The Daily Incite – 11/30/09 – Giving Thanks

Today's Daily Incite

November 30, 2009 – Volume 4, #34

Good Morning:
Oh yeah. I’m back and it feels great. Just getting done with the long
holiday weekend here in the States got me thinking about how thankful I
am. So I’m going to go through the list in an "Inciteful" way. Then
it’s back to some pithy and totally subjective opinion of some recent
security stuff. IN MY VOICE. The past 15 months I’ve had to speak
(again) in someone else’s voice and well… that ain’t me. So it’s nice
to exercise the sonorous baritone a bit and though I’m no Barry White,
the voice is definitely mine.

I'm thankful the aliens didn't obliterate me this weekend.

First and foremost, I’m
thankful for The Boss. Yes, she is still my boss and no one provides
more support for what I do than my wife. She was the first one to
suggest that I really needed to get back to Incite and that it’s the
thing that makes me happiest. She’s ridden shotgun through the highs
and lows and back again. And hardly puked on my shoes through the

Next up are my kids and family. The kids provide a ton of entertainment
on a daily basis. When I’m not gnashing my teeth that is. But I need to
continue working on my patience and there is no better way to do that
than to have 3 kids running around. My family is well…my family. Yes,
I love them. Yes, at times they make me crazy. And yes, I need to
accept them and their idiosyncrasies. Just as they accept me and my

I’m thankful for all of the friends I’ve made in the industry. Many of
which wrote to tell me how sorry they were I got laid off. It’s great
to have so many folks that "have my back," and are supportive of what I
do. Of course, I’m not sorry about the way things worked out and I
couldn’t be more excited to be blazing my own trail again. But for
every one of you that Tweeted or emailed or called, thank you. Really
really thank you.

I’m thankful for the folks that have better things to do than secure
their stuff. For one, a small percentage of them will be statistics
which allow the vendors to keep spewing FUD at an unbelievable pace.
That FUD keeps guys like me busy. I’m also thankful that these folks
need a much more Pragmatic way to think about securing their stuff.
They don’t care about being "secure," they want to make the auditor go
away and they don’t want to get pwned. Of course, we all know those
objectives are at odds with each other, but that evangelization process
is what I love, so I don’t want to change a thing.

I’m thankful for Big Research. They continue to well be Big, and that
means pretty much lumbering around in their fat, dumb and lazy way.
Using the same presentations year in and year out, and being a great
backwards looking indicator. There are some great analysts in Big
Research land, and I’m happy to call many of them my friends. There are
also a whole lot of not so great analysts, and that creates opportunity
for guys like me. But ultimately these are the folks that invented the
IT research industry and I continue to ride their coat tails on a daily

I’m thankful for every single one of you that clicks on an
email or opens up their RSS reader or even visits my web site to read
what I write. Like everyone who gets a second (or third or fourth)
chance, you appreciate it much more after it’s been taken for a while.

Finally, I’m thankful for my time at eIQ. Every so often, a guy like me
needs to be reminded that the grass is not greener on the other side.
Statistically, you are probably as likely to win the lottery as you are
to pick the right hot start-up and make a bunch of money. Ultimately
the material spoils don’t matter if you don’t enjoy what you are doing.
Especially when you can make a decent living doing what you like. So my
latest trip back into corporate America reminded me of what I seem to
have forgotten. That I need to be thankful for doing what I like, and
that I should just do it. Which is what I plan to do.

Have a great day.

Photo: "Give" originally uploaded by Markus Rodder

Incite 4 U

As you can imagine, quite a bunch of stuff has accumulated since the
summer. So I’ll pick some timely topics to cover, as well as some
important stuff from my archives. The plan is to publish on Monday,
Wednesday and Friday for a while and get back to a consistent drumbeat
of Incite to make you laugh, cry, maybe learn something, but most
importantly long for the days when I wasn’t writing so frequently.

  1. IBM (maybe) takes out Guardium – We all knew it was just a matter of
    time before someone acquired the bigger Database Activity Monitoring
    start-ups. Looks like Guardium is the first to take the money and run.
    And with a reported $225 million of IBM’s cash, they can run for a
    while. Clearly protecting the database is a key part of any security
    program and the DAM folks have shown it can be done at enterprise
    scale. IBM likely paid a very healthy multiple (probably in the 7-8x
    bookings range) because Guardium was the first to cleanly support DAM
    for databases on the big iron. That is something IBM had to control.
    Adrian from Securosis provides his take on the deal as well.
  2. Security success? Remember the Credibility Bank – I wrote the
    Pragmatic in the latter part of 2006. It’s hard to believe it’s been 3
    years, but I have to say the message continues to resonate and appear
    in places that I never expected. Not directly, but from a philosophy
    standpoint. Take this article in SC Mag about Seizing Management
    Power. You don’t really "seize" power, rather you earn it. It’s really
    about the need for security folks to talk business and persuade their
    peers that protecting information is good for their business. It all
    gets back to credibility. If you don’t have it, you can’t execute on
    any kind of security program. Pure and simple.
  3. Maybe the CIO is your friend, but not mine… – Following up on the
    previous snippet about talking the language of business is a post
    from Mortman on the Securosis blog relative to the reality that most
    CIO level folks don’t have a clue about how to be relevant to the
    business. The reality is, YOU as the security professional cannot be
    hindered by that. If your CIO gets it, all the better. If not, you
    still have to build relationships with the business folks and still
    position security as good for the business. Mort’s ideas on having
    someone to work with on messaging and making sure your stuff is
    professionally done are absolutely critical to building the
    credibility you know you need.
  4. Valuing Assets, using Lindstrom’s Razor – For a guy who shaves once
    a week, whether I need to or not, the idea of a Razor being wielded
    by Grumpy Pete is outright terrifying. Kind of like a slasher movie
    set in a data center. I can just see Pete hacking away at Jaquith’s
    stilts (oh, I think those are his legs) or Hoff’s halo (he is the
    almighty, isn’t he?). But seriously, Andy does pose an interesting
    thought based on Grumpy Pete’s ideas on valuing assets using a floor
    value based on the amount of money you are willing to pay to secure
    it. Hmmm. Gunnar expands on this a bit as well. The reality is most
    folks have NO IDEA what they are paying to secure much of anything.
    They have a security rock and they hit pretty much anything they can
    with it. Very few organizations actually decide on an asset (or even
    a business system) basis what they are willing to spend to protect
    it. They should, but they don’t. But it’s a good thought experiment
    anyway.
  5. Profiling application traffic on a blade – Amazingly enough, the
    news that Check Point acquired FaceTime’s application
    didn’t make the 11 o’clock news. They probably paid FaceTime in
    Starbucks cards. But the concept is interesting: being able to deploy
    application profiling on a software blade on the gateway opens up a
    number of cool policies you can deploy, especially relative to egress
    filtering. This was clearly a cheaper way to get better application
    visibility than buying Palo Alto (which they should do anyway). Yes,
    the perimeter gateway is getting smarter; no, the "secure network
    fabric" is nowhere close; and the reality is the action is what’s
    happening inside the protocols, and we security folks need to get a
    lot smarter on application attacks – stat!
  6. Security "scorecards" – love and mostly hate – I’ve had a love/hate
    relationship with the concept of metrics for a long time. On one hand
    (love), I realize the importance of measurement and counting and all
    that other good stuff that creates pie charts for the CFO. But my
    pragmatic gene kicks in (hate) and I realize the effort required to
    really quantify the impact of security doesn’t leave a lot of time or
    resources to actually secure much. I look at a post like Russell’s
    diatribe on building an InfoSec Risk Scorecard with a sort of numb
    bemusement. The post is great and the tips are right on. But it’s
    just hard for me to see most security folks going through the effort.
    One of the tips really hits home: "If your bosses really need a good
    InfoSec Risk Scorecard, then they should be prepared to pay for it."
    Therein lies the rub: most bosses don’t care about a security
    scorecard (they just want to be secure) and they are certainly not
    going to pay a lot for it. Thus, the ongoing futility of security
    metrics.
  7. Tao votes for
    – It’s funny, but the political hype machine is already talking
    about the mid-term elections happening next November. Solving the
    "cyber-security" problem continues to be a hot topic in the Fed
    space. Lots of folks think more efficient buying is an answer, or
    throwing a few more products at the problem. Richard is clearly
    voting here for leadership, not any of these other shiny objects
    (many espoused by the self-proclaimed cyber-war research czar
    Stiennon). And he’s exactly right. We have to get sick of losing and
    then we’ll devote the resources necessary to win. On an aside, is
    anyone else starting to puke every time they see the term "cyber-X"?
    I know the Feds are spending money on security products, but a
    horrifying number of vendors are repositioning their stuff to address
    the "cyber" issue, and in reality it’s just another marketing shiny
    object, and too many dim-wits can’t tell the ruse for what it is.
  8. Writing the
    – This isn’t really security-oriented, but I wanted to point to a
    great post on the Pragmatic Marketing site about writing a "life
    requirements document." Some of you call them goals, others a set of
    guiding principles, but all the same – you can’t be good at your job
    or particularly happy unless you’ve given some thought to what makes
    you happy and what you like to do. Too many of us just meander
    through our lives getting through each day and looking forward to
    watching a football game, drinking a brew with buddies, or playing
    catch with the kids. So that is an awful lot of time spent waiting
    for something else. So read the post and give the approach some
    thought. Personally, I set goals, but an LRD structure may work for
    some of you.

*** This is a Security Bloggers Network syndicated blog from Mike Rothman's blog authored by Mike Rothman. Read the original post at:

Mike Rothman

Mike is a 25+-year security veteran, specializing in the sexy aspects of security, such as protecting networks and endpoints, security management, compliance and helping clients navigate a secure evolution to the cloud.