IANS Perspective

February 10, 2010

Adam Cardinal: Building Relationships – Business Development Team

If you’ve read the preceding installments of this series I hope you are well on your way to building effective relationships with your peers and other stakeholder organizations. Building quality relationships happens in small, gradual ways. When successful it’s done by building a history of small, strategic “a-ha” moments that demonstrate alignments and common goals.

Information Security and Business Development in some organizations can be equivalent to enemy camps. For Information Security, the Business Development team brings risky ventures to the table either just before go live or after go live – giving security little time or leverage to implement risk mitigations. Business Development may view Information Security as the wall of “No”. Developing and funding projects that will grow the business, increase revenue or reduce cost are hard enough without having to bring on board a security team that doesn’t seem to be motivated by revenue or profit targets. Business development always will have better funding and visibility than security – and rightly so. However, there are creative ways to find a place at the business development table.

Demonstrate subject matter expertise - When you’re in a business development review – do you tell them what they did wrong – or do you help them do right? Showing the development team that you have the skills to help identify a quality service provider, develop service level agreements that save money, or build a robust RFP/RFI questionnaire that separates the winners from the losers, adds value and builds credibility.
Educate about policy – We all know policy is important, but the business doesn’t look at it every day the way information security does. Make sure they know what policies will govern the installation of a new application, website, or service provider. Ensure the vendors know what the organization expects about password length and complexity, user access reporting requirements and activity logging. No one likes last minute surprises and the group that delays the go live date isn’t likely to be praised for being cautious.
Navigate the bureaucracy – The software development team may or may not warn them about code and change freezes, secure code review requirements, systems development oversight boards, and other non-business facing approval processes. Informing your business partners in advance helps them build accurate project plans. Helping them complete those processes – not just directing them to a website or form – is the way to be seen as a valuable, contributing member of the team.
Understand the business goal – Watch the eyes roll on the business development team when the security officer requests a process step that negates the entire purpose of the project. Knowing the reason for the project leads to higher quality mitigation recommendations, or helps clearly explain why the risks outweigh the benefit.
Do your homework – I’ve seen far too many info sec teams who expect to be spoon fed project information. Expecting the business team and project managers to set up a meeting to brief you about the project sets the tone that you’ll be a burden to the project. Get access to the project documents and read the business justification, project charter, design specifications – everything you’ll need so you can ask intelligent, informed questions.
Fish from the river – Relying on business development to notify you of projects that require information security involvement is a guaranteed path to failure. If possible get access to the process tools used to review and approve projects. Knowing which projects have been approved – or at least gotten through the initial qualification gate – helps you identify projects needing oversight and directs you to the business sponsor. Additionally, this sets the timeframe and defines proposed budget. No one wants to miss a step, but no one hits every step every time.

Business development managers are incented based on their ability to get products and services to market on time and on budget. Success has many parents – but failure is an orphan. No one may recall the development manager if the project fails after launch. Helping ensure that the project hits goals and milestones will create positive alignments. If delays must take place notify quickly and broadly, and explain clearly the risk/benefit decision behind it. Most importantly of all, remember that all successful businesses must continue to change and grow. Portraying yourself as a facilitator of success will earn you the seat at the business development table. Continuing to add value and help achieve goals will ensure that you stay there.

Posted at 09:35 AM in Research | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: adam cardinal, business development, business development team, career growth, information security, information security professionals, professional development, relationship building, team building

December 07, 2009

Adam Cardinal: Building Relationships – Software Development Team

This series of blogs is intended to give Information Security professionals some ideas on building quality relationships within their enterprise. Successful relationship building is sometimes defined as the ability to move your strategic goals forward in the organization. However, I believe that success expands beyond your strategic goals; to me real success achieves your goals and helps others achieve theirs.

Information Security and Software Development haven’t always been well aligned in establishing complementary goals. For Information Security, the Software Development team is the source of coding errors, vulnerabilities and potential weaknesses which necessitate identification, triage and remediation – preferably prior to implementation or ASAP in post-go live situations. Software Development perceives Information Security as a department solely focused on finding fault with their work. When Information Security gets involves, software developers have to take time to go through manual and automated code reviews, to justify against inaccurate or erroneous findings, and to develop and test code fixes while trying to meet already tight delivery dates. Transforming this potentially adversarial relationship into something collaborative and mutually beneficial can be done – but it may take some effort.

Clearly state your expectations – Have you provided the relevant sections of the information security policy to the team? Developers may not have a clear understanding or even access to the information security policy. Visit a staff meeting, talk with developers and explain the overall objectives of InfoSec at your organization. In most cases people want to play by the rules, they just need to know what they are. Pay special attention to giving them your authentication rules, password requirements and session timeout policies. Developers understand that it’s much cheaper to abide by the requirements in advance rather than make the changes after the code has already gone through QA.
Training – It’s possible that your developers never received training in secure code development. Work with the management team to include secure code development as part of the training and education plan. If your budget can support it, fund a portion of the training class, or offer the classes in-house with a member of your staff as a “train the trainer” program.
Create reference materials – Developing in-house guides and instruction books: it pays off in quality code. Describe buffer overflow conditions, the rationale between using PUT and GET commands, or explain cross-site scripting (XSS) attacks. Even providing them with a list of known bad characters to filter out of input can transform the Information Security team from a tattle-tale into a problem solver.
Be prepared to listen – Most development teams have an evangelist; someone who’s passionate about their coding knowledge and loves to share it. Work with that developer – get his or her input into how to improve policy. Learn about existing work papers and ways you can work together to improve their content. Consider increasing the scope to include company best practices.
Reward the champions – The QA team knows which developers routinely submit the best code. Find out who they are and send a note to their boss with that information. If they are using custom developed routines, logic statements or other parts of the code library, share them – but be sure to credit the developer who did the work. Even remind the coding manager at performance review time.
Share the wealth – When you get content that will benefit the developer team, don’t silo it. Make sure it gets back to them. Bring info sheets and presentation notes from security conferences. Share articles and publications that will be of interest to the team. Don’t be afraid to invite them to attend security conferences, multimedia briefings, lunch and learn sessions, or anything else you believe might improve their knowledge in the area of coding for information security.

In order to remain competitive in their field, developers know they must continually invest in their skills, and most are aware that hiring managers want to bring on experienced coders with a robust skill set. Helping them improve and market their skills will quickly pay off. By noticing and reporting on the quality of the developer team, InfoSec switches from an affliction to an ally. Most importantly you can convert your relationship with the developer team from a policing role to a mutually supportive relationship. Perhaps you’ll see the day when you’ll be getting calls from the developer team when they need help – and they refer to you as a key partner.

Posted at 10:40 AM in Research | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: adam cardinal, career growth, information security, information security professionals, professional development, relationship building, software development, software development team, team building

November 30, 2009

Nick Selby: Guardium Acquisition as Catalyst for DTM Roll-up

Assuming the stories of an IBM acquisition of Guardium are correct, the deal marks the official transition from "standalone product" to "standard feature" of database transaction monitoring. That is to say, DTM is actually an important feature of a much larger family of products and services. No longer should it be considered a standalone industry of its own.

Right now, DTM is, sadly and still, a fairly obscure space, populated by bleeding and leading edge companies unafraid to wade hip-deep into DBAs. So the question is, can IBM make this more understandable to the mainstream? That is what has to happen. People put information into a database because the data is important to their business. At this point, they worry about backing it up, but securing the database and hence the data while it's being used - which is even more relevant in the upcoming cloud thing - is less understood. Is IBM going to take on the effort of educating the marketplace? Or will it sell it as a platinum feature?

For customers, a buy-up within the DTM space should spell great news over the coming years in the form of increased quality, better-integrated server agents, and one-stop shopping - not to mention the rapidly increasing possibility to think of database vendors as being a bigger part of a safe solution when firms move to establish enterprise-wide data security (or anti-data-loss) programs. The question is when it moves from an "available feature" (like a backup vacuum pump for your 2009 Cirrus SR-22) to a "standard feature" (like seat-belts for your new Honda).

That Guardium would go to IBM is not at all surprising - IBM is well-poised to leverage the product and the services aspects of such a thing. That some have commented that Guardium executives sold the company for more than IBM wanted to pay is funny. (It's always more than IBM wanted to pay, no? But I would not be shocked if the real number turned out to be that IBM paid between four- and seven- times - or that Guardium revenues were as high as $50m for 2009; basically I think it did just about $37m this year.) I think Guardium is fully worth what IBM is said to have paid.

From what I can tell, Guardium has led the space in terms of sales and public relations. It has achieved this leadership by its concentration on partnerships with the likes of BMC and Dell; its concentration on the mainframe (mainly through a Z/OS agent Guardium had licensed from NEON Enterprise Software) as well as its ability to articulate, probably better than anyone, the value proposition for DTM. It also built a great database agent and showed that this could be integrated without freaking out either security or operations - in short, it worked, and customers love it.

One of the things that Aaron Turner has pointed out in our Information Protection track at IANS Forums for about two years has been the highly effective capabilities that Guardium brings to the table in terms of having someone capable of speaking with and explaining to database administrators the value of security: Guardium speaks DBA in a way that DBAs don't find threatening. In and of itself the ability to translate between business, security, and database administrator imperatives is a highly valuable skill set.

I talk about DTM (as does Rich Mogull) as part of a larger data security approach as opposed to a small independent market in and of itself. At Trident we counsel clients to use DTM as an arrow in the quiver of an overall data security approach. (By the way, I just saw that Securosis has Guardium at $45m, raising earlier estimates that more closely jibed with mine.)

What's left in the marketplace is interesting, and I see similarities between this and the rollup of the web application vulnerability assessment space a couple of years ago. This may well be the catalyst for a couple of quick acquisitions, mainly of Imperva, Application Security Inc, and Secerno. The religious differences between the products - specifically the outside-and-inside approach of Imperva's integrated Web Application Firewall/DTM product, and the babel-fish approach of Secerno - help several of the remaining players make solid acquisition stories. Bummer for AppSecInc, selected for the marketing project that was Enterprise To The Edge then getting passed over. Not sure what play it has here, nor how it remains relevant enough to become acquired meaningfully. Another player not catching on fire is Sentrigo, which has an interesting technical take that make some in the US intel community say things like, 'Dude, how do you spell '8200'?'.

I would not be surprised to see, as with the web application vulnerability assessment space, a longer-than-expected integration period as political battles within the acquiring companies overtake common sense and deal execution.

As with anyone selling a panacea, this is really just a piece of the very very much larger puzzle, and it directly threatens certain factions within any acquiring organization. For example, I would not like to be the guy in Oracle to tell the Oracle team that they'd just acquired Secerno to help with security of Oracle products. Merry Christmas indeed.

Nick Selby is IANS Faculty and managing director of Trident Risk Management, a security and risk consultancy.

Posted at 01:58 PM in Vendor Analysis | Permalink | Comments (0) | TrackBack (0)

November 17, 2009

Adam Cardinal: Building Relationships - Internal Audit Team

This series of blogs is intended to give Information Security professionals some ideas on building quality relationships within their enterprise. If you are following these steps – good for you! You’re well on your way to building a good professional working relationship. If not, take this as an opportunity to think about what small steps you can take – today or this week – to build those relationships. Only you can make your job more rewarding and improve your chances to positively impact the organization.

It should come as a surprise to no one that being a successful Information Security professional is entirely dependent upon the ability to build relationships and influence behavior. Shifting the profession from a tactical to a strategic position is an essential component to success in raising the profile of security professionals in the enterprise.

I’m not foolish enough to think that we’ll ever stop being tactical professionals – far from it. I actually love the crisis management aspects. But I am cognizant that as I assist the business to make informed decisions before a project goes live, I will see a reduction in the number of incidents I manage. I also know that I will be brought to the table more frequently if my business partners think I need to be there – and if they actually want me there!

Information Security and Internal Audit have a strong allegiance in many organizations. For Information Security, the Internal Audit team is often the last line of defense with a management team that can’t understand or fails to appreciate the impact of risks they are taking by allowing vulnerabilities to exist without proper mitigation. Internal Audit turns to Information Security first for significant portions of their IT audit work. Getting quality samples in a timely fashion helps ensure that audits are accurate and completed in a timely fashion. Identifying opportunities to work together can bring significant value for both groups of stakeholders.

Track open items – Auditors are measured not just on the audit items they identify, but their ability to work with the business to close them. Work with your audit team to understand audit items that are outstanding, the owner that has been assigned to address them, and the date by which a written response and remediation plan are due.
Ensure assigned roles make sense – Auditors don’t want items to be assigned to the wrong person any more than you do. Help them save time and avoid pushback by participating in post-audit review sessions not only to validate the validity of audit findings, but to ensure that they are assigned to the group that has the ability and the authority to make changes or implement compensating controls.
Validate mitigation plans – In some cases, the Info Sec team may have key insights into whether the business or systems team’s mitigation plan is achievable. Provide clear feedback to audit and business/systems team’s if you have reason to believe that the mitigation plan won’t work. I worked on an instance where the business told audit they’d remove access to a high risk function for 90% of the staff that had it; however, neither audit nor the business realized that the function was required to allow an essential process step. The proper response should have been to fund a systems change to separate the sensitive function from the one required for most staff. Instead, the business made a request to remove the function – the business team was brought to a halt so the function was added back. When audit returned to examine the results of the remediation, they saw that nothing was done and they opened a high priority audit item. It also meant that more than 6 months went by with the vulnerability, when it could have been closed more quickly if the proper mitigation action was identified and planned for.
Provide input to audit strategy – Most Internal Audit teams welcome input into their audit planning to reduce redundancy and overlap. Providing audit teams with opportunities to separate audits of systems shared by multiple groups with the audits of the groups themselves reduces redundancy and re-work. No one wants to re-audit the general ledger system when the accounting group, accounts payable, accounts receivable and order entry teams are audited.
Review major changes – Sit down with the audit team and inform them of major projects you’ve worked on in the past year. New systems, new functionality modules, business processes, external connections and strategic partnerships could all be in scope. Ideally, the business team has briefed them – but in the event they haven’t, you are providing good focus on areas of change. This is an opportunity to review all the steps the business and systems teams certified they’d done were done and done correctly.

It helps to notify your management team when your relationship with Internal Audit yields benefits for your team. Part of your job is building and investing in these relationships. It’s important to give credit when credit is due, when your partnerships make you a more effective security professional.

Posted at 09:25 AM in Research | Permalink | Comments (2) | TrackBack (0)

Technorati Tags: adam cardinal , auditors, career growth, information security, information security professionals, internal audit team, professional development, relationship building, team building

October 21, 2009

Nick Selby: Metasploit Acquisition Shakes Up the Pen-test Landscape

With the acquisition of Metasploit (MS) by Rapid7 (R7), the dynamics within the small penetration testing market have changed. We believe that more competition will challenge each of the three main penetration testing software vendors in different ways, and that this new competitive landscape will quickly inure to the benefit of end users and buyers.

To radically simplify, the dynamics have been that Core Security sat at the top of the marketplace in terms of price, scale and enterprise usability; Immunity Security cleaned up at the lower end of the enterprise market and dominated for vendors and professional services types, who also used MS as a free tool.

Immunity has been working on its UI, workflow and backend, steadily but without any great urgency. As its main “competition,” Core, costs literally ten times more for a single seat, and there was no real alternate competition other than MS. Both Immunity and Core have partnerships with vulnerability assessment vendors, but I believe that R7 will be able to market successfully a converged product over time.

R7 has been aggressive in its product development and marketing, and as MS creator HD Moore is nothing if not hyperactive (MS got this far through his relentless late-night and weekend coding) and as MS has been advertising for developers and staff, we can infer that R7 is determined to rapidly integrate MS into its suite. There will of course be integration issues. Among the legions of open-source enthusiasts who are MS fans (the Metasploit 3.x tree, according to Moore, is now under a 3-clause BSD license; earlier, Moore had changed the license from open source to a EULA to prevent commercial exploitation by third parties), there will no doubt be “End is nigh” drama of the sort suffered by Sourcefire and Tenable and other products that have commercialized atop a community-supported project. I assume that both R7 and Moore are smart enough not to kill the golden goose and confident they will manage, ultimately, the community aspect of this.

If R7 and MS are able to clean up usability issues with the product it will be marketable. What then needs to happen is that R7 and Moore, in his new role as Chief Architect of MS, must create sustainable, repeatable workflow around the process of development, testing and quality control and rollout of exploits, and converting - this is no easy task - from the hair-on-fire but ultimately functioning process Moore has been using for these years. If I had to pick one major marketing and sales disadvantage MS has over both Core and Immunity, they are quality control and “safety” of the exploits (not to mention derivation of the exploits, another kettle of fish which must be addressed in the context of community relations). Core and Immunity are expert at these processes - and their attendant post-release support. MS is not and must become so while integrating and transitioning and managing these other issues related to any acquisition.

Assuming that R7 and MSF are able to integrate and address those issues, then the dynamics will change at both Core and Immunity. You'll note that this analysis is not comparing technical details - usability of then client side exploits or quality of the exploits from Core and Immunity which the industry agrees are first rate. At this point, what we have is a complex marketing calculation and discussion, not a technical bake-off.

Let's give some credit to R7 and say that it will make MS more user friendly, easy-to-install-and-use and that it will give it the correct help desk stuff to soothe enterprise buyers. At that point, it has an advantage over Immunity - which philosophically believes its UI is the most elegant to support the workflow and mindset of a penetration tester, but which it admits is less polished than the average enterprise-ready application. This plays right at and competitive with Core's chief selling proposition - ease of use and enterprise class polish and support. Core will begin to feel pricing pressure where it never has before - I have often said that anyone who can afford Core should buy Canvas and probably already has MS. As R7 begins to pressure and erode Core's per-seat price, this calculus will change for Core.

Immunity, on the other hand, will likely continue to sell well. In fact, we see Immunity Canvas sales rising slightly as R7 will spend good money and time promoting the functionality, differentiating penetration testing from vulnerability analysis (see below) and generally helping Immunity by marketing the “why should I pen-test?” proposition. A rising tide of marketing dosh raises all boats, and Immunity will benefit from a standpoint of sales. Where Immunity will suffer is in the development dollars it will feel pressured to spend to improve the UI faster than it may have otherwise wished. The team in Miami has a plan - a good one - for getting the UI and the backend framework to a new level, and it has been executing admirably on that plan. However, I believe that in the newly-shifted landscape in which it finds itself, Immunity may have to accelerate the timeline of these improvements, which will require a shift of resources within the firm to accommodate. Immunity is clearly capable of doing this.

The problem faced by all three which has been aggravated by this acquisition is the most problematic aspect of the competitive field in penetration testing - people conflate pen testing and vulnerability analysis. At IANS Forums for the last year, I've been running sessions on developing internal pen testing resources (the next one is Chicago on 2-3 November). During these sessions, I regularly ask delegates whether they are currently running pen test software and if so which. In every session, someone says that they run Nessus or Qualys and think they are pen testing when they are assessing vulnerabilities. The fact that R7 is known as a vulnerability scanning company is trouble enough for the firm, which is diversifying its offering. To add pen testing to its mix confuses customers, and R7 will have to spend wisely on marketing. We note that Core has been marketing aggressively for years and surmounted many challenges in the space; despite the success and aggression and audacity of its campaigns to date, these confusions remain in the industry. So Core, too, will benefit from R7 entering the market from a marketing standpoint. In the end, Core may find that even if it must eventually reduce its price (something it will resist mightily), its volume will likely increase as the market becomes more educated.

The best thing about the acquisition is that enterprise customers now have three legitimate, sue-able and responsible organizations proffering tools for penetration testing. Quality will likely rise, average price will likely fall, and functionality will likely increase. This is a good time to be in the market for pen-test software.

Nick Selby is a Faculty member of IANS. He is Managing Director of Trident Risk Management.

Posted at 12:08 PM in Vendor Analysis | Permalink | Comments (3) | TrackBack (0)

August 17, 2009

Peter Kuper: Proof Positive

We’ve been tracking the difficulties facing the private sector given declining investment activity and fewer exits, but we’ve also been concerned that buyers will avoid the sector altogether – something we absolutely discourage. The innovation happens almost exclusively in the private companies, and therefore ignoring this sector is not an option.

Avoiding the financially frail companies and selecting the viable ones is clearly the right thing to do. Distinguishing between these two camps is the challenge. Fortunately we are very familiar with many privates, and one just recently made it very easy for all to get a sense of their viability.

BigFix recently shared their financial results with us and they are impressive across the board; revenues are up, cash flow is up, but so are investments!

In one of our recent posts we noted the decline in the total publicly traded security companies R&D expenses – not so here.

The company is also hiring – something else very few providers are doing today, closing in on almost 200 employees.

These financial results are no guarantee that BigFix will continue to prosper, but they are incredibly convincing snapshots of a company doing good things that are being recognized by other buyers. And they’re not the only ones.

As a follow up to our last blog, we checked in with Tenable Network Security and we can confidently state that the folks in Maryland are doing just fine, too. In order to not steal their thunder we won’t reveal any specifics, but keep an eye out for news regarding that company’s trajectory and I doubt you will be disappointed.

So, cheers to BigFix and the other successful privates! The sales growth and increased R&D are stark contrasts to the majority of the public companies who are slashing investments and headcount. We look forward to highlighting other private companies as the data is revealed.

Posted at 08:30 AM | Permalink | Comments (0) | TrackBack (0)

August 14, 2009

Peter Kuper: Eye on Privates - Don't Limit Your Options

The other day another article discussing the venture capital industry arrived in my inbox. It was from John Batdorf, a banker with Viant Capital I’ve worked with over the years and someone whose opinion I respect, so I paid attention. However, with the title “Is venture capital failing to keep the security ecosystem afloat?” I didn’t really need much prodding. Overall, the article touches on the topic we’ve been raising for some time now: while the attacks are all the more sophisticated, the investment dollars are in decline. Essentially the supply vs. demand equation for security is completely out of whack. This is not good. The reasons for this are numerous, but rather than turn this blog into an industry report we want to highlight the implications of this scenario as it pertains to the user community.

We strongly urge buyers not fall into the easy trap of ignoring the privates over this one issue. There are plenty of healthy, viable, and valuable private companies offering security protection. There are also plenty of "dogs" on their last breath. Identifying the dogs is key; dumping the entire market segment out the window because investors are less enthusiastic is flat out wrong. How to separate the dogs is the challenge -- and we’re here to help, of course.

Let’s look at the vulnerability management space as a proxy. We chose this space as most every organization knows it well enough. Sure there are the big dogs offering a scanning capability, but is IBM really going to invest in the acquired ISS scanner? My guess is that it’s not likely. So the classic “safe” move is not really a good one.

Instead, look at the private market: there are at least three companies we are very familiar with that have all done well – and from very different approaches. Core Security, Tenable, and Qualys each have a different approach to the market, ranging from comprehensive efficient capability to proven open source adaptation to SaaS (software/security as a service).

They each have different financing and expense structures -- from international development to solid venture backing to no VC needed -- but fundamentally they are each providing real value to their clients. Yes, they all do more than just pen testing and that certainly has helped the companies grow, but the point is simply that private companies are doing well even in these toughest of times.

Yes, it is tough out there and every buyer needs to have a higher level of scrutiny. But that applies to every vendor – from the brand new start up asking you to be a beta customer to the largest of the publicly traded guys, no one is immune from the harsh economic realities. In fact, the risk of working with a larger vendor could be higher than with the startup; in security, if the product doesn’t work, it’s you who may be in economic trouble.

Posted at 01:53 PM in Financial Analysis | Permalink | Comments (0) | TrackBack (0)

July 28, 2009

IANS Research Team: A Day of IBM Announcements

Busy day at IBM today. Entirely by chance, IBM announced both the acquisition of Ounce Labs (undisclosed amount) in the application security space and SPSS ($1.2 billion) in the business intelligence market.

In Ounce Labs, IBM adds static code analysis capabilities to its Rational Software portfolio and helps to round out the AppScan suite. This complements their earlier acquisition of Watchfire which brought them web application vulnerability testing capabilities. The acquisition better positions IBM against competitors, mainly HP, in the software development market by providing a broader framework for building secure code.

A long partnership gave IBM a good view of what was under the hood at Ounce, and despite a rosy announcement by Ounce Labs earlier this year, IANS assumes IBM was able to strike a very favorable price for the company which eased some of the pain early investors must be experiencing.

As we’ve written before, consolidation will continue in the information security software marketplace, as weaker private companies succumb to financial pressure, their investors lose patience, and larger players seek opportunities to grab compelling intellectual property to bolster their growing suites.

The 24-month history of the software security marketplace proves this out. SPI Dynamics and Watchfire were acquired in 2007 by HP and IBM, respectively, Security Innovation recently sold its European operations to Cigital. On the flip side, Veracode recently received $10 million in funding, Fortify continues to flourish while Klocwork and Coverity are still in the mix.

"The security market is continuing down a classic consolidation path" says IANS Faculty member Peter Kuper. "IBM has moved from buying scale (ISS) to incorporating complementary functionality as evidenced by the Ounce Labs announcement."

We expect the overall consolidation trend to further reveal the two or three dominant providers that will either reach sustainable independence or become an integral part of a larger organization. For security professionals, aligning with those few strong players will provide not only best-in-class technology but also a longer more valuable strategic relationship regardless of the acquiring entity.

We stick by our advice to enterprise buyers, however, that a solid group of high-quality, independent, reliable players still remains that do provide superior technology/service. The question at hand is whether or not application/software security will remain a standalone part of the security market or eventually become a feature of two distinct areas: software development and vulnerability management.

In SPSS, IBM is pushing to give clients “not just insight, but foresight.” The acquisition continues what was started with the Cognos acquisition back in late 2007, continuing the battle between Oracle, SAS and IBM for advantage in that marketplace.

“It’s a good fit for IBM,” says Tom Davenport, Lead Faculty Member at the International Institute for Analytics. “SPSS was the only remaining analytical software provider of any size that anyone could buy. It augments IBM’s business intelligence capabilities in Cognos, and its optimization and rule engine capabilities in ILog - not to mention its 4000-strong Business Analytics and Optimization unit in Global Business Services. IBM is clearly making a major play in analytics. It will be very interesting to see how the company combines all these businesses and goes to market with them.”

Where is the tie between the two announcements? The future of information risk management is moving from reactive to predictive. One obvious example: where will the SIEM space go? It has to move toward being able to predict attacks, not just telling when they occurred.

And how big a role will business intelligence and analytics play in making all industries more competitive? Stay tuned for more developments…

Not by chance, however, with a concentrated research focus in both information risk management and business analytics, IANS sees these two spaces being closely aligned going forward.

Posted at 05:19 PM in Financial Analysis | Permalink | Comments (0) | TrackBack (0)

July 24, 2009

Peter Kuper: No Help for the Little Guys

The latest VC data continues to reveal the pressure on private companies needing capital. The steady decline that began over two years ago is still continuing its downtrend.

Source: Thomson Reuters, National Venture Capital Association

This is definitely not a good thing, as we have consistently looked to the private sector to develop the next-generation solutions needed to keep up defenses against the ever-evolving hacker community. The problems go beyond the money - even if the fortunate few see deposits in their corporate checking accounts the valuations of these investments add to the burn.

Source: Cooley, February 2009

These trends further support our look to the government initiatives such as I4 as the private sector is under stress. The cynic in us can’t help but touch on the topic of bailouts for all the big boys, be they banks or botched auto companies, but what about the smaller players - the ones with the normal assumption of real job growth, let alone the real innovation that produces new products and whole product categories?

That said, we know of a very large group of private companies that are doing very well, including BigFix, Verdasys, and Qualys. Overall, we still recommend buyers look to the privates, especially given some of the antiquated wares of the public companies. Yes, they may be financially stronger -- but what protection are you getting for your scarcer dollars?

Our recommendations have centered around:

Product strength (worth the risk of linking up)
Management team (ability to execute)
Investors (history, viability of the backers)

Overall, we still endorse the private sector but need to caution IANS members to check out the firm before they “leap”. This applies to public companies as well - just because you’re big doesn’t mean you can’t be bought, as we have seen from the original ISS acquisition and more recently the previously-envied Sun Microsystems. We’re watching that deal very closely to see which Identity & Access Management solution service is phased out in favor of the other. Costs still matter, no matter how big or small.

Posted at 09:35 AM in Financial Analysis | Permalink | Comments (0) | TrackBack (0)

July 22, 2009

IANS Research Team: Personalizing Enterprise Assets - The Limits

All of a sudden this month the security implications of the “power to the people” revolution are coming into focus. More and more Ask an Expert research queries from client security teams are centering on securing one of three new security vectors:

Unsanctioned, personal wireless devices (e.g smartphones) accessing network assets of all types. POPing email is the most common; sensitive asset access the most concerning.
Workers using social networking resources on company time, for what they deem appropriate job-related reasons
Rogue cloud computing applications that are being requisitioned by well-intentioned business unit managers “because it’s so easy and cheap.”

The IANS research team is working on a Point of View (POV) report that will explore the technical, policy, and privacy issues this movement is continuing to raise.

We recently completed the one-day gathering of members participating in our Security Maturity Benchmarking study, and it was quite the eye-opener.

A few of the highlights:

Benchmarking your team’s maturity against relevant peers is viewed by CISOs as the best way to make the resource/budget case with senior management
High-performing IT security teams have adopted a “service delivery” model internally to accurately reflect to business units the value of security
The optimal organization structure chosen by high-performing IT security teams is a small centralized operation (SOC) with dotted-line reports out in the operating divisions. These agents live inside the business, but enforce the standards set by central command.

Finally, we’re seeing a stronger and stronger interest in the GRC (Governance, Risk & Compliance) space as more CISOs are seeking a true risk management measurement tool to centralize the view of organizational risk.

We’ll host an Interactive Phone Conference on the topic on August 6.

Posted at 11:49 AM in Research | Permalink | Comments (0) | TrackBack (0)