Thursday, 27 December 2007

Other encryption headaches

I was supposed to be telling you about issues I've faced recently with customers. I can't say too much, because of course everything I do gets turned into Product Management requests and either turned into new functionality, or we address it with partnerships, etc. either way, all very hush hush.

One other generic example which I have to give however is using encryption in conjunction with 3rd party apps and databases. Many 3rd party apps which use back-end databases connect to the database using just one user login. Of course, this means that anyone able to access the application potentially has access to any encrypted data. This can cause real headaches for me, and will continue to do so as compliance becomes more strict.

At present, PCI only dictates that sensitive data is encrypted, it doesn't talk about the mechanisms of the applications, which is probably where it has potential to fall down the most. A short aside here: I was speaking to a customer last week and they asked whether encrypting a database at the file level was in line with PCI. I replied that PCI was quite vague on this, and before I could go any further he replied "Oh, I find it quite the opposite." I had to bite my tongue quite hard. How irritating it is to be a bitter twisted security commentator AND have customers. I could have spent hours softening him up just to cut him down, but I just listened and realised how simple it would be to tell them I could do everything they need. The truth is, no-one can yet.

Happy New Year?

If I told you what a brutal year I've had no-one would actually want to read what I write about. Just to cap it off, my Mum's house was burgled last night. After nearly 30 years of complete safety, someone forced a back window just to run off with a few bits of jewellery worth no more than a couple of hundred quid on the black market.

I moved into that house aged 3, just as it was being finished off, we've known everyone in the drive since then, my mother is a leading light in the local community, a member of the parish church, local WI treasurer, ex-secretary of the village fete, etc. My father and sister both died in that house, which makes it a tragic place as well as a happy place for my mother, but one she would never choose to leave for either reason.

And now she can't sleep at night because some bastard needed a fix, or couldn't be bothered to work for a living, or something equally bland and banal. Criminals are worthless, brainless scum, whether in the real world or the virtual world. What may seem like a harmless act for one can ruin someone else's life.

To the criminals, I vow to track you all down and destroy you, one by one, like Dirty Harry. Make my day. To the security guys, I will be supporting you, now and always.

Just for once, I'd like to have a happy new year. I wish the same to all of you.

Tuesday, 25 December 2007

Insecurity by obscurity

Much has been written on the pages of the SBN about application insecurities, we are honoured to have Jeremiah Grossman putting his ideas down in print, and I still have the occasional contact with Mark Curphey - founder of OWASP - even though I stood him up for lunch in his first month back in the UK - which I vow to make up for in the new year. In short, there are better men than I to talk about application holes and how to stop them occurring.

My experience is with data-security, and whilst it is undoubtedly the best way forward, I have grown used to the idea that it will never be complete on its own. Whilst I dislike using firewalls to plug holes, I admit they have their place, especially whilst data security is relatively expensive and applications are such a minefield. And whilst it would be too easy to argue about 'an ideal world', where applications had no holes, and networks had no points of insecurity, even best case reality has issues.

Consider a database, any database, any flavour on any OS from any company, you will all have your favourite. Now encrypt it with your favourite encryption method, encrypt the password files, prevent access to all parts of the filesystem that you deem sensitive. You will still need a DBA. That DBA can write triggers. That DBA can write a trigger which, with no access to data himself, rewrites sensitive data to a file whenever a legitimate user accesses it. This is a hole.

How do you start to code around that? Obviously no-one thought of it, or it wouldn't be there. No-one thought to encrypt, so why would they make it harder for the DBA to do his job after all?

Of course, now there are other tools to cover this and many other issues around databases, we partner with them to plug the holes which encryption alone cannot fix. The problem is, with applications smaller than databases (i.e. pretty much every other application ever written), the issues come to light much slower, or rather once an attack is found, it can be kept quiet for far longer - insecurity by obscurity.
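The DBA-trigger hole described above is one that encryption at rest cannot close, but it can at least be made visible. What follows is an added example, not code from the original post or from any product it mentions: a PostgreSQL system-catalog query that inventories every user-defined trigger together with the source of the function it calls, and flags function bodies that reference facilities able to copy data outside the table (COPY ... TO a file or program, lo_export, adminpack's pg_file_write, dblink). The regular expression and the list of flagged facilities are my assumptions about what is worth a second look; the catalog tables and columns are standard PostgreSQL.

```sql
-- Added example (not part of the original post): inventory user-defined triggers
-- in a PostgreSQL database and flag trigger functions whose source mentions a way
-- of writing data somewhere other than the table the trigger is attached to.
-- The pattern below is an assumption about what deserves review, not a complete list.
SELECT c.relname  AS table_name,
       t.tgname   AS trigger_name,
       p.proname  AS function_name,
       -- true when the function body references a file/remote-copy facility
       p.prosrc ~* '(copy\s.+\sto\s|lo_export|pg_file_write|dblink)' AS writes_outside_table,
       p.prosrc   AS function_source
FROM   pg_trigger t
JOIN   pg_class   c ON c.oid = t.tgrelid   -- table the trigger is attached to
JOIN   pg_proc    p ON p.oid = t.tgfoid    -- function the trigger executes
WHERE  NOT t.tgisinternal                  -- skip constraint/foreign-key triggers
ORDER  BY writes_outside_table DESC, table_name, trigger_name;
```

Two caveats for anyone running this. PostgreSQL triggers fire on INSERT, UPDATE, DELETE and TRUNCATE rather than on SELECT, so a copy taken on read would have to live somewhere else (a view, a rule, or a wrapper function the application calls) and those need their own inventory. And a DBA with superuser rights can rewrite or drop whatever this query finds, so it is only useful when run from a separate audit role on a schedule, with the output stored outside the database being audited.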

Thursday, 20 December 2007

Talking turkey

Back when firewalls were all the rage, people talked about encryption like it was panacea. It seemed so far off, so complex and so difficult to achieve that it was revered far too much. Of course, encryption turned out not to be the be all and end all of security. Of course to BE secure, encryption helps, as part of a whole system of in-depth, defense in layers - but there are many more points to security after you've hidden the data.

Encryption is addressed broadly in 4 areas now, email, the file system, the application, and the database:
  • Email encryption has been possible for years, but there are new mechanisms being designed all the time for some reason. I often wonder how much mileage there really is in this.
  • File system encryption is so simple that storage companies are building it in.
  • People write their own applications, databases of course are just reasonably complex applications.
What needs addressing is the management of keys used by these applications, and the security of the applications themselves. Most applications are too small to be an issue, secure because they are:
  • written that way (it occasionally happens),
  • protected by WAFs, or
  • proprietary code which no-one cares about enough to attack - security by obscurity.
But what I'm seeing now, as I am called to a number of sites around Europe to handle keys for encrypting inside databases, is that the databases themselves are badly designed, inherently insecure, and need a whole lot of extra help.

Encrypting a database can only do so much. I thought it would be interesting to go over a few of the issues I've seen recently, so I'll do that over the Christmas turkey, and hope someone reads it.

Tuesday, 18 December 2007

More UK data losses

Answer the following question.
To get a position in the UK government you need:

a) a degree
b) to be patriotic and dedicated to your country
c) a sexual perversion
d) to be good at apologising
If you answered d), give yourself a pat on the back. If you managed to pat yourself on the back, give yourself a hug monkey-boy. Actually, any of the above are acceptable, except a), which is most definitely not a requirement.

Yes, Our Illustrious Leaders have gone and done it again. It seems like only a few days ago I was crying with laughter, safe in a Paris hotel, as the home secretary apologised to the nation for losing, oh, I don't know, millions of people's tax details. Oh, hang on, it WAS only a few days ago.

This week the DVLA (Driver and Vehicle Licensing Agency) has lost, oh, a few million drivers details. The former was on CDs, I cringed a bit between gasps for air and thought that actually, it was just embarrassing, anyone could lose a CD with millions of people's personal records on. Err...? If anyone HAD a CD with millions of people's personal records on that is. Why was this ever out of the building?

This time it was 2 hard drives. How do you go about losing a hard drive? And how do you lose 2? Again, WHY was this ever out of the building, or the computer?

And in either case, why wasn't the data encrypted? I know I'm a bit of an encryption nut, I work for an encryption company, have worked for or with every encryption company under the sun (except NeoScale of course, that one wasn't my fault) and would encrypt my underpants to stop unauthorised people seeing my private details. But maybe that's because I realise how important it is when I'm carrying something so sensitive?

Now, who would want the details on my laptop? A competitor would, for sure. Are the government so blind that they think they don't have any competitors or people who could benefit from their information?

To be honest, I'm waiting for the call from Downing Street:

Gordon Brown:"We've been losing quite a lot of information recently and it's making me look like a bit of a prat who can't control what's going on under his own nose"
Your Humble Author:"Oh, I wouldn't say that"
GB:"Yes, it does, although that's very kind of you to say so. You're very tall and handsome by the way"
YHA:"Thanks, but I'm happily married"
GB:"Oh. Well, what about this data thing? Can you stop people losing it all the time?"
YHA:"No, but I can stop them using it."
GB:"How do you do that?"
YHA:"Easy Mr. B, you encrypt it."
GB:"Hallelujah, you are a god-like genius, have a job and some money."
YHA:"No thanks Prime Minister, I'm doing it for my country, and I don't want to work for you."
Well, maybe that's what'll happen?

[Unrelated side note which just came to mind: Last week the Regional Sales Manager was staying in the Paris Hilton. That ought to get me a few more page hits.]

Saturday, 15 December 2007

More statistics and security confusion

When this report came across the wire yesterday:

Report: Security becoming business tool

I was reasonably happy. Until I read the tag-line that is:
Compliance, privacy and data protection, and meeting business objectives are top three drivers for security
"Strange", I hear you say, "for a security vendor to dislike business drivers in the press..."

And you'd be right. With my vendor hat on, this is great news for me. This story was sent to me by the Senior PM at Ingrian in fact, and he knows a good driver when he sees one. But, take the hat off, and there's a security guy underneath it banging his head on the table.

But why? This is all positive for the industry isn't it? Yes... and no. It's all true, and it's all relevant and it's right that security gets publicity, but this is what I object to:
"Eight out of 10 organizations said security has helped improve IT and operational efficiencies, and six out of 10 said it helped with the organization's strategic initiatives. And compliance has played a bigger role than a checkbox: Eighty percent of the respondents say compliance has improved their organizations' security."
First off, security and compliance do not make easy bedfellows. Ask your dyed-in-the-wool security guy what he thinks of compliance, and that isn't the only c-word you'll hear. 80% of respondents may say that compliance has improved their security, but then they would, they're probably being filled in by the marketing department, sorry, Executives.

And of course they're going to say it has helped improve IT and operational efficiencies, for the same reason, but this is the thing: SECURITY IS IMPROVED IT AND OPERATIONAL EFFICIENCIES. This annoys me because it is the one thing that anyone in security should understand from the moment they sign up - security is not just encryption, not anti-virus and not some worthless device, for firewall's sake (sorry to use the F-word and the C-word, but I'm angry).

Security is confidentiality, so yes, encryption and everything that comes with it, but also physical protection of the same. Security is integrity, making sure processes don't have to be repeated because information is lost or incorrect. And security is availability, making sure that processes work the way they are supposed to, access to information. This is what security has always been. Just because businesses have only just realised what it is doesn't mean that it is suddenly a magical driver, it just means we're all putting the same name to it.

I look forward to making a few easy sales now the budget will be available. 80% you say...

Tuesday, 11 December 2007

nCipher buys NeoScale.

For $1.95bn. For your mental picture, I am sitting here goggle-eyed in amazement.

### UPDATE: Tyler informs me that it's million, not billion. My eyes have popped back in. I'm leaving the story up as a warning to others of how not to jump to conclusions. ###

What the hell just happened here?

I've stayed away from commenting on this because of the nature of my business and the fact I am a competitor of both companies, but... er, what?

Co-founder Alex Van Someren (brother of other founder Nicko VS) left nCipher a couple of weeks ago, it seems that someone else is in charge of the product decisions now. This is a huge move for nCipher.

They were also looking for a new VP of Professional Services last month, in either Cambridge, UK or Boston, MA. All of this points to huge expansion. But on what basis?

My only guess is that nCipher are wanting to play more on their Key Management portfolio, because they've seen how well it does for... well, us, actually. And it just so happens that NeoScale have a device based approach. Oh well, I suppose it was bound to happen sooner or later.

But where did they get all this money from? I have to ask: Will they have enough left over to hire the developers to put it all together?

Sunday, 9 December 2007

Expansion in EMEA

I'm fighting a losing battle at the moment. Not just with my waistline, but with my diary. It seems that every time I think we're slowing down for Christmas, we get yet another customer calling up and asking for more of my time. I'm actually quite pleased to be able to go and talk to people about their encryption and key management issues, and the nearer we get to Christmas, the more wining and dining seems to be involved, so I can't exactly complain.

On the flip side of this, being on the technical side of operations in EMEA, I also get more involved in support calls than I should - because I genuinely care that any company I am involved with appears to give a good service, and because our support team wakes up around 4pm our time - not ideal. I am responsible for the technical service we deliver as a whole after all. We currently back off first-line support to a distributor who are not delivering to the level which I require. As a result I am relegated to a support function when I should be out drumming up technical interest. Often these days I also end up being farmed out to resellers to explain 'how it works', when this is something else the disti should be picking up by now - or if I'm doing it, I shouldn't be doing the support and the evangelising too. Fortunately after Christmas I am getting someone else on board, and who knows what will happen with the disti if things don't pick up.

Expansion is a luxury, both in terms of stomach and corporation. So, I may get a little flustered, and I appreciate that my output has dropped here recently, but early in the new year this balance should be restored. EMEA's looking busy right now, the UK especially has found deeper pockets for new technologies. I look forward to having time to blog about this more from all over Europe next year... and to ditch the technical support woes.

Tuesday, 4 December 2007

MI5 blames the Chinese

Sam sent me a link to this today. I particularly liked the James Bond reference. Well, it does sound a bit like we're regressing to the same playground tactics of blaming it on the Russians and Chinese. Bond would have been proud. He would have been blowing stuff up and shagging anything that moves, just to try and control the little buggers. Makes you proud to be British.

What made me laugh was "Dutch Shell uncovered a Chinese spying ring in Houston, aimed at pilfering confidential pricing information for the oil giant's operations in Africa", that must have been pretty tough to pin down, but it must be true, because "security sources" said so. I guess if you're a Dutchman living in Houston it's pretty easy to spot the Chinese guys stealing your African secrets, they're the only ones who look like they know what's going on.

But silliness aside, doesn't the rest of this article read like FUD to you? I've been in this game for a while now, and this sounds almost like a sales pitch, but with no point to it. It looks a little like publicity for Sophos to me, Graham Cluley is very high profile over here anyway, but he seems to appear in an awful lot of Jeremy Kirk's stuff. Must be useful for them both I guess, although hasn't anyone told Graham that blogs are the new magazines?

Thursday, 29 November 2007

More mainstream by the minute

I'm not going to spend long on this because I'm having a break from all things work related, and that includes my blog, but Hoff deserves a special 'hoorah' for this article.

It's nice to see people sitting up and listening to data security. Chris, this is for you: "Hoorah!"

Tuesday, 27 November 2007

Taking a break

The rent on my flat in Barcelona is nearly up, and I've still got a few cupboards full of trinkets, and books. An unbelievable number of books. My wife is a reader, not in the sense that normal people are readers, reading maybe a book a week - which until I got married I thought was going it some. No, she will read a book a day, sometimes 2 or 3 if I'm neglecting her and working. I know Spain must have been hard on her (didn't understand the TV, and no-one else spoke English) because I now have to import the equivalent of the British Library back across Europe in a couple of suitcases.

Rather than making a few trips over and trying to ram it all in suitcases, which would take a thousand trips anyway, I'm going to take it easy and have a break. I've been in San Francisco, Paris, London, Manchester, Trowbridge (yes, there!) in the last couple of weeks, and I'm shattered. Frankly I don't want to take another flight, but I'm still paying for the flat in Spain, so I may as well make use of it. I'm still on call, but I'm going to tune out and drop off for a few days, try and recharge my batteries.

I've got to go to Norway and Gibraltar before Christmas (not to mention Runcorn) anyway and I need some sleep right now. Not sure Barcelona is the best place for it, but it's either that or imploding at Christmas, and I did that last year after an operation which left me open to infection and what felt like food poisoning - only without the pleasure of food beforehand. I'd rather chill out for a bit and gear up for January. Now that's going to be exciting - more business than ever and hopefully a new member of staff - hooray, half the number of back breaking plane trips, half as many support calls and only one salesman to deal with each.

What's the betting it doesn't work out like that?

Thursday, 22 November 2007

What's happening to Data Security?

It's been a bad week for Data Security. First of all, on Tuesday, Alistair Darling, our illustrious Chancellor of the Exchequer, had to stand up and apologise to the entire country for losing 35 million records from HMRC (Her Majesty's Revenue and Customs), our version of the IRS, and the NAO, or National Audit Office. Apparently it was down to 'junior staff' walking out with names on disks. Isn't it always?

Secondly, and I'm allowed to talk about this now, because, like EVERYONE knows already, NeoScale are in big trouble having put all their financial eggs in one MTI-shaped basket. Doh. Rich Mogull covers this better than I will even attempt to, and I'm slightly uncomfortable in knocking them, being as I am, in the same industry and working for a major competitor.

Things were looking up after Vontu were acquired, and I thought data security was in for another golden age, but maybe the message is still too bloody slow in getting across the Atlantic. Bad government in the UK is a given these days, it's why I left in the first place, sadly I had to come back. However, bad business management on the other side of the pond is really surprising to still see. I guess some tech companies are led by techies, and some are led by businessmen.

Saturday, 17 November 2007

Channel vision

I've talked before about Cisco and how they hit the market at exactly the right time with the right product. But these guys never needed distribution networks like the UK channel, they created the UK channel. The world NEEDED Cisco kit. There was nothing else, computers were booming and networking was king. The channel sprouted up out of nothing almost overnight to cope with demand, pure and simple economics.

I've mentioned Juniper and a million other "second phase" technologies as I will now be referring to them as. These are the ones who took advantage of the newly created channel of distributors and resellers to sell a whole new set of technologies, built on the holes in the existing ones. Now the economics began to work differently, the channel had to get smarter, employ people who understood the technology and 'add value'. How many distis and resellers are now called 'value added distis or resellers'?

Many of the people driving these sales from the US had been responsible for at least part of the first phase too. This is where they cut their teeth, watching the millionaire being made, and doing it for themselves in the second phase. The second phase is now mature, many technologies are being acquired, resellers and distis too as everything amalgamates into a giant Googlemonster. However, this leaves us with an interesting development.

When I left the channel some months back, despite some great people and reasonably interesting technologies, I felt as though the brakes were on. I thought there was more value in being a technology leader. I aimed way over the top as it happened, too visionary for the UK market right now at least. All this did was confirm one thing, the channel was too 'safe', or as I said back then, stagnant.

The problem is, the people who have come in under the value added generation have been led to believe that there is a set way of doing things which just works. And to an extent it does. Juniper did very well out of the current distribution model for example. However, Juniper are now the Cisco of yesterday, becoming self sufficient. There is very little value that the old-style channel can add.

So what happens? The channel gets bloated and filled with marginal value adding, carrying already fat technologies because the status quo isn't being changed.

My friend wants to change that, and so do I. They are bringing new technologies in in the old way, helping small companies to grow, not already established ones. The new way is just the old way in a new hat, but it took it being waved under my nose to recognise it.

Friday, 16 November 2007

Computer Weekly article

The title wasn't quite what I'd put, but I guess journalism is sensationalist these days.

Here's the article I've been promising for a couple of weeks, and fits in with a lot of what I've been writing the last few days.


Security goes mainstream

Who saw Dilbert today?

Just call me Mordac.

Wednesday, 14 November 2007

A moment of clarity

I was having lunch with an old friend the other day when I mentioned what a great response I'd had to the recent articles I've been doing on US and UK sales. The friend in question just happens to be the man who employed me in my last stint in the UK channel, and he was interested to know more. He has since left the same company that I worked for and started again, doing it his way.

He mentioned to me that the channel seemed to be getting very stale for a lot of the smaller technologies, which is why he started small again. My mind flashed through a thousand posts at once and suddenly everything seemed to make sense.

I've bemoaned the fact that security is stagnating here before. Richard Stiennon took me to task for it, and even compared me to Mike Rothman, which was very hurtful (joke Mike!). I remember thinking at the time it was unfair, because whereas Mike had been pontificating a bit, I was genuinely struggling to see where we would go next as a reasonably sophisticated market started to dig its heels in.

I spoke to another friend of mine from the same distributor not long ago, and he practically whined that no-one was buying anything. He blamed everything from sub-prime mortgages to the exchange rate to Gordon Brown, which no doubt all have their faults, but I'm pretty sure stuff is still being sold. I'm so busy personally that I can't even arrange a doctor's appointment to fix my DVT. We have a great product and a really good team in the UK, but that doesn't mean we created a market from nothing. The opportunities are out there, you just have to stand out from the crowd.

Tomorrow I'll be covering what we talked about in more detail, and yet another view of the channel.

Pitfalls of regional sales

Yesterday I started talking about the pitfalls which sales based organisations coming into foreign regions often fall into, and in doing so uncovered that it is not just US companies coming into the UK and Europe, but UK ones moving into Europe as well. The good news is, it's salvageable.

Not everyone loves a 'have a nice day', 'thank you sir', 'right away ma'am' attitude to sales. My skin crawls when I listen to some sales people on calls. Sorry, I know that's the way it works over in the US, but over here, people are not only numb to it, but resistant. We need to think that people are interested in us, and in their own product. Insincerity seems to be a way of not being rude in the US (when was the last time "Have a nice day" actually MEANT anything?).

In Europe it comes across as vacuous and disengaged. Try that with a German and they will politely leave the call as quickly as possible. A Spaniard will probably not be quite so polite. I know there's at least one Frenchman reading this, so I won't go into what he'd do, needless to say I've experienced it and it wasn't pretty for the guy on the other end of the phone.

I'm probably making myself unpopular here, so moving on...

Will cold calling cover enough ground, are there lists of contacts available, etc?

Quite simply, there is no replacement for having a man on the ground in a country. If you can't be in every region, make friends with your resellers, give them discounts, be good to them, don't whine at them, don't tell them they aren't achieving enough, just be nice. Which brings me to my next point.

People need a good whipping to get performance.

OK, most people don't do this, it's pretty 80s after all, but it is something many US CEOs and sales directors have been guilty of, so worth mentioning. If you incentivise responsible people, you will get results. If you kick responsible people, they will put up barriers. If you incentivise irresponsible people they will either take advantage of you or do nothing. If they take advantage of you, your incentives are set up wrong, or they are guilty of fraud (I've seen this too, on a massive scale - more later...). If they do nothing, they get nothing. Be nice, get results.

Once it's all set up, it still needs running.

The difference here is micromanagement and proper handing over of responsibilities. You can say 'I don't micromanage' all you like, but if you don't even know what your people are doing, you aren't managing at all. On the other side, if you have your fingers in every decision in every country, you are not only a pain to your employees, you are a bottleneck to your business. Be clever, empower people, give them boundaries, not just "you're responsible for this, you do it, or else" - that's poor management, and you will lose their buy in.

"You're the Product Manager, you do X, Y, Z, if someone comes to you with anything outside this, pass them over to me or the Sales Manager" for example. "If you get a complaint, if it costs less than $1000 to put right, you have absolute permission to do whatever it takes. If it's getting more expensive than that, get me involved." should take care of 90% of issues. It empowers.

These are just the views of someone who has dabbled in these areas, with a little help and advice along the way. I don't pretend to know everything, but I do listen to what I'm told. And that's all I'm reproducing here. My father quotes Sir Isaac Newton in his book Sales Strategies - "If I have seen further than others, it is because I have stood on the shoulders of giants." Which loosely translated means "I didn't do any work, I just read a load of stuff and put it in a sensible order." Clever chap.

*** many thanks to Sam Van Ryder of AlertLogic for his guiding hand and proof reading of this piece, who also deserves a mention purely for having one of the coolest sounding names ever (although heaven forbid he ever marries Minnie Driver, or anyone called Laurie) ***

Monday, 12 November 2007

Not on your doorstep - selling into 'other regions'

I've been asked by a few people to expand on my post of last week about US companies moving into the UK and other regions. I only touched lightly on the 'other regions', the reason being that although I have worked extensively in Europe, there are many people more experienced in each country and separate region. The only country I have ever lived in other than the UK is Spain, although I have worked extensively in Ireland, Germany, Italy, and France too. I am currently embarking on work in the Nordic region, and Ingrian has accounts in South Africa and the Middle East which I will be working on soon.

Again, much of what I've noticed about sales in these regions is common across them all, but there is still a channel setup in each country which needs to be understood on an individual basis. By far the best way to address this is to find resellers in each country who do what they do day in and day out. You will never be able to cover the ground they do, get the contacts, understand the market, and most important of all, speak the language as they do.

This brings me to the additional assumptions which US businesses typically make in trying to break foreign markets. Everything I wrote previously still stands, and stems mainly from the fact that these countries are not on your doorstep. And I'm sorry if some of this offends, but many countries are not as friendly towards the US as the UK is. Hell, many countries are not as friendly towards the UK either. The biggest barrier of all is our inherent arrogance, which we should be forgiven for once we realise it.

English is the international business language.

Wrong. English is the international language of the boardroom. The international decision making language if you will, but the language of business is the language of sociability - and that changes whichever region of whichever country you are in. If you can mix with the people you are selling to, you stand a far greater chance of getting your product accepted, simple as that. I have sold some relatively weak products to people just by being friendly, and missed out when younger just because I was scared of socialising with people who I assumed knew more than I did. (They undoubtedly did, but they rarely find out in my experience.)

If you think English is the international business language, try selling something in France. Go on, try it. Didn't work did it? Because you don't speak French. I am currently in a deal with a very large service provider in France, I have never, and will never meet the person paying for the kit, and so it shall remain. We have a reseller talking to a systems integrator, who is talking to the end user. In French. The reseller speaks French to the SI, I speak English to the reseller and sometimes we misunderstand each other. However, by the time it gets to the end user, everything is as French as can be. Just the way they like it.

Language and culture can be intimidating, but need not be. Whenever I go to a new country I always find someone who is prepared to tell me everything about their little corner of it. Most people are happy to show off their knowledge of a place, the more cosmopolitan the better. I have a host of people who can show you the back streets of Barcelona just a phone call away, likewise Paris, Munich, Stockholm and Oslo. Just be interested and they will come to you.

There are many more pitfalls that can come from this ignorance/arrogance that we find ourselves unwittingly a part of, just because we speak English - and yes, English people are just as bad as Americans, in fact often worse because we are too busy gloating about how bad the Americans are in the UK to realise how bad we are abroad. I'm guilty of it myself in the first post for not covering any other region than the UK (even though that's obviously the most important :0)

I'll cover the pitfalls tomorrow, and apologies in advance for having to generalise the rest of Europe into one region, but one post per country would take a little longer than I have free.

Saturday, 10 November 2007

Flying away

San Francisco is obviously sad to see me go, it's been miserable all day and shows no sign of letting me take off without giving me the bumps. For someone who spends a large amount of his life in airports, I am not the most comfortable of flyers. It doesn't help that I'm 6'6" (my wife will delight in telling you that this is a lie, I am in fact 6' 5 3/4") and seats are built for traveling dwarves. Fortunately I have been 'upgraded' to seats with more 'legroom' on both the inbound and outbound flights, but I still feel like a battery hen. It doesn't help that I always find the moron on every plane who sits in front of me and puts their seat back, ignoring the fact that my knees are already up around their ears.

I asked about upgrading to business class on the way back this time, as even if the company wouldn't cover it, I would happily part with a few hundred dollars for some comfort. Apparently this isn't possible on a code W ticket from United Airlines, and that's that. No explanation, no offer to buy a completely new ticket even. When I asked, they said no, the plane was too full, but they'd put me on a list. Great. I have a feeling that in about 12 hours time I'm going to be walking off the plane in London and having a massive thrombosis related coronary. Still, maybe then I can sue United and get upgraded to 'monkey' rather than 'chicken'. At least I'm not in the 'pondslime' economy class still.

Really I don't understand why airlines can't just sort their act out, take out a few rows of seats, put the prices up another $50, we wouldn't even notice. I stopped short of throwing a hissy fit because the English have a bad enough reputation abroad as it is. My wife may not be able to hold back for as long. The seats we managed to get in the end are not together, and not on an aisle. All this we turned up 3 hours early for. What a waste of life. I hate airports and I hate flying, so to examine my life you might think me some sort of masochist. Sadly, to get to meet interesting people, you can't stay housebound, hell, you can't even stay in the UK for long before you run out.

This month I will have taken 13 flights from 1st to 30th:

Southampton to Manchester and back, 3 times = 6
Southampton to Paris twice and back once totals 10
San Francisco and back totals 12
Out to Barcelona (coming back in December) grand total 13.

These are all the ones I know about so far... of course there are still 2 unbooked days in my diary so far and I could easily end up in Patagonia for an afternoon. My carbon footprint is matched only by my actual footprint (size 13 UK - I think this is around size 26 US with the current exchange rate?)

So, despite taking a flight on average every 2-3 days this month I have remained relatively sane. How? Well, it sure as hell beats working.

Friday, 9 November 2007

5000 miles and counting.

I mentioned in a previous post that US companies trying to break into the UK make the same mistakes over and over again, and that there are a few things which 'they' just don't seem to understand. I have an article coming out in Computer Weekly on this very soon, so I need to be careful I don't repeat myself too much, but basically there are a few pitfalls:

The UK market is not an extension of the US market.

Just because a product has worked in the US, does not mean it will automatically work in the UK. The laws in the UK are different, compliance isn't taken as seriously yet, there is a different attitude towards legislation and whilst less technology savvy in general, people are less easily led by advertising and will need something proven to them before they part with their hard earned cash.

If you don't know the UK market, you are destined to fail.

Many US companies will happily send an experienced sales guy out to the UK in an attempt to kick start things. Many will succeed, but in the meantime poor old Mike (all American salesmen are called Mike, don't tell me any different) is having triple bypass surgery at the age of 35. Many others will use a recruitment agency to find them an experienced sales person in the UK, at great cost, to help them out, without doing any market research.

Unless the product you have has such a high price point that you only have to have one or two accounts to become viable, sales needs to be done locally, and with local talent, people who know the market, and how to exploit it. This is the area which distribution tries to exploit.

The UK channel (distribution and resellers) exists because of the US attitude towards the UK market.

Very few people looking out from the US understand this. This is because the channel has grown up from the state of the market, it is not there to serve, but to feed from the US. Because no US company can set up a UK branch with any clear knowledge of how they are going to fare, they use agents, these agents pitch to resellers who are offered large discounts. When the resellers have made the solution viable, they can pitch to distribution, who will get even larger discounts to bring in even more resellers. Then the product becomes much more widely distributed, but the product is tied to a distributor unless the company becomes so large and successful that they can start manufacturing in the same region.

The channel is not as reliable as they would like you to think.

Some resellers and distis are better than others, in fact the quality of work is extremely variable. Not only that, the turnover of staff inside these places is staggering. A company who did well for you 6 months ago could be staffed by entirely different people now. Are you doing your checks on them from 5000 miles away?

The channel is not as exclusive as they would like you to think.

At the risk of incurring the wrath of a few resellers and distributors, what they do is rarely unique. Many of the top distis and resellers are now so close in their offerings that it is only acronyms that differ, not the service levels or support.

Incentives work differently in the UK.

Try starting a Beta program on the West Coast and you can easily come up against issues. People expect more out of your product, and they expect it to work. Not so in the UK, but you have to warn them. Beta programs can be much more successful, people expect discounts, but are very pragmatic in relation to the quality of code if warned in advance. In the US they expect perfection and immediate service. Britain grew up on British Rail. However, running a Beta program from 5000 miles away is not possible.

The UK market needs to be built again.

Just as you had to build up awareness of your product in the US, so we have to build awareness in the UK. If that took 4 years in the US, it will take 4 years in the UK. You may have seen me refer to the 4-6 year market lag between the US and UK before. This is why it happens. Those which take 6 years usually had a false start somewhere along the line, or a hard technology to punt in the first place.

This last point broadly covers a lot of issues. Think about business drivers, they are not the same. Think about the sales message. Think about the marketing message. Think about the support. SLAs, maintenance, delivery, replacement, etc. You can't just do it from 5000 miles away and expect it to go right just because you managed to do it in the US and you're really angry because it's failing.

I've seen a successful company lose momentum and practically disappear because of its lack of vision in this area. I've seen a very small company make itself look like a huge corporation because of their clever use of ideas. I've seen some very intelligent people look like lost children when faced with the UK channel, and disbelief when the product failed to make a dent in sales. I've also seen people embrace and empower their staff to go ahead and do what they think is best in the region. So far these are the ones who are doing well, but I still can't help thinking that this is an expensive way to do it.

Thursday, 8 November 2007

Security City

San Francisco is an amazing city, fewer than a million people living in a town which has everything you could possibly want. Like Barcelona, the city centre is a couple of miles away from the beach. Unlike Barcelona, they speak English here, so I'm able to get around much more easily.

I've impressed myself by driving everywhere in a car which I can only just squeeze into, and on the wrong side of the road. It takes a lot of getting used to and I'm still reaching for the door handle when I should be changing gear. Fortunately it's an automatic, so I'm not changing gear that often, or San Francisco would be a much more dangerous place.

I've also been fortunate enough to meet up and chat with some great security guys whilst I've been here. On Tuesday Walt Conway took a detour on the way home to meet me for a glass of wine and an hour or so of generally quite silly talk, which I enjoyed immensely. Yesterday I finally got my phone call with Rich Mogull having missed him in the morning due to a Daylight Savings Time mishap. We spent another hour or so talking variously about encryption, DLP, DAM and all things datacentric, including the new blog, which I am hoping will contain some of his wisdom soon now I've activated his account.

Sadly my stomach turned late yesterday afternoon and having arranged dinner with Mike Dahn and his wife Amber, I had to cancel at the eleventh hour. I then hit my bed like there was no tomorrow. Fortunately there was and I was able to meet Kevin Rowney from Vontu today - a happy man with a lot of very interesting things to say. Happy because Vontu have just been bought, interesting because he is in the same line as me, but also very considerate to my wife who came along and was equally charmed by him. I'm really pleased to have him contributing to the datacentric blog too, he says there are 'a thousand people cleverer' than him, but I doubt it. And if there are, they certainly don't have the ideas per minute rate that Kevin does.

A bit of insider info here, and sorry Kevin if this is kiss and tell. Kevin told me that he set up Vontu after a company he was with in 2001 went down the pan after the dot com bust, and Kevin, not wanting to "seem like a loser" to the woman he was with at the time, started his own company - Vontu. I didn't like to pry into whether he was still with the aforementioned woman, but seeing as it was all explained in the past tense, I rather thought not. I'll bet she's kicking herself now. :)

*** CORRECTION *** Kevin contacted me today to let me know that the woman he was with is now his wife and the mother of his child. Apparently he made a subtle gesture towards his wedding ring as he told me the story, which just goes to show that subtlety and jet-lag don't mix. Sorry Kevin, and more to the point, sorry Mrs. Rowney.

So tonight I'm hoping to catch up with Mike and Amber again, to prove that I'm not an ungrateful bastard and that I really want to see them. Well, I really want to see them anyway. Tomorrow I've promised my wife that I'll spend the day exclusively with her, but I just had an email from Anton Chuvakin...

*** Further additional comments *** Finally got out with Mike and Amber for a lovely Thai meal last night. Anton was in Chicago, so maybe next time I'm in town.

Monday, 5 November 2007

What Security Man did next...

I'm very interested in start ups. I like the idea of the geek inheriting the earth, an intelligent idea and some hard graft being enough to pave the future with gold. I like the business side, the deals that are done by being normal, nice, not smarmy or aggressive (salesmen please note). I like the technologies, the ones I've followed for years, Vontu being the most recent example, seeing them turn from unusable ideas into well marketed, coherent messages.

I hate being pressured into things. I hate my time being wasted. I hate worthless crap being peddled as the next big thing. Poor marketing, poor sales and boring technology is easy, I could do that on my own (and most probably would).

There is still one area in which I feel I have had experience that few others have. Not just in data security, although I'd like to meet one other person who has qualifications in nCipher, Ingrian, Vormetric and RSA. I also have qualifications from F5, Network Intelligence, Bluecoat, Infoblox and probably some others I've forgotten about along the way. In short, I find it all pretty simple to understand. Before I was a product manager however, I couldn't have told you whether one was more valuable than another, whether one would take off and another fall flat.

Having worked as hard as I ever have done as a PM, I now know what it takes to produce a winning product, and it isn't just hard work. Communication is a key factor of course, as in any business, but knowing your market is vital. Many US companies don't understand the UK and EMEA markets. I'm back now helping yet another US company break the UK, and the patterns are always the same. It seems to me that there is a market for this amongst other US technologies. If only I could bottle it once and repeat it over and over.

7 Stages of Security Man - Part 7 - Making it my own

Now I don't pretend for a second that I am at the end of my career, or even at the peak of my abilities, but I am at an important and crucial stage, and from here on in I get to make choices rather than decisions.

Let me put it another way. I have the experience of being a reseller, distributor, security admin for a finance house, an SE, a Product Manager and a Director. I'm currently in a job I really enjoy, basically in charge of 'technical stuff' for Ingrian in the EMEA region. People are queuing up to offer me work, and I am happy to turn them down. I get flown out to San Francisco with my wife in tow. I am honoured to count some security heroes of mine amongst my friends. In short, I have everything I want right now.

I sent a message to my wife this afternoon saying "The bloke we're having lunch with on Thursday just became a multi-millionaire, I am still not one" in an attempt to curb her over-enthusiastic embracing of the beneficial exchange rate. She sent one back saying "Oh, did you want to be one, I'm sure you'll manage" which I took to be encouraging, or wishful at least. Thinking about it, I'm not sure I do, it must be an awful lot of stress. Having what you like and liking what you have is much more important I think.

I think maybe the time is coming where instead of being Security Man, I become something else entirely. I'll never tire of security, but it's taught me so much about business that it seems a shame to ignore it.


Well well well. What have we here then? It appears that everyone's favourite DLP company (apart from EMC/RSA of course) has been and gone and sold themselves to Symantec for $350m.

Sometimes fate deals you a good hand as a blogger, and it just so happens I'm in SFO for the week. Even more fortuitously, I'm meeting Kevin Rowney - founder of Vontu and newly christened multi-millionaire - for lunch on Thursday. I think I'll let him buy.

I have to say I think Symantec have got a pretty good deal, hopefully now Kevin will take some time to contribute more to our new venture, the datacentric blog. I also need to apologise to Rich Mogull for saying that he was wrong when Kevin denied all activity with Symantec last month. But I'll do that on Wednesday when we finally get to speak on the phone as I'm in the 'right' timezone for a change.

7 Stages of Security Man - Part 6 - Direction

Luring me to Spain was not difficult. Barcelona was sunny in January, Basingstoke was wet and miserable. The MD was a passionate and intelligent Frenchman whose energy and pure drive to succeed would have had me join him in an exercise to sell ice to eskimos. Kinamik as a company is small and friendly, with various highlights (most of whom will be reading this, so to avoid pampering their egos I won't mention them by name). The salary to join was less than I'd had in the UK, but this was a minor inconvenience when weighed up against the cost of living in Barcelona and the kudos of being a company director at the age of 30. Director of Product Management that is.

I had always promised myself I would achieve this, and it is remarkable how little it seemed in hindsight. However had I NOT achieved it, I would have been quite disappointed in myself. I guess this is what people mean by life affirming? Whatever the case, it certainly didn't mean as much to anyone else. After all you can set up your own company tomorrow and be Vice President and CEO of Global Operations, but this was a personal thing, an achievement which meant something to me.

Work was hard. I spent long days in the office, often 12 hours or more, just to try and turn a small piece of software into a going concern. After about 3 months of this, things started to happen. More investment, interest from a large application server company, more employees. It was great, and it felt like we were achieving something very hard - to start a successful tech company from Spain.

Plans were afoot to expand into the UK, with me at the helm, and into the US, which we deemed absolutely necessary for survival. Things were looking brighter than ever. Then 6 months in, I received a devastating blow, a death in my immediate family back at home left me knocked for six. Despite the support of some fantastic people I felt the pull back home permanently stronger than ever. So after 8 short and exciting months I sadly packed my bags and returned home. No-one was more disappointed than I to be going. I am still in regular contact with the great people there.

The only thing which softened the blow for me was the position I now hold with Ingrian Networks. I had worked with Ingrian at each of the stages mentioned so far, we resold at the reseller, distributed at the distributor, competed at Vormetric, partnered at Kinamik, and finally they thought they'd grab me to see how I fare...

Sunday, 4 November 2007

7 Stages of Security Man - Part 5 - Management

I had craved a management position for some time, and getting it was somewhat of a coup for me. I was very quickly fast-tracked through an organisation where there were engineers with higher qualifications than I, but none with the breadth of experience, which was what was needed.

The security distributor I was employed by was being acquired by a much larger IT distributor, and the bigger we looked from the outside during due diligence, the better. I was made very high profile in a very short time. I wish I had started blogging then in hindsight, I had access to some of the best security engineers in the country, sales guys in every large SI, reseller and corporate in the UK worth talking about and all of them wanted to talk to me about security. In short, I had my finger on the pulse, and could even influence where security was going in specific and general terms. I loved it, and then we were acquired.

Acquisition is uncomfortable at the best of times. When you are a newly incumbent manager of people with more history in a company than you, it quickly becomes painful. When the overall manager who has employed you leaves, and then the MD, it becomes impossible to stay. I was offered a new position as a Product Manager in the newly formed company. It would have been easy, saying 'I think we should keep this and lose this' sucking up to vendors and resellers, etc. Real security easy-street, but it was not for me. I was losing the buy in of the engineers rapidly as more and more people left, and the new company wanted to use me as a figurehead which I was not prepared to be, it would have just pissed off too many people.

Luckily for me then, I was offered a job as a Product Manager in Barcelona at the same time. The choice was relatively simple, but with wide ranging implications for a newly married and settled man.

7 Stages of Security Man - Part 4 - Settling down

Working at Vormetric was fun, but I was never particularly mentally stretched. Whereas my previous job had been a constant learning experience, I now had one product to learn everything about, or at least as much as I needed to sell it, which it turned out wasn't that much. However, I did start travelling, a lot. My most painful memory in particular is flying to Munich for a 10am start, which meant leaving my house at 4am. I finished around 7pm in Munich and finally got back home to my cold damp flat in the UK at 1am the next day.

There wasn't much business coming in to be honest, and I had to take what I could, where I could, often at short notice. The market for file encryption in Europe is limited, it isn't really driven by PCI like database encryption is. It is very much event driven, and that is like looking for a needle in a haystack. Vormetric is a fantastic technology, but I think it is better suited to becoming a feature of something else as this is a much easier sale. Symantec (Veritas) would be the perfect acquirer as it is something they need and can't do as well themselves.

There was a lot of down-time between engagements, so around this time I decided to do something to keep me focused on security. Working at a vendor can make you very blinkered in one direction and I wanted a broader view. I studied for, took and passed my CISSP in 2 months. I wouldn't say it was easy, but I was in the right position to do it. I was very focused and knew what I wanted from it.

I had just moved into a new flat, a bachelor pad I suppose you could call it, although my ex-flatmate's sister was increasingly there, cramping my bachelor style. I suppose it's my own fault for proposing to her. It was around that point that I decided if I was to be a responsible married type, I would need to be a bit more home-based.

So, when I got a call from a local recruitment agent saying that there was a management position coming up at a distributor near me, I was really interested. When I went to interview to meet the Director of Client Services, I was immediately interested further. He was another genuinely nice guy, I knew I would get on with him from the second we started talking.

Saturday, 3 November 2007

On your doorstep...

I am. If you live in San Francisco that is. I'm staying at the Chancellor Hotel in Union Square all week.

More of my life story tomorrow, and maybe I'll pick another technology to write about now I'm here.

I was sitting on the plane opposite someone from Centrify, which is a technology I like very much, but he was too far away to strike up a meaningful conversation and I didn't like to say "I've been reading your PowerPoints over your shoulder" as an ice-breaker.

Maybe if someone from Centrify wants to get in touch I'll do something on them, but I'm meeting Kevin from Vontu on Thursday, so that might be a good one to follow up on too.

In San Francisco, the possibilities really are endless... but for now - I've just landed after a 10 and a half hour flight from London and an hour of driving around town looking for a way to the hotel. It's now 4am UK time. My head hurts. I need sleep.

Friday, 2 November 2007

7 Stages of Security Man - Part 3 - Confidence

I didn't particularly enjoy my time with the reseller, despite learning a lot about security. In fact, I think the fact that I wasn't enjoying myself was only saved by the fact that I really enjoyed the things I was looking at. The management was bad, I disagreed with the sales approach and my father ailed quickly. I was happy to get out, and planned to go travelling with my sister for a while, but as a last act of disappointment I was made to serve out my notice until the very last possible moment and missed the chance to join her in Monaco.

Thoroughly dejected, but full of interest in security and technology, I took a job as a network security administrator at a local MSP in Winchester, where I lived close to my mother, who I had obviously been worried about being on her own. The work was simple enough, but a fantastic ground for learning more about networks, security and most importantly, trusting the people I worked with. My boss at the MSP was a true friend, and has remained close ever since. He and his wife were at my wedding last year and we are still in regular contact.

I also had time to myself. I was doing shift work which allowed me to use the local gym in the mornings when everyone else was at work, or in the evenings before everyone got out again. I lived with a friend I had known for years, and we lived like students for a few months before we both stopped drinking. Neither of us has drunk again since, for the good it did us! I also married his sister... last year sometime.

All of this led to me becoming increasingly more confident in myself and in my abilities. My knowledge of the network became very broad, and my depth of knowledge in security meant that I was prepared for another challenge in the same area. I was beginning to get calls from recruiters (which now never stop), and when I got a call from Vormetric to be their SE in the EMEA region, I jumped at the chance.

They were interested in my previous experience with Ingrian of course; I was interested in the money. I'm still interested in the money of course, but now I also get to do a load of other stuff I picked up on the way too.

7 Stages of Security Man - Part 2 - Sentience

Having been in London for my first dismal job sufferance, I returned home to Winchester when my father became terminally ill in 2000. I was job-less and feckless (I didn't have a job and didn't give a feck) having lost all faith in human kindness at the bank, and didn't really want to do anything having had the news of my father's ill health.

My aunt was a careers officer for the local University at the time, and regularly sent me ideas of what I could try. I think she thought rather more of my abilities than I, or indeed any of my tutors had. One day however, I put my name down on the University jobs board, and received a handful of replies.

One such reply was from a guy who was setting up his own reselling business, and needed a technical person to help out. It turned out I had been at school with his wife and brother-in-law, and that was all the reference I needed. In the main we sold RSA SecurID and nCipher cards. We also dabbled in RSA Keon (urgh), Cleartrust (argh!) and various other minor annoyances. I quickly set up the network, saw in and out in rapid succession of around 10 sales people, learnt SecurID inside out, and got to grips with nCipher. At the same time my father became increasingly more ill and finally passed away in December of 2001.

Around this time however, we landed a large deal with nCipher, to install 20 cards at a large broadcaster in the UK. A company named Ingrian Networks (more of them later...) were using their cards in their new whizz-bang SSL device. They needed a strong reseller in the UK to help them conquer the market, and chose our little 4 man shop as it was at the time. I worked with the American SE very closely for some time, and we all thoroughly enjoyed ourselves. However, Ingrian did not see the sales they were expecting from us.

The relationship did not continue, but I was already out of the door by that time and on to pastures new. With my new found confidence in the network and now hooked on security devices, I joined an MSP, controlling financial websites across the world. Time to get my own back on the bankers...

Thursday, 1 November 2007


Interspersed with my 7 Stages of Security Man posts I'm going to be talking a bit about new technologies which I'm looking at at the moment. In fact, now that I have 'Data Centric' up and running, I'm moving all my sensible, well thought out, pure security thought over there, and keeping all the ramblings and opinionated rantings over here. I wonder which will get the more subscribers?

I like little west coast tech companies, especially those who go on to become big global ones, if I have stock options. I don't (yet) have stock in PacketTrap, but who knows how well this write up will go?

I had a call from a company called PacketTrap tonight, based out in San Francisco, where I am flying on Saturday, but sadly I'm probably too busy at Ingrian corporate to go and visit them this time around. I've said I'll catch them at RSA instead, by which time they will be launching the Pro version of what I've just seen.

When I first saw PacketTrap, I had to ask myself why anyone would buy it. It has a number of tools, ping, portscan, DNS queries, whois, WMI scan, etc. built in to one device which you can sit on your network - but when I was a network admin (more on that later) I had all those tools on my laptop.

Aha, and there's the rub.

Just as routers became necessary to take the load off machines in a network, now a completely separate and distinct device is needed to investigate and manage the network. It's actually quite neat, and that's what you want in a complex network, some tidiness.

Every customer I've ever been in to has asked 2 questions (amongst others of course, just 2 would be silly):

"How do I manage 'it'?"
"What kind of reporting does it have?"

Nowadays of course we have silly devices which collect all the logs and make them into pretty pictures, just because the CFO needs something to put on his wall. We have devices which report in real time and send emails to the CIO about who's doing what with whom, where and for how long, with which instrument, because he needs something to show to the CEO when he's asked what he does all day. Reporting and management are king, they will always be king because the C-suite don't give a monkey's about what the techies are doing, they just care that something is being done and they can see the results of that. If they can then use that data to make something more efficient, or to show the shareholders that they aren't wasting money printing off reports all day, then it's gold stars for everyone.

In Silicon Valley, with a great sounding team of people on board, this start-up should do well. I think they will get some useful feedback and if they take it into consideration when producing the next 'Pro' release, we will start to see them at shows and in a network near us. The messaging will need to be right, but as long as they remember that no-one cares how much work the network admin has on (he can automate it himself), while the CEO, CFO and CIO have all the power and money in the company, they have every chance of making this work as a product too. Then maybe we can slip in something useful for the poor admin as well.

PacketTrap launches on 7th November 2007, go visit their website for more info. My work here is done.

7 Stages of Security Man - Part 1 - Emerging

I've been suffering from 2 complaints which I have since found out are called 'up to my eyeballs in alligators' and 'Blogger's block' - thanks to Brian Honan for that one. shrdlu has suggested I get around it with Primal Scream Podcast therapy, but I'm not sure anyone's going to download that. Brian came back with the suggestion that I write about how I got to be where I am today, and I wondered if it might be kind of therapeutic, cathartic if not chaotic. I've had quite a few jobs, so I'm going to serialise them and pull out a few of the security and life lessons I've learnt along the way. Enjoy.

I've been in security for about 7 years now, and in networking before that, so 'IT' for nearly 10 years, since I left University with a quite useless degree in Physics which I vowed never to use. That's not to say Physics is useless, quite the opposite; that is to say that I had given all I had to spare to Physics by the time I left, and the loss to both parties was not great. Einstein I am not, but you probably realised that by now.

In the early days of my career I worked for an investment management bank in London, with a million legacy systems and every new piece of equipment you could possibly sell to an idiot in a suit. Investment bankers are a vendor's dream, rich and stupid, unbelievably arrogantly stupid beyond belief in the main. They are the helpdesk monkey's nightmare for the exact same reasons however. I was shouted at day and night-shift for various reasons such as WHY ISN'T MY PRINTER ON? Er, try the plug mate. CHANGE MY PASSWORD, NOW! I just did fella, you just locked yourself out again because your cAPS lOCK's stuck on. Et cetera.

I rapidly got bored of the arrogance, I can't abide being pushed around, especially when it is by people more stupid even than I. Banking was not for me, much like it isn't for the vast majority of people who have any self respect. Clever people, great: push me around mentally and I'll bow to your superior brain, but idiots beware. And so on to my second job.

Sunday, 28 October 2007


Well, I know security is cool enough to attract spam, but apparently I am also now popular enough to get it in my comments. Hoo-bloody-ray. Really, I'm probably not the best person to pick on, I got this in my comments box today:
"Don't forget to visit, have fun"
From "Visitor" at IP A quick look at the Whois for this site reveals it to have come from somewhere in Asia Pacific. A quick look at securityrules reveals it to be chock full of adverts and links to stuff you don't want to go to. The articles are an odd mix of pseudo-relevant and advertisement, but I wonder where they are from. Anyone recognise these as your own work?

I really don't understand why people do this, and certainly not why they target me if they do. Don't they know I'm going to bite them?

Saturday, 27 October 2007

The less we write, the more they read...

...apparently, so I'll be keeping this short.

Thursday, 25 October 2007

Features or scaled down products?

Chuck Hollis of EMC has posted an interesting article this weekend. The products versus features argument is one I'm only too aware of having worked in data circles for so long.

A point which Chuck manages to scoot over quite well is the fact that, whilst "every time I see some small company getting attention over some feature they've brought to market, a part of me is saddened by the ultimate reality that it's highly unlikely they'll make it alone", he still works as VP for Technology Alliances for EMC, so he kind of has the ultimate say in whether they will make it at all these days. I guess it's not surprising, the cream always rises to the top, and he's obviously got a great eye for the right products. This isn't really the point.

What interested me was his comments about Decru and Neoscale, two companies I have had direct and indirect contact and competition with over the years. Decru are a laid back bunch, no doubt aided by their recent(ish) acquisition by NetApp, which left all concerned with reasonable pay-offs and the chance to hang on to their old jobs. Apparently NetApp haven't spent much time working them into the company as a whole, but the technology is being adopted and built into the existing filers. It will be interesting to see what becomes of "Decru - a NetApp company" when this process is finished. Will the feature become part of the product and therefore exist no more? Will the Decru guys and girls be overly concerned if/when it does? It was undoubtedly a good acquisition for NetApp at the time, but are they kicking themselves now that they didn't try and code it themselves?

Neo on the other hand don't have the luxury of acquisition investment, and there have been various reports pertaining to the fact that their product is also just a feature - a feature which companies like EMC can apply to their storage much more easily than a device out in the SAN fabric. There are no such questions surrounding their existence as part of another company then, so is it too late for acquisition on their terms?

There was a rumour going around at RSA which I am interested to find out the truth behind. Having said that, there was a rumour about Vontu recently, which I have straight from the horse's mouth (Kevin Rowney, founder and CTO who I am having lunch with the week after next in SF) is completely fabricated. Hopefully I'll have more on the Neo story in a few days time, but due to America's strict libel laws I will keep my mouth shut - I'm flying in on Saturday and Hoff has already threatened to put me on the no-fly list, I can do without a lawsuit too. :)

Tuesday, 23 October 2007

RSA keeps it real

I've been at RSA this week, the conference, not the company. It's the first one I've attended, but the second conference I've been to at ExCeL in London - the Exhibition Centre London, way out in the East End's Docklands for those who haven't been. The first show I attended here was called Complitech, all about compliance and technology, sounds fun right? Well, it can't have been that appealing as I sat there for 2 days (I was exhibiting for Kinamik) and watched around 12 people wandering through the doors, and I'm sure 6 of those were looking for the stairlift conference (sadly I'm not making this up) next door.

Back to RSA then, and whilst there are more than 12 people (there are at least 1000 people manning the RSA stand alone) it's not as busy as other Information Security shows I've been to this year. This felt like the InfoSec shows of yesteryear, no nurses in short skirts, no gorilla outfits, Fortify had 2 men in suits - no giant from 'Hackistan' as in previous shows - but I couldn't help but look at the girl on their booth with the legs. She must have been chilly in those shorts. I wonder how much she knows about security? I'm meandering off the point for some reason... where was I?

Oh yes, the hall was embarrassingly empty when I arrived, like it had been at Complitech for the full 2 days. I was beginning to think that maybe ExCeL just isn't the right place for a show. But then "Stairlifts and Chairlifts" had been well attended, maybe all the reduced mobility domestic assistance salesmen in the UK live in East London? I couldn't prove otherwise thinking about it. Then the keynote speeches finished - shame, I would have liked to have seen Bruce Schneier's "Security 101" lecture - and the hall became modestly full. By lunchtime it was buzzing, and in the afternoon there were people chatting all over the place, deals being struck, and drinks being drunk. This is how I remember conferences in the old days, before it all became commercialised, and I'm grateful to RSA for keeping it like this. It's less noise, more signal, and I for one, as a serious security professional for a moment, appreciate this.

I managed to miss lunch altogether by getting completely engrossed in conversation with Brian Honan, over from Dublin for the duration of the conference. An interesting man with plenty of practical knowledge and a gentle yet wicked sense of humour that only the Irish seem to be able to pull off convincingly. I rather lost track of time, but I think we chatted for about 2 hours before surfacing and the conference seemed to have almost finished without us. I think today is going to be busier, and I'm looking forward to meeting some other people today too. I find people in suits less intimidating than girls in short skirts to strike up a conversation with. I'll always be the little geek at heart - despite being a rugged and handsome young man now...

[Thanks to Karen Friar for the write up and massive picture.]

Saturday, 20 October 2007

Closing the gap

I haven't seen anything really new and interesting recently. I love seeing new technologies, and especially new security technologies. I was really happy at InfoSec this year when I saw Secerno, AppGate and Centrify. I hope I'll come across them again at RSA next week, but I'm really looking for something more.

I have an article being printed in Computer Weekly soon (I'll let you know when it hits) about US and UK security markets, and why there's such a gap. I won't spoil the surprise by discussing it here, but most people who read this will already broadly know. The outcome of it is that there is usually a space of 4 or 5 years between something becoming popular in the US, to becoming popular in the UK.

My current position is a case in point. I was at a reseller who tried to bring Ingrian into the UK 5 years ago or so, and we had real problems getting broad interest. We are now inundated with work. This isn't an Ingrian advert however.

No, what I'm looking for now are the things that are interesting, up and coming, and tearing up the market in the US right now. I don't know if I'll get to see these at RSA Europe, because of the very fact that most technologies take 4 or 5 years to become popular over here once they are established in the US. It's a bit of a Catch-22 really, but since I've won a trip to RSA2008 in SF, I'm thinking I can probably wait a few months.

Of course, there's always the chance that I'll come across some badly informed companies who are trying to break into the market here before it's taken off in the US, in which case I will do everything I can to encourage them. It's about time the UK started to encourage security a bit more, ignored the channel and encouraged new and exciting ideas. I'll be in SF in 2 weeks and I want to see some seriously good technology, but it's a hell of a long trip, I'd rather have it on my doorstep.

Friday, 19 October 2007

Swindon Communists

It's not often that I listen to something an American tells me, but a couple of weeks back I had the fortune to travel the highways and byways of Southern England with a guy from Orange County, CA. He told me various stories, many of them centering on his cousin, of whom he is obviously very fond, who lives in Swindon. Poor sod.

Said Swindoner was a mover and shaker of some sorts in the British Computer Society, one of those acronyms I've heard of and keep hearing of more regularly, and have even considered joining to the point of downloading the application forms. Then it all got a bit tricky and I gave up.

So instead of being a characteristically lazy bugger, I sat on my fat behind and emailed this chap. He got back to me quickly and I ended up talking to another geezer from Swindon about how great the BCS truly is. He then said the magic words "online application form" and I was hooked. I even got a 10% discount for my troubles.

The BCS does have some serious points to make, and this is something I took on board whilst talking to my wife again on a recent jolly back over in Spain. She was lamenting the lack of good computer teaching in schools. She trained as a teacher and never entered professionally because the kids (in Swindon - ironically and circularly) were a nightmare. I told her that I couldn't do it, and wouldn't because it wouldn't pay me anything close to what I get now.

It's true, sadly. Those who can, do, and sod the rest. I've thought about setting up schemes with Universities to share knowledge, but I just don't have the spare time. A blog is about as altruistic as I get. My ideal would be to get the pros talking to the Unis and the Unis talking to the schools, then everyone magically living in my little communist utopia happily ever after. I don't think I could make that work - certainly not with my selfish money-grabbing attitude.

The BCS are nicer than me though, probably because they've had to suffer in Swindon for so long. I'm sure there are many people in the BCS outside of Swindon who are nice too. They are aiming to share knowledge, create professional standards, and set up an infrastructure like most other long standing professions have. It's great that computerists can finally be recognised and supported by their peers. Maybe it'll stop all the cliquiness in IT? Maybe not, but I'm sure they have made Swindon a happier place.

[Disclaimer: The BCS has offices all over the UK, I just happened upon Swindon for personal reasons. Swindon is one of the loveliest places in the UK, nay the world.]

PCI project blues

I've just been talking to the PCI project manager of one of the largest retailers in the UK. I won't go into any more details in case I give away too much, but the content of the discussion was very interesting.

First of all his assertion that he didn't care about PCI was no revelation - he just wanted a tick in the box. That he said it didn't bring any benefit to the corporation - "We just want to sell things" - was also no big shakes. He'd had resellers and QSAs crawling all over him like a rash, which is sad, but hardly surprising. I expect he's paid well enough to put up with that.

What surprised me was the advice he was getting from his QSA, that all of his branch offices needed IDP/IDS. I must have reacted in the same way as he had done when told that because he smiled wryly at my furrowed brow and said: "That's bollocks isn't it?"

Well, yes, I'm afraid it is. Please correct me if I'm wrong, but no-one needs to have intrusion prevention systems installed at every branch location. Especially not when they're putting encryption in place, practically unbreakable, centrally-managed encryption at that (yes, that would be Ingrian Networks, of course). Not when they have things like firewalls in place. At head office, where the processing is done on the cards and they are stored in databases, perhaps this is valid, but at branches where they are held safely encrypted until they are sent offsite, this is just a waste of money.

I don't think the US is this stringent yet, and the UK certainly isn't. I'm sure VISA and MC would jump up and down shouting hurrah and huzzah if everyone did this, but they would have to recover from the shock first. It just doesn't happen, especially when other retailers are shelving their PCI projects altogether because they can prove they've started them when the auditors come round, and that's all that's required to be compliant right now.

Come next audit of course the latter company will have to show that they are moving again, so effectively all they are doing is making their PCI project more urgent, probably squeezing it into 6 months at the end of next year, when the aforementioned will be compliant by June '08 and squeaky clean - just in time for a change in the rules no doubt.

I have heard no more about the requirement for FIPS being introduced into PCI DSS, but it seems so unnecessary that it is almost destined to happen. Any light that can be shed on this would be much appreciated. I've got another meeting to get to.

Thursday, 18 October 2007

Traveling again

I'm sitting in a hotel room in the North of England, several hundred miles away from home, contemplating the past few days and weeks. I haven't blogged much, certainly not daily like I used to, because I'm just so bloody busy, and I really miss it. I used to use my blog as a method of getting my randomly organised ideas down and hopefully get people to give me some feedback and/or input. I've really missed that input recently. So I'm going to be more disciplined, just like I am with the gym - ahem. Well, I'll maybe start with once a week and build up then.

Today I have finally booked my trip to the US. I will be in San Francisco from 4th to 10th of November. I am already booked out from 5th-7th at Ingrian Corporate, but I'm really looking forward to meeting up with a few others (non-Ingrian related) as well. I just extended an invitation to Mike Dahn over on PCI Compliance Demystified to take me out to dinner like I did him last time he was in London, generous as I am.

I want to meet as many US based security types as possible in my short week out there, as I won't be back until RSA 2008, and that's months away.

Who knows, I may even write something about security again if I get inspired...

Sunday, 14 October 2007

I've got a little behind

OK, it's a cheap headline, but I wanted to see this come up in the SBN feed and it made you read this didn't it?

Suffice to say:
  1. Business is booming like I had never believed it could
  2. I've won a trip to the RSA Conference in San Fran next year for a piece I wrote on ZDNet
  3. The ISC2 have asked me to write some stuff for Computer Weekly, the first of which I've just zipped off to the editor
  4. I'm starting another blog over on WordPress concentrating on datacentric security ( if you haven't guessed!), and hoping to get some really interesting people involved (if you're an interesting person, do drop me a line if you want to get involved)
All of which means I've got no time to write about security... sorry.

(If you're one of the many people I've promised a phone call, email or date in the diary, I apologise profusely - call me if you see me online and give me hell.)

Wednesday, 10 October 2007


A long long time ago, when I was in short trousers and sandals, a spotty bespectacled youth named William invented some software named Windows. Or he stole it from his friend Stephen, depending on the version of events you prefer. Whatever, he made a bundle from it, and his vision of a computer in every home was well on its way to bearing fruit. Now, there may not be a computer in every home, but on average, we must be approaching it. I can count 6 from where I'm sitting (in my home), and there are others in other rooms. Those are just the PCs. There are computers in our phones, watches, cookers, boilers and cars. In short, they are everywhere. They have always grown up in the most convenient way possible.

In the 50s and 60s, computers filled whole buildings and data was kept in vast underground storage facilities on reel-to-reel tape. In the 70s and 80s cassettes and disks were born, and in the 90s and today, hard disks, optical disks, etc... The capacities are increasing as the size decreases. The same goes for memory, Moore's Law stating that the capacity of chips doubles every two years - and whilst we're almost at a stage where that can't possibly keep happening due to physical limitations, quantum computing is now very much a reality. It's all pretty amazing how far we've come in such a short time, but that's mainly due to the vast sums of money to be made - young William now being the richest man in the world and everything.

At around the same time as Bill Gates brought computing to the masses, a company in San Francisco was switching on to the fact that these computers needed to be connected to each other. At first, Cisco Systems built dedicated Unix devices to take the routing load off machines passing messages around the internet. Where one machine had been sufficient for a whole department, government or university, now multiple machines were to be found in each physical location, and routing was becoming more complex. If each machine was to figure out its own routing, it would detract from its core function. Routers were a prime example of a technology of their time. Routers are still used everywhere on the internet, even in my house I have one - I need it to connect my many PCs and servers to the internet.

Routers have become much smaller over time of course. I wonder if we couldn't build them back into the machines again now they are so trivial, but Cisco has cleverly made their functions suitable for devices which sit at the perimeter of networks - controlling ingress and egress, and sometimes even access. Quality of service is a neat idea which keeps routers firmly in and of the network. Spanning-tree, although horrible, also keeps them out there. VLANs, BGP, you name it, if it appears on a router, it's there not just as a technical feature, it's a business ploy too.

This is the reason I believe there is no lasting reason for firewalls in our networks, or many other network devices in fact. I hesitate to say this having had a nice couple of messages from Richard Stiennon this week, but this has always been my stance and I'm sticking with it. Firewalls can be built into routers, so could IDP, and any other UTM type features. The hardware box which sits at the perimeter, your router, can handle all of this on very little hardware. With your routers and switches properly linked and managed, you shouldn't really need any firewall capabilities anyway.

Eventually then, these devices could be part of every machine, controlled from a central point - I wonder if there's a new William who will do that one day? Could it be possible to have such security at the heart of an operating system? I guess the point of this is, every device we put in our network runs on a computer. Every computer we put in our network could run the devices, and if it were powerful enough to do so without slowing down, it would be a far better way of protecting a machine. It's only software after all.

With this kind of thinking, taken to its logical (or illogical maybe) conclusion, we can see that the perimeter disappears. This makes communication between networks far simpler and safer. Imagine a secure DNS server in every machine. No reason it couldn't happen. Firewalls managed by a network administrator from a central point, firewalls which reside on every machine - just an interface on the admin's desktop to apply rules. Again, no reason why not. No device is needed to achieve this.

So what of my precious data-security? Can we do that without devices? No, I don't think so, because there are legitimate reasons for having secure, locked, tamper-evident, tamper-proof boxes for keeping keys in. Computers will probably never be that safe. However, by the same argument, will computers ever be built that we will want to run a bunch of security 'device' software on as well as our business processes? What will stop this convergence is the very thing that started it, economics. There will be a point when it is viable to stick personal firewalls on every desktop and have them centrally managed - we are probably there already. What is Anti-virus if not a personal IDP?

If everything that runs at the perimeter can be bundled up tightly enough, we could see the devices disappear. If this pushes the price of computing up too high however, economics will bring devices back up again. So, if the device manufacturers keep the cost of implementing the software high, devices stay, if they devalue, or open source becomes more popular, they go. Of course, when something becomes so popular, open source inevitably becomes a contender. These are the guys to watch out for. Microsoft can then snap them up and build them in, saying how great they are for supporting open source all the way. (Note Oracle doing this with Berkeley DB recently too - in a similar vein).

It seems to me that device based perimeter security is in danger of disappearing because of its own popularity, and it feels like we're on the cusp of this right now. A turning point where we will go one way or the other, and inevitably so once the market picks up in one direction.

I'd hate to see Microsoft monopolise the security market like they have done the OS market, but it would make things a lot tidier, and we could all get on with REAL security, data-centric like.

Tuesday, 9 October 2007

The Keys of Encryption

Every so often, someone else writes something which makes me want to write a bit more down my own avenue. Often that person is Rich Mogull, and yesterday he wrote "you should write some more", which makes me want to write some more. Bad intro to what I hope is a familiar subject.

Everyone involved in security in any way at all, except maybe the bloke in the uniform in Tesco's car park, knows about CIA. We are taught to think about every situation in terms of Confidentiality, Integrity and Availability. I've talked before about how business thinks in terms of "Availability, Availability, Availability, confid... ooh, look, I can make money out of Availability."

But I'm not here to go 'ptchah' and 'humbug' at the business people, not this time anyway, not when I am one. No, I'm here to talk about the right way of doing things. Rich talked recently about encryption, a subject close to my heart. I commented that encryption is only about one thing - confidentiality.

This is true, and it's all it ever can be about. This is why I don't understand why there are so many companies (competitors of mine now I'll admit) trying to do new things in encryption, when really, there's nothing to it. No-one cares how you build a better mousetrap. They care how easy it is for them to forget about it and make sure it does its job.

My analogy

The only way encryption will ever do its job, however, is surrounded by proper controls. I have a very clear picture in my head when it comes to data security. Think of a block, a plain wooden block, the colour of pine perhaps, nothing special or fancy. That is my data. When I encrypt, I might chop it up, re-arrange it, paint it blue, chop it another way, paint it yellow and end up with something that is rather different to that which I started with.

My block, although now no longer a block, nor pine coloured throughout, is still my block. If I chose to clean off the paint and reassemble in the original order, I would still have my block left. Indeed, if I leave my block out in the street in such a configuration, the chances are that an infinite number of monkeys will come along, and one will solve the riddle of the block.

Crazy? Yes, of course. The point being that encryption alone will not keep you safe forever. Not with all those monkeys out there. No, what you need is a physical control. So, I put my chopped and coloured block in a lockable box, and allow only one key to open that box. Ah, grand, it's all safe and sound. The only time I open the box is when I get my key out and look inside. Then I can build the block and look at it without anyone else being party to my beautiful block, and its blockness. Bliss.

BUT... what if I fall asleep, and one of the monkeys rifles through my pockets? What if I just leave the key out on the mantelpiece for anyone to come and pick up? Yes, the monkey gets the block again. Actually, in reality, the situation is rather worse as the action of being a legitimate user applies access controls, which control the decryption key. So, just being able to open the box means the monkey can see the data. My beautiful block is exposed to the world.

The best way to ensure against all of this is to manage your keys properly of course, but key management also requires good user controls. User controls require not only good authentication, authorisation and accounting, but audit, and immutable audit trails at that.
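The block-and-box picture above, worked through in code as an added example (this is not code from the original post or from any product it mentions): a toy key box that hands out a decryption key only to users on its access list, records every request, granted or refused, in a hash-chained audit trail, and shows that the encryption step by itself gives confidentiality and nothing more. The names (KeyBox, AuditTrail, the users 'alice' and 'monkey') are made up for the illustration, and the cipher is a SHA-256-based XOR keystream standing in for a real one, so that the example runs with only the Python standard library.

```python
"""Added example: access-controlled key release with an immutable audit trail.

Assumptions (not from the original post): the KeyBox/AuditTrail names, the
users 'alice' and 'monkey', and a toy XOR keystream cipher built from SHA-256
that stands in for a real cipher. The toy cipher gives confidentiality only,
which is exactly the point the post makes.
"""
import hashlib
import json
import os
from typing import Dict, List, Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter). Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Hides the block; does not protect it."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class AuditTrail:
    """Append-only log where each entry commits to its predecessor through a hash chain."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        entry = {"prev": prev, "event": event, "digest": digest}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain from the start; an edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True)
            if entry["prev"] != prev:
                return False
            if hashlib.sha256((prev + body).encode()).hexdigest() != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


class KeyBox:
    """The lockable box: a key leaves it only if the access list names the caller."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._acl: Dict[str, set] = {}
        self.audit = AuditTrail()

    def create_key(self, key_id: str, allowed_users: List[str]) -> None:
        self._keys[key_id] = os.urandom(32)
        self._acl[key_id] = set(allowed_users)

    def get_key(self, user: str, key_id: str) -> Optional[bytes]:
        """Authorisation plus accounting: every attempt is logged, whether granted or not."""
        granted = user in self._acl.get(key_id, set())
        self.audit.append({"user": user, "key_id": key_id, "granted": granted})
        return self._keys[key_id] if granted else None


def demo() -> dict:
    """Walk the analogy through: the owner gets the key, the monkey does not, and
    both tampering with the ciphertext and tampering with the log are shown."""
    box = KeyBox()
    box.create_key("block-key", allowed_users=["alice"])
    nonce = b"\x00" * 12  # constructed, fixed so the demo is repeatable
    plaintext = b"my pine block"  # constructed sample data
    key = box.get_key("alice", "block-key")
    ciphertext = xor_encrypt(key, nonce, plaintext)
    monkey_key = box.get_key("monkey", "block-key")
    # Flip one bit of the ciphertext: decryption still 'works' and quietly yields a
    # different block, because encryption on its own carries no integrity check.
    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    tampered_differs = xor_encrypt(key, nonce, tampered) != plaintext
    intact_before = box.audit.verify()
    # Now rewrite the monkey's refusal as a grant: the chain no longer verifies.
    box.audit.entries[1]["event"]["granted"] = True
    return {
        "monkey_refused": monkey_key is None,
        "roundtrip": xor_encrypt(key, nonce, ciphertext) == plaintext,
        "tampered_decrypts_differently": tampered_differs,
        "audit_intact_before": intact_before,
        "audit_tamper_detected": not box.audit.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

The two halves mirror the two halves of the analogy: `xor_encrypt` is the chopping and painting, which hides the block but does nothing to stop a monkey repainting it, and `KeyBox` plus `AuditTrail` are the lockable box, the access list on who may hold the key, and the record of every time the lid was lifted. The hash chain is what makes the record immutable in practice: an entry can still be altered on disk, but not without breaking every digest after it.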

Reporting and management

All the reporting and management gubbins around these important security systems are just a way to sell to the business. I say 'just', obviously security wouldn't go anywhere if we couldn't sell it. More's the pity.

Further to this, read Rich's posts on DLP/ILM, etc., they are fantastic. I sometimes feel like he's writing them just for me they are so good.

Sunday, 7 October 2007

Coming to America

I never travelled much as a youngster (not that I'm a particularly old man now), apart from the odd holiday to France and Italy, even as far as Greece and Turkey, but never really that far out of Europe. When I reached studenthood - the time when typically people are spreading their wings and seeing more of the world for themselves, I got as far as Hong Kong, once, but nothing as exciting as America. I didn't get to the US until well into my 20s, when I started working with US companies, and every time I leave I feel like I've barely touched on a great country.

For all my ribbing of my American cousins, I feel a great kindred with them. A couple of years ago a work associate came over from LA and we spent a week travelling around Europe together. I've rarely enjoyed myself as much in a work situation. Just recently an SE from Orange County, CA came over to the UK and we spent a week traveling the UK (including Swindon and Exeter) and hardly got on each other's nerves at all. He then flew to Norway for the weekend for a cleansing of the spirit and wallet. I sadly didn't get there as I was hoping to catch up with Kai Roer. Next time Kai...

However, when I got back to base one day last week, I forget which, it's all been a bit of a blur, there was a mail in my inbox which caused quite a proud stirring. I wrote a blog entry on ZDNet, for a competition to win tickets to RSA Europe 2007, in London. Now, my reasons for entering were primarily because I'd screwed up the registration process, and had already written most of the content for the article in a post here. To my everlasting surprise, I won. Not only did I win a ticket to RSA Europe 2007 however, I have tickets and hotel (economy of course) to RSA San Francisco 2008 in April. Woohoo!

So, after months of speculation as to when I would be coming out to the West Coast, I can finally commit to a date, and to where I will be - RSA Europe 2008, April 7-11 at the Moscone Center in San Fran - with a full conference pass. I would love to meet you all (y'all) there. I should actually be coming out for a few days next month too, but I think I'll be pretty much heads down in Redwood City HQ. Don't let that stop you coming to see me (and that means you Mike D.)

Now for the freaky bit. I had a dream last night that I worked with Richard Stiennon at my old company. We were thoroughly nice to each other and I woke up feeling I had wronged him for taking the opposing stance on network security (my old company sold network security devices, if that helps in your analysis Dr. Freud?). What does this mean? Do I have some sort of deep desire to atone for my past sins of device-based deception? Do I have a secret yearning to work with Stiennon? Do I need therapy? Perhaps all of the above... maybe I just need another holiday?

Saturday, 6 October 2007

Smart customers

So much for my 'series of posts' about getting back to basics that I promised last week. I hadn't realised quite how much my new position would take out of me in the first few weeks. I had a customer meeting yesterday with one of the UK's largest internet banks, they are being pressured by their acquirer to become PCI compliant by the end of next year, but don't want to fail any audits this year. In the meantime another customer has announced a complete security budget freeze because they think they can show they are making progress on their PCI compliance when the auditors come round. This is a big mistake in my opinion, but I expect they will get away with it, because they are a very large retailer - that doesn't mean they won't be breached.

So I'm back in the land of the customer, and REALLY enjoying talking about security again. I'd forgotten what it feels like to have a room full of people asking questions that I actually know the answers to. I guess some time in product management has taught me how to think on my feet, or rather like a product manager when faced with the inevitable 'when are you releasing an agent in Fortran77?', 'what is the encryption overhead on my z/OS/COBOL/AS400 mainframe likely to cost me in terms of network latency?' type curveballs.

The thing which is impressing me about these initial meetings is how much MORE people seem to know about security these days. There were 6 people around the table, 4 customers, 1 reseller and 1 me. Reseller and I listened with 2 ears and 1 mouth, the 4 customers asked some very intelligent questions - all the ones I had prepared to be asked, and some I had hoped wouldn't come up.

The thing which struck me was that although this was a meeting about addressing PCI compliance, they knew about security, and asked about security. The ONLY compliance question I was asked was 'do you have a list of the PCI boxes this ticks?' Which of course we do, but we do a hell of a lot more than that, and the customer knew it. They asked about future proofing, key management for distributed heterogeneous systems, separation of duties, application integration, the works.

I'm disappointed for compliance, but tend to think of this as a victory for common sense and security. I rather think it's natural selection. Maybe because this is such a large bank they can afford the bright sparks, but these weren't security guys, they were DBAs, Project Managers and Technical Business management. This makes me pleased, and encourages me to keep spreading the good word.

I have been having some exciting conversations over the past week with a couple of guys who will already be familiar to many of you. Without giving the game away too much, there is a new project in the pipeline which I hope to be able to give more news on in a couple of weeks time. As always, watch this space.