I get some priceless email on occasion, and I thought this one was too good not to pass along. Today’s Friday summary introduction is an anonymous guest post … if it missed any cliches I apologize in advance.

Internal Memorandum

To: Employees
From: Mega-Corp Executive Team
Subject: Messaging
Data: Friday, September 25th, 2009

Due to growing media scrutiny and misquotes in major trade publication (because you people can’t get the pitch right), we ask you to be cautious in dealing with the press and analysts. Please. All we ask is that our employees “stay on message.” We, Mega-Corp, Inc., pay (way too much) to have (young imbecilic twits at) large advertising agencies (put down their drugs and alcohol long enough to) work closely with our (also over-paid) CMO to carefully develop media strategies to effectively leverage our assets to increase consumer awareness and increase sales, thus generating a win-win situation for all. We cannot allow rogue employees to torpedo our finely crafted multi-media approach by deviating from the platforms that have been developed. This will ensure that all of our clients receive the same message. It is also designed to increase brand awareness by striking just the right balance between being edgy enough to appeal to the hipper, young crowd while at the same time conveying stability to our long-term clients. It is especially important at the present, due to current market conditions. While our competitors are focused on their competitive disadvantages, we see this current market as a great opportunity for growth. Our marketing campaign has thus placed its emphasis on all of the added benefits that the new product line now offers. We will not allow iconoclastic employees to remain fixated on their complaints that we have increased prices. We believe that the new price line is a bargain for the new features that we have added, and our marketing campaign is designed to educate our clients and potential clients about the new features that they will be receiving. It does not help when our branch-office employees continuously snipe that the clients do not want the new features. That is only true because we have failed to educate them sufficiently about the benefits of those features. We are confident that if we all work together, to remain on message and educate our clients and potential clients about what we have to offer, we can expect double-digit growth over the next eight quarters. In do so we that our competitors will not be able to catch up to our technological advances during that period of time and thus we will not be forced to offer new products for the next 30 months. In fact, we are so confident of this that we have right-sized our R&D department, thus proving once again that we can be lean and mean. I also know that many of you have seen reports that suggest we plan further layoffs of up to 30%. We have no idea where the 30% figure came from and can say without equivocation that no such reduction is currently planned. Of course we will always remain nimble enough to provide reasonable value to our shareholders but I know that all of you believe that is our most sacred obligation and would want nothing less. In concluding, I cannot stress enough the importance of staying on message and delivering a united theme to the public as we continue to unveil our marketing strategy across so many different media platforms, including the new emphasis on social media. There can be no doubt that our innovative use of Twitter will in itself dramatically increase sales over the next several quarters. I look forward to seeing those who do remain with us next year when we gather via video-conferencing for the annual employee meeting.

Thank you for your attention in this matter (or you will be part of the next 30%),

Mega-Corp Executive Team

The Death Star,
Moon of Endor,
Outer Rim

And with that, on to the Friday Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

• Adrian and Rich at BusinessWeek with the Truth, Lies, and Fiction with Data Encryption video.
• Rich and Martin on the Network Security Podcast, Episode 167.
• Oh Gn0es … I am having reservations about posting this, but it is Rich Mogull and David Mortman on stage at Defcon 17 Security Jam 2. Rich may panic and delete this link later so catch it while you can!

Favorite Securosis Posts

• Rich: Cloud Data Security: Archive and Delete.
• Adrian: My post on Database Encryption Benchmarking.
• David Meier: So it’s not new, but I thought Building a Web Application Security program was the best internal post this week.
• David Mortman: Database Encryption Misconceptions.

Other Securosis Posts

• A Bit on the State of Security Metrics
• Stupid FUD: Weird Nominum Interview
• Cloud Data Security: Share (Rough Cut)
• FCC Wants ‘Open Internet’ Rules for Wireless
• Incomplete Thought: Why Is Identity and Access Management Hard?
• Cloud Data Security: Use (Rough Cut)

Favorite Outside Posts

• Adrian and Rich: We have never picked the same post before, but what Star Trek Predicts About the Future of Information Security is that good. It’s not every day bloggers get to geek out to the point we bring up “gold-pressed latinum”, or make security decisions based upon subjective personality assessments of violin-playing androids with cats. Very clever post.
• Meier: One word: ‘awesomesauce’.
• Mortman: Has Technology Killed Privacy?

Top News and Posts

• New BeEF
• The best AES tutorial out there… in stick figures
• Remote exploits available for SMB2 vulnerability
• Microsoft workaround for the SMB vulnerability
• Bank sends mail to wrong Gmail address, then sues Google. Right, I’m sure that will work. Maybe they’ll have better luck if they spill hot Google on their lap.
• Great NAC white paper by Jennifer Jabbusch
• NSS runs a good malware test
• Free SSO for Google Apps?
• 4 Dangerous Myths about Data Disposal, Debunked talking points
• Why a hardware security model may not be as good as you think
• Blam! It was like patch Tuesday on a Wednesday for Cisco.
• Another reason to hate lawyers
• Netflix is smart. Very smart.

Blog Comment of the Week

This week’s best comment comes from ds in response to Incomplete Thought: Why is Identity and Access Management Hard?:

I’d argue that most companies have both technology and process problems and cannot (but try to) solve bad process with (often dubious) technology, hence they fail and assume it was the fault of their slick IDM.

I also think that there is a major difference in what a top line IDM product offers when compared to a more niche workflow powered provisioning system, and that the vendors in this market don’t highlight this well enough (e.g., Quest’s ARS may be just the trick for a SMB using only AD for AAA, but they want to sell against the big boys with virtual directories and other complex solutions). Dividing this market makes sense.

After all the dust settles, IDM is a perfect example case of a process problem that could be, but doesn’t have to be, supported by technology to be more efficient. Companies need to nail down some key challenges first:

-How do IT and HR find out about job change activities (joining, moving, leaving). Don’t assume HR will know… sometimes a job change is simply an informal promotion or an assignment to a special project. If there isn’t a solid notification route, fix that first. Doing so builds relationships, surfaces problems that support the effort and ensure buy in at all levels. Then move on.

-What is the motivation for better identity management (e.g., regulatory or commercial compliance?). Knowing this can help constrain initial scope. Without limits, the project will grow too fast and fail.

-What systems are in scope.

-Who in the business “owns” those systems.

-Who in the business “uses” those systems (and why/how).

While certainly not exhaustive, the above simple facts can help build a closed loop process.

1. When someone changes roles, IT gets notified <how>.
2. A request is placed by <manager or employee> to gain access to a system
3. If employee request, manager <must?> approves
4. If approved as “in job scope” by manager, system owner approves
5. IT (or system owner in decentralized case) provisions necessary access. Requestor is notified.

Process for new hires, terminations and other elements in the lifecycle are just as easy to think through. Org wrinkles may make them more or less complicated, but essentially the point is to have an approval process where the right folks make the decision. Knowing and keeping track of those folks is a challenge, but not impossible.

Long story short, don’t think technology until the process is in place.

(or not so short … but well stated)