Archives For Leadership

If You Want The Right People Reading Your Report, You Have to Start With The Right People In Assessing The Risk

Too Many Security Assessments Start and End With Technology – Big Mistake!!!

Data Security is a BUSINESS RISK issue, not a technical exercise…

Technology infrastructure supports the business, just like administrative assistants, the fleet department, or shipping – a mix of infrastructure, people, and process working together to run a business.

The more we move toward digitalization, the more we’ll see robots and automation replacing people, and changing the way business operates…

With process change comes risk change. Don’t be fooled – The Network is not the endgame. The business is…

In this article I’ll show you exactly who to include, why, and how – when thinking about risk assessments and data security.

(For more in-depth, step-by-step selling ideas, see page 194 of my book The House & The Cloud.)

Over the past several months I’ve written a series of articles on how to approach data security risk assessments.

However, rather than addressing the bits and bytes, I’ve intentionally focused on the selling, business interaction, and conversion strategies designed to drive new business opportunity.

The approach you take, and the people you include, have a lot to do with your conversion rates and business success.

Stop: The Traditional Approach To Selling Doesn’t Work!!! (When Talking SECURITY).

Remember, the purpose of assessing risk is to move the company forward on remediation efforts.

If you’ve been in security any length of time, you know it’s rare to come away from an assessment with NO URGENT ISSUES.  Threats and security vulnerabilities are everywhere!!!

Whether it’s a gap analysis, pen test, or overall risk assessment, you’re going to find stuff – and it must be addressed. However, the traditional vulnerability-assessment approach rarely leads to any significant change or remediation. If the stakeholders don’t have justification (in their own language) they won’t write the check needed to remediate.

By traditional approach, I mean heading in with scanners, looking at internal and external vulnerabilities, diving into O/S configurations and network segmentation, all without ever engaging the company’s leadership or end-users.

The First and Only Place to Discover a Company’s Most Valuable Assets

Years ago I was struggling with just how to get executive attention with security assessments.

We were working in mid-market and enterprise accounts, assessing risk. The projects were highly profitable. However, the long term business opportunities just weren’t coming through (See my recent article on the Long Tail of Assessments).

In DESPERATION I consulted with a friend in the Disaster Recovery (DR) space.

DR experts always start at the top. Why? Because DR is much more than data. It’s a business issue.

When a DR plan is constructed, it includes things like business failover. Will the company have a hot site, warm site, or cold site? The plan addresses the entire effort of moving critical business functions over to a new location in the event of any major disruption.

In order to create a successful failover, business people have to be involved. Every step must be planned and tested.

The DR consultant needs to know what processes exist, what roles people play, what the business can’t live without, and how much time they have to be up and running following the BOOM (Any major disaster).

DR planning starts with the identification of critical infrastructure, applications, data, and people. It’s all just part of the bigger picture.  But DR is SECURITY!  That’s right…in the (ISC)² Common Body of Knowledge that the CISSP (of which I am one) is built on, business continuity and DR planning is one of the core domains of security.

In other words, security assessments are a form of BUSINESS IMPACT ANALYSIS.  They consider risk as a function of IMPACT and LIKELIHOOD – how much damage an event would do, and how likely it is to happen.

Measuring risk, like we’re talking about here, demands an understanding of assets and critical infrastructure, which can only be had through interaction with the stakeholders…

And no, this can’t happen by submitting a list of 10 or 20 questions to the IT director to be passed up the ladder…the DR expert would never proceed without direct contact.  It’s UNTHINKABLE.

Only These People Can Tell You How Data Gets Created and Where It Sits

Talk to the End-Users – the one thing everyone seems to avoid doing during an assessment.

The executives should be able to tell you (the assessor) what is important. However, don’t expect them to know exactly how data gets created, used, or who needs access…

Maybe in a very small business they can…but move up to a larger organization and talking to end-users becomes necessary.

Only the end-user can tell you how data is getting entered or created. The problem is, these hands-on knowledge workers are almost never included in risk assessment interviews.  Go over to the DR side and you’ll find these data-creators and users intimately involved in what goes on with the company’s daily operations.

Finally, It’s Time To Invite Technical People To The Party

It’s time to predict major holes…that’s right, PREDICT…(Do this before diving into the servers and network)

Enter the SECURITY technical subject matter expert (SME).  In most risk assessments, the SME is first in line…but shouldn’t be. The assumption is, the network and servers need inspection, so let the tech guy do it.

Technical people are essential to a proper understanding of the company’s security architecture – and analysis of any scans or traffic…

However, risk has a lot to do with business process, types of data, market conditions, and business activities specific to your client. For instance, if there’s a merger in the works, a strategic announcement or product launch, or perhaps a layoff coming, the company’s risk will be affected.

You’ve taken time to review your client’s business (Through executives and end-users) – so now it’s time to merge your findings with technology…

Your technical team should now be reviewing everything you have discovered… with the goal of understanding how your client’s data should be protected… It’s an INTERNAL brainstorming exercise.

You and your team are asking the question: What would need to be true to keep this company safe?

DO THIS: Make a list of 20 things that a company like this (size, category, market, vertical focus, etc.) must have in place given the current relevant threats (for instance – Ransomware).

NOTE: More details on threats and security mistakes are in my book, Digital Money (on Amazon).

It is from this list your technical team will begin their analysis.

You May Now Look At The Network

List in hand – it’s time for the deep dive. Notice, now you can ask the IT people specific questions about encryption, failover, access control, etc. with business relevance.  Look at your competitors’ assessment deliverables and you’ll see almost no one does this sort of thing.

Your client’s workflow directs you through their systems and architecture…so rather than looking at this from an inside/outside perspective (which does still need to be considered) you are approaching from an asset perspective.

ASSET FOCUSED – I call this…

Where is the data? Who accesses it? Where does it travel and how? How is the precious cargo stored, archived, or deleted? And what must be true to keep the company’s secrets secure (considering CONFIDENTIALITY, INTEGRITY, and AVAILABILITY)?

In addition, you will want to scan for vulnerabilities…but MORE IMPORTANT is collecting traffic. This is another step often missed on the assessments I see. If there’s malware or foul play, it’s going to show up in the traffic – as connections to hosts nobody can explain, or data leaving the network that has no business reason to leave.

And, don’t leave out the ONE BIG HOLE so many companies fail to consider…End-User Awareness Training…in fact, it might be wise to develop a quiz of some sort, and add a scoring system to show your asset owners where their data creators and accessors are with regard to security savvy.

Time To Deliver Results – Don’t Leave Out This One

You’ll need two reports to make this work: the executive summary, and the appendix…Who’s going to write this?

In most cases, your competition is only delivering the latter…Oh, they probably have a section in their 50-page document called Executive Summary…but how many executives are actually reading that section? Take a look and see if it looks like executive reading material. (Hint: the Red Light, Yellow Light, Green Light was a clever invention, but I don’t see CFOs acting on it.)

Executive summaries should be short, to the point, and easy for business people to digest. Check out Chip & Dan Heath’s book, Made to Stick, for some insightful tips on making reports consumable and memorable.

If you think your SME is going to write this document (the executive one), think again. This is an exercise requiring the skills of a copywriter – learn the skill or outsource it.

Important Factor: After All, You’re Liable!

Finally, make sure you get an audience with executive management during the initial stages and deliverable stages of your assessment.  Insist on it! Don’t take NO for an answer.

After all, you’re liable in some sense. If your client gets hacked tomorrow, and you were in there today, someone is going to want to talk to you. If you’ve uncovered serious holes in the armor, and you were depending on IT to carry that message to the commanding officer, you just might be surprised to find out it didn’t really happen the way it was supposed to.

© 2017, David Stelzl


Aggregated Data In The Hands of The Hacker

Is Allowing Hackers to Become You…

Yesterday I presented to business leaders at the Santa Clara Marriott in Santa Clara, California. I was surprised, but not entirely surprised, at how few of our attendees had recently performed risk assessments. Many of them had never had an actual risk assessment!

In our session we covered a number of evolving trends – one important one is the trend of aggregated data and deep machine learning. If you remember the recent report from Verne Harnish – the emails used to steal over $400,000 sounded like they came right from Verne’s desk. How does that happen?

We’re all being watched. Our data is being both monitored and collected. It’s being aggregated and analyzed.

Our data describes everything about us. Where we go, what we do, what we view online, where we eat and shop, and everything we write. This data is stored, aggregated, sold, and stolen…in the hands of the wrong people, it can be disastrous.

Using deep machine learning, computers create an amazingly accurate profile, exposing things we would never share openly. For instance, who has posted their salary on Facebook? Probably no one – yet Facebook advertising can easily target an audience in a specific income range. How does it know?

With the right data, just about anyone can become you online.

That means they’re sending email, giving directives, and even interfacing with your customers and suppliers. But don’t think for a minute that they’re helping you out. In Verne’s case they were ordering Accounts Payable to wire $400,000. His team had no way of checking the validity of this request – other than making a call. But given hundreds of requests just like this, who would question it?

Several attendees came up after the session sharing similar stories in their own businesses.  In the end, our sponsor, Truman Roe, President of  TruTechnical offered each attendee a risk assessment. From my count, every company in attendance took him up on the offer!  This is the best place to start…with a clear measurement of risk, companies can be more confident in how they approach their security strategy.

© 2016, David Stelzl


Consulting Skills Needed

Speaking In Buffalo, NY this Morning – This ship (above) sits right across from our hotel!

If you want to succeed in selling technology solutions, there are a variety of skills sorely lacking in most technology sales organizations. Today I’ll be meeting with Ingram Micro’s Advanced Solutions Team in Buffalo, NY exploring some of these.

Years ago the relationship might have been enough. While you can’t sell without a relationship, it’s not enough. Clients want more. The truth is, there are lots of relationship people out there. Here are some of the skills we’ll be discussing today. None of these are out of reach. They just take some extra effort. Apply just a couple of these and they’ll put you out in front of your competition…

Skills That Set You Apart

Public Speaking: I can’t say enough about “speaking”. Most assume good speakers are born that way. It’s not true. Perhaps there’s a handful, but most great speakers have worked at it. In fact I was speaking with an executive just the other day who told me he was getting ready for his annual sales meeting and needed to submit his recorded speech to his speaker coach.  There are a number of routes to take here.

Some are nearly free. For instance, Toastmasters. Every city has multiple Toastmaster groups, so join one and get some speaker critique. Learn how to engage an audience and your sales calls will be more fun, and far more productive.  Imagine clients who like hearing you present!

Facilitation Methodology: Disagreement among colleagues in a business you call on is one of the primary reasons they never take action. Learn how to bring synergy and you’ll shorten sales cycles and increase close rates.

Dr. Edward de Bono’s book, Six Thinking Hats, has been a pillar in my library for some time. I’ve also had training from one of their authorized instructors – which I highly recommend. This one skill will likely double your business if you work at it.

Copywriting: Your high school English teacher would likely have a heart attack, but I am much further ahead having studied copywriting. We’re talking about marketing communications or “Marcom”.  It breaks most of the rules you learned in school – but copy is what sells. Great copy is expensive, but you can learn to write your own. Stop sending out boring emails, and you might even decide your own company’s data sheets are poorly written. John Caples has several books on the subject. Any one of them is a great place to start.

Presentation: Different than public speaking, but related, is the art of presentation. People learn in various ways, but most presentations miss the mark completely. Chip and Dan Heath, in their book, Made to Stick, do a great job of educating us on how to make content appealing and sticky.

We’ll cover a lot more today, but this is a great start…Check out my book, “From Vendor to Adviser” (on Amazon), for more details on these, as well as consulting skills, assessment methods, and even how to price with higher margins.

© 2016, David Stelzl


Speaker Notes for Tomorrow’s Session in Cincinnati…

This morning I am headed to Ohio to meet with business leaders in the Cincinnati area – Another Digital Money session on Stopping Hackers!

If you provide IT services to businesses, I hope you’ll consider doing one of these with me at some point. Every business needs it, and most don’t understand the threats they are up against.

It’s a busy fall for us. Last week we wrapped up a session in San Francisco with large reseller executives, then headed down to work with a large sales team in Irvine, CA.  And tomorrow, Cincinnati, a session sponsored by InTrust-IT…

The Most Frequently Misunderstood Truth In Small Business

The big question always comes up, “Why would anyone want my data? After all, we’re just a local business. There’s nothing interesting here.”  I think Verne Harnish answered that question last week. If you’ve read his books, Rockefeller Habits, and Scaling Up, you know he runs a small business with very little in the way of infrastructure. Like me, he’s a speaker and a business coach, supported by a small team. Yet his blog post tells the story of a $400K ruse that caught him and his team completely by surprise.

Why small business? Because small businesses still have money, take out loans, and process credit cards. They have bank accounts and payrolls. Today’s hacking tools are largely automated. So sending out hundreds or thousands of scamming emails takes the hacker very little time. When one lands, the hacker will follow up. Small businesses are also largely unprotected against this sort of thing.

It might be a fraudulent invoice or request for ACH wire transfer. In Verne’s case he writes, “They sent an email to my assistant completely imitating my style, subject line, and signature asking her to wire funds to three different places.” This is getting more and more common. The more data we put online about ourselves, the easier it is for someone to impersonate us!

Tomorrow’s Session is About Digital Money and the Value of Data

Digital Money, my latest book, goes into detail on this. Data aggregation is in motion, pooling our data in one place where it can be analyzed.

There are several major data aggregators out there doing this. But the idea is to collect enough data to profile YOU. This is usually for the purpose of some analysis or marketing effort. We’re seeing it used right now in the election. That’s right. The candidates are leveraging this data to figure out who is likely to be on the edge, and needs a push. The data tells them both who to target  and how to influence them.

That data in the hands of the hacker allows the hacker to act just like Verne, or whoever they need to be, to issue orders to the team. Verne’s on stage in Russia, meanwhile his team is getting instructions to transfer funds. Will they? Of course. They’ve received these requests in the past, and they were real. There’s no reason to question them now, and the hacker knows that. These attacks are well scripted and highly successful. And the likelihood of prosecution is low.

Can it be stopped? Not completely. But there are ways to reduce the risk…and that moves us to a managed security program that involves people and technology, well equipped to deal with these common attacks. A program that detects these threats early on, before data has been compromised, and stops them before damage is done. Tomorrow, my goal is to give our audience the business-level understanding they need to make wise decisions going forward. And then to point them to the tools and process they’ll need to combat these attacks in the coming year.
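The check that was missing in Verne’s story (here and in the Santa Clara post above) is something the mail system can do before the assistant ever sees the request. The script below is an added example, not code from this post or from Verne Harnish’s team: it parses a raw message, compares the display name against a list of executives, and flags the header tricks these scams rely on (a familiar name on an outside or lookalike domain, a Reply-To or Return-Path that routes the reply somewhere else). Any message that both asks for money and trips one of those flags is held until someone confirms it by phone. The executive name, the company domain, and both sample messages are constructed for illustration.

```python
"""Out-of-band check for executive-impersonation e-mail (business e-mail compromise).

Added example, not code from the original post. The executive name, the
company domains and both sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (hypothetical): domains the company really sends
# from, and the executives whose names an attacker would borrow.
COMPANY_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"verne harnish"}

# Phrases that mean money is being asked to move.
PAYMENT_PATTERN = re.compile(
    r"\b(wire|ach|transfer funds|send payment|pay(?:ment)? to)\b", re.IGNORECASE
)


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _plain_text(msg) -> str:
    """Concatenate the text/plain parts of a message (or its single body)."""
    if not msg.is_multipart():
        return msg.get_payload() or ""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(parts)


def impersonation_flags(raw_message: str) -> list:
    """Return the warnings raised by the headers of one raw RFC 5322 message.

    An empty list does not mean the mail is genuine: a takeover of the real
    executive's mailbox passes every header check here. It only means nothing
    in the headers contradicts the claimed sender.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    flags = []

    # Executive's name on a mailbox outside the company's domains: a lookalike
    # domain or a free-mail account carrying a familiar display name.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain not in COMPANY_DOMAINS:
        flags.append("executive display name on external domain %r" % from_domain)

    # Reply-To pointing elsewhere: the assistant's "is this really you?" reply
    # goes to the attacker instead of the executive.
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append("Reply-To domain %r differs from From domain" % reply_domain)

    # Return-Path (envelope sender) on a third domain: typical of bulk
    # phishing infrastructure sending on someone else's behalf.
    return_domain = _domain(msg.get("Return-Path"))
    if return_domain and return_domain != from_domain:
        flags.append("Return-Path domain %r differs from From domain" % return_domain)

    return flags


def is_payment_request(raw_message: str) -> bool:
    """True when the subject or body asks for funds to be wired or paid."""
    msg = message_from_string(raw_message)
    text = (msg.get("Subject", "") or "") + "\n" + _plain_text(msg)
    return PAYMENT_PATTERN.search(text) is not None


def requires_callback(raw_message: str) -> bool:
    """Policy: a payment request with any sender anomaly is held until it is
    confirmed by phone on a number already on file, never one in the e-mail."""
    return is_payment_request(raw_message) and bool(impersonation_flags(raw_message))


# Constructed samples (not real mail). Note the digit 1 in "examp1e".
SPOOFED = """From: Verne Harnish <verne.harnish@examp1e.com>
Reply-To: vh.office@mail-examp1e.net
Return-Path: <bounce@bulk-sender.invalid>
To: assistant@example.com
Subject: Urgent wire before I board

Please wire $140,000 to the account below today; I'm on stage and can't take calls.
"""

GENUINE = """From: Verne Harnish <verne@example.com>
To: assistant@example.com
Subject: Travel receipts

Can you file last week's receipts with finance? Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, requires_callback(raw), impersonation_flags(raw))
```

Two caveats a practitioner would add. First, the header checks catch the cheap version of the attack (a lookalike domain or free-mail account); an attacker who has taken over the executive’s real mailbox passes all of them, which is why the policy keys on the money request and the callback, not on the headers alone. Second, the callback has to go to a number already on file; a phone number in the suspicious e-mail belongs to the attacker.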

© 2016, David Stelzl


At The DropBox Office

October 18, 2016

The Important, But Difficult Transformation…

From Vendor to Advisor

Last week I had the opportunity to meet with Ingram Micro’s Datacenter Advisory Board to discuss the important transformation: From Vendor to Advisor.

Meeting at the Dropbox office in San Francisco (amazing office space!), I covered five key areas of transformation. But one important one, every sales person should be engaged in right now, is that of understanding the CIO and their current challenges.

CIOs are in trouble in many respects. If you call on businesses large enough to staff an actual CIO, and you were to get their honest input on where things are headed, you might be surprised to hear what’s going on.

The office of CIO is under fire right now from two sides…

On one side, the business leadership is looking for CIOs to lead the charge with digitalization. That means figuring out how to leverage transformational technologies to compete in a digital world. Customer experience is the focus here, and customers want to be connected online. Amazon-like interaction is becoming more and more expected. The sales rep who can provide business insight on how to transform the business is going to be highly sought after.  CIOs can’t do this alone.

But few reps are doing anything more than parroting data sheet features and functions. The answer? Every rep should be back in school! By that I mean taking time to learn about business.

Reading the CIO Journal is a great start. But don’t stop there. Read books written by the top business authors. Every month I recommend books I find value in through my Insider’s Edge Newsletter.  One book I recently recommended, Traction, offers great insights into the business planning process.  Business planning might not sound like technology sales stuff, but it is central to what business leaders need. Start with the things they are already engaged in, and then move to the digital age to help them solve real-world problems.

On the other side there is security. The fact is, security is changing, and CIOs are being asked to present a measurement of risk to their board. Where does that data come from? In the very large enterprise, such as Bank of America (where I used to work years ago), there are teams that handle that sort of thing. But come down a step or two and it doesn’t exist.

One of my clients, who manages this entire process for regional banks, recently reported achieving over 400% of his quota in just 6 short months, simply by providing this to his clients.  They need it, and they’ll pay for it.

The Trusted Advisor Formula

There are two ingredients – Trusted and Able to Advise. It’s obvious. Maybe even silly. When I say this on stage it usually gets a laugh.

But there is an important question here.  Are you able to advise on the things your executive-level clients really need advice on? If not, how will you equip yourself to make this transformation? It’s not easy. It takes diligence in reading, studying, and listening to and watching great content. Those who take the time to study will see the results. Those who don’t may find the next decade in this business to be impossible.

© 2017, David Stelzl


Stage Set Up

300 Security Leaders Meeting in Miami

Looking for More Tools to Combat Cybercrime!

I’m just heading back from meeting with over 300 CISOs and CIOs, all part of the Florida International Bankers Association – CELAES event, at the Trump Hotel, Doral.

Great event, very well run, and an opportunity to connect with security leaders from all over Central and South America.  I was also able to reconnect with old friends from Kaspersky and Dimension Data.

Here are a few pictures…You’ll notice Former Mayor Giuliani on stage as well!  The living room shot was part of my amazing suite…

And I’m leaving just in time to avoid Matthew, the latest hurricane headed this way.


Creativity is Essential

But where does creativity come from?

Success comes to those who are truly creative, but how many people do you know that you can truly say have great, creative ideas?

My 13 year-old son and I were discussing creativity and inventions just yesterday. Who actually invents something or comes up with an idea that turns into millions or billions of dollars? Much of it is technology today and Steve Jobs is a great example. Read his life story and you’ll see some character attributes you may not appreciate, but you can’t deny he had some genius in him. Is this creativity limited to just a few people? Or can you build your capacity to create?

Creativity is a character trait. Some may be more creative than others, but don’t for a minute believe that you can’t become creative, or more creative than you are right now. Here are three things to consider if you want to be more creative, and therefore achieve greater success.

Taking Time To Build and Organize Knowledge

Napoleon Hill calls each one of us  to become learners – but not generalists. He calls out the university system as broken. The university system would have you believe the lie that a broad, general, liberal arts education is what you want if you’re going to lead. They have also instilled in us the lie that you need a professor to master something. This is not the case. Hill says, “No, you want specialized knowledge – to be an expert in something.” And that comes from research, reading, and organizing knowledge as you learn it.

Greg McKeown agrees in his book Essentialism. He stresses the importance of choosing to either know a lot about a lot of things, and therefore be mediocre in all of them, or to specialize and become the expert; the advisor. Of course he urges us to choose the latter. Choose to be an expert in something that matters.

Hill encourages us to be reading every month and to subscribe to online courses (what he calls home study courses) that give us that specialized knowledge in our field of choice.

Taking Time To Brainstorm

Seth Godin, well known author and former VP of Marketing for Yahoo (back when they were a stock you’d want to own), tells us that great ideas are the few that pop up in the midst of hundreds of bad ideas. In other words, taking time to brainstorm and write out ideas leads to lots of bad ideas and a few good ones.  Those who don’t have good ideas, don’t actually have any ideas. They just don’t take time to think up ideas.

Before Thomas Edison solved the lightbulb problem, he first came up with a thousand things that don’t work. You can’t expect to have great, creative ideas, unless you first spend time coming up with all kinds of ideas, good and bad.

Hill points to our inherent fear of failure as the hurdle that keeps us from creating. It’s one of the six major fears common to all men according to Hill. No one wants to be different. But being the same just means you’re average. If you want to be more successful, you have to somehow be different.  Again, it was likely the school system, where the oddly dressed person was the outcast. Everyone had to be the same – same clothes, same music, same hair style, same lingo. Different was bad…Just ask Bill Gates.

Taking Time to Rejuvenate

Finally, McKeown compares us to our cell phones. If we’re not charged we won’t perform. Looking back at the industrial revolution he describes our mindset as one that values constant work, not creativity. The idea of a machine being down simply means it’s broken. So when it’s time to take time off for renewal, we cringe. It seems like a waste of time. The guy working next to you, who never takes any sick or vacation time, and who works 80 hours per week, is seen as more valuable. The truth is, creativity is worth more than any machine can produce. And more than the average workaholic will produce.

McKeown schedules his vacation days first. Days to completely let go of work, put away the phone, and not check email. These are days of renewal, to reset the mind and prepare him for great things.

Taking McKeown’s advice, I am, right now as you read this, trekking through the most northern mountain range in New York with my 13 year-old son Josiah. There’s no cell service out here, and no place to charge a laptop. Our only electronics are GPS and a satellite phone in case of emergency. It’s a time for relationship and renewal – one that will lead to greater self-awareness, productivity, and creativity.

If you want to be creative, and therefore more successful, start reading, organizing knowledge, brainstorming from that knowledge, and taking time off to renew your mind.

© 2016, David Stelzl