June 1, 2009 - Volume 4, #26

Good Morning:
They say the Grim Reaper gets us all. Today Dr. Death visited our pals at GM in Detroit [1]. OK, not really Dr. Death, but his main henchman for business - Captain Bankruptcy. It's not like this wasn't expected, and (in my opinion) it will be healthy for the longer term viability for GM. It's hard to be competitive when a multi thousand dollar entitlement albatross what weighing down every car GM sold.
[2]
The idea is that bankruptcy will allow GM to sell assets, rewrite contracts (especially with the unions) and restructure to be competitive. As a guy who drives GM cars when I rent, but wouldn't buy one myself - I think the economic situation was one piece of it. They also need to be more nimble and build products that folks want to buy.

But the bigger issue here is the concept of periodic renewal. If you remember back to the mid-80's, the concept that GM would go bankrupt was absurd. But then foreign automakers came in and built a better product more efficiently. And 20 years later, GM is on the verge of going away, if they can't change things very quickly. Basically every company must fight to not get stale and doing the same things year after year breeds mildew.

It reminds me of when I was doing an internship at Mobil Oil (when Mobil still existed) back in college. I was living at home and taking a bus to a train into New York City. The commute took me about 90 minutes a day and amazingly enough some of the folks doing that same commute did so for 30+ years. 

These folks were tired and most seemed pretty beaten down to me. It's not hard to imagine that after 30 years of commuting 90 minutes each way, you'd be a bit stale. Now there are a lot of reasons that folks do the same stuff every day, but no one has a reason to let themselves get stale. In our business, where I can tell you the bad guys are anything but stale, complacency and losing vigilance will kill you.

So we can take a message from our friends in Detroit. If we aren't undertaking a process of constant renewal, things will get ugly and most of us don't have the option of a Government bail-out.

Have a great day.

Photo: "Demolition means progress" originally uploaded by churl [3]
Technorati: Information Security [4], CSO [5], Security Mike [6], Internet Security [7]

[8]	The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [9]

Incite 4 U

Better and better every day, every week. Imagine that, an Incite for two weeks in a row and I'll be starting to embrace "social media" more effectively this week, that I think will be a good thing. Stay tuned for that.

1. Obama says cyber-security is important - The big news on Friday was the publishing of the 60 day cyber-security review that took 120 days to complete. I know that counting is hard in Washington DC. But the message was a good one. Byron Acohido did a nice job of summarizing the key points [10], though every tech book and most of the blogging community wrote something about it. But there is a big difference between words and action. Over the next 120 days, in order to maintain any kind of momentum, there needs to be a clear and defined action plan for how we get to achieve the President's 5-point plan. It's not going to happen by itself, or just because Obama says so. We should all be cautiously optimistic and also prepare a set of talking points for senior management to understand if/how the new initiatives will impact your organization.
   
2. Metrics on the brain - When times get tough, the tough get counting. Isn't that how the saying goes? In security, counting has always been hard (as I've written about a million times), but we are making steady progress towards understanding what to count and then counting it. Dark Reading covers both [11] how the fine folks at the Center for Internet Security have published their initial consensus-based security metrics [12] work, as well as Project Quant [13] - which is being driven by the Mogull. CIS puts forth 20 interesting metrics (well mostly metrics, some are a bit hard to really quantify) and it's a good start. Remember, some metrics will be operational in nature and some more focused on quantifying our value up the stack. The more substantiation we can have for the security team, the more likely we'll be able to stay around, especially if things remain economically tough.
   
3. Should we call them VeriSell now? - VeriSign continues to dismantle the house that Stratton built, now selling the MSS business to SecureWork [14]s. Given VeriSign's focus on seemingly selling renewable low-value thingys to mostly smaller companies (like domain names and SSL certs), selling the MSS business makes sense - even if they had to take a $100+MM bath on the transaction. This also gives SecureWorks the leg up as the biggest of the independent MSS providers and they did it for a reasonable price. Of course, now the fun work begins of moving the existing VeriSign business to it's MSS platform to gain the economies of scale, but if you aren't getting bigger in this business - you are getting smaller.
   
4. Predict this Dave... - It's never too late to poke fun at vendor mumbo-jumbo. Back at RSA, McAfee's Dave DeWalt unveiled a vision called "predictive security," [15] which probably resides in the same bunker as the Holy Grail. I know, I know - I'm objecting to the words again as opposed to the concept of evaluating a crap load of data to figure out what is actually happening out there. But as my Dad the lawyer always tell me, the words are important. Mining data you are gathering from the field is NOT predictive. It's reactive. The concept is that by having this data, you can see patterns emerging and draw conclusions FASTER. But that is not PREDICTING anything, is it? And the astronomy and meteorology analogies are interesting because I wouldn't say weathermen have a great track record of really getting it right. Though I guess "faster reactive security" isn't really a catchy marketing term.
   
5. Picking that QSA - Chris Hayes provides a good structure to evaluate a QSA in this post [16]. Too many folks don't realize that picking a QSA is just like picking any other kind of service provider, and given the number of these folks that are popping up, it's a very competitive market on the verge of commoditizing. Of course, that means buyer beware must prevail to make sure you are getting adequate value, while minimizing cost. Also make sure anyone you talk to is well aware of the PCI Council's quality initiative [17] (pdf) and challenge them on it. Some folks want a PCI assessor to just give them the rubber stamp, but that is being pretty short sighted. They can and should point out issues that need to be addressed, before the bad guys force the issue.