Incite 7/10/2012: Freedom

Last week we celebrated Independence Day in the US. It’s a day when we reflect on the struggles of our forefathers establishing the country, the sacrifices of the Revolutionary War, and what Freedom means to us all. Actually, most folks gorge on BBQ, drink a ton of beer, and light fireworks imported from China. Which I guess is another interpretation of freedom. I thought it would be great for each of us Securosis guys to describe what Freedom means to us for last week’s Incite. Alas, the best laid plans got derailed when it got to be late on Tuesday and I wanted to start my holiday. No Incite for you. Adrian put everything in context by remarking, “You are free not to do it.” Nice. But here’s the deal – I take freedom for granted, and if you live in a free society, you probably do too. I don’t think about the struggles involved in maintaining a free society. A couple times a year (you know, Memorial Day), I remember the brave military folks away from their families making sure my biggest issue is which Starbucks I choose to write at that day. The Boss and I try to impress upon the kids how lucky they are to live in a free environment. They learn about the Holocaust to see the worst in people. They’ll also read and hear about other oppressive regimes, and be thankful for where they were born. But if I’m being honest with myself, I haven’t felt free for most of my life. A conversation I had recently with Mike Dahn reinforced that. I was captive to my own expectations. Regardless of the fact that I could do anything (besides break the law, I guess), I always felt a responsibility to do what was expected of me. I compared myself to some vision of what I should be. What I should achieve. But that vision was only in my head. It wasn’t like my folks told me what to do. All those expectations made me feel like a failure, even though I achieved quite a lot. That epiphany became the impetus for my Happyness talk. I wasn’t until I let go of those self-inflicted expectations that I’ve been able to make strides toward being happy. Of course, I have good days and not so good days, like everyone else. But tossing my own expectations has given me the freedom to live my life – not anyone else’s. Not setting specific goals means I can enjoy the journey, not fixate on how far I have left to go. The US celebrates Independence once a year. But I get to celebrate my own Independence every day. And I don’t plan on taking it for granted. –Mike Photo credits: Independence, Oregon originally uploaded by Doug Kerr Incite 4 U It’s not the message, it’s how you say it: Sometimes you read something that hits very close to home. Bejtlich’s perspective on the importance of how you deliver the message resonated. The Boss chides me all the time about the fact that no matter what I’m saying, the kids shut down because I’m barking at them. “But they don’t listen! I need to get their attention,” I respond. And she just laughs. No matter what I say, they only hear more yelling. So when Rob Westervelt said a panel at an April security conference got contentious, clearly the folks in the audience didn’t get the message. It’s not that any of the panelists were wrong, but if you don’t package the message in a way that will get through to the other party, there is no wrong or right. Only wrong. So keep that in mind next time you present to business folks or chastise a user for doing something stupid. – MR The cloud is down. No it isn’t. Yes it is: Last week there was another cloudastrophe when Amazon AWS had an outage in their main US data center. The root cause was a combination of weather and a failure in their emergency power procedures. I don’t overly blame them, since it’s really hard to effectively test every scenario like that. But it’s a reminder that not only can the cloud go down, but it can be difficult to architect availability for such a complex system. Extremely difficult, as Netflix shared in a killer post discussing why they went down. Now, for the record, this was a major personal disaster because my 3 year old couldn’t watch “the Apple TV” (which also had a “rough morning” Tuesday due to low bandwidth). This isn’t a security failure but it does highlight the complexity of fully moving to cloud and how that impacts fundamental design and DR/BC scenario planning. Security is no different than availability and we are all going to learn some of these lessons together the hard way. – RM No access, no problem: Brandon Williams asks how do we arm small and medium businesses (SMB) for the change in threat landscape with the switch to EMV cards? His premise is that if the EMV credit card format comes to the US, we expect to see a shift from “card present” to “card not present” (i.e., Internet sales) fraud, mirroring the trend in Europe. The cards are harder to forge, the terminals perform some validation, and the infrastructure supports real point to point encryption instead of the mockery we’ve seen for the last decade or so. But does that mean SMB is at a disadvantage? I don’t think that’s the case. The terminals are expensive, but SMBs have lower overall switching costs to EMV. By combining it with tokenization, they have removed sensitive data from their environments, and pushed much of the liability back on payment processors by not being privy to payment data. Logically there is little difference between an Internet sale and an EMV transaction – payment gateways offer plug-ins and edge tokenization services perform equivalently to EMV without a card reader. As the merchant

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.