The Daily Incite – 12/11/09 – Starbucks Seat Lottery
December 11, 2009 – Volume 4, #38
Good Morning:
Nowadays I face very tough decisions on a daily basis. You know, when
should I work out? Do I get the Veggie Patty at Subway or is it the one
day a week I indulge with a burrito? Should I shave? You know I shave
once a week, whether I need to or not. These are serious, tough
decisions. And I’m the kind of guy that can face these decisions.
But no decision is more important than where I work in the afternoon.
You see, being a work at
home vagabond, I need to get out of the house. Every day. Personal
hygiene is an issue to begin with, so without the excuse that I have to
primp up to get my Venti Pike – it wouldn’t be pretty.
So around my house I have the choice of maybe 4-6 different coffee
shops. To minimize my impact on the environment, I try to select a shop
in proximity to my lunch spot. I’m thinking of buying some carbon
offsets to make up for those indecisive days when I drive the extra 10
minutes to a different coffee shop.
I also go to different coffee shops in no set pattern. I
wouldn’t want the folks tailing me to be able to profile my habits. You
know, when the assassins come, I want to make it at least challenging
to find me.
Yet lately I’ve been choosing wrong. I liken the coffee shop
decision to playing the lottery. It’s the Starbucks seating lottery.
If you don’t get a good seat, you may as well just write off the entire
day. Have you ever tried writing snark from one of those cushy purple
chairs? This ain’t Passover folks, I can’t be inciteful when I’m
reclining. I need to be focused. I need to have a hard wooden chair.
Yesterday I got to my selected shop and there were no seats. Crap. It
was like 40 degrees outside, so it’s not like I could sit on the patio
and pound away at my trusty MBP and snark. The nerve of these folks.
First of all, don’t they know it’s my friggin’ office. I pay rent. At
the rate of about $2.25 per day. Of course it’s a good deal, and some
folks pay more rent than me (they splurge on the $4.50 pumpkin latte),
but all the same, these folks have to go.
So what to do? I guess I could ask someone if I could share
the table, but man that’s weird. I saw some guy do that a few weeks
ago. He just plops down and then starts some inane conversation about
what he does, and where he lives and all sorts of other things.
Surprisingly enough, the kind woman who let this interloper sit down
actually engaged him in conversation. I guess maybe that is what humans
do. I wouldn’t know much about that.
So basically I did what most other vagabonds do. I went to the
struggling cafe down the street, and hoped they haven’t gone out of
business already.
Have a great weekend.
Photo: "Second (office) Cup" originally uploaded by sylvaincarle
Incite 4 U
- Data is cool, analysis is better – The folks at Verizon Business
released their DBIR
supplemental report this week and it’s got some good stuff in
there. Read. It. Now. I like the report because it’s not just a listing
of data designed to generate PR clips. Most of the data out there is
used to ensure that lazy tech writers always have something they can
crank out on deadline. Survey this, survey that. 85% of hackers take
cream in their coffee. 42% use a pwned netbook in a crowded coffee
shop to social engineer 17% of the grandmothers in a local old age
community. You know, data. But what the VZ guys do with the data is
very cool. Mort highlights a few things, but
I think we are getting to the point where this data is not only
statistically reliable, but it’s also representative of the broader
market. And that means we are pretty much screwed, but at least we can
quantify the screw.
- Redefining security success – Bejtlich does an interesting thought
experiment in his "Let a Hundred Flowers Blossom"
post. Basically, the idea is to stop worrying about controls and start
focusing on outcomes. Meaning, an organization can do as much or as
little security as they want, as long as it takes longer than X for an
attack team to successfully penetrate the defenses, it’s all good. It’s
an interesting idea, but is counter to the childish way we do security
today. Basically it’s like nursery school. You get a check list and you
do the checklist. No one cares about success or even outcomes, as long
as the check list is filled out. This will create issues of documenting
compliance, but from a philosophy standpoint I think this could work in
a company. But probably not for every company.
- Budget time, yay! – It’s that time of year, budget time. This is when
we all fight for our share of a declining pie and then grumble about
what an ass the CFO is and how does he/she expect us to be able to do
anything with that amount of money. And then you get calls from
analysts that want to know how big your budget is. And we get surveys that say 70% of companies
will boost tech spending and security is a priority. Maybe
it’s 1 or 2 on the wish lists of people
buying things. But to be clear, no one has any idea how budgets will
shake out. You see, there is a pot of money and through 2010 that pot
may be smaller or it may get bigger. It may be used for Project A or
may be reallocated to Project B. The folks that answer these surveys
have no idea. Overall it feels like things are getting a bit better,
but who knows. I’m still saving for a rainy day because there is a good
likelihood it’ll keep raining in 2010.
- Actually buying something with that budget – Pretty entertaining
post on Cassandra Security about the
real process of buying and selling security stuff. Part of
this is the black magic that you never learn until you work for a
vendor. Things like the unnatural acts to get a deal closed in a
quarter (as opposed to when the customer needs to buy). But also from
the customer’s perspective, how to play the game, not only to squeeze
the vendor, but to make sure the deal gets done. There are checklists
for sales folks and also for the end users. As Brian says, a lot of
this is common sense, but we all know that common sense is in short
supply.
- Are there any security "software" companies left? – Yes, that title was
a bit of a red herring, but it underscores the realization that
customers tend to be right, and the vendors need to adapt to meet the
needs of the customer. So the idea of a pure-play security software
company probably doesn’t make a lot of sense moving forward. Maybe not
today, but by 2011 I’d say any security company of size will have to
have a hybrid model. Where their software is PACKAGED as something a
customer can implement, can run in someone’s data center or probably
can run in a private or public cloud. If you look at a company like Fortify, they are moving in
this direction by rolling their own services capability, but
also by partnering with a services shop like White Hat to fill the
gaps. Of course, the underlying life blood of any of these companies is
still software, but it won’t necessarily be sold as software.
- Microsoft, the silent but deadly security competitor – Given I talked
about plungers last time, I had to throw some flatulence references
into today’s piece. But that’s the thing about Microsoft. They don’t
really talk too much about their security products, since most of the
PR effort is spent spinning the issues around Patch Tuesday and their
SDL efforts. But to be clear, Microsoft keeps clicking along, targeting
their markets and rolling products. Like their recent announcements of enhanced security gateway functionality.
Sure looks like a UTM type thing to me, which is perfect for their
sweet spot in the mid-market. And they also acquired Sentillion,
which does IAM and single sign-on for healthcare companies. So although
most of the big security companies don’t say Microsoft is a competitor,
it’s always dangerous to disregard them.
- The Happiness Genie – Very interesting thought experiment from Scott
Adams on the Dilbert blog. Man, it must be a good gig to write comics
because he seems to have plenty of time to think of weird scenarios and
post them to his blog. The general idea is whether you would be happier
if a happiness genie gave you $10 million, but a lot of folks you know
would get $20 million. Or if you get (only) $5 million, but no one else
gets anything. Hmmm. I’d like to think $10 big is enough for me, even
if my friends get double that. But if I’m being honest, who knows? And
that’s really the key, be honest. The answer is OK, even if you are a
greedy bastard that would be happier keeping their friends in a life of
squalor.
*** This is a Security Bloggers Network syndicated blog from Mike Rothman's blog authored by Mike Rothman. Read the original post at: http://securityincite.com/blog/mike-rothman/the-daily-incite-12-11-09-starbucks-seat-lottery



