April 24, 2008 - Volume 3, #40
Good Morning:
If I had a couple of bucks for every CTO that has tried to school me in
marketing, I wouldn't have to be peddling Pragmatic CSO books at every
opportunity. If I had one for every CEO who thought they could do the
job better than me, I'd be spending a lot more time at the
beach. But such is the frustration of marketing. Everyone thinks they
can do it, until they have to, and then they realize stress testing
athletic cups is a more rewarding position.
At least Misha of AlertLogic was funny in his attempt to tell me why I was
wrong to call out his company for their blatantly misleading "PCI is
easy" marketing campaign. [1] He figures there are some days I
fill your inbox with baloney. I love baloney. Actually I like salami
better, but I don't eat meat much anymore, so maybe sending around
some baloney is my way of making peace with the meat gods, whom
I now shun.
His tactics are pretty predictable. Make light of your critic and try
to undermine their credibility. Compare the work to some well
known gossip rags. Right out of the Campaign '08 playbook. Maybe Misha
fancies himself a role in the political arena after he's done with this
nasty security work.
If you read the comments on Misha's post, he's got it right about me
and my ability to take a counter-punch. I'm a big boy and I don't share
a controversial opinion without expecting some return fire back. That's
all good. In fact, I know quite a bit about their offering, and exactly
how it can help with compliance and how it can't. This isn't about
their service. It's about their marketing. It's when you read the other
comments (especially from my friend Farnum) that you see that Misha has
missed the point entirely.
It's not just a webcast title. Or an email marketing subject line. It's a philosophy.
Most folks think that if no one outright complains about something,
it's OK. They seem to forget that most folks vote with the delete
button. The vendor just loses attention and awareness and ultimately
that impacts a company's credibility. Farnum is exactly right: that
kind of sensationalist marketing is abrasive and annoying to folks that
are in the trenches trying to do the right thing every day. Most
technical folks don't understand how marketing impacts the perception
of their organization. They think it's about the product (or service).
They don't get that until you do marketing right, you don't get a
chance to even show your product.
No CSO is going to take the time to send any offender (and of course,
there are more folks guilty of "easy compliance" than AL) a note
telling them they have stepped over the line. They just shop somewhere
else. I guarantee AlertLogic loses every deal they don't see.
And that's the point. A long-term sustainable business is based on
building credibility with buyers and then meeting their expectations
every day. You can target the mid-market with National Enquirer-esque
headlines and that will work for a while. But if you can't deliver,
then Mr. Market will catch on. He always does. You can run, but you
can't hide. Unless they figure out a way to sell out to some big dumb
security company and get out of Dodge before Mr. Market figures it out.
To be clear, I'm saying that AlertLogic cannot make PCI compliance
easy, simple or affordable. No
vendor can because security is neither easy, simple nor affordable.
It has nothing to do with their service. It has to do with how hard it
is to protect information. If Misha had a way to make security easy, I
guarantee his company would own the security business - and
unfortunately (at this point in time anyway) they don't.
Security marketers have a choice. They can try to focus on customer
problems or they can go with sensationalist headlines. I've done both
through my career. I've found that taking the "easy" route is always
harder. Always.
Have a great weekend. And buy my book (I thought I'd just throw some
more baloney in there for good measure).
Photo: "Spotted at Berkeley Bowl: I didn't know that you can buy sour grapes" originally uploaded by Raymond Yee [2]
[7] The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [8]
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [9] [10]
Top Security News
This NetworkWorld newsletter on networking
stuff [11] has some stats to back up the adoption rate of these
frameworks. But for security? I guess it's the same issue I have with
27001/2 and COBIT. If folks think this is a silver bullet and it's
going to give them a cookbook on how to do their job, then they are on
some kind of funky peyote. But if they understand the framework is a
starting point to figure out where they need to focus and to break the
project up into digestible chunks, then I'm OK with it. I just fear we
have a lot more of the former than the latter.
Brian Krebs digs a bit deeper into the Hannaford Bros. breach [13].
Evidently they were PCI compliant and had some sophisticated defenses
in place. Unfortunately they weren't the right ones. So now these folks
will spend millions more to close probably every possible hole. Oh
yeah, that's not possible. So they'll close a lot of holes, they'll
spend a lot of money and they'll probably be OK. Note I said probably
because they can't get to everything. Krebs focuses a lot on how to
attack data in transit and that is clearly a new and
exploitable attack vector. So the arms race goes on. The early adopters
will start making some investments to more effectively segment
networks where payment data resides (to protect it from insiders or
compromised inside devices). The standards folks will work that into
PCI 3.0, and most of the world will get there in 5-7 years - maybe. And
between now and then there will be a lot more Hannafords.
separate
boxes [15] and it seems as a suite [16]. Yes, sports fans, it's 75% of
a UTM solution, running on a blade server. Maybe those Crossbeam folks were
on to something. But MFE doesn't have a firewall or a VPN or
authentication to put on the blades. But they do have a checkbook, so
this is a problem that can be solved with money.
The Laundry List
- Hershey + Rack = Passwords. Like you are surprised? Yes, we still have a lot of security awareness training to do. - WSJ coverage [18]
- News Flash: We have an email security problem. Yes, it's April 2008, not 2005. Someone should tell the author of this piece he's about 3 years late. - eWeek article [19]
- Laptop theft preventable? Sure, just weld the device to your CEO's hands. - SearchCIO-midmarket tip [20]
- McNulty out at Secure Computing without a reason, besides maybe the blown Q1. Ryan is interim, and a CEO search is beginning. - Secure Computing release [21]
Top Blog Postings
http://www.bloginfosec.com/2008/04/11/cio-the-next-career-step-after-being-the-ciso-why-not/
http://taosecurity.blogspot.com/2008/03/ten-themes-from-recent-conferences.html [24]