though not necessarily in that order. Some back-story will clarify why this makes sense. During the summer of 2008, Rich and I had decided to start a new research company. We were moving towards launching around Labor Day 2008.

Then I got the call, from the only guy I would consider working for, about joining eIQ. It was a truly agonizing decision for me. I thought I had something left to prove on the vendor side, and this was an opportunity that I thought had all the pieces for success. I told Rich this just delayed our plans, but I knew he needed to keep moving forward, and that he would.

Over the past 18 months, Rich and Adrian have done a really great job building the brand of Securosis and establishing a very real and credible voice on security topics. Best of all, their research philosophy of Totally Transparent Research totally aligns with my own research philosophy. Truth be told, I have to admit to being jealous when they launched the new Securosis site because it was everything I thought IT research should be.

For me, eIQ didn't work as I had hoped. So when I got laid off, the second call I made was to Rich. Yes, I called the Boss first. Rich, Adrian and I decided to move forward as one entity. We plan to build the next great IT research firm.

Yes, I could have stayed solo. In just the few weeks I've been back on the research side, I have lots of activity in the works. But that limits my ability to deliver pragmatic and actionable information to the grossly underserved market of mid-market IT and security professionals. This strategy will become clear in the coming weeks as we unveil our research products strategy and our individual research agendas.

Equally important, I’m surrounding myself with guys I respect enough to push me, but also guys that I really enjoy hanging out with. In retrospect, I really missed the collegial and challenging environment I experienced as a META Group analyst. Working by myself was great, but I know I want to really make a difference in this space. That means I've got to partner with like-minded individuals who will hold me accountable and tell me when my stuff sucks.

Rest assured, one of the reasons I am following this path is because Rich, Adrian and I have similar philosophies on pretty much everything. We've decided to keep the Securosis "brand" as the company name, but many aspects of Security Incite will integrate with the Securosis offerings. So you'll see a "Securosis Incite" blog post every week and all of our research will be "Pragmatic" in nature.

I'm really excited for the next stage in my personal journey as part of Securosis. Later today I'll be doing a POPE analysis of the move and we've posted a FAQ up on the Securosis blog. If you haven’t already, you'll want to add the Securosis blog (http://securosis.com/feeds/blog) to your RSS reader or get our stuff via email to keep current. The links for email newsletter signup are on the blog page.

Though this ends Security Incite as a stand-alone research entity, it's really the beginning of something with far more potential. Thanks for supporting me over the past few years. Really truly thanks.

The Pope Visits Security Incite + Securosis

Submitted by Mike Rothman on Mon, 2010-01-04 10:17.

When I joined eIQ, I did a "POPE" analysis on the opportunity, to provide a detailed perspective on why I made the move. The structure of that analysis was pretty well received, so as I make another huge move, I may as well dust off the POPE and use that metaphor to explain why I'm merging Security Incite with Securosis.

People

Analyzing every “job” starts with the people. I liked the freedom of working solo, but ultimately I knew that model was inherently limiting. So thinking about the kind of folks I'd want to work with, a couple of attributes bubbled to the top. First, they need to be smart. Smart enough to know when I'm full of crap. They also need to be credible. Meaning I respect their positions and their ability to defend them, so when they tell me I'm full of crap - I'm likely to believe them. Any productive research environment must be built on mutual respect.

Most importantly, they need to stay on an even keel. Being a pretty excitable type (really!), when around other excitable types the worst part of my personality surfaces. Yet, when I'm around guys that go with the flow, I'm able to regulate my emotions more effectively. As I've been working long and hard on personal development, I didn't want to set myself back by working with the wrong folks.

For those of you that know Rich and Adrian, you know they are smart and credible. They build things and they break them. They’ve both forgotten more about security than most folks have ever known. Both have been around the block, screwed up a bunch of stuff and lived to tell the story.

And best of all, they are great guys. Guys you can sit around and drink beer with. Guys you look forward to rolling your sleeves up with and getting some stuff done. Exactly the kind of guys I wanted to work with.

Opportunity

Securosis will be rolling out a set of information products targeted at accelerating the success of mid-market security and IT professionals. Let's just say the security guy/gal in a mid-market company may be the worst job in IT. They have many of the same problems as larger enterprises, but no resources or budget. Yeah, this presents a huge opportunity.

We also plan to give a lot back to the community. Securosis publishes all its primary research for free on the blog. We'll continue to do that. So we have an opportunity to make a difference in the industry as well.

To be clear, the objective isn't to displace Gartner or Forrester. We aren't going to build a huge sales force. We will focus on adding value and helping to make our clients better at their jobs. If we can do that, everything else works itself out.

Product

To date, no one has really successfully introduced a syndicated research product targeted to the mid-market, certainly not in security. That fact would scare some folks, but for me it's a huge challenge. I know hundreds of thousands of companies struggle on a daily basis and need our help. So I'm excited to start figuring out how to get the products to them.

In terms of research capabilities, all you have to do is check out the Securosis Research Library to see the unbelievable productivity of Rich and Adrian. The library holds a tremendous amount of content and it's top notch. As with every business trying something new, we'll run into our share of difficulties - but generating useful content won't be one of them.

Exit

Honestly, I don't care about an exit. I've proven I can provide a very nice lifestyle for my family as an independent. That's liberating, especially in this kind of economic environment. That doesn't mean I question the size of the opportunity. Clearly we have a great opportunity to knock the cover off the ball and build a substantial company. But I'm not worried about that. I want to have fun, work with great guys and help our clients do their jobs better. If we do this correctly, there is no lack of research and media companies that will come knocking.

Final thoughts

On the first working day of a new decade, I'm putting the experiences (and road rash) gained over the last 10 years to use. Whether starting a business, screwing up all sorts of things, embracing my skills as an analyst or understanding the importance of balance in my life, this is the next logical step for me.

Looking back, the past 10 years have been very humbling. It started with me losing a fortune during the Internet bubble. I've sold the company I founded for the cash on our balance sheet because we couldn't find enough customers. I tried to start two other companies - to no avail. I've gotten fired (or laid off) three times. Quite a decade, eh?

Yet, I persevere. I lived through that and had lots of successes as well. Each of those experiences helped me get to this place and become ready to do this. And I'm ready. So hold on, it's going to be a great ride.

Note: I'll be writing over at Securosis moving forward. The blog is http://securosis.com/blog, and you can sign up to get our writing via email; the link is on the blog web page. See you there.

Photo credit: "Pope" originally uploaded by bayat

Incite Rides Again

Submitted by Mike Rothman on Tue, 2009-11-17 08:14.

I was laid off from eIQ yesterday. I know it was a tough decision for the folks up there. Business decisions can be that way. I feel for them that they feel bad. They shouldn't.

Am I disappointed? Yes. But not for the reasons you'd think. I really enjoyed working with some members of the team, and I'll miss that. Some parts of the job were fun and interesting. I'll miss that too.

But most of the stuff I won't miss. At all.

As I was thinking back, it turns out the tenure of my last 3 vendor jobs has been exactly 15 months. I know, kind of strange, eh? Don't think they have an actuarial table to predict that. Yet this last experience has finally brought me to the realization that working for a vendor isn't the best use of my skills. Sometimes I'm a little slow on the uptake.

There are lots of reasons a vendor job isn't the best fit, but three really stick out like a sore thumb. The first is competition. I used to be very very competitive growing up. Life was a zero sum game and I wanted to win - everything. I used to joke that I wanted to be king of all I survey. As I've gotten older, my need to win is much less acute. So the hand to hand combat of working for a vendor in a competitive market space is not only tiring, it's soul crushing.

After my experience at CipherTrust, I figured that I didn't like the competition because I was on the losing team. But that's not it. I'm not interested in tracking the time it takes the competition to copy my messaging anymore. Win or lose, I'm tired of the competition. And if you don't want to compete every day for every deal, you shouldn't be working for a vendor in a competitive space.

I also don't like breaking things that aren't broken. So the first 6 months with a vendor are fine. Things are broken and I fix them. The positioning. The web site. The product marketing and sales toolkits. The product strategy. But after about 12 months, everyone thinks things are broken again. Shiny objects start flashing that "need" attention. And that takes focus away from what is really important. You are forced to go through this dance of trying to figure out what is broken and what isn't. And the answer "I did it right the first time" doesn't really fly (I tried that the first time, it didn't go very well). These gyrations are so much fun, I'd rather give myself an enema with a branding iron than reposition the company around the latest hot buzzword.

But neither of these is the real kicker; there are parts of every job you don't like. For me, it's all about the passion. The best performers I know are really passionate about what they are doing. They just love what they do and would do it whether they were getting paid or not. I can tell you I was not passionate about my last 3 vendor gigs.

And to do something all day, every day that you are not passionate about is tiring and soul crushing. So I did my best each day and would anxiously await the day when they would pay me to not do marketing, which happens to be about 15 months after I start.

But ultimately this gets back to me. When I left TruSecure, it was them. At least that's what I convinced myself. 17 months later (2 months to get the CipherTrust job and then 15 months there) I left CipherTrust and it was still them, but I was tired of working for someone else. So I started Security Incite.

I joined eIQ because it seemed the stars were aligning and it was going to be different this time. 15 months later, it's not different. And it's not them. It's me. And I'm OK with that. Really, truly OK.

You see, life is a journey and I'm finally starting to realize that there is no right path or wrong path. There is only the path. eIQ and my other vendor experiences were part of that path. But as I look ahead, my path doesn't involve working for a vendor.

Given that Thanksgiving is next week, I'm going to lay low for the next few weeks. Get back into a routine of taking care of myself first. Writing the manifesto that accompanies my new Happyness content (Bill Brenner of CSO did a piece on the talk). Talking to old friends and plotting my next move.

So that was a long winded way of saying: INCITE RIDES AGAIN on November 30.

It's good to be home.

Photo credit: "Hi-Yo, Silver!" originally uploaded by arellis49

Pragmatic CSO Bootcamp #2 (and book discount offer)

Submitted by Mike Rothman on Wed, 2009-10-07 15:34.

Pragmatic CSO Weekly

October 7, 2009 - Bootcamp #2

Mike's Pep Talk:

"It would be better if you begin to teach others only after you yourself have learned something."
-- Albert Einstein

I am a fortunate guy. The journey I'm on continues to amaze and astound me. I viewed The Pragmatic CSO as my opportunity to give a little back based on all of the great people that have taught me the ropes through the years. Though I've been pretty much silent over the past year on P-CSO activities, I still like to give back when the opportunity presents itself to give folks that haven't been exposed another chance to get Pragmatic.

Once again, I'm happy to partner with the folks at the Business of Security site to run a series of webcasts and virtual peer group sessions to run folks through the boot camp I put together a few years ago. In this kind of economic environment, it's all the more critical that every security professional be focused on adding value and selling the benefits of security. Being Pragmatic is certainly a time-proven method to doing that.

The first session doesn't cost anything and will be held this Tuesday via webcast. I'll run through the P-CSO process and then dive into the first section of the P-CSO - "Plan to be Pragmatic." I'll also go into the beginning of Section 2 - "Building Your Pragmatic Security Environment."

Even better, through the generosity of the Business of Security folks (and my employer, eIQ) I'm able to offer attendees to the session a 50% discount on the book and/or PDF. But to get the discount, you'll need a special discount code that will be provided during the session. 

So, if you've been waiting for the price of the P-CSO to come down - this is your chance.

There will also be a special discount for folks that want to participate in the follow-on sessions when I present the rest of the boot camp. More details will be available during the session.

Here is the link to the registration page. I hope to see you on Tuesday.

Photo credit: Army.mil

 

Into Twitter Hell

Submitted by Mike Rothman on Tue, 2009-06-09 10:02.

As I mentioned yesterday, I've taken the plunge and decided to start Tweeting (@securityincite). Whatever that means. Basically there were a number of things that contributed to me being "late to the party," as a number of security twits (yes, that's what they liked to be called) reminded me.

First, I'm always late. For those that associate with me personally, there is "Rothman time," which is usually 10-15 minutes behind everyone else. I've been working on that, but it's a struggle. And the Boss is worse. "Boss time" is usually 15 minutes behind me.

Second, I was scarred as a young boy when my Mom dropped me off at a birthday party 2 hours early. She had to work - the nerve of her. It was a surprise party, so not only wasn't the birthday boy there, no one was there. I had to hang out with the kid's Mom for 2 hours. It was gruesome and painful and to this day, I'll drive around the block 50 times rather than show up 5 minutes early.

Third, I was never an early adopter. My house was the last house to get cable TV in the early 80s. By the time I got Atari, my friends all had Intellivision. Right, I got the Commodore 64 after everyone had an Apple IIc. We didn't have a lot of money, so I didn't get all the cool toys, and I realized it's not so bad - given 95% of shiny objects end up in the trash bin within a week. And with today's multi-tasking, ADD-ridden, texting, Ritalin-taking kids, it's getting even worse.

So I don't have a Wii. And my oldest just got a DS. Bah humbug. I tell them to go read books or play in traffic. I didn't have no stinkin' DS. Or even the ticker on CNN to keep my attention for hours at a time.

Practically (dare I say Pragmatically), it's very hard for me to do full Daily Incites more than once per week. So I'm figuring when I see interesting articles, then I can tweet about them and keep my analysis/commentary to 140 characters. I know many of you will appreciate that.

140 characters is good for me. That's kind of scary. Not much real estate. My first boss in research, a wild man named Joaquin Gonzalez, would thump me like a drum when I went into "flowery prose" mode. The worst insult he had for someone (OK, maybe not the worst, but close) was to say they wrote like a consultant. He told me good writing is dry, "dry like a martini." Why say it in 5000 words, when you can say it in 1000? Now I need to make the point in 140 characters. That is a good exercise for the verbose.

For those of you still resistant to Twitter, congrats. You are a later adopter than me, and that is pretty impressive. I'll highlight my Tweets in at least one post per week, so you'll know what I'm thinking - though not in real time.

So I'll see many of you in the Twittersphere, which is as stupid a word as blogosphere. You can find me at http://www.twitter.com/securityincite or @securityincite for you twits out there.

Calling myself a twit. I'm sure my Mom is tickled. Probably as tickled as me telling the surprise birthday party story (for the zillionth time).

Photo credit: "Twitter is down (the street.)" Originally uploaded by monstro.

Evaluating Priorities

Submitted by Mike Rothman on Tue, 2009-04-14 09:48.


First off, I want to thank the many of you that sent me notes wondering if I'm OK. Of course, there is always Shimmy, who constantly shows his Photoshopping skilz. I'm just fine, actually I'm great. And that's what I want to talk about today.

For a long time, I've been counseling readers, friends and clients about the need to constantly evaluate your priorities, pretty much every day. If you are in a security role, you understand how important this is. There are always new attacks, new devices, new applications, and users that do stupid things to keep us busy.

If you don't make sure you are working on the highest priorities, you are wasting time and not providing value to your organization. And in this kind of economy, none of us can afford that.

So basically I'm eating my own dog food and about a month ago decided to evaluate my personal priorities. I only have 24 hours a day and I wanted to make sure I was spending it in the most effective way. Turns out, I drew the conclusion that I needed to focus - for the first time, in a long time - on myself.

I've started spending 1-2 hours a day on personal development. That could mean a lot of things and I'm not necessarily going to go into great depth. Suffice it to say I'm focusing on improving myself, both on the outside and the inside.

Alas that means I don't have as much time as I used to for the Daily Incite. As I get into a better rhythm of juggling my personal, family and job priorities, I hope to return to a 2-3 times a week frequency on the blog.

In the meantime, I'll be looking into doing a little bit of link publishing through a service like del.icio.us or something similar. Basically I'll be able to post some interesting content, add a quick comment (in Incite style) and have it automagically published to the blog and posted to the email list.

Thanks for your patience.

Photo credit: Alan Shimel

Holy Crap! I took a job...

Submitted by Mike Rothman on Mon, 2008-10-06 07:19.

I'm constantly amazed by life's little surprises. If you would have told me I'd take a job before the end of 2008, I'd have laughed. But only after calling you a number of things I wouldn't say to my kids.

It's true. I've been named Senior Vice President of Strategy and Chief Marketing Officer of eIQnetworks. I've rejoined forces with Jim Geary, one of the co-founders of SHYM to work with the existing team and take eIQ to the next level.

No, I wasn't expecting this. No, I wasn't looking for a job. No, I didn't "need" to. Yes, I'm probably nuts for taking another vendor job. But a number of pretty cool things came together and compelled me to make this move.

I should always remember that "never" is a very long time. Given my short attention span, the idea of "never" doing anything again is pretty silly.

First things first, you may not have heard of eIQ. We (wow, it's weird to refer to a vendor as "we") provide a security management platform that transforms the way security, audit and compliance professionals do their jobs. Our product set fits very cleanly into my world view of how security management needs to evolve and what the products in the space need to do.

Yep, I've pretty easily slipped my slick marketing hat back on, eh?

Security Incite will live on!

Obviously, I can't continue to parade around as an "independent" analyst. So as of today I'm no longer President and Principal Analyst of Security Incite. I think I'll just call myself Chief Blogger. That's right, I'll still blog right here and do my usual "no bull" analysis of what's happening in the security space.

I'm also going to evolve the Daily Incite to a more reasonable format for a part time "hobby." No it won't be daily (but I'm too lazy to change the logo), but that shouldn't be a surprise because it hasn't happened daily in about two years. I'll probably do 2-4 snippets twice a week or so. I'll also continue to do at least one detailed post a week based upon what I'm seeing in my travels and working with customers.

I'm not going to talk (much) about eIQ on the Security Incite blog, though tomorrow I will dig a bit deeper into my rationale for making this move. Obviously I'll disclose when any of my posts would/could be influenced by my employer or slam my competition. Surprisingly enough, we're launching a blog at eIQ, so add that to your feed reader. Myself and a few of my colleagues will be blogging about security and compliance management over there.

Part of my job as SVP, Strategy is to be very visible in the community. So I'll be doing a lot of speaking engagements, trade show appearances, and meeting with enterprise customers. If you are interested in having me come speak to your group, I'm game - just drop me a note. I'll even bring a few Pragmatic CSO books to raffle off.

I'm humbled and grateful that all of you have joined me on this journey for the past few years. You've challenged my positions, told me about what is really happening out there, and become good friends. As I move into this new role, I hope you'll stick with me as I continue to poke fun at idiocy, fight mediocrity, and try to make a difference in how security professionals do their jobs.

At some point, I expect to open shop again as an analyst because I really do love the role. But until then, I hope you are still able to enjoy the Incite of yet another vendor puke.

Photo credit: "old time clock" originally uploaded by mbtrama

Pragmatic CSO review on Slashdot

Submitted by Mike Rothman on Mon, 2008-07-28 13:35.

Nothing like getting a little present on a summer Monday. I wanted to point out that a review of the Pragmatic CSO was posted today on Slashdot. You can check it out:

http://slashdot.org/article.pl?sid=08/07/28/1330215

Overall, Ben Rothke provided a balanced and positive review of the book, which really hits on the key points I try to highlight not only in the process, but also in my weekly newsletters and podcasts.

 

Security Incite July 2008 Publishing Schedule

Submitted by Mike Rothman on Wed, 2008-07-02 10:13.

It's that time of year. As my friends across the pond say: "HOLIDAY!" We call it vacation in the States, and I'm taking a bit of time off in July. It's time to hit the beaches, see some family, expand my mind, and hibernate a bit. Oh yeah, I'll also be working on two super-secret projects that will hit after the summer.

Thus my publishing schedule will be a bit sporadic through the rest of July. As in previous years, I'm doing an Incite Redux series to revisit each of the 10 Security Incites for 2008. The series will start next Monday (July 7) and go for 10 days.

Thus tomorrow (7/3) will be the last Daily Incite until July 22. I'll probably do an extended laundry list a few times while I'm away and maybe post a Special Incite or two - if I'm so motivated. If I decide to hit the beach a bit early... No Incite for you!

And I'll post a Pragmatic CSO newsletter next week (7/9) and then resume the P-CSO podcast on 7/23.

I hope everyone enjoys their July and us Yankees can enjoy a safe and fun July 4 holiday.

Photo credit: "Sunrise Over Rocks, Lighthouse Beach" originally uploaded by Captain Capture

Security Mike's Pre-sale is ON

Submitted by Mike Rothman on Mon, 2007-09-17 15:38.

As I described in this introductory post, I'm really excited to be announcing Security Mike's Guide to Internet Security. It's a 10-Step process broken up into 3 sections to help consumers protect themselves and their kids from hackers, identity thieves, and other online mayhem.

The product will be delivered via Security Mike's Portal, which will go live on November 15. I am taking pre-sale orders until then and offering a $10 discount, as well as a few bonuses to give you an incentive to jump on now.

You will be able to get the Guide for $27 until November 15. When the Portal launches the price is going up to $37.

If you want to find out more about the program, register on Security Mike's web site and you'll get the Special Report: 6 Easy Steps to Protect Your Identity. This is Step 6 in Security Mike's process and you can get it for free. These are things that EVERYONE should be doing, so register and download the document today.

I also mentioned a couple of bonuses. The first is a little guide on "How to Uninstall Symantec and McAfee (without killing your machine)." Since a hallmark of Security Mike's approach is that consumers don't need to pay for security software anymore, you'll want to get rid of those heavy "suites" that slow down your machine and lighten your wallet. This report shows you how to do that.

The second bonus is "How to talk to your kids about Internet Security." These are pretty hard discussions to have, but it's absolutely critical that you address the issues. This special report will provide some ideas and tactics for you to do just that, in Security Mike's no-nonsense way.

Remember, the pre-sale period ends on November 15. So don't delay. You can save some money and get the bonuses.