Tag Archives: Security

Amateurs Study Strategy; Experts Study Logistics – Battlefield Leadership series

Angoville ChurchIn the business world, the military analogy “Amateurs strategy; experts study logistics” emphasizes the importance beyond the initial success of a surge effort. Specifically, in relation to D-Day, the analogy shows the importance of establishing a port to provide fuel, reinforcements, ammunition, food, and supplies to the troops. The initial Normandy invasion of 135,000 troops required a daily landing of 15,000 tons of supplies a day and as the presence increased so did the supplies. Thus, the Allies were forced to secure a port.

The Allies chose to build two ports and bring them to the coast of Normandy. This allowed them the opportunity to establish a port at an area that was not heavily fortified (the Germans defended port locations closely). This out of the box thinking allowed the Allies to achieve the objective and support the ongoing mission on land.

Business Reflections…

The importance of innovation and ability to think beyond the traditional structures is sometimes the only pathway to success. Think about Uber, Amazon, and other disruptive methods of transacting business. Each approached the same objective (black cars, books for reading), but achieved the ‘big picture’ in a manner not conceived viable by the incumbents.

The key elements to achieve innovation from lessons at Arromanches:

  1. Focus on the objective and not the details on ‘how.’ This allows for iterations on methods while maintaining the continued support structure.
  2. Establish a team with a leader to drive the innovation. The team should be organized differently than the primary organization. This was done in Britain and allowed the the Skunkworks group to succeed. The Skunkworks failed the first time and were reorganized in a new team to finally reach success.
  3. Plan redundancy. Two Allied piers were built. One of the piers was destroyed by weather (an identified risk), but luckily there was still one standing and supported the logistics for many months.
  4. Demonstrate success capability through detailed analysis. To allay counter arguments, it is necessary to present a clear and evidence-supported case proving how the solution will be successful.

The Supply Chain

Here are a few generally obvious but necessary statements on the make-up of supply chain. The service of the business and the delivery of product depends upon the inputs. These inputs are as important as the final work product. Failure to receive any input or damage of an input will lead to failure in the market. Each input must meet the integrity, quality, and security standards of the product it seeks to become.

Suppliers need to posses integrity to ensure the inputs are not damaged, sabotaged, or fraudulent. The reliability and availability of the inputs need to be vetted with redundant providers and consideration of every part of the delivery channel is key. For instance, regarding a Cloud service provider hosting data: what are the ISPs, routers, equipment, regional laws, etc. that effect this delivery of such a service?

A business must be able to achieve entry into a market category and sustain it! It is not enough to put a toe in the water, but rather sustain the patience and capability to grow in the market. Success is achieved through building scales into the business architecture and forming teams that are innovative and strong enough to become the senior management and leads.


What is Battlefield Leadership and what is this series about … 

This is the fifth paper in this series. As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally I am bringing these lessons to bear within my pursuits to cross the chasm. To often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new book – How Not to be hacked seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting the Battlefield group for this training placed it in Normandy France. This allowed for senior executives to be trained in a setting where serious decisions were placed by both sides, and each provided a lesson. This series represents my notes (that I could take down) and takeaways. I share to continue the conversation with those great individuals I met, and with the larger community.

Kind regards,

James

 

Innovating and penetrating the market – Battlefield Leadership Series – lessons and thoughts

Longues Sur Mer

At this location on the coast of Normandy you can see the immense naval guns setup to attack oncoming ships in World War II. The Germans expended resources and relied heavily upon on these guns in their defensive strategy. Unfortunately for the Germans, the treatment of the workers and locals, the sheer lack of natural intelligence, and exposure of building such vast emplacements was their downfall.

The Allies often received intelligence on the exact positions of German construction. This was provided by those building and living in the area. Specifically, a local farmer boy who was blind and actually counted each step precisely and then supplied locations through the French resistance and Allied intelligence networks.

The result was a gap in the German defensive strategy, a waste of resources, and ultimately, a failure to defend the coast.

Business Reflections: Innovating and Penetrating the market…

  • How are you establishing a product development strategy and running your business as a whole?
  • Are there defensible attributes that you deem critical, and how can they be routed?

Practical example: In the information security and intellectual property sector, there are very real threats and running a secure business requires constant new methods of defense.  How have you reevaluated these based on the shifts internally of your business and the known threats in the market itself? How did this analysis compare to prior years, and how have the effectiveness of your defenses proven?

From a product innovation perspective – are you developing in features from the highest and lowest levels? What are the high impact:low development efforts underway, and what could be added. Product and innovation requires views on the long and short run – to often we make complexity because we are able to handle complexity, when sometimes the user really only needs something less complex.

Leadership requires action:

Simply acknowledging the risks and accepting the situation does not prevent disastrous outcomes.


 

What is Battlefield Leadership and what is this series about … 

As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally I am bringing these lessons to bear within my pursuits to cross the chasm. To often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new bookHow Not to be hacked seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting the Battlefield group for this training placed it in Normandy France. This allowed for senior executives to be trained in a setting where serious decisions were placed by both sides, and each provided a lesson. This series represents my notes (that I could take down) and takeaways. I share to continue the conversation with those great individuals I met, and with the larger community.

Kind regards,

James

 

Change all your passwords, now.. it is that simple

There is a lot of reason to change passwords and in most business settings passwords are requested to be changed every 90 days. This is usually for the end users and rarely for the system to system accounts. A recent vulnerability creates the possibility that any account that accesses a system on the internet (specifically using HTTPS w/ OpenSSL, but lets not complicate the clarion call here) is exposed and known by someone other than the owner.

By that very condition the password should be changed, and now.

So if you are a person reading this …

  1. Pull up your accounts and begin methodically changing them to a fresh new version (there is a condition here that the site you are updating at has already fixed the vulnerability and has internally followed good practices, but lets presume best scenario here)
  2. Add a note on your calendar 3-4 months from now, to again change the passwords

If you run an technology environment that had OpenSSL installed and was vulnerable, grab a cup of coffee and sandwich, then…

  1. Begin the methodical (perimeter first .. working your way in through layers) and careful task of updating all of the certificates, credentials, and end-user accounts. Also consider end-users too.
  2. Write amazing and clear explanations to the need, value, and importance of this process to your users
  3. Set all users that have accounts accessing your services, to be forced to reset.
  4. Log out (invalidate sessions) all Apps and online cookie sessions (revoke, etc..)
  5. Reissue your private key and SSL certificate
  6. Review and examine your API and third party connections to confirm these are updated, reset, and secured
  7. Add a bit of extra monitoring on the logs for a bit

This is all the result of the Heartbleed.com disclosure, but lets not get technical here .. these are good practices, but now with the probability above 'unlikely', it is a timely habit to re-embrace.

 

Stay safe,

 

James

What do major developments in big data, cloud, mobile, and social media mean? A CISO perspective..

Screen Shot 2013-02-26 at 6.52.56 PM

Tuesday afternoon the CISO-T18 – Mega-Trends in Information Risk Management for 2013 and Beyond: CISO Views session as presented focused on the results of a survey sponsored by RSA (link below).  It provided a back drop for some good conversation, but more so it gave me a nice environment to elaborate on some personal observations and ideas.  The first tweet I sent, hammered the main slide:

“Major developments with Big Data, Cloud, Mobile, and Social media” – the context and reality here is cavernous.. “

My analysis and near-random break down of this tweet are as follows with quotes pulled from the panel.

First off – be aware that these key phrases / buzz words mean different things to different departments and from each level (strategic executives through tactical teams). Big Data analytics may not be a backend operational pursuit, but a revenue generating front end activity (such as executed by WalMart). These different instantiations are likely happening at different levels with varied visibility across the organization.

Owning” the IT infrastructure is not a control to prevent the different groups from launching to these other ‘Major developments’.

The cost effectiveness of the platforms designed to serve businesses (i.e., Heroku, Puppet Labs, AWS, etc…) is what is defining the new cost structure. CIO and CISO must

>The cloud is not cheaper if it does have any controls. This creates a risk of the data being lost due to “no controls” – highlighted by Melanie from the panel.  <– I don’t believe this statement is generally true and generally FUD.

Specifically – There is a service level expectation by cloud service providers to compensate for the lack of audit ability those “controls”. There are motions to provide a level of assurance to these cloud providers beyond the ancient method established through ‘right to audit‘.

A method of approaching these challenging trends, specifically Big Data, below as highlighted by one of the CISO (apologies missed his name) w/ my additions:

  • Data flow mapping is a key to providing efficient and positive ‘build it’ product development. It helps understand what matters (to support and have it operational), but also see if anything is breaking as a result.
  • Breaking = violating a contract, breaking a compliance requirement, or negatively effecting other systems and user requirements.

Getting things Done – the CISO 

Two observations impacting the CISO and information technology organization include:

  1. The Board is starting to become aware and seeking to see how information security is woven within ERM
  2. Budgets are not getting bigger, and likely shrinking due to expectations of productivity gains / efficiency / cloud / etc…

Rationalization on direction, controls, security responses, must be be fast for making decisions and executing…

Your ability to get things done has little do with YOU doing things, but getting others to do things. Enabling, partnering, and teaming is what makes the business move. CIO and CISO must create positive build-it inertia.

Support and partner with the “middle management” the API of the business if you will.

  • We to often focus on “getting to the board” and deploying / securing the “end points” .. Those end points are the USERS and between them and the Board are your API to achieving your personal objectives.

Vendor Management vs procurement of yester-year

Acquiring the technology and services must be done through a renewed and redeveloped vendor management program. The current procurement team’s competencies are inadequate and lacking the toolsets to ensure these providers are meeting the existing threats. To be a risk adaptive organization you must tackle these vendors with renewed. Buying the cheapest parts and service today does not mean what it meant 10 years ago. Today the copied Cisco router alternative that was reverse engineered lacks an impressive amount of problems immediately after acquisition. Buying is easy – it is the operational continuance that is difficult. This is highlighted by the 10,000+ vulnerabilities that exist with networked devices that will never be updated within corporations that must have their risks mitigated, at a very high and constant cost.

Panel referenced the following report:
http://www.emc.com/microsites/rsa/security-for-business-innovation-council.htm

Thank you to the panel for helping create a space to think and seek answers, or at least more questions!

James DeLuccia IV

Information Security executives … is responsibility being abdicated?

Is “it is your decision not ours” statement and philosophy a cop-out within the Information Security sphere?

This is a common refrain and frustration I hear across the world of information security and information technology.  Is this true?  Is it the result of personality types that are attracted to these roles?  Is it operational and reporting structure?

In Audit it is required for independence and given visibility. Does not the business (the CIO) and the subject expertise (CISO) not have that visibility possess a requirement of due care to MAKE it work?

The perfect analogy is the legal department – they NEVER give in and walk away with a mumble, they present their case until all the facts are known and a mutual understanding is reached. Balance happens but it happens with understanding.

This point is so important to me, that it warranted a specific sharing of the thought.  I hope we can reframe our approach, and to follow a presentation off TED – focus on the WHY.  (need to find link…sorry)   These individuals in these roles provide the backbone and customer facing layer of EVERY business.

Thoughts and realizations made from stumbling around our community and today during RSA resulting from the presentations with underlying tones.

Always seek,

James DeLuccia