I hope you can catch me this week (September 19-23). Either attend a webinar on secure uses of the Cloud, or grab my lapel as I walk the show floor at ASIS in Orlando.
Here’s info on the webinar. Wednesday, Sept 22, 1-hour Webinar titled “Xerox and Cisco: Partnering in the Cloud”. I’ll be speaking along with Bill McGee from Cisco, and RG Conlee from ACS, a Xerox Company. I’ll explore the true benefits of using the cloud, understanding and mitigating the risks of the cloud, and how to best prepare for using the cloud. I hope you can join me.
At ASIS – the largest physical security professional conference in Orlando – this week I will be speaking at several private company events, but you can still find me on the floor. I’ll be excited to tell you the developments of the first venture-funded convergence consultancy I’m now heading.
Secure the Business!
What a successful SecurityDreamer Chicago Event last week! Thirty men and women from a cross section of Chicago’s IT and physical security communities, end users and service providers, gathered for a fun evening of information sharing, new research, fine art, yummy wine and stimulating conversation.
The event was held at the exquisite David Weinberg Gallery in the art district of Chicago near downtown. David Weinberg was on hand to talk about his art. The photographs lining the walls of the the three room gallery were provocative and powerful. David said his art was inspired by his childhood and colored by his years owning a technology company that he sold some years ago.
We were able to afford a beautiful and unusual venue because of our visionary sponsors, BRS Labs and Inovonics. I’ve mentioned BRS Labs in the past. I have such appreciation as a technologist for innovative companies, and BRS Labs is one of them. The company re-thinks video analytics and approaches the challenge in an entirely new way. While the “video analytics 1.0″ vendors battle it out, BRS Labs quietly amazes it’s customers and confounds its competitors with a “2.0″ solution. Thank you to BRS Labs for sponsoring SecurityDreamer Chicago.
Rethinking solutions was the theme of the event. I shared some research Hunt Business Intelligence recently completed on trends in critical infrastructure technology adoptions by the largest companies in the world. It turns out that non-security executives, like CEOs and CFOs, are steadily losing confidence in security executives.
Part of the reason for that loss of confidence is that security executives continue to think like security wonks and do a poor job running security like a regular business unit. A security professional should be able to analyze, measure and create value, and not merely avoid risks.
Inovonics helps its customers create value. Its line of wireless life safety technologies, led by its flagship RADIUS product, leverages existing network infrastructures to provide superior service. Imagine integrating a wide variety of sensors, including people-location, around your facility built around a single architecture of standard wireless networking. It is life safety information management at its finest. Thank you to Inovonics for sponsoring SecurityDreamer Chicago.
We are now planning SecurityDreamer New York, SecurityDreamer Houston and SecurityDreamer Orlando (at ASIS). Drop me a note and tell me a bit about yourself if you want one of the limited invitations.
Dan Dunkel wrote a fun article in the February issue of SDM magazine. He proposed that PSIM (physical security information management) be replaced with VSIM (virtual security information management). I assume he’s joking.
Actually, if you read the article assuming he had his tongue firmly planted in his cheek, it’s a fun ride. He brings in virtualization, the IT concept of using software to emulate hardware like servers and storage devices. He also refers to the word “virtual” in the gaming sense, of creating a virtual reality environment.
Dan does a good job of making fun of computer speak in the article. His articles in SDM are always entertaining. The only thing I didn’t like about this article was the nagging feeling that he may have been serious!
PSIM as a concept emerged because end user managers of security environments cried out for a way of better managing security information. They wanted to be able to do with security data what every other business unit does with the data from their respective business units – that is, to make intelligent business decisions.
If Dan is serious that the physical security industry no longer thinks in terms of being physical, then PSIM could be easily shortened to SIM – a moniker used for a decade or more in the IT Security industry.
I attend physical and homeland security conferences frequently and I can tell you in no uncertain terms that these industries dwell almost entirely in the physical nature of security.
If Dan is simply being an apologist (evangelist?) for “the cloud” as so many bandwagon jumpers (especially software manufacturers) do these days, then I’ll make a suggestion.
The cloud is an amorphous (by definition!) concept to describe techniques of managing data. Managing data is exactly what the security executives who gave birth to PSIM wanted all along. So I suggest that if you really want to get to the heart of PSIM, and to the heart of efficient, effective security management, forget about PSIM – and certainly jettison VSIM – and let’s all talk about just the “IM.” Information management and business intelligence is what it is all about.
If you get that, you got it.
There is a problem with honesty in this security industry of ours. Far more of a problem in the physical/homeland security indsutry than IT/cyber security. the difference? Critics.
The IT/cyber security industry has dozens of knowledgeable, influential industry analysts constantly pushing end users, VARs and manufacturers, (vendors) to higher levels of performance, quality and customer service.
The physical security had none before I showed up on the scene when I directed my research team at Giga Information Group (later Forrester) to begin tracking trends in physical security in 2000. I kept thinking I would spark industry improvement in physical security and homeland security by inspiring dozens of industry analysts to cover the huge industry. Instead, vendors reacted with their panties in a bunch and most consultants I spoke to were chicken-shits, with not enough balls to tell Lenel or SoftwareHouse or Bosch when they smelled snake oil, or when product development aimed low.
So in 2005, I left my job as head of security research at Forrester and opened the first industry analyst firm in physical security – thinking for sure that THAT would start the trend.
I was partly right. A few “analysts” popped up afterwards. Forrester and Gartner dabbled in physical security half-heartedly for a few months after I left. Frost & Sullivan later beefed up their particular brand of analysis combned with their trademark (and dubious) “awards.” More on that another time. INS also started making noise.
Finally, some “serious” critics emerged. Jeff Kessler, the long-time Lehman analyst, brought intellectual rigor to financial critique of the entire industry and specific niches. And John Honovich carved a niche for himself becoming the preeminent critic of IP video solutions.
I am very grateful for John and Jeff. They largely validated my belief that the physical security industry had room for and could benefit from piercing, honest criticism. But I’m sad that there are only three of us. John critiques vendors in the IP video arena on his website, Jeff now works for Imperial Capital and focuses is on numbers, and I focus on best practices for end users. Three different niches, but it’s just crazy that a $170 bn industry supports only three guys doing real industry analysis.
I’ve criticized Frost & Sullivan and INS elsewhere, not to belabor the point here. The shortcomings of their analysis in this industry are obvious to any observer and I don’t need to harp on them. In a nutshell, I’m disappointed when any analyst relies on the word (or dollars) of manufacturers. It is an obvious conflict of interest, and the so-called analyst quickly becomes a shill for vendors, whether they intend to or not. (Hint: they usually intend to.)
If an analyst performs paid work for a vendor, it should be with the sole purpose of helping that vendor improve its products or solve specific customer problems. It should also be done privately.
For example, I’ll allow vendors to pay me to critique and plan their product development road map or marketing strategy – but I don’t write publically available white papers and will never publicly trade whatever I’ve discussed with vendor clients privately. I share my end user research findings with my end user- and investor-customers only.
Analysis should be derived from the analyst’s professional experience with the subject he is analyzing, or by analyzing the experiences of end users. I believe John touches or in some way directly interacts with with every product he writes about, and then bases what he writes on his highly technical knowledge. Jeff is similar. He performs primary research, writes his own analysis of his research based on his extensive knowledge and experience with financial and market analysis, and critiques secondary research. I talk to hundreds of end users each year and systematically analyze best practices (and worst practices) among the users of just about every kind of security technology.
I still think there is plenty of room for honest critique in the physical security industry. If only someone else with the guts would step up.
In honor of being at the RSA Conference in San Francisco this week, I figured I should at least post one IT security blog. Here is an excerpt from the “ship’s log” of my mentor Captain Phil Rosch:
I think the Security industry needs to be more proactive in terms of policing itself. I’ve spent way too much time over the past 6 months fixing machines for friends who got sucked in.
Fixing Charlie’s virus ridden computer wasn’t too hard. I found a detailed set of instructions on the Internet that fit his problem exactly so I just followed the yellow brick road. It’s easy to see how an error screen like the one crafted for the AVG 2011 could suck someone in. http://deletemalware.blogspot.com/2011/01/how-to-remove-fake-avg-antivirus-2011.html
After I blew off the virus, I downloaded Spybot Search & Destroy and Microsoft Security Essentials (both free). The Microsoft scan caught 2 Trojans and the S&D cleaned up all the spyware. The last job in the “tune-up” was to run SpinRite 6 to clean up the physical hard drive.
I really feel sorry for seniors who get sucked in by viruses and crap like you see on TV. Allen Harkleroad, a consumer advocate said “I am 100% skeptical of any advertisement that claims to be able to fix a computer online, and from the consumer complaints I have read online, in the case of DoubleMySpeed and MyCleanPC, it appears that my misgivings were completely warranted.” Allen built himself a new Windows 7 machine with nothing on it and ran all current maintenance.
Next he ran MycleanPC and it produced over 1,000 errors and took him to a page that demanded $89 for the product and wouldn’t let him lose the page.
Check out “DoubleMySpeed complaints” on Google, also MyCleanPC complaints and the CyberDefender Corporation complaints. It seems now CyberDefender is trying to hide who owns the domains they operate, however IP address/DNS lookups don’t lie. CyberDefender responded by sending a legal threat letter, claiming defamation, and demanding the removal of the original posts.
Over the years I’ve had the good fortune to get to know Dan Moceri and his company, Schaumburg, IL-based Convergint Technologies. Convergint has served as an integrator for some of my largest and most demanding end user clients.
When I think of a best-of-breed integrator, Convergint is always one of the first to come to mind.
Why? You may think it is because the company is big, but as we all know from working with large integrators, there is often a huge disparity in skills and professionalism from one regional office to the next. No. Size is not the reason I think of Convergint.
Maybe it’s skill. After all, Convergint has highly skilled technicians in the field who deeply understand products like Lenel OnGuard and Genetec Omnicast. But skill is not it either.
How about customers? Surely few companies can match Convergint in high-profile customer deployments. Just look at how Convergint came to the rescue of the City of Chicago’s urban surveillance project. Convergint has a great customer list, but that’s not why it shines as a company.
Convergint is on my mind because it is focused on continual improvement. A simple idea, but one nearly absent across the rest of the security industry sales channel. When Dan Moceri and his business partner Greg Lernihan look at their company, they see a community of professionals working together – a community built around shared values, including one of the most powerful: the desire to go from Good to Great in every aspect of the company.
Dan, and the Convergint leadership team are driven by continual improvement in another way, too. When they consider expanding their business, they seek partners or acquisition targets that also have a Good to Great mentality. That way the Convergint culture of continual improvement may be more quickly and effectively infused into the new partner.
Dan speaks frequently at security conferences; so if you ever have a chance to hear him, don’t miss it. And whenever you consider working with an integrator or value added reseller, keep in mind that consistency and quality come not from a large customer base, many employees or demonstrated technical skill. Consistency and quality are born out of a mindset, a philosophy, of continual improvement.
The way a security integrator, or any service provider at all, can create a Good to Great culture will be the topic of many future posts here on SecurityDreamer.
I took a year off from blogging. Obviously.
It has been an intense, exciting year of brainstorming and new opportunities. As a result I have a new view of the industry and new series of innovations. You will see it all on this blog in the days and weeks to come. So stay tuned for new ways of thinking about security technology, operational best practices, and quality.
For many years, as you may know, I worked closely with hundreds of end users (security and technology executives) to help them make better decisions about technology and to glean from them the best (and worst) ways of doing just about anything having to do with security. Over the years I gained a unique insight into end user requirements, preferences, goals and budgets.
Concurrently, I worked with dozens of technology manufacturers to help them make better products and development roadmaps, plus more effective marketing and sales strategies.
The segment of the industry that receives much of my attention now is that piece in the middle, between the manufacturers and the end user. I’m talking about the wild west of integrators, resellers and dealers. The sales channel.
Security Dreamer will continue to draw attention to trends and best practices, but will now also focus on fixing the problems that end users and manufacturers have shared with me about the sales channel over the years.
My goal is not to ruffle feathers, as my efforts undoubtedly will — after all, the good ol’ boys club of the security industry is nowhere more established than in the sales channel — but to help progressive VAR (value added reseller) owners to run better companies, make more money and satisfy their constituents far more successfully.
Software as a service (SaaS) and cloud computing and cloud storage and
other “aaSes” are all the rage these days. The cloud is going to force
security pros to revisit policy and value. We have to make the case of
why we have specific policies and why those policies apply to certain
data and applications. Otherwise biz units will throw apps and data up
to the cloud willy-nilly to grab the cost savings.
My buddy Kevin Richards at Crowe Horwath said, "Nobody really cares about “securing the cloud” – outside of the security industry anyway. In that way, it’s the same as security in general. Security is not the point. It’s not our job to secure the cloud. We have data and applications all over the place. Some are running on this network segment, some on that. Some are in this data center, some in that one. Some are outsourced, or off shore, or cloud based like SaaS."
Una nueva forma de comparar productos beneficiaría a todos
por Steve Hunt (originally published on ZonaSecuridad.org)
mayoría de comparaciones de productos no dicen gran cosa. Propongo una
mejor manera orientada al beneficio para el usuario final.
mayoría de evaluaciones de tecnología que se leen en las revistas de la
industria, o aquellas proporcionadas por los fabricantes, sufren de un
defecto común y básico.
tecnologías con otros productos similares de la competencia y muy rara
vez, si es que alguna vez lo hacen, le dicen al lector qué tan bueno el
producto es en realidad.
Estas evaluaciones hacen una lista de características a la luz de los competidores. En mi opinión, esto perpetúa la mediocridad.
que hay una mejor forma de mirar los productos de tecnología. El método
que he estado desarrollando durante los últimos cuatro años es lo más
cercano que pude encontrar a una forma científica de realizar las
método también tiene otra diferencia importante: le dice al ejecutivo
de seguridad (o al fabricante) qué tan exitoso el producto será en
resolver los problemas del usuario final, más que decirle al cliente
con lo que él o ella tendrán que conformarse.
Una respuesta adecuada
diré de forma más explícita. Al tomar cientos de criterios sobre los
requerimientos y preferencias del usuario final, puedo calificar qué
tanto cualquier producto cumple con las expectativas del cliente.
aquí un ejemplo de esa calificación. Este producto (el cual no
nombraré) fue recientemente premiado en una comparación de producto
(más o menos) independiente con otro gran nombre de productos de
control de acceso.
considerado uno de los mejores productos que se puede comprar en esta
categoría. Sin embargo, usted puede ver por la calificación que todavía
tiene algunas áreas de mejoramiento si quiere cumplir con las
necesidades reales del cliente.
Arquitectura e integración: 2.7
Confiabilidad y escalabilidad: 3.5
Configuración y flexibilidad: 1.9
Administración y reporteo: 1.8
Calificación general: 2.5
un rango de calificación de 1 a 5, 1 representaría una calidad o
soporte pobre o nula, mientras que 5 indicaría cualidades
satisfactorias, amplias y flexibles.
Facilidad de uso para el cliente
categoría tiene múltiples subcategorías que consisten en diferentes
criterios. Cada subcategoría y criterio es medido de acuerdo a su
importancia relativa para el cliente.
lo tanto, la cantidad de tiempo requerido por el administrador de la
base de datos para configurar el sistema puede ser ponderado, en mayor
o menor medida, que, digamos, el rango de bases de datos de terceras
partes soportadas por el producto, dependiendo de lo que los usuarios
forma similar, la usabilidad e intuitividad de la interfaz gráfica del
usuario o las herramientas de ayuda en línea serán ponderadas más que
el soporte del producto de una interfaz de línea de comando.
mi evaluación esté completada, el CSO o gerente de producto verá en el
reporte detallado cada forma principal en que la tecnología cumple,
excede o falla con los requerimientos más importantes o con las
preferencias de los clientes usuarios finales.
en lugar de llorar y avanzar sobre cuál aparatejo tiene más
características que el del lado, vamos a enfocarnos en resolver el
problema y en cumplir con las necesidades del jefe de seguridad del
saber si quieren más información sobre cómo medir el valor real de las
tecnologías. Estaría feliz de hablar con ustedes.
La aproximación al problema es interesante y corresponde a la tendencia que se está observando (aunque aún muy poco) en las evaluaciones profesionales actuale. Lo más importante al final son los beneficios recibidos, siempre y cuando el usuario tenga claros sus requerimientos, o exista la forma y tiempo de asistirle en esta definición. De cualquier manera, los criterios deben estar acompañados de parámetros medibles, como lo son las especificaciones mínimas requeridas para lograr un nivel de satisfacción adecuado. Si me interesaría conocer más acerca de su método.
I learned long ago that users of security technology do not really want security. They want systems that help to make the business better or more successful. Therefore, when I gather technology requirements from enterprise security executives and business leaders, I look for examples of how existing IT and operations systems and processes are already succeeding. In other words, I discover what the customer likes. For example, if I find that all of the company databases are Oracle, I will give a higher “weight” to the requirements related to databases. If I found that the company uses many different databases across the organization, I’d place a lower weight on that criterion. I do the same with the user interface, the backup and recovery techniques, workflow, and every other aspect of a security technology product.
I am not trying to understand the “security needs” of my customer. I’m trying to understand and measure the business and operational needs of my customer. That’s the main difference between the way I do it and common “competitive analysis” most people use.
A security professional working for a large end user organization contributes occasionally to SecurityDreamer under the pseudonym of "Padded Arrow." Here are his latest thoughts from a Fortune 500 corporate security department:
You may have noticed that over the last couple years, Security is changing phases in the never-ending cycle. With the current financial climate, cost is once again the biggest project risk. If Security departments are to survive, they will need to move from an add-on risk function to an integral part of the organization. They will need to move from saying "no" to saying "how can we do this securely."
First, let's agree on two things; bolt-on security and security by obscurity don't work. They cost more and in the end, don't increase security.
Collaboration, collaboration, collaboration
As much as we all want to be special, unique and different, that is a negative when it comes to corporate solutions. Look for opportunities to collaborate with other business units in your company to save money. I know this is difficult for most of the "I'll tell you but then I have to kill you" security types but why would you implement a million dollar security platform for monitoring when there may already be a solution available. Many IT management platforms include functionality that can be leveraged by Security; reporting, logging, monitoring, alerting. Collaborate during product selection and you may get the functionality you need without any additional cost.
Show costs accurately and realistically
Most business managers have grown immune to the claims of loss that Security has been spouting for years. "If we don't put this system in, we will be overrun with hackers and that will cost millions if not the company." Put real numbers to a real problem and then propose a solution that costs less than the potential loss. You wouldn't spend more than something is worth to protect it.
Learn how to say "yes”
…or better yet, "Here is how you design this solution securely." Granted, 100% Security is 0% functionality however
100% functionality doesn't necessarily mean 0% Security. The earlier
Security is involved in the development and requirements process, the easier it is to make sure the organization is protected.
- Padded Arrow