I've sat through a number of presentations and sessions about security and virtualization in recent times and can't help thinking that people are falling into the old trap of going after the possible rather than the probable.
Most discussions I've seen around security and virtualization center on subtle threats to the hypervisor layer, and whether it's possible to jump from one virtual machine to another. Then there are the circular discussions about whether it's provably more secure to perform AV and intrusion inspection from inside the virtual machine, or to have the host perform all those functions.
All pretty tedious if you ask me. I reckon we've got some much bigger problems in a virtual world.
I'm no big fan of overly complex approaches to risk management, and recent economic events have made me even less so.
There was a great article in the Economist about a conference of the American Securitization Forum - the wonderful people who brought us all the complex debt products that are giving banks no end of bellyache. Ironically the conference was held in Las Vegas, and a wonderful quote came from hedge fund manager John Devaney, who said "I'd like to thank the market for dealing me a direct hit. As a trader if you don't get sucker-punched every once in a while, you don't understand what risk is."
Also, there were a few good articles last week about how money managers had retreated from the market because they'd lost faith in the ability to model risk effectively.
If only it were so easy for information risk professionals, who often protect far more than just money - we protect innovation, national security, and even human life in some cases. It's not quite so easy for us to take a direct hit.
OK, for argument's sake let's suppose we're in a recession. What does that really mean for us security folks?
To answer that question, let’s turn the question on its head. What did security spending look like when times were pretty good? Say from early 2005 to 2007 for example - did we see an upturn in spending? Our research found that security spending was flat or declining as a proportion of overall IT spending during that period. So then why, when the economy goes south would we spend less on security?
The vast majority of organizations spend money to counter the threats and incidents they're actually seeing, and to comply with governmental and contractual requirements. Neither of these factors is hugely dependent on the economic cycle.
Huge IT contract + Politicians + Lobbyists + Soft IT market + Legions of government contractors + Newly created government agency + More politicians + Career civil servants
What does that add up to? A hugely expensive, difficult, political and organizational undertaking, with plenty of scope for finger-pointing -- and that's exactly what we've got.
Full disclosure here: I was working for Unisys for the first three years of this contract, and only a non-US passport kept me from working on this engagement (and believe me I thanked my lucky stars every morning when I woke up that I wasn't).
I'm not a huge Unisys defender in general -- I saw plenty of gaffes from the sidelines, and like any large systems integrator Unisys has its fair share of inefficiencies and dead wood -- but Unisys is being accused of everything under the sun, from covering up the problems, to kicking puppies and being mean to its grandmother. I'm just not convinced anyone else would've done much better -- and has anyone noticed the alarming regularity with which government agencies blame their contractors compared to their commercial counterparts?
Allow me to put on my "Good Housekeeping" trite advice hat for a second...
As the leaves turn an autumnal hue, many of our end users' thoughts will turn towards preparing their yard for the winter. Why not turn this into an opportunity for both environmental responsibility and security awareness by promoting composting?
Discarded credit card offers and bank statements, mixed with old leaves, kitchen waste and yard clippings, will quickly become unreadable without ever having to be left in the trash on the curbside. And come next year they'll be a useful fertilizer for the lawn or beds.
Perhaps adding a horticultural element to a security awareness program will reach some people we've not managed to reach before. A good guide to composting can be found here. Just a thought, eh?
Investors Bank and Trust CSO Jeff Bardin wrote an interesting blog post in May about how companies "taken private" by private-equity firms were cutting back on audit and security staff now that they were no longer subject to Sarbanes-Oxley.
This got me thinking that perhaps the recent credit crunch might be good for us security people in a couple of ways. First of all, less credit means less cash available to finance the deals that endanger the security budget. More importantly though, businesses are going to be more attuned to how risky business decisions can have far-ranging effects, and before taking those decisions they should be better informed about how big the risks are. Heightened awareness of risk-reward principles can only be a good thing for a security person who is able to talk about risk in business language, and draw parallels between what is happening in the marketplace and the way an organization takes decisions around security.
I think it is a credibility play for both companies. Verizon Business needed a credible security services story, and Cybertrust needed a credible financial story. Although Verizon Business had managed security offerings and expertise through the acquisition of NetSec (part of the MCI deal), those capabilities and services were primarily focused in the US market. By acquiring Cybertrust, Verizon Business establishes itself as a global security services player. So what does Verizon get from the deal?
There's been a lot written about the deficiencies of DRM over the last couple of days, with some justification too. Recent efforts have been pretty shoddy, with very little effort devoted to allowing content creators to get true credit for their work and far more devoted to serving corporate interests. There's some pretty complex political wrangling to sort out here, between the content providers and the hardware and software manufacturers. Does this mean the end of DRM? I doubt it.