The Security Industry Remains Strong with Computer Science but Weak on IT

Last week, I was in Silicon Valley meeting with a parade of CISOs and security vendors. Business travel is no “day at the beach,” but these trips really help me keep up with the latest enterprise security challenges and potential technology solutions.

It was also nice to spend time in the Valley and recharge my batteries toward the security industry. There was a lot of excitement out there as a result of business growth, VC investment, and the wildly successful FireEye IPO.


Why Aren’t We Questioning the Effectiveness of the NSA Program?

Full disclosure, I am extremely uncomfortable with the intrusive intelligence programs going on at NSA. If it weren’t for Edward Snowden and Mark Klein (former AT&T technician) we wouldn’t know about NSA activities on telephony and data networks. It makes you wonder what additional data the NSA is collecting that we don’t know about.

Beyond the privacy issue, however, there are a few other fundamental questions here and I don’t hear anyone asking them. Allow me to chime in:

  1. How effective are these programs? PRISM is just one of several programs based upon data collection and mining. We’ve heard rhetoric about how these programs have protected us by detecting and preventing terrorist attacks but no one has provided any detail. Yeah, I know this is classified information but this means that we U.S. citizens have to take the government’s word for it, which has proved to be a fool’s choice in the past. We do know that in spite of these massive programs, the intelligence community missed the underwear bomber (spelling error in database), the Times Square bomber, and Tamerlan Tsarnaev. Given these “swings and misses,” how often did the intelligence community deliver base hits?
  2. How much does it cost? The NSA budget is classified but you've got to figure that the U.S. is spending multiple billions of dollars on data collection, storage, and mining. Heck, the NSA is building a $1.2 billion data center in Utah, capable of holding yottabytes of data. Big dollars for government integrators but is this investment really worth it in an era of budget deficits and bridges falling apart? Without an answer to question #1, we can’t understand whether we are throwing good money after bad to keep K Street lobbyists and “Beltway Bandits” fat and happy.
  3. How secure are these programs? In my mind, Booz Allen has a bit more explaining to do. How was Edward Snowden, a new employee, able to walk out the door with classified data so easily? At a higher level, how many others working at L3, CACI, and SAIC could expose similar data to the press or sell it to Iran, North Korea, or other nations? A disgruntled worker could make the damage caused by Bradley Manning look like nothing.

The Security Skills Shortage Is Worse Than You Think

I’ve written a lot about the security skills shortage but it is worth reviewing a bit of data here for context. According to ESG Research, 55% of enterprise organizations (i.e., those with more than 1,000 employees) plan to hire additional security professionals in 2012 but they are extremely hard to find. In fact, 83% of enterprises claim that it is “extremely difficult” or “somewhat difficult” to recruit and/or hire security professionals in the current market.

Given this data, it is fair to assume that many IT security organizations are short-staffed and pushing the security team to its limits. As if this wasn’t bad enough, ESG data also points to 3 trends that exacerbate the security skills shortage, further impacting the effectiveness of the precious few security personnel in place:

  1. Critical skills deficits. Along with the shortage of staff, many organizations report that their security staff lacks skills in critical areas such as network security, cloud computing/server virtualization security, mobile device security, and security analysis/forensics.
  2. Security staff time management. Large organizations indicate that one of their biggest problems is that their security professionals spend an inordinate amount of their time putting out fires. This limits the time for other more proactive security activities.
  3. Security tools complexity and lack of automation. Security vendors built tools rich in feature/functionality and designed for customization. Unfortunately, many large organizations don’t have the time or staff necessary to fine-tune them or develop expertise in their use.

My Take On The Security IPOs: Infoblox, Palo Alto Networks, and Splunk

Splunk (SPLK) went public this week and both Infoblox and Palo Alto Networks will soon follow. This could be the start of a security IPO run moving forward. Why? Status quo security defenses aren't working so there is a burgeoning market for next-generation security technologies. This market opportunity has driven M&A activities for years but we've recently seen far broader interest in security. HP grabbed ArcSight and started a security business unit. IBM acquired Q1 Labs and did the same. Dell purchased SecureWorks and SonicWall. Investment is pouring into the security sector driving innovation and a present and future wave of IPOs.


Final Thoughts on the RSA Conference 2012

Okay, it's been a week since the RSA Security Conference 2012 so my window of opportunity for editorial comment is nearly closed. A few last thoughts:
