Archive for November, 2006

White and Nerdy

November 30th, 2006 Michael Farnum

I might adopt this as my theme song. Do I have to pay royalties?

Categories: Cool, Fun

Custom Christmas light displays

November 30th, 2006 Michael Farnum

Remember the crazy video last year of the house with the Christmas lights timed to music? Well, they have now opened a business doing custom light shows. Crazy.

Vet

Categories: Cool

Some more on conflict of interest

November 30th, 2006 Michael Farnum

Mitchell Ashley wrote a piece on conflict of interest yesterday. It was specifically concerning analysts because of the firestorm of posts about some analysts recently jumping ship and going to manufacturers.

Mitchell’s post got me to thinking about some things specific to me (because I am my number one fan, and because the analyst soap opera just doesn’t interest me too much). What I mean is my recent job change and how it affected my blogging.

If anyone is new and doesn’t know to what I am referring, you can read about it here. But in short, I recently moved from the security management world to the consulting / reseller world. This was quite a change, and I learned soon after the change that I would have to steer clear of some subjects on my CW blog because of, you guessed it, possible conflicts of interest. What I mean is, if Accuvant (my employer) partners with a certain vendor, then it would be a conflict of interest if I wrote something negative about a competitor of that vendor. So CW said, basically, no posting about specific vendors at all.

Initially, I bristled at these restrictions and considered dropping away from Computerworld. It bothered me because I felt like I was being told that I could not speak my mind (similar to what Mike Rothman went through recently at Network World – I am not apple-to-apple comparing what Mike went through to what I was looking at, since Mike was speaking his mind on his own blog, and Network World let him go for it, which is bogus). Basically, did I want some organization telling me what I could and could not say?

Then, I got to thinking about the issue a little more closely, and I realized a few things. One, this is their sandbox (I got that analogy from Rothman), so I had to play by their rules. Second, they are a business that has to protect their objectivity (though some people will argue whether any of these technology media outlets are objective). Third, and this mattered the most to me, I could still post my personal views on my personal blog. I know this didn’t protect Mike, but so far I have had no issues with my editors at CW, and I think that will stick.

So the conflict of interest issue was settled in my mind because I still have a free voice at my personal blog. If CW was to ever let me go for something I posted there or on my personal blog, then c’est la vie. I can go on.

Vet

Going to be on ComputerWorld more often

November 29th, 2006 Michael Farnum

If you don’t follow my ComputerWorld blog, well…. you should! Presently I am a once-a-week blogger over there (though I don’t always get to it that often), but I will soon be a regular three-posts-a-week blogger. They have lost a couple of bloggers due to burn out, so the editor over there offered me a spot.

The bloggers they lost were writing a post a day, so I hope the three posts a week won’t be so hard and I can last a while. Anyway, I am excited about it.

Thanks to all of you who read my stuff and actually think I have something constructive to say.

BTW, here’s the PhotoShop job Alan Shimel did on me while disagreeing with my online shopping post at CW.

Thanks Alan for letting me have the picture. That made my day, even if you were tearing me apart!

Vet

Categories: Blogging, Blogging Buddies

Flaw-a-day for Oracle project cancelled

November 29th, 2006 Michael Farnum

Looks like Cesar Cerrudo cancelled the “Week of Oracle Database Bugs” project.  That’s a shame.  Ellison is about as hypocritical as they come when talking about MSFT’s security problems.

Here’s the article.

Vet

Categories: Security

Alert Logic talk

November 28th, 2006 Michael Farnum

So the presentation went over very well. Let me break down a bit why I went to talk to Alert Logic and some specific points on the talk.

Sam Van Ryder is a friend of mine who is a sales guy at Alert Logic. He wanted me to come in and present to the sales staff what a Security Manager’s job entails. I jumped at the chance because it gave me a chance to show sales people what trench warfare in security is all about.

How I approached it was from the standpoint of an SMB security manager type. Since this type of security manager is usually low on resources and high on duties (and since this is the most common type today), I figured I would show them the daily grind and just how much work a security manager has to do. I broke the day down like this:

7:35 AM – 9:00AM Check security logs
9:01AM – 10:30AM Check spam filter
10:31AM – 12:00PM Answer voice mails and email
12:01PM – 12:45PM Lunch (maybe)
12:46PM – 1:59PM Run network scans
2:00PM – 2:59PM Check helpdesk tickets
3:00PM – 3:45PM Install patches
3:46PM – 4:30PM Tune IDS/IPS
4:31PM – 6:45PM Administrative crap
6:46PM – 7:30PM Drive home (maybe)
7:31PM – 7:29AM Worry

That all got a good laugh, but I assured them that this is often not far from the truth, and this was not everything a security manager had to deal with.

To give them a more in-depth look from the technical side, I reproduced my post about all the many and varied security devices a security manager has to work on (IDS, IPS, firewalls, routers, switches, email gateways, etc.) and the maintenance on them. Then I hit them with the many non-technical issues a security manager has to deal with, like employee issues, meetings, project management, budgets, etc. I could see that many in the room had not thought about those as being security manager tasks.

I went a little deeper into the amount of research a security manager must do and how much training (user, IT employee, and self) must be done and kept track of.

Then I talked about the compliance issues that security managers deal with. I did it without going too deep and boring them, but I wanted them to realize how important compliance was in today’s world (especially PCI).

I talked about how security managers prioritize projects, though I honestly said that I could not really talk about how others do it. I described how I tried to keep a schedule as best I could, and how it was typically unsuccessful because of everything that popped up during the day.

Then I spoke about what makes a successful security manager and how admin crap was necessary to the job but tended to take away focus on securing the network and could lead to security problems.

Then I produced a list of what talents and skills a security manager must have to be successful:

  • Has strong technical skills and knowledge
  • Has strong documentation skills
  • Can talk to employees and exec’s in layman’s terms
  • Can lead and mentor a team
  • Has strong project management skills
  • Has the talent and the patience to deal with corporate politics

Before you start commenting and adding to this list, realize that my purpose here was to show just how varied and wide a security manager’s job must be. And I admitted that I was not good at the last one and that it was the main reason I got out of the security management role.

Finally, I told them about how they could help the security manager. My answer was, “Give the gift of time” (if you see this in any of the Alert Logic marketing materials anytime soon, I told them they could have it – it’s not really unique, but they liked it).

I explained that good reporting capabilities for any type of device and service such as theirs is one of the most essential time-saving tools a security manager can have. Give me a pretty (and functional) portal that I can place in front of my CIO where he can run his own reports and leave me alone, and I will pay a couple more grand right up front.

Also, make the device where it actually contributes to security and is not just a compliance widget.

There was some other stuff, but a lot more came out in the Q&A session after the presentation that was great.

  • I told them that cold-calling sucked very much bad.
  • I told them to not just ship a POC box out and expect it to get installed and demo’ed in the month that is typical (help out with the install and keep in contact).
  • I told them to sell through channel partners (resellers) instead of direct and use the resources (SE’s) provided by channels

That was basically it. I felt very good about it, and I received several positive comments. I’ll talk about Alert Logic as a product sometime soon (from what I have seen of it).

Vet

Categories: Security

Speaking for the AlertLogic sales people

November 27th, 2006 Michael Farnum

I have a speaking gig for the Houston office of Alert Logic today.  I will be talking to the sales team to let them know about the job of a security admin / manager and how they can help him / her in the job.  I will try to discuss the points of the talk later this afternoon or tomorrow.

Vet

Categories: Security

Rothman rants about vendors – I say Amen Brother!

November 21st, 2006 Michael Farnum

Mike posted some rants about his vendor pet peeves this morning. I like these two a lot:

Don’t spend time on your background – In 90% of the cases, I’ve trolled your website before our briefing. So I’ve read the executive bios. You don’t have to tell me you did this or did that. I pretty much don’t care. If there is something interesting in your background that I want to discuss, I’ll bring it up. I’m not a bashful guy.

Where’s the beef? – Especially if we’ve spoken before, just get right to it. You’ve asked for my time, so don’t waste it by telling me stuff I already know. Give me a 2 minute update on your business (which may take longer if I have questions or want clarification) and then tell me why I care about your news or ask for my advice on something you are thinking about. Not much annoys me more than hearing stuff I already know.

Mike is an analyst, and vendors want him to talk about their stuff. But it is amazing that the pitch is the same if you are an analyst, an in-the-trenches professional, or a sales engineer like me. Basically, vendors have this desire to tell you everything about the history of their company. History is important, make no mistake. But like Mike says, if you are coming into my company with a pitch, I have already done my research.  Just get to what needs to be said.

As a sales engineer, I try to know my customer.  The vendor should make the same attempt by asking me to whom he is going to be speaking so he can modify his pitch.  And I watch my customer when the vendor is pitching.  If the customer is more technical, and they start looking kinda bored and start twitching or something, I pick up on that and push the vendor as needed.

Basically, get to the good stuff.  If the customer wants the fluff, he will ask for it.
Vet

Categories: Security

New security blog

November 20th, 2006 Michael Farnum

I just came across a new security blog this morning. Andy, IT Guy has been writing since August, and he has some good insights into security. He commented about my Generalist vs. Expert post, which also shows that he has excellent taste in security blogs ;) .

Welcome Andy. Happy blogging and good luck.
Vet

Categories: Blogging, Security

Generalist vs. Expert

November 18th, 2006 Michael Farnum

I have been thinking about the idea of generalists vs. experts in security (which probably translates into any field). I tend to look at the generalist as a jack-of-all-trades (joat), where the individual knows a wide range of subjects. Some people would say a mile wide and an inch thick, but I think generalists are often much more knowledgeable than they are given credit for. The strength a generalist can lend is a wide variety of experience to help solve problems in many areas. The weakness is if you need a very focused skill or knowledge base, the generalist will probably not have it.

A specialist (or expert) is generally looked at as an inch wide and a mile deep. But unlike the generalist, this is probably a fair statement for most specialists. This person is extremely knowledgeable in one or two areas. The expert can give you advice to likely solve any problem that arises in her area. But experts tend to be very tunnel-visioned and may not be able to help in other areas.

I would say that a generalist has the advantage of being able to fit in many organizations, so the career path for such an individual may be better because of this. I know that I have a fairly broad knowledgebase, and it has helped me in my career because I had experience in a lot of different areas.

However, from the direction of value to the industry, I think experts have an advantage because they can answer in-depth questions with much more certainty than generalists can. If you frequent forums and knowledgebases, you will find that the questions asked there are almost always very pointed questions about a particular product in a particular scenario. This type of question plays into the specialist’s hands.

As an example, I can see a huge value in the expert knowledge of the people in Accuvant’s assessment practice.  These people totally kick ass in what they do, and it adds a HUGE amount of value to Accuvant’s offering.

I think generalists tend to end up in roles like security evangelists and pre-sales engineers (though I know a couple of SE’s who are very broad and deep in their knowledge of security).

So I guess you can argue this all day without coming to a consensus.  And though I have essentially taken the generalist path in my IT and security career, I don’t think either is “better” than the other.  It really depends on your proclivity and your basic talent.

Vet

Categories: Musings, Security

Live Writerfox | Firefox Add-ons | Mozilla Corporation

November 13th, 2006 Michael Farnum

I just upgraded to Firefox 2.0, and I found a cool little extension while searching around.  It is called Live Writerfox.  Basically, it uses Microsoft’s Windows Live Writer to blog a page or selected text.  Pretty sweet if you use Windows Live Writer.

Vet

Categories: Security

Security Blogs and Politics

November 13th, 2006 Michael Farnum

Before you read this post, go take a look at my “Rules” for my blog.

OK, now that you are back, let me piss off some people.  During this election season, I have to say that most of the security bloggers out there stayed out of the fray by sticking to what their blogs are about, namely: security.  And my blog rules state that I will do the same.  Basically, if you want to discuss a law or other political issue that pertains to security, then fine.  I will do the same.  Martin McKeay and I have had our friendly blog disagreements concerning phone tapping, phone tracing, tracking terrorists, and privacy stuff.  Alan Shimel and I have done the same to a degree.  All that is fine because that kind of stuff is relevant to security.  You can make judgements and assumptions as to our political leanings based on what we have posted (and maybe the region of the country we each live in), but that is no guarantee as to where we stand because we have made no definitive statements on the subject (I haven’t read all of Martin’s or Alan’s stuff, but I haven’t seen it in any of the stuff I have read).

I say this because I read a couple of posts from security bloggers during this last election season that, in my opinion, are just a little off.  One post was by the Great One, Mr. Schneier himself.  He says he is glad to see the Republicans get some of the brunt of the electronic polling problems.  He backs off of that kinda quickly, but it shows his bias clearly.  Another is by a blogging buddy of mine, Christian Koch (might not be a buddy after I write this, but I hope all is still well).  In his post, he doesn’t even try to hide his feelings at all (not saying that he should have to, but you will see where I am going with it below).

First of all, I want to say that I respect everyone’s views, even if I don’t agree with them or understand them.

Second, if you have a blog, then it’s your fingers doing the typing, so you have full freedom to write about anything you want.  I get that, and I would never say you can’t. 

However, don’t we, as security bloggers, owe it to our readers to stay a level above all this mud slinging and give content that is relevant to security?  It seems a tad bit like false advertising if you have a blog that is advertised as a security blog and you use it to blast a politician or a political party because you don’t like their politics.

And another reason not to show which side you are on is because it tends to taint your readers’ opinions of you from then on.  If you try to come at an argument with logical, non-biased opinions, your debate will still be tainted by your blatantly stated political beliefs.  That is no better in my mind than if you stated that you liked TippingPoint IPS better than anyone else’s, then tried to go into a debate about IPS products and tried to stay neutral.  There is nothing wrong with stating your opinion on the matter because you are free to say what you want.  But your opinion will be tainted from then on.  And you would never again be able to be neutral on the debate (at least, not for a long time) because you can’t switch to neutral once you have got in gear.

Anyway, my two cents’ worth.  You may think I am just frustrated because I did not like the outcome of the election.  But you really can’t make that statement, because I have never said which side I am on, regardless how many clues you think I have given.  So there!

And Christian, just to hopefully ease hurt feelings, I thought the cartoon in your post was pretty funny.

Vet

Spending the next two days in Juniper training in Dallas

November 8th, 2006 Michael Farnum

Working on NSM today.  Pretty sweet util that integrates the configuration of Juniper’s NetScreen security products into a single console.  They have most of their security products on it now.  SSL VPN is still not there, but it is coming.  Very cool stuff.

Vet

Categories: Cool, Security

Wikipedia used for spreading malware

November 7th, 2006 Michael Farnum

This article just kills me.  Wikipedia is about as reputable and reliable as a submarine with screen doors, yet people continue to go there for info.  It amazes me.

Another thing that is funny is that Wikipedia was mentioned in a play at my church this weekend.  Our church has a big Sunday School group that is made up of the kids and their parents.  There are lessons that have skits, etc. in them.  One of the actors was playing a kid who was doing research for a school project, and he said his parents told him to use “The Google” and to stay away from Wikipedia.  I laughed out loud, I thought it was so funny!

Vet

Categories: Security

Election Day is almost here

November 6th, 2006 Michael Farnum

Some points:

  • Whether or not you are worried about all the problems with electronic voting machines, you need to go vote. 
  • Whether you are Republican, Democrat, Green Party, Libertarian, or Independent, you need to go vote.
  • Whether or not you are fed up with Washington, you need to go vote. 
  • Too many people have paid the ultimate price to give you the right to vote for you to sit on your ass watching TV tomorrow. 
  • It is your duty.

Go vote.

Vet

Categories: Rant

Help Texas watch the border

November 4th, 2006 Michael Farnum

Want to help Texas watch our border with Mexico without travelling?  Sign up here!

Vet

Categories: Security

How to be a better SE

November 1st, 2006 Michael Farnum

A while back, when I was in the operations side of security, I wrote a series about how to be a good security admin / manager.  It was fairly successful and got some good play out there in the blogosphere, so I figured that I would write something akin to those posts in a blatant attempt to drive more traffic to my site. 

Oh yeah, and I, ummm, want to make a difference in the security industry, or something… whatever.

So, how to be a good SE.  First, let’s define the term “SE”.  In many to most cases, that term means System Engineer.  In my case, it means Security Engineer.  Both perform the same function, however.  At least they do in what I am referring to here, and that is in their pre-sales role.

A pre-sales SE is often perceived as the salesperson’s lapdog, to be ordered around and told where to go and when to be there.  This may be the perception, but it is almost always not the case.  The real truth is that the SE is the one who follows the salesperson around and makes sure the salesperson is telling the customer the truth.  For example: “No, Bob, this product cannot call down lightning and destroy hackers attempting to break in to the website.”

If you can’t tell, I have been reading “The Dilbert Principle”.

But in all seriousness, the reality is that the SE’s number one job is to protect the customer from making mistakes and buying the wrong product for their needs.  That is also the salesperson’s job.  And though I can say with all seriousness and honesty that all of the salespeople I have met at Accuvant truly are honest and try to protect their customers, this is not always the case out there.  A salesperson has a quota, and they have pressure to meet that quota, and they don’t always have their customer’s best interests in mind.  So the SE has to be that buffer.  And when an SE meets with customers, he is EXPECTED to be that buffer that the technical people at the customer need.

In case you didn’t get that, I’ll type it again.  The SE is EXPECTED to be the buffer.  That means that the SE is expected to be honest in his appraisal of the situation.  He is looked at as the guy who works for a living, just like the technical people in the trenches.  He is supposed to be the guy who knows what the technical people are going through day after day, dealing with users, management, etc.  Even if the SE has never held a true operations type job, he still will be perceived as such.  That perception is what garners trust in the SE, and that trust CANNOT be broken.

What many people may not know is that pre-sales SE’s typically get bonused on sales (they don’t get the same compensation as salespeople, but they do not have as much at stake either).  And just like salespeople, SE’s with VAR’s (like me) are often approached by manufacturers with incentives to push their product (these are often very good – money, electronics, etc.).  This is called a spiff.  These two things together can cause serious temptation for the SE to not make the customer’s needs the number one concern.

But if you are an SE, or are considering a move to this type of position, you MUST be able to resist this type of temptation.  Notice that I am not saying it is wrong to accept these types of rewards (most of the time, you cannot take an SE job without the bonus, and I would personally think you are a little crazy if you didn’t take it - and taking a spiff is not wrong if you made an honest sale and kept the customer’s need on the forefront).  But you must be able to look long term.  The desire for an immediate reward must be superseded by the customer’s needs.

And when the SE does resist the immediate gratification, he will almost always see a long-term return that comes from a relationship with the customer because that customer knows he can trust the SE.  It is often the case that once a relationship is established with a customer, the SE is the person who is contacted most.  That is because the SE has direct knowledge and contacts with people who can solve the customer’s problems.  So creating that bond of trust will lead to dividends for the SE’s employer, and the SE as well.

So all that in a nutshell is this: create REAL trust with the customer by keeping his / her needs first.  You may have to wait a little longer for your reward, but it will be a greater reward after all is said and done. And just so you know, I do not mean only monetary reward.  The reward of being trusted and held in high esteem is also a reward, and it can be more valuable than any earthly possession.

Vet