Managing Information Security On a Limited Budget

The recent government shutdown got me thinking about budgets and information security. Having just submitted a proposal to a small business myself, I am asking the question: What is best practice for small or mid-sized business (SMB) information security? Every SMB is going to have a limited budget. This budget has to cover control implementation and maintenance. There's no point in minimizing risks if you will run out of money for maintenance at a later date. In this post, I want to address the costs of running the security program on an ongoing basis. Gartner came up with Total Cost of Ownership (TCO) back in the 1980s but hasn't applied it to information security. I am claiming that the cost of maintaining your security program is often overlooked and is critical for a SMB, where budgets are limited. There are several good references for SMB security. NIST has developed NISTIR 7621: Small Business Information Security: The Fundamentals. This document recommends taking an ...

Building a Security Start-Up

If only building a security start-up was as predictable as transitioning from caterpillar to butterfly! But, it's not. Unfortunately it usually requires many turns and corresponding changes. Consider companies like Blackberry, once a ubiquitous handset provider, now an enterprise security provider. Or Radware, once a load balancing product company, now known for its DDoS solutions. The most dramatic change in our industry is Amazon, once a book company, now marketing a whole range of secure cloud solutions. If you are a start-up, you want to avoid the dreaded pivot with its associated hard resource costs and, potentially, people costs. How do you keep up with constantly changing marketplace requirements without pivoting? I recently discovered an amazing tool for this purpose, the Business Model Canvas. It's not brand new, but if you aren't using it, please read on for a short introduction. For details and much more, please see the original work Business Model Generation (2010) by Al...

Cybersecurity Risk Management for Directors

There are many posts on corporate directors' responsibilities toward the organizations where they are board members. In fact, corporate directors themselves may be targets for hacktivists or cybercriminals and need to make sure they have adequate protection. This protection should include both home and professional office. Directors obviously will have access to sensitive insider information that many unauthorized parties would like to get access to. Many directors will also be targets as High Net Worth (HNW) individuals. Cybercriminals always target the weakest link; as corporate information security improves, they increasingly will target the home networks of key executives or directors. Breaches such as Equifax have put so much personal information into the hands of criminals that individuals increasingly will become targets. Directors represent a perfect demographic cross section to be attacked. Attack vectors may include phishing, ransomware and social media. Earlier this y...

Should Your CIO Learn to Code?

This topic came up because of two recent headlines and one new book. The first was the news that the now former Equifax CISO was a music major, without formal college level tech or security training. The second was the recent article in the WSJ highlighting Bank of America's new Chief Operations and Technology Officer, Cathy Bessant. Ms. Bessant's outstanding background includes general management and marketing, but not specifically technology leadership. The book I mentioned is Mark Schwartz's Seat at the Table (2017). Mr. Schwartz argues that, today, tech leaders need a hard core of tech knowledge and can't be just managers putting on a propeller hat. He bases this conclusion on the rapid and deep penetration of technology into all business operations and the continued rapid change in that technology. In many cases, business leaders will take the initiative to adopt new technology. In this situation, everyone in the organization is tech savvy; but it is the tech leaders that mus...

How IT Leaders Can Keep a Seat at the Table

In this era of digital disruption, business leaders are turning to technology to keep up. But, will they continue to turn to traditional IT leaders to map out the future? This is the question addressed by Mark Schwartz's new book A Seat at the Table. Mr. Schwartz engagingly analyzes the present and provides guidance for IT leaders to get and keep a seat at the table. In the beginning, we had Waterfall systems development. CIOs could take orders from business leaders, translate the orders into technology roadmaps, develop milestones and implement systems. Then the business discovered SaaS and the Shadow IT department was born. The most recent trend is Agile/DevOps, in which business collaborates directly with development and DevOps engineers are tasked with implementing code. What is the role of IT leadership when business leaders are directing systems development? Gartner has defined Mode 1 and Mode 2 activities for IT. Mode 1 is keeping the lights on and Mode 2 is managing ...

Equifax points out again the need for speed in security management

The Equifax data breach illustrates again the need for speed in security management. If the breach was through a known vulnerability, we wonder why wasn't it patched? If through another path, we wonder why wasn't the attack detected? We have so many incident and event management tools for servers, desktops and networks, it is hard to believe that Equifax did not have such tools. In the past, breaches like this have resulted from delays in detecting or reacting to attacks. As the pace of digital business transformation continues to increase, security management needs to increase its rate of change. The OODA loop has been highlighted as a general approach to fast, accurate decision making. Recently I came across a really good explanation of this by John Braddock, a former CIA case officer. You can check out his book on Amazon: A Spy's Guide to Thinking. Let's look at what these frameworks are and how to use them in cybersecurity management. The original OODA (Observe Orient Decisi...

Anatomy of a Security Breach

In recent Information Security news, The Wall Street Journal reported on the upcoming trial of an alleged botnet master. The trial is in progress now. It is not often that we get a look at the details of a computer security breach, but in this case at least some details are in the docket of the Eastern District of NY. I have downloaded the original complaint of US v. Gasperini here. The accusations include violations of the Computer Fraud and Abuse Act, Wire Fraud, Conspiracy to Commit Wire Fraud, and Conspiracy to Commit Money Laundering. All of these acts were allegedly undertaken in a click fraud scheme. If you want to understand the details of these accusations, I uploaded the judge's jury directions here. The defendant allegedly hacked into QNAP NAS devices using the Shellshock vulnerability and downloaded click fraud software. This is a network device that many people will not patch regularly. Unfortunately, the court transcripts don't describe how he got past firewall security....

The Smartest Information Security Companies

Every year, MIT Technology Review publishes its list of the 50 smartest companies. This year, two information security companies made the list, along with big time players like Amazon, SpaceX, etc. TR doesn't publish the detailed selection criteria, but they include things like: ability to dominate the chosen market and innovative use of technology. The two security companies on the list are pretty much unknown in the general US marketplace, but according to TR, are not likely to stay that way. #11 on the TR list is Face++ (faceplusplus.com), a business that has gone beyond startup in facial recognition. The company is based in China where its technology is embedded in many online services. Other companies such as LTU (www.ltutech.com) have pioneered in image recognition. Face++ has concentrated on facial recognition. Its $1B valuation may well be supported by the Chinese market alone. It's not clear whether this technology will be popular in the US, where many people may not wa...

Book Review: Play Bigger

Play Bigger is a new book by entrepreneurs for entrepreneurs (2016, Harper Business). The authors' theme is that today's markets are so crowded that you cannot rely on niche marketing into white spaces; you have to create your own white spaces, or categories. The goal is to be a category king. The idea of niche marketing has been around forever. Ries and Trout documented these ideas in their classic, Positioning (2000). Authors Ramadan, Peterson, Lochhead and Maney propose that in today's markets, with enough money, genius and hard work you can create your own category. To build a business using their approach you need to create a category, a product and a company. They all need to work together. This is sound advice. The challenges are: what is your idea, how big is your category and is it defensible? iPads, ERP software and SaaS are examples of unique new categories that have gone to the business hall of fame. Even if you don't have ideas this big you can still take away very ...

Long Term Beneficiaries of WannaCry

The current worldwide attack from WannaCry is going to have lasting impact for information security. The question is: what will that be and who will benefit? In this blog post I will take a contrarian viewpoint and suggest that it will not be beneficial to security practitioners or security businesses. I think business leaders, who fund security programs, will take alternative approaches to mitigating this risk. At present, we have over 1600 security firms offering solutions to attacks like WannaCry. Unfortunately, this patchwork quilt mitigation approach isn't working. Not because of the security firms, but because there are too many potential leaks in the ship to manage. So, I predict that business leaders will change ships and increasingly move legacy systems and new systems into the cloud. This is already happening and incidents like WannaCry will accelerate it. No business person is going to upgrade XP systems to Windows 2016, when they can hand over security responsibility to some...