Archives For security speaker

BYOD is the trend…Is It Good? Can Companies Keep Their Data Safe?

The fact is, people are going to bring their own devices to work…even if you lock your systems down, some (and it might just be the IT people) will still find a way. No one wants to carry two phones, two laptops, two whatever….and most companies are not going to issue their employees smartphones….

Check out just three major issues people should be thinking about when they embark down the path of BYOD…

© 2018, David Stelzl


Tuesday We Heard From Prakash Panjwani – Moving to Security is not an option for Technology MSPs and Resellers…

Here are a few comments as I get ready to go on stage in Miami, at the WatchGuard Apogee Event – WatchGuard’s annual partner event for the Americas…

© 2018, David Stelzl


Here’s Why Executive Level Prospects Should Attend Your Next Lunch & Learn

And What You Should Be Presenting On

Next week I’ll be speaking in Louisville, KY, at yet another lunch & learn – The question is, do people still attend these? Why should they?  Well, this morning’s WSJ article, Boards Struggle With Cybersecurity, Especially in Health Care, answers the question.  “Board members, [and any C-Level executive] need more education,” writes columnist Kim Nash.

Every company is facing these threats on a daily basis, yet only about 11% of the business leaders claim to really understand data risk.  This data comes from a survey across 1034 directors.  And while healthcare data is some of the most sought after by cybercriminals, healthcare leadership ranks as one of the least educated groups in this study!  On the high ranking side (high-tech companies), only about 31% have a thorough understanding.  In other words, most industry leaders are completely unprepared to make wise decisions when it comes to mitigating risk.

Healthcare Leaders Need More Security Awareness Education

Last year I experienced this misunderstanding as a speaker at a Healthcare conference in Denver. Every security related session I attended focused on compliance. HIPAA is important, but it has little to do with risk.  I started my session by asking the audience to set compliance aside for an hour while we talk security. They seemed surprised by the idea. After my session, several commented that they had no idea what was going on.  Kim Nash quotes Charles W.B. Wardell, III, president and CEO of executive recruiter Witt/Kieffer, stating, “In health care, the need for security knowledge is urgent, …Many [health-care] organizations are conducting risk assessments regarding their information security programs and preparedness and are alarmed at what they’re finding.”  Having personally worked with many security providers who perform these assessments, I can confidently agree – most of them are turning up urgent issues.

Study results presented in this article showed that just about every industry, other than IT, scored 20% or less on having a high degree of knowledge.  More industries reported “Some Knowledge”, but many reported “Little Knowledge”.

When Is Your Next Lunch & Learn? Fall is a Great Time. Now Is The Time To Plan It.

Should you be setting up more security-focused lunch & learns? The answer is, Yes!

However, these groups don’t need product knowledge. They don’t need to hear sales managers, channel managers, or even your local SE talking about products, services, or esoteric technology jargon. What they do need is straight talk on trends, likely threats, big mistakes being made, and why so many companies are losing the battle. They need intelligence they can use to make wise decisions regarding access to data, policy, hiring decisions, outsourcing decisions, and budget justification.

These are the kinds of things we’ll be addressing next week, and they’re the same things your clients and prospects need to hear. If you get push back on attending, you might want to point them to Kim’s article… (Access it on the WSJ website).

© 2015, David Stelzl

PS. Check out my new Security Website – it’s a work in progress, but here it is.

I’ve just scheduled the next Making Money with Security Workshop.  If you haven’t attended one of these, you need to…there are just too many security opportunities out there; unfortunately I routinely see people leaving money on the table simply because they are not prepared to sell the entire project.  In fact, the entire project is often not obvious because the client doesn’t know what they need, and the discovery process on the sales side is lacking. I am posting this along with the LinkedIn news, because I believe there is a tremendous opportunity here to really make a difference – I want every person I work with to have access to “Asset Owners” – to have access to the most important security issues their clients have.  I am passionate about this…because I know it works.

Get More Information

Read more here for dates and times, outline, etc., and sign up using the early bird discount.


The LinkedIn Issue So Far

This recent issue with LinkedIn is big.  It’s just one social network, but 6.5 Million passwords is huge, and most of these people use these passwords on every online account they have.  Look at some of the issues posted in a recent PC Magazine article:

  • A file containing 6.5 million unique hashed passwords appeared in an online forum based in Russia. More than 200,000 of these passwords have reportedly been cracked so far – it’s just a matter of time for the rest.
  • This breach is so serious that security professionals advise people to change their LinkedIn passwords immediately – in fact, I recommend you change yours right now!
  • This was amazing:  “One common way people create passwords for different websites is to add the name of the site into the passphrase, says Thorsheim. So some people may use the password “1234Facebook” for the world’s largest social network, and then “1234LinkedIn” for LinkedIn and so on.”  This is a foolish way to create a password – something to educate your clients on.
  • If you know the passwords are hashed with SHA-1 (which, in this case, they are), you can quickly uncover some of the more basic passwords that people commonly use – in other words, a hashed password is not that secure if an attacker can guess what it was hashed from.
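
The storage weakness described above, as an added example that is not from the original post or the PC Magazine article: plain SHA-1 lets one lookup table flag every account using a common password, while a per-user salt with a slow key-derivation function does not. It assumes the leaked hashes were unsalted (the post says only SHA-1); the user names, passwords, word list and the choice of PBKDF2 as the hardened scheme are constructed for illustration.

```python
import hashlib
import hmac
import os

SITE = "LinkedIn"  # assumption: service name used by the policy check


def sha1_unsalted(password: str) -> str:
    """Storage scheme under discussion: plain SHA-1 with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_store(password: str, iterations: int = 200_000):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived


def pbkdf2_verify(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, derived = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, derived)


def audit_unsalted(stored: dict, common: list) -> dict:
    """Defender's audit: accounts whose digest matches a common password.

    One table built once covers every user, because equal passwords
    always produce equal unsalted digests.
    """
    table = {sha1_unsalted(p): p for p in common}
    return {user: table[d] for user, d in stored.items() if d in table}


def violates_policy(password: str, site: str = SITE) -> bool:
    """Reject passwords that embed the site name (the '1234LinkedIn' habit)."""
    return site.lower() in password.lower()


# Constructed sample data, not taken from the breach.
COMMON = ["password", "123456", "1234LinkedIn", "linkedin"]
USERS = {"alice": "1234LinkedIn", "bob": "1234LinkedIn",
         "carol": "T7#qv-plum-Radio-41"}
STORED_SHA1 = {user: sha1_unsalted(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("accounts needing a forced reset:", audit_unsalted(STORED_SHA1, COMMON))
```

Running the audit on your own credential store shows which accounts need a forced reset before an attacker does the same lookup against a leaked copy.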

© 2012, David Stelzl

As I prepare for this week’s educational security event in Michigan, I am reminded that this is the perfect time to be reaching out to business owners with an educational message. Security issues are rampant, and businesses are being compromised every day.

I was talking with another one of my clients this morning reviewing  their blog posts and other educational social media programs online.  We were talking through some of the major challenges business owners face and what topics integrators and solution providers should be focusing on.  In his case, his entire company has moved to a security message simply because the need is there.  Everyone has a security need right now – areas may differ, but they all need it.  This is a time in history where security is urgent for businesses of all sizes.

In the case of the Michigan event, our initial response has been very strong – we’ll have a packed room for this event.  We have about 30 business leaders signed up – business owners and executives all facing the same issue; that of making sure their data is safe:

1. Wall Street Journal reports that 75% of employees admit to stealing data.  How should business owners view the hiring process and what steps should be taken to ensure new employees have the right access, with the right amount of accountability?

2. Gen Y hires are turning down jobs that won’t allow them to use their own smart phones and tablets.  How do companies address this type of thing?  Smaller companies probably lack detailed employment policy handbooks and training on this sort of thing – what should they do?

3. Work-at-home programs are also growing.  The State of VA. has, in the past, offered a substantial grant to small businesses who move some of their office workers to home offices.  But how do these companies maintain control of home-based computers used to access sensitive information?

4. Recent advancements in malware have made many of the older anti-malware technologies useless.  With little or no info security skills on staff, how will these companies ensure computers are not infected with spyware and keystroke loggers?

5. Liabilities are growing as threats increase – what policies must be in place and how do these businesses deal with compliance?

On Thursday we will be going through some of the business level mindsets from my book Data@Risk to address the root problems most of these companies have.  It’s a difficult area for these businesses, but our goal is to give them some direction on how to get their company thinking about, and doing the right things to reduce the amount of exposure they have; things they can actually get started with right away.

© 2012, David Stelzl

Back from South Dakota – we had about 70 attendees last night, mostly business owners and leaders from the local community.  About 90% of the companies represented signed up to have their security assessed…why?

Because the event was focused on their business and a growing need every attendee had in common.  This event had nothing to do with products, or the WHAT Golden West Technologies (The sponsoring VAR) sells.  It had everything to do with educating those who have worked hard to build businesses, and who want to keep those businesses going in the future.

This is the time to be talking about security…just this week government representatives and consultants have made statements in the Wall Street Journal saying things like, “Consider every one of our networks to be compromised”, “All we can do now is focus on preserving the data”, “We are losing the war with cyber criminals.”  I also read in Wall Street this week that business leaders tend to shy away from knowing too much…but with a compelling campaign encouraging them to take action, we had over 70 responses in just a couple of weeks.  5 or 6 had to cancel, but consider some of the average attrition rates at lunch & learn programs and you’ll see numbers like 50 and 60 percent.  This was a great event and more are needed just like it.  The business leaders need the education, and the solution providers need to take a more active role in helping business leaders understand the issues and why they need to be involved personally.  Last night was a perfect example of this in action.

© 2012, David Stelzl


Cyber criminals are winning!  This should be no surprise, but here it is again in the headlines – straight from the RSA conference…companies are losing the war and admitting it.

  • Huffington Post – Straight from RSA 2012:  “Some 70 percent of employees in one survey cited admitted to subverting corporate rules in order to use social networks or smartphones or get access to other resources, making security that much harder.”
  • RSA was hacked last year shortly after the RSA 2011 conference using a simple “email with a poisoned attachment – which had been opened by an employee.” – this in turn gave hackers, “access to the corporate network and they emerged with information about how RSA calculates the numbers displayed on SecurID tokens, which was in turn used in an attack on Lockheed Martin that the defense contractor said it foiled.”
  • Speakers at RSA called 2011 “the worst year for corporate security in history”  pointing to “the rise of activist hacks by Anonymous, numerous breaches at Sony Corp, and attacks on Nasdaq software used by corporate boards”
  • Most importantly – they all agree, “there is more to come.”

While all of this is bad for anyone running a company that relies on securing information to keep going (and that would be all of us), it also represents a huge opportunity like any major unsolvable problem does.  Just like doctors and pharmaceutical companies working on heart disease, diabetes, cancer, and other major health issues that plague our world, security professionals will profit from this as they rise to the occasion.  I am amazed to see companies missing this opportunity after such a long track record of growth.  It’s not over – not even close.  If you are not in this business, it’s time to join the war against cybercrime.  Your clients need it, and they are willing to pay.

Now, you might think I am wrong on that last comment.  I just got off the phone with a VAR owner yesterday who questioned if his clients are really willing to pay.  It has everything to do with your approach…people don’t see it, so they don’t believe it.

I have a client in the Northwest setting up his first executive-facing marketing event.  After just a few days of advertising we have 18 business owners signed up (all asset owners – qualified buyers, and new prospects)!  We haven’t even made calls yet – this is just the response to the marketing letter we mailed last week!  The point is, we designed our marketing campaign correctly – this is not a product driven event, although it is absolutely sponsored by the product manufacturers.  (That’s right – we did get JMF for this even though everyone keeps saying there is no money available for this type of event).

Working with another client on the east coast yesterday, we just completed our first webinar event. Again, the event was designed from the start to appeal to the asset owner.  We had a strong call to action, and 90% of our attendees signed up to have their security assessed!  This was just a webinar – it cost my client almost nothing to do it, other than time and some upfront education to do it right.  His team attended the Making Money with Security event and applied the principles…not a bad return.

2012 looks like a strong year to me – for those focused on the right technologies.  Join the war – it’s time.

© 2012, David Stelzl