When a data owner's (a business) sensitive data is breached it is difficult to quantify the monetary loss. According to respectable survey sources, the average cost of sensitive data breach for a large size company is about $50,000. I am attempting here to think about this in simple mathametical terms:

There is a data breach. From the data owner's perspective the loss is:

Loss = Cost to protect data + Loss of business due to data theft aka cost of competitive disadvantage

From the data thief's perspective

Net Gain= [Cost of producing the data  *  Data freshness factor] - Cost to steal the data + Profit of business due to data aka gain of competitive advantage

From the above two equations it is very clear that this is not a zero sum game. There is a clear cost asymmetry for a data owner and for a data thief. When there is an asymmetry there is an opportunity. Data owner would not even know that the data is lost because the original copy of the data may be still intact - data thief could have simply copied the data. Data theft does not look like a car theft, there is no vacuum left behind. 

This motivates a data thief to keep the cost to steal low, steal highly valuable data that has a long shelf life and in a way that data owner will never even be aware of theft.

From a data thief's perspective, the cost to steal data if kept high would disincentive him. Moreover, Data freshness factor, i.e. how valuable this data is over period of time plays an important role. A good example is content of today's newspaper is hardly valuable tomorrow, but the content of newspaper two days ahead (if can be procured)would be invaluable. Data relevance is a function of time and other marketplace variables -  Data freshness Factor accounts for that variable. A good way to discourage data thief is to increase his/her cost to steal the data. There are other inferences from the above equation. If there exists no competitive advantage with the stolen data, hardly any thief would even venture to steal the data in the first place. If the cost of producing data is very low, then probably thief can just produce the data himself and would not attempt to steal the data. If the cost of theft is kept high, it would definitely deter the data thief from stealing data using technical mechanisms, then the data thief would exploit weak links in data security such as use of social engineering to get access to the data.

From data owner perspective protecting data becomes very important. How much would the owner be willing to spend? Not definitely the cost equal to cost of producing the data. 1% to 10% of cost of producing data is considered prudent. For a data owner it is difficult to estimate cost of data protection of a specific data, because it is not easy to chunkify data protection costs. Moreover, as Dan Geer says in his book, a data owner has to protect himself from number of intruders not just one.

It pays for a data owner to: be aware of data breaches (or data leaks), employ appropriate mechanisms to protect the data; the cost of protection which is fractional cost of the valuable data and enhance information security awareness of personnel who handle the data.

Data loss is not a zero sum game. The advantage is in favor of a data thief (data thieves rather). Data owner does not give much thought on the value of data unless there is a data theft. But, a data thief has every reason to think about economics of data theft before he acts to steal the data else data thief won't survive in this game and he is very well aware of his advantageous position.

What’s going on?

“Rubico”, as the hacker called himself, used an automated password recovery tool where he was asked fairly simple questions to identify himself as Gov. Palin [birthday, zip code, etc.]. Rubico found answers to these within 45 minutes on Google and Wikipedia! Wow! Is it really that easy to hack into email or messaging services that the common person uses globally?...]]> Mon, 29 Sep 2008 20:00:00 +0000 email palin free email mccain-palin campaign questions fairly simple questions email account breach gov palin birthday Gov. Palin, Yahoo! Email and SecurityA Call To Action? http://securityratty.com/article/155810725ba943a1b35e1c2b39138f7a http://securityratty.com/article/155810725ba943a1b35e1c2b39138f7a In The Audacity of Capital Markets we briefly touched on the culture of arrogance and greed in financial services.  It is interesting because if you look at the various software players that are focused on selling to financial services, you will easily see that they have bought into the same “feed the beast” culture that has contributed to the destabilization of the economy and, in turn, society.

For example, the “Average Joe Investor” does not care about “best order execution” or “smart order routing,” this is for “the big boys.”  As we all know, saving a few pennies or dollars per transaction to “Average Joe Investor” does nothing for them when their retirement nest egg is lost due to corporate greed and negligence.     The folks who “really care” about shaving a few milliseconds off market execution are the companies that are trading high volumes of exotic derivatives and baskets who have, for the most part, zero interest in the personal financial portfolio of “Jane in Iowa” or “Joe in Kansas.”

I am really amazed to see the dominance of greed in corporate America and the lack of corporate social responsibility.  Risk taking and “split second trading” does little for any small. individual investor and has proven to destabilize our society.    Who cares about saving a few pennies or dollars in market executive?

The answer: Only the greedy corporations, the same people responsible for the current destabilization, chao and near collaspe of our entire financial system.   Homes lost, unprecedented bankruptcies. and money market funds less than par value!   You no doubt have read that folks in the Reserve Money Market funds cannot even withdraw their “safe money.”  Investors in the Reserve Funds are being told that for every dollar they invested in a money market, they now only have 97 cents and cannot withdraw their capital as the Reserve waits for a government bailout.

What is to blame? Greed and profits over corporate social responsibility are to blame.

I read where some folks think the government needs to regulate market-related news, supposedly to stabilize trading based on news.   Regulating news has another name -  “censorship” - but who cares about the US Constitution when money and split second algo trading is involved?    I am amazed.   Folks in financial services just will say or do anything to make a buck, or keep from losing one, even at the expense of society and our basic constitutional freedoms.  News is not regulated in our democratic society, nor should it be to make algorithmic trading “better”.     What we need is less split second, computerized algo trading and more stablity.   Machine processing should not dicate nor mandate changes to our democratic principles.

Nor should our lives in a free society be censored or regulated because of the trading requirements for split second transactions that benefit large corporations.    The average investor does not need an unstable financial system trading exotic derivatives and baskets at the speed of light.  This requirement is driven by corporate greed that destabilizes the core economy and fabric of our society.

Of couse, many of the same folks would like for us to believe that technology is the answer.  This is a fallacy.

Corporate greed is destabilizing society.   What need to be regulated is not the news, but corporate risk taking and corporate goverance.  Individual investors do not need lightspeed transactions in an unstable world.   Citizens and families need a secure, stable economic infrastructure, something that has been lost in the culture of corporate greed, but hopefully not forever.

I have to admit that I was already a fan of Collins’ quantitative style blended with clever insight, but this was the first time that I had seen him in person, and he was just spectacular. He has a vivid, animated way of telling a story, and had a great sense of humor. This combination of presentation skill was put to immediate use with his first statement drawing a hearty laugh from the audience full of entrepreneurs.

“How many of you in the room are constitutionally unemployable?”

Much of his remaining presentation provided interesting stories and insight from the research that he has done to understand the make-up of exceptional companies.

As Jim said, he has spent years studying the contrast between average companies and exceptional companies. They faced the same set of variables… similar economic conditions, similar competition for top human resources, and a similar set of huge unknowns.

What is the single biggest element of difference?

Not a function of the cards you are dealt, or circumstance… it is conscious choice and discipline.

Jim’s key principles & disciplines that have come from the studies we have worked on:

1. Building greatness is a cumulative never ending process! The idea that no matter how exceptional, you are always only relatively as good as to what you can do next.
2. Most overnight successes are 20 years in the making…. Wal-mart  took 13 years to get to 125 stores. Starbucks required 17 years to get to 38 stores.

“If you start to break Packard’s law, and there are very few laws of business, it is like breaking a law of physics for building great companies.” - David Packard (Co-founder of HP)

If you allow growth to exceed your ability to get enough of the right people to fill the key seats to execute on the growth brilliantly, you will fall as surely as a stone dropped from your hand. This is one of those timeless truths that extends beyond technology and economics.

The number one constraint on growth and sustained success…

An ability to get enough of the right people in the key seats to achieve that sustained growth.

The discipline that WHO comes before WHAT. Collins always kept coming back to the “who” thing over and over again. He said, “The more turbulent the world, (given the great current economic uncertainty of our financial system) the more important this issue is.”

A question from the audience came near the end of his session… How do you figure out who are the right people to put in key seats on the bus?

Collins responded with “Given that I stand here amidst a room full of unmotivated people… the right people are self motivated, self disciplined, self managed, The task is not to motivate unmotivated people, the task is not to have to manage people… self motivated, figured it out from there… self motivated people don’t need tons of management … when you have to start managing, you know that you have the wrong person at the task.”

Final thoughts:

Greatness is not a function of circumstance. Greatness is a function of conscious choice and discipline. It is not a matter of circumstance, it is one of choices.

I believe that every one of the Inc. 500 companies that I met at this conference achieved the list because they did not embrace the status quo. Incredible passion, an unwillingness to accept failure and an excessive and compulsive willingness to solve customer’s problems were key ingredients in the business building formula for the entrepreneurs that were at the conference.

Finding Zune-Fi: Ina Fried of News.com wanders the polite streets of San Francisco in search of Zune connections over Wi-Fi. She finds a few, and has a good experience. One cafe owner sees the ease with which she can stream music and calls it cool. She can't connect at the long-running Google-sponsored free Wi-Fi at Union Square, however, which means the Wi-Fi likely has an accept button that must be pressed. Surely Microsoft could insert a little technology that would allow a browser-free acceptance of terms? Probably involves Yet Another Protocol: the Wi-Fi Terms Browser-Free Presentation Protocol (WTBFPP).

Kodak adds interesting Wi-Fi enabled all-in-one: The new Kodak ESP 9 is a multi-function printer (fax, scan, print, copy) that connects to a network via Wi-Fi or Ethernet. The $300 device spits out 30 pages per minutes in color, 32 ppm in black only. Kodak claims that the model line to which the ESP belongs uses ink in a vastly more efficient manner than the "average of comparable consumer inkjet printers."

A similar arrogance is happening in CEP-land, where, it seems, each and every financial services event processing application is now a “CEP application” just because someone in capital markets puts “CEP” in the same paragraph. I find it ridiculous that the same market of folks who have helped destroy the global economy are now the world’s self-proclaimed authorities on complex event processing. Amazing, if you really think about it, isn’t it?

I read many posts these days by folks in the capital markets trading world, claiming their message routing application is “CEP,” or their algo trading application is “CEP,” - feeds and speed, typical of what “turns on” the financial services folks. As an editorial note: I recall when I worked for a software company, folks on the same team who worked on Wall Street would look down on folks with many years of IT experience outside of financial services. Some would say “he is only a security guy” in their attempt to put down anyone who does not have trading floor IT experience on their resume. I found it all quite ridiculous and foolish.

My resume, for what it is worth, has a number of financial services companies, including either assessing, architecting or building large scale security systems for S.W.I.F.T, Chase or SBC. This experience does not seem to “count” with the trading floor folks, since security is more about getting things right, not just supporting a form of gaming or gambling with other peoples money, with more feeds and speeds the better.

Of late, as I have watched the CEP/EP space evolve, and unfortunately, I see a similar type of “capital markets virus” spreading into CEP-land. Folks on the trading side of financial services seem to think that whatever they say or do is right, and whatever others outside of the trading side do is wrong. These folks are quick to ridicule others who have far more experience than they do, outside of the trading floor of capital markets.

After all, mostly what they do on the trading side is route orders - and if a little old lady in a small town in Iowa loses her life savings because of a bad investment decision, it means little to the folks on the trading floor, the market folks are into feeds and speed - just keep the beast alive. Place your bet on this market or that one! Away we go, faster and faster!!!!

I am sometimes a little sad to observe the same audacity in the CEP world. Instead of focusing on the hard complex problems that require accuracy, the original set of problems defined when the phrase “complex event processing” was minted, the capital market folks have hijacked the term for their marketing purposes in algo trading and order managment systems. These same people ridicule others who are working to solve the (originally stated) complex event processing problems, problems the capital market traders seemingly cannot understand, since they have never worked on complex network or security management problems.

Nevermind, that these “ultra low latency” systems cannot accurately detect a complex money laundering scheme or an elaborate fraud. Nevermind that these “CEP engines” cannot accuracy insure that Average Joe does not lose his hard earned money in a fraud scheme.

I have no problem with folks in capital markets using the term CEP, but they should not ridicule those in technical areas that are not focused on keeping the “trading beast” alive so people can lose their life savings in a blink of an eye; but instead focused on solving complex problems such as the class of problems called out when the three letter acronym “CEP” was created.

Making IT work as One

How does my company stay efficient while we’re using technologies around interoperability? How can innovation help my business?

Top business needs:

• Reduce cost
• Manage complexity
• Mitigate risk

Mixed IT environments are a reality for almost all organizations. Different environments, architectural strategies, desktop profiles, etc. There are benefits to having mixed source environments, although homogenous environments are ideal. On average 46,000 hours in an organization are spent on Sarbanes-Oxley standards.

Some considerations to make IT work as one:

• Strategy
• Solutions
• Ecosystem

Strategy

Actionable strategy is key. The emergence of three silos (applications, systems and infrastructure, and operations) are now moved into one. There is a lot of pressure to make these pieces come together.

Solutions

You need focused solutions to solve problems today while keeping an eye to the future. There are three main needs: the data center, end-user computing, and identity and security. This is also what is the most important to the market right now. The end goal is the agility of the data center.

Data Center Challenges

• Create an agile IT infrastructure
• Address power and space constraints
• Deliver performance, security and availability
• Manage hardware, software and labor costs
• Meet service level agreements

Data Center Solutions

• Workload management - green IT and server efficiency, unified physical and virtual environment
• Virtualization and Consolidation - business continuity and disaster recovery
• Enterprise Servers

End-User Computing Solutions

• Collaboration
• Enterprise desktops - Novell uses Linux and Open Office, interesting to note
• Endpoint management

Identity and Security Challenges

• Minimize risk, uncertainty and policy violations
• Provide timely and secure access to information
• Ensure, document and prove information security
• Reduce the cost of proving compliance
• Reduce the cost and complexity of governance

Identity and Security Solutions

• Identity and Access Management - user provisioning, role management, access management
• Compliance Management - Audit, Governance, Risk Management and Compliance (GRC), IT controls automation, Security, Information and Event Management (SIEM)

Ecosystem

The ecosystem is powerful. Companies should challenge partners for innovation and interoperability.

Community Innovation - open source and open standards

IT Landscape - Mixed IT Environments

• Consulting, systems integration vendors
• Application vendors
• Systems software vendors (Novell)
• Hardware, network vendors

How does your ecosystem help your company? How do your partners help? What is their role in the industry to help you? How are all the vendors in the industry helping you?