The next question from the president-elect was what single policy issue he could focus on that would most help entrepreneurs.

“The most important thing he’s got to do is kick-start a huge amount of research and innovation in energy,” said Mr. Doerr, who backed Google and Amazon.com and has invested heavily in clean energy technology for the last few years.

The nation now invests less than $1 billion a year in renewable energy versus $32 billion a year in health care, Mr. Doerr said. “I think we’ve just scratched the surface in terms of clean ways to use energy, to produce energy. It’s the challenge of our generation.”

How to do that? Double the number of engineers who graduate from American universities each year to 60,000, Mr. Doerr said. Bring more women into the field, and encourage foreigners who study engineering here to stay here.

“What we do is bring foreign nationals to the world’s greatest universities. We train them, invest in them and make them go home,” he said. “What kind of national strategy is that? So I would staple a green card to the diploma.”

I may be new to the team, but I’m (reasonably) old to the game. My name is Tyler Shields and I’m the latest addition to the Veracode research team. I started at Veracode in September 2008 as a Senior Security Researcher and have been immediately thrown into the fire. Working for a fast paced, highly energetic company like Veracode, keeps you busy and challenges you every day. I plan to blog on the most interesting pieces of my work with Veracode and hope that you find it enlightening or at the very least entertaining.

In the past I have worked as the security engineer at a .com startup, as an incident response and forensics specialist for the United States Postal Service (think HUGE network), and most recently as a security consultant for @stake and Symantec. I have consulted on engagements for Fortune 500 companies, most major financial institutions, and the highest levels of the United States government. As a consultant my focus was on anything related to application security including, application penetration assessments, product security assessments, secure development lifecycle consulting, and secure application architecture engagements. I lead the @stake/Symantec Application Security Center of Excellence that was used to help guide the knowledge of the global consulting team. I also spent time as the lead for the Symantec Vulnerability Research program in which a number of interesting vulnerabilities were discovered and publicly released. In my spare time I enjoy reverse engineering and malware research. I recently completed my graduate degree in Information Security/Computer Science from James Madison University in Virginia.

So… Here’s to a new job, a new blog poster, and of course lots of fun to come.

He is urging young entrepreneurs and engineers to stop making some of  the sillier software that lets Facebook users throw virtual sheep at  their friends or download virtual beer on iPhones, and instead start  making a real difference in the world.

He says it's not just the right thing to do, but also the smart thing  to do -- especially as the credit crunch spreads to Silicon Valley,  venture financing becomes scarce and start-ups have to retrench.

When this grizzled, 54-year-old tech-industry veteran talks, Silicon  Valley tends to listen, if only to argue with him.

He is urging young entrepreneurs and engineers to stop making some of  
the sillier software that lets Facebook users throw virtual sheep at  
their friends or download virtual beer on iPhones, and instead start  
making a real difference in the world.

He says it's not just the right thing to do, but also the smart thing  
to do -- especially as the credit crunch spreads to Silicon Valley,  
venture financing becomes scarce and start-ups have to retrench.

When this grizzled, 54-year-old tech-industry veteran talks, Silicon  
Valley tends to listen, if only to argue with him.

I’m assuming the author wants us to read the title as “Things to Look Out For in Performing Risk Analysis” and not “Risk Management is Folly - Stop, Stop, Stop!” The former is fine, the latter isn’t supported by the evidence presented by the subjects of the article.
The subjects of the article are a good study from Wade Baker & Co. at Verizon, and a report from RSA’s Security for Business Innovation Council. Let’s take a look at each of these and examine why what they’re saying might contribute to poor risk management, shall we?

1.)  THE VERIZON REPORT

The Verizon report is an analysis of some 530 forensic investigations their company performed.  It is well worth your time as it’s chock full of interesting information.  As it relates to the Dark Reading piece, a coarse summary would be that “likelihood” is “different” for different people and so you can’t use the same “likelihood” across different industries.

Distilled through the lens of FAIR:

“different threat communities may be applicable based on Probability of Action factors which include: Value, Level of Effort and Risk (of Getting Caught).”

Or, even further distilled and in the words of my six year old son,

“Duh-uh”.

With regards to what I assume is the purpose of the article (What Doesn’t Work in Risk Analysis) this concept  seems just to rehash the old GIGO argument regarding risk analysis.  Great.  Can’t argue with that, nor it’s corollary QIQO (quality in, quality out).

But let me ask you -  is this really a problem common in your analysis?  Did reading this article make you go “Crap, we’ve been using data normalized across multiple industries in our analysis! They’re all wrong!”  Or have you already been accounting for the unique value proposition your company has to the specific threat community you’re worried about?  See, maybe I’m just not your average analyst, but even in my NIST/OCTAVE days, this has *never* been an issue for me.

Let me be specific, this is not a problem with Verizon’s very cool report.  It’s just that I don’t see what the big deal is.  This article is starting to feel like someone is running through the motions, trying to play the ” a crazy title gets people to read a boring article” game.

Speaking of cool reports - You know what would be cool?  I think it would be interesting to see is the quality of these companies’ “risk management process” established using good criteria,  and then correlated to the frequency and magnitude of real-world losses across the aggregate sample.  In other words, can we establish evidence that strong risk management practices not just reduce “risk” but also reduce actual incidents.

2.)  THE RSA COUNCIL “EXPLORES WHY LEGACY METHODS OF EVALUATING INFORMATION SECURITY RISK DON’T WORK IN TODAY’S CONNECTED WORLD, IN WHICH ANY NEW BUSINESS INNOVATION INHERENTLY CARRIES SOME LEVEL OF RISK TO INFORMATION.”

This report from the RSA council puts forth a seemingly obvious proposition, that risk must be balanced by reward.  Why is this news?  Now as I read the article it’s not clear if:

• The RSA Council is claiming that the CISO’s office should be the ones determining reward.  Absurd.

or

• Businesses aren’t doing a good job at determining risk and reward.

Let’s go with the latter.  So I’m pretty sure (good) businesses do a good job at estimating reward.  Businesses I’ve been a part of?  We LOVE(D) estimating reward.  We don’t tend to start projects all willy-nilly. No we tend to be careful to identify the size of the market and what it will cost to address the market.  So what could the problem be that this RSA council is trying to address?  Maybe it has to do with something like the following:

Yesterday, I got a demo of an IT-GRC application that shall remain nameless.  It seemed to be very good at the “C” bits - lots of information on regulations and expectations and even what sorts of controls would answer the regulations (which is goofy, but we’ll have to talk about that later).  It also gave you the ability to build workflow quite nicely.  But it measured NOTHING.  There really was no observable “G” and “R” was really Medium X Low X Low = High sorts of stuff.  So let’s use this relatively expensive tool as evidence of what your average CISO is armed with going into a Risk/Reward sort of meeting.  I imagine a nice board room with wood-grain paneling and glass bowls filled with little chocolate covered mints designed to give everyone involved in the meeting (CEO, CFO, CIO, CSO, VP S&M, etc…) a little sugar rush when needed and fresh breath.  The conversation goes a little something like this (apologies to Rich):

Business Guy Who Wants to Make Money Because That’s What Businesses Do: Based on market studies, we believe that initial gross revenues from the new product and technology rollout will be eleventy gazillion dollars based on a 37% market penetration in Scandinavia, alone.

CSO: Well now, we have a likelihood of “High” and a “C” impact of Medium, and an “I” impact of Low, and an “A” impact of “High” and because we are a (bank/hospital/retailer/basically any business that breathes anymore) we weight “C” by a factor of 2 - we multiplied those all together and got a “High”.

So can you guys delay the product rollout by 9 months and give me a bunch more money that’s not in the budget so that I can get this thing down to a “Medium”, please?

Again, I just don’t see the problem with Information Risk Management being that our businesses have no idea what the rewards of business might be.  Now maybe we need get a seat in that boardroom just to be able to talk about our “Mediums”, sure.  And maybe we’re infantile in our ability to describe our problem space.  But I cannot fathom that “Risk Management Doesn’t Work” because businesses haven’t been considering “reward”.

WHY RISK MANAGEMENT MAY  NOT BE WORKIN’ FOR YOU

Two meta-categories of causation:

• No skills

and/or

• No resources

Any ancillary “cause” can be mapped to one of these categories.  You could have significant resources but crappy models, and have conversations like our imaginary CSO, above.  You could have really good models and people trained and motivated to use them, but scarce time & money, so no conversation happens.

Now my question for you is - which does it make sense to acquire *first* to solve the “Why Risk Management Doesn’t Work” problems, skills or resources?

OnAir has so far tested their calling/texting-only service on two aircraft--one operated by Air France, one by TAP Portugal--even though RyanAir announced plans that its planes would started being unwired with the service by late 2007. Still no word on that fleet progress.

Qantas will apparently launch cached Web browsing and limited Web email (probably through a proxy) along with instant messaging, with full Internet service coming "later in 2009." This is clearly due to a lack of satellite coverage that was just remediated a few weeks ago (see below). The first plane with limited service, a new A380, should be in flight 20-October-2008.

The Morning Herald seems to overstate the importance and scope of a complaint filed by the union representing American Airlines' flight attendants. The detailed coverage in the U.S. had more to do with the potential for issues, and likely attendants lack of interest in policing yet another media on the plane. Filtering doesn't work, the attendants probably already know, and this may just be a negotiating point with the airline.

On why Qantas is waiting until late 2009? This requires unwinding how OnAir gets its signal.

Aeromobile and OnAir both rely on Inmarsat satellites for their service. Both companies had several years ago staked their futures on the fourth-generation network Inmarsat was to inaugurate with three satellites that would use beamforming to allow precise delivery of nearly 500 Kbps per receiver, with hundreds or thousands of regions being able to be targeted from a single satellite. Inmarsat's third-gen network--don't confuse this with 3G cellular ground-based networks--can deliver about 64 Kbps per channel.

Now, unfortunately, Inmarsat was three years late on launching its trans-Pacific bird. While the company claims 85 percent coverage of the earth and 98 percent coverage of population, there's a big gap over the Pacific that also prevents them from having good overlap between the U.S. and Japan/China/Korea, as well as the southern Pacific, covering Australia. Since the biggest market for long-haul flights would likely be Australia, Japan, and China, traveling trans-Pacific or trans-hemispheric routes, that gap is rather large.

Aeromobile opted to build out a service, deployed only by Emirates airline as far as I can tell, that uses the 3G service since it was available, and most necessary equipment is already installed on most over-water planes. OnAir was waiting for 4G, which has necessitated a long wait, but allowed them to launch in Europe with a seemingly next-generation service. Given that OnAir is controlled by an airline-owned integration firm, SITA, and by Airbus, they're not going anywhere.

Inmarsat finally lofted its third satellite on Baikonur Cosmodrome in Kazakhstan on 19-August-2008, and the launch and separation was reported as successful. Previously, the company has needed up to a year to verify and deploy its 4G satellites. (You can read extremely close coverage of the launch at a Web site devoted to space enthusiasm.)

However, the dirty little secret about Inmarsat's BGAN is that it costs a fortune to heft bandwidth across it. Thus, in-flight broadband over BGAN, if it's ever available, is going to be changed on an extremely high per-MB rate. None of the providers want to say this. This is in contrast to Row 44 (and, once, Connexion by Boeing), which relies on leased Ku-band transponders where they can fix costs and they require high volumes to keep per-bit costs efffectively low.

OnAir's launch of calling on Air France's service involves paying a few euros per minute for calls, which might help you understand what data costs could ultimately run.

I say today is a good day for two reasons:  1.)  BT’s CSO Jill Knesek wrote an article called “Keys to establishing an end-to-end security strategy” which begs some discussion within context, and 2.)  Sara Peters on Twitter last night wanted to know why I thought “risk management” requires more than what most “best practices” around the subject suggest the effort requires.

WHAT SHOULD WE BE REFLECTING ABOUT?

Jill Knesek’s article gives us a rough outline of how to develop a security strategy.  It’s fairly high-level, Pragmatic CSO-ish type stuff.  It gives us a nice outline of

• Get a seat at the table
• Process
• People
• Technology

Nothing earth-shattering there.  But it is a very nice broad CISO-level taxonomy about what we have to reflect on.  The need to reflect is driven by something Jack told me long ago,

“The amount of risk we have is a function of the decisions we made and our ability to execute on them from some point in the past”.

As an Aside:  So Sarah if you’re reading, this quote does much to explain why I said I disagree with much of what our industry calls “risk management”.  We tend to define the process of risk management as essentially a tactical “issue whack-a-mole” exercise. Find the issue.  Analyze the “risk” around the issue.  Fix the issue.  Repeat. This hamster-wheel-of-pain, while sometimes an effective tool for the CISO, is incongruous with addressing root causes (the ability to match a tactical issue to the strategic shortcoming that created the issue is up to the expertise of the analyst or consultant).  It is only Kaizen without (good) Hansei, if you will.

Back to what Jill is writing - the sorts of things we should be reflecting about can be thought of in context of her outline.  Namely:

1. Once you have a seat at the table, what is the nature of that relationship?  Who are you reporting to and what are their concerns? What and how are you reporting and how might that be addressing their concerns?
2. What processes are in place?, How do you know that those are the processes that should be in place? If they are, what kind of job am I doing at those processes?
3. What is the quality of the skills and resources I have from a people perspective, and how do I know if they are adequate?  How do I know that the training they petition me for will effectively reduce organizational risk?
4. Are the Technology solutions I have in place effective, are we managing them effectively, and what sort of States of Knowledge could they provide me with (to make good decisions and execute upon them, from above)?

This, for the CISO, is Hansei.  The continuous management of it is Kaizen.  Not to particularly pick on Jill’s article, but creating a “risk register expressed in ALE” might be fine if you’re trying to explain to the board what your “first 100 days in office” will be like - but these sorts of lists are usually not very strategic in nature, and as such, depending on the outcome of that risk register (and the models used to create it) it might not actually be useful.

WHAT IS NEEDED FOR REFLECTION?

So what is needed for this sort of CISO-level Hansei?

The CISO must understand the

• Current State of Nature

turn that into a

• State of Knowledge

and use that to create a

• State of Wisdom.

CREATING A STATE OF NATURE FOR THE IRM PROGRAM

This Current State of Nature determination be done by applying analytical methods to a program audit.  We must understand questions like,  “What is in that program and how is it structured?”  before we can answer questions about “how (good/bad) are we at managing risk?”

There are many ways to structure an IRM program, but as an example - below is a graphic shared with me by Adrian Seccombe.  For those who know Adrian and the Trust Model - this is classified as “white” so it’s OK for public display and consumption.  But here’s what Adrian is trying to build at a high level:

So regarding Adrian’s program diagram:

1. Is a governance framework.  Think ITIL.
2. Is a risk framework.  Think ISO 27002 using FAIR as an analytical engine.  To be fair (pun) I believe this is really issue management, and it’s a process, but that’s OK.
3. Reg compliance should be self explanatory.  That’s essentially what GRC products do for you.
4. With architecture, I think Adrian is inclined towards TOGAF.
5. Security is the ISMS in place (27001, ISM^3, PCI, whatever…)
6. Are the processes that drive execution
7. Monitor (audit) is creating a State of Nature and Evaluate is creating a State of Knowledge from that State of Nature around items 1-6.

EVALUATE - CREATING A STATE OF KNOWLEDGE ABOUT THE IRM PROGRAM

That evaluate is Hansei/Kaizen.  Evaluation, done effectively, will drive actual organizational risk exposure.  Evaluate will even answer those four questions we raised in the “What Should We Be Reflecting About” section above:

1. Once you have a seat at the table, what is the nature of that relationship?  Who are you reporting to and what are their concerns? What and how are you reporting and how might that be addressing their concerns?
2. What processes are in place?, How do you know that those are the processes that should be in place? If they are, what kind of job am I doing at those processes?
3. What is the quality of the skills and resources I have from a people perspective, and how do I know if they are adequate?
4. Are the Technology solutions I have in place effective, are we managing them effectively, and what sort of States of Wisdom do they provide me with (to make good decisions and execute upon them, from above)?

If we could have a nice metric (or set of metrics) that answers these questions, we might call it something like “My Ability To Manage Risk” or MATMR for short.

GETTING TO A STATE OF WISDOM

What’s then missing is how you create a State of Wisdom around the State of Knowledge developed - your “MATMR” metric.  That is, given the current State of Knowledge - how can I be most effective?  This State of Wisdom requires proper models for what risk is, and what you can do to manage it applied in a probabilistic manner (because we can’t intrinsically *know* the future, we can only say with some degree of certainty what the desired course should be).

So the outcome of Hansei/Kaizen should be to create a State of Wisdom about Risk Management.  This is why reflection must be relentless - because your wisdom must be similarly abundant.

This is no small part of the reason RMI exists, why we build software and help organizations understand the things they do.

Just a few months after CEO and founder Diane Greene was ousted, it comes as no surprise that her husband and co-founder, Mendel Rosenblum, has also resigned via a company wide message last night. Turns out he’s going back to Stanford to teach. What a lovely way to get out of the political mess VMware has become. Admit it, haven’t we all had a point where we get fed up with the latest work snafu and wondered, maybe I should go back to college and teach? I had a really good time in college… Kudos to Rosenblum for doing it and doing it in style.

And if you believe Tarry Singh, the company knew this was going to happen but waited until after registrations were closed for VMworld before making it official. Hmm.

From the New York Times, more on Greene’s firing and just what kind of atmosphere is forcing executives to leave VMware:

After Ms. Greene made a special presentation to VMware’s board, Mr. Tucci, who heads VMware’s parent company, EMC, pulled her aside, according to people familiar with the events, who asked for anonymity because they were not authorized to discuss internal company decisions.

Inviting Mendel Rosenblum, Ms. Greene’s husband and the co-founder of VMware, into the room, Mr. Tucci told Ms. Greene she was fired, effective immediately. And he said the board wanted Mr. Rosenblum, VMware’s chief scientist, to take her seat on the board. Mr. Rosenblum declined the offer.

Honestly, what kind of a judgement call was made to first fire the man’s wife in front of him and then offer him her board seat? Has Tucci never seen an episode of Survivor?

One of my favorite banks in Thailand is K-Bank. With K-Bank I can simply walk up to an ATM machine and pay a mobile phone bill, purchase mutual funds, buy insurance, or transact an ever-growing list of services payable at the modern and sleek K-Bank ATM.

For example, tomorrow I fly to Chiang Mai in Northern Thailand and found K-Bank’s service amazingly better than in the US. For example, I booked my flight as usual (over the phone, but could have used the Internet) and told the reservation agent I was going to pay by ATM. He simply gave me a PayCode and told me I had three hours to go to the ATM and enter the PayCode to perfect my reservation.  I also got the PayCode via SMS.  This gave me the time I needed to make sure I had booked the perfect boutique hotel in Chiang Mai, the Fern Paradise.

Then, I went out into the beautiful Thai weather and completely my airplane reservation at the ATM machine; which also printed out a receipt with my flight details and reservation number.

It sometimes amazes me how much further advanced some services are in Thailand compared to the US. To me, it feels more secure not to use an on-line payment center or give out my credit card details over the phone. I can simply book a ticket, take a PayCode, and complete the transaction at a nice modern, shiny, K-Bank ATM machine.

Who knows, maybe soon I can select the perfect window seat at the ATM and the receipt will act as my boarding pass!