It’s definitely a presidential election year here in the US. My Twitter and Facebook feeds are overwhelmed with links about what this politician said and who that one offended. We get to learn how a 70-year old politician got arrested in his 20s and why that matters now. You also get to understand that there are a lot of different perspectives, many of which make absolutely no sense to you. Confirmation bias kicks into high gear, because when you see something you don’t agree with, you instinctively ignore it, or have a million reasons why dead wrong. I know mine does.

Some of my friends frequently share news about their chosen candidates, and even more link to critical information about the enemy. I’m not sure whether they do this to make themselves feel good, to commiserate with people who think just like them, or in an effort to influence folks who don’t. I have to say this can be remarkably irritating because nothing any of these people posts is going to sway my fundamental beliefs.


That got me thinking about one of my rules for dealing with people. I don’t talk about religion or politics. Unless I’m asked. And depending on the person I might not engage even if asked. Simply because nothing I say is going to change someone’s story regarding either of those two third rails of friendship. I will admit to scratching my head at some of the stuff people I know post to social media. I wonder if they really believe that stuff, or they are just trolling everyone.

But at the end of the day, everyone is entitled to their opinion, and it’s not my place to tell them their opinion is idiotic. Even if to it is. I try very hard not to judge people based on their stories and beliefs. They have different experiences and priorities than me, and that results in different viewpoints. But not judging gets pretty hard between March and November every 4 years. At least 4 or 5 times a day I click the unfollow link when something particularly offensive (to me) shows up in my feed.

But I don’t hit the button to actually unfollow someone. I use the fact that I was triggered by someone as an opportunity to pause and reflect on why that specific headline, post, link, or opinion bothers me so much. Most of the time it’s just exhaustion. If I see one more thing about a huge fence or bringing manufacturing jobs back to the US, I’m going to scream. I get these are real issues which warrant discussion. But in a world with a 24/7 media cycle, the discussion never ends.

I’m not close-minded, although it may seem that way. I’m certainly open to listening to other candidates’ views, mostly to understand the other side of the discussion and continually refine and confirm my own positions. But I have some fundamental beliefs that will not change. And no, I’m not going to share them here (that third rail again!). I know that rational people can disagree, and that doesn’t mean I don’t respect them, or that I don’t want to work together or hang out and drink beer. It just means I don’t want to talk about religion or politics.


Photo credit: “Laugh-Out-Loud Cats #2204” from Ape Lad

Security is changing. So is Securosis. Check out Rich’s post on how we are evolving our business.

We’ve published this year’s Securosis Guide to the RSA Conference. It’s our take on the key themes of this year’s conference (which is really a proxy for the industry), as well as deep dives on cloud security, threat protection, and data security. And there is a ton of meme goodness… Check out the blog post or download the guide directly (PDF).

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Resilient Cloud Network Architectures

Shadow Devices

Building a Vendor IT Risk Management Program

Securing Hadoop

SIEM Kung Fu

Recently Published Papers

Incite 4 U

  1. That depends on your definition of consolidation: Stiennon busts out his trusty spreadsheet of security companies and concludes that the IT security industry is not consolidating. He has numbers. Numbers! That prove there is a steadlily increasing number of companies ‘selling’ security. I guess that is one way to look at it. I think it’s a pretty myopic way of assessing an industry, but hey, what do I know? Here’s a fact. Of the 1,400+ companies on Stiennon’s list, how many are actually selling anything (above $10MM in sales, or even $1MM for that matter?)? How many will be around in 18 months? 12 months? Does it even matter how many companies are in the space? I say no, because here’s what I hear all the time. Security pros want to deal with fewer vendors. Period. It turns out that Mr. Market is not wrong over the long term. There will be a shake-out in the industry, and it will begin soon. Maybe the total number of companies will continue to increase. Evidently there is an infinite number of crappy, undifferentiated ideas for security companies. The real question is what happens to share of wallet, and I’m confident that buyers will be consolidating their spending. – MR
  2. Which way do I go? When it comes to threat analytics, there are many, many services out there. For firms wishing to mine their own data, there are lots of technologies to parse dissimilar data types, and many platforms to do “big data analytics”. But at Dark Reading Kelly Jackson Higgins points out that Threat Intelligence has a Big Data Problem as firms are getting too much of a good thing. Enterprise security’s problem is not a lack of data, analytics tools, or threat feeds. Nor is it a question of whether in-house SoC is better than external services. It’s not even about false negatives or even false positives per se – rather the key questions are “Which analyzed data should I pay attention to?” and “How do I really prioritize?” Having 11 threat feeds is at best information overload, and third party ‘criticality’ rankings are often out of touch with the real risks a company faces. It classic analysis paralysis, as firms figure out which reports are meaningful, map them to risks, and then figure out what they can address in… let’s call it an “enterprise time frame”: the coming year. Having the analysis is the first step, but making it useful is still in the works. We’ll get back to you on dealing with the problems. – AL
  3. Sometimes it is better to be lucky than good… And that is the story of my career, and most of the folks I know. I really liked this coverage on the RSA Conference blog of the Centrify CEO’s talk on how his company was targeted by financial fraud and it almost worked. You have heard this story a hundred times. Email comes from the CEO to accounting to initiate a funds transfer. The funds are moved, and then it becomes apparent that the request was fraudulent. Thankfully Centrify had a policy that required multiple approvals on substantial wire transfers, otherwise the money would be gone. Kudos for sharing. And this is a good reminder that separation of duties and multiple approvals are good things. – MR
  4. Big data, small adoption: O’Reilly published Spiderbook’s research on the size of The Big Data Market, conducted by data mining public press releases, forums, job postings, and the like. And there is some interesting data in the survey: results suggest that only a small percentage of companies in the world use Hadoop, and many that do struggle due to a shortage of technical talent. Does anyone not lack technical talent today? Spiderbook went on to say that outside financial services adoption is low, but they found that large firms are much more likely to embrace big data than small ones. To which I say “Duh!” – large enterprises with huge amounts of interesting data went looking for something that could provide analytics at scale without costing millions of dollars. Our research shows large enterprises have a better than 50% Hadoop adoption rate, but it is only being used for select new projects. I maintain Spiderbook’s adoption numbers are likely on the low side; both because organizations are not particularly open about their use of Hadoop given the ‘skunkworks’ nature of many projects, and because attendance at industry trade shows for the major commercial Hadoop vendors suggests more companies are actively running it – or too much idiotic VC money being burned on campfires. Which is our way of saying you probably have Hadoop in your company, and if you’re in IT security, you’ll be dealing with a cluster full of sensitive data sooner rather than later. Get ready. – AL
  5. Is anything good or bad? I generally refute the premise of this recent NetworkWorld article: Is DevOps good or bad for security? The reality is that some aspects of DevOps (just like anything else) are ‘good’ while others are ‘bad.’ Getting poked in the eye is ‘bad’, right? Unless it’s an optometrist removing fixing cataract. Then it’s good. DevOps clearly put pressure on security teams. That may be bad because there is a distinct lack of skills. But it’s good because it forces security teams to embrace automation, and insert security into development and deployment processes. That article is basically a lovefest, talking about the benefits of DevOps, but if you do it wrong it’s a security train wreck. As with most things, there are no absolutes. Wnd we believe in the long-term value of DevOps (we’re betting the company on it), but we aren’t naive – we know that there are challenges. – MR
  6. BONUS: Generalissimo Franco is still dead! This breaking news just in: Oracle stuns the industry by moving ‘The Cloud’, big data and DevOps – all of it – into a single machine. News at 11. – AL