First of all, as background information, I learned the Thai alphabet (script with 44 consonants and 32 vowels) nearly 20 years ago, so I have have a pretty decent foundation for the Thai language compared to most foreigners visting or working in Thailand.   I can read (slowly) and speak better than 99.99+ percent of all foreigners in Thailand.  For this reason, I thought it was ”the right thing to do” to redirect my career to a “new challenge” in the business climate of Thailand as I continue to improve my foreign language skills.   I wanted to help Thailand progress in IT and IT security, so where else would I go but where I have second language skills?

This was no small decision as you can imagine.  Your career and life changes quite dramatically when you give up a long established consulting practice in the US and dive into business in a foreign land, seeking a new challenge.  I can frankly tell you thatit is more difficult to do business in Thailand (as a foreigner) than I expected, for a number of reasons.  Here is my first off-topic post on this topic.

First of all, it is not legal for foreigners to directly own land in Thailand.  Foreigners can ”own” land using a variety of legal loopholes, proxy owners and shell companies; but all of this is risky and not advised.  Many foreigners lose a lot of money coming to Thailand and attempting to buy land via various “structures”.  Some get lucky, but the entire process of foreigners buying and selling land is quite risky and not recommended.

Foreigners can legally own condominiums, under certain conditions, but this “foreign market” results in inflated prices for condos in Thailand that are traded in an “artificial market place” designed for foreigners.   Condos in Bangkok and major resort areas that are up-to-par with condos in the US can easily cost more than condos in major cities in the US.  Hence, the cost of living in Thailand is not as economical as some might believe when you visit Thailand as a tourist.

Second, business in Thailand can best be described as protectionism with discrimination where the government has placed many barriers to entry to foreigners working and competing in Thailand.     Every foreigner must have a work permit and these work permits are expensive and time consuming to maintain.   If you own a business you must pay high professional service fees for “auditors” to perform annual and semiannual audits regardless of how much income you have (including zero).   Firms in Thailand charge thousands of dollars for these ”audits”.      

Third, if you operate a business in Thailand, you must have a place of business (you cannot legally work from your condo you bought at high prices!), so you are forced, by law, to lease office space.   Foreigners from the US, for example, must be paid a minimum of 50,000 Thai Baht per month, so the government will take 10 percent of that each month as their share of tax withholdings.  Startups with no income simply pay income taxes against their personal savings to comply with the law.  Therefore, to start a company and maintain the business in Thailand, you are required to pay significant startup, monthly, semi-annual and annual fees, permits, tax, leases, visas, etc. 

Forth, generating incoming revenue in Thailand can be quite difficult in a climate of both protectionism and discrimination.   In Thailand, it is easy when you are spending money.  This is the ”Land of Smiles” that tourists see and experience.   However, when you are legally permitted to work in Thailand and trying to generate in-country income, you cannot help but notice the protectionism and discrimination against foreigners working and living here.  Many foreigners working in Thailand just “give up” because the barriers to business success are quite high.

Fifth, on top of the challenges of protectionism/discrimination regarding foreigners and foreign investments, which I have only just scratched the surface here, is the overall global business slowdown combined with a climate of political instability which I am sure you have seen in the news.  Thailand has seen 18 coups since 1932.   Currently, Thailand is under a State-of-Emergency  which negatively impacts business even more.  Sound challenging? 

Most people who live and work in Thailand have the opinion that it is far better to enjoy being a tourist here. Working in Thailand is very difficult for many reasons.   Being a tourist in Thailand is completely different than working here.  When you are a tourist, foreign currently flows from you into Thailand, so life in Thailand as a tourist is fun and friendly, hence the “Land of Smiles” you have heard about or experienced.     However, when you are working in Thailand and trying to generate income from Thailand versus bringing in foreign currency, you don’t see the “Land of Smiles” quite the same anymore.

Without getting into too many details in this post, I can simply say that a foreigner doing business in Thailand experiences both protectionism and discrimination.  I came to Thailand hoping to contribute my experience to help the Kingdom.  However, sometimes it feels like foreigners are only welcome if you are working for free, giving seminars for free, and bringing in lots of foreign currency here.

In a future post on business in Thailand I will dive into some details on a number of topics that might be of interest to readers who will never have a chance to come and work here.   

First of all, I learned the Thai alphabet nearly 20 years ago, so I have have a pretty good foundation for the Thai language.   I can read (slowly) and speak better than 99.99+ percent of all foreigners in Thailand; so, I thought it was time to redirect my career to a “new challenge” in the business climate of Thailand.   

This was no small decision.  Your career changes dramatically when you give up a successful consulting practice in the US and dive into business in a foreign land for a new challenge.  I can frankly tell you that often the challenge is sometimes overwhelming.    It is quite difficult as a foreigner to do business in Thailand.

First of all, it is not legal for foreigners to own land in Thailand.  Foreigners can ”own” land using a variety of legal loopholes, proxy owners and shell companies; but all of this is risky and not advised.  Foreigners lose a lot of money coming to Thailand and attempting to buy land.  Some get lucky, but the entire process of foreigners buying and selling land is quite risky.

Foreigners can own condos, under certain conditions, but this results in  inflated prices for condos in Thailand that are traded in an artificial market place.   Condos that are up-to-par with condos in the US can easily cost more than condos in major cities in the US.  Hence, the cost of living is not as cheap as some might believe.

Business can best be described as “protectism” where the government has placed many barriers to entry to foreigners working in Thailand.     Every foreigner must have a work permit and these work permits are expensive and time consuming to maintain.   If you own a business you must pay high professional service fees for auditors to perform annual and semiannual audits even if your business has no income yet.   Firms in Thailand charge thousands of dollars for these ”audits”.      

In addition, if you operate a business, you must have a place of business, so you are forced to lease office space.   Foreigners from the US must be paid a minimum of 50,000 Thai Baht per month, so the government will take 10 percent of that each month as their share of tax withholdings.   Therefore, to start a company, you will pay a lot of money in startup fees, permits, tax, leases, visas, etc.  The entire system is designed to secure money from you, even if you do not have a penny of incoming revenue.

Of course, generating incoming revenue can be quite difficult in a climate of protectionism.   In Thailand, it is easy when you are spending money.  When you are trying to generate income from Thailand, as a foreigner the challenge can seem overwhelming at times.   Many foreigners here give up because the barriers to business here are very high.

On top of all these challenges, which I have not described in detail, is the overall global business slowdown combined with a climate of political instability, which I am sure you have seen in the news.  

Most people I know say it is better to be a tourist here.   Being a tourist is completely different.  Money flows from you, so life in Thailand is fun and friendly, complimentary to the “Land of Smiles” you have heard about.     However, when you are working to have money flow the other direction, flow to you versus away from you, you don’t see the “Land of Smiles” as tourists experience.

Without getting into too many details, I can simply say that a foreigner doing business in Thailand experiences protectionism and, to a certain degree, discrimination, and sometimes I wonder if coming here for a “business challenge” was a good idea.    I was seeking a “new challenge” and I got more than I bargained for!

In a future post on business in Thailand I will discuss issues regarding how little value is placed in intellectual property in Thailand and how this adversely impacts professional services.    I will also touch on how this lack of regard for intellectual property impacts a consulting practice.   Also, I will touch on some cultural differences in how Thais appear to view teamwork, which is very different than in the US.

It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And in response, vendors are providing ROI models that demonstrate how their particular security solution provides the best return on investment.

It's a good idea in theory, but it's mostly bunk in practice.

Before I get into the details, there's one point I have to make. "ROI" as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.

But as anyone who has lived through a company's vicious end-of-year budget-slashing exercises knows, when you're trying to make your numbers, cutting costs is the same as increasing revenues. So while security can't produce ROI, loss prevention most certainly affects a company's bottom line.

And a company should implement only security countermeasures that affect its bottom line positively. It shouldn't spend more on a security problem than the problem is worth. Conversely, it shouldn't ignore problems that are costing it money when there are cheaper mitigation alternatives. A smart company needs to approach security as it would any other business decision: costs versus benefits.

The classic methodology is called annualized loss expectancy (ALE), and it's straightforward. Calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk. So, for example, if your store has a 10 percent chance of getting robbed and the cost of being robbed is $10,000, then you should spend $1,000 a year on security. Spend more than that, and you're wasting money. Spend less than that, and you're also wasting money.

Of course, that $1,000 has to reduce the chance of being robbed to zero in order to be cost-effective. If a security measure cuts the chance of robbery by 40 percent -- to 6 percent a year -- then you should spend no more than $400 on it. If another security measure reduces it by 80 percent, it's worth $800. And if two security measures both reduce the chance of being robbed by 50 percent and one costs $300 and the other $700, the first one is worth it and the second isn't.

The Data Imperative

The key to making this work is good data; the term of art is "actuarial tail." If you're doing an ALE analysis of a security camera at a convenience store, you need to know the crime rate in the store's neighborhood and maybe have some idea of how much cameras improve the odds of convincing criminals to rob another store instead. You need to know how much a robbery costs: in merchandise, in time and annoyance, in lost sales due to spooked patrons, in employee morale. You need to know how much not having the cameras costs in terms of employee morale; maybe you're having trouble hiring salespeople to work the night shift. With all that data, you can figure out if the cost of the camera is cheaper than the loss of revenue if you close the store at night -- assuming that the closed store won't get robbed as well. And then you can decide whether to install one.

Cybersecurity is considerably harder, because there just isn't enough good data. There aren't good crime rates for cyberspace, and we have a lot less data about how individual security countermeasures -- or specific configurations of countermeasures -- mitigate those risks. We don't even have data on incident costs.

One problem is that the threat moves too quickly. The characteristics of the things we're trying to prevent change so quickly that we can't accumulate data fast enough. By the time we get some data, there's a new threat model for which we don't have enough data. So we can't create ALE models.

But there's another problem, and it's that the math quickly falls apart when it comes to rare and expensive events. Imagine you calculate the cost -- reputational costs, loss of customers, etc. -- of having your company's name in the newspaper after an embarrassing cybersecurity event to be $20 million. Also assume that the odds are 1 in 10,000 of that happening in any one year. ALE says you should spend no more than $2,000 mitigating that risk.

So far, so good. But maybe your CFO thinks an incident would cost only $10 million. You can't argue, since we're just estimating. But he just cut your security budget in half. A vendor trying to sell you a product finds a Web analysis claiming that the odds of this happening are actually 1 in 1,000. Accept this new number, and suddenly a product costing 10 times as much is still a good investment.

It gets worse when you deal with even more rare and expensive events. Imagine you're in charge of terrorism mitigation at a chlorine plant. What's the cost to your company, in money and reputation, of a large and very deadly explosion? $100 million? $1 billion? $10 billion? And the odds: 1 in a hundred thousand, 1 in a million, 1 in 10 million? Depending on how you answer those two questions -- and any answer is really just a guess -- you can justify spending anywhere from $10 to $100,000 annually to mitigate that risk.

Or take another example: airport security. Assume that all the new airport security measures increase the waiting time at airports by -- and I'm making this up -- 30 minutes per passenger. There were 760 million passenger boardings in the United States in 2007. This means that the extra waiting time at airports has cost us a collective 43,000 years of extra waiting time. Assume a 70-year life expectancy, and the increased waiting time has "killed" 620 people per year -- 930 if you calculate the numbers based on 16 hours of awake time per day. So the question is: If we did away with increased airport security, would the result be more people dead from terrorism or fewer?

Caveat Emptor

This kind of thing is why most ROI models you get from security vendors are nonsense. Of course their model demonstrates that their product or service makes financial sense: They've jiggered the numbers so that they do.

This doesn't mean that ALE is useless, but it does mean you should 1) mistrust any analyses that come from people with an agenda and 2) use any results as a general guideline only. So when you get an ROI model from your vendor, take its framework and plug in your own numbers. Don't even show the vendor your improvements; it won't consider any changes that make its product or service less cost-effective to be an "improvement." And use those results as a general guide, along with risk management and compliance analyses, when you're deciding what security products and services to buy.

This essay previously appeared in CSO Magazine.

“Event processing has been going on for more than fifty years.”

However, in On Event Processing as a Discipline and Some Subsets another colleague mistakenly blogs,

“… people who dealt in this area [network management and event correlation] have never investigated event processing in the larger sense (e.g. looking at additional patterns), and this area has also not spawned the event processing discipline.”

If you examine just one page from the CEP history at Stanford, researchers there outlined their view of the future applications for CEP, as follows:

• Instant Insight  - hierarchical event viewing applied to the Enterprise IT layer.
  • Analysing business processes
• Network Level Monitoring and Management
• Cyber Security: Network Intrusion Detection
• Enterprise Monitoring and Management
• Modeling and Simulation of Collaborative Business Processes
• Business Policy Monitoring
• Analysis and Debugging of Distributed Systems

These applications areas mentioned by Stanford researchers, including Professor Luckham, support and validate our recent discussion Magic Quadrant for IT Event Correlation and Analysis, 2007 where we concluded that “event correlation and event analysis is Gartner’s closest magic quadrant (MQ)  [...] relates directly to complex event processing (and event processing in general).”  

If you take a detailed look at the 1999 CEP presentation, Defeating Large Scale Attacks: Technology and Strategies for Global Network Monitoring you will readily see that our colleagues are incorrect when they says that event correlational and network management folks have never investigated event processing in the “larger sense”.  For example, the 1999 slides above, Stanford, slide 6, is titled “Complex Event Processing,” defining CEP from the application perspective of event correlation;

Complex Event Processing

• Accept network ‘events’ from any source
  • CISCO NetFlow FlowCollector, tcpdump
• Correlates events based on content and temporal relationship between events
• Event Processing Agents (EPAs) connected in an Event Processing Network (EPNs)
• Both post-mortem and real-time processing

This single event correlational project example from David’s team at Stanford examined the challenging event correlation problems in the context of hierarchical events, maps, patterns, visualization tools, event processing models, patterns languages, network management abstraction layers, and more.  Those core event processing problems from this 1999 example, very large and complex then, still exist today and are much more large and complex - precisely why it is called “complex event processing.”

It is quite obvious, in just this one example, that many folks have been looking at event correlation as a motivating application for event processing, in a larger context, for a long time, contrary to what our colleagues write in their “history of event processing” posts.  

In a future post I will completely debuke these event processing “history revisionists.”   I will illustrate very clearly how the history of event processing goes back at least a decade, and perhaps two (twenty years) before the history outlined in posts like On Research and Practice in Event Processing and The History of Complex Event Processing. 

David Luckam stated that the art-and-science of event processing goes back around 50 years. 

I am not sure I will go all the way back to 1960 in my next post on the history of event processing.  However,  I will go back at least to the early days of Internet Protocol (IP) networking and illustrate why distributed IP networking, network management and network security, is one of the key  motivating factors for what we now call “event processing” and “complex event processing.”

Here’s an interesting post on High Earth Orbit about the usage and promotion of open source software for defense contracts. As a developer of open source tools, Andrew Turner of course brings up some “pros” for the government to push open source, but it’s the “cons” that are really interesting. A big “con” – the US government having something called “sovereign immunity” which apparently means something like it can’t be sued unless it consents to be sued. Hunh – the Republic of ScienceLogic-Land? Closing the loop here, a federal appeals court just boosted open-source software licenses by saying that any infringements can now get more severe remedies under copyright law (instead of contract law); here’s the case, Jacobsen v Katzer. But apparently not if it’s the US government?? Who knows more?

Does Linus Torvalds hate everyone except for developers? You have to check out this article on an email exchange he had with Network World this week, talking about how fed up he is with the “security circus”. Over the course of the exchange and some other comments from last month, he manages to blast security folk, OpenBSD (on security) in particular, vendors and PR people (of course). In the midst of the barrage of colorful language, it’s difficult to really get his point – which if you can dig it out, ends up being surprisingly sensible.

Sharon Taylor, Chief Architect of ITIL V3, recently wrote that with the release of the latest version of ITIL, BSM is now an ‘ITIL best practice.’ You say potato… “The distinction between IT and the business has blurred, and the language of IT has been replaced with the language of the business.”

The Bottom Line

While there has been much consternation and alarm-raising over the potential for widespread proliferation of biological weapons and the possible use of such weapons on a massive scale, there are significant constraints on such designs. The current dearth of substantial biological weapons programs and arsenals by governments worldwide, and the even smaller number of cases in which systems were actually used, seems to belie -- or at least bring into question -- the intense concern about such programs.

While we would like to believe that countries such as the United States, the United Kingdom and Russia have halted their biological warfare programs for some noble ideological or humanitarian reason, we simply can’t. If biological weapons were in practice as effective as some would lead us to believe, these states would surely maintain stockpiles of them, just as they have maintained their nuclear weapons programs. Biological weapons programs were abandoned because they proved to be not as effective as advertised and because conventional munitions proved to provide more bang for the buck.