Mike's random thoughts and ramblings

News I'm not Seeing

My colleague John (who we'll convince to write a blog some day) often complains that the blogosphere seems to mostly be filled with complaints, rants and general whining. Normally, I disagree with him - the blogs that I read every day tend to stay away from that type of thing, filling my brain with interesting knowledge. And I usually try to keep from complaining myself.

But today, I just can't help myself.

I think that this fall must be a really slow one for the information security industry, because it seems that things have devolved mostly into flame wars. And the most frustrating thing about the flame wars is that the topics are, like, so 2001. The topics of late:

The Value of IDS - Didn't Gartner solve this one already? No? Well, hasn't the horse been killed about 1000 times yet?

Zero Days and Non-Zero Days - I think the argument here is that exploits that are released before public disclosure are now called "Less than Zero Days". In other news, "hackers" are now called "crackers".

Responsible Disclosure - Are we really still discussing the value of this?

I think some of the most interesting stories of the fall have been completely ignored by the security literati in favor of beating the aforementioned deceased equine topics. I'd love to hear some opinions on the following thoughts:

Terrible Management Plagues Security Companies - We saw the terrible valuation of Counterpane, but I haven't heard anybody talk about Qualys (who has seen the departure of a newly hired C-level executive in less than 2 weeks there... twice in 2006), and other companies hemorrhaging employees like there's no tomorrow (one that I know of has lost almost 20% of their employees this quarter alone). Why is it that these little companies can't seem to hire management that can build strong teams, keep employee morale high, and deliver results?

The Trend Away from Operational Security - While this was touched on by some of the IDS debate, the real trend I've seen in security is away from a strict operational "secure the network and hosts" model, toward a real emphasis on identity-based security. How does that one change our models of risk? Sheldon (of nCircle) and I used to toss around the idea that very few of our risk models are really focused on user-level risk - how does that change things?

Those are two of the more interesting things that the blogosphere is not talking about this quarter...

About the author

Michael Murray