RSAC Guide 2015: Go Pro or Go Home

In the United States there’s a clearly defined line between amateur and professional athletes. And in our wacky world of American sports we have drafts, statistics, hefty contracts, trophies, and rings to demonstrate an athlete’s success. In other sports and other parts of the world, the lines between amateur and pro athletes can be a bit murky. Take rugby, for example, where club teams compete in a bracket system to earn their spot up (or down) the ranks of European rugby series. Imagine the Seahawks moving down to a lesser series next season as a result of their 2015 Super Bowl loss, and you start to understand the blurred lines of some professional athletes.

But in the security world the pressure runs both ways. Our entire profession no longer needs to prove the world has a security problem – the headlines scream it nearly every day. And while some people still think they are playing club security, it turns out they moved up to the World Cup and never really noticed. In the matter of only a few years, our entire industry rocketed into the majors, like it or not. And to further muddle our metaphor, a fair few armchair quarterbacks are in the big leagues and now need to put up or shut up. All right, maybe we pushed that a little too far.

Here’s the situation: information security is on the front lines of protecting our economies and infrastructure. It’s a level of validation many security professionals have wanted for years, but now that it’s here it exposes personal and professional weaknesses. There is massive demand for pragmatic security pros who can get the job done, but not enough of us to fill all the positions. It is a scarcity that must be filled, despite the skills shortage. This creates a revolving door as people pop up to positions of trust, fail to meet the requirements, and get pushed back down. You’ll see this skills shortage play out throughout the conference.
On the floor it will show as more and more companies offer services and emphasize automation and reduction of operational costs. In presentations it will manifest as professional development and making do with less. Behind all of it is the challenge: how can you go pro and stay there? The answer isn’t easy, but it isn’t a mystery. Follow our going-pro advice, and your rankings will soar. Seek these five I’s to “Go Pro” at RSA:

  • Integration: Create more value by connecting data points for automated actions and defense. You’ll see a lot of talks and solutions touting integration this year at RSA. Seek out and soak in anything that could help your environment.
  • Iteration: Explore continuous improvement through DevOps and Agile methodologies – things that build security in, rather than trying to protect things from the outside.
  • Intelligence: Effectively applying threat intelligence will boost your abilities. Out of the 350 breakout sessions at RSA this year, it seems like 178 involve threat intelligence, so you have plenty of opportunity. As Michael Jordan says, “Talent wins games, but teamwork and intelligence wins championships.”
  • Innovation: Show you can go pro by sifting through marketing fluff to find the real innovation at RSA. Oh yeah, it’s there, hiding in the haystack, and around the perimeter of the show floor.
  • Information: Don’t just consume it – give it back. Just remember that data is valued more than opinion. Opinions are like… well, you know the saying.

RSA is the Goliath of information security conferences. Despite our critical raised brows at many of the vendors’ sugar-coated crap, the truth is there’s a huge opportunity to learn and teach throughout the week. If you can’t find some value on your path to going pro – that’s your problem.


RSAC Guide 2015: Key Theme: Change

Every year we like to start the RSA Guide with a review of major themes you will most likely see woven through presentations and marketing materials on the show floor. These themes are a bit like channel-surfing late-night TV – the words and images themselves illustrate our collective psychology more than any particular needs. It is easy to get excited about the latest diet supplement or workout DVD, and all too easy to be pulled along by the constant onslaught of finely-crafted messaging, but in the end what matters to you? What is the reality behind the theme? Which works? Is it low-carb, slow-carb, or all carb? Is it all nonsense designed to extract your limited financial resources? How can you extract the useful nuggets from the noise?

This year we went a little nutty, and decided to theme our coverage with a sports and fitness flavor. It seemed fitting, considering the growth of security – and the massive muscle behind the sports, diet, and fitness markets. This year Jennifer Minella leads off with our meta theme, which is also the conference theme: change. –Rich

This year at RSA the vendors are 18% more engaged, solutions are 22% more secure, and a whopping 73% of products and solutions are new. Or are they? To the untrained eye the conference floor is filled with new and sensational technologies, ripe for consumption – cutting-edge alongside bleeding-edge – where the world comes to talk security. While those percentages may be fabricated horse puckey, the underlying message here is about our perception of – and influence over – real change.

“It’s like deja-vu, all over again,” as Yogi Berra once mused. Flipping through the conference guide, that will be the reaction of observers who have made their way by watching the ebbs and flows of our industry for years.
The immediate recognition of companies acquired, products rebranded, and solutions washed in marketing to make them 84% shinier feeds a skeptical doubt that we are actually making progress through this growth we call ‘change’. So here is our Public Service Announcement: change is not necessarily improvement.

Change can be good, bad, or neutral, but for some reason our human brains crave it when we are at an impasse. When we hit a wall or bonk – when we are frustrated, confused, or just pissed off – we seek change. Not only seek, but force and abuse it. We wield change in unusual and unnatural ways because something that’s crappy in a new and different way is better than the current crappy we already have. At least with change there’s a chance for improvement, right?

And there is something to be said for that. Coach John Wooden said “Failure is not fatal, but failure to change might be.” If we keep changing – if we keep taking more shots on goal – eventually we’ll score. But are we changing the right things? Does reorganizing, rebranding, or reinventing the cloud or the IoT help in a meaningful way? Perhaps, but you are not simply at the mercy of change around you. You, too, can influence change.

This year as you walk around the sessions, workshops, and booths at RSA, look for opportunities to change other things. Change your perspective, change your circle of influence, change your approach, or change your habits. Ask questions, meet new people, and consider the unimaginable. We guarantee at least 19% change with a 12% effort, 99% of the time.

by Jennifer Minella, Contributing Analyst

This article first appeared on the RSA Conference blog at


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3-day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.