jump to navigation

Cloud Security Challenge: Looking for startups with innovative solutions March 1, 2010

Posted by jonathanpenn in news.
add a comment

The Global Security Challenge, with whom I’ve worked in the past, is now accepting applications for startups with cloud security solutions. The Cloud Security Challenge, sponsored by HP, is open to any company. I’ll be one of the judges.

Entrants must have a technology that can be used to prevent, defend against, cope with or recover from terrorist incidents and other criminal acts in the ‘cloud’.  Examples of areas of interest are (but are not limited to): data protection, storage in the cloud, authentication, encrypted data transfer, data classification, understanding data locations, vulnerabilities from social networks and virtualization SW.

Entrants cannot have more than GBP£3 million (~$4.5m) in annual revenues in 2009 (total annual sales revenue).

Deadline for submission is March 15, and winners will be announced in April. Entry is free.

The winner of the Cloud Security Challenge will receive:
• $10,000 cash award.
• Exclusive mentorship from an executive at CapGemini
• Up to three finalists will be invited to test their technology in an HP Labs cloud test-bed

The winner and finalists will also enjoy some very good visibility and recognition given what promises to be quite a competitive field.

If you have innovative technology that addresses some of security or privacy issues surrounding cloud computing, I encourage you to apply.


What I expect from the RSA Conference February 26, 2010

Posted by jonathanpenn in news.
add a comment

I’ll be pretty busy at the RSA Conference this year, with participation in the always-well-attended Industry Analyst Roundtable discussion with my colleagues at Gartner and IDC (March 2, 1:00 PM, Orange Room 302), and moderation a very interesting session on the changing nature of the vendor-CISO relationship (March 4, 9:10 AM, Green Room 123) with the CEO of Sophos and the CISO of Raymond James Financial.

And about 30 vendor briefings, with some time to cruise the exhibit floor. I’ll probably have to view many of the keynotes online, unfortunately. But I promise to blog each day about what I’m seeing (and not seeing) at the event.

Here’s what I expect:

  • Cloudiness. Lots of solutions focused on securing IT as it adopts cloud (IaaS, PaaS, and SaaS) computing. This is a marked difference from last year, which showed many vendors offering security products that simply exist “in the cloud” (ie, cloud/SaaS as a delivery model)
  • Commotion. For several years the RSA Conf was somewhat torpid. IT security investment was down, and attendance reflected that as the vendor presence started to overshadow that of practitioners. Last year represented an uptick in both activity and innovation. Expect that continue – new product, new vendors (!), and lots of interested security professionals eager to learn.
  • Corroboration. Security professionals are always scrutinizing in their spending, but this year is especially tight. Even though their own security budgets have fared reasonably well, other IT groups and business units that normally contribute funds to various projects simply don’t have the money to spare. On top of this, IT Security groups are facing enormous staffing pressures at a time when the pace of change – IT change, business change, and change in the threat landscape – is increasing. I don’t know if vendors will be providing better models or examples of the benefits their solutions can bring, but the IT sec pros asking questions at the booths and from the audience at the session will have a laser-like focus not just on how these solutions deliver more security, but also on how they deliver demonstrable value,.
  • Consistency. What I don’t expect see is any ground-breaking new security technologies or groundswells of vendor movement, the way we saw identity management, then compliance and governance, then data loss prevention each sweep through the industry in turn through the course of the last decade.

There you have it. As I said, it’s going to be a whirlwind week. I’ll be posting frequently, so please let me know what you’d like to hear about as I grill vendors on their performance, plans, and products, and also talk with security professionals about their priorities, challenges, and successes.

Hyping the Hackorist Threat February 9, 2010

Posted by jonathanpenn in cyberwar/CIP, news.
add a comment

The cyber-espionage threat is certainly news these days thanks to Google,  but it is not new. It’s been going on for quite some time and it represents a significant risk to many companies, most of whom underestimate that risk. What concerns me about much of the commentary coming from the cybersecurity community is that it uses the Google incident as a springboard to pump up the cyber-war / cyber-terrorism rhetoric. Couldn’t we focus on cyber-espionage for just a minute before turning things over to the defense community?

Yes, we should pay attention to the potential cyber-terrorism threat. But we need to be careful that our attempts to proactively address a digital 9/11 don’t come at the expense of defending against corporate espionage. We have an excellent opportunity to start building that public-private partnership we all recognize as necessary to the critical infrastructure protection effort. Corporate espionage is a perfect area for public-private collaboration. We’ll have squandered that if we overly focus on the hackorist threat.

Me being interviewed at The Heretech February 2, 2010

Posted by jonathanpenn in trends & futures.
add a comment

My colleague at Forrester, Tom Grant, interviewed me for his blog, The Heretech, where we discuss the state of security and what tech product markets of all stripes – security and otherwise – need to think about in light of these trends.

Forrester’s latest Security Survey findings published January 22, 2010

Posted by jonathanpenn in client security, identity, news, trends & futures, value.
add a comment

I wanted to announce that the reports based on our annual Security Survey of nearly 2,000 organizations are live as of Monday, January 25. These are among our most widely-read security reports, with insight into IT security priorities, challenges, state of compliance efforts, and of course adoption of security technologies and services.

The two reports are:

Here’s a taste of some of the findings:

  • Security budgets, which didn’t take too much of a hit overall last year, continue to fare well. Most notably, budgets for acquiring new security technology are recovering quite strongly. But insufficient staffing is still going to be an issue in 2010. Top security technologies areas identified for growing investment are network security and data security (for a slightly alternative view to data security spend and related 2010 prognostications, see Andrew Jaquith’s report, “Data Security Predictions 2010”).
  • The top IT security priority remains data protection. Notably, managing vulnerabilities and complex threats moved several slots up the ranks to become the #2 IT security priority today.

Some findings at a more detailed level:

  • Across the board growth expected in adoption of various managed security services, with vulnerability assessments being the service organizations are most interested in adopting “over the next 12 months” (Sept 2009 – Sept 2010)
  • Compliance with PCI continues to look pretty abysmal. North American organizations are still not where they should be, and the level of PCI compliance in Europe is especially poor.
  • Organizations are expecting to investment big in client security, with renewed spending on more mature threat management technologies while simultaneously taking emerging data protection technologies mainstream.

Finally, some other observations from the data:

  • Diminishing distinctions between SMBs and enterprises with respect to priorities, challenges, and tech adoption. This is a continuing trend, and one that my colleague and economist-in-residence Andy Bartels is seeing across many segments of IT.
  • Not to minimize the fact that security concerns impede adoption of cloud, but security decision-makers expressed even more concern about consumerization (smart phones, web 2.0, etc). In general, this follows the broader trend of IT losing centralized control of technology adoption, deployment, and use. It’s not just consumer technology like iPods and use of Facebook or Twitter; it also shows up in the uncontrolled proliferation of SharePoint sites by business groups, or in the use of cloud compute services by application developers. All that aligns well with Forrester’s identification of the mega trends most affecting the technology industry.

What Google v. China tells us about how the security market is changing January 15, 2010

Posted by jonathanpenn in cyberwar/CIP, trends & futures.
add a comment

Rather than discuss the extent of the cyber threat from China, or whether Google should effectively pull out of China by ending the censoring of search results (or why it was even in China to begin with), the most interesting and telling thing I’m seeing from all the discussion on this is the visibility of the defense contracting and intelligence consulting community, and how that visibility and even dominance is going without much comment by industry watchers and without much challenge by traditional security firms. Who is going to analyze and say with confidence whether the attack came from proxies or direct representatives of the Chinese state? It’s the defense contractors. Like the July 4 attacks targeting the US and South Korea, the traditional defense contractors — Lockheed Martin, Northop Grumman (also targeted), and Raytheon, most notably) are the go-to authorities on this, while Symantec (which was also one of the targets in the multi-pronged attack), McAfee and others are left merely to talk about how the attacks in and of themselves might fuel greater interest in their security technologies.

Traditional defense contractors (Lockheed Martin, Northop Grumman, and Raytheon, most notably…but also BAE, Boeing, and General Dynamics, among many more) have successfully expanded from military and aerospace to cyber-surveillance and from the predominantly physical security aspects of homeland security to cyber-defense. Being so well-resourced and well-connected, they are extremely powerful and effective competitors to the traditional security vendors and security services (MSS, security consulting, and security integration) players.   Some estimates for the size the cyber-defense market place it at already about one-fourth the traditional IT Security market, and growing at a far faster rate. Given this, and that it should now be extremely clear that private sector IT lies within the cyber-warfare theater of operation, we can expect a formidable battle ahead.

Tip of the Hat to Richard Stiennon for posting similar thoughts — but even more pointedly and vociferously — here at ThreatChaos.com prior to these attacks.

And if I were to comment on Google’s effective exit from China, I’d ask: What’s exactly is Google’s goal in pulling out? Given that other tech companies that don’t host email accounts of Chinese human rights activists were also targeted, pulling out of the China market won’t likely remove it from the target list in future attacks.

[This entry is cross posted to Forrester’s Security & Risk Management Blog]

Terrorism and measuring the risk of air travel January 7, 2010

Posted by jonathanpenn in news.
add a comment

In the wake of the Dec 25 “Christmas bomber” (aka “underwear bomber”) incident, there’s been a lot of conversation around safety of air travel. I’ve seen several articles and posts that repeat the old argument that air travel is safer than car travel, or even simply safer than ever.

I don’t want to get into why the air travel versus car travel comparison is faulty. But the “air travel being safer than ever” statement is measuring probabilities based on the number of flights and the number of incidents. That sounds reasonable at first glance, but I believe it is inappropriate in this circumstance. If one were measuring indiscriminate events such as equipment failures or flying into a flock of birds, such calculations might hold. But terrorist attacks are different. Terrorist attacks are planned, and planned with a purpose. Because of this, you cannot think of them as randomly occurring along some even distribution curve.

These terrorist attacks in the air aren’t designed to bring down our commercial aviation industry; they are designed to instill fear in the general populace. So on Dec 26, 2009, the odds of a terrorist attack would be quite low: besides the fact that security is heightened, fear has already been instilled, so the terrorists don’t need to do anything. On the other hand, we have determined, resourceful enemies which collectively presents a new threat that wasn’t there ten years ago. You can’t just say that because there are more flights than 10 years ago, that the skies are safer even in light of a few successful or attempted attacks. The specific situational aspects of the issue are everything.

I’m not saying the skies are unsafe. But simply tallying up the number of incidents or fatalities and dividing by the number of flights or miles (or, even worse, “passenger-miles”) doesn’t give you an accurate picture of the situation.

Security Predictions For 2010 December 23, 2009

Posted by jonathanpenn in trends & futures.

[This entry is cross posted to Forrester’s Security & Risk Management Blog]

Trying to avoid the obvious and the already underway, here are my predictions for 2010.

1. Cloud security standards emerge. By the end of 2010, we’ll see a framework emerge for establishing a well defined set of technology, practices, and processes, organized into different levels of trust. Ultimately, adherence to these specifications will need be certified by third parties. The effort won’t be complete, but it will be underway. Look to the government as key industry (other than the vendors) driving this effort.

COROLLARY: The use of cloud will take off as adopting organizations by and large overcome their security concerns – or at least, understand them at a specific enough level to seek out providers that satisfy these concerns.

2. Federation will start to take off by the end of 2010. Use of federation will be fueled by SaaS and cloud computing and the need for single sign-on to bridge identity from the enterprise to those external environments. Where standards reign over kludges, SAML will be the leading mechanism. OpenID will continue to be just a lab toy for the “Identerati”.

3. Managed Security Services expands far beyond “Managed”. Organizations are not only turning to managed security services, they are seeking more from their providers than merely assuming operational functions. Increasingly, they seek partners to help them with security strategy, benchmarking, making the business case, and integration. MSSPs that are in fact multifaceted solution providers will start to establish market dominance. Big winners will be IBM, VZB, Wipro, among others.

4. Web content security in the cloud will take off. Though managed email security is one of the more popular areas of security SaaS, organizations have been slow to adopt the SaaS model for web content security. This will change in 2010. Fueled by the increasing focus of attacks on browser and browser plug-in vulnerabilities, exacerbated by growing degree of mobility among users, and further boosted by the acquisition of some major  SaaS-based vendors (PureWire by Barracuda and ScanSafe by Cisco), SaaS-based web security is primed to enter the mainstream.

5. Cybersecurity starts to look like a bonanza for security vendors. Cybersecurity and critical infrastructure protection are real challenges. But with the need to act gaining visibility, and so much money being made available, we’re likely to look back on 2010 as a rather large give-away to the security vendor, service provider and consultant communities.

What won’t happen:

  1. Federal data privacy legislation. By the end of 2010, we’ll still be grappling a hodgepodge of state and industry laws dealing with breach disclosure, encryption, auditing and other forms due care.
  2. A big “I told you so” mobile malware outbreak. I do expect mobile to be the next frontier in malware – but that’s a 5-yr trend, not a 12-month one. And does anyone else share my perverse sense of amusement at the irony that in the mobile world, it’s Apple that owns the malware target platform, not Microsoft?
  3. Investment in training and awareness. Despite the fact that inadvertent insider activity (including getting fooled by social engineering attacks) continues to represent a significant vector for breaches, and despite its value in enlisting users as a front-line defense to spotting suspicious activity, security training and awareness will remain on the back burner of IT security priorities.

What do you think I missed? Where do you think I’m wrong?

Even security experts endorse consumer security freeware December 16, 2009

Posted by jonathanpenn in client security.
add a comment

For the third time in two months (and second time mentioning AVG by name!), Bruce Schneier endorses and legitimizes consumer use of  freeware antimalware tools. As I write in Consumer Security Market Trends, 2009 To 2010: The Freeware Threat, “[For-pay products] must bring demonstrably better protection or added features that deliver real value.”

The rise of freeware is fascinating from a market watcher standpoint. Freeware forces the question “What makes ‘better’ truly ‘better’, rather than just ‘more’?” It’s a challenge for all the vendors competing in consumer security, but especially Symantec, McAfee and Trend Micro as they have the most to lose here.

One of the Heartland lawsuits dismissed December 10, 2009

Posted by jonathanpenn in privacy.
add a comment

See the news article here.

This was the shareholder lawsuit, not the consumer/victim lawsuit, so different issues apply. But it’s still interesting. Somewhere down the road, such a case will win…likely because of a smoking gun email by IT security staff. That calls for greater communication and accountability around security, which smells like GRC to me.

DataLossDB.org maps stock price showing when the data breach occurred. Here’s the chart for Heartland.

Stock price isn’t always affected, even in big breaches. DSW stock kept rising after its breach of 1.4 million records. TJX stock didn’t seem affected either, after its big breach.