Archive for the ‘Disruptive Innovation’ Category

One Man’s Threats Are Another Man’s Opportunities (Embracing Disruptive Technology)

November 12th, 2007

Last week, Jim Rapoza from the ZD Enterprise’s Emerging Technology blog wrote an article that caught my eye titled "Emerging Security Threats."

I popped on over to get what I suspected would be my weekly fill of botnets gone wild and other malware-laden horror stories, only to be surprised to find that the top emerging security threats were actually many of the same strategic technologies that CIOs reported to Gartner as those "…with the potential for significant impact on the enterprise in the next three years."  Go figure.

Jim summarized the intent of his post thusly:

Emerging technologies can bring a whole host of benefits, often improving productivity, changing the way businesses interact and enhancing the lives of people all over the world.

And whenever a new technology comes out and gets a lot of hype, there is a lot of enthusiasm about the many benefits and new capabilities that this technology provides.

But, also without fail, there is one key thing that almost no one ever talks about. What is this hidden factor? It’s security.

Over the years I’ve gone to lots of conferences and seminars dedicated to emerging technologies, from Web 2.0 to virtualization to virtual worlds. And the one thing that pretty much never gets covered (or even mentioned) in these conferences is security.

Of course, this is understandable. New technologies are just introducing themselves to the world. It’s sort of like a first date. When you go on a first date, you probably don’t start out talking about all of your illnesses and insecurities. The same goes for emerging technologies. Their creators just want to promote their good points.

But for users of these technologies, ignoring the potential security threats that these emerging technologies introduce can lead to big problems, including data theft, system compromises and the spread of malware.

I think that Jim’s analogies are basically good ones; security has historically been an afterthought.  But in the context of my last couple of posts, drawing attention to the disruptive effect of these technologies and their generally under-capitalized security investment in the manner he does in effect sensationalizes an already flammable scenario.

The reality-based analog that is suitable for contrast here is the old cliché: "guns don’t kill people…people kill people."  As corny and over-played as that is, technology doesn’t cause threats to materialize magically; the poor implementation of the technology does.

Rather than work to rationally discuss security in context and consider these disruptive technological innovations as opportunities to leverage, they are ultimately painted here as evil.  This is exactly the sort of "security is a speed bump" persona we need to shed!

Check out the purported horror show of "emerging threats" below and compare them to Gartner’s Top 10 Strategic Technologies for 2008-2011 to the right.   These technologies possess "factors that denote significant impact [which] include a high potential for disruption to IT or the business, the need for a major dollar investment, or the risk of being late to adopt."

  1. Ajax
  2. Google Apps
  3. Mobile Devices & Applications
  4. RFID
  5. Rich Internet Applications
  6. RSS
  7. Social Networks
  8. Virtual Worlds
  9. Virtualization
  10. VoIP

How many of either of the Top-Ten lists above are you dealing with today?

Check out the slideshow.  Lovely artwork, but abrasive and vague at best.  Rather than paint a balanced portrait of pros and cons as his introduction alludes to or suggest how these technologies can be deployed securely, we instead get soundbites like this:

VOIP – VOIP systems have greatly broadened the telecom options for businesses, not only freeing them from traditional phones but making it possible to easily tie voice into other enterprise applications. But VOIP systems can be easily tapped by anyone and have become an attractive target for hackers.

The reality is that any new technology has the potential to allow "bad stuff to happen."  I think we all know that already.  What would be really useful is a way of managing this process.  I think there’s a better way of communicating without relying on fear.

/Hoff


Security and Disruptive Innovation Part II: Examples of Disruptive Innovation/Technology in the Security Space

November 12th, 2007

Continuing on from my last post titled Security and Disruptive Innovation Part I: The Setup we’re going to take the general examples of innovative technological industry disruptors in slide 3 and highlight some security-specific examples to bring the point a little closer to home.

In this case, we’re going to reflect upon security practices, movements and methodologies and how disruptors, market pressures and technology are impacting what we do and how.  The point of this is to discuss a framework of how to embrace and manage the process of evaluating emerging technologies and disruption and manage to it proactively.

13.  Examples of Disruptive Innovation in Security

As we demonstrated previously in slide 3, the impact that disruptors in the right-hand column caused against those who enjoyed market dominance in the left-hand column was profound.  In many cases, the incumbents never saw it coming.

Some of these shifts were incremental and some were radically game-changing.  Some took quite a while to catch on, while others benefited from the viral "sneezers" (as Seth Godin is fond of saying.)

Here we see a list on the left featuring established thought leadership, generally observed practices and methodologies and what some might describe as the status quo within the security industry.

The corresponding list on the right represents emerging disruptive innovation and technology.  Most of you should be familiar with these issues.  To some, they are merely background noise — glacially eroding the landscape while the day-to-day priorities are dispatched —  while to others they represent pressing business concerns and abrasive friction, threatening the manner in which security programs are executed and competing for attention at every turn.

Let’s take a look at each of these samples in more detail; the slides are just talking points, so I’ll add color in the accompanying text.  This will be split into a couple of posts.

14. The Outsourcing of Security

In my experience, outsourcing in general provokes a visceral response no matter which side of the fence one may choose to sit on.  Pro or con, outsourcing of services is a matter of course in today’s world.

Whether the motivation is taking cost out of the business, focusing on competencies, the transference of risk or improving operational efficiency, if you haven’t felt some impact from the outsourcing movement already, you surely will at some point shortly.

If one starts poking around the notion of outsourcing "security" functions to resources outside of an InfoSec shop’s internal corps, it’s often bound to generate sparks.

In general, my observations have been that InfoSec staffers become incredibly defensive about the feasibility and perception of security when discussing outsourcing elements of a security program.  Many of these arguments are instinctual and not business-driven but are autonomic and reflexive.  It’s really hard to let go of the fact that the value we purport to provide the business is, in many cases, becoming a feature set of a larger operational machine.

In many cases I have personally witnessed, the arguments against outsourcing security are supported with knee-jerk comments citing "possible exposure," "unacceptable risk," or "regulatory issues" but rarely have any hard data (read: quantifiable metrics) to back them up.  Neither hope nor FUD is a very good strategy.

The reality is that in many cases, mature operational functions represent excellent opportunities for outsourcing.  Many of these have capital and operating expenses that can be reduced or altogether eliminated and allow for the "security" team to focus on more important things.

Common examples of outsourced low-hanging fruit security functions today include:

  • Managed firewall
  • Managed Intrusion Detection/Prevention
  • Anti-Spam
  • Vulnerability Assessment/Management
  • Secure Messaging

Combined with operational models such as Software as a Service (SaaS) which we’re going to talk about shortly, we’re even seeing examples of outsourced application and code analysis, complete application outsourcing, etc.

Obviously this all comes down to the type of business you’re in and the risk associated with letting some other party operationalize elements of your business processes, but it’s happening in a big way and will continue to do so.

I’ve personally witnessed an example of a Fortune 500 company dissolving its entire operational administrative and security teams and selling its data center hard assets to a management services company.  This company then leases back the management of the IT and Security operations as a service, allowing the security team to act as architects and focus on more pressing, relevant business issues instead of firefighting.  They become much more strategic and integrated with the business.

The disruptive argument for outsourcing revolves around the issue of spending time and money paying legions of administrators and security folk to perform tasks which are oftentimes not critical, do not add business value, and can be obtained elsewhere at competent (or perhaps higher) levels of quality, faster and cheaper.

How would you take the cost savings/avoidance benefits of outsourcing and describe how you might invest it elsewhere in your security spend to demonstrate better alignment to the business?

15. The Consumerization of IT

A good number of security professionals are also masterful consumers and collectors of toys of one kind or another.  As aficionados of all things tech, you’ll often find even the most conservative security wonks lining up to buy the latest kit with the newest features on release day.

Rationalizing why we might need to upgrade to a phone with video playback, camera, massive storage, WiFi, web browsing and open APIs is easy: flexibility, agility, efficiency, connectivity…it lets one do what one wants/needs/likes to do faster, better, easier, and cheaper, right?  At least that’s what we tell our wives 😉

In what can only be described as a case of clinical schizophrenia, the same iPhone-toting CISO might also be the first to rail against the introduction of these new technologies within the enterprise despite the exact claims and justifications being made by the business.

New technology is often introduced into the organization and championed under the same banners of enhanced efficiency, agility or customer experience, and these initiatives are often critical elements that a business invests in so as to secure a competitive business advantage against the competition.

Strangely, the business value for the adoption of many of these consumer-based technologies entering the enterprise (even if it’s merely "good will") is oftentimes ignored and cast aside in the name of "security," with the overriding inflexibility chalked up to "implied" risk, undisclosed (invisible?) vulnerabilities and simply bad "juju" — all grouped under the iron-clad containment of the almighty "security policy."

Now, there are also many very reasonable reasons to suggest that allowing employees to use consumer technologies within the enterprise is a difficult concept: support, confidentiality, privacy, regulatory requirements.  These are valid issues to be dealt with, and it is really important that the business be aware of the impact of its decision to allow this sort of technology to be used.

There are two dirty little secrets that must be accounted for when discussing the consumerization of IT within the enterprise and your business constituents:

  1. It’s not Security’s place, birthright, charter or problem to be the judge, jury and executioner as to what is allowed or not allowed.  It *is* Security’s job to advise the business and allow them to make a (gasp!) business decision on the matter.
  2. They’re doing it anyway and will continue to do so. 

If a technology or innovation allows an employee who actually contributes to the bottom line to do his/her job better, more efficiently and at lower cost, and helps drive revenue that contributes to your budget (read: paycheck), why is this a bad thing?!

If you’re doing your job, the business will take your advice seriously and will make a decision based on fact.  They may decide that despite your advice, the technology or innovation is compelling enough to outweigh the potential risk.  Other times they might not.

Either way, you’ve done your job. 

Remember when WiFi first appeared?  Most enterprises and their IT and Security teams vehemently attempted to prevent its use by policy citing the lack of business need and security concerns.  There were certainly security issues that needed to be solved, but today WiFi has emerged as a disruptive technology that is indispensable as a tool.  If you have remote employees, you are first-row-center observers as to how WiFi as a disruptive innovation has changed the landscape.

Many companies have these enormous virtualized and distributed workforces.   To facilitate such a decentralized model, these companies are beginning to embrace a program that my company calls the "Digital Allowance." 

Digital Allowance provides an annual stipend to employees to allow them to go out and purchase technology that they will use to do their jobs.  They can use their home computers, their iPhones, etc. to do their jobs if it meets pertinent and reasonable requirements.

It is the job of the IT and Security teams to provide a safe and reasonably secure computing environment to allow employees to do their jobs without putting the company in harm’s way.

This sort of program is taking off as companies realize that consumer, pro-sumer and enterprise technologies are colliding at a velocity of change that makes it difficult to distinguish between them, and that the business benefits outweigh the downside.  In fact, my company has a business consulting practice that teaches other companies how to put these programs in place.

Most security professionals curl up in a fetal position (as I first did, admittedly) when considering this sort of program.  How are you dealing with the consumerization of IT within your company?

Up Next: Part III – The Examples Continue…


Security and Disruptive Innovation Part I: The Setup

November 8th, 2007

As a follow-on to my post on security and innovation here, I’m going to do a series based upon my keynote from ISD titled "Why Security Should Embrace Disruptive Technology," with a brief narrative of each slide’s talking points.

The setup for the talk was summarized nicely:

IT departments have spent the last 10+ years enabling users by delivering revolutionary technology and delegating ownership and control of intellectual property and information in order to promote agility, innovation and competitive advantage on behalf of the business. Meanwhile IT Security has traditionally focused on reining in the limits of this technology in a belated compliance-driven game of tug-of-war to apply control over the same sets of infrastructure, intellectual property and data that is utilized freely by the business.

Christofer Hoff, chief architect for Security Innovation at Unisys and former Security 7 winner, will highlight several areas of emerging and disruptive technologies and practices that should be embraced, addressed, and integrated into the security portfolios and strategic dashboards of all forward looking, business-aligned risk managers. Many of these topics are contentious when discussing their impact on security:

  • Outsourcing of Security
  • Consumerization of IT
  • Software as a Service (SaaS)
  • Virtualization
  • De-perimeterization
  • Information Centricity
  • Next Generation Distributed Data Centers

Hoff will discuss what you ought to already have thought about and how to map these examples to predict what is coming next and explore this classical illustration of the cyclical patterns of how history, evolving business requirements, technology and culture repeatedly intersect on a never-ending continuum and how this convergence ought to be analyzed as part of the strategic security program of any company.

I will be highlighting each of the seven examples above as a series on how we should embrace disruptive innovation and integrate it into our strategic planning process so we can manage it as opposed to the other way around.  First the setup of the presentation:

1. What is Innovation?

Innovation can simply be defined as people implementing new ideas to creatively solve problems and add value.

How you choose to define "value" really depends upon your goal and how you choose to measure the impact on the business you serve.

Within the context of this discussion there is certainly technical innovation in the security field — how to make security "better," "faster," or "cheaper" — but rather than focus on the latest piece of kit, I’m interested in exploring how disruptive technologies and innovative drivers from the intersection of business, culture, and economics can profoundly impact how, what, why and when you do what you do.

We are going to discuss how Security can and should embrace disruptive technology and innovation in a formulaic and process-oriented way with the lovely side effect of becoming more innovative in the process.

2. What is Disruptive Technology/Innovation?

Clayton Christensen coined this term and is known for his series of work in this realm.  He is perhaps best known for his books: The Innovator’s Solution and The Innovator’s Dilemma.

Christensen defined disruptive technology/innovation as "a technology, product or service that ultimately overturns the dominant market leader, technology or product."

This sort of event can happen quickly or gradually and can be evolutionary or revolutionary in execution.  In many cases, the technology itself is not the disruptive catalyst; rather, the strategy, business model or marketing/messaging creates the disruptive impact.

3. Examples of Disruptive Technology

Here are some examples from a general technology perspective that highlight disruptive technologies/innovation.

Mainframe computing was disrupted by minicomputers and ultimately client-server desktop computing.  Long distance telephony has been broadly impacted by Internet telephony such as Skype and Vonage.  Apple’s iTunes has dramatically impacted the way music is purchased and enjoyed.  The list goes on.

The key takeaway here is that the dominant technologies and industries on the left oftentimes didn’t see the forces on the right coming, and when they did, it was already too late.   What’s really important is that we find a framework and a process by which we can understand how disruptive technology/innovation emerges.  This will allow us to try and tame the impact and harness disruption positively by managing it and our response to it.

4. Technology Evolution: The Theory of Punctuated Equilibrium

I’m a really visual person, so I like to model things by analogy that spark non-linear connections for me to reinforce a point.  When I was searching for an analogy that described the evolution of technology and innovation, it became clear to me that this process was not linear at all.

Bob Warfield over at the SmoothSpan blog gave me this idea for an evolution analogy called the Theory of Punctuated Equilibrium that describes how development and evolution of reproducing species actually happens in big bursts followed by periods of little change rather than constant, gradual transformation.

This is really important because innovation happens in spurts and is then absorbed and assimilated; what matters for planning is forecasting the timing of these bursts.

5.  Mobius Strips and the Cyclic Security Continuum (aka the Hamster Wheel of Pain)

If we look at innovation within the Information Security space as an example, we see evidence of this punctuated equilibrium distributed across what appears to be a never ending continuum.  Some might suggest that it’s like a never-ending Möbius strip.

Security innovation (mostly in technology) has manifested itself over time by offering a diverse set of solutions for a particular problem which ultimately settles down over time with solution conformity and functional democratization.  A classic example is NAC or DLP; lots of vendors spool up in a frenzy and ultimately thin down when the problem becomes defined and solution diversity thins.

Warfield described this as a classic damped oscillation where big swings in thinking ultimately settle down until everything looks and sounds the same…until the next "big thing" occurs.

What is problematic, however, is when we have overlays of timing curves of technology, economics, business requirements and culture.  Take for example the (cyclic) evolution of compute models: we started with the mainframe, which was displaced by minis, desktops and mobile endpoints.  This changed the models of computing and how data was produced, consumed, stored and managed.

Interestingly, as data has become more and more distributed, we’re now trending back to centralizing the computing experience with big honking centralized virtualized servers, storage and desktops.  The applications and protocols remain somewhere in between…

So while one set of oscillations is damping, another is peaking.  It’s no wonder we find it difficult to arrive at a static model in a dynamic instance.

6. Using Projections/Studies/Surveys to Gain Clarified Guidance

Trying to visualize this intersection of curves can be very taxing, so I like to use industry projections/surveys/studies to help clear the fog. Some folks love these things, others hate them.  We all use them for budget, however 😉

I like the thematic consistency of Gartner’s presentations, so I’m going to use several of their example snippets to highlight a more business-focused logical presentation of how impending business requirements will drive innovation and disruptive technology right to your doorstep.

As security practitioners we can use this information to stay ahead of the curve and not get caught flat-footed when disruptive innovation shows up, because we’ll be prepared for it.

7. What CIOs see as the Top 10 Strategic Technologies for 2008-2011

Gartner defines  a strategic technology as  "…one with the potential for significant impact on the enterprise in the next three years. Factors that denote significant impact include a high potential for disruption to IT or the business, the need for a major dollar investment, or the risk of being late to adopt."

Check out this list of technologies that your CIO has said are the technology categories that will provide significant impact to their enterprise.  How many of them can you identify as being addressed in alignment to the business as part of your security strategy for the next three years?

Of the roughly 50 security professionals queried by me thus far, most can only honestly answer that they are doing their best to get in front of at most 1 to 2 of them…rot roh.

8. What those same CIOs see as their Top 10 Priorities for 2007

If we drill down a level and investigate what business-focused priorities CIOs have for 2007, the lump in most security managers’ throats becomes bigger.

Of these top ten business priorities, almost all of those same 50 CISOs I polled had real difficulty in demonstrating how their efforts were in alignment to these priorities, except as a menial "insurance purchase" acting as a grudge-based cost of business.

It becomes readily apparent to most that being a cost of business does not put one in the light of being strategic.  In fact, the bottom line impact caused by the never-ending profit draining by security is often in direct competition with some of these initiatives.  Security contributing to revenue growth, customer retention, controlling operating costs?

Whoops…

9. And here’s how those CIOs are investing their Technology Dollars in 2007…

So now the story gets even more interesting.  If we take the Top 10 Strategic Technologies and hold that up against the Top 10 CIO Priorities, what we should see is a business-focused alignment of how one supports the other.

This is exactly what we get when we take a look at the investments in technology that CIOs are making in 2007.

By the way, last year, "Security" was number one.  Now it’s number six.  I bet that next year, it may not even make the top ten.

This means that security is being classified as being less and less strategically important and is being seen as a feature being included in these other purchase/cost centers.  That means that unless you start thinking differently about how and what you do, you run the risk of becoming obsolete from a stand-alone budget perspective.

That lump in your throat’s getting pretty big now, huh?

10.  How Do I Start to Think About What/How My Security Investment Maps to the Business?  Cajun Food, Of Course!

This is my patented demonstration of how I classify my security investments into a taxonomy that is based upon Cajun food recipes.

It’s referred to as "Hoff’s Jambalaya Model" by those who have been victimized by its demonstration.  Mock it if you must, but it recently helped secure $21MM in late-stage VC funding…

Almost all savory Cajun dishes are made up of three classes of ingredients which I call: Foundational, Commodities and Distinguished.

Foundational ingredients are mature, high-quality and time-tested items that are used as the base for a dish.  You can’t make a recipe without using them and your choice of ingredients, preparation and cooking precision matter very much. 

Commodity ingredients are needed because without them, a dish would be bland.  However, the source of these ingredients is less of a concern given the diversity of choice and availability.  Furthermore, salt is salt — sure, you could use Fleur de Sel or Morton’s Kosher, but there’s not a lot of difference here.  One supplier could vanish and you’d have an alternative without much thought.

Distinguished ingredients are really what set a dish off.  If you’ve got a fantastic foundation combined with the requisite seasoning of commodity spices, adding a specific distinguished ingredient to the mix will complete the effort.  Andouille sausage, Crawfish, Alligator, Tasso or (if you’re from the South) Squirrel are excellent examples.  Some of these ingredients are hard to find and for certain dishes, very specific ingredients are needed for that big bang.

Bear with me now…

11. So What the Hell Does Jambalaya Have to Do with Security Technology?

Our recipes for deploying security technology are just like making a pot of Jambalaya, of course!

Today when we think about how we organize our spending and our deployment methodologies for security solutions, we’re actually following a recipe…even if it’s not conscious.

I’m going to use two large markets in intersection to demonstrate this.  Let’s overlay the service provider/mobile operator/telco market and their security needs with that of the common commercial enterprise.

As with the Cajun recipe example, the go-to foundational ingredients that we base our efforts around are the mature, end-to-end, time-tested firewall and intrusion detection/prevention suites.  These ingredients have benefited from decades of evolution and are stable, mature and well-understood.  Quality is important, as is the source.

In the case of either market space, short of scaling requirements, the SP/MSSP/MO/Telco and Enterprise markets both utilize common approaches and choices to satisfy their requirements.

Both markets also have many common overlapping sets of requirements and solution choices for the commoditizing ingredients.  In this case, except as separated by scale and performance, there’s little difference in the AV, Anti-Spam, or URL filtering functionality offered by the many vendors in the pool who supply these functions.  Vendor A could go out of business tomorrow and, for the most part, Vendor B’s product could be substituted with the same functionality without much fuss.

Now, when we look at distinguished "ingredients," this is where we witness a bit of a divergence.  In the SP/MSSP/MO/Telco space, they have very specific requirements for solutions that are unique beyond just scale and performance.  Session Border Controllers and DDoS tools are an example.  In the enterprise, XML gateways and web application firewalls are key.  The point here is that these solutions are quite unique and are often the source of innovation and disruption.

Properly classifying your solutions into these categories allows one to demonstrate an investment strategy in line with the value it brings.  Some of these solutions start off being distinguished and can either become commoditized quickly or ultimately make their way as features into the more stable and mature foundational ingredient class.

Keep this model handy…

12.  Mapping the Solution Classes (Ingredients) to a Technology/Innovation Curve: The Hype Cycle!

So, remember the Theory of Punctuated Equilibrium and its damped oscillation visual?  Check out Gartner’s Hype Cycle…it’s basically the same waveform.

I use the Hype Cycle slightly differently than Gartner does.  The G-Men use this to demonstrate how technology can appear and transform in terms of visibility and maturity over time.  Technology can appear almost anywhere along this curve; some are born commoditized and/or never make it.  Some take a long time to become recognized as a mature technology for adoption.

Ultimately, you’d like to see a new set of innovative or disruptive solutions/technologies appear on the left, get an uptake, mellow out over time and ultimately transform from diversity to conformity.  You can use the cute little names for the blips and bunkers if you like, but keep this motion across the curve top of mind.

Now, I map the classifications of Foundational, Commodities and Distinguished across this map and lo and behold, what we see is that most of the examples I gave (and that you can come up with) can be classified and qualified across this curve.  This allows a security manager/CISO to take technology hype cycle overlays and map them to an easily demonstrated/visualized class of solutions and investment strategies that also can speak to their lifecycle.

The things you really need to keep an eye on from an emerging innovation/disruption perspective are those distinguished solutions over on the left, climbing the "Technology Trigger" and aiming for the "Peak of Inflated Expectations" prior to sliding down to the "Trough of Disillusionment."  I think Gartner missed a perfect opportunity by not including the "Chasm of Eternal Despair" 😉

We’re going to talk more about this later, but you can essentially take your portfolio of technology solutions and start to map those business drivers/technologies prioritized by your CIO and see how you measure up.  When you need to talk budget, you can easily demonstrate how you’re keeping pulse with the dynamics of the industry, managing innovation and how that translates to your spend and depreciation cycles. 

You shore up your investment in Foundational components, manage the Commodities over time (they should get cheaper) and as business sees fit, put money into incubating emerging technologies and innovation.

Up Next…Some Really Interesting Examples of Disruptive Technology/Innovation and how they impact Security…


Why Security Should Embrace Disruptive Innovation — and Become Innovative In the Process

October 24th, 2007

One of the more interesting things I get to do in my job is steer discussions with customers and within industry on the topic of innovation.  After all, the ‘I’ word is in my official title: Chief Architect, Security Innovation.  You don’t often see those two words utilized in union.

Specifically, I get my jollies discussing with folks up and down the stack how "Information Security" can and should embrace disruptive technology/innovation and actually become innovative in the process.

It’s all a matter of perspective — and clever management of how, what and why you do what you do…and as we’ve discovered, how you communicate that.

Innovation can simply be defined as people implementing new ideas to creatively solve problems and add value.  How you choose to define "value" really depends upon your goal and how you choose to measure the impact (or difference as some like to describe it) on the business you serve.  We don’t need to get into that debate for the moment, however.

Disruptive technology/innovation is a technology, product or service that ultimately overturns the dominant market leader, technology or product.  This sort of event can happen quickly or gradually and can be evolutionary or revolutionary in execution.  In many cases, the technology itself is not the disruptive catalyst, but rather the strategy, business model or marketing/messaging creates the disruptive impact.

It’s really an interesting topic and an important one at this period in time; we’ve got a rough patch to hoe in the "Information Security" world.  The perception of what we do and what value we add is again being called into question.  This is happening because while the business innovates to gain competitive advantage, we present bigger bills that suckle profit away from the bottom line without being viewed as contributing to the innovative process but rather strictly as a cost of doing business.

I’m delivering my keynote at the Information Security Decisions conference on this very topic. The presentation will demonstrate that even with emerging disruptive innovations that have profound impact upon what we do, such as SaaS, the consumerization of IT and virtualization, "Information Security" practitioners and managers can not only embrace these technologies in a prescribed and rational manner, but do so in a way that provides alignment to the business and turns disruptive technology into an opportunity rather than a curse.

If you’re in Chicago on November 5th at the ISD conference, come throw stuff at me…they’ve got a great cast of speakers queued up: Bruce Schneier, Howard Schmidt, Eugene Spafford, David Litchfield, Dave Dittrich, David Mortman, Stephen Bonner, Pete Lindstrom, and many more.  It’ll be a good conference.

/Hoff