Incites/Observations
37Signals jumps the shark
I've always been a big fan of 37Signals. They used their blog to magnify their unique take on design and have built a good business providing applications that are focused and easy to use. But the key word now is "business."
I am all too aware of copyright law and the need to enforce the uniqueness of specific design elements that can be deemed proprietary. But I believe 37Signals stepped over the line of practicality when it basically sent a cease and desist order to Mike Murray because he was a bit too honest about his admiration for 37Signals' design.
Mike's account of the situation is here.
I guess it would be nice for 37S to eat their own dog food a bit. They talk about being open and this new generation type of company. Small, focused, effective. But in reality, they are like everyone else - very corporate. They have employees and bills to pay and investors to keep happy. So they felt compelled to come down on a sole proprietor that was just sending them some props (as you are supposed to do in Web 2.0).
The sad thing is that Mike never needed to mention where he got the inspiration for his design. He would have gotten "away" with it. You don't think 99% of design is inspired by something else? Of course it is. The look and feel of 37Signals' Getting Real page is neither unique nor novel and I suspect unless Mike literally copied their CSS layout, they wouldn't be able to enforce much of anything.
But the statement was made. Jason Fried runs a business, not a movement. I guess it was bound to happen, since success makes companies act differently. It's still disappointing. Really disappointing.
And no, I'm not linking to 37Signals site anymore. They'll probably sue me for self-publishing my book, since they inspired that go to market model.
RSA Keynotes: What I'm looking for
- Push the thinking forward - it's not enough to pat yourself on the back, you need to push things forward. There is no better venue for a thought leadership message, and it's a tremendous waste if you tell everyone what they already know.
- Glitz and polish - Fancy graphics, snappy music, remember this is a PERFORMANCE. Don't stand there and lecture to me. Or sit down and chat with me. Get up and wow me! (No pun intended with the Vista tagline). You want the keynote speaker to be charismatic, in control, on message, and focused. And have their hair combed (hint, hint to Bill Gates).
- Cool demos - Doing a world-class demo is a real art. Too bad so many security companies do such a crappy job at it. Again, this is a great opportunity to SHOW integrated solutions and compelling value propositions to customers. What is going to make their jobs easier? How are you going to impact their workflow?
- Highlight partnerships - Again, security is an eco-system, and not even the companies that can afford to get a keynote (and yes, these folks are paying for it) can go it alone. So highlight how you are positioning your security technology within the context of a customer's environment.
Mundie and Gates from Microsoft are on now, so I'll write that up before the top of the hour.
RSA Week: What to expect
A quick post before I get on with the festivities of Super Bowl Sunday. I do have to admit I'm pulling for the Colts (sorry all of my friends in Chi-town). It would be great to see Tony Dungy win the big one, and I think Peyton's time has come to enter the halls of the elite QBs of all time. But most of all I hope to see a fun, entertaining game and that the Gods of Heartburn don't come to visit after all the wings, pizza and beer I plan to shove down my gullet.
Tomorrow AM, I'm off to see the wonderful wizard of the RSA conference. So what should you expect to see? Here are a few thoughts. You can also check out Amrit's thinking here, which is pretty consistent with my own.
- NAC - Network access control will be everywhere. For those vendors that don't have a strategy, they will by the end of next week. Everyone will be buddying up to Microsoft as well. All of this will make life much more confusing for folks trying to figure out which end is up.
- Consumer - I think we will see a lot of noise about securing the consumers at this year's show. Whether it's phishing defense or dealing with bots or just the evolution of products that were formerly known as AV - the consumer is the next frontier for Big Security.
- Data protection - I'm right here with Amrit on this one. There will be a lot of noise about back-end and data center security. I tend to call all this "information security," and given all the privacy breaches - this will be big news. This is last year's NAC. By that I mean, we will hear a lot about it, but very few solutions. The noise will be deafening at the 2008 RSA show, and maybe we'll have something to buy by 2009.
- PCI - The new new thing in compliance is PCI. A close second will be FFIEC, but that feels like old news. So all of those folks that were flogging the HIPAA and GLBA horses three years ago, and SarBox for the last two years - have a new love now. And its name is PCI. Of course, there is no product you can buy for PCI compliance, but that won't stop every vendor from saying their stuff is the silver bullet. Don't you just love RSA?!?!?
- Risk Management - This year's catch-all category will be risk management. It's not clear what it means, but many vendors will be talking about it. They figure there is now some poor sap with the "risk" word in their title, thus they need to have a story and product around it. And folks like McAfee want to have their cake and eat it too, so they call what they do "security risk management," just to make sure they can appeal to anyone in any organization.
I'm not sure of much, but I'm sure the 1st day keynotes (Bill Gates, Art Coviello and John Thompson) will disappoint. None are very compelling speakers (where is John Chambers when you need him) and unless all of the above announce big deals - the big speeches will be ho-hum.
I also know that most end users that go to the show will leave more confused than they came. That's just the nature of the beast in a market where everyone sounds the same and you have 800 companies (over 300 will be at the conference) chasing after the same customers.
I'll do another post about where to see me at the show, and since I'll be in the air tomorrow (and it's Super Bowl Sunday) - there will be no Incite tomorrow. But I'll be back on Tuesday with a vengeance and I'll also provide my thoughts on the keynotes at some point on Tuesday as well.
Paranoia and Idiocy
I had a really strange experience over the last couple of days, and I feel compelled to rant about it. There is intrigue, confusion, and murder. OK, well not murder, though that probably would have made the story more compelling. Basically when I got home last Friday night, I saw a cable line run from the post on my front yard (which is on the left property line), across my yard, up my driveway and connected to the cable drop on the side of my house.
I went in and asked the boss what the deal was. She said some folks from Comcast (my local cable company) came by and ran the wire. When she asked them what they were doing, they claimed to have an order to run a line into our house. She figured I was up to something. But for the first time in a while, I wasn't.
This was very strange. I didn't request any such thing. I have DirecTV. But then my "security mindset" went into overdrive. Why would the cable company just randomly run a line to my house? Was there some kind of new device that could hack a network through the cable wiring, even if you don't use a cable modem? Seriously. This is what was going through my mind. My paranoia was kicking in, big time. I couldn't be sure and I wasn't taking any chances. I unplugged the cable, neatly wrapped up the 100' of wire around the post and went about my business. I foiled the hackers, YEAH!
Until this morning that is. I was squirreled away in my office writing today's Daily Incite and my wife came running down telling me some guys were outside marking up my yard. I proceeded to go outside and chatted with the nice Southern boys that were marking the utility lines. Gracious, these southerners are. Basically they explained their responsibility to mark the utility lines if they get an order to do any digging. I told them it must be some kind of mistake, but they went about their business anyway.
But that wasn't all. As the guys were marking up the yard, a truck with a trench digger pulled up. I flagged them down and told them they were in the wrong place, especially since they planned to rip up my yard. They showed me the work order, which was for my address, but had someone else's name. I was very confused, but the workers graciously took off. Which was good because there were three of them and they had a trench digger. I'm pretty tough, but I think my chances against a trench digger aren't very good.
Even worse, if I wasn't home I'd be the proud owner of a cable line run to my house that I didn't need and a torn up yard, just in time for winter when it would take months to grow over.
The utility line guys were kind enough to point me to the wiring contractor that put in the order, so I called them and left a pretty nasty message to call off the dogs. Then I called Comcast. Amazingly enough, the sales person was helpful and told me there was an order just to run a drop into my house. No cable order behind that. No order for Internet service. Just to run the line into my house. Why would they do that without an order for service? Even more confusing is that I already have a line to my house since the previous owners used Comcast.
The sales person pointed me to the "problem service" group who could help me. So I called them up. The service rep was also very helpful, and ultimately canceled the order after being as confused as I was.
But I wasn't done. I still couldn't get it out of my head as to how and why that order was placed. Again, my paranoia was getting the best of me. I figured maybe it was an address screw-up, so I looked up the guy's name on the order form and found his listed number. He lives in another part of Alpharetta. But the number put on the order corresponded to his number. So I called his house. His wife was very gracious, but had no idea what I was talking about. So that was a dead end.
So I did some more digging. It turns out the name of the guy on the order was actually the FIRST owner of my house. I'm the third owner. Man that is strange.
So after putting the pieces together, this seems to be some kind of fraud. To what end I'm not sure, but that's what it seems to be. Here's how it must have gone down.
- Fraudster finds my address, somehow knows I'm not a Comcast customer and looks up the first owner in the public records.
- Takes the first owner's name and finds someone in the same area with the same name.
- With the name and legit phone number, calls up Comcast and requests a line run to the house.
- Comcast puts the wheels in motion, and if I wasn't home to stop the workers, all hell would have broken loose.
Yeah, seems far fetched to me also, but I can't think of any other explanations.
Who benefits if a bogus order is placed and actually completed? The wiring contractor? Actually they do, so this is the most likely scenario. So I questioned them (the utility guys gave me the number). It seems this kind of thing happens fairly frequently. Evidently Comcast has to foot the bill to patch up the yard and the contractor gets paid, whether the service was ordered or not. The only hole in the theory is how the contractor gets assigned the work order. Unless they can guarantee the order gets sent to them, the scheme doesn't hold water. Maybe they have someone on the inside routing the "bogus" orders to them. That's a possibility.
Was someone trying to annoy me? Maybe. But that seems pretty unlikely though I am a pretty annoying type of guy. Was someone trying to poke at Comcast? Once again, maybe. But what is the payoff besides costing Comcast money?
The real problem is that Comcast does absolutely no verification before they enter in a work order and rip up someone's yard. Seriously, NO VERIFICATION. In two seconds they could have figured out that the name on the work order was not the owner of the house. They could have called the number on the work order, just to verify and "schedule" the visit. There are lots of things they could have done, including checking to see that I already had a line running to my house, but they do none of that. That's the idiocy.
Comcast got lucky that I was home and was paranoid enough to ask questions. I probably saved them a couple thousand bucks when all was said and done. Though I could use a new sod job in my yard.
I guess the moral of the story is there is fraud everywhere, not just in our little cyber-world. But it's fraud just the same.
Black Friday is just another Friday
The Mogull is doing everyone a public service again today by republishing his tips for safe online shopping (here). As I mentioned the first time he posted these tips, it's good stuff. Rich does talk about the "horror of Black Friday," and that's what I want to talk about this morning because I just don't get it.
Back when I lived in Virginia and before I was married, my Mom came down for Thanksgiving and we decided to go to an outlet mall called Potomac Mills on Black Friday. I guess I needed socks or something similarly ridiculous. We drove around for about 30 minutes trying to find parking and then proceeded to be surrounded by thousands of my closest friends, who like a pack of rabid dogs were struggling to save 30 cents on some friggin' trinket. We fought all day and it was a purely miserable experience that is still etched in my mind probably 15 years later.
Suffice it to say that was the last time I've ventured anywhere near a mall on Black Friday.
But my questions have never really been answered about this annual ritual. So maybe some of you can help me. I'm not sure how much help a bunch of security practitioners are going to be, but what the hell? I haven't really been able to tap into the audience of crazy people that go into mosh pits to save 30 cents.
- What's the rush? - Since I don't celebrate Christmas, I've never really understood why there is such a rush to get the gifts on Black Friday. I also happen to be a last minute type of guy, so I'm usually running out to get my anniversary present on the day of my anniversary (which is tomorrow by the way). Can't it wait until December 1? Do you think the retailers aren't going to have good sales then? Especially if sales on Black Friday suck...
I also have to admit that my wife is kind of like a chipmunk. She hoards gifts all year round. So when the Disney store has a sale, she comes back with a carload of stuff. I always ask, "who's that for?" and she has no clue. Given that I have 3 kids who have friends (it seems like hundreds of them) who all have Birthday parties, the boss is absolutely correct in stocking up the present closet (yes, it's a closet and yes, the kids have figured out where it is - which is bad). We end up saving a lot of money doing this.
- Where do all those people come from? - I live in the suburbs of Atlanta, so I guess I know there are millions of people around. But I never really see all of them at the same time. But it seems that on Black Friday, they all want to go to the same set of stores. You see, I don't like people too much (except you, of course). So the idea of surrounding myself with thousands of panting carnivores looking to sink their teeth into a bargain (or your leg if you get in their way) just doesn't seem like fun to me. Is it? I'm still confused.
- Aren't you still full from Thanksgiving? - Maybe this is just me. But after I binge all day on Thanksgiving, the only thing I want to do for most of Black Friday is puke and try to shake my hangover. I have a real hard time moving. I guess there is that segment of society that is actually active and after eating too much really wants to go work it off. So walking around a mall in gridlock traffic would seem to be a good answer for that.
- Are there ever any fights on Black Friday? - I know the way I get when there are too many people around. And if I was competing with others for that last PS3 or Tickle Me Elmo (or whatever toy is hot this year) and I ended up on the short end of the stick, it wouldn't be pretty. I remember the Governator starred in some crappy holiday movie (called Jingle All the Way) about this years ago, but I missed it, so I'm still misinformed. I guess there is some "Black Friday Code of Ethics" that governs who gets what, no?
- Have these folks heard of the Internet? - I've also heard that there is this thing called the Internet, where you can buy stuff any time of day and you don't have to search for parking for 20 minutes. The retailers tend to have even better bargains than if you show up at the stores because it's cheaper for them to fulfill your order that way. You can shop from the comfort of your fat boy chair and pretty much get anything your little heart desires. And with the crack staffs of FedEx and UPS working overtime, you can order up to about December 22 and still get your stuff for the big day. But the malls are still packed on Black Friday. Go figure.
I can only speak for myself, and Black Friday just isn't something I'm going to deal with. So instead, my family and I (including the in-laws and brother and sister in law) are venturing down to the Georgia Aquarium bright and early on Black Friday. I'm sure it will be mobbed too and I'll get to be surrounded by thousands of people who as opposed to foaming at the mouth to save 30 cents will be foaming at the mouth to see a hammerhead shark and a Beluga whale.
But the kids will love it and being around family this holiday season is what it's all about. So like many of you that venture out to shop on Black Friday, I'll take a few deep breaths every 10 seconds or so, make my way through the crowd, and think about how lucky I am. Enjoy your holiday (if you are in the US, that is...).
Your Business Plan is Wrong!
OK, one more for today, since I've been meaning to discuss adapting to market realities for a while. I read a bunch of VC blogs because I continue to be fascinated by that game, and how VCs have needed to adapt their models to play into the market realities.
Having been an entrepreneur a number of times, I can tell you that this post from Josh Kopelman (here) is right on the money. Your plan is wrong. Period. Whether it's your business plan, product plan, marketing plan or sales plan. It's wrong. It may be very wrong or just need some fine tuning, but no one that I've met is Carnac, so you better be flexible.
I can only tell you that is exactly the case for me at Security Incite. My first ideas were around building sales tools for security VARs. I had direct experience that the VARs I dealt with weren't very good at marketing and I knew I could help them. So I started doing some research and realized it was going to be a hard road. There is little perceived value in marketing for VARs, so they wouldn't be very interested in paying a premium for tools from me.
I could have continued down the road I was on because maybe my early research was flawed. That is always a possibility and many a hard-headed entrepreneur found success even when everyone else told them they were crazy. But this wasn't really a disruptive idea, so I figured the market was telling me something. Basically I didn't feel so passionately right about my idea that I was willing to bet the ranch that everyone I spoke to was wrong.
So I went to Plan B (I always have a Plan B), which was to build a subscription research business in security. That became Security Incite. I always loved research and believed there was a seam in the market to provide actionable advice to mid-sized businesses struggling with information security issues. To date, I haven't made much progress on the subscription business because I realized pretty quickly that I was an unknown quantity in research. Some folks remembered me, but not enough and it was a little presumptuous to ask for money before establishing your chops as someone that could add value. I also didn't have the marketing budget to build a name for myself fast, nor did I think that was the right approach to build sustainable value. So I recalibrated and focused 2006 on building up my audience and creating a "brand" of what kind of research I wanted to do.
That's how The Daily Incite came about. Basically when I took the NetworkWorld writing gig, I wanted to have some type of offer for folks that came to visit my site. I was hopeful that would drive a lot of traffic. Unfortunately I was wrong, but that's a story for another day. So I wrote the Buying Security Products eBook as that offer. But that didn't give me any stickiness, so I figured I would do a daily newsletter as well, which would give me the opportunity to be visible with my readership almost every day. I couldn't be happier with the reception that TDI has gotten in the market.
But based on many of the relationships I developed over the year, it became apparent to me that there was still something missing. The end users I talk to enjoyed my daily ranting, but it wasn't necessarily helping them do their job. They weren't making progress because their issues were more fundamental than just staying on top of what is going on in the business. So I concocted The Pragmatic CSO process as a way to help. Based on the early feedback I've gotten just from the announcement, I know I've hit a nerve.
So that is really the point. The best laid plans are just that. Plans. It's only when you get out there and do stuff that you figure out what the market really needs. And you'll be wrong. I know I was. But that's all part of the process. If you can adapt and be flexible, and you listen to the market - success can be yours.
SMB is the new enterprise
I've had a number of interesting conversations over the past week that have taken me to the conclusion that selling products to the enterprise is not interesting anymore. I get that the large enterprise is where the money is, but still. Most folks I know that target large enterprise are frustrated and grumpy. Kind of like I was over the past 8 years. I figured it was just the road rash of spending 8 years trying to develop enterprise markets and my frustrations with grumpy customers that are never happy and take 6-12 months to make up their mind.
Nope. I think we are looking at a secular change in the go2market strategy for security vendors. Why? Because selling to the enterprise is a pain in the ass. First, you have to have a built-out offering with lots of bells and whistles. The enterprise requires complexity because their environments are complex. They require lots of features because they have big problems to solve. And they won't buy anything until it's all there. That's just the way it is.
But a combination of open source, consumer technology, more mature security channels, and the success of some vendors going the small route has given vendors hope that they can actually build a business without catering to the enterprise.
From a historical perspective, Start Up 101 had you building a big software product over about 18 months and selling it for hundreds of thousands of dollars to large enterprises. At some point, maybe the mid-market would need it and then you could sell it to them for cheaper (but without changing the product). But the focus was always the large enterprise. Then Barracuda changed everything. By introducing a low-cost, mass market appliance for email security and selling a crap load of them, Barracuda showed it could be done. You also saw salesforce.com and some of the anti-spam service providers (Postini really) also go that route to market and find success, without being reliant on big enterprise deals.
This is something I've seen coming for quite a while. Back in 2002, after we sold SHYM to Authentica - I came up with the idea of a simple, cheap mass market disk-based backup appliance. Disk was getting cheaper by the day and customers hated tape. At that point, I didn't have the financial means to self-fund it, so I tried to get funding and never got it done. 2002 was a hard year to raise money and targeting the SMB was the 3rd rail of VC funding. There are a bunch of companies that do "backup appliances" now. I suspect if I had an analogy like Barracuda back then, I could have just said "I want to be the Barracuda of backup appliances" and walked out of the meeting with a couple of million bucks.
But I digress. I spoke to one former colleague who is contemplating what is next and he wants to "Barracuda" a market. Look at some set of companies selling big fat license deals to enterprises and undercut them with a cheaper alternative targeted at 80% of the requirement for 20% of the cost. That's how you spur mid-market adoption and crush existing enterprise markets.
Another friend told me he wants to start a new company as well, targeting the mid-sized business as well. He'd rather "work in a coal mine" than go after the enterprise market. I was cracking up because that's a funny perspective, but he's right. To be clear, it's not like getting to the SMB market is easy. You need a different sales model and marketing engine. Very different. But it's possible, and that's more hope than we've ever had in this space.
Forbes calls it the "cheap revolution." I call it wake-up time. Riding on the back of the large enterprise is not the only way to build a company.
Is the VC funding model broken?
During my daily tech blog scan, I came across a post from Om Malik on whether the VC model is broken (here), given the big news that Sevin Rosen wasn't going to raise another fund. He also pointed to another point of view from Fred Wilson of Union Square Ventures (here).
I've got a little bit of experience with this, given that I've founded a venture-backed startup, worked for three others, and am a limited partner in a VC fund. I'm with both of these guys in saying the model needs to change, but strongly believe there will always be room for venture funding. But not 2000 different VC partnerships and $30 billion a year in investable capital. You just can't put that much money to work cost-effectively.
Why? Because it just doesn't cost that much money to get a start-up going nowadays. Unless you are building custom silicon (and you need to have a damn good reason to do that now), it's all software. Software is cheap to build and cheap to bring to market. Most of the new fangled stuff is either delivered as SaaS (meaning you cobble together a LAMP-based platform - Linux, Apache, MySQL, PHP and maybe pay a couple hundred a month to host the site) or as open source. Either way, your cost to take a product to market is a fraction of what it used to be.
Fred Wilson puts forth a few new rules of the VC road, and I am on board with these:
- We've got to raise smaller funds.
- We've got to do less "hard tech" and more "soft tech."
- We've got to figure out how to make great returns on $100mm to $250mm exits.
- We've got to limit our IPOs to our very best companies.
I actually think that $100-250 million is going to be a big exit moving forward. Anyone in the VC business (focusing on security anyway) or thinking about becoming an LP in a fund better make sure they are comfortable seeing how money can be made with a $75-100 million exit as the top end. Maybe not a home run, but probably a nice 5-6x multiple all in. The big outcomes ($250 million +) will be few and far between. Very few and very far between.
The deals we've seen of late have validated this. The days of 14x multiples on sales are gone, unless you've got minimal sales (like SiteAdvisor) and then the sales multiple is big - but the deal size isn't.
So what? If you are an end user, why do you care? Because you are going to see a lot more of the walking dead in the security space. You need to be extra careful when selecting strategic vendors. These walking dead have raised enough money to get to cash flow positive, but end up not being able to grow significantly because of a limited market opportunity and outsize expectations about what they are worth.
Or maybe they haven't raised enough money and then they have to do a fire sale to salvage anything. Either way, customers are left holding the bag.
NetworkWorld just doesn't get it
I really wanted to let this whole NetworkWorld fiasco go. It burned up most of my day yesterday and based on the very positive feedback I've gotten from lots of folks, from Martin McKeay (here) to lots of kind emails and calls - I know I did the right thing by standing my ground and not apologizing for my opinion.
But when I saw Paul McNamara's discussion of the situation (here), I just can't hold my tongue. Evidently John Dix is above dealing with his own situations in his own words, so he sends a hatchet man to tell their side of the story. I don't have a hatchet man. I make my own bed, so I sleep in it.
It's funny that both Paul and Dix repeatedly use the term "business partnership." It seems that because these guys paid me $600 a column, they deserve special treatment. Is that their definition of a "paycheck?" Not in my book, that's hardly beer money. I provide content, they pay me money. There is no shared risk. No shared reward. I'm a freelancer, a mercenary. If my column takes off, they still pay me the same $600 - regardless of how much advertising they sell. There is no partnership here. There is no exclusivity.
And let me deal with the whole "biting the hand that feeds me" thing. I BITE EVERYONE'S HAND. As I wrote to Dix, I'm an equal opportunity offender. I don't give a shit if you pay me money or not. I treat you all the same. Users, vendors and other analysts alike. Maybe I treat you shabbily at times, but I'm also there to publicly pat you on the back if you do it right. Just don't EVER think anyone is entitled to get special treatment because of a financial arrangement.
NetworkWorld learned that the hard way. Some folks can't deal with that, and that's fine. They can opt not to do business with me, as NWW has. I don't have any issue with that.
But don't hide behind some bullshit ethical compass that requires me to accept your definition of "responsibility" to a "business partner." I agree that with freedom of expression comes responsibility. I didn't lose sight of anything. We differ on who my responsibility is to. I always work on behalf of the end user, regardless of who is paying the bill. Not the media and not the vendors. I was taking my responsibility very seriously when I wrote the initial piece.
And we also differ on what is "scathing." It seems they didn't have an issue when I lit Joel Snyder on fire (here) because of a piece he wrote in NWW. That was scathing. This was gentle by comparison. Maybe that's what Paul's referring to when he says it's not the first time I've bitten the hand, but that's being disingenuous. They never voiced an issue with me about that piece. Not once.
To be annoyed that I pointed my readers to their "competition" is another empty justification. I do that EVERY SINGLE DAY. The Daily Incite has links to everyone. It's a surprise to them that I read everyone's stuff and think some is better than others? Perhaps they would have me just do an extract of NWW's security coverage for TDI every day. Give me a break.
And to say I've blogged myself "off a cliff?" Talk about self-importance syndrome. For some reason, I think I'll survive. Maybe, dare I say it for chance of tempting the fates, even prosper. There is life after NWW, I assure you.
I started Security Incite and I work for myself because I NEED to have the ability to tell someone to pound sand. I am not and will never again be beholden to someone else to pay my bills. I will never abdicate my responsibility to do what's right and to tell the truth, regardless of how hard it is or how much money it costs me.
McNamara is way off the reservation with his ideas that corporate blogging is not taking off because of the candidness of the conversation and the risk of "potential trouble." The days of political correctness and stifling conversation are over. My friend Chris Roeckl mentioned in a comment that you "never pick a fight with a company that buys paper by the ton and ink by the barrel." The power of the blogosphere is that we ALL buy ink by the barrel now.
As with every new media, there will be some at the front end of the curve and some at the back end. Corporations have a choice. Get involved in the conversation or don't. But make no mistake, the conversation is going to happen. It's as simple as that.
Security State of the Union - Status quo
I'm taking today to catch up on some blogging that has been lagging, so let me take on the meme about whether security is getting better. Are we winning or losing the battle? What does the future hold?
Bruce Schneier starts the discussion (here) in his usual fashion, thought provoking and irreverent. Bruce makes some good points and I agree with most of them. Clearly the economic motives have changed for hacking, I've only said that a million times. The environment is much more complicated now and only getting more so, so we aren't going to get any relief from new stuff. SOA and web-services, virtualization, and fat browsers are all going to complicate life and make things less secure - that's a fact.
But I think trying to address the economic levers is a fool's errand. You are trying to change human nature and overhaul behavior, undermining free markets. That's not a good strategy. So I don't think we'll make much progress in stopping crime or making it less lucrative. I'm pretty sure folks have been trying to do that for as long as there's been crime.
Jerri Ledford (here) and Alan Shimel (here) also weigh in on the discussion. Jerri falls in line with Bruce, while Shimel, optimist that he is, picks apart some of the points. Yes, there are some aspects of life that are better. Patching is smoother (at least from Microsoft) and security is closer to the top of mind, though that's in danger of changing if we don't start delivering demonstrable results. We also see fewer DDoS attacks, but that's because there isn't much money in it.
So what do we have to look forward to? I'll say pretty much the status quo. Since the beginning of time, you've always had a couple of different types of users.
- The Enlightened - These folks aren't necessarily the early adopters, but they are the real adopters. They do stuff that makes sense and for the most part are protected. They can react quickly when something happens, and when you talk to them - you know they know. These folks will handle the coming complexity just like everything else, thoughtfully and effectively. This is maybe 5% of the population.
- The Lucky - These are the folks that you sit with and they think they have all the answers. They buy the product du jour from the vendor du jour, and when you challenge them, they push back in a huff of righteousness - well, we haven't been hit, so we are cool. To be clear, they are lucky, not good. There is a big difference. This is at least 40% of the companies out there. Before long, they'll become the next type of user...
- The Compromised - These folks have religion because they were tossed out of the car at a high rate of speed. They've had a problem and then they've thrown money at it. I could also have called these folks the "unlucky." Most of the stuff they've bought has been useless so 6-8 months after the issue (and after the hangover from their spending orgy subsides) they have a feel for what they are doing. Most find the path to enlightenment. Some revert back to being lucky. At any given time, this is about 15% of the users out there.
- The Ostriches - These folks play Russian Roulette every day. They don't do much because either they can't get the funding or they are just plain stupid. They keep their head in the sand and hope that when something happens, they don't get caught holding the bag. This is the remaining 40% out there and sooner or later they'll get compromised and then either transition to being lucky or enlightened.
Great, now we get my arbitrary categorization of users, but who cares? Well, as we see things continue to evolve and become more complicated with more attack vectors across more attack surfaces, you'll see the same characteristics emerge. The enlightened will be fine (and guys like me will learn from them every day), most of the lucky will remain lucky until they are not, and the ostriches will keep their head in the sand until they can't.
It's the newly Compromised that are most at risk. It's going to be a lot harder to close all of the exposures once you have an issue. Virtualization is going to make stuff harder and the mix of operating systems having to be dealt with over the next 3-5 years isn't going to help either. So once the mandate comes down not to get nailed again, these folks are going to have to spend more and spend it smarter to even have a chance. And most won't even know where to start.
Of course, I'd like everyone to be enlightened. To implement layered security. To train their employees on security best practices. To treat infrastructure security differently than data security. To think before they spend. To have a plan (and practice) what to do in the event of a situation. To learn how to tell the story of security in business terms.
But I'm not naive. I know that human behavior will prevail, and that leaves plenty of opportunity for guys like me to prosper for a long time to come.