<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: fish]]></title>
    <link>http://securityratty.com/tag/fish</link>
    <description></description>
    <pubDate>Fri, 04 Apr 2008 12:38:29 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Does Risk Management Make Sense?]]></title>
      <link>http://securityratty.com/article/1c474a0ca5e46c2d82ff6187ee46f0eb</link>
      <guid>http://securityratty.com/article/1c474a0ca5e46c2d82ff6187ee46f0eb</guid>
      <description><![CDATA[We engage in risk management all the time, but it only makes sense if we do it right.
&quot;Risk management&quot; is just a fancy term for the cost-benefit tradeoff associated with any security decision. It's...]]></description>
      <content:encoded><![CDATA[<p>We engage in risk management all the time, but it only makes sense if we do it right. </p>

<p>"Risk management" is just a fancy term for the cost-benefit tradeoff associated with any security decision. It's what we do when we react to fear, or try to make ourselves feel secure. It's the fight-or-flight reflex that evolved in primitive fish and remains in all vertebrates. It's instinctual, intuitive and fundamental to life, and one of the brain's primary functions. </p>

<p>Some have hypothesized that humans have a "risk thermostat" that tries to maintain some optimal risk level. It explains why we drive our motorcycles faster when we wear a helmet, or are more likely to take up smoking during wartime. It's our natural risk management in action. </p>

<p>The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small family groups in the East African highlands in 100,000 BC, and not to living in the New York City of 2008. We make systematic risk management mistakes -- miscalculating the probability of rare events, reacting more to stories than data, responding to the feeling of security rather than reality, and making decisions based on irrelevant context. And that risk thermostat of ours? It's not nearly as finely tuned as we might like it to be. </p>

<p>Like a rabbit that responds to an oncoming car with its default predator avoidance behavior -- dart left, dart right, dart left, and at the last moment jump -- instead of just getting out of the way, our Stone Age intuition doesn't serve us well in a modern technological society. So when we in the security industry use the term "risk management," we don't want you to do it by trusting your gut. We want you to do risk management consciously and intelligently, to analyze the tradeoff and make the best decision. </p>

<p>This means balancing the costs and benefits of any security decision -- buying and installing a new technology, implementing a new procedure or forgoing a common precaution. It means allocating a security budget to mitigate different risks by different amounts. It means buying insurance to transfer some risks to others. It's what businesses do, all the time, about everything. IT security has its own risk management decisions, based on the threats and the technologies. </p>

<p>There's never just one risk, of course, and bad risk management decisions often carry an underlying tradeoff. Terrorism policy in the U.S. is based more on politics than actual security risk, but the politicians who make these decisions are concerned about the risks of not being re-elected. </p>

<p>Many corporate security decisions are made to mitigate the risk of lawsuits rather than address the risk of any actual security breach. And individuals make risk management decisions that consider not only the risks to the corporation, but the risks to their departments' budgets, and to their careers. </p>

<p>You can't completely remove emotion from risk management decisions, but the best way to keep risk management focused on the data is to formalize the methodology. That's what companies that manage risk for a living -- insurance companies, financial trading firms and arbitrageurs -- try to do. They try to replace intuition with models, and hunches with mathematics. </p>

<p>The problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle. We don't know how well our network security will keep the bad guys out, and we don't know the cost to the company if we don't keep them out. And the risks change all the time, making the calculations even harder. But this doesn't mean we shouldn't try. </p>

<p>You can't avoid risk management; it's fundamental to business just as to life. The question is whether you're going to try to use data or whether you're going to just react based on emotions, hunches and anecdotes. </p>

<p>This essay appeared as the first half of a <a href="http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci1332745,00.html?">point-counterpoint</a> with Marcus Ranum in <i>Information Security</i> magazine.</p>]]></content:encoded>
      <pubDate>Tue, 14 Oct 2008 09:25:09 +0000</pubDate>
      <category domain="http://securityratty.com/tag/risk management">risk management</category>
      <category domain="http://securityratty.com/tag/risk management decisions">risk management decisions</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/avoid risk management">avoid risk management</category>
      <category domain="http://securityratty.com/tag/natural risk management">natural risk management</category>
      <category domain="http://securityratty.com/tag/risk management consciously">risk management consciously</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security world">security world</category>
      <category domain="http://securityratty.com/tag/information security magazine">information security magazine</category>
      <source url="http://www.schneier.com/blog/archives/2008/10/does_risk_manag.html">Does Risk Management Make Sense?</source>
    </item>
    <item>
      <title><![CDATA[Friday Squid Blogging: Natural Squid Steganography]]></title>
      <link>http://securityratty.com/article/883a6493ddbb647c5aac243b3f0c6deb</link>
      <guid>http://securityratty.com/article/883a6493ddbb647c5aac243b3f0c6deb</guid>
      <description><![CDATA[Squid can communicate with each other without any other fish noticing: Squid and their relatives have eyes that are sensitive to polarised light and to them and are known to use it to signal to one...]]></description>
      <content:encoded><![CDATA[<p>Squid can <a href="http://scienceblogs.com/notrocketscience/2008/09/camouflaged_communication_the_secret_signals_of_squid.php">communicate with each other</a> without any other fish noticing:</p>

<blockquote><p>Squid and their relatives have eyes that are sensitive to polarised light and to them and are known to use it to signal to one another. Their predators on the other hand, like seals or whales, don't share this ability and cannot see the squids' signals.</p>

<p>Most of all, the polarised iridescent light is not affected by the chromatophores and passes through unaltered. This means that camouflaged squid can have entire visual conversations while remaining invisible to passing predators. In the world of squid, conversations carry secrets wrapped in lies.</p></blockquote>]]></content:encoded>
      <pubDate>Fri, 10 Oct 2008 12:58:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/squid">squid</category>
      <category domain="http://securityratty.com/tag/iridescent light">iridescent light</category>
      <category domain="http://securityratty.com/tag/conversations carry secrets">conversations carry secrets</category>
      <category domain="http://securityratty.com/tag/light">light</category>
      <category domain="http://securityratty.com/tag/entire visual conversations">entire visual conversations</category>
      <category domain="http://securityratty.com/tag/predators">predators</category>
      <category domain="http://securityratty.com/tag/lies">lies</category>
      <category domain="http://securityratty.com/tag/world">world</category>
      <category domain="http://securityratty.com/tag/signals">signals</category>
      <source url="http://www.schneier.com/blog/archives/2008/10/friday_squid_bl_144.html">Friday Squid Blogging: Natural Squid Steganography</source>
    </item>
    <item>
      <title><![CDATA[Friday Squid Blogging: The Mystery of Humboldt Squid Beaks]]></title>
      <link>http://securityratty.com/article/eb769ebd958d625341934c0b162971d7</link>
      <guid>http://securityratty.com/article/eb769ebd958d625341934c0b162971d7</guid>
      <description><![CDATA[They're sharp : There are many weird things about the giant Humboldt squid, but here's one of the strangest: Its beak. The squid's beak is one of the hardest organic substances in existence -- such...]]></description>
      <content:encoded><![CDATA[<p>They're <a href="http://www.collisiondetection.net/mt/archives/2008/09/there_are_many.php">sharp</a>:</p>

<blockquote>There are many weird things about the giant Humboldt squid, but here's one of the strangest: Its beak. The squid's beak is one of the hardest organic substances in existence -- such that the sharp point can slice through a fish or whale like a Ginsu knife. Yet the beak is attached to squid flesh that itself is the texture of jello. How precisely does a gelatinous animal safely wield such a razor-sharp weapon? Why doesn't it just sort of, y'know, <i>rip off</i>? It's as if you tried to carve a roast with a knife that doesn't have a handle: It would cut into your fingers as much as the roast.</blockquote>

<p>Paper <a href="http://www.materials.ucsb.edu/~zok/PDF/TransitionMiserez.pdf">here</a>.</p>]]></content:encoded>
      <pubDate>Fri, 12 Sep 2008 12:59:55 +0000</pubDate>
      <category domain="http://securityratty.com/tag/squid">squid</category>
      <category domain="http://securityratty.com/tag/giant humboldt squid">giant humboldt squid</category>
      <category domain="http://securityratty.com/tag/sharp">sharp</category>
      <category domain="http://securityratty.com/tag/razor-sharp weapon">razor-sharp weapon</category>
      <category domain="http://securityratty.com/tag/ginsu knife">ginsu knife</category>
      <category domain="http://securityratty.com/tag/beak">beak</category>
      <category domain="http://securityratty.com/tag/squid flesh">squid flesh</category>
      <category domain="http://securityratty.com/tag/knife">knife</category>
      <category domain="http://securityratty.com/tag/roast">roast</category>
      <source url="http://www.schneier.com/blog/archives/2008/09/friday_squid_bl_142.html">Friday Squid Blogging: The Mystery of Humboldt Squid Beaks</source>
    </item>
    <item>
      <title><![CDATA[Friday Squid Blogging: Colossal Squid was a Lethargic Blob]]></title>
      <link>http://securityratty.com/article/6d4f80e8d3fa802ab13aac07fe66d4c9</link>
      <guid>http://securityratty.com/article/6d4f80e8d3fa802ab13aac07fe66d4c9</guid>
      <description><![CDATA[Fierce deep-sea predator? Not so much : &quot;We are looking at something verging on the incredibly bizarre. As she got older she got shorter and broader and was reduced to a giant gelatinous blob,...]]></description>
      <content:encoded><![CDATA[<p>Fierce deep-sea predator?  <a href="http://www.abc.net.au/science/articles/2008/08/22/2343461.htm">Not so much</a>:</p>

<blockquote><p>"We are looking at something verging on the incredibly bizarre. As she got older she got shorter and broader and was reduced to a giant gelatinous blob, carrying many thousands of eggs," he says.</p>

<p>"Her shape was likely to have affected her behaviour and ability to hunt. I can't imagine her jetting herself around in the water at any great speed, and she was too gelatinous to have been a fighting machine.</p>

<p>"It's likely she was just blobbing around the seabed carrying her brood of eggs, living on dead fish, while her mate was off hunting."</p></blockquote>]]></content:encoded>
      <pubDate>Fri, 05 Sep 2008 12:36:05 +0000</pubDate>
      <category domain="http://securityratty.com/tag/gelatinous">gelatinous</category>
      <category domain="http://securityratty.com/tag/giant gelatinous blob">giant gelatinous blob</category>
      <category domain="http://securityratty.com/tag/fierce deep-sea predator">fierce deep-sea predator</category>
      <category domain="http://securityratty.com/tag/dead fish">dead fish</category>
      <category domain="http://securityratty.com/tag/eggs">eggs</category>
      <category domain="http://securityratty.com/tag/incredibly bizarre">incredibly bizarre</category>
      <category domain="http://securityratty.com/tag/broader">broader</category>
      <category domain="http://securityratty.com/tag/thousands">thousands</category>
      <category domain="http://securityratty.com/tag/shorter">shorter</category>
      <source url="http://www.schneier.com/blog/archives/2008/09/friday_squid_bl_138.html">Friday Squid Blogging: Colossal Squid was a Lethargic Blob</source>
    </item>
    <item>
      <title><![CDATA[ScienceLogics 5-Year Anniversary]]></title>
      <link>http://securityratty.com/article/1287b8dac0ea60512bed5f303d15fe55</link>
      <guid>http://securityratty.com/article/1287b8dac0ea60512bed5f303d15fe55</guid>
      <description><![CDATA[August 2003. The largest blackout in U.S. history darkens the Northeast and Midwest, the Blaster worm has been unleashed and Madonna and Britney create a stir at the 2003 MTV Music Video Awards . In...]]></description>
      <content:encoded><![CDATA[<p><img style="border-right: 0px; border-top: 0px; margin: 0px 10px 10px 0px; border-left: 0px; border-bottom: 0px" height="164" alt="B-day Cake" src="http://blog.sciencelogic.com/wp-content/uploads/2008/08/b-day-cake1.jpg" width="244" align="left" border="0"> August 2003. The largest <a href="http://blogs.wsj.com/biztech/2008/08/13/celebrating-the-anniversary-of-the-big-blackout/?mod=djemTECH" target="_blank">blackout</a> in U.S. history darkens the Northeast and Midwest, the <a href="http://news.cnet.com/2010-1001-5117862.html" target="_blank">Blaster worm</a> has been unleashed and Madonna and Britney create a stir at the <a href="http://en.wikipedia.org/wiki/2003_MTV_Video_Music_Awards" target="_blank">2003 MTV Music Video Awards</a>. In the midst of this <a href="http://www.grid.unep.ch/product/publication/download/ew_heat_wave.en.pdf" target="_blank">hot summer</a> madness, ScienceLogic was founded.
<p>To kick off our celebration of our first five years, we asked <a href="http://www.sciencelogic.com/leadership.htm" target="_blank">ScienceLogic founders</a> Dave Link, Richard Chart and Chris Cordray for their thoughts and memories on events leading to today’s milestone. How and why did they set out on this venture? What happened along the way – expected and unexpected? Why were they successful in times when other new (and established) businesses have come and <a href="http://en.wikipedia.org/wiki/Category:2003_disestablishments" target="_blank">gone</a>?
<p><b>How did you three put together this team?</b>
<p>We all worked together at a large Managed Service Provider for a couple of years before leaving to start ScienceLogic, so we all knew each other and knew our collective strengths. More importantly, each of us had worked with network management tools on some level (sales and marketing, engineering and product development), and knew first-hand all of the customer pain points, from every perspective. So we left and began rapidly figuring out how to build a better network management solution based upon our real world operational experience.
<p><strong>Dave:</strong> One interesting aspect is that our areas of expertise don’t overlap, which has contributed to our success. Chris is excellent with developing the product front-end and interface, Richard handled the backend architecture and engineering and I focused on the technical business side of sales and marketing. Our roles have been to build a product that works well and that provides real value to operations teams that experience the same day to day frustrations that we felt.
<p><b>Whose idea was it to start the company?</b>
<p><strong>Dave:</strong> It was really a collective effort. We were all passionate about “getting it right” and not just starting a company. We knew the industry need and between us, we had the knowledge and skill sets to address all of the right aspects of developing a product and building a business around it.
<p><b>What process did you go through to get started?</b>
<p><strong>Richard:</strong> From the beginning we knew the type of solution the market needed and we knew that we wanted to build it as an appliance. From different vantage points, we had each experienced the effects of long, difficult and expensive installations that still exist with traditional network tools. Every install has unique variations: there are always different server types, varying hardware and software versions, different patches installed, and on and on. Every installation was time consuming and unpredictable. We knew that an appliance model would address all of these variables and save a lot of time on how quickly customers could achieve immediate value.
<p>The harder decisions were around actually starting the business, assessing the market and of course determining the product pricing.
<p><b>EM7 completely flips the traditional model of complex, lengthy and expensive deployments. How did you convince others that the EM7 Meta-Appliance product was valid?</b>
<p><strong>Dave:</strong> Yes, EM7 totally disrupts the traditional model for network management. While others take a narrow approach, we intentionally designed EM7 to focus on the broad problem – managing the data center. How do you cover a variety of technologies and make sure they work seamlessly together? The vision was to make it easier, not harder, for customers.
<p><strong>Chris:</strong> I have to give it to Dave – very early on, he realized the power of a demo. If Dave could get in front of someone, he’d make them a believer. He’d use the Peter Falk/Columbo technique of “let me show you one more thing.” It was very effective. It’s getting easier, but even today people sometimes have to see EM7 in action before they become believers.
<p><b>Can you describe the early days of running a new business?</b>
<p><strong>Dave:</strong> ScienceLogic is a classic case of entrepreneurship. For the first year we worked out of our basements. We kept the costs low in every conceivable way and spent the first year developing the product before we even made a sale.
<p><strong>Chris:</strong> We stayed at lots of odd places when we were on the road, took cheap flights with multiple layovers and purchased lots of our first test equipment on eBay. This was during the dot-com bust so there was lots of equipment for sale on eBay, really cheap!
<p><strong>Richard:</strong> The amount of equipment I had in my house was absolutely crazy. Back then, servers were huge – I had a Cisco 6509 Catalyst, a Compaq Proliant DL380, Brocade switch, IBM Netfinity 4500R, and tons of other machines.
<p><strong>Chris:</strong> I had to install a new circuit box at home because I was blowing breakers. I remember when that 6509 crashed, we revived it and it died again. The second death was final.
<p><b>So you started in your houses – what was your first office space?</b>
<p><strong>Dave:</strong> My friend, the CEO at Ernst &amp; Young Technology, had a few extra cubes and a data center in their office that they graciously allowed us to use. Their help was an important step in helping us really formalize the business. We started doing well and adding people, but ironically, their company was downsizing. Before long, many of their original YET people were gone and the ScienceLogic team kept growing into the open cubes.
<p>Our first leased space was converted warehouse space in Chantilly, VA that once housed an internet radio station. It was cool – it had a large salt water fish tank, a loft, a spiral staircase and a Star Trek door that retracted into the walls with the customary lights and “whooshing” sound.
<p>We outgrew the Chantilly space, leading to our current office in Reston, VA.
<p><b>Who was the first ScienceLogic customer?</b>
<p>Our first paying customer was <a href="http://martinspoint.com/" target="_blank">Martins Point Health Care</a>. We deployed there in July 2004 and are pleased to say they continue to be a ScienceLogic customer. Other early (and still) EM7 <a href="http://www.sciencelogic.com/customers.htm" target="_blank">customers</a> include Navy Knowledge Online and the Department of Transportation. Nearly all of our customers are still actively using EM7 and renewing their maintenance.
<p><b>Where do you see the company in the next 5, 10 or 15 years?</b>
<p>Well, our revenue has doubled year-over-year in each of the last three years, so of course we’d like to continue to grow like that or even faster. In five years we’ve gone from three founders to the point where Dave does not know everyone’s fondest childhood memory. We’ll continue to scale our growth to cover the demands of our growing customer base.
<p><b>Where do you see the industry going over the coming years?</b>
<p><strong>Chris:</strong> IT is always moving and gaining in complexity, so network management is also becoming more complicated. There’s increasing diversity, new standards, virtualization and cloud computing. All of these are today’s technologies. Customers have a mix of the old and the new, so EM7 has to accommodate and support both.
<p><strong>Richard:</strong> Each generation of products has a new set of ways to monitor, but the “old” doesn’t go away. Even when a new, hot technology comes along, the old technologies still need to be supported. We work to ensure EM7 keeps up with both.
<p><strong>Dave:</strong> After five years we’re just hitting our stride and we’re just now reaching the tipping point in awareness of ScienceLogic and EM7. We’re all still passionate about the product and as Chris and Rich said, there’s still a lot to do. We’ll continue disrupting the market with EM7. Our vision hasn’t changed, and with the increasing levels of automation that customers demand, the market needs are greater than ever. Our future is as bright, or brighter, than ever and we’ll continue to be looking for smart ways to automate traditionally manual IT Operations processes.
<p><b>What’s your advice for someone interested in starting their own business?</b>
<p><strong>Chris:</strong> Be passionate. That’s what has gotten me through the tough times. I didn’t really appreciate this thought when I heard others say it before. But it’s very true.
<p><strong>Richard:</strong> I agree. We met and talked with lots of people who told us, “That’s been done before.” But we kept going because we truly believed in what we were doing and we knew that while our approach was different, that it would be successful.
<p><strong>Richard:</strong> Be fearless. You can’t be too nervous and you need to be able to expect and handle the stress because it will be there. You have to learn to accept the stressful times as a necessary part of the process of starting out on your own.
<p><strong>Dave:</strong> Know your niche from the beginning and give potential customers a compelling reason to trust you and really benefit from your solution. You have to know the problem, see the gap and have a clear and consistent vision of how to solve the problem. Then you have to execute. If you don’t build your team with “doers” you won’t make it.
<p><strong>Chris:</strong> It helps to have friends. ScienceLogic was built on friendships and relationships, starting with the three of us. If you look at our team, most of our hires are referrals – people who developed and maintained great connections with other great people throughout their careers. Maintain your connections and keep in touch with your network of friends.</p>
]]></content:encoded>
      <pubDate>Wed, 20 Aug 2008 18:39:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/em7 completely flips">em7 completely flips</category>
      <category domain="http://securityratty.com/tag/em7">em7</category>
      <category domain="http://securityratty.com/tag/network management">network management</category>
      <category domain="http://securityratty.com/tag/network management tools">network management tools</category>
      <category domain="http://securityratty.com/tag/em7 meta-appliance product">em7 meta-appliance product</category>
      <category domain="http://securityratty.com/tag/sciencelogic team">sciencelogic team</category>
      <category domain="http://securityratty.com/tag/team">team</category>
      <category domain="http://securityratty.com/tag/front">front</category>
      <category domain="http://securityratty.com/tag/product front-end">product front-end</category>
      <source url="http://blog.sciencelogic.com/sciencelogics-5-year-anniversary/08/2008">ScienceLogics 5-Year Anniversary</source>
    </item>
    <item>
      <title><![CDATA[SANS Webcast: Security for Web Services and SOA ]]></title>
      <link>http://securityratty.com/article/7d633c7f6436def5b58166479fa3a99c</link>
      <guid>http://securityratty.com/article/7d633c7f6436def5b58166479fa3a99c</guid>
      <description><![CDATA[Last week I did a SANS webcast with Jacob West from Fortify on Web Services and SOA Security issues. I also did another SANS Webcast on Web services security way back in 2005. I went back and looked...]]></description>
      <content:encoded><![CDATA[<p>Last week I did a <a href="https://www.sans.org/webcasts/show.php?webcastid=91958">SANS webcast</a> with Jacob West from Fortify on Web Services and SOA Security issues. I also did another SANS Webcast on Web services security way back in 2005. I went back and looked at the 2005 slides and it's really scary how the issues are still there. Again we see developers making hellacious progress and security treading water (in a moving stream). From 2005:</p><div><blockquote>
	<p>Many (most?) classic Information Security mechanisms are not as relevant in securing Web Services:</p>
	<ul>
	<li>Firewalls</li>
	<li>SSL</li>
	<li>Session based access control</li>
	<li>Policies &amp; mechanism domains are blurred by integration and decoupling</li>
	<li>Lack of end to end visibility</li>
	</ul>
</blockquote></div>

<p>I realize that security is a system-level issue and it takes a long time to change things at that level, but what's more concerning to me is that the typical infosec mindset remains the same. Should we be surprised by rampant phishing and fraud? I am frankly surprised the numbers are so low given the opportunities that the attackers have via the glacial pace of security improvements. It's been three years since that list and I could write the exact same one today for SOAP, REST, SOA, Web 2.0, whatever.</p>

<p>Maybe the main reason, beyond failure of imagination, why infosec is so far behind developers is that infosec lacks tools. Developers automate everything possible. Security doesn't. The most promising thing about static analysis is not the ability to find everything, it's the ability to find many important things in an automated way. Infosec needs to stop giving people fish and start teaching them to fish.</p>

<p>Look at Fortify's vulncat site, which has a <a href="http://www.fortify.com/vulncat/en/vulncat/index.html">Taxonomy of Coding Errors</a>. Fortify's Seven (plus one) pernicious kingdoms are:</p>
<ul>
<li>Input Validation and Representation</li>
<li>API Abuse</li>
<li>Security Features</li>
<li>Time and State</li>
<li>Errors</li>
<li>Code Quality</li>
<li>Encapsulation</li>
<li>* Environment</li>
</ul>

<p>These vulns are then integrated to find security bugs in a variety of frameworks - Axis, Axis2, Websphere and .Net. The tools give security people a richer understanding about the actual state of security in their web services, the ability to communicate and debate design improvement tradeoffs with developers, and cogent advice on how to address the issues.</p>

<p>It would be fantastic if the list of security issues in 2011 is different from the 2005 one that we are still stuck with.</p>]]></content:encoded>
      <pubDate>Mon, 04 Aug 2008 07:29:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/web services">web services</category>
      <category domain="http://securityratty.com/tag/web">web</category>
      <category domain="http://securityratty.com/tag/security issues">security issues</category>
      <category domain="http://securityratty.com/tag/issues">issues</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/web services security">web services security</category>
      <category domain="http://securityratty.com/tag/soa security issues">soa security issues</category>
      <category domain="http://securityratty.com/tag/soa">soa</category>
      <category domain="http://securityratty.com/tag/security improvements">security improvements</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/08/sans-webcast-security-for-web-services-and-soa.html">SANS Webcast: Security for Web Services and SOA </source>
    </item>
    <item>
      <title><![CDATA[Fundamentalism in Risk & Security]]></title>
      <link>http://securityratty.com/article/a6485e6738241f3f746b13f7ed6ec366</link>
      <guid>http://securityratty.com/article/a6485e6738241f3f746b13f7ed6ec366</guid>
      <description><![CDATA[FEAR AND LOATHING IN DAYTON, OHIO
Had a great time Sunday with Rob Newby . We solved the world's problems over deep fried whitefish and french fries (fish &amp; chips to him). It was a very good time, even...]]></description>
      <content:encoded><![CDATA[<p><strong>FEAR AND LOATHING IN DAYTON, OHIO</strong></p>
<p>Had a great time Sunday with <a href="http://robnewby.blogspot.com/">Rob Newby</a>. We solved the world&#8217;s problems over deep fried whitefish and french fries (fish &amp; chips to him).  It was a very good time, even if my driving did make him a bit uneasy.  If I may quote myself (said in an attempt to soothe Rob&#8217;s uneasiness about being lost in the car of a complete stranger in a strange country):</p>
<blockquote><p>If your life doesn&#8217;t imitate the surreal aspects of a Douglas Adams book at least once a day, you&#8217;re just not living right.</p></blockquote>
<p>Aside: Bruce Schneier already has too many awards and too much recognition, so go vote for Rob instead :) <a href="http://robnewby.blogspot.com/2008/07/award-up-for-grabs.html">http://robnewby.blogspot.com/2008/07/award-up-for-grabs.html</a></p>
<p><strong>SEPARATION OF CHURCH AND (CURRENT) STATE</strong></p>
<p>Rob and I spent some time discussing risk and security, and our conversation circled around the (now) recurring blogo-topic concerning the State of the Practice. It&#8217;s a favorite topic of mine, so I&#8217;ve been delighted that it has reappeared in blogodom.</p>
<p>Rob writes about it some here in <a href="http://robnewby.blogspot.com/2008/07/pci-priest.html">PCI the Priest</a>. <a href="http://www.terminal23.net/2008/07/devils_advocate_thursday.html">LonerVamp</a>&#8217;s and <a href="http://taosecurity.blogspot.com/2008/06/what-would-galileo-think.html">Richard Bejtlich&#8217;s</a> blogs talk about Galileo, his confrontation with his church, and the lessons we can learn from history (there&#8217;s nothing wrong with them recycling the meme, IMHO, because I, for one, never got closure the first time). <a href="http://jonsnetwork.com/2008/07/ignorance-uncertainty-and-doubt/">Jon added a nice quote from Feynman</a> today that&#8217;s also in line with the meme.</p>
<p>I&#8217;m not going to belabor the analogy, the &#8220;art vs. science&#8221; misnomer, nor discuss the problems with our various canon (PCI, ISO, COBIT, COSO, blah, blah, blah). Rather, I&#8217;d like to talk about some essential things I think our industry needs to &#8220;sort out&#8221; before it can move on towards a more scientific view of the world. <em>And by &#8220;sort out&#8221; of course, I mean agree with me on <img src='http://riskmanagementinsight.com/riskanalysis/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </em></p>
<p><strong>CAN&#8217;T WE ALL JUST GET ALONG?</strong></p>
<p><strong><span style="color: #003300;">1 - Can we agree that risk is a probability issue?</span></strong><br />
Now obviously, you can retreat a century or so into probability theory and claim that risk is a Knightian uncertainty and that we just can&#8217;t &#8220;know&#8221; it. Have fun. But you should know that here&#8217;s the catch: &#8220;security&#8221; is also a probability issue. So I&#8217;m betting that you can&#8217;t know &#8220;secure&#8221; for much the same reasons Frank Knight would argue we can&#8217;t know &#8220;risky&#8221;.</p>
<p>If risk (and security) is a probability issue, however, then we&#8217;re going to have to do better than &#8220;A&#8217;s in three college courses in statistics&#8221; to address the problem. We will have to do as Curphey (and others) suggest and bring elements of other disciplines to bear on our problem space. Let me suggest probability theory and economics as fine, fine places to start.</p>
<p><strong><span style="color: #003300;">2 - Can we agree to stop measuring stupidly?</span></strong><br />
Can we agree that Ordinal Scales are not measurements, and that Interval Scales are not useful measurements?</p>
<p>I had a post titled &#8220;More Ways To Confuse Your Auditor/Assessor&#8221; but it turned out to be a pretty cruel discussion about how we tend to try to act like our calculations based on ordinal or interval scales are useful (hint:  insist that your auditor/assessor/consultant replace the label &#8220;one&#8221; with the label &#8220;zero&#8221;).</p>
<p>Note that if risk is a probability issue, then we&#8217;re going to have to throw out the concepts of measuring in any scale other than a ratio anyhow.</p>
<p><strong><span style="color: #003300;">3 - Can we agree on a (good) taxonomy?</span></strong><br />
We&#8217;re going to have to do (much) better than ISO 27005 (nudge, nudge).</p>
<p><strong><span style="color: #003300;">4 - Can we agree we need to do a better job with our data?</span></strong><br />
We&#8217;re going to have to do better with measurements, metrics, models and testing.</p>
<p>It&#8217;s a shame that honeypots tend to be underappreciated.</p>
<p><strong><span style="color: #003300;">5 - Can we agree to test that data and share it with each other?</span></strong><br />
We may not need to share specific data, but we will need to share when a model falls down.</p>
<p>I&#8217;d like to be as idealistic as some of my fellow &#8216;New Schoolers&#8217; and suggest we&#8217;ll someday all be sharing data together, but I&#8217;m skeptical. That doesn&#8217;t mean we can&#8217;t demonstrate where results from the models we use are not repeatable, consistent or logical. One thing Rob and I talked about at length yesterday was the ability to disprove a model using realistic but &#8220;substitute&#8221; or sanitized data. There&#8217;s gonna be a TON of work to be done here, and that work will take not years but careers. Which raises a great question:</p>
<p><em>Is it the sharing of data that we need, or the sharing of models?</em></p>
<p><strong>HELP ME OUT, HERE</strong><br />
That&#8217;s my list of 5 fundamental concepts I wish we could move past. Let me ask you: what else am I missing? What&#8217;s it going to take to get past our current malaise? How does the New School reach critical mass? <em><strong>Who is going to help us agree in a centralized manner?</strong></em></p>
<p>Your comments or own blog posts are most welcome (please include a trackback or post here).</p>
]]></content:encoded>
      <pubDate>Tue, 08 Jul 2008 09:16:04 +0000</pubDate>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/share">share</category>
      <category domain="http://securityratty.com/tag/share specific data">share specific data</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/agree">agree</category>
      <category domain="http://securityratty.com/tag/probability issue">probability issue</category>
      <category domain="http://securityratty.com/tag/rob writes">rob writes</category>
      <category domain="http://securityratty.com/tag/rob">rob</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <source url="http://riskmanagementinsight.com/riskanalysis/?p=368">Fundamentalism in Risk &amp; Security</source>
    </item>
    <item>
      <title><![CDATA[Shimel's theory of security company relativity or why there are so damn many security companies]]></title>
      <link>http://securityratty.com/article/b328c789c49542272531b7099d65c0d3</link>
      <guid>http://securityratty.com/article/b328c789c49542272531b7099d65c0d3</guid>
      <description><![CDATA[This post was originally going to be a wrap up on RSA. In thinking about that, the current overcrowded state of the security industry came to mind. This is a topic I have thought about before but in a...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>This post was originally going to be a wrap up on RSA. In thinking about that, the current overcrowded state of the security industry came to mind. This is a topic I have thought about before, but in an AHA moment I wanted to publish instead my own theory of security company relativity, or why there are so damn many security companies. Like Einstein before me I have reduced relativity (OK, not exactly the same kind of relativity, and I ain't no Einstein) to a simple formula. He had E=mc<sup>2</sup>; my formula is:</p>

<p><a href="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/formula.gif"><img height="66" alt="formula" src="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/formula_thumb.gif" width="222" align="left" border="0" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" /></a> Where &quot;<strong>A</strong>&quot; equals the acquisition price of a security company, &quot;<strong>R</strong>&quot; equals the revenue of the company and &quot;<strong>V</strong>&quot; is the amount of venture money raised. The tilde squiggly line and the greater-than sign are made up by me; they do not denote a specific mathematical function but indicate that the amount of money raised is in relation to the revenue of the company and is the exponential factor involved in finding the acquisition price. I use squared in deference and in honor of Einstein's theory, but it actually means some exponent of R and V, not necessarily the square of them.</p>

<p>So what do I mean by this? Let me explain. It is no secret that there are too many security companies. In fact there are something like 800 in a space that would be challenged to support half that number. Looking around the RSA show floor with some 350 companies or so represented, it is obvious that there is a lot of overlap and not very obvious what some of these companies do. However, there is a very small number of security companies that are public and have revenue of over, let's say, 100 million dollars. Of those, the overwhelming majority are in the AV and firewall business. In fact the smallest AV guys probably dwarf the revenue of most of the other security companies on the floor (Mike Rothman confirms this also).</p>

<p>In the past we have seen consolidation where the big fish eat the little fish. Everyone says we are going to see more consolidation and acquisitions in the time ahead. However, I would say that recently consolidation via acquisition is slowing down and many of those acquisitions are in fact at fire sale prices. Too many companies are stuck in a purgatory of a slow death by a thousand little cuts or Chinese water torture as they fade into obscurity or irrelevance. As a result my prediction is that we are going to see more companies go out of business, &agrave; la Lockdown Networks, rather than see successful exits by many companies. Yes, there will always be some that do well and, using my formula, will have a great exit, but too many are going to be forced to fire sale or go out of business.</p>

<p>Why? The overwhelming majority of companies at RSA are stuck at a revenue level of somewhere between 5 and 20 million dollars. I would bet that covers 80% of the companies exhibiting at RSA. Now 5 to 20 million is nothing to sneeze at. But on top of this, they are not seeing their year to year growth rate break out substantially beyond that level. Additionally, in order to grow the business to a sufficient level to support that type of revenue, they have probably raised anywhere from 25 to 40 million dollars over the years it takes to build to that revenue rate. At those revenue levels, and to support the base and modest growth, most of these companies are borderline profitable at best. Substantially growing the business would require even more capital. That means raising more money, which in turn means having to sell for more to get a great return. There is the rub, and where my formula comes into play.</p>

<p>At these revenue levels, they cannot justify an acquisition price that returns a decent return to the investors. Simply put, they are hosed. Let's say you have 10 million in revenue. What can you hope to sell for? A good number could be 40 to 80 million. If you are 35 million in on VC money, you need every penny of that to return a profit, and frankly the way VCs work, that doesn't leave a lot for the employees, founders, etc. because of preferential positions and preferred stock.</p>

<p>The simple answer is to raise the revenue number. But most of these companies are growing at modest levels. On top of this, it is easy to go from 1 to 2, 2 to 4, 4 to 8. When you start going from 8 to 16 and 16 to 32, that gets tough. Most of these companies can't do it. The only way to do so, as I said, is to raise more venture money, which means they need a higher acquisition price. They are stuck in security vendor purgatory.</p>

<p>What is the way out for them, or are they doomed? My next post will talk about the answer.</p></div>

]]></content:encoded>
      <pubDate>Thu, 10 Apr 2008 18:08:39 +0000</pubDate>
      <category domain="http://securityratty.com/tag/companies">companies</category>
      <category domain="http://securityratty.com/tag/security companies">security companies</category>
      <category domain="http://securityratty.com/tag/company">company</category>
      <category domain="http://securityratty.com/tag/security company relativity">security company relativity</category>
      <category domain="http://securityratty.com/tag/security company">security company</category>
      <category domain="http://securityratty.com/tag/revenue">revenue</category>
      <category domain="http://securityratty.com/tag/revenue level">revenue level</category>
      <category domain="http://securityratty.com/tag/revenue levels">revenue levels</category>
      <category domain="http://securityratty.com/tag/million">million</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/268040923/shimels-theory.html">Shimel's theory of security company relativity or why there are so damn many security companies</source>
    </item>
    <item>
      <title><![CDATA[Friday Squid Blogging: Squid Beaks for Artificial Limbs?]]></title>
      <link>http://securityratty.com/article/42388775ed38e6949bd46c1660fca8e2</link>
      <guid>http://securityratty.com/article/42388775ed38e6949bd46c1660fca8e2</guid>
      <description><![CDATA[Scientists are considering it : The beak, made of hard chitin and other materials, changes density gradually from the hard tip to a softer, more flexible base where it attaches to the muscle around...]]></description>
      <content:encoded><![CDATA[<p>Scientists are <a href="http://www.msnbc.msn.com/id/23830744/">considering it</a>:</p>

<blockquote><p>The beak, made of hard chitin and other materials, changes density gradually from the hard tip to a softer, more flexible base where it attaches to the muscle around the squid's mouth, the researchers found.</p>

<p>That means the tough beak can chomp away at fish for dinner, but the hard material doesn't press or rub directly against the squid's softer tissues.</p>

<p>Herbert Waite, a professor in the university's department of molecular, cellular & developmental biology and co-author of the paper, said such graduated materials could have broad applications in biomedical materials.</p>

<p>"Lots of useful information could come out of this for implant materials, for example. Interfaces between soft and hard materials occur everywhere," he said in a telephone interview.</p>

<p>Frank Zok, professor and associate chair of the department of materials, said he had always been skeptical of whether there is any real advantage to materials that change their properties gradually from one part to another, "but the squid beak turned me into a believer."</p>

<p>"If we could reproduce the property gradients that we find in squid beak, it would open new possibilities for joining materials," Zok said in a statement. "For example, if you graded an adhesive to make its properties match one material on one side and the other material on the other side, you could potentially form a much more robust bond."</p>

<p>The researchers are learning lessons that can be applied to medical materials in the future, said Phillip B. Messersmith of the department of biomedical engineering at Northwestern University.</p>

<p>Messersmith, who was not part of the research team, noted that hard medical implants made of metal or ceramic are often imbedded in soft tissues.</p>

<p>"The lessons here from nature might be useful in transitions between devices and the tissues they are imbedded in," he said in a telephone interview.</p></blockquote>

<p>More <a href="http://www.biomimicrynews.com/research/Scientists_find_that_squid_beak_is_both_hard_and_soft_a_material_that_engineers_want_to_copy.asp">on</a> <a href="http://news.nationalgeographic.com/news/2008/03/080327-squid-beaks.html">squid</a> <a href="http://www.physorg.com/news125845804.html">beaks</a>.</p>]]></content:encoded>
      <pubDate>Fri, 04 Apr 2008 12:38:29 +0000</pubDate>
      <category domain="http://securityratty.com/tag/squid">squid</category>
      <category domain="http://securityratty.com/tag/squid beaks">squid beaks</category>
      <category domain="http://securityratty.com/tag/biomedical materials">biomedical materials</category>
      <category domain="http://securityratty.com/tag/biomedical">biomedical</category>
      <category domain="http://securityratty.com/tag/materials">materials</category>
      <category domain="http://securityratty.com/tag/medical materials">medical materials</category>
      <category domain="http://securityratty.com/tag/hard materials occur">hard materials occur</category>
      <category domain="http://securityratty.com/tag/beak">beak</category>
      <category domain="http://securityratty.com/tag/squid beak">squid beak</category>
      <source url="http://www.schneier.com/blog/archives/2008/04/friday_squid_bl_120.html">Friday Squid Blogging: Squid Beaks for Artificial Limbs?</source>
    </item>
  </channel>
</rss>
