Good Morning:

Now that I’m two months removed from my [last] corporate job, I have some perspective on the ‘quarterly’ mindset. Yes, the pressure to deliver financial results on an arbitrary quarterly basis, which guides how most companies run operations. Notwithstanding your customer’s problems don’t conveniently end on the last day of March, June, September or December – those are the days when stuff is supposed to happen.

I can go for miles and miles and miles and miles and miles and miles. Oh yeah.It’s all become a game. Users wait until two days before the end of the Q, so they can squeeze the vendor and get the pricing they should have gotten all along. The sales VP makes the reps call each deal that may close about 100 times over the last two days, just to make sure the paperwork gets signed. It’s all pretty stupid, if you ask me.

We need to take a longer view of everything. One of the nice things about working for a private, self-funded company is that we don’t have arbitrary time pressures that force us to sell something on some specific day. As Rich, Adrian, and I planned what Securosis was going to become, we did it not to drive revenue next quarter but to build something that will matter 5 years down the line.

To be clear, that doesn’t mean we aren’t focused on short term revenues. Crap, we all have to eat and have families to support. It just means we aren’t sacrificing long term imperatives to drive short term results.

Think about the way you do things. About the way you structure your projects. Are you taking a long view? Or do you meander from short term project to project and go from fighting one fire to the next, never seeming to get anywhere?

We as an industry have stagnated for a while. It does seem like Groundhog Day, every day. This attack. That attack. This breach. That breach. Day in and day out. In order to break the cycle, take the long view. Figure out where you really need to go. And break that up into shorter term projects, each getting you closer to your goal.

Most importantly, be accountable. Though we take a long view on things, we hold each other accountable during our weekly staff meetings. Each week, we all talk about what we got done, what we didn’t, and what we’ll do next week. And we will have off-site strategy sessions at least twice a year, where we’ll make sure to align the short term activities with those long term imperatives.

This approach works for us. You need to figure out what works for you. Have a great day.


Photo credit: “Coll de la Taixeta” originally uploaded by Aitor Escauriaza

Incite 4 U

This week we got contributions from the full timers (Rich, Adrian and Mike), so we are easing into the cycle. The Contributors are on the hook from here on, so it won’t just be Mike’s Incite – it’s everybody’s.

  1. Who’s Evil Now? – The big news last night was not just that Google and Adobe had successful attacks, but that the Google was actually revisiting their China policy. It seems they just can’t stand aiding and abetting censorship anymore, especially when your “partner” can haz your cookies. The optimist in me (yes, it’s small and eroding) says this is great news and good for Google for stepping up. The cynic in me (99.99995% of the rest) wonders when the other shoe will drop. Perhaps they aren’t making money there. Maybe there are other impediments to the business, which makes pulling out a better business decision. Sure, they “aren’t evil” (laugh), but there is usually an economic motive to everything done at the Googleplex. I don’t expect this is any different, though it’s not clear what that motive is quite yet. – MR
  2. Manage DLP by complaint – We shouldn’t be surprised that DLP continues to draw comparisons to IDS. Both are monitoring technologies, both rely heavily on signatures, and both scare the bejeezus out of anyone worried about being overwhelmed with false positives. Just as big PKI burned anyone later playing in identity management, IDS has done more harm to the DLP reputation than any vendor lies or bad deployments. Randy George over at InformationWeek (does every publication have to intercap these days?) covers some of the manpower concerns around DLP in The Dark Side of Data Loss PreventionRichard Bejtlich follows up with a post where he suggests one option to shortcut dealing with alerts is to enable blocking mode, then manage by user complaint. If nothing else, that will help you figure out which bits are more important than other bits. You want to be careful, but I recommend this exact strategy (in certain scenarios) in my Pragmatic Data Security presentation. Just make sure you have a lot of open phone lines. – RM
  3. USB CrytpoFAIL – As reported by SC Magazine, a flaw was discovered in the cryptographic implementation used by Kingston, SanDisk, and Verbatim USB thumbdrive access applications. The subtleties of cryptographic implementation escape even the best coders who have not studied the various attacks and how to subvert a cryptographic system. This goes to show that even a group of trained professionals who oversee each other’s work can still mess up. The good news is that this simple software error can be corrected with a patch download. Further, I hope this does not discourage people from choosing encrypted flash drives over standard ones. The incremental cost is well worth the security and data privacy they provide. If you don’t own at least one encrypted flash memory stick, I strongly urge you to get one for keeping copies of personal information! – AL
  4. I smell something cooking – Two deals were announced yesterday, and amazingly enough neither involved Gartner buying a mid-tier research firm. First Trustwave bought BitArmor and added full disk encryption to their mix of services, software, and any of the other stuff they bought from the bargain bin last year. Those folks are the Filene’s Basement of security. The question is whether they can integrate all that technology into something useful for customers, or whether it’s just 10 pounds of shit in a 2 pound bag. You also need to hand it to Symantec’s BD folks, who managed to buy a company no one has ever heard of – Gideon Technologies. Evidently they do something with SCAP and presumably it will work with their BindView stuff. I can safely assume both of these deals were at fire sale prices – where are my damn marshmallows? – MR
  5. Heartland pays, Visa wins again – You just gotta love a business model where you build an insecure payment network and then manage to transfer all risks back to your customers, while continuing to skim a non-trivial percentage off the top of pretty much the entire global financial system. I appreciate how the card brands (and their wholly-owned subsidy, the PCI council) continue to tell us that chip and PIN or other more-secure payment technologies are off the table due to the costs, while making everyone else spend silly money complying with PCI. Then, when a company that passes their assessment is later breached, they’re told they aren’t really compliant, and it’s time to pay up the incident response costs. I’ve been told Heartland Payment Systems is far from the poster child for even adequate security, and their total bill from Visa is now a $60M settlement (including existing fines already paid). Never forget, at Visa the house always wins. – RM
  6. Security and Developers Disconnect – Ben Tomhave’s post over on Falcon’s View about The Three Domains of Application Security. These domains make sense to security professionals, but don’t map particularly well to the way application architects and application developers deal (or need to deal) with security. Most projects I have worked on differentiate between architecture, design, and implementation with software projects; because the goals and stakeholders are different. The process used (agile, agile with scrum, waterfall, spiral, repaid prototyping, etc.) affects security features and testing, as well as secure coding practices. Some organizations build security test cases at the module level and perform basic security verification with their nightly builds, while most defer to the QA organization for product testing. Who writes the test cases, what they cover and and what forms of testing (fuzzing, white vs. black box, anti-exploitation, etc.) are all over the map. Worth a read as these three buckets help conceptualize how to apply security to application development, but they bely the practical difficulties where the rubber meets the road. – AL
  7. Tailor your message to the audience – My curmudgeonly alter ego, Jack Daniel (with Kung Fu beard), made some interesting points in his post on communicating security to non-security folks. He’s absolutely right. Most folks aren’t stupid, but they aren’t interested in the nuances of a 0-day or the latest drop of BackTrack. So keep in mind the next time you speak to the dev team, or the network guys, or the DBA jockeys, or mahogany row: you need to make sure your language, your message, and your conclusions align with what the audience expects and can handle. Yes, it’s hard. Yes, it requires a lot more work. But it’s probably less work than remaining irrelevant. – MR
  8. For those looking for jobs – Thankfully it’s been a long time since I’ve had to look for a job. As much as we think the tech downturn may be “unofficially over” (according to Forrester anyway), it’s still hard out there for some folks. Yesterday, a note on one of the mailing lists I follow mentioned the fellow was out of work for a year and trying to figure out how to be more employable. I’d point him (and everyone else) to Mike Murray and Lee Kushner’s InfoSecLeaders site and specifically their career advice Tuesday posts. Yesterday’s was about getting an insulting offer, but there is a lot of great stuff on that blog. And Lee and Mike are great guys, so you can always approach them to answer your questions directly. – MR