Cisco Blogs

Cisco Blog > High Tech Policy

Business Blogs…Are you ready?

March 1, 2005 at 12:00 pm PST

Riva Richmond of The Wall Street Journal today writes about blogs and how they are being used by businesses. Her article states that there are now 8 million US bloggers and 32 million blog readers. By my cursory math, that means that there are approximately 4 people reading this posting.

We are still trying to find our voice on this nascent public policy blog and I’m sure we’ll go through several iterations before we fully understand what type of information our readers are looking for. It was created to extend our reach and get some of our “unofficial” thoughts down on “paper” for the purpose of discussion, information and interaction. A recent question we received was regarding how we got the blog up in the first place…the logistics, the approvals, etc. We definitely followed regular order: we made a plan, researched the technology, got the appropriate leadership and IT approvals and then got the blog up as soon as we could before anybody could change their mind!! : ) By the way, we chose blojsom ( as our technology.

So, let us know what you want and check out the Journal article and see what you think about business blogs. You have to have a subscription to read the story, but access to blogs is free, free, free. The story:,,SB110963746474866537,00.html OR, of course you can stop by your local coffee shop or library and check out the article on page B1.

San Jose Mercury News on Stock Options

February 25, 2005 at 12:00 pm PST

Check out today’s editorial in the San Jose Mercury News. It calls on regulators at the Securities and Exchange Commission (SEC) to stop the expensing of stock options. If they cannot do that, it calls for Congress to step in and take action. HR 913 was introduced on February 17th by Congressman Dreier (R-CA) and Congresswoman Eshoo ( D-CA) and calls for an economic study of the impact of expensing options as well as a delay in expensing while the study is taking place. Check out the editorial at the San Jose Mercury News (free registration is required).

Getting Some Things Off My Chest…Stock Options…

February 24, 2005 at 12:00 pm PST

Please read this blog’s disclaimer before reading this one. : )

After the FASB decided to treat stock options as an expense last December, the chairman of that august board was quoted in a Bloomberg story as follows: “Stock options have been a ‘free good’ because their cost was omitted, Herz said today. “Once you have the accounting costs, you get a much more robust debate on the appropriate way of compensating executives.”

So, that definitely confused me, as I thought that the FASB was the Financial Accounting Standards Board and not the Financial Executive Compensation Board. I was under the impression that the FASB wanted to expense options because, to them, it made accounting sense, but all along, it appears they wanted to work on the executive compensation issue. I don’t remember voting for any of the FASB members in the last election. Do you? I’m not an apologist for executive compensation, but in reading the FASB mission statement, I don’t see anything in there about being the judge and jury on corporate compensation. (See statement below).

“The mission of the Financial Accounting Standards Board is to establish and improve standards of financial accounting and reporting for the guidance and education of the public, including issuers, auditors, and users of financial information.”

Help me understand their role in executive compensation. Or their role on the economy -- and the potential impact that expensing stock options would have. Yes, the House passed legislation last session on this (by a 3 to 1 margin) and 53 Senators sent their concerns to the SEC on this, but the June 15 date still looms (expensing of stock options is to begin at the first interim or annual reporting period that begins after June 15, 2005).

So, clearly I’m venting, but I think that some questions still need answered…and we’re still working on this. For more information on stock options, please visit the stock options coalition website at

Why people don’t report intrusions…

Interesting piece in ComputerWorld about why companies don’t report security breaches-- the piece says it might hurt their reputation, and their business. The inverse of this is that security matters and that companies have incentives to get secure (this on the theory that eventually, most everything becomes public….).

The piece cites the 2004 CSI/FBI (see upper right of page) 9th Annual Computer Crime and Security Survey, which I find to be about the best set of statistics on security incidents. It has been tracking data consistently for years and shows trends over 5-6 years. Other interesting stats in the FBI study include: the other big reason people didn’t report is because ‘competitors would use to their advantage’ (Figure 21); 82% of companies preform security audits (Figure 17); the biggest $ losses are from targeted events -- DDoS, theft of IPR, and insiders (Figure 15); expenditure varies widely by sector — of course the risk varies widely by sector-- one size does not fit all (Figure 7); and most firms use Return on Investment (ROI), Net Present Value (NPV), or Internal Rate of Return (IRR) calculations to determine investments, with 55% using ROI (Figure 8). This survey is worth a look.

The ComputerWorld piece ends asking about whether mandatory disclosures of breaches provides disincentives to look for them… Interesting area….. Will look at this more later… Cheers.

More RSA…

Earlier I said I was looking forward to hearing the law enforcement vision of the USSS to stamp-out cyber crime…. Didn’t get to (although I hear it was meaningfully robust). Instead I spent time on spyware.

Spyware was discussed a lot at RSA. We announced that as part of our Adaptive Threat Defense next phase of the Self Defending Network, anti-spyware is covered (part of our Anti-X initiative, where X is spyware, DDoS, malware, other things you want to stop), Microsoft announced that it was providing anti-spyware (from their Giant acquire) on the desk top at no additional charge, and pretty much all the AV vendors had booths at the show explaining what they assured us were their very effective new anti-spyware technologies. This lines-up with AOL and other ISPs adding anti-spyware into their service for no or little additional fee. Lots of market action here.

Proposed spyware bills try aim to stop bad actors from doing devious things with spyware. The challenge has been how to define and stop the problem without chilling innovation. I previously have talked about our position on spyware on a VOD The problem is of course difficult in part because bad actors may be overseas, do spoof their identity, and may be unlikely to stop. Law enforcement here is key. Unintended consequences can have non-trivial effects, and we need to make sure that as people look for legislative approaches, we don’t inadvertently chill current and future innovations in things like network management, maintenance, security, and other areas that make the Internet and enterprise networks efficient, productive, global, safe, secure, and robust. Networks are becoming fully interactive, passing instructions and information constantly to maximize utility, quality of service, and function. These are good things…. Not spyware…. The work on these issues needs to continue….

Even though I didn’t get to hear the USSS tell us about the next Elliot Ness, earlier I did hear a raucous discussion about regulation and security — the RSA company wanted to have people with very different views -- and they were there. I have previously talked about security policy, both in text and VOD. My view is the the answer lies in market-driven innovation. Panel members at RSA who were open to some (undefined) kind of security requirements on ‘critical infrastructure sectors,’ like electricity, seemed to be under the impression that these sectors had few incentives to get secure. I’ve never subscribed to that. They talked about the Internet as if it were a public good, and were afraid of a ‘tragedy of the commons,’ in the traditional economic sense. My view is that it is not. Every piece of the network is owned by somebody — somebody with an incentive to get and stay secure. In electricity, for example, (where the Northeast blackout was used as an example of what could happen -- which was caused by a power line sagging into a tree), someone said companies in the electric industry have little incentive to get secure because security was only a cost -- again my view is different, first, going down does not go unnoticed, and second, the state electricity regulators at NARUC have said security is a positive thing and of course you can recover your investment, and in fact NARUC provided a road map for cost recovery through the rate-base, see the second report referenced on NARUC’s site. Certainly work needs to, and is, going-on regarding hardening SCADA systems, but it strikes me that the incentive issue is pretty clear. One panelist seemed to want ISPs to provide security, and in any case the market has driven AOL to roll-in AV to all its customers at no additional fee — which was followed by Earthlink, and then Net Zero to stay competitive with AOL. That has to have rolled-in about 30 million users in just the last 5 months. On the enterprise side, the Wall Street Journal reported in November that ATT/MCI/Sprint were competing against each other in the enterprise market based on security. Customers are asking for it, and ISPs are responding. Enough on that for now.

The big take away from RSA is the intensity of innovation. Someone who was there (and should know) said the vibe was like networking was 15 years ago. Fast, complex, fun and the place to be. That hit me as right. So long for now…..