I am in a bit of a pickle, and could use some advice.

Over the time I have been an analyst, I have learned that it is important to have the right distribution of research. My rule of thumb is 80-90% of it should be practical research to help people get their jobs done on a daily basis. Then you can spend 10-20% on future research that I promise not to call thought leadership.

Many analysts (and other pundits) fall into an esoteric trap, where they are so desperate to be seen as leaders that their research becomes more about branding and marketing, and less about helping people get their jobs done. It is totally fine to tilt at the occasional windmill, but everything in moderation. The corollary is that once you focus on the future too much you disconnect from the present and lose your understanding of current technologies and trends, and your subsequent predictions are based on reading science fiction and bad tech media articles. Those aren’t worth the bits they are printed on.

And yeah, there is a lot of that going around. Always has been, especially in conference keynotes.

This isn’t merely for ego gratification. On the business side you can’t survive long by selling research that doesn’t help someone get their job done. Many of my former Gartner colleagues lose track of this because they think people like their new “connected enterworld” junk, as opposed to paying for Magic Quadrants so they don’t lose their jobs when they buy something in the upper-right quadrant that doesn’t work. For a small firm like us, screw up the mix and it’s back to truck driving school.

My dilemma is that a lot of the research I’m working on appears to be ahead of the general market, but still very practical and usable. I am thinking specifically of my work on Software Defined Security and DevOps. It’s the most fulfilling research I have done in a long time, especially because it gets me back to coding – even at a super-basic level. But I am borderline tilting at windmills myself – relatively few organizations are operationally ready for it.

So it isn’t a load of hand-waving bullpoop – it is all real and usable today – but not for many organizations that lack the time or resources to start integrating these ideas. Not everyone has free time to play with new things. Especially with all the friggin’ auditors hanging over your head.

Anyway, I have been bouncing this off people since Black Hat and am interested in what you folks think. I would love to make a go of it and have at least half my research agenda filled with using APIs, securing cloud management planes, integrating security into DevOps, and the like, but only if there is real interest out there – I gotta pay the bills. Drop me a line at rmogull at securosis dot com if you have an opinion, or leave a comment on this post.

Thanks, and on to the Summary:

Blog Comment of the Week

This week’s best comment goes to Dean, in response to Deming and the Strategic Nature of Security.

Deming’s head would explode if he had to deal with security risks. Other risks are bad, but information security is worse.

  • Distributions of impacts have fat tails. Their means keep increasing and their variances get larger the more data you have. The central limit theorem doesn’t even hold.
  • Information and information losses are often intangible things like intellectual property and brand “goodwill”. Accounting rules discourage assignments of values to IP except under special circumstances like actually selling patent rights or writing off losses.
  • Because malware developers and APT teams come up with new tools & techniques every day, the statistics of risk-generation processes aren’t ergodic; they’re not even stationary. Almost all of the assumptions of six-sigma theory are violated, and the whole agenda becomes a facade.

Under these circumstances, structuring your IT environment and business functions to limit the damage from any given incident is the most important thing that you can do. Outsourcing business functions (not infrastructure!) with strong penalties for SLA violations, nowadays to SaaS providers, adds diversity and transfers risk, which may be more than enough compensation for the loss of control that it also entails.
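To put numbers on Dean’s first bullet, here is an added simulation (my code, not part of the original post or the comment) that contrasts a thin-tailed loss distribution with a Pareto one whose tail index is below 1, the regime where the sample mean and variance never settle down however much data you collect. The two distributions, the seed and the checkpoint sizes are my own assumptions.

```python
import random


def running_moments(samples, checkpoints):
    """Single-pass (Welford) sample mean and variance of the first n draws,
    reported at each n in `checkpoints`. Returns {n: (mean, variance)}."""
    wanted = set(checkpoints)
    out, n, mean, m2 = {}, 0, 0.0, 0.0
    for x in samples:
        n += 1
        delta = x - mean
        mean += delta / n
        m2 += delta * (x - mean)
        if n in wanted:
            out[n] = (mean, m2 / (n - 1) if n > 1 else 0.0)
    return out


def thin_tailed(rng):
    """Ordinary risk: exponential losses, mean 1 and variance 1 (both finite)."""
    return rng.expovariate(1.0)


def fat_tailed(rng):
    """Security-style risk: Pareto losses with tail index 0.8 (scale 1).
    With index < 1 the population mean, and hence the variance, is infinite,
    so the sample moments keep drifting upward as the sample grows."""
    return rng.paretovariate(0.8)


CHECKPOINTS = (100, 1_000, 10_000, 100_000)  # assumed sample sizes


def simulate(draw, seed=7, n_max=CHECKPOINTS[-1], checkpoints=CHECKPOINTS):
    """Seeded so a run is reproducible; returns {n: (mean, variance)}."""
    rng = random.Random(seed)
    return running_moments((draw(rng) for _ in range(n_max)), checkpoints)


if __name__ == "__main__":
    for name, draw in (("exponential", thin_tailed), ("pareto(0.8)", fat_tailed)):
        print(name)
        for n, (mean, var) in sorted(simulate(draw).items()):
            print(f"  n={n:>7}  mean={mean:12.3f}  variance={var:16.1f}")
```

The exponential moments converge to 1 by the last checkpoint; the Pareto ones do not converge at all, which is why an average-loss figure computed from last year’s incidents says little about next year’s.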