November 7, 2007 - Volume 2, #151
Good Morning:
It seems like years ago, but I recall watching the execution of Saddam
Hussein earlier this year with macabre curiosity - 4 times. The
thoughts running through my mind were along the lines of, "so this is
how a despot ends." Candidly, I think the unauthorized coverage made
the situation a lot more real to everyone across the globe, not just in
Iraq. Sure there were lapses of judgment in an emotional situation -
but the point was made that this was a new time and Iraq had the
opportunity for a new beginning. Whether they take it is another story,
but I'm definitely not going there.
The same kind of thinking went through my mind when I checked my
newsreader this AM and saw the story of Microsoft's CIO being "terminated" for a
violation of company policy [1]. It's not clear what
the violation was, but suffice it to say it probably was bad. It needs
to be to warrant a public execution like that. A C-level public
execution in Redmond. Yes, that sends a strong message about culture,
about acceptable behavior and about Microsoft's willingness to enforce
the policies. I feel for the guy whose head is now mounted on the
stick, but I suspect everyone at Microsoft got a pretty strong wake-up
call.
Similarly when Boeing shot Harry Stonecipher for sending inappropriate
emails and having an affair with a junior employee, it sent ripples of
fear through other Fortune 100 mahogany board rooms. Oh crap, it can
happen to anyone. Will it change behavior? Probably not, people are
people and it's hard to deter human nature - but maybe they'll be more
careful about covering their tracks.
Yes, there is a point and that's the value of the public execution. I
talk about it frequently in my Pragmatic CSO writings, both the book
and the weekly blog post. For the most part, I think many of the large
public companies take ethics pretty seriously and enforce their
policies, if only to limit the liability of the board members. But I'm
not so sure about mid-sized companies. Those companies where taking out
the rainmaker because he has a drug habit or likes to watch - well
you know - at work, would perhaps be a fatal blow to the business.
In that case, enforcing the policies may not be such a clear-cut
decision. Of course, it should be - but it isn't. Then again, it's not
my rainmaker that I have to can and it's not my business that would be
at risk. I guess the only certainty is that it will cost money to
handle the situation. You either pay now to replace the business that
the rainmaker takes with him/her or you pay later to settle the hostile
work environment and harassment suits.
I guess those are the kinds of choices that need to be made every day.
I'm just glad I don't have to make them anymore.
Have a great day.
Technorati: Information Security [2], CSO [3], Security Mike [4], Internet Security [5]
Top Security News
the Big Yellow announcing a managed service
to focus on analyzing targeted malware [10]. There are other folks
(like Cyveillance) that can scour the Internet for phishing and other
brand attacks. But is this a niche or a market? At this point, it still
feels like a niche. Sure, if I'm a huge customer with a seriously
valuable brand name, I'd sure like to know when some scumbag is trying
to capitalize on it. So I'll pay some money. But what about the broader
market? Personally, I use Google alerts to track when folks use my name
(or research) in vain. And the price is right. So it's an interesting
concept, but I'm not sure it's a market. Yet, as long as there are 800
security vendors, there will be a business in selling them information.
A case in point is Bit9, where it's not clear if their business is
selling endpoint control solutions, or whether they sell access to their application
executable database to folks like Kaspersky [11]. In terms of what
will be most lucrative over time, just think CommTouch is in the
business of selling anti-spam signatures. Right, not too lucrative.
"Another Information Security Products Guide
Hot Company bought by Cisco." [12] Like these guys are actually
looking for "hot companies." Actually, in order to qualify, you don't
need anything but a checkbook and an envelope to send the check to
them. If it was so easy to buy an award and then get bought, everyone
would be doing it. Oh that's right, it seems everyone IS doing it.
Maybe one of these days some self respecting marketing person will
finally realize that it's about your product and your market, NOT the
pay for play awards that get you bought by Big Security. While I'm
putting together my wish list, maybe these same folks would realize
that customers don't care about these "awards" either.
The Laundry List
- One quarter at a time. Sourcefire starts the long road to rebuilding credibility by actually beating the beaten down numbers and guiding in line. How about that? - Sourcefire earnings release [13]
- More competition for Websense. IronPort updates their web filtering box. It'll be interesting to see how Cisco's channel will take to this mature product category. - IronPort release [14]
Top Blog Postings
http://www.mckeay.net/secure/2007/11/blame_tjx_and_the_assessors_no.html [15]
http://www.nevis-blog.com/2007/11/why-blacklistin.html [16]
http://securosis.com/2007/11/06/understanding-and-selecting-a-database-activity-monitoring-solution-part-2-technical-architecture/ [17]
http://securitymike.blogspot.com [18]
Check out the latest on the Security Incite blog: http://blog.securityincite.com/ [19]
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite [19]