Saturday, 29 September 2007

Digging deeper

I wrote yesterday about the reactions I am getting to encryption. 5 or 6 years ago when I talked to people about the same products which I am representing now, people who were interested were enthusiastic, but few and far between. Now they are less enthused, but there are far more of them. It's as though there's a finite amount of enthusiasm about encryption in the world, and it's slowly spreading around. Encryption enthusiasm entropy if you will.

The reality of the matter is that exactly the same number of people need encryption (i.e. everyone with any confidential information), but now compliance is forcing some of them who weren't interested in taking it any further into doing so. So I remain ambivalent towards compliance. On the one hand it is necessary to drive security forwards, on the other, it pushes people in the wrong directions. On the one hand it drives sales, on the other it makes people resent good intentions.

I've talked about compliance and the state of the market for too long now however, I don't think there is much more that can be said. If you want to know anything about compliance, read PCI Compliance Demystified where I haven't posted for too long, risk, read, and for the state of the market you can't get much better than Mark Curphey. If I start talking about data security, Rich will only do it better, and in more detail, then Hoff will jump in and make things complicated, but with great pictures.

So whilst I'm still after finding my niche, and whereas I deal with all of these issues still, I'm going to try a few more technical posts for a week or so, primarily to prove to myself that I still can, but also to get back to familiarity with the subjects I'm dealing with now. I hope you enjoy the 'back to basics' approach I am taking, and appreciate that it is purely for my own benefit. In the meantime, keep reading the guys I mentioned above, and I'm sure I'll go back to normal again soon.

Friday, 28 September 2007

Shifting sands

I have traditionally worked for companies where I end up talking in quite a lot of technical detail to people who often have better technical knowledge, and sometimes better security knowledge than I do. I'd be surprised if anyone else hadn't.

In my last job as a Product Manager, everyone I spoke to was more technical than me on the development side, and the customers I spoke to were the market leaders, the visionaries and early adopters. These are often better informed and better read than those who follow.
Before that, as pre-sales manager at a distributor, I dealt with network and security architects, product specialists and SEs on a daily basis. I often had to ask people to repeat themselves or slow down and explain - and this was before I went to Spain.

Previous to this I was at another vendor, in a similar position to that which I find myself now. Those of you who are regular readers will know they were a competitor of my current company, but I am not the kiss and tell type (not that I kissed any of them). I was the product specialist, but people usually knew more about the networks, or why they needed the security, than I did.
Encryption has never been mainstream, it is part of our everyday usage of the internet, but it's built in, so we barely notice SSL sessions being set up, or passwords being stored in an encrypted file on a server unless we are in the business.

Recently, i.e. this week, I have been traveling the country, visiting new customers, installing new kit and talking about security - as I planned to do from the start, and I'm really enjoying it. However, "The Customer" has changed. Whereas before I usually dealt with a technical guy who had demanded to use encryption in his project because it would help achieve something for the business, now the business is demanding that the technical guy use encryption to satisfy a regulation. They don't like it. They aren't as interested in it. It makes my job a lot harder.
The technology is easier to use, it breaks less often, it fills a specific business need, and is quicker to set up. The technical meetings are kept light hearted, because if they ever get in depth, I am the bad guy, no longer "the interesting guy".

I guess I should be glad, encryption is finally becoming more popular to the business, if not amongst the workers. I should be glad because I will get paid on what the business gets paid. I can't help feeling a little bit sad at the fact that the people I am working with just want to get it done though, rather than sharing in my interest as they have done before.

I guess it's my job to change that.

Tuesday, 25 September 2007

The Word on the Street

I'm glad to see that everyone has an opinion on the Jericho Forum. Even if some of you are completely wrong! Obviously I won't be proven right until the last firewall and IDS box is disconnected and Richard Stiennon is carted off to the asylum, but it's closer than you think.

Mostly though, your opinions have little effect on what the market actually decides, which is, of course, why I'm right. I'm selling what I'm selling (Ingrian Networks), because of what I believe in, not the other way around. It just so happens that business in the UK is absolutely flying at the moment. I'm only on day 3 of official activities and I've got a list of "to dos" as long as your arm. Most of them learning more about the stuff I love and can't stop talking about.

I like to keep myself informed however, and having been away for a few months, I wasn't sure of how the market in the UK was looking. When I left for Spain, the economy was strong, load balancers were selling like hot cakes, SIEM/SIM was the exciting new thing on the block and at least 3 vendors (Bluecoat, F5 and Juniper) were converging on devices which did pretty much the same thing, but from different angles. I was waiting to see which would sell best.

Despite knowing lovely ladies in each (Lucy at Bluecoat, Louise at F5 and Sarah at Juniper), I haven't stayed in touch with the market movements, and would probably get biased reports anyway. So, what's the solution? My old friends in distribution, they NEVER lie.

I spoke to Bruce, the Business Development Manager at Equip/Horizon just this evening, and he seemed downcast. Apparently, since the economy's taken a hit, the business has started to dry up. Then he perked up a bit, seeming to enjoy the challenge, saying that he needed to find a way to differentiate better and drive business forwards. Knowing Bruce, he will do it.

But why has our economy taken a hit? Well, when the subprime mortgage crisis hit the US, the banks in the UK stopped borrowing off each other, imagining each other to own some of the US debt, and clamming up, like a clam. When the borrowing stopped, the cash stopped flowing, banks which relied on interbank dealing to make their profits threatened to disappear overnight (Northern Rock), until the government stepped in to rescue them.

The economy is looking shaky as a result, manufacturing has obviously taken a hit as no-one has faith in the high street, which in turn means no-one has faith in anything else you can buy. Thus, no-one is buying what I like to call "stuff".

I blame the Americans.

Monday, 24 September 2007

We shall fight them at the perimeter...

I was interested to read all the Jericho stuff going around recently. One thing I wanted to put right immediately was Stiennon's reference to Jericho being like the Flat Earth Society. That's completely the wrong way around. Everyone used to believe the world was flat, up until, ooh, I don't know maybe Aristotle, Strabo or Ptolemy, who all wrote about it. Yes, the Ancient Greeks knew way in advance of Columbus. That's not the point though, only in the last 2000 years have the educated believed, then proved, then observed that the Earth is in fact round.

Networks are nowhere near as old as the Earth. However, people laughed, mocked, criticised and ostracised those who believed in the round earth theory before it was commonly accepted - even though it was right. Jericho is much more like the round earth theory. It is old school network security
which hasn't moved with the times. The Flat Earth Society are a bunch of misinformed people who hang on to old thinking, ignore proof and science and construct paranoid theories because it suits their ends. I'm saying nothing more.

I have met with Andrew Yeomans a couple of times, once when I was a spotty young thing, once more recently, and I am fairly familiar with the Forum's work as a result of these meetings. After I posted a sarcastic message on Hoff's recent post about how Andrew failed to recognise me at InfoSec (hardly surprising now I have blossomed into a rugged hunk of a man) I had a mail from him, apologising. After I'd cleared up the coffee that I'd spat all over my desk, I dropped him a mail back to see how things were going.

First of all he pointed me here: as many of my questions were for personal reasons, and I wanted to know how I could get involved. Then he must have got sidetracked, because he went on to clarify things in a much more verbose way. Rather than spoil this with too much of my own moribund rhetoric, here's the salient points, straight from the horse's outbox:

"One key message is that "de-perimeterisation" is the business problem, not the proposed security solution. If we believed we could still maintain a neat defensive perimeter around our networks, I'm sure we would do so as it makes our work easier. But the business requirements drive us to do business - on equal terms - with partners; they ask us to outsource the management of IT assets; and they ask us to support connections for business partners within our networks. And those requirements mean that the traditional firewall defences are just becoming less useful as a true security measure, as we've already let outsiders into the networks."

This sums up my feelings about the current state of security very neatly. Anyone still crapping on about network security these days has missed the boat and needs a new haircut. Sorry, I knew if I started saying stuff it would end up sounding bitchy... back to AY:

"We still see some point of firewalls and other types of network defence, but they are in transition, moving from the old days of attempting to provide confidentiality and integrity, into the new view of providing availability or quality-of-service. So the firewalls filter out network junk; but the networks and systems should be designed to continue to function even if that junk got through."

So, Andrew even doffs his cap to the firewall/IDS crowd, but then makes the real point which is at the heart of all of this - the systems should be designed to continue to function, whatever gets through. Then, in time, the perimeter stuff is totally UNnecessary. This isn't his view, it's mine, I don't see the point of these lumbering great boxes all round the perimeter. As he says, they just become availability management boxes, and that can be built into software. OK, I admit they have their place now because the data security hasn't yet been built in, but they will disappear in favour of something more... virtual? distributed? a framework? A virtual distributed framework? Software at any rate. Take off the blinkers, look at the patterns, look into the future.

Is that the problem we have here, the Jericho Forum is looking too far forward for anyone to take it seriously? For all the talking I would have expected bloggers at least to understand these points a bit better, that they are not going to arrive on your doorstep in the morning. If I wanted to sell something that was popular now I'd make yet another NAC device.

"We realise that this has not always been understood in the media, so have been thinking of ways to present this more clearly. I came up with the term "Collaboration Oriented Architecture" though there's still debate whether that is the best terminology.

We have had debates whether this is de-perimeterisation or re-perimeterisation or micro-perimeterisation or whatever. The terminology might help the product marketing buzzword people, but it's not proven very useful when it comes to designing a security architecture. Of course we have Policy Decision Points and Policy Enforcement Points; and you could join these and say that's where the perimeter is. But when those PEPs and PDPs go round mobile items of data, it's a moot point to say it's a perimeter at all. As for "fractal perimeters", that might sound buzzword compliant, but I won't believe it has any real meaning until someone measures the fractal dimension."

Yes, "fractal perimeters" does indeed sound like some marketing turd with a linear constant greater than or equal to 1. Please ignore them as if your reputation depends on it. It will do. It doesn't even sound buzzword compliant to my ears, just bollocks, but Andrew is far too constructive and polite to say that.

I hope that's cleared a few things up for you nay-sayers and non-believers. Andrew parenthesises at the end of his mail, in case you were wondering: Great Britain coastline has a fractal dimension of around 1.24.

Sunday, 23 September 2007


As Rich noted a couple of weeks back, I'm a Newby again. Today is my first (official) day with Ingrian Networks. I'm up at the break of day, which is how I prefer it after the fog has cleared, and have a few moments to reflect before a quick drive up the M3 in my shiny new car.

It feels like yesterday still that I was sitting in a top floor office in central Barcelona, sweating and swearing, trying to sell software. Already I'm back in the UK, back in my flat, and back to work in what seems like such a short time. I could use another 6 months holiday to be honest, but then I'd run out of money, my wife would leave me and the house would be repossessed, so on balance, I think I'm better off working. And what better way to fill my days than talking about something I love: encryption. Actually, Ingrian's portfolio is broader than just encryption, it is db and application security, data security (yipee!), key management and encryption. All of these words get me more excited than the average human is supposed to about such terms. All except one, which is a new departure for me. And about bloody time.

I am quite recent to application security, and whilst I follow Jeremiah Grossman, RSnake et al. as much as possible, it has always seemed like a different art to what I know. From today that's going to change, and I'm going to be cutting my teeth in public (if that doesn't sound too weird). I will be writing my learnings here and hopefully be put straight on a few things where needed. I'll keep on throwing the data stuff around too, but maybe I'll become a bit more rounded, and more technical, in the coming months as I settle in to my new role.

After that, the role will be evolving with me, the aim is for Ingrian in EMEA is to grow significantly in the coming year to 18 months, I will be heading up the technical/services side, with Jon (Shaw) heading up the Sales team across the region. I love the smell of business, especially a successful one, and this has all the hallmarks of being a great move for me. Watch this space, and hopefully there will be some meaningful security in here soon!

Friday, 21 September 2007

The Horns of Jericho

Hoff and Mogull, 2 people I admire very much, have been blethering on at each other about Jericho for what seems like weeks now. I gave up reading after the first "yeah, but..." to be honest, but tried to set a few things straight in an argument which was essentially about two sides of the same coin, and not really anything to do with the Forum itself, but the media coverage it gets. Like blaming Prince Charles (sad looking chap, big ears, married a horse) for being the Queen's son.

I received an email from Andrew Yeomans for my troubles, a more gentle and kind man you could not hope to meet. He sounds incredibly busy, and was bemused as to what all the fuss was about. So on behalf of Andrew et al. who don't have as much free time as me:

The Jericho Forum has been around for donkey's years (I don't have exact figures, but consider the average age of a donkey, and they're about that old). When it was first set up, everyone said "ha ha, that's crap, it'll never catch on" and compared them to Chicken Little. Some years later (i.e. now) everyone is saying "ha ha, everything they're saying is obvious", or "ha ha, they're saying it wrong".

I'm not going to pull out the old cliche about laughing at Christopher Columbus or Edison (or is that a song...?), but really, look at what you're saying, and consider why you're saying it guys! Personally, I've backed the JF stance since I first heard it from Andrew's own lips 7 years ago, before he was on the management board. As a movement it has it's own momentum, and the people who are part of it's management team are merely sticking to their guns. They are all hugely respected security officers in their own rights. That the message hasn't changed should be admirable, not risible. It means they got it right first time. That it is only a set of guiding principles is GOOD in my opinion. That the media reacts with FUD is no concern of the JF.

Bloody foreigners.

Weak and noisy

My wife reminded me yesterday that when we first met I impressed her with a great line which has had her swooning ever since. I explained to her that as most women were after the strong, silent type, I was finding a lot of unnecessary competition, and as a result was trying to corner the weak and noisy market.
Well, she married me didn't she?

After a couple of weeks getting re-acclimatised and moving back into my flat, I have things mostly the way I want them, and to be honest, as close as I'm going to get apart from moving my desk around to please my wife's aesthetic sensibilities. I start work for real next week, but today I had a gentle start by catching up with some old colleagues at Equip Technology, now part of the monolithic Horizon Group. I love catching up with old friends, especially when I get such a warm welcome, and a hug from the girls (don't tell the wife!)

The atmosphere there has changed a little, not necessarily for the worse, things seem less chaotic then when I was there (hmm... should I be admitting this?) but so much so that no-one really seemed to be having to talk to each other. After I had caught up with the people selling Ingrian kit, I took some of the technical guys out to lunch, and we chewed the fat (metaphorically and literally).

First of all, the market looks set to explode over here, I finally hit it at the right time. Mind you, I've waited 6 years for this, and I've done it in a pretty roundabout way. With all the movement between QSAs, resellers and distributors having to raise their game to add value, this is exactly the right time for a key management/encryption product to hit the market over here. It's maybe a little complex for a lot of people, and the technical guys were concerned that they would be running before they could walk. I tried to reassure them that this would not be the case. I haven't had the training myself, but my knowledge of this area is reasonably good, and I've worked with security devices and software my whole career.

Secondly, it seems to me that organising a very close team of guys into a larger company has taken some of the soul out of it. I don't think this is lost completely, just a matter of communication. What made Equip an exciting place to work was (apart from the fact you were in danger of being hit by a football at any point on any given day) that there was constant talking, chatter and well, noise I guess. The guys told me that things were a lot better organised now, but I sensed that they missed the office banter a bit.

This is why I didn't stay at Equip when they were taken over, and took the plunge into a small company in Spain. I hate being lost in the noise of a massive corporation. I like being heard (hence why I blog). I like feeling that I influence the way people think, or at least talk. My reasons for leaving Spain were somewhat different, and not least because of the fantastic opportunity I now have to grow the team with Ingrian in EMEA.

What all of this brought home to me is how important communication and education are at all levels of security, even in a very technical environment. There's no point in sitting in silence, you'll end up losing out. These are smart guys, and if they don't get it, not a lot of other people will. I'm going to be doing the shouting on their behalf, because I enjoy it anyway. I will also have my work cut out to communicate some pretty complex ideas, but I'm really looking forward to it. In the meantime I think I'll just shout about things which interest me here.

Tuesday, 18 September 2007

Smiling already

Wow, I must have been getting used to Spanish telecoms. I just got my new broadband installed and it flies. I can now download a 30Mb file in a few seconds, where it was taking minutes with Telefonica. So what have I missed whilst the posting's been thin on the ground?

Uncle Mike Rothman has turned into Security Mike I see, which made me smile, not least because of the rather flattering avatar he's used. Don't get me wrong, Mike's a handsome devil, but have you seen the arms on this guy?

A bit of news today which made also made me smile, but this time in disbelief, was the story that Intel have bought Havok. "Who?" I hear you ask. I did some work with these guys over in Dublin 3 years ago, and there were about 10 of them sitting in a freezing cold darkened room, coding some arcane magic called a Physics Engine. It's amazing stuff. If you've ever played Half-Life 2, you'll have run along in the water shooting at imaginary fish. The realistic gun interaction with bullet, and bullet interaction with water, is courtesy of Havok. They have worked on some major games. So why the need for a security fiddler?

What Intel don't know (OK, they probably do, but it makes better gossip this way) is that 4 years ago the source code for HL2 was leaked and displayed on the Internet. This was traced back to a developer at Havok, I'm not sure they ever knew which one, and they called in a consultant at DCSR to fix the problem. DCSR were a Vormetric reseller, and thus Havok became my first account in Europe. It was incredibly complicated, and they had a huge amount of code to protect. I won't divulge any more details of the account as I don't want the SEC on my back, and I now work for the competition.

Another thing which made me smile today was a chat I just had with a guy called Richard Morrell. I had a mail from him earlier today to ask me a couple of questions. Richard was a founder of SmoothWall, which most of you will have heard of if not used, and was most recently working for Zimbra, which was purchased by Yahoo! yesterday for $345m. Well done Richard.

What I didn't know until today was that Richard wrote SmoothWall in Oliver's Battery, which is less than a mile from where I am sitting now. He has a house in Colden Common, which is about 5 miles away, and is coming back next week. He's read my blog, and wanted to talk about Kinamik whom I have just left, but it appears we have much in common. He's coming home next week for a few days and said he'll call me for a drink.

Small world, interesting place.

Monday, 17 September 2007

Jobs and cars

I'm waiting for a phone call and whiling away a few moments before I have to speak. My old company, Kinamik, are hiring a CTO and the recruitment agent wants to talk to me to get the lowdown on the business and the people. The right CTO there could be the difference between make or break, he will have to be good, whatever the market decides. I think that's what I'll say...

I start my new position next week, and have a very busy schedule already, visiting 4 customers next week, and 2 the following so far, plus a visit to our distributor (where I also used to work) and a reseller (where I didn't). So to get around to all of these people I had to go out and buy a car this weekend. I was looking at the BMW 535d Sport, because it has 2 inline turbos which means you get zero lag and will continue accelerating up to 155mph, more torque and higher bhp than the M5! But the one I was looking at got sold the day before I was going to see it. Bah! Humbug.

So instead, I settled for the 530d, not quite the same pull, but still a bit of a monster, and at £5k cheaper, I'm very happy with it. How nice it is to think and save in terms of pounds and pence again. It's black too, with slightly tinted windows so I look like a gangster, or a gangster rapper at least.

The job's all kicking off next week, but I'm off for my first meeting on Friday, followed by a long lunch and a trip to the gym in the evening to compensate for the guilt. I like to ease into work, but next week is going to be full on. I expect I'll start to talk about databases in my sleep soon, and it will certainly be interesting to get up to speed with application security again.

Moving around can be painful at times, but it gives you such a good overview of what's happening around the world and around the markets that it can be well worth it. Moving around in a big black beamer just makes you feel cool. At last. :)

Sunday, 16 September 2007

Watch this space...

In case anyone is interested: I get my new broadband connection on Tuesday, at which time blogging will resume on a more permanent basis.

I have to say I'm enjoying not being tied to my screen so much, but I miss the interaction. Only shrdlu has noticed me being MIA at all however, so maybe I'll just keep quiet for a little longer and soak up some of the wonderful sun we're having (in my coat obviously, this country's still bloody freezing!)

Back soon.

Friday, 7 September 2007

Compliance and disclosure

I've had a lot of wishes of good luck since I moved back to the UK, and announced my move to Ingrian, and I want to say thank you to everyone who's contacted me in a more public way.

My first mail was from Brian Honan in Ireland, a senior consultant with his own firm, who wrote to me to wish me luck for my move. I wrote back to ask him what he was involved in and he happened to mentioned that he was pressing for a breach disclosure law over there.

In the last 10-20 years a transformation has happened in the Irish economy, particularly Dublin, the capital city where Brian is based. There was a boom from 1990-2001, characterised as "The Celtic Tiger", in which time the economy there grew from one of Europe's poorest to one of its wealthiest, much as Spain has done in the last few years with its construction industry, Ireland did so with its technology and innovation. With growth come growing pains, legislation, particularly around electronic transactions, is usually the last thing to be put in place. Breach disclosure has often been an afterthought.

Then Jon Robinson, after wishing me luck with the move, picked me up on something else yesterday which I thought I was fairly clear on in my own mind. Compliance, do we need it? I've always believed in it, thought of it like an embarrassing geeky younger brother to security (the cool one, good at sports, knows karate), but just let it run, and used it to push my wares when needed. We all know compliance does not equal security, we all assume that we need to comply for the greater good. But who are we doing it for, and why? Why should we be forced?

I started to get my ideas down on screen, and it struck me just how much compliance is a double-edged sword, and it's really not had the effect that it was supposed to as yet. Instead of being the great security driver, it is more of a great security leveller: it's making us think (at last).

The things I am hearing about compliance and disclosure laws from the States are:

1. Disclosure doesn't hurt a business. The pain for customers to move outweighs the pain of being breached. They see breaches as temporary, and trust brands. If anything, breach disclosure acts as free publicity.

2. Compliance is not specific enough in either technical or business terms, it's like the Sword of Damocles, perpetually hanging over those in power, waiting for someone else to disturb it.

3. Businesses in the States are moving in droves to take their data away from storage, and where possible, just keeping pointers to data (credit cards, SSNs, etc.) in other people's storage, which means there is no need for the same level of data security.

4. Because of this, QSAs and consultants in the US are moving into Europe in unprecedented numbers, to address a market which isn't aware of these methods yet.

5. If you are compliant, you don't have to disclose breaches. HOWEVER, if you are compliant and have a breach, are you better off disclosing, or keeping schtum? There have been a few cases recently where people have just come right out and said it, even when there was no need.

Is compliance really the answer we have been looking for, or just a sales tool?

The bad thing about compliance is that it is a stick measure, dressed up as a carrot. Something to beat you with which the people behind it are saying "if you comply, you'll be safe". But you aren't. Just because you are compliant, does not mean you are secure. Ironic? At the very least. As a result there is so much confusion that the consultants who know security can clean up, but then, they are liable, and the security landscape is ever changing. If I was any one of my clients I'd be extremely upset about compliance.

The good thing about compliance is that it turns security into business issues which need to be addressed by CEOs and CFOs. This is good for consultants (again) and vendors however, not the average consumer. I've said in a previous post that consultants are up for a good run in the near future due to the state of the market at present, but there is going a lot of competition from some big US firms (that I've also mentioned recently), because of the way compliance is forcing sensitive data out of the corporate infrastructure.

I think we'll see a few more small consulting firms being bought up by large US companies in a bid to take over the European market before it dries up like it is doing in the States, and like the vendor world, it will be increasingly a case of start-ups being started as acquisition targets rather than going concerns in their own right. I find this a bit sad, just like I did with supermarkets taking over from corner shops, but this is the price of progress I suppose.

Maybe if I get in quick I can still become a millionaire, but then millionaires are ten a penny these days. Who wants to be a millionaire when we're talking in billions?

Full disclosure

What's all this then?

After my post about Ingrian's "60 days to Compliance" program, I got a mail from Mike Rothman saying that he had merely been pointing out the inaccuracies in it "for the people", and it was an "irresponsible piece of marketing". I don't want to get into a slanging match with him on those points as I have nothing but the utmost respect for Mike and value everything he says, but I stand by my position: It needs to be taken in context, and anyone looking at it will necessarily possess the intelligence to apply the correct context. Plus, I'm not going to get into a full blown argument without admitting that there is a reason for my renewed interest in Ingrian.

The offer

As I've revealed in many previous posts, Ingrian have been close working colleagues for many years, through their time with the i100 SSL box, which at least one reader will remember with fond memories (you know who you are Owen), up until now with their superb DataSecure offering, one of which I am sitting next to as I type. I've worked with the kit throughout that time, in every job I've had, apart from SE for Vormetric, when I very much worked against it! Recently, I was offered the chance to work with Ingrian more closely, and help grow the EMEA arm of the company: that is, to work for Ingrian Networks full time.

Well, what can I say? It seemed to be written in the stars, but I needed to consider it carefully. I was glad to be able to consult Mike on it in fact, as I've been keeping it close to my chest for some time. In the course of our conversation however, Mike observed that I should probably stop pimping myself out to Ingrian here and come clean to avoid losing face.

What's to disclose?

I didn't believe I was pimping myself when I wrote the post, I still don't, I have never written anything I don't fully believe in, and have never received a penny for anything I've written here. But if there's a danger that people will lose respect for what I'm saying without it, then here's my admission in full:

I had spoken with Jon Shaw, the RSM for Ingrian EMEA on several occasions, usually as part of my previous role in distribution where I helped put the two sides of the agreement together, but also at Kinamik, where we had a vendor partnership. He had often asked if I would be interested in working more closely. I had always said yes, but we agreed that we would wait until a suitable position came available, and I was free of commitments.

The thought process

When Jon called me last month to finally offer me a job, it was a less difficult decision to make than it would have been before March. I was just leaving to take a short holiday, and didn't enjoy it much because of the stress I was under. I explained in a previous post that it has not been the happiest of times recently, and the pull to get back to the UK and family was strong. When I got back to Spain I had all but decided to make the move. It still took me 3 weeks to finally make the decision. I still feel indebted to Kinamik for all I have learned and taken from my time there.

Rothman The Advisor

Mike said I should make it clear that my move to Ingrian is because of my interest in data-security and to show that I wasn't acting under instruction from them - doing it for the money, that is.

On the contrary, my interest in data-security is almost entirely down to Ingrian, rather than the other way around. One of the first and most exciting people I worked with in data security was a guy called Morgan Flager, who is now a venture capitalist, so maybe I AM in it for the money. I don't come cheap these days, but then I guarantee a certain amount of market knowledge and success. The blog though, that's my baby. No-one works entirely for love, but I say what I like here, and no company owns me.

Morgan inspired me whilst we were both young, he made it interesting, and I've followed data-security ever since. I now have regular exchanges with Rich Mogull, who allowed me to interview him here when he left Gartner recently . I've followed him my entire career, so that was really exciting for me.

I guess because I believe, nay KNOW, I'm not pimping out my blog (although MTV should note, that "Pimp My Blog" is a great idea for a new show) that I missed the fact it might seem that way. I'm grateful to Mike for pointing it out so I can set the record straight at the same time as breaking my important news.

Reasons for blogging

I'm not blogging for the money, I'm in it for the chance to discuss security. I'm not moving to Ingrian because I'm interested in data-security, I'm interested in data-security because of Ingrian, and we'll both do very nicely from it. No-one has any influence over my blog, apart from those whom have helped carve out my career over the last 7 years, so Ingrian tend to feature quite highly, but then so does Mogull, and I'm not working for him.

(or "Pimp My Mike")

Here's a thing, I've just been checking my keywords, and although I refer to Ingrian 8 times in 120 or so blogs, my number one personal tag of all time is STILL "Mike Rothman" with 9 entries, (make that 10!) second only to "data security" at 14. Even Lord Mogull of Securosishire only gets 6, Thomas Ptacek and Tim Berners-Lee get just one each. What does that tell you?

Home time

So I'm back in the UK. I still have a flat in Barcelona, but I'm resident in Winchester, Hampshire, England one more. I'm feeling happier already, but I will miss Spain, and especially the people at Kinamik who have made my time there so enjoyable.

Hopefully being home won't cheer me up TOO much and ruin the niche I've carved for myself.

Thursday, 6 September 2007

How to make tea (the English way)

Well here I am, back in the UK. It's bloody freezing, I'm wearing a jumper for the first time in months... and that's the only thing I can find to complain about. I actually quite like wearing a jumper too. I have a real cup of proper English tea, made the proper way. Allow me to elaborate.

The Queen has a teapot which she doesn't wash, she makes all her own tea, and it is made the PROPER way. If you are anything other than English, and have English visitors, make yourself seem incredibly worldly-wise and make them feel at home by doing the following:

1. If you have tea leaves, put them in a strainer over your teapot. If not, put teabag(s) into the pot. The pot should be caked in years of previous tea makings for extra flavour. This is not gross, really.

2. Boil a kettle.

3. AS THE WATER BOILS, pour it over the tea leaves, scalding them and releasing lovely fresh tea.

4. Present English guest with a cup (empty), the teapot, some milk, sugar and teaspoons.

5. Allow guest to pour own drink, which should be done tea -> milk -> sugar -> stir. Drink.

The above technique will avoid having to dunk teabags like they are some sort of flavour enhancer for warm water. It will avoid offending your guests by assuming they like grey water with sugar in the bottom, etc. Also, we like milk, not lemon. There's a reason for this:

In days of old, before the US was even discovered, cups were made from clay and baked hard. This clay was brittle, but the Brits still knew that to make a proper cuppa, you need to boil water, and scald the tealeaves. The problem with this was that when boiling water hits a clay cup, it tends to smash it as the clay expands rapidly on contact. To avoid the rapid expansion, a small amount of milk was placed in the bottom of cups, thus stopping the rapid expansion and making a perfectly drinkable drink.

Over time, china cups replaced clay ones, so this reason is often overlooked, and the order of making tea can be interchanged, especially nowadays when individual teabags are made for cups, which forces the milk to be added afterwards if you are to scald your leaves.

More advice on how to be good to your British guests soon. I'm telling you this for a reason you know. If you're in the Redwood City area, I could well be round your house soon, and I expect proper tea.

Wednesday, 5 September 2007

How security is driven

I'm not afraid to say that I hate firewalls. I also think NAC is fundamentally flawed, another sales driven exercise which has no place in pure security thought. It's incomplete, half-baked, evolving at best and network-based, like early firewalls in many respects. Oh how this is going cause ructions. I don't begrudge anyone doing it, so before Alan, Mitchell, et al. get medieval on my ass, I'm glad someone's having a go, and filling a gap in the market.

Then again, there is little that can be considered as pure security at the moment, and as I said yesterday, security needs to move with the times and not get caught totally in the technical. However, firewalls and NAC prove to me how dangerous it is for security to get caught up entirely in the business too. These are both technologies that are solely there to address a business issue tangibly, that is, in a way that the average CEO does, rather than properly, like the average CSO should.

I don't think these technologies will last forever, although NAC seems to be doing OK now. I could argue that firewalls have been dead for years, and what exists now is a hybrid. In the same way, I hope NAC will be the beginning of a move towards proper data security. It certainly seems that it could be something which ties user and data security in a more complete way, the problem with it is now is that it is not understood by those using it.

So, just as firewalls have become UTM devices at the perimeter, so we will eventually find a data-security device at the centre of our networks in the future. NAC should not be everything which is needed, but built-in here. But is NAC taking us in the right direction? Probably.

However, the point here is that security hasn't identified a hole in the network and moved to fill it, it has identified a hole in the market, and the security barely makes sense. Evolution is necessary where people are involved. I understand this, just as I understand that sometimes people need a kick in the bum with something like compliance. However, just as we couldn't have predicted that Facebook wouldn't be the amazing success it is today back in 1985, we couldn't have predicted that compliance was going to cause us so much pain and lead us down so many blind alleys. Some people have cleaned up in all the confusion. ATW, by appearing to have all the knowledge, are now enormous, and spreading.

There was a link to my blog yesterday from Jon saying: "He thinks we need to force people to be secure through compliance regulations. I disagree. Screw regulation and screw compliance. If someone wants to do business with a company that had a breach, then let them."
I think this is the view of a lot of people in security nowadays. We've tried so hard to educate people, but they still won't buy from us. OK, that's slightly cynical, but it really is the case. We're all in this for the money, we don't do security just because we love it, it's interesting for sure, but it's also pretty well paid. And people won't buy what they don't need or want after all. All compliance does is force a need, but if people still don't understand it, they will buy what appears to cover all their needs the cheapest. Therefore security gets chased down a rabbit hole instead of improved. Odd.

Some of the best "solutions" (for want of a better word) in security remain untouched because people don't understand that they need them, why they need them, or even that they should be looking at them. The only way we are going to hope to change that is by educating slowly, evolving and moving through some bridging technologies to get there. Firewalls have evolved into UTM, which is almost right, NAC will evolve into part of a link between UTM and data-security. Data-security is really only just beginning, but I have a fair idea of how this will pan out, I've given various views on this already, but this is very much my area, so I will continue in good time.

Security as a business

Some of my favourite and most admired bloggers have got into a fairly cyclic argument which is rehashing something we've been over several times in different guises. Mark started with a piece on how security isn't a competitive advantage these days. Isn't this just the old "ROI is not real ROI" argument disguised as something new?

Chris got stuck in as can only be expected these days, saying that there were too many generalisations in this argument, that he wasn't looking at it from both sides, the vendor and the buyer. Each of course looks at security in different ways. But this is a different argument to that which Mark was making I think. What both posts confirm is that security is what Richard B calls "Table Stakes". You don't get to play the game without it. Now I don't always agree with Richard 100%, he comes up with a lot of fresh and sometimes crazy ideas, but this time he has it on the button, and in a very concise way.

Now Rich M has got in between them both with his own economics take on why this is the case. It's true, security doesn't affect consumers in the ways we would expect or hope as security practitioners hoping to make some money from our skills.

I think anyone working in security, especially at a vendor, knows only too painfully well that security and privacy are table stakes. This is why we need compliance to get people off their arses and looking at security in the first place. If security were attractive, PCI, HIPAA, GLBA, SOX, CFR21, etc. wouldn't need to exist. But with compliance, security turns into marketing rather than technical skills. This suits me fine in fact, I've been a sales engineer for many years, and know these arguments inside out, but I think this goes some way to explaining our ambivalence towards compliance.

Compliance does not equal security, we hear that all the time. Compliance is a business driver, and for security to survive as an industry we need to bow to it. Security as a purely technical discipline is no longer viable, yet to hear the amount of complaints about compliance, PCI in particular, you would think it was nothing but. Security as a business is dangerous however, and is taking security a long way from being secure in many cases.

I'm going to continue this in a separate post, because I have plenty to say on it. This may have to wait however as I'm leaving Spain today and have to pack!

Tuesday, 4 September 2007

Outward bound

I won't be doing many more posts from Spain I suppose. I will miss the place. Run-down, chaotic, smelly and disorganised as I can be, Spain has suited me well. :)

Every time I look up something about Barcelona I end up at some sort of travelog type site which more often than not has complaints about the rudeness of hotel staff, the long waits at cafés, the way people walk into you in the streets, the strange odours wafting from every drain and subway, insanely dangerous building practices... the list goes on.

The very things that annoy everyone else about this place, I have come to love in a short time. Staff are not rude, they are just finishing something else. They'll come and treat you like they have time for no-one else and nothing else in a moment if you wait and smile when they approach. The long waits at cafés are to allow you to rest and bide your time. You're in a café! People walk into you because they are busy, the streets are bustling, and hey, if they bump into you, you get to talk to them AND have some physical contact. The smells from underground remind you that this place is evolving. In 20 years time it might be so sanitised that the character is washed away, like Milton Keynes or something. Sorry to the people of MK for this, but, really, what are you doing there? The only hope you have is to make your own smells to put the character back in.

The insanely dangerous building practices - when I first arrived I opened an account at Barclays Bank just off the Passeig de Gracia. The new office was opening later in the week, ON the Passeig de Gracia. You could see it being finished off. Later that week I had to go and collect my bank details, but no, the branch office was shut, so I went to the main office. Still being built, so where do I get my bank details? I have a job starting in a week! There was a guy hanging off a scaffold with a drill, bits of stone and sparks flying off it, right over the entrance. The scaffolding was teetering on a plank of uneven and recently rotted wood. The whole looked set to topple through the glass entrace to the bank at any moment. No-one in their right mind would have walked UNDER the scaffold.

I stood for a good 10 minutes watching, working out where the back entrance was, hoping for some clue as to how to get my bank details AND retain my life. Finally a man in a suit walked casually through the door without looking up, and continued on his way. A minute later, 2 others. These were clearly customers. I ventured inside, ducking low, and there was the lady who had served me previously, with my details ready.

For anyone who has thought "bloody Tony Blair/George Bush/Gordon Brown/Nanny State" in the past months/years (delete as appropriate), this is the kind of freedom we could be enjoying! Also consider that Spain has one of the highest death rates from car accidents in any given year however, and think where you would rather be on the curve. I'm in 2 minds. I've really enjoyed being in Spain, but I am in one of the major cities, which is supposedly quite sophisticated. I don't think I would want it less so however.

There are regular power cuts, my neighbours are loud and ignorant to our pleas of peace, parties go on around us until the small hours, and they don't bloody invite us. This is not something I could cope with permanently, and although it still feels like I am leaving somewhere I call home, it will be good to get back.

Hasta la vista, baby

I hinted last week that there was going to be some further news and pulling together of threads relating to me and this blog. Today marks a major milestone in that pulling together. Today is my last day as Director of Product Management for Kinamik Data Integrity.

This is a day of mixed emotions for me. I've been with Kinamik for 8 months, I've really enjoyed it here, and the work has been interesting and challenging. Being in Spain has made accessing the UK market quite tough, but getting the blog going has opened up a whole new area which I have found invaluable. Kinamik will do very well in the future, they have just had a new round of funding and they have a great opportunity opening up in the States, which to my mind is vital to any fledgling software company. They have great backing and are set to expand their offering further into data security, in the UK and US markets. This would normally be some sort of dream for me to be involved in, but circumstances have not been kind to me.

I would love to be able to stay and help, but my circumstances changed dramatically during my time out here. I am gutted to be leaving the people behind, and the weather. I'm giving up a stake (unless they want to keep me on as a non-executive board member of course...) in a company which I firmly believe is destined for success , and will stay in close contact.

Without going into unnecessary details, there was an untimely death in my immediate family in late March which has made things very stressful for me, and my wife, as time has gone on. As we approached our first anniversary, we realised that there was more reason to return to the UK than to stay where we have no family and few English friends. I think this was around the time I picked up my reputation for being grumpy, although maybe there was an element of this already.

Going back to the UK was never part of my immediate plan, but I started to feel the pull more and more as time progressed. Giving up life on the Costa Brava with an exciting start-up to be with family is a hard decision which most people will always come to the same decision on. It was just a matter of time and opportunity. It really has not been easy to do.

The management team here have been great friends as well as work colleagues, so this post is really an au revoir to them, rather than a goodbye. I am keeping my flat in Barcelona until the end of the year, because, er... I can. I will definitely be in touch by email, and almost certainly on the phone in the near future. Try and stop me!

As a very wise man once said: "I'll be back."

Monday, 3 September 2007

Not as dangerous?

This "Who is sick?" site bothers me less than the stuff I mentioned in my earlier post, but it's still going to be abused. Nothing to do with paedophiles this time, but people who are a bit poorly, and therefore need some time off work.

Picture the scene if you will. Dave has been out for a drink after work, got carried away and had one too many. Dave wakes up the next morning with a blinding hangover and decides to take the day off. Dave calls in sick and tells his boss he has "a headache, stomach ache and feels sick", which isn't a lie. Dave tells this story on numerous occasions, until his boss decides to check him out because he's a time-wasting slacker, and catches him on the booze.

Scenario 2, Dave wakes up feeling crappy and logs on to "Who is sick?", sees there is rabid lurgi in his area and phones in with the exact symptoms. "Take a week off Dave, don't come back un until you're fully recovered", says caring boss. I bet people will use this for exactly this. I would if I didn't live for my work!

I just watched an episode of NUMB3RS, that one where the scientist sets off 2 strains of Spanish flu in 2 different directions across LA, to see which is the deadliest so he can develop a cure and get rich. How much easier would it be for him if the victims called in their own data!? This is just encouraging mad scientists. OK, this isn't as persuasive as the paedophile post, but I'm on a Web2.0 rampage here. Expect to see more where this came from.

Web2.0 is like cloning and communism, a great idea in theory, but in practice it may be more dangerous than we could have possibly imagined. You have been warned.

Peace of Mind???

This probably won't make me very popular, but this bothers me. Vision 20/20 have released a "Peace of Mind Mashup". You enter an address and it shows the location of registered sex-offenders in the area. Over the weekend it has at least changed to being a service which you must sign-up for, but it is nowhere near what I would call safe.

In the UK recently, paedophilia has very much become the shocking crime of the moment. No matter how long it has been a reality, it is fashionable to be outraged about it right now. I will therefore try to keep this balanced without overreacting to media influence, but be warned. I don't think anyone approves of this sort of behaviour, but when the media spotlights homed in on these stories, several paedophiles (and even one poor paediatrician) were attacked in their homes and beaten severely. So what? I hear you ask.

It seems to me that all this service can do for the general public is spread fear and paranoia. The innocent people who will use this will be concerned parents who will find criminals living on their doorstep, or maybe thugs looking for a legitimate target. You may not care if a paedophile gets beaten up, but what about when this thug has run out of "legitimate" targets that we have turned a blind eye to? We cannot encourage violence just because we don't like the target of it. Two wrongs, and all that...

Try out the service for yourself if you are curious. It only covered the US when I tried it, so I put in the address of a friend of mine in SF, and there were more than 20 within walking distance. At 6'6" and 200+ pounds I don't normally scare that easily, and probably have little to fear from these pretty pathetic specimens of society, but this turned my stomach. Not just in concern for my friend's safety, not just because I will be in those streets in the near future, not just because it made me realise just how common sexual abuse is, everywhere.

No, my real horror came much more slowly than that, and during a conversation with my wife. She started off talking about how she'd like to go to Amsterdam before we settle down and have kids. I understood this to mean she didn't want her offspring to be influenced by seeing Mummy with a doobie in The Grasshopper, but no, as ever she is far wiser than I.

Amsterdam has legalised prostitution and marijuana, and although I question their motives for doing so, I fully support their right to. I feel unutterably sorry for the people of Amsterdam who have seen their once beautiful city turned into a cesspit of human excess and depravity, but still go there fairly regularly to watch this insanity unfold. Am I being a hypocrite to encourage this to continue? Perhaps. Whereas ten years ago it was fun to go with a friend to wander round and see the sights, now it's like taking holidays in hell. People used to go to Amsterdam to see some of the prettiest architecture, fields and fields of tulips and poppies, windmills, dykes and polders. Now they go for the whores. No, many of them won't actually use these women, most go for the same reason a car crash causes a 5 mile tailback, they just want to stare in horror.

Legalising drugs brought with it the idea that other drugs would be tolerated, and over time they have been. Walking through from Centraal Station to the Leidesplein some years ago I was offered cocaine no less than 5 times, in broad daylight. Police were nearby, the dealers were not arrested, or even talked to. Many times, foreigners have been sold contaminated Ecstasy, only to later find themselves in hospital, full of horse tranquilisers.

Legalised prostitution has brought with it something far more terrifying. Prostitution is conducted through windows in Amsterdam, the women sit and show themselves off, whilst the punters go shopping. This is all very open and liberal, thus stopping the abuse of women in secret. Yeah, right. I don't pretend to know what it has done for the rights of women, but I tend to believe that if they had the choice, not a single one of them would be working in a shop window by the canal.

As prostitution in the city has become so famous, so other businesses have tried to catch a passing trade. What better to titilate on the way to the workers booths than to stop off at a sex-show, heavily advertised in neon? And when you've finished, why not get a DVD, maybe containing some animals, for when you get home? Yes, the back streets of Amsterdam now cater for everything the discerning pervert could ever desire. I'm shaking my head in disbelief as I write these words. How the hell have we encouraged this? This isn't liberal, it's fascist.

What is known, and not something affected by my opinion in any way, is that Amsterdam now has one of the largest collections of paedophiles and sex-abuse rings in the world. Unsurprising if you consider the magnetism it has for pervs and paedos of every distinction. Just as the coke and Es are easier to obtain and more willingly overlooked, so is the paedophilia and abuse. These people aren't out in the streets yet offering you children as you walk to your next station, but they know where to find each other. A simple search in Amsterdam could be done in a shady theatre or the back of a sex shop. Ask a dodgy question and anyone not wanting to take it any further will not likely inform the police, nor would the police take it very seriously.

Vision 20/20 just made this search a hell of a lot easier and safer for the very people we don't want to have this information. Now the rings don't have to be confined to one area of one country where the police can hopefully make some progress in addressing it. Now they can be ANYWHERE. On my friends doorstep, on yours, on mine. This I am frightened of.