Here it is Friday again, and it feels like just a few minutes ago that I was writing the last Friday summary. This week has been incredibly busy for both of us. Rich has been out for the count most of this week with a stomach virus, wandering his own house like a deranged zombie. This was not really a hack; they were just warning Rich’s neighborhood. As the county cordoned off his house with yellow tape and flagged him as a temporary bio-hazard, I thought it best to forgo this week’s face-to-face Friday staff meeting and get back on track with our blogging. Between the business justification white paper that we launched this week and being on the road for client meetings, we’re way behind. A few items of interest …
It appears that data security is really starting to enter the consciousness of the common consumer. Or at least it is being marketed to them. There were even more advertisements in the San Jose airport this week than ever: the ever-present McAfee and Cisco ads were joined by Symantec and Compuware. The supermarket has identity theft protection pamphlets from not one but two vendors. The cherry on top of this security sundae was the picture of John Walsh in the in-flight magazine, hawking “CA Internet Security Suite Plus 2009”. I was shocked. Not because CA has a consumer security product, or because it is being marketed alongside Harry Potter commemorative wands, holiday meat platters and low-quality electronics. No, it was John Walsh’s smiling face that surprised me. Because John Walsh “Trusts CA Security Products to keep your family safe”. WTF? Part of me is highly offended. The other part of me thinks this is absolutely brilliant marketing. We have moved way beyond a features and technology discussion, and into JV-celebrities telling us what security products we should buy. If it were only that easy.
Myopia Alert: I am sure there are others in the security community who have gone off on this rant as well, but as I did not find a reference anywhere else, I thought this topic was worth posting. A word of caution for you PR types out there who are raising customer and brand awareness through security webinars and online security fora: you might want to have some empathy for your audience. If your event requires a form to be filled out, you are going to lose a big chunk of your audience, because people who care about security care about their privacy as well. The audience member will bail, or your outbound call center will be dialing 50 guys named Jack Mayhoff. Further, if that entry form requires JavaScript and a half dozen cookies, you are going to lose a bigger percentage of your audience, because JavaScript is a feature and a security threat rolled into one. Finally, if the third-party vendor you use to host the event does not support Firefox or Safari, you will lose the majority of your audience. I am not trying to be negative, but I want to point out that while Firefox, Safari and Opera may only constitute 25% of the browser market, they are used by 90% of the people who care about security.
Final item I wanted to talk about: our resident wordsmith and all-around good guy Chris Pepper forwarded Rich and me a Slashdot link about how free Monty Python material on YouTube has caused their DVD sales to skyrocket. Both Rich and I have raised similar points here in the past, and we even referred to this phenomenon in the Business Justification for Security Spending paper when explaining why it can be hard to understand damages. While organizations like the RIAA feel this is counter-intuitive, it makes perfect sense to me and to anyone else who has ever tried guerrilla marketing or seen the effects of viral marketing. Does anyone know if the free South Park episodes did the same for South Park DVD sales? I would be interested. Oh, and Chris also forwarded Le Wrath di Kahn, which was both seriously funny and really works as opera (the art form; I didn’t test it in the browser).
On to the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences:
- Rich did a webcast with Roxana Bradescu of Oracle on Information Security for Database Professionals. Here is the sign-up link, and I will post a replay link later when I get one from Oracle.
Favorite Securosis Posts:
- Rich: Launch of the Business Justification for Security Spending white paper. Whew!
- Adrian: The Business Justification for Data Security post on Risk Estimation. I knew this was going to cause some of the risk guys to go apoplectic, but we were not building a full-blown risk management model, and frankly, risk calculations made every model so complex that no one could use it as a tool.
Favorite Outside Posts:
- Adrian: Informative post by Robert Graham on Shellcode in software development. Write once, run anywhere malware? Anyone?
- Rich: XKCD was a riot. [What my friend John Kelsey used to call “Lead Pipe Cryptanalysis”]
- Nine million, in cold hard cash, stolen from ATMs around the world. Wow.
- I will be blogging more on this in the future: Symantec and Ask.com joint effort. Marketing hype or real consumer value?
- Very informative piece on how assumptions of what should be secured and what we can ignore are often the places where we fail.
- Addicted to insecurity.
- At least 600k US jobs lost in January.
- Google thought everyone was serving malware.
- This is an atrocious practice: the EULA tells you that you can’t use your firewall, and that they can take all your bandwidth.
- RBS breach was massive, and fast.
Blog Comment of the Week:
From Chris Hayes on the Risk Estimation for Business Justification for Data Security post:
Up to this point in the series, this “business justification” security investment model appears to be nothing more than a glorified cost-benefit analysis wrapped up in risk/business terminology with a little bit of controls analysis thrown in.
I hope that the remaining posts will include something along the lines of “business justification” in the context of business goal alignment, risk tolerance levels of decision makers, and differentiating between vulnerability, risk, threat event frequency, and loss event frequency, terms which your model dances around.
I look forward to reading the remaining posts before passing final judgment. In the meantime, I would encourage readers to take a look at the FAIR methodology as well as the Open Group’s recently published “Risk Taxonomy” technical standard.
As opposed to what? Lots to consider on this topic.
It’s a really nice day here in Phoenix, so it is time to go outside and enjoy some sun.