Most Recent Blogs

The Security Industry Remains Strong with Computer Science but Weak on IT

Posted: November 18, 2013   /   By: Jon Oltsik   /   Tags: IBM, Cybersecurity, Cisco, Information and Risk Management, FireEye, HP, Dell, Oracle, Security and Privacy, Security, Enterprise, SIEM, E&Y, Leidos, Accenture, CISO, saic, IPO, Security Management, CSC, Unisys

Last week, I was in Silicon Valley meeting with a parade of CISOs and security vendors. Business travel is no “day at the beach,” but these trips really help me keep up with the latest enterprise security challenges and potential technology solutions.

It was also nice to spend time in the Valley and re-charge my batteries toward the security industry. There was a lot of excitement out there as a result of business growth, VC investment, and the wildly successful FireEye IPO.


Why Aren’t We Questioning the Effectiveness of the NSA Program?

Posted: June 11, 2013   /   By: Jon Oltsik   /   Tags: Information and Risk Management, Security and Privacy, Security, Booz Allen, saic, nsa, cybercrime, Edward Snowden

Full disclosure, I am extremely uncomfortable with the intrusive intelligence programs going on at NSA. If it weren’t for Edward Snowden and Mark Klein (former AT&T technician) we wouldn’t know about NSA activities on telephony and data networks. It makes you wonder what additional data the NSA is collecting that we don’t know about.

Beyond the privacy issue, however, there are a few other fundamental questions here and I don’t hear anyone asking them. Allow me to chime in:

  1. How effective are these programs? PRISM is just one of several programs based upon data collection and mining. We’ve heard rhetoric about how these programs have protected us by detecting and preventing terrorist attacks but no one has provided any detail. Yeah, I know this is classified information but this means that we U.S. citizens have to take the government’s word for it, which has proved to be a fool’s choice in the past. We do know that in spite of these massive programs, the intelligence community missed the underwear bomber (spelling error in database), the Times Square bomber, and Tamerlan Tsarnaev. Given these “swings and misses,” how often did the intelligence community deliver base hits?
  2. How much does it cost? The NSA budget is classified but you've got to figure that the U.S. is spending multiple billions of dollars on data collection, storage, and mining. Heck, the NSA is building a $1.2 billion data center in Utah, capable of holding yottabytes of data. Big dollars for government integrators but is this investment really worth it in an era of budget deficits and bridges falling apart? Without an answer to question #1, we can’t understand whether we are throwing good money after bad to keep K Street lobbyists and “Beltway Bandits” fat and happy.
  3. How secure are these programs? In my mind, Booz Allen has a bit more explaining to do. How was Edward Snowden, a new employee, able to walk out the door with classified data so easily? At a higher level, how many others working at L3, CACI, and SAIC could expose similar data to the press or sell it to Iran, North Korea, or other nations? A disgruntled worker could make the damage caused by Bradley Manning look like nothing.

The Security Skills Shortage Is Worse Than You Think

Posted: August 30, 2012   /   By: Jon Oltsik   /   Tags: IBM, Cloud Computing, Check Point, Palo Alto Networks, Private Cloud Infrastructure, Information and Risk Management, Sourcefire, HP, Dell, McAfee, Security and Privacy, BYOD, Raytheon, Lockheed Martin, trend micro, Symantec, saic, CSC, BT, Verizon, Unisys, Server Virtualization, security skills, Public Cloud Service

I’ve written a lot about the security skills shortage but it is worth reviewing a bit of data here for context. According to ESG Research, 55% of enterprise organizations (i.e., those with more than 1,000 employees) plan to hire additional security professionals in 2012 but they are extremely hard to find. In fact, 83% of enterprises claim that it is “extremely difficult” or “somewhat difficult” to recruit and/or hire security professionals in the current market.

Given this data, it is fair to assume that many IT security organizations are short staffed and pushing the security team to its limits. As if this wasn’t bad enough, ESG data also points to 3 trends that exacerbate the security skills shortage, further impacting the effectiveness of the precious few security personnel in place:

  1. Critical skills deficits. Along with the shortage of staff, many organizations report that their security staff lacks skills in critical areas such as network security, cloud computing/server virtualization security, mobile device security, and security analysis/forensics.
  2. Security staff time management. Large organizations indicate that one of their biggest problems is that their security professionals spend an inordinate amount of their time putting out fires. This limits the time for other more proactive security activities.
  3. Security tools complexity and lack of automation. Security vendors built tools rich in feature/functionality and designed for customization. Unfortunately, many large organizations don’t have the time or staff necessary to fine-tune them or develop expertise in their use.

My Take On The Security IPOs: Infoblox, Palo Alto Networks, and Splunk

Posted: April 20, 2012   /   By: Jon Oltsik   /   Tags: IBM, Microsoft, Check Point, Palo Alto Networks, Cisco, Information and Risk Management, Juniper, Sourcefire, Dell, McAfee, Security and Privacy, SIEM, ArcSight, RSA, saic, IPO, Firewall, Splunk, Q1 Labs, SecureWorks, SonicWall, Windows

Splunk (SPLK) went public this week and both Infoblox and Palo Alto Networks will soon follow. This could be the start of a security IPO run moving forward. Why? Status quo security defenses aren't working so there is a burgeoning market for next-generation security technologies. This market opportunity has driven M&A activities for years but we've recently seen far broader interest in security. HP grabbed ArcSight and started a security business unit. IBM acquired Q1 Labs and did the same. Dell purchased SecureWorks and SonicWall. Investment is pouring into the security sector driving innovation and a present and future wave of IPOs.


Final Thoughts on the RSA Conference 2012

Posted: March 09, 2012   /   By: Jon Oltsik   /   Tags: Microsoft, Big Data, Cisco, Data Management & Analytics, Information and Risk Management, Sourcefire, McAfee, Security and Privacy, Kaspersky, android, Juniper Networks, rsa conference, trend micro, Symantec, RSA, Blue Coat, saic, security analytics, Gartner

Okay, it's been a week since the RSA Security Conference 2012 so my window of opportunity for editorial comment is nearly closed. A few last thoughts:

