Every year Mike, Adrian, and I get together for a couple days to review our goals and financials, and to make plans for the next year. This year we scheduled it in Denver, and by an amazing coincidence Jimmy Buffett was in town playing.
Really. I promise. Total coincidence.
I have been to more than my fair share of shows (and have to write this Summary on Wednesday because I will be at another show Thursday in Phoenix), but it was Mike’s first and Adrian’s second. Needless to say, a good time was had by everyone except Mike’s stomach. I warned him about the rum-infused gummy bears.
2013 was kind of a strange year for us. It looks like we grew, again, but a lot of it was shoveled into Q4. All three of us are running all over the place and cramming on projects and papers, hoping our children and pets don’t forget what we look like. I even thought about skipping our planning, but setting the corporate strategy is even more important than our other projects.
I went into this trip with an open mind. I knew I wanted to change things up a bit next year, but not exactly how. In part to do more direct end-user engagement, but also to allow me to continue my more in-depth and technical cloud and Software Defined Security work, which isn’t necessarily easily dropped into licensed papers and webcasts.
We actually came up with some killer ideas that are pretty exciting. I don’t know if they will work, but I think they hit a sweet spot in the market, and fit our skills and focus. It’s definitely too early to talk about them, and they aren’t as insane as building a new software platform, so launching won’t be a problem at all. We are going to hold back until January to start releasing because we need to finish the current workload and do the prep for the new shiny endeavors before we can talk about them.
And this is a great situation to be in. I just spent two days hanging with two of my closest friends and my business partners, catching a Buffett show and planning out new tricks for our collective future. I’m tired, and my brain is fried, but as I go back to the grindstone of the road and writing, I not only get to finish my year with some cool research, but I get to start planning some even more exciting things for next year.
Not bad.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Mike Rothman: The Great Securosis GitHub Experiment. That Mogull guy. Always pushing the envelope on openness and transparency. Interesting idea to use Github to manage feedback on our papers. Will be interesting to see if it works…
- Rich: Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust. I spent last week in crypto training and this paper is darn interesting.
- Adrian: Incite 10/23/2013: What goes up….
- David Mortman: Don’t Cry Over Spilt Metrics
Other Securosis Posts
Favorite Outside Posts
- Mike Rothman: Dan Geer’s Tradeoffs in Cyber Security talk. Dan Geer spoke. Dan Geer is awesome. Read. It. Now. And that’s all I have to say about that.
- Adrian Lane: iMessage Privacy. Regardless of whether you agree with Apple’s strategy, the post is a very educational look at security and how attackers approach interception.
- David Mortman: How to lose $172,222 a second for 45 minutes.
- Gal Shpantzer: Why the Sistrunk ICS/SCADA vulns are a big deal.
Research Reports and Presentations
- Firewall Management Essentials.
- A Practical Example of Software Defined Security.
- Continuous Security Monitoring.
- API Gateways: Where Security Enables Innovation.
- Identity and Access Management for Cloud Services.
- Dealing with Database Denial of Service.
- The 2014 Endpoint Security Buyer’s Guide.
- The CISO’s Guide to Advanced Attackers.
- Defending Cloud Data with Infrastructure Encryption.
- Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment.
Top News and Posts
- Apple and Adobe sandbox Flash in Safari on OS X 10.9.
- Google%20launches%20new%20anti-DDoS%20service%20called%20’Project%20Shield’
- Apple iMessage Open to Man in the Middle, Spoofing Attacks. Yes and no, and I wish I wasn’t traveling so much and could clarify how this appears to be overstated. Technically Apple could man in the middle, but it isn’t something random employees can do, nor do I think Apple would do it without a massive legal threat from the NSA or equivalent, which they would probably fight. Not that it couldn’t happen…
Blog Comment of the Week
This week’s best comment goes to DS, in response to Incite 10/23/2013: What goes up….
We’ve known for years (or should have known if we read the research) that security breaches don’t impact stock value. This is a trap many security folks find themselves in because they don’t understand their business, or business at all, so they use the most obvious and coarse metric of business impact.
…
The impact from a breach is complex and cannot be measured by one factor. There are fines and penalties. There are negative perceptions which can be leveraged against you (I can’t say how many sales calls I got from RSA competitors after their breach), there is lost productivity from having to divert resources to deal with customer complaints, there is lost focus on strategy while execs try to deal with the press requests and client enquires.
RSA’s breach cost around 100M if you believe the press. This is 100M not spent on developing new products or landing new customers, but instead spent preserving their base and protecting SecureID. This is not 100M well spent.
Comments