Sophos takes on new investors May 4, 2010

Posted by jonathanpenn in client security, news.
On the heels of Symantec’s two encryption acquisitions, there’s another development in the client security space. Sophos’ original investors just sold their stake. Sophos’ new investors, Apax Partners, invested $400m and acquired a majority stake – thus valuing Sophos at just over $800m.

Sometimes, these investments serve as a lifeline for a vendor (e.g., private equity firm Thoma Bravo’s acquisition of Entrust a year ago). That is not the case here. Sophos was a healthy and growing company – though it faces increasingly stiff competition from the top-tier client security companies.

This is not just a buyout of early investors, but an additional investment in Sophos. So this will ultimately help Sophos by fueling acquisitions as well as global expansion.

There are several possible dynamics going on here. It could be that Sophos investors saw a good opportunity to pull out. In fact, those investors (TA Associates) were also the ones who invested $200m in AVG recently. So it could also simply be that TA didn’t want to have two AV vendors in its portfolio and decided to rationalize, especially since these two vendors have very different strategies and business models. Sophos was also purportedly on the IPO track – with estimates placing the valuation at ~$1b. It could also be that Sophos saw that, for whatever reason, the IPO route wasn’t optimal.


Security of open source: Sunlight disinfects, but does it introduce germs as well? April 9, 2010

Posted by jonathanpenn in news.
The security of open source software took a small hit this week as Mozilla reported that Firefox currently contains a root certificate authority that has no owner. The fear is that this is a bogus CA inserted by hackers to provide trustworthiness to malicious sites.

This potentially provides an example of a nightmare scenario the anti-open-sourcers talk about: that hackers can inject back doors or introduce vulnerabilities within the open source development process.

Indeed, Fortify is drawing a rather extreme conclusion to this situation with its European director, Richard Kirk, stating that “this tilts the balance in favour of Microsoft’s Explorer”. That’s a ridiculous claim: in the browser war, this event will not move the needle one way or another. All it’s served to do is get much of the security community (which tends to favor openness) to jump on Fortify. Besides, while good theoretical arguments are made on both sides of the “security of open source versus closed source” debate, in practice it comes down to, well... practice. And it has been shown that one of the best practices is openness: whether closed or open source, an open and transparent disclosure process improves security over time.

I do agree with what Fortify’s Kirk says later, that “The important thing to stress, however, is the need for software security testing to identify and remove vulnerabilities from applications, rather than simply trying to block attacks on software by securing the network.”

Lesson #1: DO use these moments to offer constructive advice by raising awareness of issues and solutions.

Lesson #2: DON’T broadly attack an entire movement with biased statements. You’ll only make yourself a target for wrath and ridicule.

Live at the RSA Conference: an industry view March 2, 2010

Posted by jonathanpenn in news.
Update – Friday March 5 – Wrap-Up

The session was on how CISOs should be adapting to IT changes, and included Steve Munford, CEO of Sophos, and Sam Ghelfi, the Chief Information Security and Privacy Officer of Raymond James. The main topics of discussion were:

  1. Given staffing and budget pressures, and the heightened threat climate, we need to actively seek a way to spend less effort managing security technology, to allow us to devote more time to managing IT risk.
  2. How compliance has helped IT Security practices gain visibility, but the business views IT compliance as a check-box with little value beyond avoidance of fines. As Sam eloquently stated “Every time we’re talking with the business about compliance, we’re not talking about risk management.”
  3. Consumerization and the loss of control within IT and IT Security over the technologies and devices that businesses want to run.

Here’s a run-down of my meetings:

  • Lieberman Software. The privileged user management (PUM) vendor announced product and partnerships that provide visibility and control of IT administration in virtualization and cloud environments. No one else in the PUM space has done this, to my knowledge. I pressed Phil Lieberman for references, even of beta customers. No one is yet willing to talk, he said, but I will keep trying. Even off-the-record validation of this could be a significant move forward.
  • VeriSign. VeriSign just released some consumer data and findings around consumers’ trust in the Internet. Great stuff. More detailed than I’ve done in the past.
  • Novell. Novell is another company striving for the revolutionary when it comes to cloud security, embodied in its Intelligent Workforce Management strategy. Things I enjoy most about talking with Nick Nikols: (a) he’s intelligent, (b) as a former analyst himself, he really seeks to understand my perspective on the market – he doesn’t just look at me as a marketing tool, and (c) also because he’s a former analyst, I know I can’t get away with anything, so he really keeps me on my toes. Thanks, Nick!
  • AVG. Meeting with AVG was a delight: I find them fascinating, given how freeware is such a completely disruptive force in the consumer antimalware market, with no incumbent vendor seeming to be able to develop a strategy to adapt (hint: read my report).
  • Modulo. Modulo has had some impressive success, but remains under most people’s radar screen. Nonetheless, the whole GRC product market is one in dire need of evolution. Clearly, the message about more efficient controls management and insight is one that is not compelling enough. Hopefully, I’ll write more on that in a subsequent post.

Update – Thursday March 4, 10:40am – Where is everybody?

Just a quick note on the attendance and activity. The first day was actually quite busy and everyone was congratulating themselves on how robust and resilient the security industry is, and how important security must be to the business for so many security practitioners to show up. The sessions were nearly packed, and the exhibit floor was bustling – here’s what the show floor looked like even at 5pm on Tuesday.

Since that first day, however, there’s been a steady drop-off in attendance and activity on the show floor and outside the conference rooms. Maybe everyone is just meeting at hospitality suites, or conducting business at the W Hotel’s XYZ Bar. Yesterday’s sessions were pretty thin, and the floor activity was quite slow. Today, it’s looking like a conference that’s ready to wrap up.

Did everyone just come for the security swag? Were they expecting the beautiful San Francisco spring and were so disappointed by the rains that they just packed up and went home early (RSA: please go back to running this in April)? Whatever the reason, and whatever attendance numbers RSA may put out in the end, this conference is less active than last year’s in many respects. Attendees are also saying that they’re not really seeing or hearing anything new, either. The value and impact of the conference seems to have dipped again. I think many people limited their attendance to a day or a day and a half. I also think some of the activity is shifting to the social networking (the physical kind) that exists around the show’s periphery.

Update – Thursday March 4, 8:00am – Key conference themes

Major themes or topics of the show:

  1. Cloud security. Thankfully, much of this conversation is shifting away from what security is offered in the cloud (vendors’ delivery model), and people are now discussing how to secure the broader set of IT services that are moving to the cloud (i.e., IaaS, PaaS, and SaaS).
  2. Web 2.0 threats. These are both external (everything from Koobface to malware links showing up in blogs & Twitter streams to ) and internal (malicious or inadvertent disclosure of sensitive information in blogs, Twitter, LinkedIn, etc).
  3. Consumerization. A lot of talk about “Moving from IT security professionals saying ‘No’ to saying ‘Yes, but…’” when it comes to whether/how to allow devices and technologies that end users are bringing in or adopting on their own. Frankly, most CISOs I know aren’t in a position to say Yes or No…they aren’t asked; they are told that this stuff is coming in (or, more likely, they discover it by happenstance) and they just have to adapt.

Update – Wednesday March 3, 10:00am – AT&T breakfast session

The conference started early for me today, with an AT&T breakfast session led by AT&T VP Bill O’Hern, who didn’t discuss security, but instead focused on mobility and the growing capabilities of the smart phone. I expect AT&T to position more around what Bill referred to as “smart mobile computing”. The concept itself simply takes the mobility conversation a step further than we see at present: as smartphones reach functional parity with PCs, instead of trying to work in a world where we use both and need to synchronize seamlessly between the two, we can just work on the mobile platform and have a world without desktops and laptops. Naturally, we’d need better interfaces that we could plug our smartphones into (for a full keyboard and a big screen, e.g.), but that’s not much of an issue. And of course, Bill presented the notion of the entire data center moving to the cloud. The vision was interesting. Unlike Bill, I see this playing out in the 5-15 year timeframe, rather than the 2-5 year timeframe he placed it at.

But it did get me thinking that we have two different sides of the same trend around cloud. The first is that applications and IT infrastructure are moving out of the data center: in effect, pushing server environments into the cloud. This is slowly happening with IaaS, PaaS, and SaaS, etc. The other side of the coin is that user mobility is moving workers outside the LAN and WAN – in effect coming into the organization through the cloud. So we’re getting pulled into the cloud from two angles. I don’t see either as happening rapidly, but looked at in combination it points to disruption and opportunity.

Update – Tuesday March 2, 6:30pm: Briefings, and a quick run of the floor

My afternoon was spent in back-to-back briefings with EMC/RSA and Cisco. Cisco was a deeper dive into the Secure Borderless Network strategy, which I discussed yesterday (below in this post). With EMC/RSA, we delved into security consulting — which I’ve mentioned before is a critical capability for any vendor wishing to be a strategic security partner to its customers. What I didn’t know was how well-developed EMC’s consulting practice is (not all security-related by any means): EMC reports having 2,200 consultants. I haven’t done the math yet to make a revenue guess, but that’s certainly a significant advantage in having such relationships with so many customers, resulting in a deep understanding of their customers’ business strategy, IT strategy, and security strategy.

Update – Tuesday March 2, 2:30pm: Industry Analyst Roundtable

We just wrapped up our Industry Analyst panel with John Pescatore of Gartner and Chris Christiansen of IDC, hosted by Asheem Chandna of Greylock Partners, and covered a lot of ground. For 3 analysts from 3 different firms, there was a surprising (perhaps disappointing, to some in the audience) amount of agreement. Among the topics we discussed:

1. The move to cloud/SaaS-based security is far stronger than just a reaction to budget and staffing pressures. There’s a significant shift happening as organizations outsource operational or discrete security functions. This mirrors our Forrester data, which shows strong enterprise interest across the board for managed security services.

2. The Aurora cyberattacks do not represent any significant new threat. But they do present an opportunity to educate executives on the existence, sophistication, and prevalence of cyber espionage.

3. Adoption of cloud services — the most talked about topic at the conference so far — represents some new considerations from a security perspective. However, the overall framework of security doesn’t need modification: simply apply what you already do to your own security environment and put requirements into the contracts. It’s not quite that simple, but cloud (IaaS and PaaS specifically) doesn’t require a complete rethinking of security…just more diligence. We all stated that solutions which secure the cloud are far more likely to be sold to cloud providers (who in turn offer them as classes of service) than to end user organizations directly. This will fundamentally shift the dynamic between security vendors and organizations: security solutions will be part of the cloud and adopted by providers, not something bolted on and left to end user organizations to integrate.

4. Compliance has been a double-edged sword for security. It’s helped fund projects that in general have improved our security postures. However, it hasn’t really elevated the value of security (at the end of the day, compliance is a check-box, after all) and it can often siphon funds away from other projects that provide more security value.

5. Consumerization is just one trend representing how IT is losing control of the corporate environment, and how that challenges IT Security to adapt.

There were some good questions from the audience delving deeper on managed security services (why do it? how do you measure the benefits?).

Update – Tuesday March 2, 9:00am: Art Coviello’s keynote

Just saw the keynote by Art Coviello, President, RSA. The focus was on securing the cloud. His main points were:

  1. Migration of IT to the cloud is inevitable. I totally agree with this, and see security merely as a temporary hurdle.
  2. That adoption of virtualization and cloud has implications on the relationship between IT Security and IT Ops, as the former focuses on governance and the latter on quality of service.

Both of these observations are spot on. The Keynote wasn’t a place to announce how to secure the cloud, or what RSA is doing here to further the effort, but this is obviously where RSA (and VMware and EMC) are in a great position to develop leadership.

Monday March 1, 3:30pm: Cisco’s Secure Borderless Network strategy

I spent the first half of the afternoon with Cisco, which detailed elements of its Secure Borderless Network strategy. This looks like a very significant move, and a compelling direction, for Cisco. It attempts to make network connectivity and access far more seamless than it is today. However, one way the demonstration delivered seamlessness was to hide all aspects of security. Specifically, how Cisco handles identity issues. If Cisco relies solely on device-based identity and NAC, this is potentially troubling or at least limiting. How Cisco incorporates other forms of authentication – a promising area for partnership with authentication and credential management companies – is key to this being successful in the enterprise.

And corporate workers aren’t the only people using multiple devices from multiple locations to access data and services: there are some powerful opportunities for AnyConnect in the consumer space that Cisco doesn’t seem to have fully explored yet.

With this announcement, Cisco is also relying first on the Ironport appliance but also moving more towards reliance on cloud services (enabled by its acquisition of ScanSafe). This also marks a significant shift in Cisco security strategy away from a reliance purely on product, to offering its own managed/SaaS solution rather than providing products to service providers. Expect ScanSafe assets to serve as the foundation for more security policy enforcement moving forward.

This will fundamentally shift the dynamic between security vendors and organizations. Security solutions will be part of the cloud and adopted by providers, not something bolted on like a form of duct tape to connect organizations with cloud services.

Cloud Security Challenge: Looking for startups with innovative solutions March 1, 2010

Posted by jonathanpenn in news.
The Global Security Challenge, with whom I’ve worked in the past, is now accepting applications for startups with cloud security solutions. The Cloud Security Challenge, sponsored by HP, is open to any company. I’ll be one of the judges.

Entrants must have a technology that can be used to prevent, defend against, cope with or recover from terrorist incidents and other criminal acts in the ‘cloud’. Examples of areas of interest are (but are not limited to): data protection, storage in the cloud, authentication, encrypted data transfer, data classification, understanding data locations, vulnerabilities from social networks and virtualization SW.

Entrants cannot have more than GBP£3 million (~$4.5m) in annual revenues in 2009 (total annual sales revenue).

Deadline for submission is March 15, and winners will be announced in April. Entry is free.

The winner of the Cloud Security Challenge will receive:
• $10,000 cash award
• Exclusive mentorship from an executive at CapGemini
• Up to three finalists will be invited to test their technology in an HP Labs cloud test-bed

The winner and finalists will also enjoy some very good visibility and recognition given what promises to be quite a competitive field.

If you have innovative technology that addresses some of the security or privacy issues surrounding cloud computing, I encourage you to apply.

What I expect from the RSA Conference February 26, 2010

Posted by jonathanpenn in news.
I’ll be pretty busy at the RSA Conference this year, with participation in the always-well-attended Industry Analyst Roundtable discussion with my colleagues at Gartner and IDC (March 2, 1:00 PM, Orange Room 302), and moderating a very interesting session on the changing nature of the vendor-CISO relationship (March 4, 9:10 AM, Green Room 123) with the CEO of Sophos and the CISO of Raymond James Financial.

And about 30 vendor briefings, with some time to cruise the exhibit floor. I’ll probably have to view many of the keynotes online, unfortunately. But I promise to blog each day about what I’m seeing (and not seeing) at the event.

Here’s what I expect:

  • Cloudiness. Lots of solutions focused on securing IT as it adopts cloud (IaaS, PaaS, and SaaS) computing. This is a marked difference from last year, which showed many vendors offering security products that simply exist “in the cloud” (i.e., cloud/SaaS as a delivery model).
  • Commotion. For several years the RSA Conf was somewhat torpid. IT security investment was down, and attendance reflected that as the vendor presence started to overshadow that of practitioners. Last year represented an uptick in both activity and innovation. Expect that to continue – new product, new vendors (!), and lots of interested security professionals eager to learn.
  • Corroboration. Security professionals are always scrutinizing their spending, but this year is especially tight. Even though their own security budgets have fared reasonably well, other IT groups and business units that normally contribute funds to various projects simply don’t have the money to spare. On top of this, IT Security groups are facing enormous staffing pressures at a time when the pace of change – IT change, business change, and change in the threat landscape – is increasing. I don’t know if vendors will be providing better models or examples of the benefits their solutions can bring, but the IT sec pros asking questions at the booths and from the audience at the sessions will have a laser-like focus not just on how these solutions deliver more security, but also on how they deliver demonstrable value.
  • Consistency. What I don’t expect to see is any ground-breaking new security technologies or groundswells of vendor movement, the way we saw identity management, then compliance and governance, then data loss prevention each sweep through the industry in turn through the course of the last decade.

There you have it. As I said, it’s going to be a whirlwind week. I’ll be posting frequently, so please let me know what you’d like to hear about as I grill vendors on their performance, plans, and products, and also talk with security professionals about their priorities, challenges, and successes.

Hyping the Hackorist Threat February 9, 2010

Posted by jonathanpenn in cyberwar/CIP, news.
The cyber-espionage threat is certainly news these days thanks to Google, but it is not new. It’s been going on for quite some time and it represents a significant risk to many companies, most of whom underestimate that risk. What concerns me about much of the commentary coming from the cybersecurity community is that it uses the Google incident as a springboard to pump up the cyber-war / cyber-terrorism rhetoric. Couldn’t we focus on cyber-espionage for just a minute before turning things over to the defense community?

Yes, we should pay attention to the potential cyber-terrorism threat. But we need to be careful that our attempts to proactively address a digital 9/11 don’t come at the expense of defending against corporate espionage. We have an excellent opportunity to start building that public-private partnership we all recognize as necessary to the critical infrastructure protection effort. Corporate espionage is a perfect area for public-private collaboration. We’ll have squandered that if we overly focus on the hackorist threat.

Forrester’s latest Security Survey findings published January 22, 2010

Posted by jonathanpenn in client security, identity, news, trends & futures, value.
I wanted to announce that the reports based on our annual Security Survey of nearly 2,000 organizations are live as of Monday, January 25. These are among our most widely-read security reports, with insight into IT security priorities, challenges, state of compliance efforts, and of course adoption of security technologies and services.

The two reports are:

Here’s a taste of some of the findings:

  • Security budgets, which didn’t take too much of a hit overall last year, continue to fare well. Most notably, budgets for acquiring new security technology are recovering quite strongly. But insufficient staffing is still going to be an issue in 2010. Top security technology areas identified for growing investment are network security and data security (for a slightly alternative view of data security spend and related 2010 prognostications, see Andrew Jaquith’s report, “Data Security Predictions 2010”).
  • The top IT security priority remains data protection. Notably, managing vulnerabilities and complex threats moved several slots up the ranks to become the #2 IT security priority today.

Some findings at a more detailed level:

  • Across-the-board growth is expected in adoption of various managed security services, with vulnerability assessments being the service organizations are most interested in adopting “over the next 12 months” (Sept 2009 – Sept 2010).
  • Compliance with PCI continues to look pretty abysmal. North American organizations are still not where they should be, and the level of PCI compliance in Europe is especially poor.
  • Organizations are expecting to invest big in client security, with renewed spending on more mature threat management technologies while simultaneously taking emerging data protection technologies mainstream.

Finally, some other observations from the data:

  • Diminishing distinctions between SMBs and enterprises with respect to priorities, challenges, and tech adoption. This is a continuing trend, and one that my colleague and economist-in-residence Andy Bartels is seeing across many segments of IT.
  • Not to minimize the fact that security concerns impede adoption of cloud, but security decision-makers expressed even more concern about consumerization (smart phones, web 2.0, etc). In general, this follows the broader trend of IT losing centralized control of technology adoption, deployment, and use. It’s not just consumer technology like iPods and use of Facebook or Twitter; it also shows up in the uncontrolled proliferation of SharePoint sites by business groups, or in the use of cloud compute services by application developers. All that aligns well with Forrester’s identification of the mega trends most affecting the technology industry.

Terrorism and measuring the risk of air travel January 7, 2010

Posted by jonathanpenn in news.
In the wake of the Dec 25 “Christmas bomber” (aka “underwear bomber”) incident, there’s been a lot of conversation around safety of air travel. I’ve seen several articles and posts that repeat the old argument that air travel is safer than car travel, or even simply safer than ever.

I don’t want to get into why the air travel versus car travel comparison is faulty. But the “air travel being safer than ever” statement is measuring probabilities based on the number of flights and the number of incidents. That sounds reasonable at first glance, but I believe it is inappropriate in this circumstance. If one were measuring indiscriminate events such as equipment failures or flying into a flock of birds, such calculations might hold. But terrorist attacks are different. Terrorist attacks are planned, and planned with a purpose. Because of this, you cannot think of them as randomly occurring along some even distribution curve.

These terrorist attacks in the air aren’t designed to bring down our commercial aviation industry; they are designed to instill fear in the general populace. So on Dec 26, 2009, the odds of a terrorist attack would be quite low: besides the fact that security is heightened, fear has already been instilled, so the terrorists don’t need to do anything. On the other hand, we have determined, resourceful enemies which collectively present a new threat that wasn’t there ten years ago. You can’t just say that because there are more flights than 10 years ago, the skies are safer even in light of a few successful or attempted attacks. The specific situational aspects of the issue are everything.

I’m not saying the skies are unsafe. But simply tallying up the number of incidents or fatalities and dividing by the number of flights or miles (or, even worse, “passenger-miles”) doesn’t give you an accurate picture of the situation.