ScienceLogic: Mike, what’s your background working with network and management system tools?

Mike Lawson: Before joining Apptis, I worked for the Air Force, mainly in satellite communications for almost nine years. I’m probably most familiar with HP OpenView and BMC Remedy. I managed a team that used them but wasn’t involved in tool selection; like many other federal IT workers, we didn’t have a choice of tools because there were existing enterprise licenses and maintenance contracts.

I also saw a large systems integrator do a full Remedy/Crystal Systems/OpenView installation. It took 6 weeks to stand up and customize to meet just the basic monitoring requirements, and it cost something like half a million dollars. At the time, I thought that wasn’t bad and was a pretty typical experience.

ScienceLogic: Coming from where you did, what’s your take on EM7?

Mike Lawson: Honestly, I didn’t believe that EM7 could really do all that it claimed. In many ways, it was the complete opposite of what I had seen first-hand with other monitoring solutions. Could it really cover that much functionality? At relatively much lower cost to the customer and without the licensing nightmare?

That quickly changed when I needed to understand the system enough to run it at a customer’s site. I went back over the training docs I received during my initial training class and jumped in; now, 6 months later, I’m the EM7 expert and can tell you that it delivers on all those promises. (But I still need to show people to get them to believe it too)

I preach the “EM7 gospel” and when anyone wants to talk monitoring, I ask about the universal pain points: cost, maintenance contracts and licensing, and then I explain EM7. The cost difference is real; the solution is based on capacity, so there’s no licensing and it’s easy to use. They are shocked to learn that they can buy multiple EM7 appliances and years of maintenance for what they paid for most other tools.

ScienceLogic: Apptis won the contract for monitoring aboard the USNS Mercy. We love that you’re using EM7 for one of the Navy’s hospital ships. Can you tell us more?

Mike Lawson: The USNS Mercy is a Military Sealift Command hospital ship. Some stats:

• 849 feet long (nearly the size of a football field)
• 12 fully-equipped operating rooms, a 1,000 bed hospital facility, digital radiological services, a diagnostic and clinical laboratory, a pharmacy, an optometry lab, a CAT scan and two oxygen producing plants
• Crew: 61 civilian mariners, 956 Naval medical staff, and 259 Naval support staff

The USNS recently departed on a five-month humanitarian mission in the Western Pacific and Southeast Asia in support of Pacific Partnership 2008. The partnership provides international medical, dental and engineering teams this summer to provide humanitarian support and conduct joint, combined, and cooperative Civil-Military Operations in order to improve regional stability and build partner capacity to respond to natural disasters and pandemic.

For the most part, the ship’s network is self-contained, but can also use a landline when docked. The network covers 400 devices, including Windows/Exchange servers and VMware for server virtualization. Prior to using EM7, none of the monitoring was integrated; each system was independently monitored through individual vendor-specific consoles.

Out of the box, EM7 provided integrated systems, application and network management for all network gear, applications and virtual machines in one solution. We didn’t have to do a lot of customization – EM7 includes best-practice based thresholds, event and monitoring templates and this covered what USNS Mercy needed to monitor.

ScienceLogic: You’re a systems integrator with a very useful “customer point of view” when it comes to looking at tools. From that perspective, can you share what you think are the biggest benefits that EM7 provides?

Mike Lawson: First of all, EM7 stands up right away. We’re talking days, not weeks. In contrast to the lengthy installation of OpenView and Remedy I witnessed during my military career, I was able to configure, customize, and implement the EM7 solution for the USNS Mercy in three days.

Second, it’s easy to train people on and the support is outstanding. This judgment is from first-hand experience. Right before the USNS Mercy departed on its latest voyage, the system administrator I had trained on EM7 left, so I had all of a day to train some new EM7 admins. I prepared a seven-page “cheat sheet” and over a 3-hour conference call, we walked through the entire EM7 solution; I haven’t gotten a support call since.

And when a problem did crop up with a device being discovered incorrectly, ScienceLogic was very responsive. We contacted ScienceLogic support on a Saturday and they created and emailed us a video to help troubleshoot the same day. Within 30 seconds of watching the video, the problem was resolved.

Finally, EM7 helps us be good stewards of the government’s money. This is very important to me personally and to Apptis as a company. Because EM7 is cheaper and deploys so quickly and easily, you might think that it’s just the opposite of what a system integrator would want to use. But that’s short-term thinking. We believe in deliver the most value for customers every time. It’s what creates trust and long-term relationships with our customers. Instead of that half million spent on standing up the solution and basic setup, I’d much rather (and I know the customer would rather) spend that on fine-tuning or extending the solution to do much, much more.

As a former government employee, I know what it’s like to use a tool that doesn’t fit my needs. EM7 proves that the best solution can totally break the old model of costly, lengthy installations. EM7 has the right model: the right solution and the right price delivered as an appliance that is easy to deploy, train on and use.

ShareThis

• Which problems will be solved and forgotten?
• Which ones will simply go away?
• Which ones will persist and in fact increase?
• Finally, which new ones might emerge?

First, let me bet my ass that "Not knowing what to log" problem will be licked in 18-24 months; at least as far as major regulations go, people will have a pretty good idea a) what  the auditors want them to log (and review!) b) what they need to log for solving their problems. Now, for esoteric log sources (and custom applications) might still present a challenge from that point of view, but for basic "staples" (firewall, network gear, major OS) the mystery will be over (again, see "Tell me EXACTLY what to log for PCI?"  for reference)

Next, the problem of "Log volume" will  definitely get worse, much worse.  One might think that 100,000 each second is a lot of log - but there WILL BE more at many companies! Big application log explosion is coming, fueled by the need to address logging in areas where such motivation was lacking before (basically, custom and vertical applications) as well as harness the power of "uncommon" logs for such tasks as fraud analysis or SOA monitoring. Keep in mind that even though in some areas logging is NOT a preferred way of monitoring and auditing activities (see this discussion on database logs here), application logging will still explode on us...

The problem of "Log diversity" (the fact that most logs all look different in format and meaning) will get worse before it will get better - and better it WILL (!!!) get since standards are being developed. We will see people struggling with all sorts bizarro log data in the coming years. Virtualization, web services and SOA, various ERP applications and even cloud services will increase the diversity of logging in the coming years.

Similar to the above, a problem of "Bad logs" (ones that are subjective, miss key information, require groping for a crystal ball to understand, turn log analysis into dark voodooistic experience or are useless in some other way) will also follow the pattern of the above log diversity problems - it will get worse before it gets better (via the CEE standard effort that now covers the OpenXDAS effort as well!) I noticed that people started asked me questions about "how to do application logging right?" and "what to tell application developers about logging?" which almost never happened in the past. BTW, watch my blog for some uber-fun info on that!

"Getting the logs"  has gotten much easier in recent years; agentless collectors like Project Lasso (which, BTW, just got updated) and grabbing  files remotely via secure protocols made application log collection easier (syslog-NG with TCP transfer and buffering also helped). Next, Windows 2008 will make it MUCH easier for the whole Windows kingdom due to their use of web services (thanks Eric!). However, in the future it might resurface as we try to collect logs from "weird" places, again, clouds come to mind as well as virtual environments (e.g. how do you get logs off a dormant VM?). What's the next frontier in this area? Log discovery - automatic finding and identifying log files on systems in order to analyze and retain them (Yo, my t-shirt-making colleagues... :-))

All this, however, pales in comparison with my favorite "uber-challenge", "Making sense of logs in  an automated fashion" - this baby is definitely not going away in 2-3 years. Much more research is needed to make that "log->conclusion" jump automatically without head-scratching, invoking ancient deities and cursing under ones's breath. Only then we can attempt to reliable handle "proactive logging" (i.e. analyzing various failure or compromise precursors in logs and then predicting the future based on them), another Holy Grail of logging domain.

Anything new will emerge? Yes, I think awareness of the "Logging Gap" problem will grow. "Logging gap" happens when you combine "a need to log" with utter "inability to do so."  For example, this will happen when people will know that they HAVE TO log, say, for compliance, but will have no way of doing it due to application or platform limitations. This will become one of the challenges and special "logging add-ons" will appear to close the logging gap and create additional logs where activity audit is desperately needed, but native logging is not helping to achieve it.

Also, I think people will finally wake up to "Log security" challenges - i.e. producing for use as evidence, compliance attestations, etc. Log security is not getting the attention it deserves, but I think this challenge will finally emerge in full force in the next 2-3 years. My next poll will address that :-)

Anything else I missed? Share away!

Related posts:

• Ideal Tool to Solve Real Problems ... of the Near Future?

• Ideal Log Management Tool?

Only 6% of the those who responded to the poll, conducted from July 3 thru July 12th, voted that CEP was mature.   If you include those who consider CEP getting close to maturity, 18% of our readers who voted said that CEP was in the final stages of maturity.

How is it possible that 31% of the folks who responded believe that CEP is in the Gartner-defined Technology Trigger stage of maturity, while 6% believe CEP is at the other end of spectrum, in the Plateau of Maturity Phase?

During the poll I received a question from a colleague who asked me if I “still loved CEP?” and “why are you trashing the entire industry that you love?”   

Frankly speaking, I have enjoyed a passion about event processing since my early days at Sprint, circa 1993, during the NSFNET transition to the commercial Internet.   Then, as today, we hoped for the same goals and objectives that network and security management people seek to achieve; high confidence in actionable alerts with a very low false alarm rate, all based on processing myriad distributed networking events, sometimes referred to today as sense-and-respond networking.

Today, we are good at “sensing”.  Events are created, perhaps trillions upon trillions a second globally.   No one knows the exact number of events the world’s networks generate in a single second, much less in a day or a year.      Yet, we are quite good at producing events.

What we do know is that we do not yet have the technology to listen to myriad events and determine complex events and situations with high confidence.   At best, we can detect, sense-and-respond, to simple events and primitive situations.  

On the other end of the maturity curve, there have been some advances.  Some of the notable progress has been in the event stream processing (ESP) space.    ESP is an importart part of the equation but it is nowhere close to the entire solution because rule-based stream processing is at a very low level in most sense-and-respond decision-making models.  Higher level inference requires more sophistication.

Two-thirds of our readers believe that CEP is still in the very early stages.  The majority of our readers envision CEP as a technology, or set of technologies, to solve myriad complex event processing problems and they know we have a long way to go.     On the other hand and with just as much passion, about one-in-six readers think that the technology is mature, and we are at the end of the CEP maturity cycle.

My crystal ball is just as foggy as yours on the future of CEP - but here on The Complex Event Processing Blog, we continue to work hard to “keep it real” for our readers.  

Weldon, who is currently being investigated by the FBI over alleged corruption during his time in office, visited Libya in March to discuss a possible military deal, according to a letter describing the trip from Weldon to Defense Solutions CEO Timothy Ringgold. In May, Weldon, together with Ringgold and another company representative, traveled to Moscow to discuss working with Russia's weapons-export agency on arms sales to the Middle East.

Both trips were part of the company's effort to tap into the growing -- and often legally murky -- market for selling weapons from former Eastern Bloc countries to the Middle East and Afghanistan.

Ex-Rep. Curt Weldon, R-Penn., is helping broker deals between Russian weapons suppliers and the Iraqi and Libyan governments through his company, Defense Solutions.
Photo: H. Rumph Jr/AP

The Russians want to sell weapons to Iraq directly, but "must go slow on Iraq because of political reasons" and want to work with an "intermediary" like Defense Solutions, CEO Ringgold subsequently wrote to colleagues. "They have not spoken with any American company that can offer the quid pro quo that we can or that has the connections in Russia that we have," he boasted.

A few years ago, an American company proposing to sell weapons to Libya might have triggered a congressional hearing. So, too, would have a proposal to conduct arms deals with Russia, which the United States has accused of selling high-tech weapons to Syria and Iran.

However, U.S. government efforts to rapidly equip countries like Afghanistan and Iraq -- which have largely Soviet-origin weapons -- have created legal ambiguities and loopholes in export controls that didn't exist in years past and given rise to a new class of arms trade middlemen. So, even though both Libya and the Russian arms export agency are on official U.S. blacklists, government officials and analysts involved in weapons sales say the rules have become unclear as the push to equip allies in the global war on terror has blazed new but uncertain legal ground.

Eagerly stepping into that virgin territory is Defense Solutions, a Pennsylvania-based company that is carving out a small but lucrative niche in a new international arms bazaar. The firm boasts as its advisors a number of influential Washington insiders, such as retired General Barry McCaffrey, the former White House drug czar.

Helping the firm make key connections is Curt Weldon, a former Republican congressman from Pennsylvania at the center of an FBI investigation into alleged conflicts of interest during his time in office. Weldon, now a key executive at Defense Solutions, is working with the company to set up these weapons deals.

Defense Solutions has also proposed refurbishing Libya's BTR-60 armored personnel carriers, according to a sales proposal seen by Wired.com. Defense Solutions denies drafting a sales proposal to Libya.

It's an unusual, if not an entirely unexpected chapter for Weldon, whose time in office included frequent trips to Russia. As an influential member of the House Armed Services Committee, Weldon pushed for multibillion-dollar defense programs, like ballistic missile defense, and earned a reputation as a foreign policy gadfly, boasting of his contacts with officials in nations labeled by the administration as "rogue states" such as Libya and North Korea. Weldon's wild claims about a 9/11 cover-up and his sensationalist book warning of an Iranian terror plot, sometimes earned him official scorn and public ridicule, but it was accusations that he steered contracts to Eastern European businesses linked to his daughter's lobbying firm that drew the government's attention.

Weldon was voted out of office in 2006 just weeks after the FBI raided his daughter's home, and that of one of her associates.

Weldon did not respond to e-mails and phone requests to be interviewed or comment for this article. But in a 2006 interview, before the FBI probe was public, Weldon spoke enthusiastically about setting up a "front company" to work with the Russian arms agency, Rosoboronexport. Weldon hoped this company could sell weapons to the Middle East, and other regions, particularly to countries where the U.S. has strained relations. He claimed the director of Rosoboronexport approached him to work with "an American company that would act as a front for weapons these nations want to buy."

Weldon called the proposal an "unbelievable offer."

The administration, he acknowledged at the time, did not welcome the idea of an American company selling Russian weapons to potentially unfriendly countries. But two years later, Weldon, now a private citizen and chief strategic officer for Defense Solutions, appears to be working on precisely that sort of deal. And whether illegal or not, Defense Solutions' business represents a new phenomenon in the international arms trade business.

In years past arms brokers -- firms or individuals who serve as middlemen to facilitate weapons sales between countries -- were largely the stuff of spy thrillers. Unlike traditional American defense companies, like Lockheed Martin or Boeing, which typically sell weapons directly to NATO countries or other governments regarded as friendly to the United States, brokers are often small outfits run by people with sometimes questionable experience and reputations they will sell to anyone. One of the most infamous arms brokers, a Russian named Viktor Bout, is charged by the United States, United Nations, Interpol and others of funneling arms to terrorists and rebels around the world. He was recently arrested in Thailand. The United States is requesting his extradition on charges of supplying arms to a terrorist organization.

Two Marines lower the trim vane on the front of an Iraqi BMP-1 mechanized infantry combat vehicle that was captured during Operation Desert Storm. The American defense consulting firm Defense Solutions has proposed refurbishing Libya's aging fleet of BMP-1s. Defense Solutions denies drafting a sales proposal to Libya.

But ironically, Iraq has fueled a new market for these professional middlemen; the United States is funneling billions of dollars into modernizing Iraq's army so that the country's government can fend for itself after coalition troops withdraw. And Iraq's largely Soviet-equipped military is a natural market for Eastern European countries brimming with old or out-of-date equipment they would like to unload. The middlemen, in these cases, serve a key role by allowing the U.S. government to do business with an American company, which in turn buys equipment from Eastern Bloc countries in deals worth hundreds of millions of dollars, much of it financed with U.S. taxpayer dollars.

One of Defense Solutions' sales -- a deal to sell Hungarian-owed T-72 tanks to Iraq in 2005 -- was typical of these new foreign military sales. But on the more questionable side is the company's plans to work with Rosoboronexport, which is barred from doing business with the U.S. government, and Libya, which is still on the State Department's arms embargo list.

The Eastern European-Middle East arms-brokering business, while in some cases sanctioned by the U.S. government, has run into problems, including outright corruption and quality. Defense contractor Dale Stoffel, the president of Wye Oak Technology, and another American were gunned down in Iraq in December 2004 after Stoffel alleged that the Iraqi Ministry of Defense was involved in a kickback scheme. Like Defense Solutions, the company Stoffel worked for was refurbishing the Iraq's army Eastern Bloc equipment.

Another problem is quality. Weapons from the former Soviet Bloc, which the U.S. military euphemistically calls "nonstandard equipment," have been flagged as substandard, acknowledges Brigadier General Charles Luckey, who is in charge of security assistance at Multi-National Security Transition Command-Iraq. In an interview from Iraq, Brigadier General Luckey said: "One of the frustrating things about buying nonstandard [weapons], is that I'm the guy who has to deal with the fact that some broker I've never heard of allowed weapons to get to Iraq before they were inspected."

Defense Solutions is carving a new niche in the arms trade, selling Soviet-made weapons to Middle Eastern countries like Afghanistan and Iraq. Defense Solutions sold Hungarian-owed T-72 tanks to Iraq in 2005.

In one high-profile case, Iraqi officials alleged that a corrupt firm sold them $400 million in shoddy helicopters from Poland. More recently, a company led by a 21-year-old and a former masseur was offered a U.S. government contract worth nearly $300 million to sell ammunition to Afghanistan. The ammunition turned out to be outdated and of dubious origin and several people connected with the company have been indicted. A congressional investigation concluded that the company, which was on a State Department watch list, was able to take advantage of regulatory loopholes by using middlemen.

For those concerned about illicit arms trade, this new wave of weapons deals is rife with the potential for corruption and abuse, but for companies eager to pursue markets once regarded as dubious, it represents a lucrative business opportunity. The problem in these cases, according to those familiar with arms sales, is that it's no longer clear what's legal and what's not.

Rachel Stohl, an expert on international arms trade and a senior analyst at Center for Defense Information, says that in many ways, the rush to equip Iraq has led the United States to throw caution to the wind. She points to a report by the Government Accountability Office last year that found that some 190,000 weapons sold to Iraq have gone missing. "I think the reality is we won't know, until way after the fact, about all of these irregularities with the Iraq weapons provision program," she said. "We were providing them all these assault rifles that have gone missing. Why? They were not following the standard procedures that were in place."

But Iraq and Afghanistan aren't the only markets available to arms brokers like Defense Solutions. The gradual normalization of relations with Libya opens another door into a quasi-legal area of sales.

Like Iraq, Libya has a substantial arsenal of Soviet-origin military weapons, offering a potential market for brokers working with Russia and other former Soviet states. But even when there's not an outright ban, sales to the Middle East are often fraught with controversy, particularly to countries like Libya, which was under international sanction for more than a decade. Even as sanctions against it have been lifted, European companies proposing to sell arms to Libya have faced steep criticism, particularly since the country is still ruled by dictator Muammar Gaddafi, who took power in a military coup in 1969.

While the United States lifted Libya's "state sponsor of terrorism" designation in 2006, other restrictions, such as on the sale of arms, remain in place. A State Department spokesperson confirmed that exports of "lethal munitions" to Libya, such as tanks or related equipment, are still banned, although sales of nonlethal equipment are now allowed on a case-by-case basis.

In late March, Weldon traveled to Libya for a weeklong trip at the invitation of the Gaddafi Foundation, a group run by the son of Libya's leader, and the chairman of Libya's foreign affairs committee, according to the report he sent to Defense Solutions (.pdf), a copy of which was obtained by Wired.com. The trip reports states: "Agreement reached for Weldon to quickly return to Libya for meetings with son [of Libyan leader Gaddafi] Morti regarding defense and security cooperation."

A document dated April 16, just two weeks after Weldon's trip, outlines Defense Solutions' proposal to Libya to refurbish the country's fleet of armored vehicles, including its T-72 tanks, BMP-1 infantry fighting vehicles, and BTR-60 armored personnel carriers. A copy of the sales proposal, also provided to Wired.com, is on Defense Solutions' letterhead, appears to bear the signature of company CEO Timothy Ringgold, and is addressed to Libya's defense procurement council. "Defense Solutions is committed to delivering a full end-to-end solution to its clients," the proposal states. "Besides refurbishing these vehicles, we are capable of providing a full logistics support package, including a two year supply of spare parts, maintenance and repair services, and operator, maintenance, and repair training."

In an interview with Wired.com, Ringgold admitted that he's interested in doing business in Libya and confirms receiving Weldon's trip report from Libya, but denies drafting or signing an arms-sale proposal. "I've never made such a document to Libya," Ringgold insisted, after being read the proposal, and told that his signature is on it.

In addition to the Libyan arms-deal document, Wired.com has also reviewed copies of e-mails from Ringgold discussing the Libyan deal.

While Ringgold denies proposing an arms sale to Libya, he is open about speaking with Rosoboronexport, which has been on a U.S. government sanctions list since 2006, after the Russian state agency allegedly violated the Iran and Syria Nonproliferation Act. An April e-mail provided to Wired.com describes Ringgold, Weldon and Stephan Minikes, a senior advisor to Defense Solutions and a former ambassador, meeting with Rosoboronexport. The conversations included a number of potential deals, including supplying Mi-17 helicopters to Afghanistan and spare parts for Iraq's infantry fighting vehicles. Ringgold wrote to colleagues following the visit, describing the meetings as a "spectacular success," saying the Russian agency "has the ability to undercut all cost proposals from brokers."

Ringgold confirmed those discussions and said that his company has sought to do business with Rosoboronexport. Asked whether Ringgold considers his dealings with Russia to be legal, he argued that U.S. companies could work with Rosoboronexport on a "case-by-case" basis. "The particular purpose of the meeting we had -- and I want to be crystal clear -- was in response to a U.S. government requirement," he said.

A number of officials at the State Department and in the Pentagon, when contacted for this article, could not say whether working with Rosoboronexport is legal or not. A Pentagon spokeswoman said she was familiar with the issue, but deferred the question to the State Department. When asked about Rosoboronexport's status on the blacklist, John Herzberg, a State Department spokesman replied: "What's on there is on there."

Asked whether, given the ban, there was any way a company could legally work with Rosoboronexport, as Ringgold suggested, Herzberg provided an equivocal answer. "At the stage of the process we're at, I'm unable to give you an answer," he said. "You can try elsewhere in government, and maybe they'll be braver than me."

In an interview from Iraq, General Luckey conceded it was a murky area, but said, "My understanding is they are currently on our no-go list."

The confusion over debarred parties has even led the U.S. government into its own legal tangles, according to Jim McAleese, a Washington attorney who specializes in government contracting and foreign military sales. Because the Russian government violated U.S. nonproliferation laws, even NASA had to go to Congress to ensure it could work with Russia on Soyuz flights to the international space station. "What I'm warning you about is, don't be surprised by the confusion," McAleese said. "There are a whole bunch of different statutes that were adopted piecemeal and were never intended to be reconciled."

But it's the very ambiguity of the law that troubles those who monitor export control. "It's highly unusual to do anything with the Russians, particularly Rosoboronexport," said Scott Jones, director of Export Control Programs at the Center for International Trade and Security at the University of Georgia.

Legal or not, reputable American companies simply don't want to work with banned entities, Jones said, for fear of risking their reputations and business. "Even if it's not an outright prohibition, most companies don't want to put themselves in a liability situation that has really bad PR … and they stay away from it," Jones said. "But if that's your business, pimping out arms from the U.S. or Russia, that's the way it works, and you push as much as possible."

Finding any U.S. defense company working with the Russian government at this point would be "remarkable," Jones added.

In the meantime, the future for Weldon is unclear. The FBI investigation continues and Weldon's former chief of staff recently pleaded guilty to a conspiracy charge and is cooperating with the government, notes Melanie Sloan, the executive director of Citizens for Responsibility and Ethics in Washington, which filed a complaint against Weldon in 2004. Sloan speculated that Weldon may be charged with "honest service fraud" for misusing his office for personal gain. "It's an easier standard than bribery," she said. "I wouldn't be surprised [if he's charged] with bribery, but I think it will be honest services fraud."

Ringgold insists that he and Weldon are on the right side of the law. "Everything we do is in strict compliance with international and U.S. law and we operate only in the best interests of the U.S. government," he said. "I didn't serve 30 years in the United States Army to throw that away on a whim."

Asked if Weldon is still working for the company, Ringgold replied: "Absolutely, proudly so."

One of the arguments I’ve heard folks use to dismiss the notion of a risk-based approach to security is that it’s been tried and failed.  The argument goes on to claim that it isn’t possible to get appropriate funding for security because management just doesn’t “get it”.  And, while I agree that many (most?) past attempts at risk-based security have struggled, I’d submit that it was because the methods used didn’t address risk effectively.  They often focused solely on worst-case outcomes (which is the Chicken Little problem), didn’t apply any rigor in determining risk, simply focused on vulnerability (but called it “risk”), or treated the problem as a possibility issue versus a probability issue. 

Of course, the argument about funding begs the question of what constitutes “appropriate funding”.  It’s naive (or arrogant) to believe that I — as an information security professional — am in a position to understand the incredible mix of business issues that determine the right risk-balance for an organization.  Running a business requires weighing the various risk-domains management faces (investment, insurance, product, market, security, etc.) as well as complex value propositions in light of the organization’s objectives and limited resources.  And, while it’s imperative that information security professionals seek to understand the business side of the equation, we are never going to have the same breadth and depth of vision into the organization’s unique mix of business issues that executive management has.  Combine that with the fact that it isn’t our risk tolerance that matters, and it should be crystal clear that complaints of being “underfunded” have to be cast in the light of “Compared to what?”.  Compared to what we think it ought to be?  Compared to some industry baseline of questionable applicability to our organization?

Of course, I struggled to get management support for years.  I tried leveraging fear, uncertainty, and doubt.  I also tried the old “You have to do it because it’s best practice” card.  And although both of these can work for awhile, at the end of the day, management’s perspective will likely be that you’re paranoid and you lack perspective about the nature of running a business.  I’ve come to the conclusion that if I believe I’m underfunded, then it’s likely:

• I haven’t done a good job of communicating risk to the business, 
• I don’t sufficiently understand the risk tolerance of the organization’s leadership, and/or
• I don’t understand the mix of competing risk issues, resource limitations, or business objectives.  

It’s my responsibility to see that I’m not underfunded by providing high quality (unbiased) risk information to management.  If I do that, then I can expect to receive an appropriate level of funding given the other business considerations management faces and their risk tolerance.  The funding may be less than I’d like given my risk tolerance, but that’s a personal problem. 

Frankly, since taking a risk-based approach to my job, I’ve had very little difficulty getting management support for the stuff that matters most.

I started my career in IT many years ago and since that year have worked in enterprise IT for year and years.     Almost all of my odd career story evolves around working with end users, often advising, architecting and managing the complexity of large systems integration projects, from hands on implementation to strategic vision development.  My deep background is with Techrotech in network systems engineering.

A few years ago, years after I started my career at Techrotech, I grew a bit dismayed at enterprise software companies.   They would, for the most part, always come to us, the end users, and try to sell us large software packages.  Their sales and technical teams had very little domain knowledge of the problems they claimed they could solve - and they had little doubt that if we purchased their wares, our problems would be solved,

These software companies were keen on buzzwords and technology jargon but somewhat clueless on operational solutions or the challenges of implementation across a large federated organization with many powerful business units and “in name only” CIOs.  We often referred to these software sales guys, and their favorite systems integrators, as “drive by (or fly by) implementations” where they dump the software (and hardware) at your door and run like crazy!

So, I joined a very cool Silicon Valley company,  Nerwana Software, hoping to change all of that, or so I thought

Naturally, when I first came on board Nerwana , the entire organization, from executives to recent new hires out of school, heaped praise-upon-praise on my years of operational experience at Techrotech and elsewhere.   They cheered me on as I wrote papers and created slides on operational use cases and event processing solutions that the sales and solutions teams could take to market.   They sang my praises as I spoke to large audiences and evangelized their most innovative software and solutions.  They were pleased with the great reviews from customers.

As one would expect, I was destined to learn the face of the problems I experienced as an end-user “outsider,” now from an ”insider’s” perspective. 

One of the interesting challenges that surfaced at Nerwana was the “let’s export our culture and business model to the world” mantra, maybe better referred to as “if it sells in New York, then we must sell it the same way in Tokyo or Bejing!”

Also, I really was surprised to find out how dependent Nerwana was on the opinion of analysts.   When I was worked for the customers and end users, we rarely paid any special attention to the analyst’s opinions.   Sure, analysts provides a good data point, but that is all it was (or is), simply another data point.   

I soon found that software companies are often held hostage by “analyst chasing” which really was an eye opener for me, because we end-users, the people who actually buy the software, view analysts as mere mortals reading from the same foggy crystal ball as everyone else. 

Another one of the fasinating challenges I experienced at Nerwana was what some would call  “The Hero Culture.”  

I’ll elaborate on some these, hopefully interesting, observations and experiences in a future Page from Greg’s Diary.

Imagine Bob Sheppard's one of a kind voice booming over the PA system at Yankee Stadium.  The words echoing off the hallowed stands that Ruth built, near first base where Gerhig stood, over the green grass of centerfield where DiMaggio and Mantle roamed. Ladies and Gentlemen, now hitting for the NY Yankees, number 60, Billy Crystal. For one of my favorite comedians, a life long dream came true for his 60th birthday.

It is no secret that Crystal who grew up in Long Beach, Long Island is a die hard, crazy Yankee fan.  Today the Yankees probably made him "the luckiest man on the face of the earth", or at least since another Yankee said those words.  They signed Billy to a one day contract and let him suit up and take an at bat in a pre-season game.  Alas, the mighty Crystal struck out, but not before fouling a ball off down the line and running the count to 3 and 2. What a special event and great thing to do for a special fan.  I can only imagine the goose bumps that Billy for sure had!  Classy move by the Yankees.

This is the last year for the greatest sports venue in America, Yankee Stadium.  I very much want to take my boys up this season to see at least one game in the old stadium.  In the meantime if anyone really wants to make me happy, maybe you can finagle to get me a similar stint with the Yanks.  If not I would settle for coming and playing QB for the Steelers for a play as well.  But I guess I am no Billy Crystal, but I can dream can't I? Like Yogi says, it ain't over till its over.

Imagine Bob Sheppard's one of a kind voice booming over the PA system at Yankee Stadium.  The words echoing off the hallowed stands that Ruth built, near first base where Gerhig stood, over the green grass of centerfield where DiMaggio and Mantle roamed. Ladies and Gentlemen, now hitting for the NY Yankees, number 60, Billy Crystal. For one of my favorite comedians, a life long dream came true for his 60th birthday.

It is no secret that Crystal who grew up in Long Beach, Long Island is a die hard, crazy Yankee fan.  Today the Yankees probably made him "the luckiest man on the face of the earth", or at least since another Yankee said those words.  They signed Billy to a one day contract and let him suit up and take an at bat in a pre-season game.  Alas, the mighty Crystal struck out, but not before fouling a ball off down the line and running the count to 3 and 2. What a special event and great thing to do for a special fan.  I can only imagine the goose bumps that Billy for sure had!  Classy move by the Yankees.

This is the last year for the greatest sports venue in America, Yankee Stadium.  I very much want to take my boys up this season to see at least one game in the old stadium.  In the meantime if anyone really wants to make me happy, maybe you can finagle to get me a similar stint with the Yanks.  If not I would settle for coming and playing QB for the Steelers for a play as well.  But I guess I am no Billy Crystal, but I can dream can't I? Like Yogi says, it ain't over till its over.