Archive for the 'The Grand Scheme Of Things' Category
Where do they find the time?
Mike Rothman is skeptical that there will be a “security industry”, and I don’t disagree with him.
I think there will be 0 security professionals in 2012. That’s right, ZERO. I think there will be network folks that specialize in security, and also some data center folks and even more application folks that are security specialists. OK, these are word games and a bit of semantics, but I think it’s an important point. If anyone thinks their only job is going to be security in 4 years, I suspect they’ll end up as a petroleum product sooner rather than later. OK, maybe not 2012, but I’m with most of the big mouth security pundits in saying security as a business will be going away within a reasonable long term planning horizon (7-10 years).
Of course, this leads me to wonder who, exactly, they think is going to do security work. And by “security work,” I don’t mean running Anti-Virus or pleading with sysadmins to patch their boxes. That’s Console Jockey work and it will go the way of all other Run jobs–overseas and down to helpdesk pay levels. When I talk about Security Work, I mean the job of determining the appropriate level of risk for the organization, then defining the mix of controls and tools across people, process and technology to actually achieve it.
Senior Executives don’t know. They just want to know that they’re not having to explain incidents to the press and that I’m still pushing back on every task because my budget is stretched (their measure of whether or not I’m “appropriately funded”).
IT doesn’t know either. If anything, I’m seeing the competence trend running in the other direction in terms of what it’s reasonable to expect an “IT Person” to know about the technology they’re responsible for. More and more, it’s getting harder to even find anyone who actually does the work of touching the technology. I can find Project Managers, Relationship Managers, Program Managers, Application Managers, Support Managers, and every other kind of manager under the sun. What I can’t find are SysAdmins, DBAs, Developers, or Engineers, and I find this disturbing.
For example, in a recent discussion of what should be the required fields in our application inventory tool, the question came up as to whether or not the data center where the production environment resides should be required. The answer was, “no,” because apparently that’s too much for a system owner or application support person to know–what building their app’s servers sit in. I wish this were an anomaly, but I’ve seen a steady increase in incidents like these, and not just at my current company, either.
And what tech talent I do see, I increasingly wouldn’t bring back from the phone screen if I were the hiring manager. I’ve seen Web developers who didn’t know the difference between the corporate LAN and the Internet from a network visibility/connectivity perspective. I’ve seen support leads who didn’t know how to connect to the application they supported. I’ve seen DBAs who didn’t know what an index was! These people don’t even understand fundamental aspects of their own core competency, and we think they’re going to absorb a volume of knowledge and skills that most specialists can’t even seem to master?
So who’s going to do this work? The applications aren’t going to secure themselves. This is a simple fact, and even if the application can somehow be declared “secure” (which is to say, “secure enough”) in a vacuum, as soon as it starts interacting with users and other applications, all bets are off. Once again, someone has to decide how much security is enough for those interactions, either by declaring a standard or doing a risk assessment and determining what’s acceptable and what’s not.
While there might not be “Network Security” or “IT Security” as we know it today, I firmly believe that there are still going to be Information Risk and Information Protection specialists at all levels of the organization. Just because we’re going to either evolve beyond the world of Console Jockeys or get a job with Rothman at Dairy Queen doesn’t mean that Security Professionals are going away–quite the opposite, they’re going to have to actually become professionals.
So is all hope lost? Not necessarily. Clay Shirky had some really interesting observations on social surplus which apply here as well. Social Surplus is time that a society no longer needs to spend on some activity. For example, people worked fewer hours in the second half of the 20th century, leaving time that had to be filled. In response, the United States came up with things like sitcoms and yardwork.
So if you take Wikipedia as a kind of unit, all of Wikipedia, the whole project–every page, every edit, every talk page, every line of code, in every language that Wikipedia exists in–that represents something like the cumulation of 100 million hours of human thought. I worked this out with Martin Wattenberg at IBM; it’s a back-of-the-envelope calculation, but it’s the right order of magnitude, about 100 million hours of thought.
And television watching? Two hundred billion hours, in the U.S. alone, every year. Put another way, now that we have a unit, that’s 2,000 Wikipedia projects a year spent watching television. Or put still another way, in the U.S., we spend 100 million hours every weekend, just watching the ads. This is a pretty big surplus. People asking, “Where do they find the time?” when they’re looking at things like Wikipedia don’t understand how tiny that entire project is, as a carve-out of this asset that’s finally being dragged into what Tim calls an architecture of participation.
Now, the interesting thing about a surplus like that is that society doesn’t know what to do with it at first–hence the gin, hence the sitcoms.
(if you want to know where the gin comes in, go read the essay–it’s well worth the time)
But consider that if we switch the scale & topics from “The TV Watching of Population of the United States” to “the use & maintenance of IT,” and then swap Wikipedia with “IT Security,” then other than the scale of it, the same opportunity is out there, if we can figure out how to drive it.
But is it possible to create a Social Surplus within (Enterprise) IT that would be devoted to both improved excellence and ensuring security, rather than just chopped off as cost reduction?
Forecasting Wisdom for a Friday
From Cory Doctorow:
Whenever someone asks you which of two futures you think is more likely, your best bet is always “none of the above.”
Posted in Observations, The Grand Scheme Of Things
Missing
Posted in The Grand Scheme Of Things, Terrorism
Don’t plan on it
I was disappointed, though not at all surprised, to learn that The DHS has no Disaster Recovery Plan:
It’s disheartening. It’s incredible. But it’s not all that surprising. That’s how some business continuity experts and government officials reacted to the news that 15 out of 19 agencies under the Department of Homeland Security lack fully operational disaster recovery sites—a shortfall that could hinder DHS’s ability to carry out its mission during a service disruption or national emergency.
DHS’s ability to carry out its mission during a disruption or emergency is hindered by a lot more than their lack of a DR plan.
From what I can tell, the best way to keep a building from catching fire would be put these clowns in charge of burning it down. They truly are The Gang That Couldn’t Shoot Straight.
Quagmire
This picture is, in and of itself, pretty funny, so long as you’re either
1) Not one of those guys standing by the tree trying to figure out what to do about it; or
2) One of the guys standing by the tree re-telling the story in a bar at any point afterwards.
but then, I noticed the name of the tank…
You can’t make this stuff up.
Posted in The Grand Scheme Of Things
Why is Department of Homeland Security worrying about file-swapping?
Shamelessly stolen from Dave Farber’s Interesting People mailing list
Why is Department of Homeland Security worrying about file-swapping?
Simple, Dr. F:
a) MPAA posits that filesharing will kill the movie cartel. {Dubious assumption - look at the Sony decision’s effects, but follow along..}
b) If the movie cartel goes away, people will have less to fill their time.
c) With less to do, the citizens may well start reading and thinking again, as they did in generations past.
d) They just might run into the classic line from Pogo:
We have met the enemy, and he is us
and/or the Constitution while reading.
e) Armed with that, they might move to check the power of Fatherland Security, and maybe even the Administration as a whole.
f) Ergo, filesharing is a threat to them.
I guess that the Homeland Security boys and girls do some Risk Management after all.
The War On Freedom Terror
You don’t have Rights if you’re not allowed to exercise them. This is a chilling account by a professional photographer of his experience with the San Francisco Transit Police (BART PD) and San Francisco Police (SFPD). In his own words, when he attempted to shoot some photos of a BART station platform:
… The short version is that The Fare Inspectors tried to prevent me from taking photos under threat of citation. When I refused to stop, they tried to cite me but couldn’t find any relevant code, regulation or law to cite me. Enlisting the aid of the SFPD and BART Police officers also yielded no results. No citation was issued.
He has links to a detailed account in the linked blog posting.
Essentially, what the police told him was, “Just because it’s legal and a Constitutional Right doesn’t mean we won’t find some way to arrest you or harass you for attempting to exercise it.” If the only things being done in the name of “security” are Security Theater at best and Illegal Thuggery at worst, then I can’t help but believe that America has lost the utterly mis-named “War on Terror.”
It’s times like these that I wonder what the future of Security and Risk Management holds. Real security professionals of all stripes (both information and physical) are trained in how to identify the most effective and least intrusive ways to protect assets. Real security people don’t harass people for the crime of knowing and exercising their rights. Whenever I see or hear an account of this sort of official harassment, it makes me sick.
Posted in The Grand Scheme Of Things | 2 Comments
Reaching New Lows: Copyrighting Public Space
I’m tempted to add a new category to my blog just for articles about things as silly as this one on New (Sub)Urbanist. Basically, it says that the image of the centerpiece statue in Chicago’s Millennium Park, commonly referred to as The Bean, is copyrighted and may not be taken.
This whole mess seems fundamentally “broken” to me. First, the City of Chicago bought a very shiny new sculpture to put in their shiny new park. But, the story goes, they managed to separate the Image Rights (the copyright) from the sculpture itself. So now I’m to believe the City owns the large piece of metal decorating their park, but not the right to photograph it for commercial purposes–that belongs to the sculptor.
If the City were merely banning all commercial photography of The Bean, that would at least be consistent with their claims of upholding the copyright protections according to the law. Any issues relating to whether the City was smart or dumb in not obtaining those rights is a separate discussion.
But what they’re really doing is forcing commercial photographers to purchase (expensive) permits to take their pictures (and it’s just commercial, according to the original article which is linked from New (Sub)Urbanist above). So is the City forwarding any permit fees they collect on to the rightsholder? If so, how do they determine what proportion of those permit fees go to which sculptor, assuming that more than one is involved?
But if they aren’t forwarding those fees on, then the city is now selling something they don’t own, violating the very copyright license they claim to be enforcing! So which is it? Does the city have a franchise to sell Commercial Photography permits for The Bean or doesn’t it?
Is the City of Chicago merely an especially inept contract negotiator, or are they Copyright Scofflaws as well?
P.S. Boing-Boing is getting in on this bit of silliness, as well.
It’s about time that Meatspace made room for Cyberspace
I found this brief post at LaughingMeme, No One Knows You’re A 800lb Gorilla to be well worth sharing.
I know that much has been made of the Blogosphere in general as a driving force behind such actions as discrediting the Bush War Memos, but that was more a demonstration of the Power Of The Net than anything. This is one of those rare moments when a Major Corporation inadvertently runs afoul of the uninhibited, activist nature of the Internet. If this had happened to a reporter, nothing would have come of it. But, because it happened to a major blogger–someone who must have a fair bit of ego and an agenda almost by definition–it turned into something much bigger than Traditional Media would ever have made possible.
This actually reminds me of the early 1990’s when people were all abuzz about the decentralizing influence The Web was going to have on society. It’s taken ten years for the pieces to fall into place, but I’m pretty excited to see what comes next.
I may only be an 8lb gorilla today, but I’m eating my ASCII’s and one day I’ll be as big as Cory Doctorow!
Posted in Technology, The Grand Scheme Of Things
Outsourcing: When good business ideas go bad, Part II
In Part I, I talked about the general problem of outsourcing and why it often doesn’t make sense from an operational perspective.
Now, I’m going to outline two situations where I believe it does make sense to outsource an operation. The first scenario is when the need for the outsourced skillset is only occasional or if the need is only applicable in exceptional circumstances. For example, as an individual I would put my relationship with various specialized tradesmen such as plumbers, electricians, or locksmiths in this category. Depending on my relative capability in a particular area, I might take on the task myself. I can change a lightbulb and even hang a light fixture, but when I need a new circuit run, I’m calling a professional.
Most small (and even some medium) businesses run their IT in this same manner. There’s probably someone in-house who handles day-to-day IT issues such as changing the tape in the backup system (assuming they have a backup system) or installing a new workstation for an employee, but when it’s time to buy and configure a new server or recover from a major failure, it’s probably money well-spent to call a specialist. Even though the business is paying a premium for the specialist’s high-value time, they are still saving significant amounts of money compared to trying to maintain that skillset in-house.
The other scenario where outsourcing makes sense is when the function is so far outside the realm of expertise that the business doesn’t even want to “change the lightbulbs” themselves. The obvious functions I put in this area are Accounting, Legal, and Human Resources since the cost of a significant mistake in these areas could easily end in bankruptcy, civil liability or worse.
In these cases, the view of Outsourcing as risk insurance is quite valid. Outsourcing the function to a trained professional significantly reduces the risk of an audit, lawsuit, or even criminal investigation brought on by ignorance of the law. There still exist risks in this relationship–the business is at the mercy of the specialist and must trust them to be doing their job diligently. Nevertheless, I would say that the risk is still less than if the function were in-house since a credible outsourcer will typically carry some sort of bonding or Errors and Omissions Insurance of their own.
There is one final factor implicit in the nature of the relationships that I’ve described here–the relative lack of “friction” created by outsourcing the function. Yes, it may take longer to drive to the accountant’s office than if they were right across the hall, but that can be controlled to a certain extent by choosing an accountant (or lawyer or HR Agency, etc.) who’s in your neighborhood, whom you communicate well with, and who’s honest.
So when all is said and done, Outsourcing is still a business decision just like any other. There are costs and risks associated with it. The key is to not get so focused on any one aspect that the decisionmakers fail to see the forest for the trees.
Posted in Office Life, The Grand Scheme Of Things