Securosis

The Right Guy; the Wrong Crime

Internet troll “weev” sentenced to 41 months for AT&T/iPad hack

Weev is a total sociopath (not just a troll), and I have no sympathy for him. He wouldn’t know altruism if it kicked him in the nads, and I have little doubt his goal was to harm AT&T with his discovery. But, by all appearances, this is a weak case and a stretch of the Computer Fraud and Abuse Act, with consequences not only for legitimate security research but for Internet use in general. But don’t make him a martyr or an antihero. Weev is vile scum, who appears to be getting off on all the attention. If he wins on appeal he is bound to end up in jail sooner or later, but at least then it will be for a real crime, and hopefully it will not establish bad case law with chilling effects.


New Job Diligence

I am pretty upfront about my turbulent job history. Some of the issues were due to not doing enough homework up front before taking a job. But as I look back I am not sure I would have made different decisions about which jobs to take even if I had done more homework. A post at SCMagazine by Justin Somaini makes a couple of good points about what questions to ask before taking a CISO job:

“Understanding a company’s standing is always important. Is the company losing revenue? Have executives and/or board members left? Is the company prime for a takeover? Are competitors dominating the industry? All of these questions help determine a company’s health: a factor that will be critical to know if you’re going to make the right move. While risks can pay off, you want to know what you are getting into. A company in turmoil will be more resistant to funding projects, hiring new staff, or making security a priority.”

Okay, that’s pretty obvious. You need a shot upside the head with a clue bat if you aren’t really scrutinizing the financials and market position of any potential employer.

“One of the worst aspects of security groups, let alone IT, is staff management. It is common to have to restructure a team based on skills gaps. So always try to determine how large the team is in relation to the overall company and IT staffing. Typical security groups for companies of 10,000 to 15,000 full-time employees will have 25 to 30 staff. This does not include IT operational teams that I usually leave in a separate group. Is last year’s attrition rate at the typical 10 to 15 percent? Is the staff located in key areas for the company? Are there cascading goals from corporate objectives? Are reviews done quarterly and historically attached to goals? What are the results of the latest employee survey? Has there been a layoff or hiring freeze in the past 18 months? As with financial assets, not having the right human capital will only make your job tougher, so ask the questions.”
I am not sure you will get real answers to these questions. If you are interviewing for the senior role on any team you should expect senior management to tell you that you will be able to make the necessary changes to deliver results. Of course you can meet all the folks already on the team, but in my experience everyone is on their best behavior during the interview process. They will blow smoke in your hind section if they think they can salvage their jobs. So you won’t really know what folks can do, or the internal douche quotient, until you get boots on the ground and dig in.

That’s why I highly recommend a rent-to-buy scenario. Take a 3-month consulting gig, with the expectation that things will work out and you’ll become permanent at the end of that probationary period. That mitigates risk on both sides and can prevent serious mistakes. I have a good friend who did exactly this prior to a relocation. Within a month he knew the situation wasn’t a good fit, and he exited gracefully after his contract was up.

Let me throw one more point at you. There is no excuse for not making a few phone calls to learn what may not be obvious during interviews. Call some folks who will provide honest answers about culture and work environment. Yes, I’m talking about former employees. It still amazes me how many folks do not call me before taking a job I had, working for the same folks. I could have given them an informed perspective on some of the good and a lot of the bad. Of course it’s my opinion, but it’s another data point in a pretty important decision.

But go in with your head up. Understand you won’t know everything you need to know. Things will be different. Sometimes you’ll be pleasantly surprised. Other times not so much. Which is part of the game.

Photo credit: “Rent-A-Center store” originally uploaded by benchilada


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.