2007 09 24
PGP honored by Wall Street Journal
PGP Corp earned bragging rights by winning the prestigious Ahead of the Pack Technology Innovation Award from the Wall Street Journal. PGP won in the Network Security category, and was the sole company in the information security industry to be honored. PGP’s enterprise platform approach to the problem of key management has been a great success story and their disruptive approach to the market attracted me as an advisor 5 years ago. Way to PGP!!
2007 09 23
In Credible Security
You might have noticed that nobody shouts “Group Hug!” when a security person enters a meeting. I have my theories why. One of them involves credibility — the kind that is handed out grudgingly in the workplace and must be earned.
Not all security pros earn enough credibility to truly affect the business. If you feel like you could use more than you’ve got, here are a few tips on how to accrue it in ways that align with the business grain.
- Think “selling” not “getting.” You don’t want to get security mind share from people; you want them to buy yours. You’re there to help them meet rising customer expectations, or whatever.
- Say “no” by saying “yes.” Somebody wants to uncork that remote access bottle, and let a thousand new contractors VPN into the corporate net from anywhere in the world with their own laptops? Of course you’d like to help them explore how they can meet their objectives in a way that’s neutral to the business’ security posture.
- Next time the budget fairy leaves unexpected cash under your pillow, decline it. There are lots of under-capitalized units in every business. Find one with a really worthy shelved project and suggest they revive it instead.
- Learn when to say “That’s good enough for now.” Scratching and clawing for every inch of ground this time, because you know how hard it’ll be next time, only leaves you with bloody fingernails. Nobody wants to buy things from people with bloody fingernails.
- Ask questions rather than making absolute statements. “When you say we don’t need a firewall, what assumptions might you be making?” is a lot more effective than “Of course we need a firewall.” It politely keeps the burden of justification where it belongs.
- Don’t pick fights you can’t win. You’ll only end up a sore loser.
This isn’t about playing games to win political favor. It’s about demonstrating big picture perspective in a way that reeks of sensibility. And who doesn’t want to cooperate with sensible.
2007 09 20
Jim Reavis hosts ITSecurity.com webinar: Web 2.0 Rogue Apps
Jim Reavis will be talking about the threats and long term security implications of Web 2.0. You can watch it live at 1pm PDT on September 20, 2007, or view the archived webinar later. Click here to attend.
2007 09 18
Securing Funding for Security Fundamentals
Last week I participated at a Cisco-sponsored round table of infosec executives and managers. Although I’m not one at the moment, I used to head security at Amazon.com. I still travel those circles as a consultant and speaker.
The topic regarded ways to get funding for security initiatives. How’s this for cool: one of the speakers was Tom Nicoletti, current venture capitalist and former CFO, who over the years had seen many a security purchase order cross his desk. From the sound of things he had signed precious few. After I heard him out it was pretty clear why. Nearly made me wish I could turn the clock back to my former purchase ordering days.
Here were some of the collective takeaways:
- First and foremost, have a crisp layman’s response to: What problem are we solving? Stutter and you might leave worse off than you entered.
- Whatever your case may be, make sure it’s understandable with a single slide and under five minutes.
- Speak in your company’s business dialect. “This product will help keep those freakin’ bad guys out next time” is a far cry from “This product will enable us to meet our availability objectives in the face of another revenue-denting distributed denial of service attack during peak website traffic.”
- Speak to your initiative’s tax benefits, assuming it has R&D components that qualify.
- Timing is crucial. Except in the most dire circumstances your initiative must be capex-friendly, something that usually oscillates on a schedule, and always correlates to stock price.
- Never pitch the best case results scenario. If you achieve it, great, you’ve over delivered. Pitch two cases: likely and worst. If the worst is no better than what you have today, then by definition you don’t have an initiative.
- Play the policy card when you really, really need to, treating it as a rare trump. “Our policy says we encrypt all company laptops. If we don’t do it now, we’ll need to downgrade the policy.” Don’t have front-and-center policies backing your initiative? Then quit writing purchase orders and start writing policies.
2007 09 17
Imagination: Security’s Missing Link
Botnets. Phishing. Crimeware. Government-sponsored hacking. TD Ameritrade. Ad-based trojans. Some week.
Given all the press attention, you’d think all this was a big surprise. And I suppose it is to some people. The unwashed masses, certainly. The tech industry as a whole, apparently. The infosec community, not by a long shot. All the cyber-badness we’re experiencing today was foreseeable, and foreseen, a decade or more ago.
Why not the tech industry? I always tell people that it boils down to a lack of imagination. I’m not talking creativity. I’m talking about daydreaming over things like, What bad things might happen if somebody misuses [or abuses] this thing I’m building? What assumptions am I making, and how screwed are we if they prove wrong? Who’s going to feel the pain if I’m not thinking far enough ahead?
Questions like these are second nature to security minds. Until they’re first nature to technology minds, trust me, things won’t start to get any better. In fact they’ll continue to get worse. Scratch that: They’ll continue to surprise.
I recommend you get to know your neighborhood security geek. They’ve seen the future — and you can too.
2007 09 11
What’s Jim Reading? Hacking WoW
My son is a level 70 mage, and I couldn’t be prouder. If that sentence makes no sense, you obviously do not play World of Warcraft. I just started reading Exploiting Online Games, co-authored by my friend Gary McGraw and I highly recommend you check it out. I just finished chapter 4 and it has already been worth the price of admission. WoW, Second Life, online gambling, et al., are a preview of how we will be interacting with software and the Internet in the future, and we better figure out how to secure it. The book is filled with some wonderful examples and sobering Catch 22’s in regards to the vulnerabilities of the MMORPGs. Now if I could only get my avatar to write this blog without me…
2007 09 11
From the Trenches: Why Hard-Coding Entitlements into the Application Is Bad
By Jim Reavis
(Editor’s note: This blog entry was originally posted to The Entitlement Management Blog at www.entitlementblog.com. If you are interested in XACML and, more generally, in understanding how we can deploy enterprise applications with more sophisticated and granular security controls, please go to The Entitlement Management Blog to learn and contribute.)
Without a doubt, the best part of my job as a security wonk is to listen to the war stories. Listening to how one bright but flawed person subverted several layers of security controls and stole information (and usually money) is very instructive. Understanding the security gaps that were exploited, how the forensics investigators cracked the case, and the resultant control changes is like getting thousands of dollars of free consulting for the price of a single tall latte. You also sometimes can’t help but admire the ingenuity of a single person who succeeded against a Fortune 500 corporation’s security system, but then I wake up and remember that it could have been my data (and in some cases, probably was). There are many different lessons to be learned from these incidents, but one thing I can definitely say is that depending on your business application to protect you from a fraudster is foolhardy, and hard-coding entitlements into the application is a bad idea.
What follows is one of those war stories. It is true; names and minor details were changed to protect the embarrassed. A large consumer products company (let’s call them BigCo) offers rebates on a regular basis as a sales incentive. I can hear many of your teeth gnashing already. Rebates lower the price of that gizmo so that it fits your budget, but the DNA sample and book report you have to submit is definitely a disincentive to claim it. Even when you do submit the forms, you might forget about it and throw away the check with the rest of the junk mail. As a result, billions of dollars in rebates go unclaimed every year.