January 31, 2008 - Volume 3, #10
Good Morning:
If I've said it once, I've said it a hundred thousand times. The first
key to success is understanding how to manage expectations. Like with
the Super Bowl, I don't expect much. After watching the pomp and
circumstance this week, I'm just happy the G-men are there. If it's a
competitive game, all the better. If they win, my head may explode.
I'm working hard to temper my own expectations.
Why are expectations so important? Basically your impression of any
experience can be either horrible or great depending on what you
expected. Let me paint two cases in point. First, I've been doing a lot
of road work lately, which means a lot of airports, hotels and the
like. I expect the situation to be mostly miserable because I've been
doing this for a long time, and the attraction of life on the road
faded many years ago.
This week, I found myself in an airport with about an hour before my
flight. I figured I would grab a decent meal and chill for a bit. So I
hit one of the ever-present airport TGI Friday's and took a load off.
I'm maintaining a mostly vegetarian lifestyle now (I eat meat once per
week), so it can be a hassle to find things to eat in an airport. I saw
a Portobello sandwich and jumped at it.
The waiter took the order and then came back about 2 minutes later with
the news that they were out of Portobellos, so that sandwich was a
non-starter. I shrugged and asked what else a vege could eat. There
wasn't anything formally on the menu, so he suggested a quesadilla
with roasted vegetables and no cheese (I've cut out dairy as well). I
asked if they had some guacamole to lube the sandwich a bit, and he
said none was made, but he'd talk to the chef.
My meal comes out maybe 10 minutes later, and it looks great. It tasted
great too. The waiter asked me about the guac, which was pretty tasty
too. Evidently the chef wouldn't make it, so the waiter
made it himself. Now that is service. And that is also totally
unexpected. I'm at an airport Friday's, not the Four Seasons. You see?
A fantastic experience because the waiter took a little
initiative and pleasantly surprised me.
The other case in point is also pretty unexpected because it comes from
Microsoft. I (like most other Mac-heads) jumped on the Black Friday
$100 rebate offer to buy Office 2004 that included a free upgrade to
the new Mac Office 2008. I filled out the paperwork and was prepared to
wait 6-8 weeks after product launch to get my new package.
So I was pretty surprised when I got home and waiting for me was the
shipment from Microsoft. Less than two weeks after the product was
released, I got my stuff. That beat expectations by a full month. I
haven't even used the software yet, but I'm happy with it because I got
it early.
It's not that hard. If you are candid with customers and meet
expectations (or even exceed them), you will be perceived as a star. On
the other hand, if you promise Jupiter, but only get to Mars, you are a
schmuck. Keep that in mind as you meet with senior management. Don't
commit what you can't deliver. That doesn't mean you don't expect more
from yourself and push yourself to do better than you've committed to.
But be careful what you commit to. You may not get another chance to
reset expectations.
Have a great weekend and GO GIANTS!!!!
Confucius says... picture originally uploaded by randeclip [2]
Top Security News
my monthly eBizQ feature and podcast [11] on the topic yet?). Like
this article on Byte and Switch (Dark Reading's sister that focuses on
storage) which talks about why application security is important [12].
Of course, you have Ted Schlein from Kleiner flogging the topic (he was
the early money into Fortify). But most interesting is the comment
DTCC's James Routh makes about putting packaged software vendors
through the wringer: "For packaged software, we demand that the vendor
provide us documentation of static code analysis, dynamic code
analysis, and manual code analysis." As more and more customers start
making these demands, free market economics indicate that the vendors
will have to respond. That's a great thing for all of us. If you are
looking for more background and reading on application security, check
out Dark Reading's columns from folks like Gary McGraw of Cigital (4
ways to get started [13]) and RSnake (how to hire a web app security
pro [14]). Applications and data are the future of security - are you
ready to rumble?
convince the open source community that
Trend Micro's patent on gateway AV is a threat to the entire open
source community [16]. Actually, it's really just a threat to
Barracuda's margins. This patent has been prosecuted and enforced.
Trend won a case against Fortinet (which uses a proprietary AV engine)
and they had to stop selling boxes until they cleaned up their code.
The patent doesn't talk about any kind of specific AV engine, so this
crap about being a threat to the open source community is just
marketing hype. There are more specifics about Trend's intentions in
this post [17].
Say what you will about the patent system, and whether something like
gateway AV can or should be under patent protection, but until the
entire system changes - you need to pay the man. The Trend man in this
case. It's a cost of being in that market, just like with Tumbleweed's
patent on the email firewall. You hate writing the check, but you do it
because spending a lot of money to fight it in court is a waste of
time and you are going to lose. Barracuda wants to make this about open
source and the open source fanboys are up in arms. But make no mistake,
this is about profit and once again Barracuda is playing the open
source community like a fiddle to build their business.
mid-market CIOs don't want more budget,
they want educated users [19]. Wow! If it's true, that's a huge
sea change in the entire model that drives the security market. Of
course, they probably want to wave a magic wand and all their users
would be enlightened. The reality is security awareness is a long,
tough slog through the swamp. But as with any other type of educational
endeavor, you need to be consistent and persistent. You need to live
the process and lead by example. But it does point out the huge
opportunity that security awareness training presents, especially as more
and more folks understand that another box with flashing lights isn't
going to solve the problem.
The Laundry List
- Wherefore art thou SDLC? Check out my latest eBizQ podcast with Security Innovation's Michael Gavin. We talk shop, mostly about why an SDLC is important and what not to do. - The Mike Rothman Security Report [21]
- Guidance should be hearing footsteps. The investigations software market will get more crowded, starting with Mandiant's new offering. - Mandiant release [22]
- Entrust grows and is profitable in Q4. Looks like Santa Claus didn't deliver coal to anyone this past holiday season. - Entrust earnings release [23]
- Websense also announces a good Q4, with less negative revenue synergies with SurfControl and better expense control. Street expectations will start ramping up just in time for the slowdown. Funny how that happens. - Websense earnings release [24]
Top Blog Postings
http://techbuddha.wordpress.com/2008/01/23/the-high-cost-of-securing-it/ [25]
http://nexus.realtimepublishers.com/previews/SGITIL-preview.htm [27]
http://securityrecruiter.blogspot.com/2008/01/career-advisor-top-five-reasons-cso.html [29]
http://sm-blog.securitymike.com [31]
Check out the latest on the Security Incite blog
http://blog.securityincite.com/ [32]
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite [33]