We've Found the Enemy and It Is Us - Page 2

McAfee has developed one of the more comprehensive tool sets to identify escalation of privileges, code insertion and unauthorized access in real time. But it also has one of the leading tools to scan the enterprise and report unsecure endpoints. One of its biggest problems in closing sales of this tool is that executives are afraid that the report will make them look incompetent. It may showcase that the enterprise isn't secure, which will reflect on their competence unfavorably. Given their limited resources, they would rather not know how exposed they are than know but not have the resources to correct the problems in a timely fashion.

This builds on the board problem of not funding security adequately, because it removes what is likely the biggest proof point for a higher, adequate level of security funding.

HP's Chilling Tale

HP's security organization is one of the fastest growing in the company. Growing at an impressive 30 percent year over year in revenue and with one of the largest pools of open jobs, it is moving to fill this group, which was largely built around its ArcSight acquisition, one of the more recent stars in HP's portfolio.

ArcSight is a security information and event management (SIEM) company. HP tends to supply services to the largest and most critical vertical markets in defense, health care and general government. It largely concurred with McAfee that customers' biggest impediment to deploying tools that could identify exposures before Anonymous-like catastrophes occurred was that managers didn't want executives to know how exposed the company was for fear of looking bad.

Pipeline Manager's Scary Story

This isn't just security. I ended the week talking to a company called Pipeline Manager. It provides a tool for sales that resides on top of Salesforce, which can much more accurately assess the viability of the sales pipeline. It can point out salespeople who are in trouble and create a much more accurate view of the near-term future of company sales.


This kind of hit home for me because at IBM I was part of a team that fixed an annual forecasting problem only to get our CFO fired because some idiot controller applied a historical manual adjustment assuming the forecast was wrong even though it wasn't. This caused us to over-forecast significantly and the result embarrassed IBM and resulted in the early retirement of the CFO, who, sadly, was one of the best in the company.


The problem for Pipeline Manager, and it is very consistent with the security products, is that salespeople don't want executive management to know they are in trouble because it makes them look bad. So they would rather the company take the risk of over-forecasting and failure than risk embarrassment.

Wrapping Up: We May Need to Accept That We're Idiots

Here in California, after a series of devastating earthquakes, we put in place building requirements that were to assure survival. Then in the early 90s, after a large number of deaths, these rules were updated. We recently saw Japan crippled because of a tsunami hitting a nuclear plant that was clearly out of date in an area known for massive seismic events.

We build homes in flood areas like New Orleans that aren't designed to survive floods, homes in tornado areas that aren't designed to survive tornadoes, and in security we apparently avoid tools that can point out exposures.

I think it is well past time that we consider our behavior and collectively conclude it isn't working and that our businesses and lives are at unreasonable risk as a result. In the end, we should all be making more effort to assess the risks we are taking before taking them (the financial collapse a few years ago is another case in point). In the end, our lives depend on informed decisions, something even Steve Jobs learned the hard way recently, and avoiding tools that can help us make them is terminally foolish.

In the end, this suggests that in each of our organizations and governments there are people actively working against giving us the information we need to make good critical choices. It also suggests that from time to time we are those people. Understanding and eliminating this may be key to both our professional survival and our families' safety.
