I am in a bit of a pickle, and could use some advice.
Over the time I have been an analyst, I have learned that it is important to have the right distribution of research. My rule of thumb is 80-90% of it should be practical research to help people get their jobs done on a daily basis. Then you can spend 10-20% on future research that I promise not to call thought leadership.
Many analysts (and other pundits) fall into an esoteric trap, where they are so desperate to be seen as leaders that their research becomes more about branding and marketing, and less about helping people get their jobs done. It is totally fine to tilt at the occasional windmill, but everything in moderation. The corollary is that once you focus on the future too much you disconnect from the present and lose your understanding of current technologies and trends, and your subsequent predictions are based on reading science fiction and bad tech media articles. Those aren’t worth the bits they are printed on.
And yeah, there is a lot of that going around. Always has been, especially in conference keynotes.
This isn’t merely for ego gratification. On the business side you can’t survive long by selling research that doesn’t help someone get their job done. Many of my former Gartner colleagues lose track of this because they think people like their new “connected enterworld” junk, as opposed to paying for Magic Quadrants so they don’t lose their jobs when they buy something in the upper-right quadrant that doesn’t work. For a small firm like us, screw up the mix and it’s back to truck driving school.
My dilemma is that a lot of the research I’m working on appears to be ahead of the general market, but still very practical and usable. I am thinking specifically of my work on Software Defined Security and DevOps. It’s the most fulfilling research I have done in a long time, especially because it gets me back to coding – even at a super-basic level. But I am borderline tilting at windmills myself – relatively few organizations are operationally ready for it.
So it isn’t a load of hand-waving bullpoop – it is all real and usable today – but not for many organizations that lack the time or resources to start integrating these ideas. Not everyone has free time to play with new things. Especially with all the friggin’ auditors hanging over your head.
Anyway, I have been bouncing this off people since Black Hat and am interested in what you folks think. I would love to make a go of it and have at least half my research agenda filled with using APIs, securing cloud management planes, integrating security into DevOps, and the like, but only if there is real interest out there – I gotta pay the bills. Drop me a line at rmogull at securosis dot com if you have an opinion, or leave a comment on this post.
Thanks, and on to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Mike’s DDoS research quoted in the Economist… Really. Security issues are clearly becoming mass market news.
- Mike quoted in Dark Reading about Websense’s free CSO advisory offering.
- Don’t Be The Tortoise. Rich digs into his old book of parables at Dark Reading to point out that: “Agility may not always win the race, but you sure shouldn’t bet against it.”
- Incentives and Organizational Alignment (Or Lack Thereof). Mike’s latest Dark Reading column on Vulnerabilities and Threats.
- Rich on Threatpost – How I Got Here. I got to do my third favorite thing, talk about myself.
- Dave Mortman on Big Data Security Challenges.
- Rich’s piece on Apple’s security design quoted in a Techpinions article.
- Dave Lewis at CSO Online: Innovation And The Law Of Unintended Consequences.
- And more of Mr. Lewis: My (ISC)2 Report Card.
Favorite Securosis Posts
- Mike Rothman: The future of security is embedded. Gunnar weighs in on our little blog ‘discussion’ about how to prove value in a security operation. And no, I don’t really think Rich and I were arguing.
- Rich: Random Thought: Meet Your New Database. Some trends are real. Both Adrian and I, former DBAs and developers, would likely go non-relational with our next projects.
- Mort: PCI 3.0 is coming. Hide the kids.
Other Securosis Posts
- Tracking the Syrian Electronic Army.
- Third Time is the Charm.
- Security is Reactive. Learn to Love It.
- Deming and the Strategic Nature of Security.
- Incite 8/27/2013: You Can’t Teach Them Everything.
- Reactionary Idiot Test.
- VMWare Doubles Down on SDN.
- China Suffers Large DNS DDoS Attack.
- Friday Summary: August 23, 2013.
- “Like” Facebook’s response to Disclosure Fail.
- Research Scratchpad: Stateless Security.
- New Paper: The 2014 Endpoint Security Buyer’s Guide.
- Incite 8/21/2013: Hygienically Challenged.
- Two Apple Security Tidbits.
- Ecosystem Threat Intelligence: Use Cases and Selection Criteria.
- Ecosystem Threat Intelligence: Assessing Partner Risk.
Favorite Outside Posts
- Mike Rothman: Innovation and the Law of Unintended Consequences. Dave has been killing it in his CSO blog. This latest one deals with the fact that until we can do security fundamentals well, dealing with all of these shiny innovative security objects is like moving deck chairs on the Titanic.
- David Mortman: ITIL vs. DevOps: Slugfest or Lovefest?
- Rich: Dark Patterns: inside the interfaces designed to trick you. Really great design stuff.
Research Reports and Presentations
- The 2014 Endpoint Security Buyer’s Guide.
- The CISO’s Guide to Advanced Attackers.
- Defending Cloud Data with Infrastructure Encryption.
- Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment.
- Quick Wins with Website Protection Services.
- Email-based Threat Intelligence: To Catch a Phish.
- Network-based Threat Intelligence: Searching for the Smoking Gun.
- Understanding and Selecting a Key Management Solution.
- Building an Early Warning System.
- Implementing and Managing Patch and Configuration Management.
Top News and Posts
- New York Times DNS Hacked.
- Android malware WAY worse than iOS.
- Russian spyboss brands Tor a crook’s paradise, demands a total ban.
- Obama administration asks court to force NYT reporter to reveal source.
- Amazon ‘wish list’ is gateway to epic social engineering hack.
- Former White House ‘copyright czar’ appointed CEO of powerful tech lobby group. Friggin’ revolving door. Shameful.
Blog Comment of the Week
This week’s best comment goes to Dean, in response to Deming and the Strategic Nature of Security.
Deming’s head would explode if he had to deal with security risks. Other risks are bad, but information security is worse.
- Distributions of impacts have fat tails. Their means keep increasing and their variances get larger the more data you have. The central limit theorem doesn’t even hold.
- Information and information losses are often intangible things like intellectual property and brand “goodwill”. Accounting rules discourage assignments of values to IP except under special circumstances like actually selling patent rights or writing off losses.
- Because malware developers and APT teams come up with new tools & techniques every day, the statistics of risk-generation processes aren’t ergodic; they’re not even stationary. Almost all of the assumptions of six-sigma theory are violated, and the whole agenda becomes a facade.
Under these circumstances, structuring your IT environment and business functions to limit the damage from any given incident is the most important thing that you can do. Outsourcing business functions (not infrastructure!) with strong penalties for SLA violations, nowadays to SaaS providers, adds diversity and transfers risk, which may be more than enough compensation for the loss of control that it also entails.