I recently wrote a blog post at the request of the good folks at the Trusted Computing Group. After initial confirmation of receipt and acknowledgement that it would be posted, it seems there was some sort of intervention and it was never posted. I figure the most likely reasons are:
- it just wasn’t good enough
- it wasn’t centered enough on TCG/TNC specific matters
- it didn’t include the requisite amount of TNC cheerleading
- it lacked tact and was irresponsibly forthright
In any event, I’ve waited a few weeks to see if it would be posted but it hasn’t been, so I thought I’d post it here and you can be the judge.
~~~~~~~~~~
Confessions of an industry standards antagonist
I’m a fan of proprietary solutions. Being first to market, creating a solution to a problem that had, until then, not been solved is what innovation is all about. Watching potential customers get excited because someone finally has brought to market a novel approach that solves a real problem they have; that’s what gets the blood pumping.
The problem is, of course, that the forces of ‘do more with less’ and the ‘zero day’ IT security landscape make this proprietary chaos incredibly destructive to the folks managing enterprise IT systems. Consider that the vast majority of IT security systems implemented over the last 10 years (Firewalls, IDS/IPS, Anti-Virus, Anti-SPAM, Anti-everything else, Encryption, Web Proxy, SIM, SEM, 802.1X, NAC etc.) barely communicate with one another, and when they do, it’s most frequently because one of the products can ingest syslog or retrieve and interpret text files. The resulting system is often one that, instead of doing more with less, forces the customer to simply do less.
Industry standards can be a slow process, and from what I’ve seen it requires the patience of Job to navigate the process while balancing a very diverse set of opinions and the requirement to make progress. However, if industry standards were available and leveraged by vendors in IT Security for information sharing alone, enterprises would experience fewer audit findings, the operation of the IT system would be dramatically more efficient, new technologies would be deployed with less risk, and, in a fascinating turn of events, customers would be able to dedicate more time to new and emerging technologies (that’s code for: they’d buy more stuff from the vendors that adopted the standards).
Over the last 15 years the phrase “nobody was ever fired for implementing...” has been used frequently in a myriad of situations. My first recollection of this was when folks used to say it about IBM (they don’t anymore), and over the last 8-10 years it’s Cisco whose name is inserted as the company most likely to help someone not lose their job. I would say, however, that looking back over the last 15 years it’s ultimately even more accurate to say that nobody has ever been fired for implementing industry standards.
~~~~~~~~~~