January 5, 2009 - Volume 4, #2
Good Morning:
The holidays are over. Though as I was driving around my neighborhood,
it seems not everyone has a new calendar. Some folks still have their
decorations up, which is pretty annoying. Though I'm sure those wreaths
will be pulled down and the lights dismantled over the next week - or
else the neighborhood decoration police start squealing a bit.
More importantly, this week is about setting the tone for the
rest of the year. My kids need to go through a serious detox. We've
been a bit lax about sleep patterns over the holiday break, but that's
got to end. When I poke my head into the oldest's room tomorrow AM at
6:30, it'll be a real shock to her, and probably to me as well. Maybe
getting her a Space Invaders alarm clock will help. Probably not.
If you can't get your priorities in focus and make some
progress on that list this week, then it's probably not going to get a
lot better throughout the rest of the year.
I'm not going to belabor the points I made on Friday about commitment
to change. Whatever you want to do this year, it needs to start today.
Before you know it, the ball will drop on 2009 and another year will be
in the books.
So stop reading my drivel and get to work. Have a great day.
Photo: "Space Invaders Alarm Clock" uploaded by _ES [2]
5 for 2009
Before I jump back into my cycle of news commentary, I thought it made sense (on the first real work day of 2009) to give a little perspective on what I expect to happen this year. A lot of folks have made predictions (though seemingly not as many as in previous years) and I want to be clear, I am not in the prognostication business anymore - so these are just a few things to think about as we head into 2009.
- Budget tightening - Unfortunately, I was right in my macro-economic projections from last year. I figured Q3 would be bad and Q4 horrible. The security business seems relatively insulated, but I don't expect that to continue through 2009. The reality is budgets will be tightened throughout the year as the depth of the malaise sets in. So it's wise to take an approach like MCW [9], which is to figure out what you can do with NO new funding or resources.
- Product line extensions - Given the need to do more with less, it's going to be hard to get new vendors into the mix. But you will see a lot of existing vendors start to wrap more and more functionality into their existing "suite," which then allows customers to bring in new capabilities as part of a maintenance renewal. Of course, we've seen big security vendors adding more capabilities to their offerings for years. The difference we'll see this year is the vendors bundling in more value-add to maintain renewal dollars - as opposed to seeing those go away. The best example of this will be full disk encryption, which will emerge as a feature of the endpoint suite.
- Fire sales - Given the difficulty of placing new products with customers in 2009, and the focus of Big Security on adding value to their existing offerings, there will be a lot of carnage in security start-up land. VC funding will be scarce and cash flow will be challenging for these small vendors. So you'll see a lot of asset sales and companies going away. Customers need to be very focused on this both for new purchases (which will be minimal) and even renewals. It's reasonable to check a vendor's balance sheet and make sure they've got a decent plan to exit 2009 in one piece.
- Services are everywhere - In this kind of environment, customers are increasingly looking at service offerings to allow them to reduce capital expenditures and address the skills gap (since it'll be very hard to add headcount). The biggest issue is going to be a lot of shysters offering services they can't deliver on. Smaller MSSPs may not have the infrastructure and processes to support the 24/7 types of oversight that security requires. So it's reasonable to really dig into any of these providers and make sure they can answer the right questions.
- Hype deflation - Pssssst. That's the sound of the air coming out of the virtualization security balloon. Not that virtualization won't continue happening. Of course it will. But in the absence of any verifiable attack on a virtualized stack, there won't be much to talk about. That won't stop Hoff (and others) from trying, though. There is a chance that the PCI council will make a strategic mandate on virtualization, which could blow up the balloon. But I think they are much more likely to make a nebulous statement and decide to do nothing. Also expect new categories like network-based entitlement management to struggle, since there isn't really a compelling need for these boxes.
Thus I expect 2009 to be The Year of Surviving. That's right. I don't think there will be an overall theme this year besides trying to make it through each day, week and month. Over the past few years a lot of new technology categories have emerged - many of which are important to the overall theme of information protection. These new offerings, like web application firewalls and database security gateways, have been clicking along and growing - but not exploding. I don't expect any security market to really break out this year.
I think if we look back at 2009 and see that we got some stuff done while keeping our heads attached to our bodies - it'll be a good year.