Posted by Joe Franscella – 12-28-09 –

The appointment of Howard Schmidt to the position of White House Cybersecurity Coordinator is further indication that President Obama’s administration acknowledges that effective cybersecurity can mean the difference between life and death. The administration should look at cybersecurity in this way, after all, cyberspace provides criminals and terrorists with a platform to launch attacks against the US that could have fatal results.

Appointment of an official to a new position is only a first step though, the question remains, “what will Schmidt do?”

It makes sense for Schmidt to engage with private business to address cybersecurity problems and to close security gaps — the White House may be responsible for defending the nation but private enterprise produces the technology that fuels and defends cyberspace.

Schmidt will undoubtedly seek counsel from established IT security vendors, vendors that will use these counsel opportunities to sell him on the importance of influencing congress to pass legislation calling for regulations that their solutions can provide compliance for. But, will these traditional vendors’ solutions be enough to close security gaps that could lead to fatal outcomes?

Any strategy that relies on technologies supplied by established, major enterprises as the sole means of ensuring security in cyberspace will fail. Evidence to this is clear, in the last year there have been dozens of reports and news headlines that have revealed cyberattacks that have resulted in compromises to top-secret defense initiatives, power grids and other critical systems. It’s safe to assume that most of those breaches took place on networks founded on established technologies.

To reduce risk, Schmidt is going to have to move beyond traditional Washington politics that drive public-private efforts. He is going to have to open Washington’s collective mind to listen to more than just the major enterprises that have lobby dollars available to shape thought on Capitol Hill, and he is going to have to reach out to innovative small companies and startups that have developed game-changing security technologies.

So, how should Schmidt engage startups and other small and innovative technology vendors that typically don’t have budgets for lobby efforts?

Some steps Washington could take to reach startups and small IT security vendors in the quest to reduce risk are:

1.    Establishment of federal grants for small vendors and startups to fund lobbying efforts
2.    Sponsoring a federal “Demo Day (or Week)” that provides small vendors and startups with funding to cover the costs associated with demoing their solutions on a DC stage
3.    Establishment of federal grants for small vendors and startups that could be used to fund marketing efforts focused on the federal government
4.    The formation of a federal VC banking system that provides taxpayers with equity stakes in IT security startups and small enterprises

When it comes to protecting the nation against cyberattack, foresight needs to be 20/20. It would benefit the nation to identify security technologies that reduce risk prior to a tragedy as opposed to after one. The only way to do this is to take steps that facilitate connections between the federal government and innovators that have the potential to change the game.

Back in August, the New York Times published an article written by Ellen Messmer out of IDG’s Network World, titled: Security Start-Up Rohati Extends Access-Control Gear to the Cloud.
In it, she says that John Burke of  Nemertes Research stated:

….Nemertes in its research has found that fewer than 5% of organizations today have any type of funded cloud initiative.

Interesting to see how fast that’s going to change. In only a couple short months analysts have predicted that spending on cloud services will account for 10 percent of IT budgets by 2013, making up a whopping $44.2 billion in total IT spend (not that the $9 billion to be spent this year is chump change). This was pointed out by Dave Rosenberg on his CNET blog ‘Software Interrupted, where he wrote:

If public cloud services will be 10 percent of all IT money spent [by 2013], that represents a blisteringly fast growth rate. And while we certainly don’t wish the recession to continue, it’s interesting to see how companies have adapted their IT plans to take advantage of services that require far less capital expenditure.

CNET Graphic Showing Cloud Computing IT Spend by 2013

Evolution of the “Cloud” – 1.) Buzzword, 2.) Chris Hoff is snatched up by Cisco, 3.) Obama open’s Cloud store, 4.) $44 billion by 2013, 5.) Reality

Other thoughts recently thunk: I thoroughly enjoyed Forbe’s Lee Gomes’ led coverage of the next Silicon Valley God Rush – Virtualization. I especially enjoyed the Nemertes contribution from Andreas and John: The Virtualized Desktop. As a PR guy with a special interest in the intrigue of digital security, I also enjoyed Andy Greenberg’s piece: Virtualization’s Real Security Problem: Sprawl.

Couple new blogs I’ve added to my roll lately:

Gary’s Blog (Nimsoft CEO Gary Read)

Tales from the Si Valley Front (Ken Rutsky)

Found threatpost.com to be quite intriguing – I think its good news for the news industry that corporations are stepping in to fill some of the gaps that the slowing print industry is experiencing. Had a chance to interview editor Ryan Naraine on video about the new Web tech news outlet, I’ll be posting it next week.

Security Blogger Network Meet-up – Appreciated being able to mix with and meet some of the people I read ever day outside of the pressure of trying to pitch them; especially enjoyed the conversation with Chris Christianson on firewall audits.

Appreciated Andreas Antonopolous‘ virtual security panel with Chris Hoff, Simon Crosby, Stephen Herod and – sorry – can’t recall the other panelist’s name. Thought Andreas did a great job pulling the whole thing together with some actual solutions to the challenge.

Posted by Joe Franscella

Sixty-nine percent of respondents defined a virtual firewall as software running on a virtual system. However, the largest deployment of virtual firewalls provided by the leading vendors are firewall devices running multiple firewall instances. This gap indicates a lack of understanding of virtual firewall solutions available, vendors’ failure to meet market demand, or both. At a minimum, it strongly suggests a need to more clearly differentiate the solutions being provided today.

The number one management concern about virtual firewalls is the increase in complexity caused by the growth in the number of firewalls, polices, rules and objects. Closely following the top concern is the additional management burden caused by the lack of automated tools and resources to effectively address the increase in complexity. These concerns may explain why 64 percent of respondents do not feel that virtual firewalls will gain widespread adoption for another two to three years.

Forty-two percent of respondents identified that their top security concern about virtualization is users creating unauthorized virtual environments. Twenty-seven percent of respondents are concerned about their limited view into the host operating system and virtual network to identify vulnerabilities. Similar to traditional firewalls, misconfiguration of virtual firewalls is one of the top three concerns.

The survey polled 109 conference attendees that are involved in the IT decision making process for organizations within a wide variety of industries, including health care, government, financial, insurance and telecom.

Join Secure Passage in a discussion of this survey and other security related topics on Twitter @Secure Passage, Facebook, and LinkedIn. For more information on Secure Passage, stop by booth 553 on the RSA Conference 2009 Expo floor.

Posted by Joe Franscells (Disclaimer – I represent Secure Passage)

I was hired into the Security Practice and was not sure what to think at first. I had returned to PR following a six-year stint as the managing editor of a newspaper (with some periods of PR and advertising consulting work mixed in). My last tech PR gig prior was in 2001 at a company called TIBCO Software, and before that with an agency assigned to PeopleSoft. Back then the words “cyber security” weren’t even being mentioned — EAI and ERP were all the rage.

I jumped right into security. My first assignment was to book a tour for a startup out of Seattle. I realized immediately that social media and the proliferation of bloggers had dramatically changed the PR landscape. Also, that the Internet has become David’s sling, Sampson’s jaw bone if you will — it’s the one medium that can enable a little fish to take out the big fish with one calculated move. Fascinating — I was hooked (excuse the pun) on tech security immediately.

My goal through this social media tool (I think blogs are social media tools) is to interact with some of the world’s best security minds in the business (outside of the pressure of pitching), so that I can build on my genuine interest in information security.

The views and opinions expressed on this blog do not represent the views or opinions of my employer, any of its employees or clients. As a PR professional representing a number of security clients, there will be times when they will be mentioned within the context of this discussion. Current security clients I represent include Rohati Systems (www.rohati.com) and Secure Passage (www.securepassage.com). For a complete list of Trainer Communications clients visit: http://www.trainercommunications.com/current-clients.html

Posted by Joe Franscella