Some businesses are great at creating excitement. Take Apple, for instance. They create demand for their new (and upgraded) products, which creates a feeding frenzy when the public can finally buy the newest shiny object. 2 million iPads in 60 days is astounding. I suspect they’ll move a bunch of iPhone 4 units on June 24 as well (I know I’ll be upgrading mine and the Boss’). They’ve created a cult around their products, and it generates unbelievable excitement whenever there is a new toy to try.

Last week I was in the Apple store dropping my trusty MacBook Pro off for service. The place was buzzing, and the rest of the mall was pretty much dead. This was 3 PM on a Thursday, but you’d think it was Christmas Eve from looking at the faces of the folks in the store. Everything about the Apple consumer experience is exciting. You may not like them, you may call me a fanboy, but in the end you can’t argue with the results. Excitement sells.

If you have kids, you know all about how Disney creates the same feeling of excitement. Whether it’s seeing a new movie or going to the theme parks, this is another company that does it right. We recently took the kids down to Disneyworld, and it sure didn’t seem like the economy was crap inside the park. Each day it was packed and everyone was enjoying the happiest place on Earth, including my family. One night we stayed at a Disney property. It’s not enough to send a packet of information and confirmations a few months ahead of the trip. By the time you are ready to go, the excitement has faded. So Disney sends an email reminding you of the great time you are about to have a few days before you check in. They give you lots of details about your resort, with fancy pictures of people having a great time. The message is that you will be those people in a few days. All your problems will be gone, because you are praying in the House of the Mouse. Brilliant.

I do a lot of business travel and I can tell you I’m not excited when I get to Topeka at 1am after being delayed for 3 hours at O’Hare. No one is. But it’s not like any of the business-oriented hotels do anything to engage their customers. I’m lucky if I get a snarl from the front desk attendant as I’m assigned some room near the elevator overlooking the sewage treatment facility next door. It’s a friggin’ bed and a place to shower. That’s it.

It just seems to me these big ‘hospitality’ companies could do better. They can do more to engage their customers. They can do more to create a memorable experience. I expect so little that anything they do is upside. I believe most business travelers are like me. So whatever business you are in, think about how you can surprise your customers in a positive fashion (yes, those pesky users who keep screwing everything up are your customers) and create excitement about what you are doing.

I know, we do security. It’s not very exciting when it’s going well. But wouldn’t it be great if a user was actually happy to see you, instead thinking, “Oh, crap, here comes Dr. No again, to tell me not to surf pr0n on the corporate network.”? Think about it. And expect more from yourself and everyone else you do business with.

– Mike.

Photo credits: “Magic Music Mayhem 3 (Explored)” originally uploaded by Express Monorail

Incite 4 U

1. Microsoft cannot fix stupid – The sage Rob Graham is at it again, weighing in on Google’s alleged dictum to eradicate Microsoft’s OS from all their desktops, because it’s too hard to secure. Rob makes a number of good points in the post, relative to how much Microsoft invests in security and the reality that Windows 7 and IE 8 are the most secure offerings out there. But ultimately it doesn’t matter because it’s human error that is responsible for most of the successful attacks. And if we block one path the attackers find another – they are good that way. So what to do? Do what we’ve always done. Try to eliminate the low hanging fruit that makes the bad guy’s job too easy, and make sure you have a good containment and response strategy for when something bad does happen. And it will, whatever OS you use. – MR
2. Fight the good fight – Apparently “Symantec believes security firms should eradicate ‘false positives’ ”. I imagine that this would be pretty high on their list. Somewhere between “Rid the world of computer viruses” and “Wipe out all spam”. And I love their idea of monitoring social network sites such as Facebook and online fora to identify false positives, working tirelessly to eliminate the threat of, what was it again? Yeah, misdiagnosis. In fact, I want to help Symantec. I filled out my job application today because I want that job. Believe me, I could hunt Facebook, Twitter, and YouTube all day, looking for those false positives and misdiagnosis thingies. Well, until the spam bots flood these sites with false reports of false positives. Then I’d have to bring the fight to the sports page for false positive detection, or maybe check out those critical celebrity false positives. It sounds like tough work, but hey, it’s a noble cause. Keep up the good fight, guys! – AL
3. Good intentions – I always struggle with “policy drift”; the tendency to start from a compliant state but lose that over time due to distractions, pressure, and complacency. For example, I’m pretty bad at keeping my info in our CRM tool up to date. That’s okay, because so are Mike and Adrian. As Mathias Thurman writes over at Computerworld, this can be a killer for something crucial like patch management. Mathias describes his difficulties in keeping systems up to date, especially those pesky virtual machines. The policies are there, everyone even started from a known good state, but the practical realities of running a day to day IT shop and *gasp* testing those patches throws a monkey wrench into the system. – RM
4. Logging as infrastructure… – As Adrian and I continue plowing through the Understanding and Selecting a SIEM/Log Management series, one of the things we may not have explicitly mentioned was that data collection is really an infrastructure function, and there will be applications that run on top to provide solutions to the usage demands. Seems everyone is still hung up on the category names, but Sam Curry on RSA’s blog gets it right. Every user (not just large enterprises) should be figuring out how to leverage the data they are collecting. Whether it’s for security, efficiency, or compliance reporting, things like forensics and correlation can be useful to pretty much any practitioner. Of course, that doesn’t make them any easier to do, but the first step on that path is to consider data collection an infrastructure function, not just a hermetically sealed security problem solved with an isolated security product. – MR
5. Must read from Ivan – I’m skipping the usual pithy title and intro to simply point you to Ivan Arce’s response to Michal Zalewski’s recent post on software security. Ivan is flat out one of the best security writers and thinkers out there. In this post Ivan lays out a compelling review of the pitfalls of formal models in secure software engineering, but it applies equally well to general security defenses. The key line, and a major theme in one of my current presentations, is, “Michal’s first argument simply points out that devising mathematical-logical formal models to define and implement security usually goes awry in the presence of real world economic actors, and that the information security discipline would benefit more from adopting knowledge, practices and experience from other fields such as sociology and economics, rather than seeking purely technical solutions. I agree.” I prefer cognitive science to sociology since it’s a bit of a harder science, but everything in our industry is driven by how people act, and the economics that influence their behavior. – RM
6. New Math – Does piracy occur? Yep. Does it have economic impact? Absolutely. But you have to ask yourself why would someone conduct a study like this: Piracy Cost Game Industry $41.5 Billion. Forget for a moment that the students conducting this survey failed their courses in logic, statistics, and finance, and focus on the question of why was this survey commissioned? Is it about piracy and theft? Was it so game companies knows whether they need to adjust their business and pricing models to combat the problem? Is it to gauge whether they should change their protection model? The answer is “D”, none of the above. This is paid PR to influence legislators into thinking that they are going to make billions in extra tax revenue if they can legislate this bad behavior. Dangle that carrot in front of politicians so they will do your bidding. An adjustment to the law will hopefully coax some extra revenue out of a handful of thieves customers without cost to the company. All without having to change their technology, pricing, or behavior. So the politicians don’t generate 1/1000th of what they were promised because the survey is based on totally bogus numbers, but they do get to pass a law, making it a total win/win! And when said billions in revenue fails to materialize, you can blame the government! Now, where is my trillion dollars? I have a budget deficit to erase! – AL
7. Binary as a second language – I’m sure a lot of folks working in an HP data center are feeling distinctly uncomfortable now. In fact, 9,000 of them will get a lot more uncomfortable as they are replaced with some kind of automation as HP makes a $1b investment to fully automate their data centers. It begs the question of your own value to your organization. Can you be automated? Replaced by a machine? We’d like to think not, but 9,000 folks will soon realize their assumptions were wrong. So always keep in mind that value is proven every day. The other aspect to the story is that HP is adding 6,000 sales and service reps. So it’s that time again to revisit your choice of career and make sure you are on the right path. Many data center ops folks are doing many other things. Like buying a Subway franchise. Kidding aside, HP is on the cutting edge, but the trend toward replacing ops folks isn’t going to go away. It may be time to start thinking about Plan B. – MR