New times call for new ideas. In security we have seen a revolution over the past few years in the depth and breadth of security solutions that are available to the security administrator and CSO. However, all of this new technology and the methods of securing our businesses and data have not left us any safer or more secure. The reasons for this are many: the increased sophistication of the bad guys' tools, the monetary reward to the hacker, the lack of secure software development, mono-cultural computing environments, etc. So throwing more technology and dollars at the problem is not the solution. What is the professional security person to do? The answer comes from our friend Mike Rothman. Mike has had a vision of writing a book and developing a community that offers the over-stressed security professional a new way of dealing with the problems: a blueprint for success in security, a realistic and holistic model to succeed in these tough new times. In short, a pragmatic methodology for becoming a successful security manager and a happier person. He calls the book and the soon-to-be-launched community the Pragmatic CSO. Don't let the CSO part fool you. If you are in any way, shape or form responsible for security as part of your job, or want to learn what to do to get a handle on a near-impossible task, this book and the content to follow on the web site are for you. At $97 for the PDF version it is a steal, and I would not waste any time before buying it.
I was lucky enough to be given an advance copy of the book by Mike last month. Truthfully, I was going to take a look at it as a courtesy to Mike, but did not relish the thought of reading yet another boring business book. I was hooked in the first chapter. The fictional Mike attends his first 12-step "security anonymous" program. His story is one that is all too familiar to many of us in the security field. Despite the hard work, the never-ending flow of money out the door and the best of intentions, it is just not working. The security is not there, the boss doesn't appreciate the problems or the amount of effort that goes into solving them, and his life is running from one fire to another. Into this desperate situation comes salvation in the form of the P-CSO 12-step program. The 12 steps are divided into 4 broad categories. They are, as copied from the site:
Section 1 – Plan to be Pragmatic

Step 1: Assess the Value of Your Business Systems
You can’t protect what you don’t know about, so the first step is to figure out what you have. Likewise, you don’t want to spend $50,000 protecting a $2,000 business system, so in Step 1 you talk to senior management and discern how important each system is to the operations of the business. Then you can figure out how much to invest in protecting it.

Step 2: Baseline Your Environment
If you don’t know where you are, it’s pretty unlikely you’ll know that you’ve made progress. In Step 2, you gather data to understand your current state, where your most significant exposures are, and how much work you need to do.

Step 3: Manage Expectations
Managing executive expectations is among the most critical responsibilities of the CSO. You must be very clear about what you are going to accomplish and how you are going to do it. In Step 3 you see the power of speaking security in the language of business, and how you can get everyone on the same page regarding what the security program does.

Section 2 – Build a Pragmatic Security Environment

Step 4: Build Your Security Business Plan
Every business needs a plan, and yours is no exception. In Step 4, you prepare a high-level business plan, laying out the reasons your business exists and presenting a high-level architecture, committed service levels, and the milestones that you plan to achieve.

Step 5: Sell the Story
You need money to secure anything. In Step 5 you package your business plan, associated service levels and milestones, and sell the program to senior executives, getting the funding you need to protect your corporate assets.

Step 6: Procure the Solution
A structured procurement process is critical to getting the right products, at the right time, for the right price. In Step 6, you learn about Security Incite’s Buying Security Products methodology and how that should be applied to how you buy the products and services you need for the Pragmatic CSO process.

Section 3 – Run Your Security Organization Pragmatically

Step 7: Operate/Monitor
Now that parts of the solution are implemented, you need to make sure they’re doing what they’re supposed to. In Step 7, you learn how to fortify your perimeter defenses, what you should be monitoring, and how to navigate the change control process.

Step 8: Contain the Problem
Inevitably you will have a compromise or breach situation. Dealing with that will make the difference between a CSO with a job and one collecting unemployment. In Step 8, you learn how to recover as gracefully as possible and use a structured incident response process to make sure you live to fight another day.

Step 9: Train the Users
Users are the weakest link in the security chain, so all the technology in the world will not help if a user gives up a password to the bad guys. In Step 9, you learn why a structured user awareness training process is critical to educate users to think and act securely and avoid many of the easy attacks used every day.

Step 10: Assure Your Defenses
It doesn’t matter if you say something is secure; you need third-party validation. In Step 10, you’ll engage third parties to try to penetrate your defenses, both to see where you are really exposed and also to make the case for more funding.

Section 4 – Communicate your Value

Step 11: Benchmark Your Progress
Quantitative measurements prove your worth and ensure your program is moving in the right direction. In Step 11, you’ll benchmark your program by tracking the right metrics and comparing what you are doing relative to your peer group and other businesses your size.

Step 12: Comply without Going Nuts
Compliance with a variety of both internal policies and legislative regulations is a critical aspect of every CSO’s job. In Step 12, you see how compliance is a benefit of implementing the Pragmatic CSO program and how, by generating a set of hard-hitting reports, the auditors will be gone in a fraction of the time it used to take.
Following the level-headed, plain-talking advice will give the reader and pragmatic practitioner a new sense of power over his security domain and a path to success. It does not promise a magic bullet, just a realistic method and approach for dealing with the everyday tasks and goals that all security folks live with. The writing style of the book is light and refreshing. It is told from the point of view of Mike, the recovering and now pragmatic CSO. It will feel more like you are reading a short story than another how-to business book. I think the Pragmatic CSO will go down as a milestone in the security management arena. I can already envision the follow-ons as the pragmatic methodology is more fully fleshed out. I am already thinking of how StillSecure can better align our products to help all of the new pragmatists that will be managing security out there. Congratulations to Mike on a job well done! I am looking forward to what is to come and to seeing how the security pragmatists change the security world.