I would guess that every one of you reading this blog have a stock portfolio with 5 to 10 individual stocks or mutual funds. There are more than 5,000 publicly listed companies to choose from, and another 5,000 mutual funds. But, out of 10,000 possible companies you chose 10 to invest in. Why? Why did you reject the other 9,990 companies? Obviously there are more than 10 good companies to invest in. Other investors chose to invest their money in the other 9,990 companies…why not you?

I suppose the difference must be that many investors aren’t actively involved in their investments (maybe entrepreneurs are more so, since they have to know a certain investment space quite well)…

It sounds to me a lot like the editorial selection process for book manuscripts, articles, and so forth — editors receive a ton of submissions and they have to be choosy. Sometimes they don’t pick winners; sometimes they pick losers. More importantly, each has a personal style, opinions, preferences, and they are trying to appeal to a certain audience. It’s interesting to think that VCs are similar but makes sense–the end question of “What will be successful” really depends on the consumer base and industry, and VCs are just people who probably know and prefer to interact with a certain type of consumer base or audience.

Collaboration in the Cloud

Forward thinking companies use collaboration technologies to melt away the physical distance between disparate offices, remote workers and suppliers.  Investments in R&D projects to create the next generation of business collaboration technologies and starting to bear early fruits and are worth paying attention to - especially if you get paid to “do security”.  One major focus area is Virtual Worlds.

Teleporting Virgins

The big news in the Second Life research community is that avatars (”virtual people”) have successfully teleported between distinct virtual worlds.  The virgin teleporters went from a Second Life Preview Grid - an experimental grid completely disconnected from the Main Grid - to a virtual world running IBM OpenSIM.

At this stage there is intentionally no asset transfer going on at all - in other words, you can’t take your “stuff” from one world to another - but that will come in time as the Open Grid Protocol is extended.  Today just login and teleport are supported.  No stealing those trade secret “assets” yet ;-).

Linden Labs speaks to this issue:

Q: How will Linden Lab prevent property from being copied into other virtual worlds?
We’re paying extremely close attention to that question. We will be designing this with the Second Life community to ensure their needs are met. We want to stress that when it does become possible to move avatars between worlds, we will take the utmost care to protect the rights of Second Life property owners and creators. Linden Lab will not design a system that lets people openly violate the permissions of SL goods and take them to other worlds. We recognize that intellectual property is the engine that drives Second Life, and we are completely committed to preserving the qualities that make Second Life the unique, innovative and dynamic place that it is today.

With my “hacker-vision” ™ enabled I see *all kinds* of opportunities for mischief here.  I’m betting we’ll see imaginative attacks as the usual cat and mouse game of vulnerability research and vendor response plays out.  “Sorry boss, someone hijacked my avatar and now I’m stuck on this desert island for who knows how long!”.

Threat Profiling Second Life

Getting back to reality, people are already exploring Virtual World security.  Michael Thumann of ERNW in Germany is a pen-tester and security researcher and in this 10 minute video, Michael shares the result of his security research on Second Life.

He covers:

• In-game cheating
• Identity theft
• Attacking 3rd party servers using Linden Scripting Language (think about the liability issues and the providers ability to track abusers)

For those interested in more detail, the full presentation he gave at BlackHat Europe 2008 in Amsterdam is here (pdf).

Of particular note, Michael applied a formal threat model approach to the research - STRIDE from Microsoft.

In a future post I’ll talk more about threat profiling in the context of Cloud Computing vulnerability research and specific API security vulnerability classes we can expect to see exploited.

ScienceLogic: What is “BSM Lite” and how is it different from “heavy” BSM?

Doug McClure: I think the concepts that Peter Sevcik from Net Forecast initially outlined in his blog post sum up what “BSM Lite” is all about: a simpler, less expensive, more responsive way of achieving the goals and objectives of Business Service Management (BSM).  He’s contrasted this nicely against what he termed “BSM Heavy” being the larger investments in time and resources to deploy domain specific tools and solutions each providing a view into the business service delivery with some aggregation and consolidation to tie up all of the disparate tool’s information into a concise end-to-end business service management story.

I’m pleased that he leveraged some of my thinking around a better working definition of what BSM really is from the BSM Defined page on my blog. Of course, these definitions are going to vary depending on whom you talk with and how they see the overall BSM Maturity Model.  I’ve created a BSM Maturity Model that aligns with the famous Gartner IT maturity model.  I’d like to think that a “BSM Lite” solution is one attacking the low hanging fruit, enabling one to achieve value quicker, and in a more tactical manner.  The “BSM Heavy” solutions are capable of the same, but span all along the BSM Maturity Model by adding additional point solutions, products and technologies from their broader portfolio. 

ScienceLogic: Does “BSM Lite” just refer to the tools, or can it refer to the process and methodology as well?

Doug McClure: I think that BSM is as much a philosophy as it is technology, process, people and methodology.  If we can get people to think, operate and respond differently than they do today with a focus on the business, customers, quality, revenue, or whatever else is most important to their business goals and objectives, than that is Business Service Management and could be “BSM Lite” if you will. 

Being that I work for IBM Tivoli, one of my personal objectives is to identify ways to use our key BSM enabling products in a more efficient, effective and BSM centric way. This was a huge driver for trying to hold DevCampTivoli focused on “Collaborative Development of End-to-End BSM Solutions”. 

In my opinion, we don’t make things very easy for our clients and the answer can’t be to “buy this product, module or widget” to fill in the gaps.  In my opinion, we must establish a BSM overlay within IBM Tivoli’s development and product management organization that ensures that we have clearly thought about how to enable BSM with the hundreds or products that we sell.  In my opinion, every product release must incorporate the fundamentals of enabling BSM in addition to the core domain specific functionality intended. I hope to keep this spirit alive and get our smartest IBMers and clients thinking about the best way to take a “BSM Heavy” solution and make it “lighter”. I hope to share more about my plans here and guidance for the industry in general soon.

That said, I am always interested in consulting with clients and collaborate with peers in the industry to figure out how to get the focus on the people, process and technology as key components of their BSM strategies.  I am absolutely convinced that without a documented BSM strategy, roadmap and top level sponsorship within the business and IT, the chances of BSM success greatly diminish.

ScienceLogic: Given the complexities involved in implementing a BSM strategy and dealing with the people and processes components of any business, how does “BSM Lite” really work? Should the expectations and outcomes be “lite” as well?

Doug McClure: Time will tell if “BSM Lite” will work.  I’m seeing emerging companies that are already breaking down some of the barriers to BSM success.  I do not expect that those choosing to begin with a “BSM Lite” approach should expect “lite” outcomes. 

The outcomes are the same regardless of the approach IF you’ve got a documented BSM strategy, roadmap and top level sponsorship in place before you begin. New features, capabilities and technologies will be needed as the needs of the business change and companies mature in BSM and fundamental IT management. This will likely force companies to move in more “BSM Heavy” directions to fill those gaps. 

In my opinion, this is the ideal scenario now as it gives “BSM Lite” vendors opportunities to grow their products and solutions. It also GREATLY improves the chances for success with a “BSM Heavy” solution because the organization would have already had matured enough to approach a “BSM Heavy” solution than if they hadn’t done a “BSM Lite” solution in the past.

ScienceLogic: Is “BSM Lite” more appropriate for a small or midsized organization, or does it apply equally to large companies? Is there an ideal profile for a company that can successfully implement a BSM strategy? Is there a different profile for “BSM Lite”?

Doug McClure: From an economic perspective, the concepts of “BSM Lite” are appropriate for all companies.  Remember, with “BSM Lite” we’re focused on identifying ways to make the goals and objectives of BSM easier to implement and in a more cost effective way.  Any company concerned about their IT cost overhead should care about this, especially when the risks of starting out with a “BSM Heavy” type deployment are much greater and the time to value generally much longer.

The “ideal” profile for any company is one where the BSM initiative begins by establishing top level buy in through creation of a formal BSM strategy for the company. This BSM strategy personalizes how the company defines what BSM is, what value the company expects from it, and how it will use BSM as a competitive differentiator for delivery of its business and IT services, products, etc.

The organizational “profile” I’ve seen most successful is when implementing a BSM strategy originates from within or actively includes a group that many companies have now that serves as a liaison or relationship management role between the various lines of business and IT. Sometimes this group is often seen as the gatekeeper to filter (and hinder) business driven requirements into the IT organization. In the ideal scenario, this group works very closely with the business and IT (usually staffed by business people and not IT people) to understand both the business side and IT side of complex business services and applications. 

Apart from the traditional IT components, what this group can do is help IT really understand the business perspective.  Analysis of the impact on the business in business terms is only possible by collaborating with a group such as this.  True value oriented BSM becomes attainable when we get to this level of IT and business alignment, cooperation, collaboration and communication.

If BSM is an IT only initiative, this will likely result in an IT centric perspective severely lacking in the necessary business perspective.  In these cases where IT doesn’t invest their BSM efforts with the business as an equal partner, the implementation ultimately becomes a “CYA” tool for IT and not achieve the desired value oriented expected.

To some degree “BSM Lite” may have an entirely different profile. If we see the price points, complexity and time to value change significantly we may see these types of deployments originate exclusively within the Line of Business. The possibility may exist where large enterprises operating in a shared IT services or IT outsourcing type model that the Line of Business brings in a “BSM Lite” solution to gain the visibility, checks and balances needed to ensure that the LoB’s needs are being met from the internal/external provider. I’d envision that “BSM Lite” may even be capable of operating within a “SaaS” model or other managed service type offering where the price points are below the signing levels triggering broader IT involvement and review.

To Be Continued…

ShareThis

• "VM instance is NOT a server" - thus physical separation is required.
• "VM IS a different machine, might be different OS, etc" - thus it IS sufficient separation.
• "VM is like a VLAN" - thus VM separation IS adequate separation. Then again: some say VLANs are not sufficient separation either.

• Reported the incident to the Virginia State Police and the FBI;
• Contacted the web page host to demand that the page be disabled;
• Removed all credit card information from the affected area of our database and moved it to a secured area of the database that cannot be accessed by the method used during the incident;
• Installed an additional database security solution to detect and prevent any future attempted security breaches;
• Sent notice to affected customers by letter and e-mail
  

In Tech Spending Hit by Subprime Mess, Jeffery Schwartz says,

“According to Tabb, spending on development is being refocused on projects that can help firms improve their margins and, not surprisingly, do a better job at risk management. As such, investments in capabilities such as algorithmic trading and complex event processing (CEP) are likely to be pivotal in some firms’ efforts to become more competitive and improve their efforts at mitigating risks.”

“But for some banks that have deployed such technologies — the now-defunct Bear Stearns, Lehman Brothers, Citigroup and Merrill Lynch — the question is: How did these companies fail to mitigate the risks that have slammed their businesses if their development teams were developing and deploying sophisticated systems?

“There is definitely an awareness that perhaps the systems that existed in place to assess the value of portfolios or judge risk [are being scrutinized],” said Stevan Vidich, an industry architect in Microsoft’s financial services group. “

He added that there is strong interest in CEP and other risk management methodologies. A growing number of shops have started deploying such solutions based on the .NET Framework, Vidich said, and he believes such investments will continue.

“Clearly, there’s a lot of need to deal with the immense influx of data and being able to analyze data in a timely manner,” Vidich said. “It also drives need for systems like business intelligence, or BI, applied to a near-real-time scenario, which is a very attractive proposition.”

What are these guys on Wall Street smoking? 

This is the precise “over hyping” problem I have warned about repeatedly.   Folks selling rule engines that perform basic calculations over a time window of streaming data have been marketing their wares as “superbrains” that can solve very complicated problems and, at the same time, save Wall Street and The Planet.

Let me be perfectly clear here Wall Street.  Listen very carefully.

There is nothing in any of the so called CEP products in the market place that is going to stop losses related to the subprime meltdown effecting the “now-defunct Bear Stearns, Lehman Brothers, Citigroup and Merrill Lynch,” as Jeffery Schwartz implies.

To imply that the risk management (and corporate governance) required to mitigate the current crisis on Wall Street can be foreseen, solved, or even mitigated, by a rules engine (or any software) is complete and absolute fantasy.   

I think the fever created by the subprime flu is putting folks on Wall Street, or at least the vendors and the analysts pandering to them, in a Capital Market CEP Fantasy Land.

“According to Tabb, spending on development is being refocused on projects that can help firms improve their margins and, not surprisingly, do a better job at risk management. As such, investments in capabilities such as algorithmic trading and complex event processing (CEP) are likely to be pivotal in some firms’ efforts to become more competitive and improve their efforts at mitigating risks.”

“But for some banks that have deployed such technologies — the now-defunct Bear Stearns, Lehman Brothers, Citigroup and Merrill Lynch — the question is: How did these companies fail to mitigate the risks that have slammed their businesses if their development teams were developing and deploying sophisticated systems?

“There is definitely an awareness that perhaps the systems that existed in place to assess the value of portfolios or judge risk [are being scrutinized],” said Stevan Vidich, an industry architect in Microsoft’s financial services group. “

He added that there is strong interest in CEP and other risk management methodologies. A growing number of shops have started deploying such solutions based on the .NET Framework, Vidich said, and he believes such investments will continue.

“Clearly, there’s a lot of need to deal with the immense influx of data and being able to analyze data in a timely manner,” Vidich said. “It also drives need for systems like business intelligence, or BI, applied to a near-real-time scenario, which is a very attractive proposition.”

What are these guys on Wall Street smoking? 

This is the precise “over hyping” problem I have warned about repeatedly.   Folks selling rule engines that perform basic calculations over a time window of streaming data have been marketing their wares as “superbrains” that can solve very complicated problems and, at the same time, save Wall Street and The Planet.

Let me be perfectly clear here Wall Street.  Listen very carefully.

There is nothing in any of the so called CEP products in the market place that is going to stop losses related to the subprime meltdown effecting the “now-defunct Bear Stearns, Lehman Brothers, Citigroup and Merrill Lynch,” as Jeffery Schwartz implies.

To imply that the risk management (and corporate governance) required to mitigate the current crisis on Wall Street can be foreseen, solved, or even mitigated, by a rules engine (or any software) is complete and absolute fantasy.   

I think the fever created by the subprime flu is putting folks on Wall Street, or at least the vendors and the analysts pandering to them, in a Capital Market CEP Fantasy Land.

• State of Nature. State of Nature just means what the current state is.  There are two ISSA Journals on my desk right now - State of Nature statement.

• State of Knowledge:  Analysis derived from examination of State of Nature.  “One of these ISSA Journals has an article co-authored Donn Parker on ROI.  I’ve read it, and it makes some statements he regards as truth.  Looking at those, well, I know that risk is quantifiable, best practices have significant issues, and there are many, many other statements of authority in the article that I can refute on evidence.” - Analysis or State of Knowledge.

• State of Wisdom:  Synthesis from the analysis.  The “So” moment.  “So since there are many statements of authority made in the article that I can refute on evidence, I should be open but skeptical about whether the conclusions of this article are likely to have much value to me in my quest to understand the value of risk reducing investments.”  What I’ve synthesized from the quality of the article - State of Wisdom.

(Just a clue for our readers, anytime you read someone talk about risk and mention the term “actuarial” - be skeptical about the conclusions they have you draw from the statement using that word. 9 times out of 10 what I’ve read after someone says actuarial is made as authoritative but shows a level of ignorance on the subject.  If you really want to mess with them - say “Really! Well, tell me how you feel about the use of non-parametric Bayesian Methods” and wait… )

MMMMM-MMMMMMM CHECKLISTS!

So what about Checklists?  They’re worth discussing because we’re swamped by them!  Heck, we’ve got people in love with the idea of checklists of checklists and claiming GRC nirvana is not in the checklist itself, but in the mapping of checklists.

Here ya go:  Checklists have one of two uses -

First they can give us a path to accomplish something.  I make a checklist every morning I call a “Todo List”.   Useful Checklists could be as Curphey mentions - steps for operating machinery or performing a certain task (heck, scientific method could be said to be a checklist of steps in analysis).  Checklists are useful in this way because, well, we’re fallible, absent minded, and novices.  They serve to reduce some level of variability in a process.

Second, they can help us develop a State of Nature.  PCI or the ISO are very nice checklists that, once you’re done, certifies that you have the existence of a certain amount of control.  Again, this serves to reduce some level of variability, comparing you to a “best practice”.

And so…..

They are both useful in each use - as long as the limitations therein are understood!   And that’s where we get into trouble.  Too many times we believe that checklists are a State of Knowledge.  Checklists allow for some limited analysis, just like the use of ordinal numbers to describe “risk” - they only serve to identify some level of variability, nothing more.

But outside of that they usually offer us no analytical function at all, they cannot provide a State of Knowledge and therefore, more succinctly, Checklists are dumb.

As slightly paranoid, skeptical and jaded risk management professionals, we know this to be true.  A PCI compliant company may or may not be at all “secure” or “risk-free” or even “risk-reduced”.  That’s an aspect of analysis that the checklist is some prior information for, but not nearly all the information we need for an analysis of risk or even a statement about the ability to control or resist.  We know an ISO certified organization did what they claim they do enough to at least fool an auditor once, but cannot arrive at any other State of Knowledge without more effort.

Make no mistake, the checklists we commonly deal with provide a very, very limited State of Knowledge.  Only analysis (with rigor and testing) will provide that.  And note that a State of Wisdom (what we’re really after, after all) is predicated on a strong State of Knowledge.

WHAT ARE YOU MANAGING TOWARDS, REDUX
So if checklists only provide a State of Nature, and are incapable of really giving us Knowledge or Wisdom - then let me encourage you to think about the amount of time you spend just getting a certain State of Nature and the relative return on that investment vs. the amount of time you spend in analysis and synthesis.  Is your time best spent mapping checklist to checklist - or is it better spent developing the analytics that allow us to synthesize wisdom?

AMAZE AND CONFUSE YOUR FRIENDS AUDITORS
Let me finish by encouraging you to have a frank discussion with those who perform your audit function.  You must really pin them down if they are out to give you any analysis at all - and when/if they do provide analysis - press them on what rigor they use to create a State of Nature, and then the means by which they create a State of Knowledge (that belief statement based on the State of Nature they see).