What Question Is Most Often Asked of the CISO by the Board of Directors?

And What Questions Should They Be Asking?

The big question being asked, according to Kim Nash, columnist for the WSJ, is: “Whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management (OPM)?” There are two things to consider here. First, who can answer this question? Second, is it the right question?

According to Kim, it’s not the right question. But let’s start with my first concern: “Who can answer this question?”

Will We Be Hit Like Target, Home Depot, or OPM?

Most executives can’t answer this question honestly, and their security team doesn’t really have a clue either. If they did, we wouldn’t be reading these stories every day. And if you look at the stories being published, it’s the big companies that make the news, yet statistically about 60% of breaches are hitting the SMB market. Most of those breaches never make the news. So the board can ask, but they’re not likely to get the real answer.

If you didn’t see my comments on OPM, you might want to take a look (read about Donna Seymour and OPM’s failure to protect our nation’s critical personnel data). The board is missing the mark here because they misunderstand risk. In my book, The House & The Cloud (2nd Edition), I’ve given a lot more attention to the impact vs. likelihood graph than I did in the 2007 version. It’s the model I use to communicate risk to business leaders.

If you know security, the concept is pretty simple. The missing link in most assessments is a measure of likelihood, and that’s what the board is really asking for, although they are asking for it incorrectly. What they really need to know is: where is our data, what are the top 3 to 5 threats we are facing right now, and given those threats, what are the odds we’ll be hit over the next 12 months? (More detail on how to figure this out starts on page 194 of The House & The Cloud.) As I said in my latest speaker promo video, risk needs to be presented in simple business language, in terms everyone who uses and depends on data can understand.
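As an added worked example (not from The House & The Cloud and not the book’s page-194 method), here is one way to turn a short threat list into the answer the board is really asking for: where the data is, the top threats ranked, the odds of a hit in the next 12 months, and where each threat sits on the impact vs. likelihood graph. The threat names, dollar impacts and annual rates are constructed sample values, and converting an annual rate into a 12-month probability with a Poisson model is this example’s own assumption:

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    data_at_risk: str    # where the data is / what the threat goes after
    impact_usd: float    # estimated loss from one successful event
    annual_rate: float   # estimated successful events per year


# Constructed sample values for this example, not figures from any assessment.
SAMPLE_THREATS = [
    Threat("Phishing for staff credentials", "email and SSO accounts", 250_000, 1.2),
    Threat("Ransomware on file servers", "shared drives", 800_000, 0.3),
    Threat("Insider copies customer database", "customer records", 1_500_000, 0.05),
    Threat("Lost unencrypted laptop", "customer PII on endpoints", 120_000, 0.6),
    Threat("Data center fire", "everything on premises", 5_000_000, 0.005),
]


def hit_probability(annual_rate, months=12):
    """Odds of at least one successful event within `months`.
    Assumption of this example: events arrive as a Poisson process,
    so P(at least one) = 1 - exp(-rate * t)."""
    return 1.0 - math.exp(-annual_rate * months / 12.0)


def expected_loss(threat, months=12):
    """Impact times frequency over the period: one number the board can compare."""
    return threat.impact_usd * threat.annual_rate * months / 12.0


def quadrant(threat, impact_threshold, likelihood_threshold, months=12):
    """Place a threat on the impact vs. likelihood graph."""
    high_impact = threat.impact_usd >= impact_threshold
    high_likelihood = hit_probability(threat.annual_rate, months) >= likelihood_threshold
    return "%s impact / %s likelihood" % (
        "high" if high_impact else "low",
        "high" if high_likelihood else "low",
    )


def top_threats(threats, n=5, months=12):
    """The 3 to 5 threats that matter most, ranked by expected loss."""
    return sorted(threats, key=lambda t: expected_loss(t, months), reverse=True)[:n]


def risk_report(threats, impact_threshold, likelihood_threshold, n=5, months=12):
    """Rows in business language: threat, data, odds this year, dollars, quadrant."""
    rows = []
    for t in top_threats(threats, n, months):
        rows.append({
            "threat": t.name,
            "data": t.data_at_risk,
            "p_hit_12mo": round(hit_probability(t.annual_rate, months), 3),
            "expected_loss_usd": round(expected_loss(t, months)),
            "quadrant": quadrant(t, impact_threshold, likelihood_threshold, months),
        })
    return rows


if __name__ == "__main__":
    for row in risk_report(SAMPLE_THREATS, impact_threshold=500_000, likelihood_threshold=0.25):
        print(f"{row['threat']:<36} {row['data']:<26} "
              f"p={row['p_hit_12mo']:.3f}  ${row['expected_loss_usd']:>10,}  {row['quadrant']}")
```

With the sample values, the ranking by expected loss puts phishing first even though its single-event impact is the smallest, which is exactly the point of weighing likelihood and not impact alone; the fire scenario lands in the high impact / low likelihood quadrant where it belongs. The thresholds that split the graph into quadrants are a business decision, not a formula, so they are passed in rather than hard-coded.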

One thing everyone must come to grips with is that every company is vulnerable, just like Target, JP Morgan, Home Depot, and most recently Ashley Madison.

The question isn’t “Can they get in like they did at Target?” Rather, the board should be asking, “Can we detect a breach in time to stop the damage?” Remember, like a physical robbery of a house or a bank, hacking takes some time and it makes noise, but you won’t hear it with your ears. You need detection technology in place and people with the skills and understanding to turn that data into intelligence.

So what’s the right question? Can we detect and respond before it’s too late?

Are You Getting To The Board?

Have you ever been invited to meet with or present to a board of directors? It’s a powerful moment in the sales cycle if you have something meaningful to say.  Yesterday I was working with a rep on some strategy, as part of the SVLC Security Mastery Sales Program. We were discussing strategies to get a CEO or Board level meeting.

Most are still working at the IT Director Level. Remember, the IT Director is low on the liability list for security. They might lose their job – but getting a new one, if they know security, won’t be hard. In fact, they may take a pay raise.  On the other hand, people like Donna Seymour of OPM are in trouble. (Again, read my post and consider Donna’s situation – is it her fault, or is there something bigger going on here?)

Now is the time to move up. Company leaders need more security insight right now, and the WSJ is backing you on this. The CISO cannot possibly figure all of this out in a vacuum, and aside from some of the largest accounts out there, their people won’t have the experience to do it either. Managed services with a security focus, backed by skilled security experts, are needed to collect and analyze the data and repackage it into something business leaders can use: intelligence.

What About SMB Companies?

Don’t let the Board of Directors angle keep you from your SMB accounts. The SMB is under fire right now, and the owner of that business is in the same position as the Board. They need to know the same things; they just have fewer resources to figure it out.

© David Stelzl, 2015

Ashley Madison Digital Assets

For some reason people still think their data is safe with someone else…  

First it was Adult Friendfinder, now Ashley Madison, hacked…

In this most recent attack, 37 million users are waiting to see what their online profiles might look like posted somewhere online. Back in March it was 3.5 million users, taken from Adult Friendfinder. The hacker says he did it for money and was looking to shame government workers. In case you’re not familiar with these sites, they specialize in extramarital hook-ups.

Speaking of this week’s hack, Brian Krebs writes, “The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison…In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.”

Apparently that delete function doesn’t really work. But in the data world, you can almost never count on delete actually deleting.

Why am I writing about Ashley Madison? There are a few important lessons here…

1. First, no site is safe from hackers, and as this hack shows, disgruntled employees or customers should always be considered in long-term defense planning. Many of your clients assume their employees and customers can be trusted. They can’t. One small problem can set off a business-crippling sequence of events. Will Ashley Madison recover from this? Regardless of whether you agree with their business, the point is, it’s their data and their business, and it could be any business.

2. Since no site is safe, people should be thinking hard about the data they entrust to someone else. People forget, but passwords alone don’t protect data. We should all be considering what data we put on a device that connects to a network; of course most of us have most of our lives online right now. How hard would it be to erase your bank account? It’s just data at this point. It’s also true that altering your medical data could disqualify you from a job or lead to all kinds of questions being asked. Data is an asset, and the stakes grow as we put more of it online.

3. When you move to the cloud, something most businesses are doing to one degree or another, the data sits on systems someone else controls. Of course the cloud provider will tell you it’s still your data, but when you say DELETE, don’t be surprised if your data isn’t actually deleted, which brings up the $19 fee Ashley Madison charges to delete an account. Can you believe it? You have to pay to have your account deleted. And from what the hackers are saying, they don’t actually do the DELETE; they just collect the money. Do I hear another lawsuit coming?
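As an added example, not code from Ashley Madison or from the original post, the script below shows three reasons “delete” so often fails to delete: the application usually implements it as a soft delete (a flag on the row that hides it from the app but not from anyone holding the database), a real DELETE leaves the old bytes in the database file until the file is rebuilt, and a backup taken before the request still holds the record. The profiles, table layout and file name are constructed for this example, and it uses only Python’s standard sqlite3 module:

```python
import os
import sqlite3
import tempfile

# Constructed sample profiles for this example; not real accounts.
SAMPLE_PROFILES = [
    (1, "alice@example.com", "Alice's profile text"),
    (2, "bob@example.com", "Bob's profile text"),
]


def create_db(path):
    """Create the profiles table with the soft-delete column many apps use."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE profiles ("
        "id INTEGER PRIMARY KEY, email TEXT, bio TEXT, deleted_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO profiles (id, email, bio) VALUES (?, ?, ?)", SAMPLE_PROFILES
    )
    conn.commit()
    return conn


def visible_profiles(conn):
    """What the application shows: the 'delete' looks complete from here."""
    rows = conn.execute(
        "SELECT email FROM profiles WHERE deleted_at IS NULL ORDER BY id"
    )
    return [r[0] for r in rows]


def all_rows(conn):
    """What anyone with database access, or with a stolen dump, sees."""
    return [r[0] for r in conn.execute("SELECT email FROM profiles ORDER BY id")]


def soft_delete(conn, user_id):
    """The common 'delete': flag the row, keep the data."""
    conn.execute(
        "UPDATE profiles SET deleted_at = datetime('now') WHERE id = ?", (user_id,)
    )
    conn.commit()


def hard_delete(conn, user_id):
    """A real DELETE removes the row from the table..."""
    conn.execute("DELETE FROM profiles WHERE id = ?", (user_id,))
    conn.commit()


def scrub(conn):
    """...but freed space in the file can still hold the old bytes.
    VACUUM rebuilds the file from live rows only; secure_delete makes
    later deletes overwrite freed content."""
    conn.execute("PRAGMA secure_delete = ON")
    conn.execute("VACUUM")


def bytes_on_disk(path, needle):
    """Search the raw database file for a byte string, as a forensic
    examiner or an attacker holding the file would."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo():
    needle = b"alice@example.com"
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "profiles.db")
        conn = create_db(path)
        # A routine backup taken before Alice asks to be deleted.
        backup = sqlite3.connect(":memory:")
        conn.backup(backup)

        soft_delete(conn, 1)
        result = {
            "visible_after_soft_delete": visible_profiles(conn),
            "raw_after_soft_delete": all_rows(conn),
            "on_disk_after_soft_delete": bytes_on_disk(path, needle),
        }
        hard_delete(conn, 1)
        result["raw_after_hard_delete"] = all_rows(conn)
        # May still be True: SQLite does not zero freed cells unless told to.
        result["on_disk_after_hard_delete"] = bytes_on_disk(path, needle)
        scrub(conn)
        result["on_disk_after_scrub"] = bytes_on_disk(path, needle)
        result["in_backup"] = all_rows(backup)
        conn.close()
        backup.close()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Whether the email survives in the file after the hard delete depends on how the SQLite library was built (some distributions enable secure_delete by default), which is itself the lesson: a deletion promise you have not verified at the storage layer, and in every backup and export, is not a deletion.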

The underlying problem here is education. Most of the companies you call on don’t understand their risk. They don’t understand where the data is, what’s protecting it, or the odds it will be compromised. I’m not speaking of IT here; I am speaking of company leadership. IT will just go get a new job; the leadership will be stuck with the lawsuits and the mess to clean up. In many cases they will go out of business. Only when they understand their likelihood can they make wise decisions to change their security approach. Either that, or wait until the hack happens and then start scrambling for new strategies and technology.

© 2015, David Stelzl

How to Stop CIOs From Sending You Back To IT

And What We Can Learn From Donna Seymour

Are you talking about the most important things in IT when you meet with business owners and CIOs? It’s security – not managed services.  Cost savings are great, but security is crucial.  In fact, for some, not only do they need more security…they need more education and perhaps a lawyer.

What Happened to Donna Seymour?

Just a few months ago no one knew the name “Donna Seymour.” Today she’s becoming a household name. Is it her fault that millions of employee records were taken from OPM? It might be, but who knows. It would be easy to jump on the bandwagon and say she should lose her job. The truth is, any company can be successfully hacked, and the CIO can’t stop every attack. However, there are some things to consider. Due care means taking the reasonable steps that decrease the risk of an attack. But this is harder than it sounds.

First, how often do politics get in the way of making the right decision? You know, the budget constraints everyone works under.  I just got off the phone with a sales rep going through my Vendor to Advisor Mastery Program – he’s facing this issue right now. A very large company in the midst of a merger, not willing to spend any money. How should he respond?

With Donna, what we can say, based on a recent study I wrote about a few days ago, is that these business leaders are not equipped to make a case for better security because they can’t quantify the risk.  They don’t know how much risk they really have, so they don’t know how to budget, or how to justify more budget.

As a result, Donna Seymour is not only being pressured to join the Target leadership in resigning; she’s being threatened with lawsuits. She blames it on outdated infrastructure. That’s probably true, but as Eric Ries, author of The Lean Startup, recommends, you need to ask “Why?” five times to get to the root cause, and the root cause is not outdated infrastructure.

Why did OPM get hacked?

Outdated infrastructure, that’s what they are telling us. But why is the infrastructure outdated? Because Donna didn’t get budget to upgrade it sooner. Why not? And so on. I bet it eventually boils down to not predicting the need. A security expert probably would have predicted it. The average CIO would have delegated that meeting down to someone in IT security, and that person would have delayed any sort of action due to budget constraints, not wanting to pressure Donna or being too afraid to ask. That IT person is still unknown and still employed. Donna, on the other hand, may not be for long. Donna should have taken the meeting.

Or, it could be that there just wasn’t a salesperson bold enough to ask for the meeting with Donna. Maybe she would have listened, if a sales rep had offered an assessment. Who knows.

Of course they’ve had assessments, but were they the right kind? Did they just choose the low cost provider and get what they paid for?  Or did the provider deliver the right results, but Donna failed to take action?  Who knows?

These lawsuits are personal 

Donna’s being held personally responsible for the loss of millions of personal employee files. Whatever her organization wasn’t willing to spend, she’ll make up for personally. (Of course she can’t really do that. Millions of people are affected, and a credit monitoring service is not going to protect them on this one.)

Are You Talking To The People Who Need To Know?

Are you calling on CIOs who won’t take the meeting? The WSJ reports, “CIOs generally should expect to be sued in increasing numbers over cybersecurity issues…” In my latest book, The House & The Cloud, on page 195, I explain exactly what Donna needed, and what every CIO, CISO, and board member needs to know. So you have a great reason to make the call. What can you say to get them to listen? Hopefully, by understanding these recent attacks, you can get someone’s attention before it’s too late.

© 2015, David Stelzl

Uptime – Something Every Client Needs

The New York Stock Exchange was down this week!  How many people lost money, or at least lost sleep over this?

United Airlines had 1,400 delayed flights and 76 cancellations in just one hour this week, all due to downtime.

Remember the old phone system? It was always up. Now that everything runs on networks and Microsoft, five-nines uptime (99.999%, about five minutes of downtime a year) is hard to achieve. We have more functionality but less reliability, yet we have become far more dependent on these systems. Everything is on the computer, including my alarm clock and my personal trainer.

Downtime is a security issue.

The ISC2.ORG common body of knowledge used in CISSP training rests on three pillars:

  • Confidentiality
  • Integrity
  • Availability

You can remember that by remembering the CIA…which has a “security” ring to it. Some things need to be right (integrity) but don’t need to be confidential. For instance, the prices on Amazon.com. If a hacker raised Amazon’s prices by 20%, they would start losing sales. The integrity of those prices is critical. Uptime is also critical. If I go to buy something on Amazon and the system is down, I’ll probably look for another place to buy. If your client needs any one of these three, it’s security.

MSP is Security, If You Sell It That Way

Most managed services offerings provide some level of monitoring, with the promise of detecting problems before they result in downtime or data loss. This service is becoming more and more of a commodity. Just about every reseller I know has an offering, and they all sound pretty much the same.

The difference is coming down to price. 

The root of this price problem is in how the proposal was originally sold. If it was sold as a more cost effective way to keep systems up and running, the client is already thinking about cost savings and price. If a cheaper solution comes along, it would seem right to move to it.  After all, they signed your contract to save money. Why not look for ways to save more?

But if your contract was sold to mitigate risk, some impending threat, the justification was built on stopping that threat. The key to keeping the first contract is keeping your price below the competition’s. The key to keeping the second contract is keeping the client focused on the threats you are stopping. The more you can show that, without you, there would be problems with one of the C-I-A pillars, the more likely they’ll stick with you.

Stop selling the commodity offering based on price, and start thinking about MSP as part of the operational security equation. From there, start thinking about the rest of the C-I-A puzzle. What other risks are your clients facing, and what is the likelihood they’ll encounter big problems if not well protected?

© 2015, David Stelzl

Here’s Why Executive Level Prospects Should Attend Your Next Lunch & Learn

And What You Should Be Presenting On

Next week I’ll be speaking in Louisville, KY, at yet another lunch & learn – The question is, do people still attend these? Why should they?  Well, this morning’s WSJ article, Boards Struggle With Cybersecurity, Especially in Health Care, answers the question.  “Board members, [and any C-Level executive] need more education,” writes columnist Kim Nash.

Every company is facing these threats on a daily basis, yet only about 11% of business leaders claim to really understand data risk. This data comes from a survey of 1,034 directors. And while healthcare data is some of the most sought after by cybercriminals, healthcare leadership ranks as one of the least educated groups in this study! On the high end (high-tech companies), only about 31% have a thorough understanding. In other words, most industry leaders are completely unprepared to make wise decisions when it comes to mitigating risk.

Healthcare Leaders Need More Security Awareness Education

Last year I experienced this misunderstanding as a speaker at a Healthcare conference in Denver. Every security related session I attended focused on compliance. HIPAA is important, but it has little to do with risk.  I started my session by asking the audience to set compliance aside for an hour while we talk security. They seemed surprised by the idea. After my session, several commented that they had no idea what was going on.  Kim Nash quotes Charles W.B. Wardell, III, president and CEO of executive recruiter Witt/Kieffer, stating, “In health care, the need for security knowledge is urgent, …Many [health-care] organizations are conducting risk assessments regarding their information security programs and preparedness and are alarmed at what they’re finding.”  Having personally worked with many security providers who perform these assessments, I can confidently agree – most of them are turning up urgent issues.

Study results presented in this article showed that just about every industry, other than IT, scored 20% or less on having a high degree of knowledge.  More industries reported “Some Knowledge”, but many reported “Little Knowledge”.

When Is Your Next Lunch & Learn? Fall is a Great Time. Now Is The Time To Plan It.

Should you be setting up more security-focused lunch & learns? The answer is, Yes!

However, these groups don’t need product knowledge. They don’t need to hear sales managers, channel managers, or even your local SE talking about products, services, or esoteric technology jargon. What they do need is straight talk on trends, likely threats, big mistakes being made, and why so many companies are losing the battle. They need intelligence they can use to make wise decisions regarding access to data, policy, hiring decisions, outsourcing decisions, and budget justification.

These are the kinds of things we’ll be addressing next week, and they’re the same things your clients and prospects need to hear. If you get push back on attending, you might want to point them to Kim’s article… (Access it on the WSJ website).

© 2015, David Stelzl

PS. Check out my new Security Website – it’s a work in progress, but here it is.

www.stelzlsecurity.com

Expect Your IT Infrastructure Business To Shrink in the Second Half

Steve Norton, columnist for The Wall Street Journal, reported new shrinking IT spending numbers in this morning’s CIO Journal Report.

This is the third adjustment this year according to my notes. Earlier in the year Gartner was calling for a 1.3% decline, then in April 3.1%. Now they are saying we should expect 5.5% shrinkage!  These are some big changes.  What’s going on?

Data Center Is Over

Several years ago, when Cisco started really focusing on data center, I made a prediction. You might remember it; it’s in the latest version of The House & The Cloud, and in From Vendor to Advisor, a book I published back in 2012. I made a similar prediction in 2007, in the first House & The Cloud; however, that one was about VoIP. These technologies commoditize quickly. But data center is different. It was already a commodity! Cisco was developing what Geoffrey Moore called, in his book Inside the Tornado, a +1 technology. Plus-one is like putting a popcorn button on the microwave oven. It takes something that everyone already has and makes it better. But there’s a problem…

The Problem with Plus One Technology 

90% of technology revenue is sold today through the channel. If you look at Moore’s model, he shows how products enter the market as early adopter offerings, purchased by about 12.5% of the market. As the product matures, assuming it crosses into the early and late majority markets, and if the manufacturer does things right, it might become the de facto standard as Moore’s tornado (Inside the Tornado) heats up. If that happens, the manufacturer will have 60% of the overall market from the majority segments, plus the earlier 12%; in other words, they’ll be dominating the market like we see Cisco doing right now in route/switch.

The problem is, that while the manufacturer is still holding the larger part of the available market share, their resellers don’t really make money on commodity sales. The margins get so thin in the late majority market, they face going out of business. Over the past 20 years we’ve seen technologies come and go. The new waves of technology fuel new resellers, or the reengineering of old resellers. Novell resellers became Microsoft LAN Integrators. The UNIX wave of the mid-nineties helped revitalize many companies that used to sell PCs or CAD-CAM software. And big server deals, including those UNIX systems drove endless storage sales and high-availability computing.  By 2000 there were countless resellers jumping on the  VoIP bandwagon.

In 2003 we saw a shift away from product. The smaller integrators were all building managed services. Their customers were not candidates for big storage or server sales, so MSP became the goal of just about every reseller. The consulting business was eroding, given the commoditization of products, so services were moved to contractual recurring revenue. This was an excellent move for many; it gave stability to a reseller model that had historically struggled with fluctuating services utilization rates (bench time).

The larger companies, especially big Cisco integrators, turned to data center and big storage, not available in a rack-mounted router chassis. But the plus-one technologies don’t revitalize the reseller for long because they are not what Moore called discontinuous innovations. Rather, they are an attempt to eat away at existing market share. It’s just an upgrade from an existing commodity product, so competition is steep and margins are thin. The reseller is then left to make up the margin loss in volume. In the long run, this won’t work. The salespeople I am working with who are in this space are telling me their margins are too thin, and they can’t sell enough to make a decent living. They need something new.

The Problem With Managed Services

MSP doesn’t necessarily commoditize; it’s a different animal altogether. In a way, it’s already a commodity. It’s really an offering to take on the management of commodity infrastructure.

Since the products involved in MSP offerings are a commodity, the only thing that had kept resellers from flooding the market with offerings was the cost of building the NOC (Network Operations Center). Without a NOC, it’s hard to have an offering. Enter appliances and the Cloud.

In 2003, companies like N-able lowered the barrier to entry by coming out with an appliance that would handle SMB NOC needs. Of course it had its limitations. It didn’t really handle the security side of the equation. Since 2003, numerous offerings have emerged, basic security features have been added, and the SMB integrators all have one.

To make things worse, cloud now gives just about anyone the ability to offer a host of managed services.  I see resellers with just 2 or 3 employees offering services to hundreds of SMB companies, leveraging outsourced call centers and cloud based NOCs to handle just about everything but the initial sale.

MSP offerings are now just dollars/workstation sales. It’s a price sale, just like servers and storage.  There’s no margin left in it.

Back to The Four Things

In my book, From Vendor to Advisor, I make the case for focusing on one of four things. One of them is nearly impossible, so that leaves three. Two are in high demand. And Security has always been the most important of the four.  They are; ROI, Competitive Advantage (including Customer Experience), Operational Efficiency, and Risk Mitigation.  Competitive Advantage and Risk Mitigation are by far the best places to focus.  Some VAR owners will continue to offer all of the above, but like the medical field, the specialist always makes more money, and is always in greater demand.

© 2015, David Stelzl


32 Million Important Records

Are you up on OPM? 18 Million personnel records breached in the Office of Personnel Management.  It’s the latest in a string of high-profile data breaches our government has suffered. There’s been some reporting on this, but not nearly enough.  The number was first reported around 4 million, then 18, and now, after a recent congressional hearing, the number may actually be as high as 32 million.  But there’s more…

Here’s what you need to know…

1. L. Gordon Crovitz, columnist for the Wall Street Journal writes, “The Chinese hackers managed to gain “administrator privileges,” allowing them full access to the computers …among other things, they were able to download confidential forms that list “close or continuous contacts,” including those overseas.” He goes on to report, “That’s not the worst of it. The administration disclosed a separate intrusion that gave Beijing full access to the confidential background-check information …that includes the 4.5 million Americans who currently have access to the country’s top secrets. The potential for blackmail is chilling.”

2. Much blame is being cast on the Chinese for this attack; however, Crovitz points out that, given the opportunity, any government that has access to another government’s records is going to take them, the US included. It’s up to the US government to make sure our data isn’t available to other countries. We saw fines and personnel changes when Home Depot and Target were hit. What happens when the Government, the one that imposes these fines on private sector companies, makes the same mistakes? It’s an interesting question…

3. The fallout is potentially big. While a recent Wall Street Journal article suggests that the US data has not shown up in online chat rooms yet, Crovitz calls this issue a much bigger problem than Edward Snowden’s breach. He writes, “Millions of patriotic Americans entrusted with national secrets are going to lose much of their privacy because their government was unable to protect their confidential personnel records…That loss of privacy dwarfs the hypothetical risks from the NSA that have dominated the headlines.”

4. Other reports discuss national security… These “hackers accessed not only personnel files but security-clearance forms, current and former U.S. officials said. Such forms contain information that foreign intelligence agencies could use to target espionage operations.” WSJ. Apparently the government officials announced the personnel attacks, but held back on the security-clearance theft for at least a week.

Stay on top – learn the sound bites… in my book, The House & the Cloud, chapter 6, I discuss the power of sound bites and how to effectively use them (and how not to use them) in a sales call.

© 2015, David Stelzl