So, my dear readers, imagine how amazed I was to find myself being truly inspired by my CEO,  for the first time in my working life! Philippe’s “no-B.S.” approach definitely works for me. I listened to his speech at a company meeting last week and – I am serious! – that was the most interesting, visionary AND inspiring speech that I’ve heard in a long time. It was clear what we’ve been doing, what worked, what didn’t and what we need to be doing and why it will work.

I already learned more than a few things from him just by listening to him  speak or conduct a meeting (or by watching him beat up a job candidate…). For example,  one CAN be “positive, but not marketing-ish,” even if situation is difficult. If one has an issue, one has to face it with no sugarcoating rather than ’play’ positive and pretend the issue is not there. One can have BOTH a driving vision AND be attentive to customers. One CAN release something when it is ready, not a year before :-) Etc, etc.

Finally, while some choose to lay people off, we at Qualys  ARE HIRING!  Come join us and help build the SaaS security platform that actually works! Specifically, we are looking for TAMs (kind like an SE, but better :-)), PMs and a lot of engineers.

According to comments allegedly made by Howard Cox, a US Department of Justice official in a closed-door meeting last week, after being frustrated with the disk encryption employed by Yastremskiy, Turkish law enforcement may have resorted to physical violence to force the password out of the Ukrainian suspect.

Mr Cox's revelation came in the context of a joke made during his speech. While the exact words were not recorded, multiple sources have verified that Cox quipped about leaving a stubborn suspect alone with Turkish police for a week as a way to get them to voluntarily reveal their password. The specifics of the interrogation techniques were not revealed, but all four people I spoke to stated that it was clear that physical coercion was the implied method.

Recently, Thinking Problem Management wrote on the concept of Hansei-Kaizen.  That started me thinking about Information Risk Management, Information Security, the role of the security group and the analytical function. The following isn’t necessarily a revelation, but as I’ve a friend interviewing for a CISO-type job at a Fortune 20 this week and they are focused on a not dissimilar business management philosophy, I thought I’d write a little about the subject.

Hansei-Kaizen is the process of relentless reflection (Hansei) and continuous improvement (Kaizen).  It might be thought of as part of the Deming Plan, Do, Check, Act cycle.  In fact, Taiichi Ohno, father of Toyota’s production system (Lean Manufacturing) is quoted as saying:   “Check (in PDCA) is Hansei”.

image from the awesome Panta Rei weblog

Now those who have had exposure to Six Sigma and management theory are already probably very well acquainted with the concept of Kaizen.  I think anyone who has held a security management position would argue that continuous improvement is a very admirable goal.  And I don’t think we need to talk necessarily about what improvement is and why it needs to be continuous.

But what is usually not given a great deal of consideration in  our profession is this concept of “relentless reflection”, the “Hansei” bit. And a lack of Hansei can be a source of frustration to those we work with and report to.  In fact, there’s a great presentation by Dr. Hwang Chi Hong available via search engines that explains:

Hansei (reflection) alone only generates staff unhappiness.  Kaizen (continuous improvement) alone only wastes creativity.

Cool huh?

So what’s this got to do with Risk Analysis?

If we can agree that continuous improvement is an admirable goal for security management, security departments, and even security vendors, then in light of the quote above we have some questions to ask ourselves;

• what is this relentless reflection (Hansei),
• what should we be relentlessly reflecting about, and
• how much work is being put into, and how good are we at, Hansei?

I’d like to focus on that for the next few blog posts this week, because I think that adding structure around this concept may be a “pragmatic” (Hi Mike!) compliment to many of the CISO  “self-help” books I’ve been seeing.

Hobby groups throughout North America have cracked supposedly unbeatable locks. Mr. Nekrep, who maintains a personal collection of more than 300 locks, has demonstrated online how to open a Kensington laptop lock using Scotch tape and a Post-it note. Another Lockpicking101.com member discovered the well-publicized method of opening Kryptonite bike locks with a ball-point pen, a revelation that prompted Kryptonite to replace all of its compromised locks. Other lock manufacturers haven't admitted their flaws so readily. Marc Tobias, a lawyer and security expert, recently shook up the lock-picking community by publishing a detailed analysis of how to crack the uncrackable: Medeco locks. "We've figured out how to break them in as little as 30 seconds," he said. "[Medeco] won't admit it, though. They still believe in security through obscurity. But by not fixing the problems we identify, lock-makers are putting the public at risk. They have a duty to disclose vulnerabilities. If they don't, we will."

From Seattle Times:

Four years after Abdul Qadeer Khan, the leader of the world’s largest atomic black market, was put under house arrest and his operation declared over, international inspectors and Western officials were confronting a new mystery left by him, this time over who might have received blueprints for a sophisticated and compact nuclear weapon found on his network’s computers.

Working in secret for two years, investigators have tracked the digitized blueprints to Khan computers in Switzerland, Dubai, Malaysia and Thailand. The blueprints are electronic and could be rapidly reproducible for creating a weapon relatively small and easy to hide, making it attractive to terrorists.

The revelation over the weekend that the Khan operation even had such a blueprint underscores the questions that remain about what the Pakistani metallurgist and the father of Pakistan’s nuclear-weapons program, was selling and to whom.

It also raises the possibility he may still have sensitive material in his possession.

Read on.

Article Link

Good presentation skills are an important and valuable asset. Selling the benefits of an information security program or project can be challenging so it's good to be armed with a good set of techniques for getting across the right messages regardless of audience or the amount of time available.

As some of you may know Richard Stiennon and I have had our disagreements over the years around NAC.  But say what you want about Rich, at least he had the stones to ask what many of you would probably like to ask but wouldn't. Here is Rich's comment and my reply:

Posted by Stiennon: OK, so one well regarded security company turns out not to be that successful after all. As you point out Allen, from the press releases everything seemed like it was going great for Lockdown. As you know I think NAC is a waste of time (the health checking part, not the access control part). And of course I am going to say that companies founded on purely bad concepts like admission control are going to fail and Lockdown is a great example. So here is the question, thou supporter of NAC. How are we to know whether or not StillSecure is on the brink of shuttering its doors as well? How can you assure us that NAC is such a great concept that customers are beating down your doors to get some of that magic? Just wondering..... -Stiennon

Richard, first of all thanks for the opportunity to respond. Secondly, you would think after all this time you would know that my name is spelled Alan.  With that out of the way, lets dive in here. 

First of all on your characterization of NAC being all about health checking, Richard NAC has grown beyond that a long time ago and I don't see much sense in us wasting time on that one.  But for the record maybe you should let Microsoft, Symantec, McAfee and all the rest of the host based health checkers in on your revelation.

Next Richard, who said Lockdown was a well regarded security company and that it was founded on a pure concept of admission control?  You know what happens when you ass-u-me Richard, don't you?  I have been out here hammering on a lot of these companies that I don't think have real solutions.  There has been a ton of smoke and mirror games from marketing people (you wouldn't know about any of that would you Richard?).  When I called these companies on the BS, too many people said I was just being biased against them.

You don't see StillSecure putting out those kinds of releases. Fact is Lockdown with all due respect to the folks there, was set up from the beginning to be a quick flip.  It was a speculative an endeavor as some of the condo owners who are left holding the bag down here in South Florida.  They were going to do something around vulnerability management and flip this quick.  Richard, I have been there.  When you dress up a pig for market, often times you end up with a dressed up pig. No amount of lipstick is going to help. On the other hand, we just keep executing.  At the end of the day Richard, companies who succeed are companies that execute.  You have certainly been at your share of companies and should know that by now.

Now lets get down to brass tacks.  Just because Lockdown and a few other NAC companies that did not have competitive products went out of business, does that mean all NAC companies are going out of business?  Talk about painting with a broad brush Richard!  Thats like saying all analysts are ignorant because look how many times some of their predictions are wrong (anybody see any IDS out there today?)  Not all analysts are ignorant Richard, just the ones who keep making the wrong assumptions and predictions (and they usually wind up going to VP of marketing roles).  Cream always rises to the top Richard and quality never goes out of style. If you have a product that works and solves peoples problems you will do fine.

As far as living up to expectations, that is a question of whose expectations. It was no secret that the analysts were smoking their socks with some of the numbers being thrown around regarding NAC. The fact that you call it magic should not be lost on you or others.  NAC ain't magic, it is bread and potatoes security. Internally here at StillSecure we always had our own internal compass and business plan guiding us.  According to those, our NAC product is doing just fine, thanks! Also remember that StillSecure has a number of products that actually work well together, so we are not overly dependant on any one of our products.  That is smart business Richard. Again, to paraphrase Al Davis, "just execute baby!"

Are customers beating our door down?  I think so, but frankly our goal is to have our customers beat our partners doors down and that is happening too.  A key difference in our NAC plan was having distribution partners in the "network fabric". We have accomplished that goal and it serves us well. NAC for us continues to evolve and grow, but we are doing just fine with it.  We don't do rah, rah BS press release stuff, but you know Richard there is a saying in NY that I learned as a little boy growing up.  I am sure you probably never heard it in the mid-west.  It goes something like this:  "Those who know don't talk and those who talk don't know"  Those that need to know about our financial position know.  The fact that you question our position I guess means you have been placed in the category of the don't need to knows. Sorry Richard.

As some of you may know Richard Stiennon and I have had our disagreements over the years around NAC.  But say what you want about Rich, at least he had the stones to ask what many of you would probably like to ask but wouldn't. Here is Rich's comment and my reply:

Posted by Stiennon: OK, so one well regarded security company turns out not to be that successful after all. As you point out Allen, from the press releases everything seemed like it was going great for Lockdown. As you know I think NAC is a waste of time (the health checking part, not the access control part). And of course I am going to say that companies founded on purely bad concepts like admission control are going to fail and Lockdown is a great example. So here is the question, thou supporter of NAC. How are we to know whether or not StillSecure is on the brink of shuttering its doors as well? How can you assure us that NAC is such a great concept that customers are beating down your doors to get some of that magic? Just wondering..... -Stiennon

Richard, first of all thanks for the opportunity to respond. Secondly, you would think after all this time you would know that my name is spelled Alan.  With that out of the way, lets dive in here. 

First of all on your characterization of NAC being all about health checking, Richard NAC has grown beyond that a long time ago and I don't see much sense in us wasting time on that one.  But for the record maybe you should let Microsoft, Symantec, McAfee and all the rest of the host based health checkers in on your revelation.

Next Richard, who said Lockdown was a well regarded security company and that it was founded on a pure concept of admission control?  You know what happens when you ass-u-me Richard, don't you?  I have been out here hammering on a lot of these companies that I don't think have real solutions.  There has been a ton of smoke and mirror games from marketing people (you wouldn't know about any of that would you Richard?).  When I called these companies on the BS, too many people said I was just being biased against them.

You don't see StillSecure putting out those kinds of releases. Fact is Lockdown with all due respect to the folks there, was set up from the beginning to be a quick flip.  It was a speculative an endeavor as some of the condo owners who are left holding the bag down here in South Florida.  They were going to do something around vulnerability management and flip this quick.  Richard, I have been there.  When you dress up a pig for market, often times you end up with a dressed up pig. No amount of lipstick is going to help. On the other hand, we just keep executing.  At the end of the day Richard, companies who succeed are companies that execute.  You have certainly been at your share of companies and should know that by now.

Now lets get down to brass tacks.  Just because Lockdown and a few other NAC companies that did not have competitive products went out of business, does that mean all NAC companies are going out of business?  Talk about painting with a broad brush Richard!  Thats like saying all analysts are ignorant because look how many times some of their predictions are wrong (anybody see any IDS out there today?)  Not all analysts are ignorant Richard, just the ones who keep making the wrong assumptions and predictions (and they usually wind up going to VP of marketing roles).  Cream always rises to the top Richard and quality never goes out of style. If you have a product that works and solves peoples problems you will do fine.

As far as living up to expectations, that is a question of whose expectations. It was no secret that the analysts were smoking their socks with some of the numbers being thrown around regarding NAC. The fact that you call it magic should not be lost on you or others.  NAC ain't magic, it is bread and potatoes security. Internally here at StillSecure we always had our own internal compass and business plan guiding us.  According to those, our NAC product is doing just fine, thanks! Also remember that StillSecure has a number of products that actually work well together, so we are not overly dependant on any one of our products.  That is smart business Richard. Again, to paraphrase Al Davis, "just execute baby!"

Are customers beating our door down?  I think so, but frankly our goal is to have our customers beat our partners doors down and that is happening too.  A key difference in our NAC plan was having distribution partners in the "network fabric". We have accomplished that goal and it serves us well. NAC for us continues to evolve and grow, but we are doing just fine with it.  We don't do rah, rah BS press release stuff, but you know Richard there is a saying in NY that I learned as a little boy growing up.  I am sure you probably never heard it in the mid-west.  It goes something like this:  "Those who know don't talk and those who talk don't know"  Those that need to know about our financial position know.  The fact that you question our position I guess means you have been placed in the category of the don't need to knows. Sorry Richard.