Below is an interview conducted with Mike Rothman. Mike specializes in protecting networks and endpoints, security management, and compliance. He is one of the most sought-after speakers and commentators in the security business. After 20 years in and around security, he’s one of the guys who “knows where the bodies are buried” in the space. Mike started his career as a programmer and a networking consultant and has since held VP roles at CipherTrust and TruSecure, and was Senior VP, Strategy and CMO at eIQnetworks. Mike joined and is currently with Securosis. His full bio is located here.


Q: In the last 3 years, it feels like we have seen an acceleration of the commoditization of security products, led by Barracuda and others. What product categories do you see heading down this road in the next 3 years?

Mike Rothman: Funny you should mention that topic. We recently posted a few pieces on the Securosis blog about security commoditization and feature parity. The links are: 1, 2, 3. A combination of things has to be in place for commoditization to happen, at least within a mid-market customer base. First, the requirement needs to be nearly universal. So anything dictated by a compliance mandate fits the bill. Second, the technology needs to be reasonably mature, which means easy enough to use that it doesn’t require an army of professional services folks to make it work. Finally, the security channel needs to get behind a technology to provide wider distribution. When I look at the landscape out there, I think log management is probably the next market to commoditize. And that also means that these offerings will show up as “cloud services.” That’s another key aspect of driving volumes, which means lower prices and commoditization.

Q: What chance do smaller niche security companies have against the titans of our industry (HP, Cisco, Symantec, etc.)? What do they need to do to play in this market?

MR: Niche security companies have very little chance to compete over time against the behemoths. It’s just too easy for the big guys to bundle in the technology with their cash cows, effectively killing the stand-alone markets. That being said, truly disruptive technology is mandatory to build a sustainable security company. Otherwise, the niche player better hope they get some early customer traction and make an attractive acquisition candidate. It also gets back to the success criteria of the company. Lots of companies can build a security products/services business and sell for $15-30 million. If they raised $1 or $2 million, it’s a huge win. If they raised $45 million, not so much.

Q: In the aggregate, do you feel that cloud-based apps reduce or increase security risks to an organization?

MR: Cloud-based apps clearly increase risk because of the lack of visibility and control. We at Securosis are big fans of monitoring everything you can, and that is hard in the cloud. My partner Rich Mogull was instrumental in working on the team that built the security framework for the Cloud Security Alliance. They defined how you should think about securing critical data in the cloud, and I do think it’s going to happen. But I don’t think we really (as an industry) understand all the ramifications of moving the data into the cloud.

Q: If you were a 22-year-old EE or CS major due to graduate next spring in 2011, would you choose a security career?

MR: The only way security makes a good career choice is if you love it. Security is a hard job. You get very little positive feedback and a good day is when nothing happens. And those good days are few and far between. Thus, unless you have a passion for protecting data, working with people that don’t really care about what you are saying, and facing an adversary that has far more resources and a clear financial motive, security may not be a great choice. That being said, for those folks with the temperament to do security, it’s a great career and I suspect there will be employment opportunities for a long time to come.

Q: If you were a 32-year-old senior network administrator at a large FI, would you try to move into an information security career?

MR: Again, it gets back to passion. An admin in his/her early 30s has a decent amount of experience and the right background to be successful in security. But it’s not technical chops that make the best security folks, it’s the attitude and high threshold for pain and frustration. Many of my friends in the trenches wouldn’t do anything else. But a lot wish they could. It’s an intensely personal decision and I don’t want to sugarcoat the difficulties in doing security every day.

Q: Recent research shows that the average time a person stays in a security specific job role is about 2 years. What do you make of this?

MR: Not surprising. As I’ve mentioned, security is hard and a lot of folks make a personal decision to go back to network management or systems administration. I suspect the turnover is even higher for senior security professionals because those are the folks that get thrown out of the car at a high rate of speed when something goes wrong. Regardless of whether they are at fault or not. As folks rise up the security ladder the job becomes a lot more about persuasion and influence and a lot less about technology. I discussed a lot of these topics and laid out a methodology to build a security program in my book, The Pragmatic CSO. That’s a good background for anyone thinking about security and how to build a program.

Q: Do you feel we are in a hot or cold cyberwar with China?

MR: I’m not sure what that means. If “cyberwar” means we are spying on them and they are spying on us using electronic means, then sure. But keep in mind that definition means we are also at “cyberwar” with almost every country out there, enemies and allies alike. I’ve yet to hear about a laser beam being shot out of a computer that results in casualties and blood being spilled. That’s war to me. The reality is we see a lot of hype around “cyberwar” and I think emergency preparedness is key since electronic attacks are now part of any kind of military action. If you can knock out an enemy’s power grid without shooting one missile, then that is a much safer and more effective way to fight.

Q: What advisory services do you see CISOs most in need of? Does this match what you see them requesting from Securosis?

MR: That really varies by the size of the company. We see most large enterprise CISOs use IT research services in two ways. One is to learn about a topic, basically to know what they don’t know. They usually go through some kind of procurement process and then they come to the second use case, which is to cover their asses. At the end of the procurement they tend to know what they want to do, they just need someone to validate that direction. Gartner and Forrester do that well, just bring your checkbook. Most of our interactions with large companies are in the former camp, when they want to learn about a specific topic or get some ideas as to how other companies are solving problems. But we really don’t have a specific offering to sell to a large enterprise, so most of our work is informal.

We tend to cater to a more technical audience, which is why we tend to dig a lot deeper in our published research (available in our research library) and on our blog. That being said, we believe there is a significant opportunity to bring IT research to the mid-market. These folks aren’t necessarily CISOs, rather more IT generalists that have to deal with security as well. We are working on a mid-market research offering to provide far more actionable guidance to these folks at a much lower price point than is available today. Smaller companies have neither the time nor the expertise to wade through all the “advice” that is available today. These folks need templates and task lists to work through all of the major security-oriented projects that need to get done. We’ll provide that information and we think it’s a great opportunity. Folks should keep an eye on our blog for the announcement of the new service towards the end of the year.

Q: We have seen a shift in the past 5 years from server-side attacks to client-side attacks. Do you think the security industry as a whole can lock down the client side as well as we have done with the server side?

MR: Attackers will always migrate to the path of least resistance for their attacks. The goal has always been to compromise as much data as possible with the least amount of effort. That used to involve going after servers. Now it’s about compromising a client device to gain a foothold within an organization and then go directly after the data stores. I’m not sure whether it’s because we’ve “locked down” the servers or whether the clients are just lower-hanging fruit right now. The fact remains we can lock down the clients right now. But most organizations are not willing to fight the political battle to get something like application whitelisting broadly deployed because it tends to break the user experience. But it does a pretty good job of stopping client-side attacks. So that was a long-winded answer to saying locking down the client side isn’t a technology issue, it’s a political issue.

Q: Where do you see the antivirus industry heading? As the cash cow runs low on milk, will any of the diversification efforts replace lost revenues?

MR: Whether it’s anti-virus or any other kind of suite approach, the vendors in the space are only concerned with keeping the clients they have, taking market share and maintaining the average spend per licensed client device. Regardless of what we “security folks” know about effectiveness, the mass market still believes every endpoint device needs AV. And regulations like PCI perpetuate that perception. Mr. Market is dictating that the endpoint suites evolve. They need to integrate new technologies and become more effective, but in reality, until there is a legitimate alternative that can be deployed en masse by unsophisticated users, endpoint suites will still be the cornerstone of most organizations’ security strategy. As ridiculous as that is.

Q: Adobe has replaced Microsoft as the poster child for poor practices in software security. Everything from iPhones to your grandma’s computer is getting rooted because of it. Do you think they will manage a turnaround à la Microsoft?

MR: Actually, it seems Adobe is trying to leverage the processes and distribution engine that Microsoft has built over the past 10 years. They are partnering on all sorts of activities and I think it’s a good move. No need for Adobe to reinvent the wheel and Microsoft realizes that even if a security problem is Adobe’s, Microsoft still gets a black eye because it runs on their O/S. But cultural change takes a long time and I suspect Adobe’s products have a large number of issues. It will take them years to get the process right, but at least they seem to be focused on the right activities and have commitment from the top.

Q: What is your opinion on federally mandated certification programs, such as the DoD 8750.1 directive?

MR: I think it’s great for companies that provide certifications. LOL. It doesn’t make me feel safer, nor do I think it will have any impact on the security posture of our critical information. I’m pretty skeptical about most certifications. I know some real dimwits who have all sorts of certifications, and likewise many of the best practitioners I’ve met didn’t bother with taking the tests to be certified. That being said, I think forcing a base level of knowledge isn’t a bad thing. But most folks make the mistake of mistaking the ability to take a test with *competence*. Never assume someone with a certification is competent. They have to prove that.

Q: If you were to take $100,000 of your own money and invest it into a single security company, which would you pick and why?

MR: I can’t play favorites, so I’m not going to get specific. On the network side, I think application control and visibility in the perimeter is important. On the endpoint, I believe whitelisting will become integrated into the endpoint agents over time. For security management, I believe there is a large market for a low-cost logging “toaster” targeted towards mid-market companies to meet compliance mandates. All of those areas will drive economic value. Investing in a start-up is more about execution than idea.

I can only tell you where I have invested my own money, and for me the best opportunity is with Securosis. There is no lack of technology or services out there to help organizations protect themselves. They just have to learn what to do. So personally I believe the biggest gap in the market is a knowledge gap. You guys fill that gap with educational training; we at Securosis will address the gap from a more packaged IT research perspective. But our end goal is the same: making sure the masses out there understand how they can and should be protecting their information.

Q: How do you keep yourself in the know and up to date on the latest security issues?

MR: I read a lot. I talk to a lot of people. But remember, my job is to be in the know. Everyone else’s job is to do something. If I were fighting the battle day to day, I’d subscribe to only a few sources. Obviously the Securosis blog. But I also think Threatpost does a great job of summarizing what is going on. And maybe a newsletter from TechTarget or Dark Reading. That will provide a quick view of the headlines. I’d say social media networks like Twitter as well, but that’s a slippery slope. It’s a full time job just to keep up with the Security Twits…

Q: How do folks get in touch with you?

MR: It’s pretty easy, my email is mrothman (at) securosis (dot) com. And my partners and I write daily on the Securosis blog. My Twitter handle is @securityincite, but candidly I’m pretty spotty with my Tweets, depending on how busy I am on research projects.