Right now I’m probably lying in bed with some weird motorized ice pack strapped to my shoulder, and (hopefully) some pain meds running amok in my system.

I suspect most of you are a little more comfortable at the moment, but hopefully on fewer drugs.

Before diving under the knife, Mike Rothman agreed to an email interview. I’ve known Mike for something like 5-6 years now (I think). If you read this blog, the odds are pretty darn high you also read Mike’s Security Incite. It’s the best nearly-daily analysis of what’s going on in the security world. Rather than providing a simple list of links, Mike includes his own analysis on 3-4 news stories and 3-4 blog entries a day. Mike is also the author of the Pragmatic CSO – a must-read for every aspiring security manager.

He’s also the crazy SOB that convinced me you can make it as an independent, so I might be a little biased in his favor.

Here’s the first half of the interview, and we’ll finish it off tomorrow…

Thanks for joining me today, Mike, especially since it’s actually a week before today, and right now I’m probably drugged up with my arm in a sling, sitting on the couch watching Knight Rider.

Who knew that the Rich Mogull has a time machine? If you patented that you really would be a Mogull. Anyhow, I hope you are feeling better and on your way to a speedy recovery.

[It seems Mike doesn’t realize Knight Rider is coming back. What’s old is new, Mike.]

Rather than having you talk about your past, I’d rather use this time to talk about some of your predictions for the future. Every year you publish your “Security Incites”, a mixed bag of predictions for the coming year. Some of them seem very specific and measurable, while others are, shall we say, a little fluffier. Is there a method to the madness?

In fact there is. I’m constantly synthesizing information. From everything I read, every question I get, every conversation I have. Through the year I am assessing and re-assessing my positions. I go back and revisit the Incites in July and December, and by February I have a pretty good idea how they should evolve for the next year. Then I sit in a dark room, meditate for a while, and the Incites just come to me. The reality is that some of the Incites lend themselves to firm, quantifiable predictions and others not so much. Some I use to make a specific point that I think is important.

Let’s talk about a few of the predictions that really stand out (for me at least). You’re predicting that 2008 will be the year network security crosses the line and finally becomes just part of the network fabric. A lot of pundits have been predicting this one for years now - what’s going to make 2008 so special?

I believe that customers are voting with their dollars. They don’t want overlay solutions for network security anymore. They want their networking provider to get it right, and with the macro-economic headwinds a lot of folks expect, these customers are in no rush to roll out the technology. They have been willing to wait thus far and sooner or later the products from Big Networkers won’t totally suck. If anything, those folks are persistent and they throw a ton of money at it. They will get it right and I think 2008 is the year the security capabilities built into switches are good enough to meet most of the customer requirement.

In that same prediction you bring up Network Access Control, the red-headed step-child of network security. You’ve been one of the more lukewarm voices on NAC; is it a failure of the technology? Or just the market reality that big vendors see this as a way for greater lock-in?

To be clear, I don’t have anything against red-heads. 🙂 NAC’s issues in the market stem from two issues. First, it doesn’t solve a problem that customers think is important or urgent enough to solve. The big NAC vendors are talking about having maybe 1500 customers or something like that. And they are probably lying about that. Let’s take a market like anti-spam – which was a REAL problem – Barracuda sold to 30,000 companies in two years. If it was that big of a problem, more customers would be buying the solutions. It’s as simple as that. The second issue has to do with expectations. The NAC vendors did themselves a huge disservice by promising the world to customers. They set an expectation they couldn’t possibly meet and now you’ve got customers that are disappointed and they are telling their friends to hold off until the technology matures. Who knows when that is going to happen?

So, will any NAC vendors survive on their own over the next, say, 3 years?

The NAC business will suffer a severe shake-out. Quite a few will get bought, with maybe the first 1 or 2 selling for a big multiple. And no, I don’t know which 1 or 2 that will be. We will see a lot more like Caymas, just going away. Or Vernier, which got out of the NAC business altogether. That’s life in the big city.

Come back tomorrow to hear Mike’s views on DLP, consumer security, and holiday card pranks.