
August 18, 2008

Fear of flying

The plane flight from Atlanta to San Francisco yesterday was very bumpy. I’ve never been a nervous flier and I’ve flown so much that coach is like a second office. But, as the plane seemed to jounce down a dirt road yesterday afternoon, I sat there wondering if I could scare myself into some kind of irrational state, if I could truly grok the dark side of my situation.

When you think about it, flying in airplanes is scary. Here I was, 35,000 feet in the air in a 100-ton metal bus suspended only by invisible whorls of vacuum above each wing. And I’d stay there only if the plane kept moving forward at an adequate speed, only if the pilot kept doing his job competently, and only if the Delta maintenance personnel were thorough. Come to think of it, I was also relying on the FAA and the TSA to ensure I made it to San Fran safely. If that doesn’t initiate a panic response, I don’t know what will.

On top of all that, the plane was bouncing back and forth badly enough that I could scarcely type. The seatbelt light dinged on, the flight attendants strapped in, and the other passengers began to mutter nervously and clutch their drinks so tightly that condensation trickled slowly down the backs of their hands. The turbulence grew steadily worse and the bumps got harder. It felt like we were hitting rocks. I began to wonder if something really was wrong with the plane.

I thought about how long it would take to hit the ground once the plane lost power. Would we start to nosedive as we slowed, or would we spin out of control? I thought about whether it would hurt once we hit the ground, or whether the long fall and the certainty of my own death would be worse than any physical pain I might feel. I thought of my family and how they'd get along without me. I thought about how my wife would find out: would it be a midnight phone call or a CNN news report?

Nothing.

It’s gruesome, I know. But, despite my best efforts, I couldn’t really get worked up. Despite all the evidence available to me, I just didn’t perceive any personal and imminent threat. After all, I have been flying for a very long time and I’ve seen turbulence before and it’s never been a big deal. Statistically, flying is still safer than driving (and much safer than riding in a San Francisco cab).

Information security's like that for users, I think. It's not personal or imminent, just sort of a distant threat that's baked into our daily lives and always seems to happen to someone else. It's hard to get too emotional about it. There's no real personal contemplation of what "the worst" really means. Information security involves forces many users don't really understand and actions that are handled by someone else in their organization.

Of course, users can take more responsibility for their own information security than I can take for the safety of my cross-continental plane flight. But they tend not to. Do you think they would if the personal consequences were as dire?

August 7, 2007

Entropy and Network Security

This morning, I read this article about the IRS and its employees' failures to screen security-related phone requests. Nothing surprising here. Humans have always been the weakest link in the security chain. They stick passwords on monitors, they pick easily-guessed passwords, they install questionable software, they turn off agents, etc.

And everyone pretty much agrees that education is the right approach here. In fact, on paper, it seems like the better part of many security budgets might be more effectively spent on education than on some of the security solutions currently deployed. There's a really interesting article on the 451 Group (paid subscription required) pointing out that the anti-data leakage (ADL) problem is driven just as much by error as it is by malice. And this makes ADL just as much an HR/education issue as it is a technology one.

There's no doubt we should strive to educate our user communities. But here's the problem: Humans are recidivists. Unless they're continuously reminded about sound security practices, humans tend to fall back into bad habits relatively quickly. Indeed, the article on the IRS states:

The IRS went through a similar test in 2001 and 2004. After each case, it was determined security measures needed to be updated. While it has added additional safeguards, the report said, "the corrective actions have not been effective."

So what's to be done? Should we allocate some unusually large percentage of our security budgets to continuing education? The answer is probably "more than we do now at least". The 451 Group article discusses one customer that has made such a shift, focusing relatively more spend on security education than in previous years.

Unfortunately, the IRS example illustrates that there are some problems that are specific to people and process. And either education or some extreme form of activity monitoring is probably required to address them. (Note to self: ADL for voice transmissions? Maybe when voice recognition technology matures some more...)

But I think this human behavioral entropy is also one of the reasons that some of us do sell so much security hardware and software. Where possible, buyers in the security industry address people and process problems with technology because it's one of the pieces of the puzzle they can solve. In other words, you can't stop users from turning off agents, but you can use technology to detect it (and fix it) when they do.

June 8, 2007

Chaos Theory and Other Thoughts

I spent most of this week at the Gartner IT Security Summit in Washington, DC. Outside of RSA, it's probably the largest gathering of security companies on the US calendar and it's a great opportunity to get a sense of how the industry is trending without having to surf to a hundred web sites or talk to a hundred marketing people.

One thing I like to do at events like this is walk the show floor. I try to stroll past each and every booth at the same pace and without stopping. The challenge is to see 1) if you can figure out what someone does in the 3-4 seconds it takes to walk past the booth and 2) if there are any trends that emerge in messaging or types of solutions, etc. What I found this year kind of surprised me.

In 2006, there were two types of solutions that seemed to dominate the floor: network admission control and data leakage (with the old reliable identity and access management coming in a strong third). This year, the NAC vendors were almost all gone and there were many fewer data leakage vendors than I had expected. Nor was there any one type of solution that really seemed to dominate.

The question is: What does this mean? On the one hand, I continue to be staggered by the number of new vendors in the security space. They seem to be like ants in the kitchen -- acquire one and two more crawl out of the cracks in the window sill. It's madness, I tell you! There were a good half a dozen names I had never seen before and I wonder if the number of companies that continue to pop up is good or bad for our industry. It's certainly good that technological innovation continues, but I wonder about the financial status of these companies as funding for security startups continues to be more difficult to get. There sure is a lot of money that's been poured into security and I'm not sure how investors are going to get it back.

On the other hand, it seemed that there was much less hysteria than in years past. No "we-can-make-every-one-of-your-compliance-problems-vanish-overnight" or "confidential-data-is-seeping-through-the-cracks-in-your-network-while-you-sleep-Run!-Run!" pitches this year. There seems to be more maturity in how the industry is addressing its buying audience and I find this fairly encouraging. Despite the number of companies, maybe the industry is slowly growing up after all. It'll be interesting to see how this plays out.

May 29, 2007

CW or not CW? That is the question.

My wife and I are considering a major renovation to our home and I found myself thinking about the likely impact on our property value. The "conventional wisdom" says that bathrooms and kitchens offer the highest return on investment.

And that got me thinking about the concept of "conventional wisdom". Conventional wisdom, in my opinion, is simply an excuse for people not to have to think too hard about the decisions they need to make. "Do the safe thing," they all say. "Nobody ever got fired for buying ______."

Now, speaking as a former marketing person, CW is your friend. If you can elevate your solution or your brand to the glorious pinnacle of "conventional wisdom", all the market mojo is on your side. It becomes much easier to sell your product because your audience already accepts its value. Of course, this usually doesn't happen for companies with revenues less than $1B.

On the other hand, as a product manager, CW is the enemy. Once you become comfortable that your solution rocks, then you must resist the inertial drag of success and continue to look for ways to make it better. Or for technologies that could displace it. One of the hardest things to do as a product manager is to continue to worry about how you're going to make your own successful product obsolete, even though you know there are competitors out there working hard to do just that.

My personal theory is that, when it comes to IT security, a concept is pretty much obsolete by the time the market labels it "conventional wisdom". Our market moves too fast via aggressive innovation for any new concept to survive unchallenged and unchanged for too long. Even in the mature security sub-markets of firewalls and anti-virus, there is still innovation in the form of packaging and update mechanisms. Not to mention the coalescence of adjacent technologies like IPS and spyware.

And I don't think this is a bad thing, BTW. Innovation followed by evolution and then widespread adoption is a tried-and-true market curve. In this day and age, I just don't trust any pure security solution that labels itself as "conventional wisdom".

Of course, my wife and I are going to update our kitchen and bathrooms, so what do I know?

May 23, 2007

One Journey Ends and Another Begins

I cut my workout short this morning so I could get into the office to watch Cambia Security disappear.

As many of you know by now, nCircle has acquired Cambia Security and me along with it. It's a terrific move on the part of both companies (the technology part, not the "me" part necessarily).

As we've worked on this acquisition over the past few months, I've been impressed with two things about nCircle: How solid their (our) technology is and the extent to which nCircle has been able to establish itself as a standard with large companies. For a private and relatively small firm, nCircle has an astonishingly strong presence at the enterprise level for security and risk management.

So, I'm pretty pumped about the opportunity this acquisition represents. I really do think we have a combination of capabilities that few other companies can match. Still, when the moment actually came, the transition was more poignant than I thought it'd be.

For the past two years, I've worked hard with a team of incredibly talented people here in Atlanta to bring an agentless configuration compliance solution to market and to make it as effective and as well-known as possible. That journey ended this morning when the Cambia web site vanished for the last time and was replaced by the redirects to the nCircle site. I sat alone in a silent office at 8 am as I watched the Cambia home page go dark.

Now, I don't want you to think I'm unhappy with this acquisition. It's terrific. It was just harder to watch the Cambia stuff go away than I expected. Transitions like this often are, I suppose.

So one journey ends and another begins. Our mandate now is to execute: to get the products integrated and to deliver nCircle Configuration Compliance Manager as part of a larger, even more powerful, product line. It's a pretty good company I've joined and I'm very much looking forward to seeing where this new road leads.

Bio

Blog: Changes Per Day
Author: Mark Wood

Mark Wood is responsible for product management for the Configuration Compliance Manager business. He has more than 21 years of technology marketing experience, with significant expertise in product management, marketing and new product market strategies. Prior to joining nCircle, Mark was vice president of product management and marketing for Cambia Security, the leader in agentless configuration compliance that was acquired by nCircle in May 2007. At Cambia, Mark directed product strategy, product marketing and marketing initiatives.