Talking with clients we stress threat modeling and analysis and doing quantitative risk analysis but I believe that psychology may be more important than the technology. This is for several reasons:

• Preventing data breach events is an admission of weakness. Data loss is caused by an attack launched from inside the company (whether by a trusted insider, business partner or malicious hacker). attacks that exploit internal vulnerabilities like the new Sharepoint server that the marketing team installed last week without consulting with the IT security team.  Who wants to spend  money on something when the first step is admitting that you’re vulnerable and that your existing security systems, policies and procedures do not meet business requirements?
• The need for instant gratification. Need to keep food fresh? – buy a fridge, Want music, voice, SMS, Web and mail? – buy an iPhone, Want IT security – buy a UTM appliance from Checkpoint or Cisco, want a CRM system – get salesforce.com, need a new enterprise software system – outsource to India. This is related to two other needs I think:
• The need to keep things simple and
• The need to walk on the safe side, not on the wild side.   Who wants to spend 6 figures on a DLP solution that requires a risk assessment from someone who isn’t your accountant,  a complex policy implementation by people who need to learn your business, integration with internal procedures and processes with employees who could care less, and buyin from a CEO who is scrappling for survival with the board during the biggest financial crisis in 80 years?

I will talk about how to sell DLP through the psychology and not the technology in an upcoming post. Stay tuned.

It seems that the GFC is creating a movement of migratory hi-tech workers from Silicon Valley to the Beltway. I’m not sure that an unemployed IT security analyst turned hacker is the best choice for a defense contractor – the really good guys and gals are always in demand – and those DC summers are the pits. The weather in Mountain View is a lot nicer.

Daniel D. Allen, who works for Northrop Grumman, claims that federal spending on computer security now totals USD 10 billion annually, including classified programs. So there is a lot of lard in the pork barrel for cyberninjas who don’t mind the 95% humidity.  And with the recently publicized data breach of sensitive design and electronic systems data  from the $300BN F-35 Lightning II fighter project – there’s plenty of asses to be covered. Then again – with peace in our time looking to arrive by end of year from President Obama, we will not need all that hardware – I hear the beer is pretty good in Munich.

Here is the article on Presstv -

Military giants including Northrop Grumman, General Dynamics, Lockheed Martin and Raytheon are now busy with recruiting “hacker soldiers” to address the new demand for an unconventional cyberwar and in a way to blend the new capabilities into the nation’s war planning.