Securosis

Menu

Research

Incite 6/8/2011: Failure to Launch

Mike Rothman June 8, 2011 No Comments

Shipping anything is pretty easy nowadays. When someone buys the P-CSO, I head over to the USPS website, fill out a form, and print out a label. If it takes 5 minutes, I need more coffee. Shipping via UPS and FedEx is similarly easy. Go to the website, log in, fill out the form, print out a paper label, tape it to the package, and drop it off. I remember (quite painfully) the days of filling out airbills (in triplicate) and then waiting in line to make sure everything was in order. As many of you know, Rich and Adrian are teaching our CCSK course today and tomorrow. It’s two days of cloud security awesomesauce, including a ton of hands-on work. I did my part (which wasn’t much) by preparing the fancy Securosis-logo USB drives with the virtual images, as well as the instructor kits. I finished that up Sunday night, intending to shippthe package out to San Jose Monday morning. So I get onto FedEx’s site (because it absolutely positively has to be there on Tuesday) and fill out my shipping form. Normally I expect to print the label and be done with it. But now my only option is to have a mobile shipping confirmation sent to me. What the hell is a mobile shipping confirmation? Is there an app for that? I read up on it, and basically they send me a bar code via email that any FedEx location can scan to generate the label right there. Cool. New technology. Bar codes. What could go wrong? I take my trusty iPhone with my shiny barcode email to the local FedEx Office store first thing Monday morning. The guy at the counter does manage my expectations a little bit by telling me they haven’t used the mobile confirmation yet. Oh boy. Basically, FedEx did send a notice to each location, but they clearly did not do any real training about how the service works. The barcode is a URL, not a shipping number. The folks at the store didn’t know that and it took them about 10 minutes to figure it out. It was basically a goat rodeo. The FedEx Office people could not have been nicer, so the awkward experience of them calling a number of other stores, to see if anyone had done it successfully, wasn’t as painful as it could have been. But the real lesson here is what I’ll tactfully refer to as the elegant migration. Maybe think about supporting multiple ways of generating a shipping label next time. At least for a few weeks, while all the stores gain experience with the new service. Perhaps do a couple test runs for all the employees. Why not give folks a chance to be successful, rather than forcing them to be creative to find a solution to a poorly documented new process while a customer is standing there waiting. When we launch something new, basically Rich, Adrian, and I get on the phone and work it out. It’s a little different when you have to train thousands of employees at hundreds of locations on a new service. Maybe FedEx did the proper training. They may have asked folks to RTFM. Maybe the service has been available for months. Maybe I just happened to stumble across the 3 folks out of thousands who hadn’t done it before. But probably not. – Mike Photo credits: “RTFM – Read the F***ing Manual” originally uploaded by Latente Incite 4 U Better close those aaS holes: The winner of the word play award this week is none other than Fred Pinkett of Security Innovation. In his post Application Security in the Cloud – Dealing with aaS holes, Fred does a good job detailing a lot of the issues we’ll deal with. From engineering aaS holes (who aren’t trained to build secure code), to sales aaS holes who sell beyind their cloud’s capabilities, to marketing aaS holes (who avoid good security practices to add new features or shiny objects), to management aaS holes (folks who forget about good systems management practices, figuring it’s someone else’s problem), there are lots of holes we need to address when moving applications to the cloud. Fred’s points are well taken, and to be clear this is a big issue we address a bit in the CCSK curriculum. Folks don’t know what they don’t know yet, which means we’ll be trying to plug aaS holes for the foreseeable future. – MR Payment shuffle: Will interoperability and commerce finally push the adoption of smart cards in the US? Maybe, or at least the card vendors hope they will, with European travelers starting to have troubles with mag stripe cards. It’s not like this hasn’t been tried before. I remember reading about Chip and PIN (CAP) credit cards in 1997. I remember seeing the first US “Smart Card” advertised – I think by Citi – as a security advantage to consumers in 1999. That didn’t go over too well. Consumers don’t much care about security, but you already knew that. Europe adopted the technology a decade ago, but we have heard nothing in the US consumer market since. Why? Because we have PCI, which is the panacea for everything. Haven’t you heard that? Why improve security when you can pass the buck. Yup, it’s the American way. – AL Closing the window: Last night RSA released a new letter to their customers about their breach, and the attack on Lockheed and other defense contractors. Lockheed confirmed in a New York Times article that information stolen from RSA was used to attack them. Fortunately Lockheed managed to stop the attack. If I wasn’t out in California to teach the CCSK class this week I’d probably write a more detailed post because it’s definitely a big deal. There is now no doubt that customer seeds were stolen. And whoever stole them (IPs linked back to China) used the seeds to attack at least three major defense contractors simultaneously, less

Share:
Read Post
dinosaur-sidebar

Research

view all

Sign Up for Our Newsletter

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.