Here it is Friday again, and it feels like just a few minutes ago that I was writing the last Friday summary. This week has been incredibly busy for both of us. Rich has been out for the count most of this week with a stomach virus and wandering his own house like a deranged zombie. This was not really a hack; they were just warning Rich’s neighborhood. As the county cordoned off his house with yellow tape and flagged him as a temporary bio-hazard, I thought it best to forgo this week’s face-to-face Friday staff meeting and get back on track with our blogging. Between the business justification white paper that we launched this week and being on the road for client meetings, we’re way behind. A few items of interest …
It appears that data security is really starting to enter the consciousness of the common consumer. Or at least it is being marketed to them. There were even more advertisements in the San Jose airport this week than ever: the ever-present McAfee & Cisco ads were joined by Symantec and Compuware. The supermarket has Identity Theft protection pamphlets from not one but two vendors. The cherry on top of this security sundae was the picture of John Walsh in the in-flight magazine, hawking “CA Internet Security Suite Plus 2009”. I was shocked. Not because CA has a consumer security product, or because it is being marketed alongside Harry Potter commemorative wands, holiday meat platters and low-quality electronics. No, it was John Walsh’s smiling face that surprised me. Because John Walsh “Trusts CA Security Products to keep your family safe”. WTF? Part of me is highly offended. The other part of me thinks this is absolutely brilliant marketing. We have moved way beyond a features and technology discussion, and into JV-celebrities telling us what security products we should buy. If it were only that easy.
Final item I wanted to talk about: our resident wordsmith and all-around good guy Chris Pepper forwarded Rich and me a Slashdot link about how free Monty Python material on YouTube has caused their DVD sales to skyrocket. Both Rich and I have raised similar points here in the past, and we even referred to this phenomenon in the Business Justification for Security Spending paper when discussing why it can be hard to understand damages. While organizations like the RIAA feel this is counter-intuitive, it makes perfect sense to me and to anyone else who has ever tried guerrilla marketing, or seen the effects of viral marketing. Does anyone know if the free South Park episodes did the same for South Park DVD sales? I would be interested. Oh, and Chris also forwarded Le Wrath di Khan, which was both seriously funny and really works as opera (the art form; I didn’t test it in the browser).
On to the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences:
- Rich did a webcast with Roxana Bradescu of Oracle on Information Security for Database Professionals. Here is the sign-up link, and I will post a replay link later when I get one from Oracle.
Favorite Securosis Posts:
- Rich: Launch of the Business Justification for Security Spending white paper. Whew!
- Adrian: The Business Justification for Data Security post on Risk Estimation. I knew this was going to cause some of the risk guys to go apoplectic, but we were not building a full-blown risk management model, and frankly, risk calculations made every model so complex no one could use it as a tool.
Favorite Outside Posts:
- Adrian: Informative post by Robert Graham on Shellcode in software development. Write once, run anywhere malware? Anyone?
- Rich: XKCD was a riot. [What my friend John Kelsey used to call “Lead Pipe Cryptanalysis”.]
- Nine million, in cold hard cash, stolen from ATMs around the world. Wow.
- I will be blogging more on this in the future: Symantec and Ask.com joint effort. Marketing hype or real consumer value?
- Very informative piece on how assumptions of what should be secured and what we can ignore are often the places where we fail.
- Addicted to insecurity.
- At least 600k US jobs lost in January.
- Google thought everyone was serving malware.
- This is an atrocious practice: the EULA tells you you can’t use your firewall, and they can take all your bandwidth.
- RBS breach was massive, and fast.
Blog Comment of the Week:
From Chris Hayes on the Risk Estimation for Business Justification for Data Security post:
Up to this point in the series, this “business justification” security investment model appears to be nothing more than a glorified cost benefit analysis wrapped up in risk/business terminology with a little bit of controls analysis thrown in.
I hope that the remaining posts will include something along the lines of “business justification” in the context of business goal alignment, risk tolerance levels of decision makers and differentiating between vulnerability, risk, threat event frequency, and loss event frequency, terms which your model dances around.
I look forward to reading the remaining posts before passing final judgment. In the meantime, I would encourage readers to take a look at the FAIR methodology as well as look at the Open Group’s recently published “Risk Taxonomy” technical standard.
As opposed to what? Lots to consider on this topic.
It’s a really nice day here in Phoenix, so it is time to go outside and enjoy some sun.