Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - February 28, 2008

By Mike Rothman
Created 2008-02-28 09:39
Today's Daily Incite

February 28, 2008 - Volume 3, #20

Good Morning:
I've gotten soft. I've lost the competitive edge. It's hard to admit, but it's true. I just don't have the stomach anymore for a knock-down, drag-out fight. I'm fed up with finding the negatives of an opponent and fed up with the zero-sum game. For most of my life, it was all about I win, you lose. Or vice-versa. Now I'm tired of that.

The thing that set me off is the increasingly vitriolic run for the Democratic Presidential nomination. It's crunch time and as I should have expected, the campaign is getting pretty negative. When a candidate is backed into a corner, they tend to act pretty desperately and with a short term perspective. I find it disheartening and annoying, but I get it. A run for the White House is a zero-sum game. Either you win or you don't. So inevitably the discussion will turn negative because it's too hard to focus on the good, when the bad is so inflammatory and gives the 24/7 news circuit something to talk about. But it's annoying nonetheless.

I think Lenny Kravitz is right: "It Is Time For A Love Revolution. [1]"

The same thing applies to a lot of the security markets. Selling products to customers is a zero-sum game also. You make the sale and put food on your table or your competitor does and puts food on their own table. Are you drinking their milkshake? [3] Or are they drinking yours?

When you view it as survival, then people will go to strange (and disheartening) ends to win. I used to see it every day. I used to do it. If you've ever bought something for more than $100K, you know what I mean. At some point in the sales cycle, the gloves come off. It became less about what my product can do, and all about what their product couldn't. And what the customer needs was usually not part of the discussion. I win, you lose. That was the mentality. I know it's a fact of life and how things work, but it's annoying nonetheless.

That's why I'll never take a marketing job again. I would rather take a job as an athletic cup tester. You know, the guy that puts on an athletic cup and gets kicked in the nuts 1000 times a day to stress test the product. I don't know if that's even a job, but if it was I would take it.

I just can't envision myself doing what it takes to win in a highly competitive market. I'm not sure I ever was able to do what it takes. I fooled myself and played the game, but it was very unfulfilling. Of course, it took almost 3 years of being out of it to have that epiphany.

Thus, I've made the distinct and very personal choice to focus my efforts on the positive. If what I do isn't a win-win for everyone, then it's not too interesting for me. I don't want to achieve "success" by bringing someone down. And I'm incredibly fortunate to have found a way to do exactly that. Have a great weekend.

PS: This week we'll finish up the Days of Incite. I posted #7 yesterday and #8 is cued up for later this morning.

  1. Express Your Inner Bean Counter [4]
  2. It's time for an audit revolution [5]
  3. Best of Breed DOA [6]
  4. Weaving security into the network fabric [7]
  5. Night of the Internet Dead [8]
  6. Laptop encryption hits the big leagues [9]
  7. The SDLC is your friend [10]
  8. Protect the Vault (that's where the money is) [11]
  9. Get the Jumper Cables for DLP [12]

Photo credit: marcn [13]


Top Security News

VMsafe technology [22], they are opening up the hypervisor to 3rd parties to integrate value-added security functions - but with rules anyway. And as Pete points out, no one is bitching about it [23]. Certainly not like Big AV running to the EU when Microsoft locked down access to the Vista kernel. Anyhow, VMware is playing the game like a maestro right now. Open up the interfaces, but on their terms. Throw some scraps to the dogs to keep them fed, for a little while anyway. And eventually control the entire secure virtualized platform themselves. Oh yeah, that wasn't in the announcement - but make no mistake, it's coming, and the rest of the security business won't realize it until it's a done deal.

Andrew Conry-Murray at InformationWeek about the "circle of blame" that is PCI [25]. In all the chaos in trying to get "compliant" (whatever that means), we have lost the real reason for PCI. That is all about risk mitigation for the banks and to eliminate US Federal oversight of the retailers. If they could figure out some way to blame the retailers for online theft, then they could restrict their losses and increase profits, right? That was the plan anyway. Of course, it's all under the mantra of doing the right thing for customers, but let's be very clear that if there wasn't a huge economic impact - there would be no PCI DSS. And the banks don't care too much about who ends up paying for the fraud (whether it impacts retailer profits or ultimate end pricing), as long as it's not them. Got to love free enterprise, no? The article also goes into the subjectivity of PCI compliance and how some of the retailers are able to game the system. This shouldn't be surprising, given that people have been gaming the "system" since the beginning of time. Ultimately companies need to decide whether they are going to protect data or not. If they are, then they need to think about security - not because a PCI mandate has forced their hand. Security FIRST, it still stands.

Sourcefire announced its Q4 and Full Year Results yesterday [27] and they were mixed. Revenue was at expectations, but earnings were below estimates due to heavier investments. The Street hated the numbers. Stock was trading 8-10% lower in the after-hours market last night. More interestingly, CEO Wayne Jackson is stepping aside and President Tom McDonough was not mentioned as a candidate to succeed Jackson. That doesn't mean Tom isn't a candidate, but they are going to look outside as well. I guess after missing the first 2 quarters since being public and just eking out greatly reduced expectations since then, you have to wonder whether Wayne was tossed out of the car at a high rate of speed. Of course, we'll never know the back channel discussions that go along with CEO changes, but ultimately we need to reassess the entire IPS market and figure out if there is any there there. Rumors abound of another dedicated IPS company getting out of the hardware business and with TippingPoint being spun out at some point from 3Com, you have to wonder whether any of these dogs will hunt over the mid-term. The answer is a resounding no. Mr. Market is speaking and stand-alone is not on the menu. They all seem to want combination platters, which is yet another sign of the maturity of the network security business.

The Laundry List

  1. ProofPoint raises another $28 million. Total money in is $86 big. The inevitable acquisition will need to be at a big number to make the mezzanine guys happy. - ProofPoint release [29]
  2. NetQoS dusts off the old "anomaly detection" term, but revisiting history doesn't help customers understand what to do with it. Although these folks are focused on application response time, which is an interesting take on react faster. - NetQoS release [30]
  3. Whatever happened to IM security? Nothing, that's what happened. St. Bernard bundles it into its content security appliance. If a tree falls in the woods, does anyone hear it? - NetworkWorld coverage [31]

Top Blog Postings

Marty McFly's DeLorean [32] after taking a meeting with Skynet [33]. That's what I think of when the term self-aware devices is mentioned. Maybe there will be a punchline in the 3rd post that will bring all this stuff together in a way that makes sense.
http://techbuddha.wordpress.com/2008/02/17/evolving-information-security-part-2-developing-collective-intelligence/ [34]

http://www.internetevolution.com/author.asp?section_id=556&doc_id=146514 [36]

http://blog.ivanristic.com/2008/02/extended-valida.html [38]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-february-28-2008