An Information Security Place

In my previous stint for a reseller, I was in the trenches doing implementations with very little pre-sales work.  But now, in an almost pure pre-sales engineering role, I get the benefit of seeing things from a reseller’s point of view and the manufacturer’s point of view.  Instead of having my head down letting all the sales people play their games, I get to be right in there with ‘em.  And I am getting to see a world that I have never seen.

I knew there were a lot of things about the IT and security world that I did not know.  I know there still are.  But the distinctions I find between the end-user world (security and IT management) and the reseller and manufacturer world are spectacular.  And to be honest, even though the differences are obvious, it is hard to put a finger on it.  Really defining it is difficult.

I guess it may come down to the basic pressures of the job being different.  A security or IT manager has day-to-day pressures of taking care of a network and the staff that runs it.  A sales person (even a sales engineer) does not have that constant pressure.  So the intensity in the look just doesn’t seem to be there.  Yes, the sales folks have to meet quota, but that’s not a constant, daily driving force.  Deals usually come in bits and spurts.  Thought the sales person always wants that next deal, the over-arching responsibility of a day-to-day operation is not there, and it shows.  Even the sales engineer, who many times has been in the shoes of a security or IT manager or admin and has dealt with those pressures, knows that the anxiety of operations is not there, and it shows there as well.

I know I will learn more differences over the coming months as I get used to the job.  And I know that I will not be able to share some of those differences (I can’t give away all the secrets - my boss reads my blog sometimes).  But if I ever do get back into security management, I know the knowledge will serve me well.  Not that I plan on leaving any time soon.  This is too much fun!

Go listen here.

Thanks again to Alan and Mitchell for having me on the panel.  And thanks to the panel for a great discussion.

Vet

I forgot to mention that I was a guest panelist on Alan Shimel’s SSAATY podcast last night.  This was a great panel.  I had a great time, and I think we really hit some key points and offered some solutions to security admins and managers out there that need some help selling security to execs.

The panel consisted of yours truly along with Martin McKeay (Network Security Blog, ComputerWorld), Bobby Dominguez (Sykes) and Mike Rothman (SecurityIncite, NetworkWorld).  It was hosted by Alan and Mitchell, two of the best podcast hosts I know, and though I have never met either face to face, I know they are both good guys.

One person that was scheduled but ran into some emergency security management duties was Michael from mcwresearch.com.  I understand why he couldn’t be there, but I really missed his insight.  I would have loved to hear some of his horror stories.

BTW, I was VERY impressed by Bobby Dominguez.  I have never talked to Bobby, but I figured out very quickly yhat he has a vast amount of experience, expertise, and just plain ol’ smarts.  You REALLY need to listen to this guy.  Hopefully he will start a blog soon himself.  He has a lot to offer the community.

Martin is always good to have on a discussion like this because he has a lot of experience in this area.  He never ceases to impress.

And Mike Rothman, well…, he’s Mike.  What else need be said?  And we actually agreed on something in the podcast, if you can believe it!  Actually, Mike and I agree on a lot of things.  We just like to disagree to make it exciting.

And of course, there’s me.  ‘Nuff said!

Anyway, the podcast should be up soon.  Go look for it in the next few days at Alan’s blog.

Vet

…but this transition is taking most of my time.  I promise I will be posting soon.  I am travelling to Dallas for the rest of the week, so I will try to hit some stuff this weekend.

Please keep coming back.  This blog is not dead!!!!  Really!!!!!

Vet

Karn Griffen over at the the Information Security Gurus blog mentions my post about getting out of security management.  He has a good post today about how we should all be getting out of the front lines when there are so many possibilities with outsourcing.  He also commented on that same post, where he said the following:

If I can turn on secure networking services, complete with IPS, Virus, Spam filtering, etc. and the company I outsource this to will provide me an SLA that guarantees the service parameters I’m looking for, why would I bother with a full-time person (or more) to do these things.

While I agree with Karn on this point, the question that comes to my mind is if you can’t convince an exec that security is needed at all, then why would he  / she do either?

The big problem is that execs often cannot justify security at all as a cost.  The ramifications to not spending money on security are still so light.  Much of the legislation out there still does not have teeth.  The media is getting tired of printing stories about this stuff because readers are tired of it.  Some non-governmental regs like PCI are starting to get somewhere, but that is not anywhere close to where it needs to be.

So unless you can convince your execs that security is needed, they ain’t gonna spend money on it, no matter if you outsource or insource it. 

But let’s play devil’s advocate here and assume that all exec’s get smart and buy off on security.  Then, the SMB exec’s get even smarter and see Karn’s point that they can outsource.  Where does that leave guys like me getting out of operations and trying to sell security?  Should I be selling to SMB’s now when I know they would be better served by outsourcing?  Do I sell to MSSP’s?  Better yet, do I have to start working for MSSP’s, sitting in a chair watching packets go by?  Do I lose even that job to ever-more sophisticated UTMs / IPSs / heuristic filters that can figure this stuff out better than I can?  Does the UTM take over for those MSSPs where there are only 2 or 3 viable options for them to filter traffic for their clients, essentially killing much of the security market?  Are the enterprise-type clients enough to hold up the market?  Does the technology get so good that even enterprise clients can use it?  Does my job just go POOF in 5 – 10 years?  AAAAAAAHHHHHHHHH!!!!!!!!!!!

Karn, you are on to something, but I’m not sure it’s good.  But good or not, is it inevitable?

Vet

Thanks to Mike Rothman for pointing this out.  Seems like McGruff is trying to take a byte out of cyber crime.  I haven’t seen McGruff around for a while, but like Mike, he is a familiar icon that was very  effective in crime education.  I am all for this.

Vet

OK, let me start this out with a disclaimer: I am going to work for Accuvant (as most of you know by now since I can’t stop blogging about it), and they are a big Juniper reseller.  They do not sell Cisco, so they drink the purple Kool-Aid.  Also, I am a fan of Juniper when it comes to many of their security products (I love their SSL VPN and their firewall / VPN devices, but their IPS leaves something to be desired).  All that being said, you might think I am going to say something positive about this deal between Juniper and Symantec.  Well, you’re right and wrong.

First, I agree with Mike Rothman’s comments:

…adding Symantec’s anti-spam, IPS signatures, and vulnerability research to Juniper’s products will make them better and I think it will actually happen. Why wouldn’t Juniper do this, given they are pretty much irrelevant in the IPS space and don’t really have a compelling UTM platform? They’ve got nothing to lose.

I also agree with Mike that this mostly comes from a “We Hate Cisco” reaction.  I don’t think Cisco is the best out there in most things that they do.  They do many things decently, but they are not the top in quality.  But they ARE Cisco, and they are taking so much of the market for the simple fact that nobody ever got fired for buying Cisco.

The fact that Richard Stiennon hates this deal is not surprising.  Stiennon is negative on just about anything that ever happens in security nowdays simply because he doesn’t agree with the direction security is taking, namely “host plus network security”.  However, his perspective that Juniper and Symantec have not taken advantage of opportunities given to them is correct.  Symantec is the epitome of the “bumbling giant”.  I don’t think Juniper is anywhere close to that yet, but Stiennon has to lump them in because, again, he is negative about anything to do with NAC, UTM, etc.

I don’t like this deal because it is with Symantec.  I just don’t like how Symantec works and I don’t like John Thompson (especially after his keynote at RSA 2005).  But I like this deal from the fact that it can help Juniper leverage Symantec’s knowledge.  Juniper NEEDS to become a premier security knowledge source on the par of Symantec or TippingPoint if they ever hope to be completely respected in this arena.  Building boxes ain’t gonna do it.  What I am hoping is that they use Symantec to maybe help them learn how to do this themselves.

Vet

When I was looking to make a move out of security management, I knew I had a few choices as to what I wanted to move into.  I knew I wanted a pre-sales type of position, but I wasn’t sure about the type of company I wanted to work for.  Should I go for a vendor, or should I get back into the channel?  A few things came to mind:

1. Working for a vendor would force my hand on what products I could recommend.  So, if I knew of a solution that was a better fit for a company, I couldn’t suggest it and stay loyal to my employeer.  That was a negative for me.
2. Working for a reseller could possibly force my hand to some degree on what products I can choose, but at least I would have a bigger pool of products from which to work.  That was a positive for me.
3. A negative that comes from number two, however, is the fact that many resellers are nothing but vendor sluts and will sell anything to make a buck.  I am not adverse to making money, but I believe that if you are a reseller, you should be able to support the products that you sell.  I really did not want to get into the whole “we’ll take you to a ‘Stros game if you put our box in front of your client.”  I’ve been there, and I don’t want to deal with that again.  It just ain’t ethical.
4. I wanted to work for a company whose focus is security, but I wanted an organization that was diverse enough in that field to offer other opportunities in the future.
5. Another negative that often comes with vendors and resellers is high pressure sales.  I did not want to work for an outift that constantly called the client asking when they were going to cut a PO.  That reflects bad on everyone that works for that organization, no matter if you are a sales guy or an engineer.
6. I wanted to work for an outfit that had a good reputation, plain and simple.

Taking these factors into consideration, I looked for a company that could pass muster on most (preferrably ALL) of these areas.  I also preferred that I had done work with in the past since I would have a good feel for them and would not haave to rely solely on others’ opinions.

The first factor would be the hardest to pass if I went to work for a vendor.  That is because I don’t know of ANY vendor whose products fit every company in every situation.  There just ain’t no such animal.  And even though I interviewed (and ALMOST got the job) with a big vendor, I still had some hesitation because of this.

So that left me with a reseller.  I wanted a company with higher standards, who didn’t sell every possible product, and who could support what they sold.  That led me to Accuvant.  I had worked with them in the past, and to be honest, I never bought a single prodcut from them.  To be clear, that was not because they lacked the skill to sell or didn’t have any products I wanted.  It almost always came down to timing (I met them when I was looking at outsourcing some security tasks, then they came in with a possible SEM product after I had already purchased another) and their lack of full time staff here in Houston.  But their sales guys and engineers were always willing to help out, and they NEVER pressured me to buy.  They were diverse in their offerings because they could do security consultation and implementations of technologies.  And to top it off, they also had a great reputation in the industry, both from vendors that they partner with and with other security managers that I dealt with.  So, they basically fit all my criteria. 

Now this may sound like a commercial for Accuvant, and to some degree it might be.  But because this is such a big thing for me in my career and this blog, I wanted to explain the decision of the company for which I decided to work.  Also, many of these reasons for choosing them as an employeer also work when you are looking for a reseller or consultant, so many of you security managers out there who need a quality security company to help out, they might be a good choice.  And if you are in Houston, you will get me as your top notch security engineer!

Vet

…is crap like this.  I am honestly tired of having to worry about keeping up with the latest security flaw and making sure my IPS has the latest filters and trying to make sure my network admin is keeping the patches up to date and yada yada yada.  It just gets old.

A while back, I published a list of all the things I do on a daily / weekly / monthly basis as a security manager.  When I look back at that list, I am seeing about nine tenths of it as reactionary chores.  And I am tired of being in such a state of constant reaction, even when I do everything I can to be proactive.  It just gets old. 

I realize this may sound discouraging.  Believe me when I say I don’t want to give up the fight.  I just want to help some other people fight the fight instead of being on the front lines every day. 

When I first thought about it, it kinda felt like the front line troops were going to lose a man to battle fatigue.  But to clarify by carrying the military analogy a little further, think of me as a REMF (ask your military buddies – they know what that stands for).  Basically, REMF’s are the people who sit in the back away from the front lines.  They drive fuel trucks, they fix broken vehicles, they cook food, deliver MRE’s, deliver ammunition, etc.  They are support.  They don’t always get a lot of respect.  But without the support the REMF provides, the grunt, the M1A1 tank crewman, the Apache pilot, and the howitzer gunner can’t fight the fight.  So you gotta love the REMF, even if he is not looking at bullets every day.

It may sound like I am trying to convince myself that I am making a good move, and to some degree I probably am.  I know this is the move I am supposed to make.  I feel that deeply.  I just want people to know that I am not giving up.  I am just moving to the back lines.  Is there some fatigue?  You betcha.  But I am not going to be the guy who Patton slaps.  I’m gonna be the guy driving the ammunition to the front line so you can shoot at the bad guys.

Of course, if the guy who brings the ammunition had to convince the tank commander every time that his ammunition was better than that other guys ammunition, and that his ammunition fit better in the gun tube and would make pretty lights when he shot it down range, then our military would be in a bad way.  OK, so maybe the analogy doesn’t play all the way through, but work with me here, OK?

Vet

I posted a few days back about some transition going on with me. So, I got some ’splainin’ to do. Well, here it is. I am changing jobs. I know, what’s the big deal? But this is more than a job change for me. The last few years as an Information Security Manager have made me realize that the technical side of my job, though still a good part of what I do, is starting to fade into the background. As I get more and more resources in place and grow the security infrastructure, I am starting to focus more and more on personnel manangement and security maintenance, with the project and technical work becoming much less frequent. Basically, my skills is sufferin’. And they are suffering at a time in my life where I just can’t afford it. I am only 34 years old (today, in fact – happy B-day to me!!), so I think the move into management is not for me yet. Maybe it never will be,but I definitely know it is not the time now.

So, I decided to make a change. I wanted a job where I would get to see different technologies and get to be a lot more technical. However, I wanted to stay in security and not go out into another technical job that pushed me back into network engineering. So, I started looking a while back to see what was out there. I did not put a lot of effort into it. I figured if it was supposed to happen, then it would happen.

Well, it did. On Friday, I accepted a position as a Security Engineer with a security reseller and consulting company. Basically, it is a pre-sales engineering job with a lot of consultation, design work and some implementation work. There a couple of reasons I decided to make the move: 1) I believe this will keep my technical skills up, and 2) it is going to allow for a lot of freedom that I have been looking for.  This is the company’s first permenant presence in Houston, so I will be starting the office (we will be bringing in a sales person in a couple of months – any sales people looking for a job, shoot me an email at m1a1vet-at-infosecplace.com).  That is exciting to me.  And I will be able to work from home for a while, so I will be seeing more of my family. Basically, I am excited about this, and I think it will be good for me and my career.

I guess I should tell where I am going! The company is Accuvant.

I will spare you the marketing hype, but I can say that they are a top-notch security company. They have some really quality folks over there, and I know I will learn a lot from them. I have worked with them over the last year or so, and my experience has been nothing but positive.

Just to explain, the reason I am making such a big deal about this here ay An Information Security Place is because this move might have a big bearing on my blogging. I have worked for VAR’s before, but my view of the security industry is likely to change quite a bit. I have spent the last three years as a security manager, sothat will always be there and will affect my thinking. But I take my blogging very seriously (though I have a great time doing it), so I have to recognize that this is going to affect what I blog about and how I see issues.

I know many people read my blog because they are security practitioners and they like that I have the same viewpoint. I promise those people that I will do my best not to betray those views. Security management is a part of me. But I will also be seeing things from the reseller perspective. I think that will give me a fresh outlook that will only add to what I can think and write about.

So, that is what’s going on with me. I plan on always keeping this site and my Computerworld blog going strong, but please understand if I have some dry times in the next few weeks as I move over. Thanks for reading. Please stick around and see the things that are to come.

Vet