Back from my Florida vacation, and into snowy Boston.  This afternoon I’ll be speaking to IT leaders in Boston. (Many thanks to IOVations and Check Point for their sponsorship and participation!) Education is critical right now… I had the opportunity to interview Bill Sieglein, Founder of the CISO Executive Network, earlier this week (part of my SVLC Insiders Circle). Perfect timing in preparation for this event.

There’s a lot of buzz out there right now about information sharing, Obama, Sony, and most recently the catastrophic losses at Anthem (where hackers stole data on up to 80 million current and former Anthem health care customers, including names, birth dates, Social Security and medical ID numbers, email addresses, street addresses, telephone numbers and employment data, including income).

Mr. Sieglein works with thousands of CISOs throughout the U.S. through a series of roundtables where they discuss the current trends, share ideas, and look for answers. I had the opportunity to ask Bill about this Obama info sharing proposal. Will this actually help? He and I both agree, it’s not the answer. This morning the WSJ published an article on this subject written by Steve Norton, who I’ve also met through past CSI interactions.  The bottom line – “Focusing solely on sharing specific threat information ‘only addresses one facet of a very complex space,’ Mr. Libicki said in prepared remarks. ‘It is therefore highly questionable whether efforts to achieve information-sharing deserve the political energy that they are currently taking up.’” More government oversight won’t stop hackers.

However, education can go a long way. Sieglein made the comment, “CISOs struggle to get the attention they need from other senior managers.” He went on to say, they do recognize that this is not about compliance – security and compliance are very different. It’s about predicted security and risk management.

In this afternoon’s session I plan to spend some time on the growing trends of mobility, cloud, and consumerization, and how these initiatives affect security. I’ll spend some time on the two big things companies are doing right now that are leading to big losses – one of them is, as I wrote in Data@Risk, the detection strategy is weak, or non-existent.

This issue is growing. If you’re not out there educating, you’re missing a great opportunity to help companies gain ground in the security battle. This is not a product sale. It’s a chance to help – which is a win/win for technology providers who understand the problem, and who have equipped their team to help solve it.

P.S. Next month’s SVLC Insider’s Circle Interview is with John Sileo – ID Theft Expert and Author of Privacy Means Profit. You can join us if you sell security technology or MSSP services – HERE.


Apple – Bigger Than Microsoft? How Can That Be?

Apple, $683 Billion; Microsoft, $338 Billion (Market Cap).  Wow! (Be sure to watch the video above.)

This morning as I read this I was thinking about my Mac 128 – the one I purchased as part of Drexel University’s computer science program – one of the first accredited computer science programs offered in the U.S.  It was a great computer and it was the first Mac.  Today I’m sitting in front of my MacBook Pro. This one actually has a hard drive in it… I’m connected to various cloud apps, made calls to Europe on it this morning, and am sharing documents around the world, monitoring the other Macs on my local network, and syncing with my iPhone – the other half of my IT infrastructure.

How did Apple get here?

If you’ve not read Steve Jobs’ life story, I highly recommend it – if you’re in the IT space. If you’ve read it, you know what I’m saying when I say, “I had no idea.” Back in 1984 I had no idea who Apple really was, who Steve Jobs was, or Bill Gates. But reading about Steve’s life has been eye opening at the least. Regardless of the baggage you’ll read about, he was a genius. It’s an amazing story of rags to riches…

Now, have you read Simon Sinek’s book, Start with WHY? Interesting, Simon wrote this book in 2009. Apple was growing – but Simon had no idea Apple would be where they are today. Looking back at what he wrote, his wisdom is validated. People buy your WHY before they buy your WHAT. If you haven’t read his book – you should read it now. Apple is the company he’s talking about.

Taking the Risk vs. Following the Trend

Today’s Business Times article explains how Apple got to where they are today.  Read it!

The iPhone – Steve was right. People can do everything they did on iPods, with a phone. And by making the phone bigger, they not only cannibalized  their iPod business, they ate into their tablet business.  “The most successful companies need a vision, and both Apple and Microsoft have one. But Apple’s was more radical and, as it turns out, more farsighted. Microsoft foresaw a computer on every person’s desk,… But Apple went a big step further: Its vision was a computer in every pocket.” (BusinessTimes).

The article goes on to show that “Microsoft has repeatedly tried to diversify, and continues to do so …” But “it’s been more of a follower whereas Apple has been more of a trendsetter.”

The Wake Up Call To Resellers

This business is changing. I don’t know how long Apple can hold this leadership position. No one stays in front forever. But the bigger thing on my mind as I read this is the technology reseller business. Years ago Novell led the charge in building a successful channel – many have followed, and there are some great channel programs out there. But the technology sales business is changing. In the 90s, Unix systems made the firm I was working for very successful. In 2000 it was VoIP. In 2003 I was running my own consulting company, helping resellers convert to Managed Services.

Those who are still hanging onto these offerings are doing the opposite of what Apple is doing. There are two things to focus on right now – helping clients gain a competitive advantage (largely through software), and helping them build in greater levels of security as they transition to cloud, BYOD, and online collaboration tools.  Those who wait will be too late.

© 2015, David Stelzl

P.S. Do You Have Your Copy of The NEW House & The Cloud?  << Get it on Amazon…

Yesterday I spent the day with business leaders in Raleigh, N.C.  Thanks to The Teneo Group and Check Point for sponsoring this educational event.

There’s a lot going on in the security space – I expect to see more security issues than ever before as we move further into this year….

My keynote focused on coming trends as the workforce transitions from Baby-Boomers to Millennials – the C-Generation.  This generation, according to recent WSJ reports, is not as concerned with security breaches. In fact, the assumption is that everyone has everyone’s data already so it’s not a big deal.  This is dangerous thinking. The other major mistake is trading security for convenience. I just finished an interview with a company in the mid-west, talking about EMR  and the future of healthcare security. The medical world is way behind when it comes to securing data, and the EMR movement is largely focused on accessing records, not restricting access. Expect to be compromised, and watch carefully to make sure people aren’t buying expensive medical equipment under your name – to be sold on the black market.

At the end of the event, The Teneo Group offered to assess the security of any company attending. Every company signed up! This is an important step for every company.  The traditional security assessments being conducted by most companies are not effective, and the pen-tests required by compliance regulations provide the wrong information.

© 2015, David Stelzl

How Should The Government Get Involved?

Compliance & Security Are Not The Same Thing

This week I’ll be speaking to CISOs in Raleigh, NC on this topic. (Thanks to The Teneo Group and Check Point for hosting this event.) Security is not a simple thing. And it would seem that companies like Sony are on their own when it comes to defending against cybercrime.  Will Obama’s new proposals bring us greater security?

What is an act of war? What is organized crime? And how can a government defend Sony, Home Depot, JP Morgan, or Target? In some ways it’s like a bomb was dropped on these companies – but in some ways it’s not. Is this a war? Who should respond? Sony can’t really respond. They have no recourse. Will the government? No, they can’t really either. It’s a gray area.

When the government gets involved, it usually means more bureaucracy, not more security.

In N.C. where I live, it’s illegal to plow your field with an elephant. Who made that law and why?  These are the types of laws government responds with when something goes wrong. It appears to be action – a response to a problem that needs attention.  But compliance is not security and it’s not making us more secure. It’s a hard issue because we don’t always know who initiated the attack. The losses are big – so it seems like someone needs to do something. But more laws are not the answer.

From what I can see, these laws are just costing businesses more money. They get hacked and then our government hits them with a bunch of expensive laws to comply with. What should we do?

What If Companies Were Required to Report A Breach In One Day?

Will companies be more secure if they report breaches within 30 days or…what about one day? It doesn’t matter – they won’t be more secure. From a consumer point of view I’d like to know, but faster reporting does not mean better security.

There are several problems that should be addressed. First, most of the security budgets are being spent on keeping hackers out. That doesn’t work. In my book, The House & The Cloud I explain in simple terms why companies are losing the battle. Like all physical security, it is real-time detection that stops breaches. This is true in your house, and it’s true in the cloud. 80% of the security budget is still being spent on the wrong stuff!

There is also a need for better technology. The fact that we use credit cards in the U.S. that can be reproduced in seconds is just wrong. It’s not hard to fix this problem – and it will be fixed, but I’m not sure why we’ve waited until now to get this moving. Then there’s education. The people creating and using the data are often completely unaware of how they expose data.

On Thursday I’ll be walking through some of the biggest threats we face in 2015. Most of them are technology mindsets that have developed with the use of social media, cloud, and the smartphone.  Like handling a gun, some training should be required before an employee gains access to data with their iPhone. I will also be showing Security officers how detection strategies should be applied, and why most assessments are not providing the right data. The average assessment leaves business leaders guessing as to what to do next. Intelligence is needed. These leaders need more than FUD. They need a measure of likelihood – what are the odds they’ll be attacked in their current state, using the types of data associated with their industry.

Like a basic blood test, without the expert analysis, most of us would be clueless.  About the only number I understand on my last test is the cholesterol number. That’s because that’s the number insurance companies are always beating us over the head with. Everything else is a mystery.

What Should Technology Providers Be Doing?

If you’re a security solution provider, you can help. Your clients need education. The problem is, they may not know it. They might think they’ve got it covered…they might think this is just a technical problem, and IT should handle it. But the truth is, we need executive support. The budgets, policies, and strategies must start at the top – with education and support for making a change. The longer we wait, the more bureaucracy we’ll see. While Obama’s plan might sound good – it really just means less freedom, more oversight, and more compliance costs – which don’t equate to more security.

© 2015, David Stelzl

How would your clients respond?

(Watch the Video – it’s worth the two minutes) How would your clients respond to an interview like this one? I don’t mean the people in IT – the exposure is with those who don’t really understand computers but use them all day long, creating and using digital assets. Is this interview for real?  I think it is…I’m tempted to go out and try this.


The point is, no matter how secure the perimeter is, people still talk. It reminds me of the men working on Wall Street who gave their passwords out to the 21-year-old Facebook woman last year (the Wall Street Journal reported on this). I talk about this in my new House & The Cloud book (Second Edition), and what you can be doing to help your clients change this.

One thing is for sure, passwords don’t really work. They’re like your front door at home. They keep out bugs, heat in the summer, cold in the winter, and curious children living next door. But that’s about it.  Is anyone seeing more sales in strong authentication technologies…please comment.

One opportunity is to get into the security policy business – if you’re not helping your customers develop strong policies and enforcement, you should be. Compliance requires it, and for those who don’t seem to fall under any compliance regulations, they still need it. Password policies should specify lengths of at least 8 characters, with numbers and letters, and a special character.  But they still won’t really work. At some point we should be moving to something more secure. Some sort of dual authentication. I love my thumbprint iPhone 6 button! Of course, you don’t need a thumb because you can always guess the 4-digit login – or accidentally erase the entire phone by guessing wrong 10 times in a row. Somehow that’s not great either.

© 2015, David Stelzl

Do you depend on the Gartner reports to predict this year’s business growth?  Don’t.

A few months ago Gartner projected 3.9% growth in IT spending. More recently this was downgraded to 2.4%. Does it matter? Perhaps. If you’re a major shareholder at Cisco or EMC you might be worried.  But if you’re a rep selling technology, manage a VAR, or spend your time consulting on technology, it really doesn’t matter.



The real question is, are you selling the right stuff? Software will grow about 5% according to Gartner, data center will be at about 1.8%.  If you’ve attended my training classes or read my books, I predicted this. VoIP isn’t even mentioned.  No surprise here. It’s a commodity. So is most infrastructure. I wrote back in 2007 that VoIP would die out within 10 years as a strong profit driver for most. If you provide a managed VoIP service you might still have a business, but it’s a commodity like most managed offerings. I also pointed out that Data Center is not a discontinuous innovation on Geoffrey Moore’s model (Inside the Tornado), and so you can’t expect it to act like one in terms of sustained profitability. The 1.8% growth Gartner has given us is pretty low compared to the other growth areas.

Computerworld ranks it like this:


If you work on infrastructure, you’ll want to beef up your security offerings. If your income comes from managed services, make sure security is central to your offering – everything else is a $/seat sale – total commodity. If you work on the software side you want to be in the cloud, investing your time in analytics and intelligence or customer experience.  Everything else is destined to decline.  You’ll be competing on price.

How Much Will Gartner’s Number Affect Your Salary?

If you sell things people need – like security and customer experience, you’re selling something everyone will be buying. The question is, “Will they buy it from you?” It’s a value proposition and unique positioning statement question.

Value Proposition: This is why people do business with you rather than someone else. If you’ve been in an account for a long time, don’t assume they’ll stay with you. Companies are demanding more and more in terms of customer experience. Recently my daughter, who owns a natural healthcare products business, asked me if she should refund a customer’s shipping charges on a product they didn’t like. “Of course!” I won’t do business with someone who won’t refund my money. A great buying experience is critical to your value prop.  But you also need differentiation of products and services. If all you do is resell a product, it’s time to wrap some consulting / advisory services around it. Again, security is the most important thing you can possibly bring to your client.

Unique Positioning Statement: This is the message that sets you apart from everyone else. There are dozens of choices when it comes to buying infrastructure. Software is even worse – no one really has to come onsite. So what can you say to grab your prospect’s attention? The technology companies out there are spending very little on training when it comes to great messaging… big mistake. This is the first thing a customer experiences. If it’s not great, it won’t go any further.  In my book, The House & The Cloud, I provide a number of ways to do this. One concept parallels The Challenger Sale. It’s coming in with a predictable message.  80% of your clients’ security budgets are being spent on the wrong security controls – attempts to shore up the perimeter. Very little is being spent on technology that will detect an intrusion. In my book I explain why this is so important… but to get you started, the perimeter is an outdated concept. Mobility and BYOD have taken the data outside the firewall.  There’s much more to it… if you want to stay relevant, focus on what’s really needed, develop offerings that help clients move from their current state to a secure one, and be prepared to offer ongoing support, with security as the central part of that offering.

© 2015, David Stelzl

P.S.  eGestalt, a cloud-based security management company, is sponsoring a great session (online) in February. I’ll be presenting strategies to grow your business by adding cloud-based detection and response offerings – the next step in developing a strong security offering… you can attend by registering here:

Build Your Business On Security  <<< Click to Sign Up For The Event!


The House & The Cloud In Print!

Happy New Year!  And yes, The House & The Cloud, Second Edition is now in print!  It’s available on Amazon…here’s what you can expect:

  • First, the message. The House & the Cloud message is more relevant than ever.  I’ve used this same messaging for 15 years and it still works. Sometimes we get tired of our own message before the market does – but last year over 90% of my lunch & learn attendees heard this message and signed up for an assessment at the meeting.
  • This book is longer – however it’s easier to read. There are 275 pages vs. the old 150-page version… however, I’ve shortened the chapters, making it easier to look up things after reading it.  I have also added details to clarify how to sell larger security deals as well as managed services.
  • Of course there’s the cloud – when I wrote The House & the Cloud, “Cloud” as we know it today did not exist…neither did big data, or BYOD…this version is up to date and relevant to your business right now…
  • Speaking of managed services, I invited a strong MSSP company to participate in this edition – So you’ll find content directly from someone who has done it – Steve Rutkovitz (President of Choice Technologies) and one of his senior sales reps wrote the chapter on building the MSSP business – you won’t want to miss this.

Free Resources Online…

Personally I like to read books printed on paper – however there is a place for video and audio. So as part of the book, you’ll have access to some great online resources. I’ve posted recordings of live security sales training using this material… as well as a keynote using this same message to convert over 60% at a lunch & learn in Tampa, FL.

You’ll also find several videos on using assessments to drive larger project business as well as managed services.

Finally, there is a place on my House & the Cloud website to ask questions and get input as you apply these concepts.  Buy the book and you’ll get a link (printed in the back of the book) to access this and more.

So as you get started with 2015 – I recommend reading The House & The Cloud. I guarantee it will give you a new perspective on how to access new accounts, discover their most important needs, and solve your client’s biggest problem.

© David Stelzl, 2015