It’s Wednesday, and if my doctor’s predictions are correct I might be in front of the keyboard for an hour at a time today. Odds are I’m now in a recliner, watching bad TV, staring wistfully at my Guitar Hero Les Paul leaning against the entertainment center. You may think you’ve won Slash, but once my recovery is complete I’ll be more powerful than you can possibly imagine.

And I’m not even on the meds yet.

Yesterday Mike and I talked about his 2008 predictions around network security. Today we’ll talk about my favorite area, information-centric security, and educating consumers.

This brings us to another step-child of the security world, Data Loss Prevention (DLP). You’re predicting a stall, although I’d argue it’s been stalled for years with only about $70M in revenue in 2007. What’s your unva ished opinion of DLP- do you think it provides value other than preventing those accidental emails? What if we include content discovery?

You could probably make a case that the DLP business never even got started. The fact is it had the law of small numbers working in its favor. The entire market could grow at 80-100% when it was small. Now it’s a bit bigger and it’ll be a lot harder to show accelerating growth. Also combine that with the number of deals we saw last year and the fact that it does take time for small nimble start-ups to find their sea legs in the morass of a big security or storage player, and things look pretty dark for DLP in 2008. Your second question is a bit more interesting. I do believe that there is value in the promise of DLP. We need to start thinking about the data and how it’s used and where it goes. I just don’t think the current deployment models really reflect the answer to the customer problem. Sure, if you are worried about an account number or a SS# being sent out, the existing products work fine. But they don’t give you persistent control of your data assets, and I think that’s really the problem that customers need to address. Unfortunately this may be the biggest problem in all of IT. There are no simple answers to solve that one.

DLP is one of the few tools that focus on data security, or “information-centric” security, depending on who you talk to. You do predict greater focus on database security in 2008, but what’s your opinion for the long haul? Will we migrate away from networks and hosts as the focus of security? Or is there too much momentum with too many big companies tied to our current model to expect changes anytime within the next 3-5 years?

Database security is a feature. If the databases weren’t so security tone-deaf, there wouldn’t be a need for this technology at all. But they are, so there is. Over time, a portion of the functions get subsumed into the DBMS, a portion into the security management platform (log analysis and monitoring) and some into the network (intelligently blocking direct database attacks). Though that is truly a long term vision. 5-7 years, best case. The existing database security market has a lot of running room as these other things fall into place. I don’t think we’ll ever be able to neglect network and host security. A layered security model is really the only way to protect yourself from attacks we can’t even envision. That being said, we need to do a lot better job securing the data. The fundamental element of data, in terms of how it’s used and where it goes. As I mentioned before, that is a really big problem. Looking at the database traffic is a start. It’s not the long term answer, but it adds another layer of protection.

Last year you published the Pragmatic CSO. I think one thing that’s always made you stand out as an analyst is this focus on practicalities. I find myself recommending the book to someone almost weekly since there are so few just-get-it-done approaches to security. Why do you think we make our lives so much more complicated than they need to be, and what inspired you to finally write the P-CSO?

I wrote the P-CSO because I was frustrated. Security folks just don’t understand basic business realities and practices and it is hurting them. They can’t relay the value of what security does and they don’t understand how to play the game to get things done. If anything, I’ve screwed up a lot of things in business and I thought I could provide some perspective that someone who spent their entire career managing firewall rules could appreciate. Especially as they are about to get in front of the Board of Directors and tell them why they aren’t going to be the next TJX. That’s the thing about the P-CSO. It’s not a technology book. It’s a philosophy book. How security professionals need to think about the business of security moving forward. I really believe it’s the difference between success and failure.

You’re trying to do something similar for consumers with Security Mike; how’s that project going?

Security Mike is going well, but I haven’t put the cycles behind it that it deserves. I’ll be spending a lot more time with that project throughout this year. Security Mike is a big idea. If we can train the consumers out there to protect themselves more effectively, we cut off the oxygen that the hackers breathe. Yes, that’s a long term goal, but you have to start somewhere. The first hundred, then the next thousand, then ten thousand. If we can remove the low hanging fruit, the economic model of Internet fraud changes. The bad guys need to work a lot harder to make the same income. That’s the vision.

Thanks a lot for your time today. One last question, is it true someone sent you a holiday card addressed to “Mike Rothman and The Boss”? How did THAT go over?

She loved it. The Boss has a great sense of humor. How else do you think she could live with a jackass like me?


p style=”text-align:right;font-size:10px;”>Technorati Tags: