Archives For target

boardroomWhat Question is Most Often Asked of the CISO, By The Board Of Directors?

And What Questions Should They Be Asking?

The big question being asked, according to Kim Nash, columnist for the WSJ, is; “Whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management (OPM)?” There’s two things to consider here – First, who can answer this question? Second, is it the right question?

According to Kim, it’s not the right question – but let’s go to my first concern which is, “Who can answer this question?”

Will We Be Hit Like Target, Home Depot, or OPM?

Most executives can’t answer this question honestly. And their security team doesn’t really have a clue either. If they did, we wouldn’t be reading these stories every day.  And, if you look at the stories being published, it’s the big guys – yet we know statistically, 60% of the breaches are hitting the SMB market.  Most of these breaches never make the news.  So the board can ask, but they’re not likely to get the real answer.

If you didn’t see my comments on OPM, you might want to take a look (Read about Donna Seymour and OPM’s failure to protect our nation’s critical personnel data.) The board is missing the mark here because they misunderstand risk.  In my book, The House & The Cloud (2nd Edition), i’ve given a lot more attention to the impact vs. likelihood graph than I did in the 2007 version – it’s a model I use to communicate risk to business leaders.

If you know security, the concept is pretty simple. The missing link in most assessments is a measure of likelihood.  And that’s what the board is really asking – although they are asking it incorrectly.  What they really need to know is, where’s our data, and what are the top 3 to 5 threats we are facing right now. Given these threats, what are the odds we’ll be hit over the next 12 months?  (More detail on how to figure this out, starting on page 194 in The House & The Cloud.) As I said in my latest speaker promo video, risk needs to be presented in simple business language – in terms everyone who uses and depends on data can understand.

One thing everyone must comes to grips with is, every company is vulnerable just like Target, JP Morgan, Home Depot, and most recently Ashley Madison.Check Point Training Ad

The question isn’t “Can they get in like they did at Target?” Rather, they should be asking, “Can we detect a breach in time to stop the damage?” Remember, like a house or bank physical robbery, hacking does take some time, and it does make noise – but you won’t hear it with your ears. You’ll need detection technology in place and the people with the skills and understanding to turn that data into intelligence.

So what’s the right question? Can we detect and respond before it’s too late?

Are You Getting To The Board?

Have you ever been invited to meet with or present to a board of directors? It’s a powerful moment in the sales cycle if you have something meaningful to say.  Yesterday I was working with a rep on some strategy, as part of the SVLC Security Mastery Sales Program. We were discussing strategies to get a CEO or Board level meeting.

Most are still working at the IT Director Level. Remember, the IT Director is low on the liability list for security. They might lose their job – but getting a new one, if they know security, won’t be hard. In fact, they may take a pay raise.  On the other hand, people like Donna Seymour of OPM are in trouble. (Again, read my post and consider Donna’s situation – is it her fault, or is there something bigger going on here?)

Now is the time to move up – company leaders need more security insight right now and the WSJ is backing you on this. The CISO cannot possibly figure all of this out in a vacuum. And aside from some of the largest accounts out there, their people won’t have the experience to do it either. Managed services (with a security focus), backed by skilled security experts is needed to collect and analyze the data, repackaging it into something business leaders can use – intelligence.

What About SMB Companies?

Don’t let the Board of Directors thing keep you from your SMB accounts. The SMB is under fire right now – and the owner of that business is similar to the Board. They need to know the same things, they just have less resources to figure it out.

© David Stelzl, 2015


What Questions will get the CIO’s attention?

The better you know what it means to be a CIO, the better chance you have of making it through a meeting with one. 

If you know something about information security – you’re in luck.  It’s time to strike. With Target in mind and Home Depot in question, Rachael King writer for the WSJ tells us, board members are asking lots of questions. I suspect the CIOs don’t have the answers. How could they?

In a recent interview, John Stewart, chief security officer at Cisco Systems was asked, “What questions are being asked?” So maybe its less about asking the CIO questions and more about knowing the questions CIOs are being asked – questions they don’t have answers to. This is the heart of what I call Predictable Messaging.

If you know what CIOs are being hit with – if you know the questions they’ll be asked, and that they probably don’t have answers to,…and you know how to get answers, you might become one of their most valuable assets.

Here are three questions reported this week by the WSJ (from Stewart’s Interview):


  1. “Do you have a set of security controls that are provably in place, are measurable and are actually effective for the state of business and all the business types you’re currently operating? Even if the answer is no, Mr. Stewart said that he hopes this question starts a conversation in the business about how cybersecurity needs to be approached.”
  2. “Have you ever had any material breaches that have or have not been reported to the board and should have been?”
  3. “With regard to cybersecurity is there anything else I should know right now?”

Chances are the CIO won’t give you answers to these questions…however, knowing what they’re being asked for is the key. Can you help them answer these questions? Going back to an earlier post – do you know the top 3-5 threats, how likely they are to hit this company, and how the company is trending with security – up or down…how do we know. These are all things the board wants to know.

Do you want to be the chosen technology and risk advisor for the companies you call on?  Check out my most recent report on staying relevant in the technology sales industry…

Download the Report << Click to Get it!

© 2014, David Stelzl

P.S. Join me on 9/11 for a live online workshop where I will be discussing key strategies for working with top level executives in the technology world. Specifically Designed for Technology Resellers.

Save me a seat!  << Read more and register…


skiingIs Security Still an Opportunity in 2014?

This week we’re at the Westcon Security and Beyond Conference in Park City, Utah.  I’ll be speaking first thing Wednesday morning, delivering a keynote session on Moving from Vendor to Adviser, in the world of security.  14 years ago, my then current employer asked me if I thought SECURITY was still an opportunity for technology companies moving into the new millennium.  Not only is it still an opportunity…there’s a lot more out there for companies who understand the growing need and capitalize on it.

Digital Disruption Creates More Need

My session will focus on steps companies need to be taking to move up the ladder, accessing those responsible for the security and protection of company secrets, innovation, customer privacy, and the success of their 2014 initiatives…which will involve new trends in technology.  Expect to see more and more companies moving to the cloud – in a recent WSJ survey, IT people guessed that larger companies were running up to 50 different applications in the cloud.  When the WSJ went to the department level they discovered a much different story.   On average, large companies were running over 350 cloud applications – and IT has no idea where.  This is just one example that completely changes the security model and demands a look at the department level.

If your company engages in assessments, but is not spending a significant amount of time out in the departments, chances are you’re missing some of the biggest gaps.

CiSOs Are Becoming More Business Saavy

By business saavy, I don’t mean that CISOs are going back to school.  I mean the old style CISO is being replaced by business minded security leaders.  In my session we’ll be talking about what that means, and how solution companies should be changing their approach to align with these new business leaders.

Leveraging Assessments and Building Justification

Several related points will be covered – but one that stands out is the need to really understand the justification process.  I just read a post updating the Target credit card thefts this past December.  In it, John Stengel shares that this attack was done through a third party vendor.  No surprise here – but in his post he also notes another company that refused to do an assessment due to cost.  Whether you’re proposing an assessment, or following up with remediation recommendations – companies continue to delay due to budget. Learning how to create this justification is crucial. This is exactly what happened with TJM years ago.  I personally know sales people who tried to warn TJM that their wireless networks were open – it took 100 million credit card loss to wake them up.  The good news is, there are ways to build this justification and I’ll be covering some of them  this week.

For a more detailed look at this process, join us in the SVLC Insider’s Circle and attend my session online on Feb 10th.  For more details – (CLICK).

© 2014, David Stelzl

Here are some important words from my friend and colleague, author and speaker, John Sileo.  We can stop talking about TJ Max now…The Target Hack was big.  And even though the bank tends to cover the stolen card issues, Target did report significant drops in both sales (6%) and profit –  cutting it’s profit forecast by (20%). How many companies can stand this kind of loss?

It’s interesting that even after this event – Gartner Group’s recent report shows that Information Security has dropped from the #1 CIO concern, down to #8.  This is not a good sign…


© 2014, David Stelzl

Despite Hacks…People Still Don’t Take Action.

Earlier this week, CBS correspondent Candice Leigh Helfand interviewed me for an article,

Despite Hacks: Info Leaks, Americans Still Lax On Digital Security.

In the wake of Target and Snapchat news just a month ago – CBS-DC wanted to know what to expect in the coming year, and where companies need to refocus.

Target Hacked!

The Target case is interesting because it’s not an online hack!  Just around the holiday peak shopping season, “Target disclosed that encrypted debit-card PINs, credit and debit card numbers, card expiration dates and other bits of sensitive information were stolen from millions of customers (around 40 million) who shopped at the retailer between Nov. 27 and Dec. 15 of last year.”  Wow! How did that happen?  They got it all – PINS too.  By Tampering with credit card swipe machines.

Snapchat Hacked!

The Snapchat hack is another story – only “4.6 million of its users”.  But the news here is that it happened right after, “Security experts warned the company at least twice about a vulnerability in its system.”  In an earlier post I mentioned that I’m speaking on these topics in Chicago next week…but I know several of the executives invited responded back (as they always do), “I don’t get involved in that stuff”…that’s exactly the problem.

When business leaders don’t have any involvement – or take the time to understand, you end up with a Snapchat.  In fact, just after TJX was hacked, losing around 100 million credit cards, I met with several security teams that had called on TJX companies – getting the same response.  Even worse, one of them tried to tell TJX that their wireless networks were accessible from outside the building!  Did they take action?  No.

In the linked news report, Candice writes, “Security experts say it’s the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.”  In other words, this is a big one and it will be costly.

The need is there – the problem is getting through to the right people to educate them on the need.  The impact vs. likelihood model I present in the House & the Cloud has been the most effective means of doing this.

© 2014, David Stelzl

In Early January I’ll be kicking off my first security executive briefing on  January 14th – taking a look at the major cybercrime trends, what business leaders should be watching and doing over the next 12 months, and what I believe is the root cause of this kind of failure to protect customer data…

© 2013, David Stelzl