Securosis

Research

Feeding at the Data Breach Trough

They say when industries go nutty with consolidation and high-dollar M&A deals, the only folks who really make money are the bankers and the lawyers. Shareholders end up holding the bag, but these folks have moved on to the next deal. Given all the recent retail sector breaches (there are too many to even link), let’s take a look at who is going to profit. Mostly because we can. The forensicators are first in line. They are running the investigations and figuring out how many millions of identities and credit cards have been stolen. The next group feeding at the breach trough are the credit monitoring folks, who get a bulk purchase agreement each time to cover consumers who were compromised this time. The crisis communication PR folks also generate hefty bills. Customers are pissed and the retailer is on the evening news – not for the new store design. The company needs to start driving the message, which means they need PR heavies to start spinning like a top. Ka-ching. Of course security vendors win as well. There is no time to grab security budget like right after a breach. Senior management doesn’t ask why – they ask whether it is enough. Every security salesperson tells tall tales about how their products and services would have stopped the breach. Who cares if the offering wouldn’t have made a difference? Don’t let the truth get in the way of the new BMW payment! It’s a feeding frenzy for a few quarters after the breach. Sell, sell, sell! But it doesn’t end there – lawyers always get their piece of the action by launching a variety of class-action suits against the retailer. We haven’t yet (to my knowledge) seen a successful judgement against a company for crappy security resulting in lost identities, but it’s coming. Although it is usually just easier to settle the class action rather than fight it. The lucky winners in the class action might each get a $5 gift card. The lawyers walk away with 20-30% of the judgement. Yes, that’s a lot of gift cards. Internally the company needs to make sure this kind of thing doesn’t happen again. So they fire the existing CISO and look for another one. Then the security recruiters spring into action. The breached retailer is looking, but many others will either try to fill their own positions, or perhaps decide to make a change before they find themselves in the same unhappy place. Of course the new CISO had better take advantage of the first few quarters during the honeymoon, with a mandate to fix things. Lord knows that doesn’t last long. Soon enough retailers always realize they are still in a low-margin business, and spending on security technology like a drunken sailor hasn’t helped sell more widgets. But that flyer in the Sunday paper offering a 35% discount sure did. Finally, let’s not forget the shareholders. You’d think they’d be losers in this situation, but not so much. Wall Street seems to be numb to breaches by now. The analysts just build the inevitable write-down into the model and move on. If anything it forces companies to button down some leaky operational issues and might even improve performance. Of course the loser is the existing CISO and maybe the CIO, who get thrown under the bus. But don’t feel too bad for them. They will probably write a book and do some consulting while they collect the severance package and the road rash heals. Then they’ll get back in the game by being candid about what they learned and how they will do it differently next time. We have all seen this movie before. And we’ll see it again. And again. And again. Photo credit: “Pigs at trough, 1927” originally uploaded by King County, WA Share:

Share:
Read Post

Summary: Seven Year Scratch

Sometimes life sneaks up on you. Often when I am introduced to new clients and professional contacts, it is as “Analyst and CEO of Securosis; he used to be at Gartner”. I am fully cognizant of the fact that not only is Gartner where I started my analyst career, but also that my time and title there are the reason I was able to start Securosis. Not only did I learn how to be an analyst, but the Gartner name (as much as it pains some people) still carries a lot of weight. Leaving as a VP carries even more (a gift from my former boss, who knew he could never get my pay where it needed to be). It still carries weight to this day. We have a hell of a good brand in Securosis, but large swaths of the world have never heard of us. “Former Gartner” still helps open those doors. Even though the kind of work we do today carries very little resemblance to what I did back at the G. To be honest, I’m not even sure we are analysts anymore. It’s still part of what we do, but only one facet. Recently I have run into more of my former colleagues at various events. Black Hat, Boxworks, and other random analyst days and conferences. Most of them still work there, and all are shocked when I mention that I have now been running Securosis longer than I was at Gartner. This summer we passed the 7-year mark as a company. That’s exactly as long as I was at Gartner, and I wasn’t even an analyst for my first year. It’s longer than any other professional job I have held, and almost as long as I spent at the University of Colorado (8 years for my undergrad – it’s a Boulder thing). I still remember the first few months of the company. How I could barely sleep at night because I was so excited about what the next day would hold. Waking up early and jumping on my computer to blog, research, and spend entirely too much time on Twitter. Seven years is a long to maintain that enthusiasm. Since then I have added three children to my family, been through two major medical challenges, and built up the stress and overhead that comes from moving from a one-person shop with no clients… to one with partners, contributors, software platforms, and dozens of active clients (not counting all the one-off projects). I now literally lose entire days purely to dealing travel plans, invoices, and expenses. And really, no one with three kids under the age of five ever wakes up, on their own, with enthusiasm. But despite the overhead, chronic sleep deprivation, and stress of deadlines and commitments, this is the single most exciting time of my career. I may wake up a little rough around the edges, and feel like there is never enough time in the day, but I am engaged in my most compelling and challenging work since I first entered the workforce as an underweight security guard. About four or five years ago I placed a bet on cloud computing, and later on what is now known as DevOps. Those bets are paying off bigtime as those entangled disruptive forces trigger massive changes in how we deliver and consume technology. Aside from paying off financially (apparently there still aren’t that many people who really understand cloud and DevOps security out there), the work is… exciting. It’s a hell of a lot of fun. Every day I wake up not only with something new to learn, but with the confidence that I can use it to support my family as I gain and expand that knowledge. It is really hard to imagine a better job (without zero gravity or secret lairs). Although being interviewed by the Wall Street Journal on celebrity nudes was still kind of a surprise. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted in the Wall Street Journal on the celebrity hacks. Rich’s article on the same issue at TidBITS. And a zillion other articles on the story. Mike quoted on context-aware security in SearchNetworking. Mike quoted on Wendy Nather being named a “Power Player” in Security. Wendy is awesome and one of our favorite people in the industry. Mike couldn’t be happier to be quoted in the piece. Mike’s “Change Agent” – Trusted Information Systems. Mike did a blog post/video for Digital Guardian naming a “change agent” that had an impact on how security has evolved… Check it out. Mortman Quoted about DevOps by the Hulminator. Chasing consistency across the wild seas of enterprise IT Favorite Securosis Posts Let’s be honest: we only had three posts by Mike this week, so we’ll call them all favorites. Other Securosis Posts Feeding at the Data Breach Trough. Incite 9/3/2014: Potential. PR Fiascos for Dummies. Favorite Outside Posts Mike Rothman: Infosec is a strange industry. Gunnar is right. There are many parallels between security and finance (another ‘strange’ industry). I’d add another to the list. Success in security is when nothing happens. If that’s not strange, I don’t know what is… Adrian Lane: 11 Reasons Email Is the Worst. This is fascinating – not for the insights into the limitations of email, but for its astute examination of human behavior. Worth the read! Rich: Not Safe for Not Working On by Dan Kaminsky. Dan really addresses the root issue here, at both psychological and practical levels. Must read. Gunnar: Hacker Breached HealthCare.gov Insurance Site. “If this happened anywhere other than HealthCare.gov, it wouldn’t be news,” a senior DHS official said.” Not the best excuse. Mortman: Bringing new security features to Docker. Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.