Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - 1/27/09 - Scum Watch

By Mike Rothman
Created 2009-01-27 09:09
Today's Daily Incite

January 27, 2009 - Volume 4, #10

Good Morning:
It's the little things that indicate things are going to get worse, before they get better. It's not just the daily drum of layoffs from one big company after another. It's the fact that at least twice over the past week, I haven't been able to get a seat at Starbucks to do some writing. Maybe it's just anecdotal, but I think there are a bunch more folks considered "free agents" because they are looking for their next gig. This is one way to clean up the scum... [1]

With my job history, I've been there. I know it's much better to stick with the daily routine, even though you've got nowhere to go. It's important to dress nicely, get out of the house, have lunch with folks, make lots of calls, send lots of emails and keep the activity level up.

I get a lot of messages from folks asking if I know of this or that. Sometimes I do see a fit and I'm happy to make an intro. Other times I don't and I feel bad. Because I've been there.

We shall overcome. This too shall pass. It always does. But this post from Fred Wilson got me thinking about greed [2], especially given the job carnage. The stimulus package in the US will hit at some point over the next few months. And the Government will be spending money. It's impossible to manage $750+ BILLION in spending. There will be waste, there will be pork, and there will be corruption.

It'll be interesting to see where cyber-security ends up on the list. I think the Federal investment will continue (at least that's what I'm seeing in my day job), and part of me is happy about that. That big part of me that has to write the mortgage check every month and wants to be able to provide a comfortable lifestyle for my family.

I can only hope at least some of us have gotten past the greed of the past 20 years. I know that's being way too idealistic, but we can hope, no? Given the reality that there will still be shysters in the mix that are focused on gaming the system as opposed to making it stronger, my real hope is that there is proper oversight to find egregious corruption and make a public example of them.

Yes, I hope some of that stimulus is earmarked to expand the Federal penal system, so there is plenty of room for the white collar scum that will inevitably emerge. Have a great day.


Photo: "Using vinegar for a natural clean" originally uploaded by elycefeliz [3]


Incite 4 U

It's amazing how much buzz continues to permeate around the Heartland breach. We'll get to that in a bit, but I do want to address Anton's position that I've gone insane [10] based on my rant yesterday about the Irrelevance of PCI [11]. Firstly, I've been insane for a long time. But no one has convinced me that I'm wrong. Maybe it'll take 3-4 years (HIPAA was still an area of focus for 3-4 years after it started its long downward slope towards irrelevance), but unless something changes - it'll happen. There are lots of different perspectives regarding how to address these issues and new attacks, and it'll take a while until the right path becomes clear. But my position remains: the PCI Security Standards Council can get a little proactive and dictate the path, or they can let the hackers continue to set the agenda. It's their call.

  1. In the category of too little, too late - Speaking of Heartland, now the CEO is pushing the "industry" to adopt end-to-end encryption [12]. It's interesting that this guy has gotten religion once he's been front page fodder for a week. But more importantly, I wonder if everyone realizes that end-to-end encryption isn't a panacea either. Sure it's better and would have eliminated the sniffers stealing track data off the wire. But if the servers and/or applications are pwned, encryption is not going to help.
  2. Mort's crystal ball - Looks like my friend David Mortman has stepped into my slippers as security management expert at SearchSecurity. Here are his thoughts on 2009 [13]. Pretty straightforward stuff. Compliance remains the driver (driven by new notification laws) and web-based app security continues to garner a lot of attention. Then he throws in the virtualization word, but within the context of more outsourcing and the further embracing of service providers to help execute on security strategies. I agree with most of the stuff, but to me the biggest issue for 2009 is how to do more with less. We ain't getting more resources folks, regardless of what the budget says.
  3. Justifying data security, good luck with that - You have to hand it to the Securosis guys. Besides being fun to hang out with, they are pretty fearless when it comes to trying to slay conventional wisdom and put numbers towards justifying data security [14]. As they are finding out, it's hard to do. Because every company is different and every culture will respond to different pressure points. Oh, the other issue is that logic tends to have very little place in the discussion, when the decision is to protect data or upgrade a factory. Maybe it's just me, but the factory usually wins. But I do hope Rich and Adrian do make progress because a taxonomy on how to stage the discussion is critical.
  4. Where is Barnum when you need him? - A few weeks ago I was appalled that Certicom was fending off a hostile takeover attempt from RIMM. It turns out I was wrong. It seems PT Barnum was right and VeriSign is today's sucker - rescuing Certicom and paying $73 million for the company [15]. Huh? That's a really big number for a toolkit. But I do have to hand it to the bankers for Certicom. They found maybe the only guy that's been able to truly monetize a toolkit - Jim Bidzos. That's right, the RSA guy is back, but on the other side of the deal this time. I guess he forgets that the RSA deal made him rich, but didn't help the Security Dynamics guys all that much.
  5. Virtualization Security - Big Hat, No Cattle - Andreas and his Nemertes colleagues recently did a security survey and they found out that no one really cares about virtualization security [16]. Just 10% of the respondents have anything deployed and I guess I'm wondering what's the matter with them. That seems about 8% too high, especially in this environment. But it's a matter of time. At some point, the risks will become clear and we'll need to act. The question is whether future versions of our existing tools will get us there, not whether it'll be an issue. And the good news is we won't have to worry about it too much this year.
  6. Would you like that crow baked or fried, Mr. Schultze? - On one hand, it's embarrassing to hit the fire alarm when there is no fire. Especially when you have to send a note to your customers saying, "Never mind." But you also have to give credit to the folks at Shavlik that did the right thing [17]. They owned up to the mistake. Yet this is a direct effect of the vulnerability/exploit mania that is much of the security business today. From both a PR and a defense standpoint, it's literally a race to evaluate the patches and assess them. And mistakes are going to be made. The good news is that most customers have change control processes that force them to think before they act. Most of the time that's a good thing.

Now time to go take my lithium or whatever was in the magic pills that Anton sent me to address my insanity. Hopefully he has plenty in his own stock to get through the day. My holiday present to him should have been a rope, since being the PCI guy, his house is built on quicksand.



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-1-27-09-scum-watch