Last Friday was the end of the third calendar quarter. For you math majors out there, that’s the 3-month period ending September 30. Inevitably I had meetings and calls canceled at the last minute to deal with “end of quarter” issues. This happens every quarter, so it wasn’t surprising. Just funny.

Basically most companies report their revenues and earnings (even the private ones) based on an arbitrary reporting period, usually a calendar quarter. Companies provide significant incentives for sales reps to close deals by the end of each quarter. Buying hardware and software has become a game where purchasing managers sit on large purchase orders (POs) until the end of the quarter to see what extra discounts they can extract in exchange for processing the order on time. I guess other businesses are probably like that too, but I only have direct experience with hardware and software. Even small companies can enjoy the fun. We subscribed to a new SaaS service last week and the rep threw in an extra month on the deal if we signed by Sept 30th.

So the last week of the quarter runs something like this: Sales reps pound the voice mails of their contacts to see if and when the PO will be issued. They do this because their sales managers pound their voice mails for status updates. Which happens because VPs of Sales pound the phones of sales managers. It’s a good thing phone service is basically free nowadays. A tweet from Chris Hoff reminded me of the end of Q craziness as he was sweating a really big order coming through. I’ve never had the pleasure (if you can call it that) of waiting for a 9 figure PO to arrive, though I have done my share of hunching over the fax machine through the years.

But the whole end of Q stuff is nonsense. Why are orders any less important if they come in on October 3? Of course they’re not. But tell that to a rep who got his walking papers because the deal didn’t hit by Sept 30th. That’s why I like cash. I can pay my mortgage with cash. We can buy cool Securosis bowling shirts and even upgrade to the iPhone 5, even if AT&T forced us to pay full price since we already upgraded to the 4S and weren’t going to wait until March to upgrade. Cash is king in my book.

As the CFO, I don’t have to worry about accruals or any of that other accounting nonsense. It’s liberating. Do work. Bill clients. Get paid. Repeat. Obviously cash accounting doesn’t work for big companies or some smaller businesses. And that’s OK. It works for us.

Photo credits: cash is king originally uploaded by fiveinchpixie

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Defending Against Denial of Service (DoS) Attacks

Securing Big Data

Incite 4 U

  1. Now this is some funny NMAP: Bloggers know the pain of fending off the Hakin9 folks’ endless attempts to get free contributions to their magazine. I just delete the requests and move on. But a bunch of pissed off (and very funny) security folks decided to write an NMAP article that, well, you have to read to believe. The title is: “Nmap: The Internet Considered Harmful – DARPA Inference Cheking Kludge Scanning.” [sic] Right, they refer to the remediations as DICKS throughout the article. Really. How funny is that? And they used some white paper generator, which spit out mostly nonsensical gibberish. Clearly no one actually read the article before it was published, which would be sad if it wasn’t so damn funny. Just another reminder that you can’t believe everything you read on the Internet. Fyodor provides additional context. – MR
  2. Hope is not a DDoS strategy: Looks like Distributed Denial of Service (DDoS) attacks have hit the big time. That happens when a series of attacks take down well-known financial institutions like Wells Fargo. Our timing is impeccable – we are currently writing a series on Defending Against DoS attacks (see the posts linked above). The NWW article says banks can only hope for the best. Uh, WTF? Hope for the best?!?!? Hope doesn’t keep your website up, folks. But these attacks represent brute force. There are many other tactics (including attacking web apps) that can be just as effective as knocking down your site, without melting your pipes. Mike Smith has it right when he says Information, not Hope is key to Surviving DDoS attacks. Mike’s post talks about how Akamai deals with these attacks (at a high level, anyway) for themselves and their customers. Like most security functions nowadays, there is enough data to analyze and draw conclusions. Find the patterns and design mitigations to address the attacks. Or hope for the best, and let me know how that works out for you. – MR
  3. Cloudicomplications: Those of you who follow me on Twitter may recall my epic struggles with OpenStack about a year and a half ago. We decided to use it for the private cloud lab in the CCSK training class, and I was stuck with the task of building a self-contained virtual lab that would be resilient to various networks and student systems, given the varied competence of instructors and students. OpenStack was hella-immature at the time and building the lab nearly ended me. Last week the latest version (Folsom) was released and it is supposedly much more mature, especially in networking, which was the part that really complicated the labs. But as Lydia Leong at Gartner reports, open isn’t really open when the project is run by competing vendors operating out of fear. What does this have to do with security? And why would I be linking to another analyst firm? Because she makes the good point that by ignoring portability and interoperability, we are staring down open source (sorta) virtualized networking, potentially incompatible APIs, custom identity management that looks interoperable on the surface, and all sorts of other complexities and incompatibilities in what should be running on a common core. Personally I’m trying to decide whether my health is good enough to attempt updating the lab to Folsom. It’s not looking good. – RM
  4. Not where, but how: It appears from Verizon dangles carrot to bring cloud to healthcare that Verizon is missing the point. You don’t need to bring Cloud to Healthcare with colo facilities. If they want to get companies to put medical data in the cloud, they are missing the simple path: sell Compliance as a Service. The big scary reason big companies don’t move medical data to the cloud is that they can meet governance and compliance standards when they control their data. Cloud providers don’t offer the required compliance controls, so would-be customers don’t have a choice. The cloud service providers should package SoD (separation of duties), reports, access control, logging, and the basic controls all customers must have into their service – a HIPAA community if you will – and charge more. Companies pay to have someone help with that burden, and not dealing with it isn’t really an option. Lack of out-of-the-box (and assessor qualified) compliance is the impediment – not the location of the data. – AL
  5. Who’s got what now? Every now and then I like to step away from enterprise security to talk a bit about privacy, which affects every one of us as individuals, no matter what we do for a living. First, I want to give Facebook a bit of respect. It looks like they put a lot of thought into how they manage user privacy and third party advertising, with a multilayer system of hashing and identifiers supporting targeted advertising without passing your info directly to advertisers. On the downside, retail outlets (those quaint things made of bricks) may be able to tie you to Facebook ads via your email address. Is this the biggest privacy issue we face? No. Did I write this to harp on Facebook? Nope. But every day we share little bits of our digital identity wherever we go: from location to cell phone companies, to email and phone numbers, to what we look up online and from where. This is an unprecedented level of information about you (and me), which the many fine readers of this site will be expected to secure. But remember that security isn’t always privacy, and society is only at the earliest edge of confronting the privacy implications of social networking. – RM
  6. Who’s keeping score? CVSS scoring of vulnerabilities does not drive customer action. It is merely a yardstick used by various security vendors to gauge the relative severity of issues. To most IT managers charged with patching, and code developers tasked with fixing vulnerabilities, it’s a meaningless number. Nobody uses it. So while I do believe we are seeing the Rise of Data-Driven Security, as proposed in this Threatpost article, CVSS scores are not a valued metric. How do I know? Far too many firms lag months, if not years, in patching – regardless of CVSS bug scores. Moreover, development teams prioritize security code fixes based upon dynamic scans and white box code analysis, not CVSS scores. We’re seeing a change in how security resources are deployed based on metrics, but CVE alerts aren’t one of them. – AL
  7. Security Information Sharing? Wouldn’t that be nice: Dennis rants a bit on Threatpost about how legislation isn’t the answer to our security issues – sharing threat intelligence is. He is exactly right: “Other organizations could benefit from the collective intelligence gathered by their peers in other targeted companies, giving them crucial insight into the way their adversaries operate.” Just one issue: it’ll never happen. Okay, never is a long time, but I don’t expect much progress during my working career. It’s counter to the philosophy of intel to actually share it. I was talking to a F10 CISO a few weeks back, and he pointed out that the more people have intelligence, the less value it has. Period. Dennis makes an impassioned plea to revisit that perspective, but it won’t happen. Those in the know will hoard that data until, well, forever. It’s no less of a polarizing issue than religion. No matter how many ways you make the case, they aren’t interested. Sharing is just not the God the intelligentsia pray to. – MR