If you were at a talk at Defcon this year in the Policy track, you probably heard someone talk about how they, as a government official, are there to address "market failures". And immediately you thought: This is a load of nonsense.
Because that government official is not allowed to, and has no intention of, addressing any market failures whatsoever. If the Government was going to address market failures, they'd have to find some way to convince every cloud provider to stop making their security features the upsell on the Platinum package. They'd have to talk about how trying to get into different markets means every social media company faces huge pressures to put Indian spies on their network.
Obviously you know, as someone who did not emerge from under a rock into the security community yesterday, that the answer to having a malicious insider on your network is probably some smart segmentation, which we call "Zero Trust" now.
But Zero Trust is expensive! And most social media companies are not exactly profitable as the great monster known as TikTok has eaten every eyeball in every market because the very concept of having people explicitly choose who their friends are is outdated now.
In fact, as everyone is pointing out, almost all companies you know are in this position! They're cutting costs by sending jobs overseas while spending huge amounts of money propping up their stock prices and paying their executives to sell them to a dwindling market of buyers. Private Equity companies spend every effort on squeezing the last dollar out of old enterprise software by exploiting the lock-in they have on small businesses.
And as critical as Twitter is, we have the exact same dynamic with our privatized water and power companies - who have no plans to make strategic investments in security or anything really - which is why on public calls you can hear them humiliating themselves asking Jen Easterly to absorb the entire costs of their security programs.
The ideal practice for all of these companies is to offload their costs onto the taxpayer, which is why instead of investing in security, they cry for the FBI to go collect their bitcoin from whatever ransomware crews are on their network this week using offensive cyber operations that themselves cost the government an order of magnitude more than the bitcoin is worth.
As you're sitting in that Defcon talk, listening to someone from government talk about how they only want to regulate with the "input of industry" or something, you have to wonder: if this is every company we know, maybe the market failure isn't just how hard it is to buy a good security product because they all abuse the copyright system to avoid any kind of performance transparency. Maybe it's also how hard it is to SELL a good security product because every single company is trying to cut their budget to the exact minimum amount that will allow them to tell the FBI they did their best, and the FBI needs to go out there and pick up their slack.
-dave
Hey all,
2022 is a year in which I post to Dailydave *at least twice*. This hasn't happened in a while.
Dave's last paragraph hits on something that I have repeated to startup founders and other folks in security for the last few years. When I started optimyze, a lot of my acquaintances asked me: "Why not a security company?". And my reply was always a variant of the following:
In B2B, there are three categories of product, and the importance of your sales org goes up exponentially as you travel down that list:
1. The best category to be in is "top line growth" products. These are products that the customer buys, and they grow their top line -- e.g. they make more money. It is the best category of B2B product to build, and things like AdWords fit right into this category. You won't need a huge sales force for this, as the economics for buying the product are great, and it will be easy to find an internal champion that wants to shine by pushing through the purchase of your product. If you have an idea in this category, and the TAM is large, go for it.
2. The second best category is "bottom line growth" products. They essentially say "we will measurably save you money, without you having to drastically change the way you do business". They are not quite as compelling as the first category, and will work best in down markets or recessions, but they will still allow a good product to shine, and your sales org to not dictate all aspects of your business.
3. Everything else. This is the category where your success will largely be driven by your sales org, as the economics of your product are not clear-cut. The quality of your engineering, or whether your product measurably works, is secondary here - it is only relevant to the extent that it damages or enhances your marketing message, and deficiencies can be compensated by louder voices. (Engineering also matters "all else being equal", but in this category you cannot compensate a weaker sales/marketing org with better engineering).
Security usually falls into category 3. So as a technical startup founder that is not good at building sales orgs, you're probably well-advised to stay away from security products, unless you somehow managed to find a way to be in (1) or (2). This is also a good explanation why RSA looks the way it does.
Cheers, Halvar/Thomas
On Wed, 24 Aug 2022, 15:48 Dave Aitel via Dailydave, <dailydave@lists.aitelfoundation.org> wrote:
Dailydave mailing list -- dailydave@lists.aitelfoundation.org To unsubscribe send an email to dailydave-leave@lists.aitelfoundation.org
Security usually falls into category 3. So as a technical startup founder that is not good at building sales orgs, you're probably well-advised to stay away from security products, unless you somehow managed to find a way to be in (1) or (2). This is also a good explanation why RSA looks the way it does.
Mic-drop moment, if there ever was one. And folks who have played this game from about the time of the old h/p/v groups realize this "law" [1]
[1] - https://www.reuters.com/article/us-whatsapp-w00w00/elite-security-posse-fost...
This reasoning is similar to why selling iOS 0-days for a million dollars a pop for a talented computer scientist is not the most economically appealing choice when you can potentially build and sell a neat $1 app to 100 million people.
On Aug 24, 2022, at 10:48 PM, Thomas Dullien via Dailydave dailydave@lists.aitelfoundation.org wrote:
Good morning everyone, greetings from Bogota DC, Colombia.
I consider that for the government it is cheaper to make a deal with a software company to install a backdoor in their products in order to "improve the service or whatever" or "terms and conditions... etc..." as opposed to paying millions of dollars for a zero-day vulnerability in the products most used by users in the world: Microsoft Windows, Adobe, Microsoft Office, Apple, Android or iOS... etc....
In all my experience in cybersecurity I have always considered that no security product reaches 100% protection of infrastructure or endpoint equipment; for me the code, the software, is infinite; it has no limit! It is a loop that never ends....
Here in Colombia there is a lot of ignorance on the issue of privacy. We all think we are safe behind a screen, but no one knows all the plans: sponsored or unsponsored cybercrime teams, government people always trying to break the user's privacy; we can no longer have confidence in anything! For Signal, Telegram, TOR, Tails or no-logs VPNs there are also bounties for zero-day exploits! So what can we expect? Can we really ever have peace of mind? Programs similar to Zerodium leave us a lot to think about.
Greetings!
Jhonatan Ospina
twitter.com/jhonosps
On Thu, 25 Aug 2022 at 8:10, Nathan Landon via Dailydave (<dailydave@lists.aitelfoundation.org>) wrote:
Heya(s)
I knew if i did this long enough, i'd find a discussion where i disagreed with Halvar..
On Wed, Aug 24, 2022 at 23:48:17, Thomas Dullien <dailydave@lists.aitelfoundation.org> wrote:
Dave's last paragraph hits on something that I have repeated to startup founders and other folks in security for the last few years.
We've been talking about the market-failure in infosec for a while. If anyone is bored, we once gave an entire talk titled "The products we deserve" which some smart people said doesn't suck ( https://youtu.be/GHuQC1qLnJ4)
When I started optimyze, a lot of my acquaintances asked me: "Why not a security company?". And my reply was always a variant of the following:
...
3. Everything else. This is the category where your success will largely be driven by your sales org, as the economics of your product are not clear-cut. The quality of your engineering, or whether your product measurably works, is secondary here
Security usually falls into category 3. So as a technical startup founder that is not good at building sales orgs, you're probably well-advised to stay away from security products, unless you somehow managed to find a way to be in (1) or (2). This is also a good explanation why RSA looks the way it does.
I deeply believe this is changing. That it is increasingly possible to focus on your product/customer and win (without a huge sales org).
Some people thought that the "products we deserve" talk was a gloomy one (because it spoke about things broken in the sec product market) but i genuinely saw it as hopeful because we are seeing signs of it changing.
One of the frustrating things about the old-model, is how many of the stupid practices are self-reinforcing.
- Companies do gimmicky booths and hand out cheap swag
- Smart customers have low expectations and avoid the showroom floor (leaving ppl on the floor who just want to be entertained/care more about a $50 starbucks card)
- The way to get those ppls attention is more gimmicks and less deep discussions.. (rinse - repeat).
With booths specifically (for example), we've found huge value in showing up with our engineers and support folks. People drop by and get to have real, meaningful discussions.. We get to meet customers and hear success stories which really charges up everyone and reminds us why we do what we do.. Young-me hates it, but current-me has to admit that RSAC/booths work amazingly well for us.. (longer post on booths here https://blog.thinkst.com/p/we-found-expo-incredibly-worthwhile.html)
When we started having some commercial success with Canary, people often remarked that it was cool but wouldn't scale. This response kinda changed when we passed the $11m ARR mark with no outbound sales-team. ( https://blog.thinkst.com/2021/03/we-bootstrapped-to-11-million-in-arr.html)
We are comfortably past that now and still invest almost nothing in outbound sales. A bunch of customers pay us hundreds of thousands of dollars annually without ever having seen us in person or had a sales-person try to upsell them.
Most of us wished the market would embrace this but most companies along the way are convinced they have to do it the other way…
While focusing on the gimmicks, the coin-operated sales teams, the president-clubs, the analysts and the airport ads, many companies stop focusing on the product (and the annoying cycle repeats)... but… i'm totally convinced there is another way (and for the most part, over the past few years we see empirical proof that it can be done).
I'm totally convinced we can focus on the product/customer and win without the historic vendor shenanigans in a way that wasn't possible before..
/mh
Ps. Dug Song often comments on spotting CEOs who can demo their company product. For a long time the big infosec product companies were led by sales/finance folks who efficiently allocated capital… One of the things i loved most about the Steve Jobs/Apple era, was that he showed that the CEO of a trillion dollar company could absolutely still be involved with product details/decisions..
Haroon Meer | Thinkst Applied Research http://thinkst.com/pgp/haroon.txt Tel: +27 83 786 6637
I couldn't quite figure out where Dave was mistaken with his "market failure" analogy - instinctively it didn't feel right. Twitter's market is selling customer data and attention to advertisers and as long as the a) platform is up b) eyes are peeled to the feed, the market is working[1]; i.e. they don't need better security.
What we are facing however is a "policy market failure", meaning that Internet users want better privacy on social media platforms[2], but the vendors don't deliver it. This is a little bit similar to seatbelts in cars. Manufacturers tried to offer seatbelts but were faced with resistance in the market (analogy - more secure social media) despite experts agreeing that it's a good thing. Unlike social media where choice is largely individual, if you need to get from point A to point B you probably need to get into a car and as a passenger you don't have much choice.
So, the policy market failure here is that those who sell policy - elected officials - are unable to sell it to the public, the majority of whom don't care, but the disproportionately affected minority - those whom the Indian govt wanted to spy on - can't afford.
The privatized utilities security issue can be solved quite effectively by demanding that they carry a specific type of (cyber) insurance or they have to have it back to govt. Insurers as of 2022 have developed a decent "cyber fire code". The caveat here, and it's not a small one, is if private utility companies then pass these costs onto the consumers. Insurers won't write companies that are garbage. We'd have to work out some kind of adjustment formula for security dereliction (your annual spend on security should have been X, it was Y where Y<X, therefore you can't pass these costs onto consumers if you made profits those years).
[1] You could argue that there's also the barter of customers giving their time in exchange for advertisement.
[2] You could argue that if they want more privacy they can move to chat groups on Signal or IRC over Tor, but we all know that social media works when there's a critical mass, which is the story about all these high valuations on businesses that either lose money or just about break even like Twitter.
On Wed, 24 Aug 2022, at 21:38, Dave Aitel via Dailydave wrote:
"And as critical as Twitter is, we have the exact same dynamic with our privatized water and power companies - who have no plans to make strategic investments in security or anything really - which is why on public calls you can hear them humiliating themselves asking Jen Easterly to absorb the entire costs of their security programs."
Long time lurker, first time poster. This hits me where I live because I run a Red Team for a large privatized power company, which is one of many strategic investments in security my company makes despite the fact that our budget is scrutinized and approved to the line item by the state's Public Service Commission and we must justify the value of, in some cases, individual tools. I've only been doing this a few months and it's been quite an education in how far the definition of capitalism can be made to stretch. It's hard to call something a failure of the market when there never was a market and it definitely wasn't free, notwithstanding the fact that it has shareholders and dividends.
Whether we do it ourselves, which we do, or ask the government to pay is somewhat academic, since taxpayers and ratepayers are the same people, and since our money is subject to state control just like the state's money. It's even more academic in the age of COVID, when people aren't paying their power bills and the state and federal governments are helping keep the lights on.
The standard model in our industry is to make a profit on capital expenditures but not operations and maintenance, e.g., all of security. The PSC/PUC rightly scrutinizes O&M expenditures because that's where you put the executive yachts and such if you are so inclined. Security does OK in the state where my employer is located because the PSC can read the news, but the point is: the Board of Directors isn't scheming to offload costs to the taxpayer. The Board of Directors spends what it's allowed to by the taxpayers' representatives.
We may not really be the target of that remark, though, because for all of that we're actually the haves. The have-nots in power utilities are the rural co-ops with ten employees, two servers, a bunch of distribution transformers, and zero profits, where IT is done by a local contractor and security is not done. Those are the folks who are really offloading security to the taxpayer, and they have no choice whatsoever.
On Wed, Aug 24, 2022 at 8:51 AM Dave Aitel via Dailydave dailydave@lists.aitelfoundation.org wrote: