What a Trip

As some of you know Monday was my last day at Yahoo!  Kara Swisher reported on it and got the communication out.  As a side note, she made reference to this blog and helped drive the largest single day viewership that I've had since I started.  Either that's a sad state of the draw I have or the power of her readership. 

Regarding Yahoo!, it was a fantastic journey with them.  I couldn't be happier with the team or our accomplishments.  As everyone knows in these jobs the work is never done and they have my respect and support in accomplishing their mission.  I have been absolutely floored by the response that I have gotten over the past couple of days.  I have received, literally, hundreds of emails from people within the industry and beyond.

In the meantime I'm going to be focusing a very necessary amount of time back to the blog and advisory boards.  I'm very excited about it and what will come.

OMG! Governments are Spying!

There has been a lot of media about the recent report to Congress on Foreign Economic Collection and Industrial Espionage.  It states that there is a huge level of espionage being done by foreign governments on corporations in the U.S. for intellectual property.  There are a couple of things that bother me about this. 

  • Spying and/or industrial espionage is nothing new.  It's been going on for hundreds of years and the introduction of the Internet hasn't changed anything other than the ease with which it can occur.
  • These electronic attacks have been going on for over 10 years and now we see a report?  Those of us who actually practice security have been dealing with it for a long time and trying to combat the issue in a mature and risk mitigation based manner.
  • The report focuses on key areas of data such as defense, energy and others.  It should be scoped as such from the beginning so as not to be as inflammatory as it is. 
  • The recommendations at the end of the report should be a lot better.  If they really wanted to drive solutioning to the problem, they would have suggested using an industry-mature framework (COBIT / ISO) to do it.  This only highlights how far behind they are in understanding the problem.

As I've written before, the problem isn't knowing attribution, threat vectors or anything else.  It has everything to do with getting corporate behavior to agree that this is a problem for it.  That doesn't mean that all companies will agree that this is a concern, nor should they.  It's the discussion that's important for practitioners to drive, and to have a healthy dialogue about it.

Yet, this report goes for the fear sell instead of actual data and diagnosis.  This is the same for certain vendors in their "Marketing Reports".  All fear with no data to substantiate it and no solutioning to solve it.  In addition, the media picks up on "China does most of the attacks" and reprints it because it's catchy.  Congrats ONCIX on getting media attention; however, you're ruining all of our chances of fixing it.