Archives For Compliance

How Should The Government Get Involved?

Compliance & Security Are Not The Same Thing

This week I’ll be speaking to CISOs in Raleigh, NC on this topic (Thanks for The Teneo Group and Check Point for hosting this event.) Security is not a simple thing. And it would seem that companies like Sony are on their own when it comes to defending against cybercrime.  Will Obama’s new proposals bring us greater security?

What is an act of war? What is organized crime? And how can a government defend Sony, Home Depot, JP Morgan, or Target? In some ways it’s like a bomb was dropped on these companies – but in some ways it’s not. Is this a war? Who should respond? Sony can’t really respond. They have no recourse. Will the government? No, they can’t really either. It’s a gray area.

When the government gets involved, it usually means more bureaucracy, not more security.

In N.C. where I live, it’s illegal to plow your field with an elephant. Who made that law and why?  These are the types of laws government responds with when something goes wrong. It appears to be action – a response to a problem that needs attention.  But compliance is not security and it’s not making us more secure. It’s a hard issue because we don’t always know who initiated the attack. The losses are big – so it seems like someone needs to do something. But more laws are not the answer.

From what I can see, these laws are just costing businesses more money. They get hacked and then our government hits them with a bunch of expensive laws to comply with. What should we do?

What If Companies Were Required to Report A Breach In One Day?

Will companies be more secure if they report breaches within 30 days or…what about one day? It doesn’t matter – they won’t be more secure. From a consumer point of view I’d like to know, but faster reporting does not mean better security.

There are several problems that should be addressed. First, most of the security budgets are being spent on keeping hackers out. That doesn’t work. In my book, The House & The Cloud I explain in simple terms why companies are losing the battle. Like all physical security, it is real-time detection that stops breaches. This is true in your house, and it’s true in the cloud. 80% of the security budget is still being spent on the wrong stuff!

There is also a need for better technology. The fact that we use credit cards in the U.S. that can be reproduced in seconds is just wrong. It’s not hard to fix this problem – and it will be fixed, but I’m not sure why we’ve waited until now to get this moving. Then there’s education. The people creating and using the data are often completely unaware of how they expose data.

On Thursday I’ll be walking through some of the biggest threats we face in 2015. Most of them are technology mindsets that have developed with the use of social media, cloud, and the smartphone.  Like handling a gun, some training should be required before an employee gains access to data with their iPhone. I will also be showing Security officers how detection strategies should be applied, and why most assessments are not providing the right data. The average assessment leaves business leaders guessing as to what to do next. Intelligence is needed. These leaders need more than FUD. They need a measure of likelihood – what are the odds they’ll be attacked in their current state, using the types of data associated with their industry.

Like a basic blood test, without the expert analysis, most of us would be clueless.  About the only number I understand on my last test is the cholesterol number. That’s because that’s the number insurance companies are always beating us over the head with. Everything else is a mystery.

What Should Technology Providers Be Doing?

If you’re a security solution provider, you can help. Your clients need education. The problem is, they may not know it. They might think they’ve got it covered…they might think this is just a technical problem, and IT should handle it. But the truth is, we need executive support. The budgets, policies, and strategies must start at the top – with education and support for making a change. The longer we wait, the more bureaucracy we’ll see. While Obama’s plan might sound good – it really just means less freedom, more oversight, and more compliance costs – which don’t equate to more security.

© 2015, David Stelzl

Can companies really say, “We’ve got it covered?

Caught by detection, but too late to stop thieves from accessing over 200,000 customer credit card credentials.   Citi is a big company under strict federal security guidelines, and compliant as far as we know, at least up until this latest discovery.  As I read these reports, I recognize that compliance is needed – companies don’t take action just because there’s a threat.  But having worked for one of this country’s largest banks year ago, I know security is taken seriously at firms like Citi.  The problem is, you can’t really keep every door closed and locked, every day.  Especially when insiders can be paid off.  In this case, there is no report of insider cooperation (that doesn’t mean there isn’t any), however we’ve seen this before – a website used as the open door to gain access to sensitive data.  The world demands access to their “stuff” through portals, VPNs, and through the use of personal computing devices that now include smart phones and iPads.  Can companies really keep data safe?  It’s almost impossible to lock down every access point and still provide access.  Software has bugs in it, and bugs represent holes to be exploited.  Foreseeing this in every case is just not reasonable.

What an we expect  going forward?

According to experts – “The expertise behind the attack, … is a sign of what is likely to be a wave of more and more sophisticated breaches by high-tech thieves hungry for credit card numbers and other confidential information.

The “… demand for the data is on the rise. In 2008, the underground market for the data was flooded with more than 360 million stolen personal records, most of them credit and debit files. That compared with 3.8 million records stolen in 2010, according to a report by Verizon and the Secret Service, which investigates credit card fraud along with other law enforcement agencies like the Federal Bureau of Investigation.”  New York Times…

It’s been some time since Albert Gonzalas made his way into larger companies including the historical breech at TJX.  Recent news has focused more on politically motivated attacks by Anonymous and the LulzSec group – attacks that didn’t target financial information and seemed to be motivated by something other than ID Theft.  This article brings us back to the bigger issue that has plagued companies for over a decade – tens of thousands of hackers and hacker groups targeting financial information that will in turn be sold online for billions, and in recent reports, over a trillion dollars in revenue.

It would seem that, while companies can be doing a lot to beef up security, it is simply not true that some IT group out there has their company covered.  Technology companies must be equipped to address this either internally of through partners.  Application providers can greatly increase their value by having security experts on staff, and managed services providers should be approaching their offering from a security point of view.  Data center experts, unified communications, SMB resellers and larger enterprise consulting groups; everyone should be thinking – Security.

© 2011, David Stelzl

Off to Boston

February 23, 2010 — Leave a comment

Landing in Boston last night, the weather here was actually nice although they are calling for snow this week – we’ll see.  As I am preparing for meetings  this week with Courion (Access Assurance and compliance) to discuss messaging strategies, I have marketing and branding on the forefront of my mind.  This seems to be the weak link in many of the companies I’ve worked with or encountered over the past decade.  While some are investing in building a brand – as this company is, others are still trying to push ahead with brute force and more sales micro-management.  The problem is, when a sales person finally does get a qualified meeting, their message is weak, they are immediately demoted to IT,  and the opportunity becomes a long drawn out sales process to sell a widget to people with no money to spend.

Build the message – begin establishing the brand by focusing on the urgency.  Keep asking, “Is this worth reallocating time, money, and resources to?”  If it isn’t, you may be selling the wrong thing.


An article you may want to skim on hackers in China: – this was on the front page of Wall Street and well worth reading.  The point is, this young man from China explains how he got into hacking, how the code is put together to steal data, and how much money he made doing it.  Knowing this kind of information makes your message more relevant – it’s not the high tech theoretical data many are running around with.  This is what is actually happening on the street and all around us.

© David Stelzl 2010

My business planning podcast will post on Friday – regardless of whether you listen to it or not, you do need a plan.  You are sure to be inundated over the next two to three months with economic woes and tips to keep your business running.  Some will be worth reading; others will just spur more whining.  As I come across meaningful input I will be sure to pass it along.  Here are some considerations for 2009 – along with a link to eWeek’s Channel Insider – Factors for Profitability in 2009.  It’s worth a quick skim – mostly bullet points as follows:

Mergers and Acquisitions; this is a time to pick up new clients as unhealthy companies fold.  Make sure you’re healthy, invested in marketing and branding, and are keeping you sales efforts well tuned and focused.

Managed Services; I’ve been preaching this for over five years now.  If you don’t have it your company may be in trouble.  If you are still approaching this as a monitoring or ROI sale, the same is true. 

Cloud computing; this will be interesting.  I think Microsoft is in trouble with Vista…do you have a strategy that includes SAAS, HAAS, and other Cloud Computing concepts.  You may want to build some partnerships here that will allow you to play in the new world of thin client computing. 

Virtualization; this isn’t new but you’d better understand the value proposition and how to get it sold in a weak economy.  The last thing you need is a big ROI study on your hands.

Server and Storage Consolidation; this is obvious – are you in the storage game yet?

Compliance; what was once a hard sale may be required now.  Make sure you at least have a partner that can do this.

Security; this should be no surprise.

Database Consolidation; expect some consolidation as new releases come out and better management of data is required.

License management; here is an area of waste if there ever was one.  Partner with companies like SoftwareOne and get some benefits out of software mismanagement.

Video conferencing; and other technologies that help people stay home.  Sales people need to learn how to sell without leaving the office.  Did Cisco see this coming when they bought Webex?  Smart move on their part!

Read more here: