Archive for the ‘Risk management’ Category

Worst executive behavior of the month award

November 24th, 2009 admin 1 comment

For my Israeli readers – the only thing worse than not being serious is coming out a freier (a sucker).

I’m collecting data for a couple of articles on data security in social networks and ad-hoc mobile networks so I’ve been a little slow on blogging lately – so I’m down to general management and risk management stuff.

I think that cutting and running as soon as possible from unreliable business partners is an exercise in sound risk management. Let me know if you agree after reading the following story.

I have an acquaintance, Eran Lasser, who is co-founder and joint GM of John Bryce Training. Back when I ran Bynet Software (a Microsoft distributor and ACS – Authorized Support Center), we did some training projects with Eran as we were launching Windows NT and later Microsoft BackOffice.

I reached out to Eran last week with some ideas for management-level training courses in areas where I have some personal expertise – data security and, more recently, using social software for B2B sales. He asked their VP Business Development, Ori Lapid, to meet with me, and within a day or two a secretary made an appointment. The morning of the appointment the secretary called to confirm; I came in a few minutes early and waited patiently for Ori to start the meeting.

After 5, 10 and 15 minutes went by with the secretary giving me the usual disclaimer of “he will be with you in a few minutes”, I told the secretary that Ori’s 15-minute academic grace period had expired and I left. I thought it was significant, and also a vindication of my decision to walk out, that neither the secretary nor Ori Lapid bothered to contact me and apologize for wasting my time.

This is the epitome of what Israelis call “not being serious”, or, as they say in Israel: the only thing worse than not being serious is coming out a freier (a sucker).

Return on security investment

September 1st, 2009 admin Comments off

The Control Policy Group is presenting a series of 6 free online workshops starting Sep 3, 2009 at 15:00 GMT. The first workshop, “Using data security metrics and a value-based approach”, will teach how to measure how well security tools reduce Value at Risk in dollars (or in Euro) and how well they will do 3 years from now.

The Control Policy Group is providing these workshops as a free service to the security and risk professionals community after having identified a gap between the security practitioner and the management board.

The gap is this: management speaks the language of money, and security practitioners speak the language of technical security countermeasures like DLP, database security and messaging security.

From a management board perspective, budgets for security projects like DLP are a capital cost in a down GFC economy – Control Policy Group clients in Europe and the Middle East have slashed security and risk budgets by about 50% since the beginning of the year.

From a security and risk practitioner perspective, data breaches went up almost 50% in 2008, there is more phishing, more web defacing, more Web applications to secure and yet – less head-count and capital budget to do the job.

In order to close the gap, the Control Policy Group has built a model that helps an organization measure how well a new security product reduces Value at Risk in dollars (or in Euro) and how well it will still do 3 years after you buy the technology.

Modern security tools are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However, since these tools have no notion of your business context and how much you value your information assets, it is likely that a company’s security spending is misdirected.

This series of workshops is designed to help the security and risk team take a leadership role in the board room instead of waiting for vendor proposals. Through specific Business Threat Modeling (TM) tactical methods, you will learn how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.
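As an added illustration (my own sketch, not the Control Policy Group’s model, whose internals the post does not give), the following Python applies the idea above: each threat’s Value at Risk is asset value × annual probability × damage fraction, a countermeasure removes a fraction of that VaR with an assumed yearly decay in effectiveness, and candidates are ranked by VaR removed over three years against total cost of ownership. All figures, the decay model and the threat/tool names in the sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset_value: float         # dollars
    annual_probability: float  # chance the event happens in a given year
    damage_fraction: float     # share of the asset value lost per event
    def value_at_risk(self) -> float:  # expected annual loss, in dollars
        return self.asset_value * self.annual_probability * self.damage_fraction

@dataclass
class Countermeasure:
    name: str
    capital_cost: float    # one-time purchase
    annual_cost: float     # licences, staff, maintenance per year
    mitigation: dict       # threat name -> fraction of its VaR removed in year 1
    decay_per_year: float  # assumed loss of effectiveness as threats evolve
    def effectiveness(self, year: int) -> float:  # year 0 = first year owned
        return max(0.0, 1.0 - self.decay_per_year * year)

def residual_var(threats, cm, year):
    # VaR that remains in a given year with the countermeasure in place
    eff = cm.effectiveness(year)
    return sum(t.value_at_risk() * (1.0 - cm.mitigation.get(t.name, 0.0) * eff) for t in threats)

def evaluate(threats, cm, horizon=3):
    # dollars of VaR removed over the horizon against total cost of ownership
    base = sum(t.value_at_risk() for t in threats)
    reduction = sum(base - residual_var(threats, cm, y) for y in range(horizon))
    cost = cm.capital_cost + cm.annual_cost * horizon
    return {"reduction": reduction, "cost": cost, "rosi": (reduction - cost) / cost}

def rank(threats, cms, horizon=3):
    # most cost-effective first: highest return on security investment (ROSI)
    scored = [(cm.name, evaluate(threats, cm, horizon)) for cm in cms]
    return sorted(scored, key=lambda s: s[1]["rosi"], reverse=True)

# Constructed sample figures; the threats and tools are the ones named in the post
THREATS = [
    Threat("customer data breach", 5_000_000, 0.20, 0.30),
    Threat("web defacement", 800_000, 0.50, 0.10),
    Threat("phishing of staff credentials", 2_000_000, 0.40, 0.05),
]
COUNTERMEASURES = [
    Countermeasure("DLP", 150_000, 30_000, {"customer data breach": 0.6}, 0.10),
    Countermeasure("messaging security", 20_000, 10_000,
                   {"phishing of staff credentials": 0.7, "customer data breach": 0.1}, 0.15),
    Countermeasure("database security", 60_000, 15_000, {"customer data breach": 0.4}, 0.05),
]

if __name__ == "__main__":
    for name, s in rank(THREATS, COUNTERMEASURES):
        print(f"{name:20s} VaR removed ${s['reduction']:>9,.0f}  cost ${s['cost']:>8,.0f}  ROSI {s['rosi']:.2f}")
```

With these figures DLP removes the most VaR in absolute terms but database security ranks first on return per dollar, which is the kind of board-room comparison the post is after.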

The role of DLP in IP protection

July 5th, 2009 admin Comments off

A common conversation I have with my technology clients touches on patent protection as a security countermeasure against abuse of intellectual property. The short answer is that if you’re not DuPont or Roche, then patent protection is not going to help you very much. If you develop software, you are probably infringing someone’s patents as we speak.

Outside the chemical and pharmaceutical industries, the cost of litigation far exceeds the benefits of patent protection. (See “Patent Failure: How Judges, Bureaucrats and Lawyers Put Innovators at Risk”, Bessen and Meurer, Princeton University Press, 2008, pages 130-156, “The cost of dispute”.)


Reducing risk of major data loss events

June 18th, 2009 admin Comments off

Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled “Soaring, cryptography and nuclear weapons”.

Hellman proposes that we need a third-state scenario (instead of the current state -> nuclear war), in which the risk of nuclear holocaust has been reduced by several orders of magnitude from today to an acceptable level.

This makes sense, and it is an intriguing idea, as an exercise in risk analysis of information security and data protection, to see if there is a third state where the risk of data breach and major data loss events is reduced to acceptable levels.

That’s one thing that got me thinking.

The second thing is the quote from Fyodor Burlatsky, one of Khrushchev’s speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:

In Khrushchev’s eyes [America insisting on getting its way on certain issues] was not only an example of Americans’ traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans’ … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are – 2009 and President Obama is insisting on getting his way on certain issues with the Iranians, who pose a serious nuclear threat to the world. But not only Ahmadinejad – the Russians and the North Koreans are also infuriated by the Americans’ … continuing to behave as if they are still trailing far behind.

Exploiting a wireless mesh network for utilities

June 11th, 2009 admin Comments off

I think it’s only a matter of time before someone exploits a wireless mesh network that controls and reads home utility meters to get free water and electricity.

Until then, there is a problem of range and coverage.

Greentech Media reports that Trilliant (a smart meter neighborhood networking startup) has bought SkyPilot for its long-range, WiFi-based communications. SkyPilot (with over 500 customers in 50 countries – utilities, wireless Internet service providers (WISPs) and municipal agencies – and deployments exceeding 50,000 devices) will help Trilliant get to the next stage.

Less regulation, increased data security

May 27th, 2009 admin Comments off

Data security compliance regulation such as PCI DSS 1.2 is a double-edged sword – as a security checklist it’s an important step for the payment card industry, but too much regulation, especially for small to mid-sized businesses, is too much of a good thing.

As my maternal grandmother, who spoke fluent Yiddish, would yell at us when we piled too much food on our plates – you have “grosse augen”. “Grosse augen” is literally “big eyes” – having eyes that are bigger than your capacity.


Data at rest encryption

May 8th, 2009 admin 1 comment

Two days in the same week to run into FCPA issues is strange.

A prospect in Poland (ENEA) recently acquired Euro 6 million worth of disks from Hitachi and explained the purchase as a data loss prevention measure (Hitachi has data at rest encryption, i.e. the controller encrypts the data on the disk, which makes it unreadable if the disk is ever stolen). The outstanding aspect of the deal is that it was done without a public tender. The details are a bit fuzzy but it appears to have been done by breaking up the order into a large number of small purchase orders below the RFP requirement. It’s highly likely that there was some money paid under the table for expediting the transaction. People in Poland are predicting that it will eventually end up in a criminal investigation. Hitachi Data Systems is a US company and needs to be compliant with the Foreign Corrupt Practices Act – and a bribe, even via a third-party intermediary, is illegal under the FCPA – as companies like Johnson and Johnson and Monsanto know well.

Foreign Corrupt Practices Act: The DoJ and SEC Are Coming

May 4th, 2009 admin Comments off

There is compliance with industry regulation like PCI DSS 1.2, which is aimed at consumer protection, and then there is compliance with government regulation like the FCPA, which is aimed at maintaining a high ethical level of behavior and ensuring a level playing field of business.

For a large global company like Monsanto, Merck or Johnson and Johnson, FCPA is an exercise in compliance, awareness training, monitoring and risk management. Clearly – paying bribes directly or indirectly via third party intermediaries, to government employees is problematic from an ethical standpoint, and attempts to dilute the problem by explaining that there are gray areas and cultural differences don’t change the ethical substance. Like many issues in compliance and risk management, preventing Foreign Corrupt Practices violations is not as simple as it looks, although the principle is straightforward – “Thou shalt not give a bribe”.

A seminar at Bioworld last year dealt with the challenge of FCPA compliance using language such as:

  • 15 red flags to indicate non-compliance—find and fix these before the DoJ and SEC do it for you!
  • Activities for which you can be held accountable, even if committed by foreign subsidiaries, suppliers, or rogue employees
  • 5 guidelines for creating FCPA policies, based on recent cases
  • 3 foreign official risk areas—did you realize making remuneration to these people could be a Federal crime?
  • Who should write procedures, and who should implement them
  • Advice and resources for training staff locally and abroad
  • 9 ways to audit and assess your FCPA compliance program
  • Internal investigations—when to conduct one, who should conduct it, and what to do if you find evidence of non-compliance
  • Issues with conducting employee interviews and collecting electronic records

Data discovery and organization

April 28th, 2009 admin Comments off

The problem is that you know where you start, you don’t know where you finish and you will always have trouble organizing the useful references you collect on the way.

After a call with a client, I started investigating how to provide high value scientific data in a social network for doctors and medical representatives in a way that would bypass the sticky issues of digital asset protection, content preparation, distrust of vendor-sponsored forums and information overload.

Earlier this week, a conversation with a nephrologist convinced me that this is a problem of data discovery and organization, not content creation. Like everyone else, doctors are swimming in an ocean of information – they just have less time and more patients on their hands than the average programmer or sales person.

So I started searching and found out about science social networking, heard about a science social networking killer app, moved on to discover Synthese Recommender – tried it out on Tamiflu effectiveness (swine flu is in the news these days with travel alerts to Mexico), read a fiction article called Raj, Bohemian, went back and posted a general reference on the Wikipedia article on risk assessment describing my work on a quantitative approach to data security – then spent some time in the Apache project reading about the technology underpinnings of Synthese – Mahout and Tika.

Then I blogged and tweeted a bit and emailed my wife about all this great stuff (she’s a librarian and I thought she’d be as excited as I was – she wasn’t)…

Three hours of fascinating clicking later, it’s now time to go pick up Carmel from the day care center – since they finish early today – it being the evening before Israeli Independence day.

BizSpark

April 24th, 2009 admin 1 comment

I just got an invite to BizSpark from thefunded.com.

“Microsoft® BizSpark™ is a global program designed to help accelerate the success of early stage startups by providing key resources “; basically free development software and a hook into a community of potential investors.  A lot of the comments on techcrunch were of a religious nature, calling it a scam and wondering why you have to be sponsored by a VC (you don’t…) or have $1M in funding (you have to have < $1M…)

Excellence is driven by open competition and sharing, and from where I’m sitting BizSpark is a good idea for entrepreneurs – as a serial entrepreneur (I’m on my 4th startup) and Open Source advocate, let’s try and stay objective and consider the following points:
