Tuesday, 28 August 2007

Interview with Rich Mogull

I had the great fortune to catch up with Rich Mogull on his recent departure from Gartner. Without too much preamble, here's what transpired:

RN: So, Rich, the question on everyone’s lips, why did you decide to leave Gartner?

RM: It wasn’t any single reason. As I posted on the blog I’ve been there for over 7 years now. It’s a great job, but I didn’t think it was great enough to be my last job. I’m only 36, no kids yet, and had just sold my bachelor pad (a condo in Boulder). The stars lined up and it was just the perfect time for me to make my move.

I did feel like there weren’t many challenges left for me at Gartner. I didn’t want to manage there, and I’d hit all the goals I set myself as an analyst. It really has been the best job of my professional career, and it’s a great place to work, but anything gets stale after a while.

RN: Most people dream of the day they could think Gartner is stale. Did they try and make you stay?

RM: They immediately dispatched their Quick Response Tactical Team to my home, but I rapidly disabled them using my superior martial arts skills.

RN: There was a ninja fight, and you won? Did you hurt anyone you wish you hadn't?

RM: My managers were great and very supportive, if disappointed. Leaving is never easy.

RN: Hmm… tell me about it. Any plans decided on yet for the future?

RM: For now I’m doing independent consulting and using the blog [Ed: OK, we get it!] as my home base. While I’m open for that “perfect opportunity” I’m definitely not looking for a position anywhere yet. There are a lot of things I’d like to do in this industry, and consulting gives me the freedom to move around. Long-term I’d like to be able to support my family AND spend time with them; those kinds of jobs are rare in our industry.

RN: Yeah, tell me when you find it, I'm right behind you in the line. I was hoping blogging would keep me grounded. It hasn't turned out that way at all. I guess traffic has slowed a bit since you haven't been able to cover data-security? You're obviously keen to get people back to your blog.

RM: Definitely! Data security has been the main focus of my work for over 5 years and I think we still need to do a lot of work on the topic. There’s a lot of disjointed information out there and very few people pulling it together into a way that makes sense and people can act on. What we have today is mostly people running around dropping point solutions in place because of an audit deficiency or a breach. Data security will eventually evolve into something more strategic, as have other areas of security, but it will just take some time. I plan on doing what I can to nudge things in the right direction and contribute to the dialog.

RN: Back to blogging about data security on a permanent basis to influence the industry then?

RM: I won’t be limiting myself just to data security. Data security is really morphing into a data and application security stack, since the ties are so close (at least for structured data).

Another area I’m fascinated with is security research - I think that’s probably one of the most important areas of work these days, since vendors are more focused on point problems and getting products out the door. Researchers are the ones that really push us, from the inside, to improve how we do security. Bad guys do it from the outside and force us to just respond, while the research types help us harden what we have and come up with some really creative ideas to reduce future risk.

RN: Good point, but I hope we'll be arguing about data security still. I need another sparring partner. I ended up agreeing with Hoff too much, and we need someone to kick us around a bit.
Talking of the industry as a whole however, what's your opinion at the moment? Where can I make some money?

RM: Overall the industry is a bit “heavy” right now. There are definitely more vendors than the market can support, and a lot of confusion as we try and balance compliance requirements with our actual risk. It’s not that I’m against a lot of vendors and products, but we’re seeing some crazy stuff where someone takes a good single feature and thinks it’s enough for an entire company. Let’s be honest, something like portable device control (USB blocking/auditing/etc.) isn’t a market in the long run. I’m not too worried though, I think this is a case where market dynamics will really take care of things for us. If there’s a good tech out there, odds are someone bigger will buy it and integrate it into a suite of some sort. If it sucks, it will just die. Some of the bigger vendors keep trying to charge more for every widget and don’t do integrations well, but I think we’re seeing early signals that the tide might be shifting, if only a little, on that one. Things are definitely more manageable than a few years ago in certain areas, but increasing complexity and greater adoption of less mature products to deal with point threats makes it hard for us to see that.

We’re also in a confusing time for security pros as the career tracks morph; and that’s something I want to write a bit about.

I think it’s all just the pain of one of those industry shifts that hits every now and then. Melissa and Code Red ushered in the days of network security and AV, and showed us that if you don’t secure the network, you can’t do business anymore. Today we’re seeing the twin attacks of compliance and web application/phishing/data exploits drive us towards better application and database security. Compliance is also forcing some of that professional shift since we’re having to deal more directly with executive management and learn to speak their language.

And it’s not like things will settle - the expanding proliferation of consumer devices and services is forcing us to rethink how (or if) we lock things down. That wave is hitting even before the compliance/data breach wave ends.

RN: You're making me tired just thinking about all the re-training.

RM: It’s all good, just a little painful at times. I like to think of it as job security.

RN: Who’s your favourite English blogger living in Spain?

RM: Uh... let me think... There’s this Bob Oldby dude that’s not too bad. Talks weird though...

RN: Ha ha. Good job there's nothing funny about your name or I'd have you on that.

Thanks Rich for a thoroughly entertaining and informative interview. Good luck with wherever the wind takes you, and keep in touch. I look forward to many arguments.
