We announced the launch of the Contributing Analyst and Intern program earlier this week, with David Mortman and David Meier filling these respective roles. I think the very first Securosis blog comment I read was from Windexh8r (Meier), and Chris Hoff introduced me to David Mortman a couple years ago at RSA, so I am fortunately familiar with both our new team members. We are lucky to have people with such solid backgrounds wanting to join our open source research firm. Rich and I put up a blog post a few weeks ago and said, “Hey, want to learn how to be an analyst?” and far more people signed up than we thought, but the quality and and the depth of security experience of our applicants shocked us. That, and why they want to be analysts.
I never considered being an analyst at any point in my career prior to joining Securosis. There were periods where I was not quite sure which path I would take in my line of work, so I experimented with several roles during my career (CTO, CIO, VP, Architect). It was a classic case of “the grass is always greener”, and I was always looking for a different challenge, and never quite satisfied. But here it is, some 15 months after joining Rich and I am enjoying the role of analyst. To tell you the truth, I am not really sure what the role is exactly, but I am having fun. This is not exactly a traditional analysis and research firm, so if you asked me the question “What does an analyst do?”, my answer would be very different than you’d get from an analyst for one of the big firms. A couple weeks ago when Rich and I decided to start the contributing analyst and intern positions, we understood we would have to train others to do what we do. Rich and I kind of share a vision for what we want to do, so there’s not a lot of discussion. Now we have to articulate and exemplify what we do for others.
It dawned on me that I have been learning from Rich by watching. I had the research side down cold before I joined, but being on the receiving end of the briefings provides a stark contrast between vendor and analyst. I have been part of a few hundred press & analyst meetings over the years, and I understood my role as CTO was to describe what was new, why it mattered, and how it made customers happy. I never considered what it took to be on the other side of the table. To be harsh about it, I assumed most of the press and analysts were neither technical nor fully versed in customer issues because they had never been in the trenches, and really lacked the needed perspective to help either vendors or customers in a meaningful way. They could sniff out newsworthy items, but not why it mattered to the buyers. Working with Rich dispelled this myth. The depth and breadth of information we have access to is staggering. Plus Rich as an analyst possesses both the technical proficiency and the same drive (passion) to learn which good software developers and security researchers possess. Grasp the technology, product, and market; then communicate how the three relate; is a big part of what we do. And perhaps most importantly, he has the stomach to tell people the truth that their baby is ugly.
Anyway, this phase of Securosis development is going to be good for me and I will probably end up learning as much of more than our new team members. I look forward to the new dimension David and David will bring. And with that, here is the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich was quoted in SC Magazine on Trustwave’s acquisition of DLP vendor Vericept.
- Rich spoke last week at the Phoenix OWASP chapter.
Favorite Securosis Posts
- Rich: My first rough cut post on data security in the cloud. I had another halfway finished, before our blog software ate it. I got bit in the aaS by our SaaS.
- Adrian: I have been wanting to talk about Format and Datatype Preserving Encryption for the last three months and finally got the chance to finish the research.
Other Securosis Posts
- Say Hello to the New (Old) Guys
- Data Protection Decisions Seminar in DC next week!
- Critical MS Vulnerabilities – September 2009
- Cloud Data Security Cycle: Create (Rough Cut)
Project Quant Posts
Favorite Outside Posts
- Adrian: Bruce Schneier’s post on File Deletion highlights the issues around data retention in Cloud/SaaS environments.
- Rich: Amrit Williams and Peter Kyper on the state of the security industry.
Top News and Posts
- Critical Microsoft Vulnerabilities grab the headlines this week.
- Ryan Naraine’s update on one of the vulnerabilities.
- Some Defenses for the TCP DoS vulnerabilities posted at Dark Reading.
- Ignoring the article hype angle, cross VM hacking is interesting research, even if unrealistic.
- Government to accept Yahoo, Google and Paypal credentials. Holy hackers, Batman, it’s full of holes. You know, holey.
- Nice post on Ars Technica on Anonymization and data obfuscation.
- Trustwave acquires Vericept.
- iPhone 3.1 anti-phishing seems to be working (or not) oddly.
- Firefox will now check your Flash version, which is pretty darn awesome and should be in every browser.
- Court allows woman to sue bank after her account is leeched. Expect to see more of this, since this sort of crime is dramatically increasing.
- Ever travel? Check out everything the TSA stores about you.
Blog Comment of the Week
This week’s best comment comes from pktsniffer in response to Format and Datatype Preserving Encyrption:
Your right on the money. We had Voltage in recently to give us their encryption pitch. It was the ease of deployment using FFSEM that they were ‘selling’. I too have concerns regarding the integrity of the encryption but from an ease of deployment perspective it’s a very nice solution. The problem that we face is moving data from one system to the next via one or two integration layers makes recoding or changing DB structures somewhat complex (read time consuming).
It will be interesting to see how the PCI standard evolves with regards to what it considers acceptable in the crypto world.