Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - September 6, 2007

By Mike Rothman
Created 2007-09-06 08:39
Today's Daily Incite

September 6, 2007 - Volume 2, #129

Good Morning:
What is the key to happiness? Yeah, I know - it's a deep question and probably a little heavy since we are all shaking out those summer cobwebs now that September has arrived and we need to get back to work. I ask because like most of you, I'm still looking. I haven't found the answer, even though I think I'm closer than I was two years ago. Actually, I'm not sure there is an answer. Maybe it is that "one thing" that we learn about in City Slickers.

I went to a party last night with a bunch of old friends and colleagues. Some were happy, quite a few were sad. The folks that were happy spend a lot of their time doing stuff they like in an environment they enjoy. The ones that are sad aren't, but it seems they are too comfortable to make a change, even though they hate what they are doing.

What's that about? If anything, seeing old friends reiterated how much I enjoy what I'm doing now. Sure there are days where I miss the battle and the camaraderie of being in the foxhole of security as customers and competitors are firing live ammo at you. Sometimes I wonder if I'm getting soft and losing my aggressive streak because I don't need to "go for the throat" on a daily basis anymore.

I've come to realize that those days are in my rear view mirror. I don't need to bite the heads off of bats anymore to get a rush. The stuff I learned in the field was invaluable to make me a better analyst and teacher and mentor and friend. But being able to get past it and embrace what I really enjoy is a good thing. I've stopped questioning my path and started enjoying the trek.

So I'm assigning you some homework this weekend. Are you doing what you love to do? Do you even know what you love to do? If you can't definitively say yes to both of those questions, then you have some thinking and contemplation ahead of you. Spend some time figuring it out. You'll be glad you did.

Ultimately you decide how you spend your day and it's in your power to change things. Not mine. As much as I wish I could shake some of my complacent friends, smack them upside the head, and get them to take some action because they are stale and they are wasting time - I can't. I hope they remember that time is the only thing we don't get back.

Have a great weekend.

Technorati: Information Security [1], CSO [2]


Top Security News

There's a tip on SearchSecurityChannel about how VARs looking to get into managed security need to find security engineers [5]. The advice is pretty light, but it makes a very important point. It's not just VARs that need these folks. End users and vendors need to hire great security engineers as well. This has become a systemic issue, by the way. We are definitely not training enough folks to keep pace with the growth of the attack surface and the need for businesses of all sizes to take security more seriously. So what to do? We're going to need to grow some. That means big companies need to start a "farm system," where capable and young technologists learn the security trade. This will involve some formal curriculum and training, but also a lot of learning in the school of hard knocks. In a perfect world, we could hire great folks that already know exactly what we need them to know. Of course, this world is far from perfect, so count on growing your own.
Link to this [5]

NetworkWorld has an interesting article that tries to explain how software pricing works [6], but doesn't do a great job because there really isn't a good explanation. Pricing is based upon perceived value and real ability to pay. It costs less than a dollar to generate a DVD with code on it. But large enterprises will pay HUNDREDS of thousands for that software. Right, it's about value and competition and ultimately what a vendor thinks their customers will pay. It's not really more scientific than that. It was very interesting to live through Barracuda's entry into the anti-spam market, where they very quickly reset smaller companies' perceived value for the technology. And once that perceived value goes down, it doesn't go back up. I learned that the hard way.
Link to this [6]

Tim Greene does his beat reporter best to regurgitate Cisco's propaganda in his NAC newsletter [7]. Cisco is clearly trying to spin a story that the NAC appliance is a non-disruptive means to add NAC and their NAC framework is a more "strategic" direction. Now the time has come to merge the two into "one-derNAC." Of course, a few of the NAC dwarfs (Shimel [8] and McLean [9]) need to have their say about Cisco's plans, but that shouldn't be a surprise. When Cisco passes gas, these guys suffocate, so they are going to have an opinion. But back to the topic at hand. Let's be clear, the NAC framework was the direction until two things happened. First, no customers were interested in the NAC framework. It was too early, it was too heavy, and it didn't solve any customer problems. Details, eh? Second, they bought Perfigo and then had something less disruptive that customers were kind of interested in. Ergo, this wasn't a "planned" set of options to provide customers - this was real-time improvisation based upon market realities. Which, by the way, is fine and the right way to do things. I just object to trying to recast the past to make it seem like this was the plan all along. That's a load of crap.
Link to this [9]

The Laundry List

  1. Did we learn anything from the sub-prime mortgage woes? "Creative financing" are words that probably shouldn't be used together, especially not when talking about big channel deals. - SearchITChannel coverage [10]
  2. Deal: Citrix gets into the perimeter SOA and XML security and acceleration market by taking out QuickTree. Yet another feature added to perimeter boxes. - Citrix release [11]
  3. Great, now every Web 2.0 wanna-be is going to be writing viruses. CrunchGear highlights the emergence of malware toolkits. This may be the hot present this holiday season. - CrunchGear [12]
  4. Less value for higher prices and grumpy customers who continue to write the checks. Who said technology research was a crappy business? - ARcade blog [13]

Top Blog Postings

http://rationalsecurity.typepad.com/blog/2007/09/we-used-to-worr.html [14]
Link to this [14]

Mogull speculates that if this was happening every day, then folks would stop shopping at TJX [15], but I'm not so sure. Most folks just don't care. And the folks that do care know they are only liable for $50, and the banks usually don't enforce that. Of course, it's good for the security business if these institutions never catch on and keep pumping money into the security industry. So I won't tell if you don't. OK? Mum's the word.
http://securitybuddha.com/2007/09/04/security-and-privacy-are-not-competitive-advantages/ [16]
Link to this [16]

http://blogs.technet.com/steriley/archive/2007/09/04/passwords-policies-once-again.aspx [17]
Link to this [17]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-september-6-2007