March 3, 2008 - Volume 3, #21
Good Morning:
It takes some serious stones to bet the ranch. A friend from college
was in town this weekend, with his 3 kids, and we were chatting a bit
about the NBA. I'm not a big basketball fan, but I can appreciate how
some of the Western conference teams have pretty much bet the ranch to
get more competitive this year. The Lakers, Suns and Mavs made huge
trades and basically leveraged their future to win today. The Cavs did
the same thing in the Eastern Conference, after the Celtics started the
ball rolling in the off season. Pro sports are all about winning NOW,
and the free agent markets are all about bringing in the talent,
whatever the price.
These teams have bet everything on a bunch of stars in their mid-30s, most
already in the twilight years of their careers. Can Shaq do it again?
Does JKidd have enough left in the tank to take the Mavs deep into the
playoffs? That's what makes the game exciting, and I know these
moves will likely have a positive effect on ratings and excitement as
the season winds down and the playoffs begin.
Which is what it's all about. We can (and should) learn a lesson here
relative to risk and reward. A lot of the decisions we make relative to
security are not about changing the game, or leveraging our future -
it's about doing things as cheaply as possible to provide the bare
minimum amount of risk management to keep your organization off the
front page of the newspaper, right? Security folks don't really get the
opportunity to bet the ranch, and I posit that's a good thing.
With very rare exceptions, security folks operate on a shoestring
budget, without even the bare minimum of resources required to get
things done. None of our senior teams are "betting the ranch" on a new
security system that will change the way you do business, dramatically
increasing value.
That means we have to operate differently, a bit under the radar and
heavily utilize grassroots efforts in evangelizing why security is
important and how it helps to achieve the "reasons to secure." The RTS
are laid out in all their glory in the Introduction to the
Pragmatic CSO [2], which you can get by registering on the web
site.
I've been giving a lot of thought to the idea of how to make security
relevant in the board room. And compliance is not the way. You can get
attention through compliance, but not relevance. I think the P-CSO
philosophy is a great start, but it's not enough. Do you smell
something burning? Yep, it's the sweet scent of the rusty gears turning
in my head. I just may have an idea or two to get things moving in this
area.
Have a great day.
PS: I finished up all of the Days of Incite last week (YAY!). You can
check out all the posts using the "Days of Incite [3]" tag on the Security Incite site (say that 10 times
fast).
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [9]
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [10]
Top Security News
Moody's is trying to do exactly that. [12]
Evidently they've got a couple of big financials to start leaning on
some companies to get involved. I think this is going to go over like a
lead balloon. First of all, given the CDO and sub-prime mortgage
fiasco, Moody's ratings have been outed as a sham and investors' funds
have gone down the toilet with them. But more importantly, what
about accountability? Will Moody's assume some of the liability of
rating a company a 1 vs. a 4? If the 1 (which is the best rating)
turns out to be TJX, can you go after Moody's right after you send the
disclosure letters to your customers? Again, I think not, and that's
the issue. I guess I don't get why this is any different than something
like PCI, with the exception that this is about enriching Moody's and
not really reducing anyone's risk.
Link to this [13]
NetworkWorld has the details [14].
This is a pretty strange choice, if I do say so myself. Why not buy the
company? There are quite a few options, and SYMC will plunk down some
big bills if they think there is a market there (Brightmail, Vontu,
anyone?). If anything, they are driving their own price up when they
ultimately have to acquire and control the technology. In the meantime,
they aren't integrating the technology into their EndPoint management
console, so it's just a purchasing arrangement. There is no benefit to
getting this from Symantec, besides maybe getting another round of
golf, courtesy of your favorite SYMC rep. I can understand taking this
OEM approach with the anti-bot program (which is
Sana's technology), since that is an unproven market and it makes sense
there to hedge their bets. But full disk encryption? I guess they
missed my Incite on the topic [15].
If I was Sophos or Trend or even Microsoft, I'd acquire GuardianEdge in
about 3 months, right after the SYMC field understands how to sell it -
if only just to kick the Big Yellow in the McNuggets.
Link to this [16]
Rob Newby's blog [17], his employer Ingrian Networks has been acquired by SafeNet [18].
Rob thinks it's a "VERY smart move," but what is he supposed to say,
especially when there is uncertainty about his job? "Oh, I hate this
deal. Crap, I need to look for another job." As entertaining as that
would be, it would also be stupid on Rob's part to do anything but be
complimentary of the deal. Though I tend to agree with him. On the
surface this seems like a good deal. SafeNet has a lot of customers
(especially in the US Fed market) and they do encryption. The Ingrian
platform is complementary to SafeNet's existing products and Ingrian
gets the deep pockets that come with a multi-billion dollar hedge fund
calling the shots. Ingrian's investors probably get out with their
scalps attached as well, which is always a good thing.
Link to this [19]
The Laundry List
- ArcSight hits their numbers in their first quarter as a public company. No pre-announce means they hit the number. Evidently they got the memo that Sourcefire missed, twice. Never miss your first quarter as a public company. - ArcSight earnings announcement [20]
- Passlogix figures strong authentication goes with SSO like chocolate and peanut butter. Though that could cause a nasty food allergy for those health care companies they are targeting. - Passlogix release [21]
- SNMP is not secure, now it's vulnerable to a persistent XSS attack. No kidding. If your externally facing devices allow SNMP, raise your hand - and get pwned. - Dark Reading coverage [22]
- McAfee jumps into the VirtSec game, buddying up to VMware and also offering some consulting stuff to help customers understand best practices to combat attacks that haven't happened yet. - McAfee VMware partnership [23] McAfee VirtSec Consulting services [24]
Top Blog Postings
http://securosis.com/2008/02/19/interview-with-mike-rothman-part-1/ [25]
http://securosis.com/2008/02/20/interview-with-mike-rothman-part-2/ [26]
Link to this [27]
James Governor's blog [28]. His colleague O'Grady weighs in as well [29].
Personally, I hate analyst events, and rarely go. Why? Because
listening to canned speeches and mingling with my "competitors" is a
waste of time. I pride myself on adding value. I'm certainly not going
to be smart and give any good ideas to most of the other jokers in the
room.
If I do get one on one time with any of the senior folks, they are not
really paying attention, they've got too many whores to entertain. I
also love the really big vendors that do me a favor by offering
me free admission to their big customer conferences every year. They
don't even cover expenses to get to the event. Now that is the height
of arrogance. But I digress. Basically, the best approach to having an
analyst event is to not have one. Pick 5 of the analysts that provide
the most value and do a strategy day with them. It's a lot more
effective on both sides. And don't take it personally if I don't show
up to your analyst shindig. There's nothing in it for me.
http://www.redmonk.com/jgovernor/2008/02/14/7-tips-to-run-a-great-analyst-event-dos-and-donts/ [30]
Link to this [31]
Top 5 ways to piss Mike off [32]" back from 2006.
http://www.web-strategist.com/blog/2008/02/01/what-a-great-analyst-briefing-looks-like/ [33]
Link to this [34]