In a nutshell, the guide advocates that organizations calculate cyber security risks and costs by asking questions of every organizational discipline that might be affected: legal, compliance, business operations, IT, external communications, crisis management, and risk management/insurance. The idea is to involve everyone who might be affected by a security breach and collect data on the potential risks and costs.

Once all of the involved parties have weighed in, the guide offers a mathematical formula for calculating financial risk: Essentially, it is a product of the frequency of an event multiplied by its severity, multiplied by the likelihood of its occurrence. If risk can be transferred to other organizations, that part of the risk can be subtracted from the net financial risk.

Guide is here.

I have to admit that I was already a fan of Collins’ quantitative style blended with clever insight, but this was the first time that I had seen him in person, and he was just spectacular. He has a vivid, animated way of telling a story, and had a great sense of humor. This combination of presentation skill was put to immediate use with his first statement drawing a hearty laugh from the audience full of entrepreneurs.

“How many of you in the room are constitutionally unemployable?”

Much of his remaining presentation provided interesting stories and insight from the research that he has done to understand the make-up of exceptional companies.

As Jim said, he has spent years studying the contrast between average companies and exceptional companies. They faced the same set of variables… similar economic conditions, similar competition for top human resources, and a similar set of huge unknowns.

What is the single biggest element of difference?

Not a function of the cards you are dealt, or circumstance… it is conscious choice and discipline.

Jim’s key principles & disciplines that have come from the studies we have worked on:

1. Building greatness is a cumulative never ending process! The idea that no matter how exceptional, you are always only relatively as good as to what you can do next.
2. Most overnight successes are 20 years in the making…. Wal-mart  took 13 years to get to 125 stores. Starbucks required 17 years to get to 38 stores.

“If you start to break Packard’s law, and there are very few laws of business, it is like breaking a law of physics for building great companies.” - David Packard (Co-founder of HP)

If you allow growth to exceed your ability to get enough of the right people to fill the key seats to execute on the growth brilliantly, you will fall as surely as a stone dropped from your hand. This is one of those timeless truths that extends beyond technology and economics.

The number one constraint on growth and sustained success…

An ability to get enough of the right people in the key seats to achieve that sustained growth.

The discipline that WHO comes before WHAT. Collins always kept coming back to the “who” thing over and over again. He said, “The more turbulent the world, (given the great current economic uncertainty of our financial system) the more important this issue is.”

A question from the audience came near the end of his session… How do you figure out who are the right people to put in key seats on the bus?

Collins responded with “Given that I stand here amidst a room full of unmotivated people… the right people are self motivated, self disciplined, self managed, The task is not to motivate unmotivated people, the task is not to have to manage people… self motivated, figured it out from there… self motivated people don’t need tons of management … when you have to start managing, you know that you have the wrong person at the task.”

Final thoughts:

Greatness is not a function of circumstance. Greatness is a function of conscious choice and discipline. It is not a matter of circumstance, it is one of choices.

I believe that every one of the Inc. 500 companies that I met at this conference achieved the list because they did not embrace the status quo. Incredible passion, an unwillingness to accept failure and an excessive and compulsive willingness to solve customer’s problems were key ingredients in the business building formula for the entrepreneurs that were at the conference.

The first UEPS transaction was performed on Sunday, August 3, 2008, in Baghdad, Iraq, during the official launch of the UEPS smart card technology with the two state banks namely, Rafidain Bank and Rasheed Bank.

The official launch, attended by invitees from Rafidain Bank, Rasheed Bank, the Iraqi Government, War Victim Ministry and Martyrdom Ministry, demonstrated smart card registration, biometric enrolment and issuing of UEPS cards, offline loading of wage payments and government grants to the UEPS cards and dispensing of cash.

The pilot project involving 100,000 beneficiaries is now ready for implementation across selected bank branches and will enable the distribution and payment of government grants to war victims and martyrdom beneficiaries, as well as salary and wage distribution and payment to employees of the two state banks.

Brenda Stewart, Net1 Senior Vice President Sales and Marketing, said, "From the entire team at Net1, we congratulate the Iraqi consortium on this historic achievement and look forward to the successful implementation of the various projects already identified for implementation, as well as the projects currently in business development. Net1 is proud that the development of its core technology, from which it creates end-user products that satisfy the requirements of its customers, can change the way business is conducted leading to the improvement of people's lives. We share the belief of our Iraqi partners that our technology can play a fundamental role in the upliftment of the economy. The success of any technology should be measured, not only by the profits it generates for its inventors, suppliers and users, but also by the difference that it makes to the lives of people," Stewart concluded.

Some basic statements, the rest of this post will explain:

• C&A is a commodity market
• Security controls assessment is a commodity market
• PCI assessment is a commodity market
• Most MSSP (or rather, Security Device Management Service Providers) services are commodity markets

Now my boss said the first one to me about 4 months ago and it really needed some time for me to grasp the implications.  What we mean by “commodity market” is that since there isn’t really much of a difference between vendors, the vendors have to compete on having the lower price.

Now what the smart people will try to do is to take the commodity service and try to make it more of a boutique service by increasing the value.  Problem is that it only works if the customers play along and figure out how your service is different–usually what happens is you lose in the market simply because now you’re “too expensive”.

Where Boutique Sits by miss_rogue.

Since the security assessment world is a services business, the only way to compete in a commodity market is to pay your people less and try to charge more. But oh yeah, we compete on price, so that only leaves the paychecks as the way to keep the margin up.

Some ways that vendors will try to keep the assessment costs down:

• Hire cheaper people (yes, paper CISSPs)
• Try to reduce the engegement to a formula/methodlogy (ack, a checklist)
• It’s all about billability:  what percentage of your people’s time is not billable to clients? 
• Put people on assessments who have tangential skills just to keep them billable
• Use Cost-Plus-Margin or Time-Plus-Materials so that you can work more hours
• Use Firm-Fixed-Price contracts with highly reduced services ($150 PCI assessments)

Now inside Government contracting, there’s a fact that’s not known outside of the beltway:  your margins are fixed by the Government.  In other words, they only allow you to have around a 13-15% margin.  The way to make money is that the pie is a much bigger pie, even though you only get a small piece of it.  And yes, they do look at your accounting records and yes, there are loopholes, but for the most part, you can only collect this little margin.  If you stop and think about it, the Government almost forces the majority of its contractors into a commodity market.

Then we wonder why C&A engagements go so haywire…

The problem with commodity markets and vulnerability/risk/pen-test assessments is that your results, and by extension your ability to secure your data, are only as good as the skills and creativity of the people that the vendor sends.  Sounds like a problem?  It is.

So knowing this, how can you as the client get the most out of your service providers? This is a quick list:

• Every year (or every other), get an assessment from somebody who has a good reputation for being thorough (ie, a boutique)
• Be willing to pay more for services than the bottom of the market but be sure that you get quality people to go along with it, otherwise you’ve just added to the vendor’s margin with no real improvements to yourself
• Get assessments from multiple vendors across the span of a year or two–more eyes means different checklists
• Provide the assessors with your own checklists so you can steer them (tip from Dave Mortman)
• Self-identify vulnerabilities when appropriate (especially with vulnerabilities from previous assessments)
• Typical contracting fixes such as scope management, reviewing resumes of key personnel, etc
• Get lucky when the vendor hires really good people who don’t know how much they’re really worth (that was me 5 years ago)
• More than I’m sure will end up in the comments to this post  =)

And the final technique is that it’s all about what you do with the assessment results.  If you feed them into a mitigation plan (goviespeak: POA&M) and improve your security, it’s a win.

Bookmark to:

• History of the marathon and Pheidippides
• Discussion of the race length and how it was changes so that the Queen could watch the finish
• World records and what our chances are for making one today
• Graphics of the race course showing the key hills and the “sprint to the finish”
• Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
• Description of energy depletion and “The Wall”
• Stats as the leaders hit the finsh line
• Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

• Paragraph about how agencies are failing to secure their data, the report card says so
• History and trending of the report card
• Discussion on changing FISMA
• Quote from Karen Evans
• Quote from Alan Paller about how FISMA is a failure and checklist-driven security
• Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card.  Pretty typical writing formula that you’ll see from journalists.  I won’t even comment on the “FISMA compliance” title.  Oh wait, I just did.  =)

Some myths about FISMA in particular that I need to dispell right now:

1. FISMA is a report card:  It’s a law, the grades are just an awareness campaign.  In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all.  Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing.  It just goes back to the adage that nobody really knows what FISMA is.
2. FISMA needs to be changed:  As a law, FISMA is exactly where it needs to be.  Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
3. There is a viable alternative framework:  Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA.  Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Cell-Phone Fire Myth photo by richardmasoner.  This myth is dispelled at snopes.com.

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them.  Every couple of months I go back and review it to see if it’s still relevant.  And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions .  According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it:  it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it.  The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

Bookmark to:

Yesterday, Microsoft published the new Security Intelligence Report for the 2nd half of 2007. (home page is http://www.microsoft.com/sir, and the download page is here).

As one of the contributors for the report, I'd like to highlight the findings summary for the Industry vuln trends:

• Vulnerability disclosures decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest disclosures since 2H05.
  
• Despite the decrease, the number of new disclosures across the industry remains in the thousands, with the number of disclosures in 2007 surpassing that of every other year in the study except 2006.
  
• The Common Vulnerability Scoring System (CVSS) used to score vulnerabilities in the NVD was revised in 2007 to increase its accuracy, consistency, and applicability. Retroactively applying the new formula to vulnerabilities disclosed in previous years classifies a much higher percentage of vulnerabilities as High-severity than was previously
  the case. The vulnerabilities disclosed in 2007 continue this trend, with High-severity vulnerabilities accounting for about half of the total number of vulnerabilities.
  
• Vulnerabilities requiring a Low-level of complexity in order to exploit accounted for
  about half of all vulnerabilities disclosed in 2H07. Although this number is relatively
  large, the number has declined significantly from earlier periods.

Here is the high level trend chart from the report:

Regards ~ Jeff

This post was originally going to be a wrap up on RSA. In thinking about that, the current overcrowded state of the security industry came to mind.  This is a topic I have thought about before but in a AHA moment, I wanted to publish instead my own theory of security company relativity or why there are so damn many security companies. Like Einstein before me I have reduced relativity (OK not exactly the same kind of relativity and I ain't no Einstein) to a simple formula.  He had E=mc2, my formula is:

Where "A" equals the acquisition price of a security company, "R" equals the revenue of the company and "V" is the amount of venture money raised. The tilde squiggly line and the greater than sign are made up by me not to have a specific mathematical function but indicate that the amount of money raised is in relation to the revenue of the company  and is the exponential factor involved in finding the acquisition price.  I use squared in deference and in honor of Einstein's theory, but it actually means some exponent of the R and V, not necessarily the square of them. 

So what do I mean by this?  Let me explain.  It is no secret that there are too many security companies. In fact there are something like 800 in a space that would be challenged to support half that number.  Looking around the RSA show floor with some 350 companies or so represented, it is obvious that there is a lot of overlap and not very obvious what some of these companies do.  However, there is a very small number of security companies that are public and have revenue of over lets say 100 million dollars.  Of those the overwhelming majority are in the AV and firewall business.  In fact the smallest AV guys probably dwarf the revenue of most of the other security companies on the floor (Mike Rothman confirms this also).

In the past we have seen consolidation where the big fish eat the little fish. Everyone says we are going to see more consolidation and acquisitions in the time ahead. However, I would say recently that consolidation via acquisition is slowing down and many of those acquisitions are in fact at fire sale prices.  Too many companies are stuck in a purgatory of a slow death by a thousand little cuts or Chinese water torture as they fade into obscurity or irrelevance. As a result my prediction is we are going to see more companies go out of business ala Lockdown Networks, rather than see successful exits by many companies. Yes there will always be some that do well and using my formula will have a great exit, but too many are going to be forced to fire sale or go out of business. 

Why? The overwhelming majority of companies at RSA are stuck at a revenue level of somewhere between 5 and 20 million dollars. I would bet that covers 80% of the companies exhibiting at RSA.  Now 5 to 20 million is nothing to sneeze at.  But on top of this, they are not seeing their year to year growth rate break out substantially beyond that level.  Additionally, in order to grow the business to a sufficient level to support that type of revenue, they have probably raised anywhere from 25 to 40 million dollars over the years it takes to build to that revenue rate.  At those revenue levels and to support the base and modest growth, most of these companies are borderline profitable at best. In order to substantially grow the business would require even more capital.  That means raising more money, which in turns means having to sell for more to get a great return. There is the rub and where my formula comes into play. 

At these revenue levels, they cannot justify an acquisition price that returns a decent return to the investors.  Simply put they are hosed.  Lets say you have 10 million in revenue.  What can you hope to sell for?  A good number could be 40 to 80 million.  If you are 35 million in on VC money, you need every penny of that to return a profit and frankly the way VC's work, that doesn't leave a lot for the employees, founders, etc because of preferential positions and preferred stock. 

The simple answer is to raise the revenue number.  But most of these companies are growing at modest levels. On top of this, it is easy to go from 1 to 2, 2 to 4, 4 to 8.  You start going from 8 to 16 and 16 to 32, that gets tough.  Most of these companies can't do it.  The only way to do so, as I said is to raise more venture money, which means they need a higher acquisition price. They are stuck in security vendor purgatory. 

What is the way out for them or are they doomed?  My next post will talk about the answer.

This post was originally going to be a wrap up on RSA. In thinking about that, the current overcrowded state of the security industry came to mind.  This is a topic I have thought about before but in a AHA moment, I wanted to publish instead my own theory of security company relativity or why there are so damn many security companies. Like Einstein before me I have reduced relativity (OK not exactly the same kind of relativity and I ain't no Einstein) to a simple formula.  He had E=mc2, my formula is:

Where "A" equals the acquisition price of a security company, "R" equals the revenue of the company and "V" is the amount of venture money raised. The tilde squiggly line and the greater than sign are made up by me not to have a specific mathematical function but indicate that the amount of money raised is in relation to the revenue of the company  and is the exponential factor involved in finding the acquisition price.  I use squared in deference and in honor of Einstein's theory, but it actually means some exponent of the R and V, not necessarily the square of them. 

So what do I mean by this?  Let me explain.  It is no secret that there are too many security companies. In fact there are something like 800 in a space that would be challenged to support half that number.  Looking around the RSA show floor with some 350 companies or so represented, it is obvious that there is a lot of overlap and not very obvious what some of these companies do.  However, there is a very small number of security companies that are public and have revenue of over lets say 100 million dollars.  Of those the overwhelming majority are in the AV and firewall business.  In fact the smallest AV guys probably dwarf the revenue of most of the other security companies on the floor (Mike Rothman confirms this also).

In the past we have seen consolidation where the big fish eat the little fish. Everyone says we are going to see more consolidation and acquisitions in the time ahead. However, I would say recently that consolidation via acquisition is slowing down and many of those acquisitions are in fact at fire sale prices.  Too many companies are stuck in a purgatory of a slow death by a thousand little cuts or Chinese water torture as they fade into obscurity or irrelevance. As a result my prediction is we are going to see more companies go out of business ala Lockdown Networks, rather than see successful exits by many companies. Yes there will always be some that do well and using my formula will have a great exit, but too many are going to be forced to fire sale or go out of business. 

Why? The overwhelming majority of companies at RSA are stuck at a revenue level of somewhere between 5 and 20 million dollars. I would bet that covers 80% of the companies exhibiting at RSA.  Now 5 to 20 million is nothing to sneeze at.  But on top of this, they are not seeing their year to year growth rate break out substantially beyond that level.  Additionally, in order to grow the business to a sufficient level to support that type of revenue, they have probably raised anywhere from 25 to 40 million dollars over the years it takes to build to that revenue rate.  At those revenue levels and to support the base and modest growth, most of these companies are borderline profitable at best. In order to substantially grow the business would require even more capital.  That means raising more money, which in turns means having to sell for more to get a great return. There is the rub and where my formula comes into play. 

At these revenue levels, they cannot justify an acquisition price that returns a decent return to the investors.  Simply put they are hosed.  Lets say you have 10 million in revenue.  What can you hope to sell for?  A good number could be 40 to 80 million.  If you are 35 million in on VC money, you need every penny of that to return a profit and frankly the way VC's work, that doesn't leave a lot for the employees, founders, etc because of preferential positions and preferred stock. 

The simple answer is to raise the revenue number.  But most of these companies are growing at modest levels. On top of this, it is easy to go from 1 to 2, 2 to 4, 4 to 8.  You start going from 8 to 16 and 16 to 32, that gets tough.  Most of these companies can't do it.  The only way to do so, as I said is to raise more venture money, which means they need a higher acquisition price. They are stuck in security vendor purgatory. 

What is the way out for them or are they doomed?  My next post will talk about the answer.