Incites/Observations

Heartland CEO must take responsibility

Submitted by Mike Rothman on Thu, 2009-08-13 10:12.

Upon reading Bill Brenner from CSO's interview with Heartland Payment Systems CEO, Bob Carr, I kind of got a bit unglued. I wasn't the only one, as Rich Mogull provided a much more respectful and well-reasoned response than I could to voice similar disdain for the idea of blaming a data breach on the QSA. And our buddies Michael Farnum and Martin McKeay were happy to summarize and add their own spin.

So Bill was kind enough to allow me to vent a bit on CSO. You can read it in all its glory: http://www.csoonline.com/article/499565/One_Man_s_View_Heartland_CEO_Must_Accept_Responsibility

Here are a few of the money quotes:

"I say that's a load of crap. It's about time organizations suffering from a data breach owned up to the fact that they made a mistake. You see, the fine folks at Johnson and Johnson didn't throw the pharmacy under the bus when Tylenol got poisoned in 1982, did they? NO! They accepted responsibility (even though it wasn't their fault) and re-established trust with their customers."

"That, my friends, is the responsibility of the internal security team. That's what they do, and that's what they get paid for. And in Heartland's case, that's what they clearly failed to execute."

"But you have to hand it to Mr. Carr. He is proving to be a master at misdirection."

Basically, I'm not in the excuses business and neither should you. Organizations need to man up and accept responsibility when something happens on their watch and it needs to start at the top, with the CEO. So Bob Carr, you should be wearing a FAIL WHALE hat right now, wherever you are.


Later than Hay: Incite's RSA 2009 Wrap-Up

Submitted by Mike Rothman on Wed, 2009-05-06 11:08.

Andrew Hay thought he'd be the last to post a wrap-up of RSA. How wrong you are, my friend. There is no boundary to the lameness originating at Incite HQ nowadays. But enough of the self-inflicted beatdowns. Personally, RSA was great this year. It's always great to see so many old friends, make some new ones and basically plug back into the security collective after spending lots of time in the wilderness over the past 6 months.

But that isn't really the right point to make. What were my general impressions of the big show this year? It gets back to the point that perception is reality. Always has been, always will be.

It's been entertaining to see what the pundits have been saying about this year's RSA. Ahead of the show I made a statement about the show being indicative of the strength of the industry (link). Well, I don't have much more clarity 3 weeks later, which is pretty indicative of the state of the industry. A few guys like Oltsik were largely pretty negative. Ogren and Stiennon were positive. And Pescatore (Post 1, Post 2) was right in the middle.

Me? I'm not as dour as Oltsik, but less optimistic than Pescatore. And Stiennon enjoyed too much of that vendor happy juice. Way too much. He's as excited as a 15-year-old girl at a Jonas Brothers concert, which is horrifying.

Here were a few things of note that I noticed:

  • Since when is authentication cool? There were a lot of new vendors showing multi-factor authentication. I kind of figured I stepped into a time machine.
  • Less attendance is not a good thing. I saw a bunch of folks rationalizing the crappy attendance by saying there were fewer t-shirt hunters and more "buyers". Meh. We had our share of decent conversations, and our booth was packed for most of the show. But it's not like past years, and no amount of happy juice can get you there.
  • Compliance is just there. In past years, we saw everyone talking up their compliance capabilities. I didn't get the impression that was a key theme this year. It probably has to do with the fact that EVERYONE says it, so it's as good as no one saying it.
  • The death of the TLA. That's right, the three-letter acronym seems to be dead. Very little about DLP and NAC. Not much on GRC either (since no one knows what the hell it means, it's a good thing). PKI? Nowhere to be found. Thankfully SIEM is a four-letter acronym, eh?
  • New UTM vendors. WHAT? I saw a few new companies hawking UTM like devices. Wow. Good luck with that.
  • Everything as a service. Yes, much of the conversation was around SaaS and the nebulous cloud. I have a lot to say about that, but it'll wait until later this week.

But most of all, I heard data points on both sides of the industry health discussion. If you wanted to hear happy thoughts, someone would tell you a happy thought. If you wanted to hear about the end of civilization, more than a few Chicken Littles were in the house.

The thing that I was most aware of was the underlying fear. Most of the folks I talked to thought things were getting better. But they weren't really sure. It was kind of like they were trying to convince themselves things were getting better. And if they clicked their heels together 3 times, they'd be taken back home. I've long said that optimism is good, but that doesn't mean it's justified or real.

Folks on the user side weren't sure if their projects were going to be funded, or if they'd even have a job when they got back. Not all of them, but a lot of them still were operating under a cloud of uncertainty. The vendors put on their happy faces and talked about how the 2nd half of the year looked strong. Of course, looking strong and being strong are totally different things, now aren't they?

Personally, I think the strong will be stronger and the ones that suck will suck more. Darwin is at work here. Some companies are announcing strong results and clearly taking share (see McAfee). Others, not so much (see SonicWall). The business environment is clearly accelerating the strengthening and weakening of many companies.

Even if we've hit the bottom from a macro standpoint (which a lot of folks are saying now), it makes me think we've still got some bumpiness ahead. For whatever that's worth.

Most Entertaining Acceptance Speech

Submitted by Mike Rothman on Fri, 2009-04-24 14:31.

I'm honored, flattered and totally undeserving of winning the "Most Entertaining" blog award at the Social Security Awards at RSA this year. Given I was late to the event (and Rich had to spoil the surprise by sending me a 911 text to get my behind to the Blogger meet-up), and Alan got a bit long in the tooth in giving out the awards, and my total shock at winning much of anything - I was a little at a loss for words. Which is the first time I can remember that happened.

And even if I was my usual loudmouth self, the looks from the folks at the party made it clear I was the only thing standing between them and another cocktail. That's a bad place to be, so I kept my comments intentionally short.

I didn't get a chance to say thanks to a lot of folks that made this possible. However undeserving I am, the people around me enable this. So let me send thanks to:

  1. The Boss - Yes, without the Boss to keep me honest and focused, none of this happens. She takes care of many things, so I can do what I do. And she supports me and loves me, even when I make that hard to do. I also know that she'll kick my ass if I don't thank her first. Every time someone gets up at an awards show and forgets to thank their spouse, she goes on a tirade. I won't make that mistake.
  2. The munchkins - Though I don't view what I do as very entertaining, my kids sure are. So thanks to Leah, Lindsay and Sam - who give me an infinite amount of material to write about. They also teach me something new every day. It's great to see things from their perspective, which keeps me young (even though I look old).
  3. My blogging peeps - Yes, the blogging community is integral to the success of all of us. There are too many to thank individually, so I'll just say thanks to everyone. We challenge each other, give each other a hard time, and make the end product much better. Incite is written by me, but it's clearly a joint production.
  4. The bad guys - Everything is relative. Without dark, there is no light. Without bad guys, we don't understand what is good. So we can't do what we do unless they are doing what they do - as objectionable as that is. So we can get mad at "the bad" or we can be thankful that they keep us employed, keep raising the bar and ultimately give us a lot to talk about.
  5. You - I've always said that I write for myself and I'm just lucky that other people find (entertainment) value in it. That was true at one time, but not anymore. Many people came to my panels or the booth specifically to tell me they enjoy the Incite. Many also said they wish I had time to write more. Wow. It's a humbling experience and I couldn't thank those folks enough.
You can probably see why I kept my comments at the Blogger meet-up short. I suspect someone would have bounced a cue ball off my head if I rambled on like this at the event.

I wasn't quite sure what this blogging thing was about 3 years ago, but I ended up making a whole bunch of very good friends, building a business, and progressing along the road to happiness. After a brief detour, I recognize that continuing to write is very important to me.

So that's what I'll do.

RSA 2009: Art says Kumbaya

Submitted by Mike Rothman on Tue, 2009-04-21 12:12.

After getting out of the first two keynote speeches here at RSA, I have a few quick observations. First, I'm glad no one is allowed to smoke in the keynote hall. RSA's Art Coviello and Symantec's Enrique Salem were so wooden reading off the teleprompters during their keynotes, even the slightest spark would have set them and the entire building ablaze. And neither of them announced anything of substance. Nothing really on new products, just some horse crap about the need to operationalize things and build an ecosystem.

It seems the theme of Big Security at this year's RSA show is Kumbaya.

That's the message from Art and Enrique today. To combat the threat of the bad guys and "win," the industry needs to collaborate and organize. Personally I think this is a veiled response to the success of McAfee's SIA program. Neither announced a formal partnering program, but it's just a matter of time. If you can't beat them, copy them. That's the way of Big Security.

Here's the thing about "collaboration." End users don't care about whether the vendors work together. They just want their problem to be solved. They are frustrated that they aren't any more secure today (and probably less secure) than they were 6 years ago. And with the economic collapse, customers don't have the ability anymore to throw money at the problem, deploy technologies that have limited success, and go through the motions to put another widget in place. That game is over.

So all this stuff about collaboration is noise. It's to distract everyone that Big Security isn't getting it done. They aren't solving the problem. Basically the answer is what I've been saying for a long time (yes, before I went out and got a day job). You aren't going to get ahead of the threat. You need to react faster and contain the damage when you get hit (and you will).

I'm not saying we need to give up. Or stop trying to do the right thing. I'm saying we need to be realistic. Implementing a policy management environment to encompass the entire technology stack, as Art suggests, isn't realistic. Sorry to burst Art's bubble, but customers don't have enough breadth or visibility to even dream about protecting the entire ball of wax.

It's good keynote fodder, but for the most part it's just more hot air.

PS: I posted a piece on the eIQ blog this AM about whether we should even bother to try to "win" the battle against the bad guys: http://blog.eiqnetworks.com/2009/04/21/can-we-win/

RSA 2009: The Acid Test

Submitted by Mike Rothman on Mon, 2009-04-20 08:59.

For the first time in a long time, I'm not sure what to expect from this year's RSA conference. The early anecdotes indicated it may be a pretty weak showing this year. Then lately I'm hearing north of 15,000 people will attend. Perhaps they are including everyone in a 5 block radius of the Moscone Center in SFO, but that's neither here nor there.

To me, the health of the security industry will be gauged this week. Of course, everyone puts on their happy faces and basically lies their respective asses off. "Sure, business is great." "Scaling is our big problem." Blah blah blah. In this kind of economy, every company has issues. The question is how big the issues are.

So why did I think the conference was going to be weak? Basically because every other event I've been to since the economic meltdown has been mediocre at best, a total cluster-F at worst. End users have largely been keeping their heads down, not taking time to mingle at conferences. Basically, we've been trying to survive. RSA is the biggest dog in the security conference field, but will folks still get on a plane to see the sights?

Then I got the speaker notifications. I'm doing four panels and a peer to peer session. Now, I've certainly got an inflated opinion of my speaking abilities. And I've done sessions at the last 5 or so conferences that have gotten decent reviews. But to get 4 panels? Definitely means the gene pool of presenters is a bit thin this year.

On the other hand, lots of companies have been announcing decent earnings. Some have thrown in the towel (like Entrust), but quite a few are holding their own. It'll be interesting to see the tone at the AGC (America's Growth Capital) conference on Monday to get a feel for the market.

I'll be at the conference all week, though as you can imagine, my schedule is pretty jam-packed with day job responsibilities, speaking gigs, and the like. If you can attend the sessions, my speaking gigs are:

  • Tuesday @ 1:30 PM: STAR-105: Is SaaS the Future of Enterprise Security? 
  • Tuesday @ 4:10 PM: BUS-107: Security Groundhog Day (this was the best panel last year - don't miss it)
  • Wednesday @ 9:10 AM: NET-202: Using SaaS to Solve the Network Management and Security Challenge
  • Wednesday @ 10:40 AM: P2P-203A: More Security with Less Money and Fewer Resources (peer to peer session)
  • Thursday @ 9:10 AM: BUS-302: Which Security Tools take Priority in a Challenging Economic Environment

So as you can see, I've got a full speaking plate. And my sessions indicate what are clearly the two major themes of this year's show: SaaS and navigating the turbulent economy. Both are kind of related, but as in years past when you heard about NAC or GRC or DLP, you'll hear about the conference theme until your ears bleed. This year, SaaS will be the most hated term by Thursday.

Hope to see you at the show, if you are here. Check out one of my sessions or swing by eIQ's booth (#2058) and pick up a "log data is not enough" t-shirt or hat. You'll also be able to see the 2nd half of the "Don't be like Dick" video.


Clicks and Mortar (Crime)

Submitted by Mike Rothman on Wed, 2009-02-18 08:49.
Today's Daily Incite

February 18, 2009 - Volume 4, #17

Good Morning:
Sometimes you read stuff and are both horrifyingly shocked and strangely impressed. The news of the ATM attack last November caused some shock waves early this month, when it was first announced. But in reading James Heary's analysis of the event, my blood ran cold. This, folks, is the future of crime. It's kind of a "clicks and mortar" approach to crime.

The ATM attackers were smarter than this...

Just to revisit the situation, it seems that a global group of criminals compromised the systems of RBS Worldpay and were able to issue 100 payroll cards. These are not credit cards (and thus not subject to the fraud analysis that most credit card transactions would get), but rather debit-like cards. So the attackers distributed these 100 "cards" to 49 cities around the world. Every time the money ran out on a card, they would go back into the system and refill it. In the span of 30 minutes they were able to get $9 million out of ATM machines. That's a pretty good take for 30 minutes of actual "work."

Why was this attack so successful? It seems the bad guys (assuming they are guys) did a couple of things very right.

  1. Know the system - The criminals knew that payroll cards have much less scrutiny than a credit card transaction, or so it seems. How else could $9 million be pulled from 100 cards in 30 minutes? They also knew that by compromising the issuer's systems, they could refill the cards when the money ran out.
  2. In and out, no one gets hurt - The magic here wasn't just that the criminals got it done, it's that they stopped after 30 minutes. Given the number of intertwined systems used for the fraud, it was a safe bet that no one would put the pieces together fast enough to stop the attack. But if they tried to do it over 2 or 3 hours, the chances they'd be discovered and law enforcement would be mobilized grew dramatically. These guys got out before they got caught - uncharacteristic behavior from criminals.
  3. Leverage - Obviously a small group of thieves couldn't pull $9 million out of ATM machines in an hour. So they built an organization (or leveraged an existing one) to magnify the impact of their efforts. The more hands in a scheme, the more likely someone will talk - but the reality is this attack happened so fast and with cards that could not be traced, the risk was greatly diminished. And you can assume the folks on the street had no idea what the scheme was, to restrict information to those that needed to know it.
  4. Coordination - Can you imagine the project plan that was needed to coordinate the logistics and pull this off? This is not a band of misfits ripping off the local 7-11 or Circle K. These folks are smart, structured, and brutally effective.
Finally there are a couple of lessons here for all of us paid to protect information.

  1. Do not underestimate our adversaries. This is the first and most important lesson. The folks trying to steal our stuff are good and they are getting better. If they see soft spots, they will take advantage of them.
  2. Question every business process. Clearly these payroll cards are a great convenience to the companies that use them. But every new process has its risks and its downsides. We need to make sure we ask lots of questions about fraud vectors PRIOR to the system being rolled out. Yes, I know that is somewhat Utopian (and more than a bit naive), but it's important. It all gets down to credibility (read the P-CSO if you need to learn more about that). It's a little late to be asking about the security of the transaction system after the bad guys have made off with $9 big ones.
  3. If it smells bad, it probably is. One of the hallmarks of my approach to security is to react faster. Now that applies to everything, not just security and system activity. I find it hard to believe that a $9 million disbursement from ATM machines in a 30 minute period was "normal." We need to look for the anomalies and there is a likelihood that the ATM usage was not normal and could have been flagged.
  4. Sometimes the bad guys win. Yep, the reality is in this case, there may not have been anything RBS could have done to stop the attack as it was happening. This is not the movies and the good guys don't always win. You can only hope that measures are being taken to make sure this same attack doesn't happen again.
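Lesson 3 above says the anomaly was there to be flagged: a $9 million disbursement in 30 minutes is not "normal" ATM usage, and a card that is drained and refilled every few minutes is not a normal payroll card. The following is an added example, not code from the post or from RBS Worldpay, of the kind of velocity check a processor's fraud team could run over a withdrawal feed. The log lines, card ids, cities and thresholds (3 withdrawals, $1,500 per card per 30 minutes, one city per window, a program-wide baseline of $500 per window) are all constructed for illustration; real thresholds would come from the issuer's own traffic history.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ATM withdrawal feed (illustrative only, not real data).
# Fields: UTC timestamp, card id, city, amount in dollars.
# CARD-A is drained-and-refilled repeatedly in one city; CARD-C shows up in two
# cities 8 minutes apart; CARD-B is a normal cardholder.
SAMPLE_LOG = """\
2008-11-08T00:01:00 CARD-A Atlanta 500
2008-11-08T00:04:00 CARD-A Atlanta 500
2008-11-08T00:07:00 CARD-A Atlanta 500
2008-11-08T00:11:00 CARD-A Atlanta 500
2008-11-08T00:15:00 CARD-A Atlanta 500
2008-11-08T00:18:00 CARD-A Atlanta 500
2008-11-08T00:02:00 CARD-B Chicago 200
2008-11-08T00:05:00 CARD-C Moscow 300
2008-11-08T00:13:00 CARD-C Hong_Kong 300
2008-11-08T09:30:00 CARD-B Chicago 100
"""


def parse_log(text):
    """Parse the whitespace-separated feed into dicts, sorted by time."""
    records = []
    for line in text.strip().splitlines():
        ts, card, city, amount = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "card": card,
                        "city": city, "amount": float(amount)})
    records.sort(key=lambda r: r["ts"])
    return records


def card_alerts(records, window=timedelta(minutes=30), max_count=3, max_amount=1500.0):
    """Per-card sliding window. Flags a card when, inside any window, it has
    more than max_count withdrawals ("velocity"), pays out more than
    max_amount ("amount"), or is used in more than one city ("multi_city",
    physically implausible for a single plastic card in 30 minutes).
    Returns {card: sorted list of reasons} for flagged cards only."""
    by_card = defaultdict(list)
    for r in records:
        by_card[r["card"]].append(r)          # records are already time-sorted
    alerts = {}
    for card, recs in by_card.items():
        reasons = set()
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1                    # slide the window forward
            win = recs[start:end + 1]
            if len(win) > max_count:
                reasons.add("velocity")
            if sum(r["amount"] for r in win) > max_amount:
                reasons.add("amount")
            if len({r["city"] for r in win}) > 1:
                reasons.add("multi_city")
        if reasons:
            alerts[card] = sorted(reasons)
    return alerts


def peak_disbursement(records, window=timedelta(minutes=30)):
    """Largest total paid out by the whole card program in any single window.
    This is the aggregate view: even if every card looked individually
    plausible, the program-wide cash-out rate would not."""
    peak, start = 0.0, 0
    for end in range(len(records)):
        while records[end]["ts"] - records[start]["ts"] > window:
            start += 1
        peak = max(peak, sum(r["amount"] for r in records[start:end + 1]))
    return peak


def program_alert(records, baseline_per_window, factor=3.0, window=timedelta(minutes=30)):
    """True when the peak window exceeds the historical baseline by `factor`."""
    return peak_disbursement(records, window) > baseline_per_window * factor


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-card alerts:", card_alerts(recs))
    print("peak 30-minute disbursement: $%.2f" % peak_disbursement(recs))
    print("program-wide alert:", program_alert(recs, baseline_per_window=500.0))
```

Two things worth noting about the design. The per-card check catches the refill pattern (the same card paying out again and again) and the impossible-travel pattern, but an attacker with enough cards can keep each one under any per-card limit; the program-wide peak is the check that does not care how the cash-out is spread across cards, which is why both views are needed. Neither stops the first withdrawal, which matches the author's point that reacting faster and containing the damage is the realistic goal.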
And that brings up my final point, which is about discussion and disclosure. Word is traveling around the grapevine that another credit card processor has been compromised (like Heartland). You have to wonder if Heartland came clean right away and discussed exactly how the attack happened and why it was successful, whether other processors could have taken preventative measures to ensure the same attack vector wouldn't work twice.

Of course, this line of thinking is even more naive than anything else. First of all, there is no way a processor (or anyone else for that matter) can come clean. The Tort vultures will sue them into oblivion if they accept blame and discuss their shortcomings. Secondly, there is a stigma to being the folks that got nailed, so the inclination is to bury the information. But we lose a very important learning experience. Thirdly, the "powers that be" don't want anyone talking because that can impact an "ongoing investigation."

I can see all of these points, but I still think we are making it too easy for the attackers to find a new scheme and replicate it over and over and over again. By sharing a little information, we can stop a lot of fraud. But the system is stacked against this kind of disclosure, so it won't happen - which is too bad.

Have a great day.

Photo credits: “Crime Done Wrong” originally uploaded by 0x0000org 


The Pragmatic CSO

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com



Selling Fear

Submitted by Mike Rothman on Tue, 2009-02-10 12:23.
Today's Daily Incite

February 10, 2009 - Volume 4, #14

Good Morning:
The reason we are all here is because throughout the past millions of years nature has adapted. As organisms, we have adapted as well. The things that didn't work got culled from the gene pool. Basically nature admitted it was wrong and adapted and survived.

Wrong. There is such a stigma to that word, but it's one of the most powerful words in the vocabulary. Because until you admit you are wrong, you cannot adapt and make yourself better. That's why I'm a big fan of wrong. The more times I'm wrong, the closer I am to being right.

Which is my constant rationalization for constantly screwing things up. As I discuss below (and in last week's Compliance is SO a Cost Center rant), there are times to be right and there are times to stay alive. Right now, for us security folks, it's about survival and that means we have to use tactics that may not make us feel great - but are probably the only chance we have.

Remember, you don't have to adapt. I think it was Deming that said, "It is not necessary to change. Survival is not mandatory." He was right.

Have a great day.


Selling Fear

Give me a "F." Give me a "U." Give me a "D." What does that spell? That's right, fear, uncertainty and doubt. FUD FUD FUD.

I guess I have cheerleading on the brain. My 5 year old daughter is a cheerleader and she has a competition this weekend. So I'll be hanging out with over 50,000 of my closest cheerleading buds waiting for the 2 minutes she gets to do her routine. That will be the best 2 minutes of the weekend, but the good old fashioned F U D cheer got me thinking about how we security folks can "sell" our projects and agenda.

I spent many years trying to paint security in a positive light. It streamlines your business. It helps you roll out new business processes with trading partners. It allows you to be more mobile. It's all a load of crap. It's really just insurance, and the insurance folks have a much longer history of trying to sell the benefits of their stuff. To make life insurance a "positive" thing.


This is your new security sales guy...

As anyone who's had to sit through a life insurance pitch knows, they do a pretty good job of convincing you some of the plans are really an "investment." They've had decades to refine their pitch. Yet, I wonder how many new Universal Life policies the insurance folks are selling nowadays.

I suspect it's not many because when everyone is tightening their belt, one of the last things on the list is an "investment" in some insurance policy that will grow over time. So has the life insurance business gone away?

I don't think so. I know most insurance brokers have morphed into financial advisors and have more in their bag than just life insurance, but play along with me. If there are any stand-alone brokers left, I suspect many will need to go back to selling fear, though I don't know this for a fact and I'm sure all my insurance buddies will tell me what an idiot I am. 

That's what I would do (which is maybe why I pimp security management software and not life insurance). Why not remind the customer they could get hit by a bus? Of course, I hope not - but it could happen. So the customer can protect themselves for the least amount of money possible, which is likely a term life policy. Sure the assets are not growing, but most folks are more worried about making sure they have assets. 

Can you see the parallel with security? I sure hope so. So my good old FUD cheer can really be reduced to: Give me an "F!" Because uncertainty and doubt don't really come into play right now. It pains me to say it, but security projects need to be driven by fear right now. Maybe it's fear of a compliance "problem." Maybe it's fear of a data breach. Maybe it's fear of some time in Leavenworth. Maybe it's fear of bad press. In today's environment pretty much any kind of fear is going to be your friend. Embrace the fear. Love the fear. It could save your backside.

I know, this is making you sick. It's not why you got into security. You wanted to fight the bad guys. Not be a fear-mongering type. OK Brainiac, let's examine how we'd do it without fear. How about reducing staff through automation? I know a lot about that because that's what I do in my day job. It's not going to work because many staffs are already cut to the bone. I've had many conversations with folks and reducing staff is not enough to get a project through anymore.

What about reducing risk? That's certainly something that every CEO and CIO is worried about. The words out of their mouths say they are worried about it, but economic turmoil increases an organization's tolerance for risk. It's all about resource allocation, and when the decision comes down to funding a security project (which DOES NOT add value to the organization) or a new product, new facility, or maybe not cutting a bunch of heads, the security project is going to lose.

Hello Mr. CEO...

That's why fear is maybe the only way to go nowadays. Get to know Ponemon's most recent data breach numbers. I can't believe I just said that, but it's all about living to fight another day. He says a breach costs $202 per lost record. I think those numbers could fertilize half of America, but your CEO and CIO don't know that. Use Heartland and TJX and Hannaford Brothers to make your points. Discuss the hundreds of millions it will take to clean up these messes. Talk about recent breaches. Put together a slide with breaches from just the last month and add up the numbers (at $202 per record, of course). Make the number at the bottom of the slide REALLY big. Ask your senior management how they look in orange (jumpsuits).

That's right, get your Chicken Little on. Fear is a tremendous motivator. This is what I mean about adapting to your environment because in this kind of economy, it may be the only motivator we have. So stop being so proud and do what you have to do. And then go home and take a scalding hot shower, knowing what you did was for the greater good. Which is to ensure you don't get thrown under the bus.

Photo credits: "three" originally uploaded by Hil; “The Grim Reaper” originally uploaded by helico 


Compliance is SO a Cost Center

Submitted by Mike Rothman on Thu, 2009-02-05 10:52.
Today's Daily Incite

February 5, 2009 - Volume 4, #13

Good Morning:
Another quick intro because I found such a "compelling" post on McAfee's blog that I just had to vent a bit. Enjoy.

Have a great day.


Compliance is SO a cost center

Holy crap, I thought the idea of positioning security and/or compliance as a "profit" center died along with the dreams of millions of Internet entrepreneurs during the .com implosion a few years ago. Evidently I was wrong. Check this out on McAfee's blog:

Is information security compliance a cost center?

No. Absolutely and unequivocally not. I am drawing the line in the sand. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period).


OMG. I figured a big company like McAfee would have a drug testing policy, but evidently not. I want some of what this guy is on. But it gets better. Here is the reasoning the author (Lawrence Pingree) uses to justify his position.

Normally I wouldn't excerpt an entire post, but this is too good to let go. Check this out.

A compliance driven company GAINS these:

Business process improvements

    * Security streamlines and clearly defines roles and responsibilities making information flow more quickly through an organization
    * Security separates duties so decisions that occur are more accurate and accountable
    * Security provides checks and balances that reduce internal risks thus saving costs
    * Security reduces business impacts of change
    * Security background checks eliminate the need to wade through candidates that cannot be trusted for sensitive positions saving on hiring costs.
    * … and much more

Technical Improvements

    * Firewalls clearly reduce un-needed load on the network saving bandwidth costs
    * Anti-Virus software has clear cut costs (that happen to be measurable) in saving response times from IT helpdesk personnel
    * Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach
    * Data Loss Prevention software clearly enhances control of data for eDiscovery legal processes, managing information and backup/recovery of that data into single repositories not to mention enforcement of where that data goes (saving intellectual property)
    * Encryption clearly reduces costs by enabling collaboration with third parties (in fact it enables all businesses on the internet to do payment processing) something we sometimes forget.
    * Virtual Private Networks (VPN) enable remote access which means workers can work after hours or remotely while traveling (FOR FREE!)
    * Banks offer employees online access directly from work (the old days you had to leave work to go to the bank)
    * Risk & compliance means that systems are patched and maintained all in a similar fashion with similar configurations which leads to huge troubleshooting time saved since systems are less customized individually.
    * Customers are now able to interact with companies quicker and more efficiently than ever when these security controls have been put in place.
    * …and much more

Threat Reduction

    * Lower reporting costs for disclosure laws
    * No bad PR to respond to
    * Lower liability to your customers
    * Less outbreaks of worms/viruses (less system damage repair/replace)
    * … and much more!


Get me some of that crazy....

It's hard to know even where to start. My first comment would be that a "Compliance Driven Company" is the next Heartland or TJX. Listen, I've been trying to position security as a benefit and "revenue center" for the better part of my career. I'VE FAILED MISERABLY. And the rest of our industry has as well. Because of a very simple truth, which hurts my ego, but is absolutely true in the real world:

CEOs don't care about security or compliance. 

Period. They only care to the degree that they 1) end up in an orange jumpsuit, 2) end up on the front page of the Wall Street Journal. Other than that, they don't care.

And even better, they don't want to spend money on avoiding either of those cases because it's not going to happen to them. Seriously. They see the headlines, they ask some questions about whether they are "secure," the CSO lies to them, and they go back to their mahogany conference room and check on the sales numbers.

All of the points in the post are not really false, but they are irrelevant. Most of that stuff is simple business common sense, but is still like pulling teeth - especially in a down economy. For instance, "Security separates duties so decisions that occur are more accurate and accountable." That's actually false because security doesn't separate duties. A business process (which is usually driven by Sarbanes-Oxley) may be defined to require separation of duties, but that requires more people. That costs more money, no? And there is no guarantee that the decisions will be either more accurate or accountable. It just means you have more cooks in the kitchen. 

How about this one: "Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach." Spoken like someone who works for an anti-malware company and hasn't really read the paper lately. Or, even worse, actually believes the crap in the marketing slicks. The best way to reduce the threat of identity theft is to fire all your employees or take away their computers. And even if this were true, how does reducing identity theft make security less of a cost center?

Like I said, Little Red needs to check what's in this guy's water bottle. It ain't water. 

I could literally dismantle almost every statement in the post, but you get the picture. Folks like me have been trying to position security as revenue positive for a long time and it's not going to happen. So we sell using fear, uncertainty and doubt and we try to convince the buyers (whether you work internally or for a vendor, it's all the same) that it's cheaper in the long run to do the right thing. But you never go in trying to position squishy security benefits. CEOs and CIOs will slice you into little pieces and feed you to the fish.

OK, off soapbox. And part of me appreciates Lawrence's idealism. But I've just seen too much through the years to believe this will really change. So, click the link, get your chuckle for the day and get back to work fighting the good fight to convince your senior executives to do the right thing and accept the reality that we ARE a cost center.

Photo credit: “crazy bus” originally uploaded by bunchofpants


How'd Dilbert know about PCI?

Submitted by Mike Rothman on Wed, 2009-01-07 08:54.

I almost fell out of my chair when I saw this morning's Dilbert. It's probably about digital TV, but it could easily be about PCI as well. Maybe one of his neighbors sells for a WAF vendor...


Dilbert.com

Special Incite: Security and the Roller Coaster

Submitted by Mike Rothman on Tue, 2008-11-25 09:21.

I love roller coasters. The butterflies as you climb the first incline. The exhilaration as you release and hurtle downward at high rates of speed. The G forces and then it's over. I'm not a 10 times a day coaster rider. My kids are still too small to come along, so thankfully the Boss lets me go off for an hour and ride the beasts.

When you are on a coaster, you know it's going to end. Most likely in less than 2 minutes, so you can keep everything in context. Realize the fact that it's very unlikely you'll get hurt, so you just try to hold on and enjoy the ride.

Today's financial markets are like a roller coaster. The volatility is unprecedented and you can get whiplash trying to follow the twists and turns of the market. And it's going to get worse before it gets better - that much is clear.

The main difference is that we don't know exactly when it's going to end. We don't know if it's the proverbial two minutes, or two hours. Imagine being on a roller coaster for two hours. That would be agonizing. Right, now you get it.

As a security professional, the risk to our organizations is multiplying. Unfortunately many will lose their jobs. Pay raises and bonuses are pretty much out the window. Far too many will be struggling, and when folks are struggling - they'll do anything to survive.

Including stealing from you (and your organization).

Now is the time to increase vigilance. Clearly we aren't going to get a lot of new investment for new projects, but we have to pay attention. We have to be aware of the insider threat and we have to put fail-safes in place to make sure any attacks are contained.

Yes, this is the same stuff I've been preaching for years. But now it's even more critical to figure out how you can REACT FASTER to what is going on in your organization. In times of turmoil, people do strange things. And those strange things usually cost you money.

So as much as we'd like to close our eyes, raise our hands, and enjoy the ride, we can't. There will be time to do that later. Now we need to keep our eyes open and look for signs of foul play.

The next few quarters will not be fun. But what we do is critical. So open your eyes, feel the wind rush through your hair, and make sure you still have your wallet when you exit the ride.

Photo: "Coney Island Cyclone Roller Coaster" originally uploaded by bobjagendorf