About David Strom

David Strom is an old hand at enterprise IT, having worked in the industry from the early days of the PC. He has developed numerous print and Web publications for IT managers and developers and runs the Dice Security Technical Community here.

Are you paying yourself too much?

As we get into the holidays, I want to ask all you startup CEOs this question: could you be paying yourself too much, and risk losing your business eventually? No, this isn’t coming from my Scrooge side, but from some practical thinking.

Last week, a Sili Valley startup (Yet Another Social Media Posting Tool) posted, in the name of complete transparency, their entire staff salary schedule, from the lowliest workers on up to the CEO, who is getting nearly $160k. While people weighed in on whether or not this is Yet Another GenY Oversharing, what got me going on this particular screed was what the CEO was paying himself. It should be about a third of his current draw.

CEOs should be working for peanuts. Yes, they have bills to pay, but if they are in the startup scene to make money, they should stick with a salaried position at a more established company. When you go into startup mode, you want to be building a company, and you do that by offering equity and longer-term payouts. Offer more money, and chances are good that your venture will fail because you will be burning through your cash pile. I asked a friend of mine, a tech startup CEO, for his opinion, and he told me: “I personally don’t believe in the CEO of a startup having the highest cash salary. If CEOs believe the story that they are telling investors, then they should be taking as much as they can in stock. If they are concerned about the cash portion of their paycheck they should be seeking employment elsewhere.” Take a look at this poll taken last year of startup CEO salaries.

And lest you think this is just for startups, the CEOs of Facebook, Oracle, Google, Yelp and HP all had $1 salaries in the past year — granted, they all made megamillions on bonuses and other incentives, but still something to think about.

And while it is admirable that this one startup wants to be so transparent, they could be hurting themselves in the long run. Again from my friend the tech startup CEO: “I would never publicly disclose my company’s compensation model. Doing so provides your competition better insight into how you think and how to compete against you. It also gives potential employees a baseline by which to start negotiations” when they start thinking about going elsewhere. He and I both think that experience is a poor metric for setting higher salaries. What should matter is results: what each staffer produces, or how the market will respond to having a rockstar on your team.

Happy holidays and hope you all have a great break and a wonderful new year’s.

SearchSecurity: The new breed of unified threat management tools

Unified threat management devices have traditionally been suited to small and medium-sized business networks. UTMs combine a number of essential technologies, including firewall, perimeter antimalware and antispam, VPN, Web content filtering and more, but historically have not been capable of handling the traffic load of a large enterprise network. Now, UTM vendors are integrating a host of new features in an attempt to become more competitive against other enterprise-grade security appliances.

You can watch the five minute screencast that I did for SearchSecurity here. I cover several different products, including Fortinet, Sophos, Checkpoint and Juniper.

ITworld: Your Strategic Guide to VDI

If you have not looked at VDI technology in a while, you will find that it’s changed. Faster, cheaper technology has made it an interesting option for some companies seeking a way to support flexible, work-from-anywhere environments. In fact, some CIOs say BYOD is driving new interest, given that virtualized desktops can help keep corporate data on corporate servers, not on client devices.

In this PDF download (registration required) for ITworld, I wrote several of the articles talking about how to become more effective with deploying virtual desktops.

Dice: Time to Reassess Your Network Access Rights

At the heart of the celebrated case of Edward Snowden lies one important fact: the infamous contractor gained access to the trove of documents that he ultimately leaked to journalists by escalating his access rights. And despite this very real poster boy having been in the news for the past several months, many enterprises haven’t done much to rein in, or even audit, the access rights they have in place.

You can read the story posted on Dice here.

Top security stories for the week

The latest and most interesting security stories of the past week, as culled for the portal of the Dice Security Talent Community page.

Time to catch up on new encryption protocols

Remember when encryption meant scrambling your hard drive and using PGP for your email? It seems so quaint. Nowadays encryption has gotten much more complex, thanks to our friends in government agencies that have tapped into the Internet and made copies of our data out in the Utah desert. Or, make that metadata, sorry, it is hard to get the precise information, even with the NSA giving demos of its software tools to CBS.

The Electronic Frontier Foundation recently compiled a report card of the many kinds of encryption that a modern Internet provider needs to deploy. It is a daunting list, but one that you all should read carefully to see how much work remains to be done in this area.

The report lists five encryption practices that the major cloud players need to adopt, including:

  1. Encrypt all of the links between their data centers that traverse the public Internet. Ever since we all found out how the NSA was tapping into public peering points, this seems like a sensible precaution for any provider. Microsoft and Facebook are in the process of implementing this; Google, Dropbox and Twitter already have.
  2. Serve HTTPS by default for all Web access: this isn’t anything new, and it is something that began several years ago, but Yahoo (always a day late) has only implemented it for its email services.
  3. Use HTTP Strict Transport Security (HSTS) for all their Web traffic, so that a browser that has seen the policy once refuses to fall back to plain HTTP and SSL-stripping man-in-the-middle attacks no longer work. The protocol was standardized about a year ago (RFC 6797), although it is still far from widely implemented.
  4. Use forward secrecy, meaning an ephemeral key exchange for every session, so that the server’s long-term private key never protects the session keys. Without this, someone who later obtains that one key can decrypt every session they have previously recorded: does this sound familiar?
  5. Use the STARTTLS extension to encrypt email traffic between different mail servers, so that passive taps on the backbone see ciphertext. This extension has also been around for some time, but isn’t implemented universally. One caveat: STARTTLS is opportunistic, so an active attacker who strips the STARTTLS offer from the EHLO reply can still force a plaintext session unless the servers are configured to require TLS.
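The items above are things you can check for yourself, at least from the outside. The following Python script is an added example, not code from the EFF report or from this post, that grades a provider record against items 2 through 5 of the list: a captured plain-HTTP response (does it redirect to HTTPS?), the HTTPS response headers (is there a valid HSTS policy?), the cipher suites the server negotiates (ephemeral key exchange or not?), and the SMTP EHLO reply (is STARTTLS advertised?). Item 1, encryption between data centers, is not observable from outside and is carried as a self-reported flag. The hostnames, headers, suite lists and banners are constructed for illustration, so the script runs offline. It also goes slightly beyond the report by recognizing TLS 1.3 suite names, which carry no key-exchange name because TLS 1.3 always uses an ephemeral exchange.

```python
"""Grade a provider against the EFF encryption report-card items.

Constructed example: the hostnames, headers, cipher names and SMTP
banners below are made up for illustration; nothing touches the network.
"""
import re

# TLS 1.3 suites (RFC 8446) omit the key exchange from their names because
# the protocol only offers ephemeral (EC)DHE, so they are always forward secret.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Pre-1.3 suite names, in IANA (TLS_ECDHE_RSA_WITH_...) or OpenSSL
# (ECDHE-RSA-...) form, name the key exchange first. Only ephemeral
# Diffie-Hellman (ECDHE, DHE, OpenSSL's older "EDH") gives forward secrecy;
# static RSA key transport (TLS_RSA_WITH_...) and static (EC)DH do not.
_EPHEMERAL_KEX = re.compile(r"^(TLS_)?(ECDHE|DHE|EDH)[-_]", re.IGNORECASE)


def has_forward_secrecy(cipher_suite):
    """True if the named suite uses an ephemeral Diffie-Hellman exchange."""
    name = cipher_suite.strip()
    if name in TLS13_SUITES:
        return True
    return bool(_EPHEMERAL_KEX.match(name))


def parse_hsts(headers):
    """Return the Strict-Transport-Security policy as a dict, or None.

    `headers` is a list of (name, value) pairs. RFC 6797 requires the
    max-age directive; includeSubDomains and preload are optional flags.
    A header without a usable max-age is treated as no policy at all.
    """
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in values[0].split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.lower()
        if key == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def redirects_to_https(status, headers):
    """True if a plain-HTTP response sends the client straight to https://."""
    if status not in (301, 302, 307, 308):
        return False
    location = next((v for n, v in headers if n.lower() == "location"), "")
    return location.lower().startswith("https://")


def offers_starttls(ehlo_reply):
    """True if an SMTP EHLO reply advertises STARTTLS.

    Extension lines look like '250-KEYWORD' (more follow) or '250 KEYWORD'
    (last line); only the keyword matters.
    """
    for line in ehlo_reply.splitlines():
        m = re.match(r"^250[ -](\S+)", line)
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def report_card(site):
    """Score one provider record; item 1 is self-reported, the rest are checked."""
    status, plain_headers = site["http_response"]
    hsts = parse_hsts(site["https_headers"])
    return {
        "encrypts_datacenter_links": bool(site["self_reported_dc_encryption"]),
        "https_by_default": redirects_to_https(status, plain_headers),
        # A short max-age protects nobody; require at least six months.
        "hsts": hsts is not None and hsts["max_age"] >= 180 * 24 * 3600,
        "forward_secrecy": all(has_forward_secrecy(c) for c in site["cipher_suites"]),
        "starttls": offers_starttls(site["smtp_ehlo"]),
    }


# Constructed provider records (hypothetical hosts, not real observations).
GOOD_PROVIDER = {
    "name": "mail.good.example",
    "self_reported_dc_encryption": True,
    "http_response": (301, [("Location", "https://mail.good.example/")]),
    "https_headers": [("Strict-Transport-Security",
                       "max-age=31536000; includeSubDomains; preload")],
    "cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                      "ECDHE-ECDSA-AES256-GCM-SHA384"],
    "smtp_ehlo": "250-mail.good.example Hello\r\n250-SIZE 35882577\r\n"
                 "250-STARTTLS\r\n250 8BITMIME",
}
LAGGARD_PROVIDER = {
    "name": "mail.laggard.example",
    "self_reported_dc_encryption": False,
    "http_response": (200, [("Content-Type", "text/html")]),
    "https_headers": [("Strict-Transport-Security", "max-age=60")],
    "cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "smtp_ehlo": "250-mail.laggard.example Hello\r\n250 8BITMIME",
}

if __name__ == "__main__":
    for site in (GOOD_PROVIDER, LAGGARD_PROVIDER):
        print(site["name"])
        for item, passed in report_card(site).items():
            print(f"  {item:28s} {'PASS' if passed else 'FAIL'}")
```

The forward-secrecy check deliberately fails a server that offers any static-RSA suite at all, because a client (or an attacker downgrading the handshake) can pick that suite, and one recorded session under it is enough to expose the traffic once the private key leaks. In real use you would feed `report_card` what a TLS scanner and an SMTP probe actually returned rather than these constructed records.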

If we look through the EFF list, LinkedIn comes up short on all measures, although it promises to get started next year. The same is true for many of the connectivity providers, such as Comcast, Verizon, and AT&T. Coincidentally, that is where the government taps seem to be located. Harrumph.

One thing the EFF report could do a better job of is showing whether the major browsers support all these not-so-newfangled protocols: guess what, they don’t. For example, IE 10 lacks HSTS support, so the policy a site sends is silently ignored by that browser. Here is a report from the good folks at OWASP that does show this information, although it is somewhat outdated.

Most interesting security stories of the week

In my weekly efforts to keep up to date on the latest and greatest security stories for the Dice Security Talent Community, here they are:

FedTech magazine: Cisco’s ASA-5512-X review

To better protect the enterprise network, organizations need stronger firewalls. Cisco Systems’ Adaptive Security Appliance 5512-X delivers a solid set of features to address those needs: zero-day malware protection, application-aware software and integration with endpoint device control for end-to-end security.

You can read my review here for FedTech Magazine.

Network World: Mobile Device Manager Review

Mobile Device Managers (MDMs) make a lot of sense when you are trying to control who can access your enterprise network and applications from particular phones and tablets. But to effectively evaluate these products, you should first consider what exactly you are trying to control: the apps on particular devices, the pairing of a user with his or her device, the device itself, or the collection of files on each device. Each MDM has a somewhat different perspective, and has strengths and weaknesses in terms of what it can control best.

In my review today for Network World, I looked at six different products: AirWatch (pictured above), Apperian’s EASE, BlackBerry’s Enterprise Server 10 (BES10), Divide, Fixmo, and Good Technology’s Good for Enterprise. No single MDM product won this review; all had serious flaws that would prevent them from being successfully deployed, depending on your circumstances.

The need for better mobile security is obvious: witness this story from last year about a hospital volunteer taking pictures of patient records with his phone and then selling them. Sadly, most current MDMs still wouldn’t be able to prevent something this overt.

The MDM arena is still pretty immature, akin to where the anti-virus world was decades ago. Security profiles are somewhat clunky to install and administer and some vendors don’t support vintage versions of iOS or Android. Topping this off: once you find phones that have been compromised, there is no easy way to return them back to a pristine condition, largely through the fault of the mobile OS vendors.

Expect to pay between $20 and $75 per user or per device per year, which can add up if you have a lot of phones to protect. Few vendors are transparent about their pricing (AirWatch and BlackBerry are notable exceptions).

Good and BlackBerry do the best jobs of protecting your messaging infrastructure, so if that is the primary reason for picking an MDM product you should start with these two. Divide had the most appealing management console and overall simplest setup routines, and also supports licensing unlimited devices per user. And Apperian is great for corporations that have developed a large collection of their own apps and want a consistent set of security policies when deploying them.

You can see the full range of screenshots for my review in this deck.