About the Author

Michael Dortch

Leap Day: A Good Time to Leap Into Better IT Security

It’s February 29. Leap Day. The only day of the year that only happens every four years.

Leap Day and the entire leap year are opportunities to adjust our timekeeping methods and tools to realign them with those used by the rest of the Solar System.

Leap years have also seen some significant historical events—some good, some tragic.

1752: Benjamin Franklin is believed to have flown a kite in a storm to prove his theory that lightning is in fact electricity. (Thomas-François Dalibard of France did in fact perform the same experiment the same year, based on Franklin’s writings).

1848: gold is discovered in California.

1876: George Armstrong Custer and his troops fight the Battle of the Little Bighorn.

1912: RMS Titanic, the largest ship afloat at the time, strikes an iceberg and sinks.

Leap Day just might also be a great time to improve IT security at your organization. After all, it is an “extra” day, and what security team couldn’t take advantage of an extra day?

One suggestion: review your patch management processes. Look for ways to shorten the vulnerability gap—the time between when a vulnerability surfaces and when your organization deploys the patch delivered for it. Kenna Security research found in 2015 that 90 percent of vulnerabilities are exploited within 40 to 60 days, but enterprises can take 120 days or more to deploy patches. Whatever you can do to reduce this gap improves security at your organization, and is definitely worth doing.
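As an added example (not part of the original post), here is the vulnerability-gap metric from this paragraph computed over a constructed patch inventory, so a team can see which items were closed inside, before, or after the 40-to-60-day exploitation window the Kenna figure describes; the vulnerability ids, dates and window thresholds are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Iterable, Optional

# Kenna's 2015 figure quoted in the post: 90 percent of exploited
# vulnerabilities are exploited within 40 to 60 days of surfacing.
EXPLOIT_WINDOW_DAYS = (40, 60)


@dataclass(frozen=True)
class PatchRecord:
    vuln_id: str              # constructed placeholder ids, not real CVEs
    disclosed: date           # day the vulnerability surfaced
    deployed: Optional[date]  # day the patch was fully rolled out; None if still open


def vulnerability_gap(rec: PatchRecord, as_of: date) -> int:
    """Days from disclosure to deployment, or to `as_of` if still unpatched."""
    end = rec.deployed if rec.deployed is not None else as_of
    return (end - rec.disclosed).days


def classify(rec: PatchRecord, as_of: date) -> str:
    """Place a record relative to the 40-60 day exploitation window."""
    gap = vulnerability_gap(rec, as_of)
    low, high = EXPLOIT_WINDOW_DAYS
    state = "patched" if rec.deployed is not None else "open"
    if gap < low:
        return f"{state}-before-window"
    if gap <= high:
        return f"{state}-inside-window"
    return f"{state}-past-window"


def summarize(records: Iterable[PatchRecord], as_of: date) -> dict:
    """Counts per class, median gap of patched items, and the share of
    patched items that were closed before the exploitation window ended."""
    counts: dict = {}
    patched_gaps = []
    for rec in records:
        label = classify(rec, as_of)
        counts[label] = counts.get(label, 0) + 1
        if rec.deployed is not None:
            patched_gaps.append(vulnerability_gap(rec, as_of))
    in_time = sum(1 for g in patched_gaps if g <= EXPLOIT_WINDOW_DAYS[1])
    return {
        "counts": counts,
        "median_patched_gap": median(patched_gaps) if patched_gaps else None,
        "pct_closed_within_window": (
            round(100 * in_time / len(patched_gaps), 1) if patched_gaps else None
        ),
    }


# Constructed sample inventory; ids and dates are made up for illustration.
SAMPLE = [
    PatchRecord("VULN-A", date(2015, 10, 1), date(2015, 10, 20)),   # 19 days
    PatchRecord("VULN-B", date(2015, 9, 1), date(2015, 10, 21)),    # 50 days
    PatchRecord("VULN-C", date(2015, 6, 1), date(2015, 10, 10)),    # 131 days
    PatchRecord("VULN-D", date(2015, 11, 15), None),                # still open
    PatchRecord("VULN-E", date(2016, 2, 10), None),                 # still open
]
AS_OF = date(2016, 2, 29)  # Leap Day

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.vuln_id, vulnerability_gap(rec, AS_OF), classify(rec, AS_OF))
    print(summarize(SAMPLE, AS_OF))
```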

For some additional suggestions, check out “New Year, No Fear: Lessons Learned from 2015 and Resolutions for 2016.” Then, make your own “great leap forward” toward better security at your organization.

Cybersecurity in 2016: Predictions from Elsewhere

One of the best things about this time of year is the spate of predictions that accompany the season. Herewith, a look at some of the more interesting security-related predictions from various IT and security industry observers.

Forrester Research “is one of the most influential research and advisory firms in the world”—according to the company’s website. Hard to argue. On Nov. 30, 2015, Health Data Management published “5 Cyber Security Predictions for 2016,” a summary of predictions from Forrester. Here’s what Forrester predicts, according to that article.

  • We’ll see ransomware for a medical device or wearable
  • The U.S. Government will experience another significant breach
  • Security and risk pros will increase spending on prevention by five to 10 percent
  • Defense contractors will fail to woo private industry with “military grade” security
  • HR departments will offer identity and credit protection as an employee benefit

On Dec. 15, 2015, Network World published “A Few Cybersecurity Predictions for 2016,” an article by Jon Oltsik, principal analyst at Enterprise Strategy Group (ESG). ESG is a firm with “a 360° perspective” and “remarkably detailed, nuanced views of technologies, industries, and markets”—according to the company’s website. Herewith, a summary of Mr. Oltsik’s predictions from that article.

  • Greater focus on cyber supply chain security
  • The consumerization of authentication
  • Cyber insurance continues to boom
  • A rise in ransomware

A wide range of predictions can be found in “The 2016 Websense Cybersecurity Predictions Report.” The report is produced by Raytheon|Websense Security Labs, part of a joint venture that combines Websense with Raytheon Cyber Products. The venture “brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats,” its website says. The predictions from its report appear below.

  • The U.S. elections cycle will drive significant themed attacks
  • Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud
  • The addition of the gTLD [generic top-level domains] system will provide new opportunities for attackers
  • Cybersecurity insurers will create a more definitive actuarial model of risk – changing how security is defined and implemented
  • DTP [data theft protection] adoption will dramatically increase in more mainstream companies
  • Forgotten ongoing maintenance will become a major problem for defenders [of IT security] as maintenance costs rise, manageability falls and manpower is limited
  • The Internet Of Things will help (and hurt) us all
  • Societal views of privacy will evolve, with great impact to defenders

Perhaps some of the most interesting predictions for 2016 and beyond can be found in “McAfee Labs Report 2016 Threats Predictions.” McAfee Labs, now part of Intel Security, “is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership,” according to the report’s introduction. The report begins with a five-year look into the future, created by 21 of Intel Security’s thought leaders. Here’s a summary of what they predict for the next five years.

  • The cyberattack surface will continue to grow, thanks to continuing explosive growth in users, devices, connections, data and network traffic
  • Attacks and defenses will continue and increase a shift in focus, away from systems and applications and toward firmware and chips themselves
  • Attacks will continue to become more and more difficult to detect
  • Virtualization will present more and different cybersecurity threats and opportunities, especially as network function virtualization (NFV) grows in popularity
  • New device types, including wearables and those connected to the Internet of Things (IoT), will challenge security efforts, and cyber threats will continue to evolve
  • IoT security standards will evolve and improve
  • The growing value of personal data will lead to more sophisticated thieves and markets, and more security and privacy legislation.
  • The security industry will fight back, with new and evolving tools including behavioral analytics, shared threat intelligence, cloud-integrated security and more automated detection and correction.

The range of these predictions and the common elements that link many of them provide valuable guidance and validation to any of you who are seeking to improve security at your enterprise. And of course, we at Shavlik have our own predictions to add to the mix, as well as a review of how well we did with our end-of-2014 predictions. You can download these here. We hope you’ll find all of these predictions, from Shavlik and elsewhere, helpful and inspirational. Here’s to a happy, productive, profitable and secure 2016 for you and your enterprise.

Your “ART-ful” Enterprise: Security and Trustworthiness

As discussed here previously, to become more “ART-ful,” your enterprise must become more agile, resilient, and trustworthy. This post digs a bit more deeply into trustworthiness, why it matters, how to achieve and sustain it and the critical role of security in those efforts.

Let’s cut to the chase. There are likely no circumstances under which you would choose to do business with any person or business you could not trust. It is equally likely that every client (internal and external), partner, and prospect of your enterprise thinks and feels exactly the same way. Trustworthiness is therefore at least as critical to your enterprise’s success as agility or resilience.

Or, to quote perhaps the world’s best-known investor and businessperson, Warren Buffett, “Trust is like the air we breathe. When it’s present, nobody really notices. But when it’s absent, everybody notices.”

This is especially true for companies that sell products or services, which is just about all companies. Hank Barnes is a research director at Gartner, focused on go-to-market strategies for technology providers. In a Feb. 3, 2015 blog post, Barnes wrote, “Trust levels are the underlying current that drives buying. And providers are usually starting from a weak, un-trusted position. Everything you do needs to be about building trust between the buyer and you, your product, and your organization.”

Trust and the Bottom Line

Stephen M.R. Covey is the author of the book “The Speed of Trust: The One Thing That Changes Everything,” from which the above quotes come. He is also the son of Stephen R. Covey, the author of the worldwide bestseller “The 7 Habits of Highly Effective People,” and was CEO of the Covey Leadership Center. In three years, Stephen M.R. Covey grew that Center from $2.4 million to $160 million in revenues, before orchestrating its merger with Franklin Quest to form Franklin Covey.

A central element of Stephen M.R. Covey’s thesis is that deals get closed faster and are more successful when those involved share high levels of trust. As he says in his book, “Above all, success in business requires two things: a winning competitive strategy, and superb organizational execution. Distrust is the enemy of both. I submit that while high trust won’t necessarily rescue a poor strategy, low trust will almost always derail a good one.” Franklin Covey also operates a Web site that features case studies, task lists, and other resources intended to improve organizational trustworthiness.

The bottom line? Edelman, the world’s largest PR firm, surveyed some 33,000 people worldwide for its 2015 Edelman Trust Barometer. Of those respondents, 63 percent said that they simply refuse to buy anything from those they don’t trust, while 80 percent will only buy from those they trust. Or as Zig Ziglar, one of the best known and widely read sales professionals in the world, once said, “If people like you, they will listen to you. But if they trust you, they’ll do business with you.”

How to Achieve and Sustain Trustworthiness

Know where you are. Bite the bullet, and ask your most important constituent groups (privately, of course) questions that help you assess how much they trust your team or company. At minimum, ask if they’d do business with your team or company again, if they’d recommend your team or company to peers, and why or why not.

Fix what’s broken. Use those questions and answers to identify any unsatisfied constituents, find out why they’re unsatisfied, and fix it. Every unsatisfied constituent is a detriment to trustworthiness, and you should assume that your constituents talk with each other.

Cultivate advocacy. Use those questions and answers to identify your happiest, most trusting clients and partners, then ask them to let you make them stars. That is, ask for their permission and cooperation to showcase them in your outreach efforts. Then, make it as easy for them as possible to be featured in the success stories, presentations, interviews, and other content you produce with their cooperation and support.

Show your work. It’s one thing to claim to be trustworthy. It’s another to be able to demonstrate and document trustworthiness credibly and on demand to any and all stakeholders –from customers, partners, and prospects to auditors and regulators. This is a major, long-term, continuing effort. And everything you do to make and keep your organization’s IT infrastructure comprehensively, demonstrably secure greatly aids these efforts. Comprehensive, proactive, user-centered security is a firm foundation for managing governance, operational transparency, and reporting. All of these, in turn, enhance your organization’s ability to both claim and credibly demonstrate trustworthiness.

Make the goal of trustworthiness a significant part of every plan, strategy, and process that governs your business. Especially those focused on IT security, since the security of your IT infrastructure has direct and profound effects on your organization’s ability to be trusted. And include your internal and external clients and partners in this effort wherever practical. It may be the single most significant thing you can do to minimize time to success and maximize the number and value of constituent relationships, for your constituents, your team, and your enterprise.

Next: tying it all together!

Your “ART-ful” Enterprise: Security and Resilience

As discussed previously (in “Security and the ‘ART-ful’ Enterprise” and “Your ‘ART-ful’ Enterprise: Security and Agility”), to become more “ART-ful,” your enterprise must become more agile, resilient, and trustworthy. This post digs a bit more deeply into what business resilience (or its less common synonym, “resiliency”) is, why it matters, and how to achieve and sustain it.

As is true with business agility, business resilience is a much broader and deeper consideration than many typical discussions of the subject seem to indicate. Those discussions tend to focus on disaster recovery and business continuity (DR/BC) tactics and tools. However, true business resilience is more than disaster recovery and even more than business continuity. True enterprise resilience is a strategic focus on maintaining operational integrity and restoring it as quickly and completely as possible after any disruption – planned or unplanned, minor or catastrophic.

Your “ART-ful” Enterprise: Security and Agility

As explained in “Security and the ‘ART-ful’ Enterprise,” to become more “ART-ful,” your enterprise must become more agile, resilient, and trustworthy. This post digs a bit more deeply into what business agility is, why it matters, and the critical role security must play for your enterprise to achieve and sustain it.

Agility is more than simple, reactive adaptability. It’s even more than what’s usually covered by that discipline many of us know as “change management.” (An aside: to succeed with change management, it is often necessary to…change management.)

Security and the “ART-ful” Enterprise

While every enterprise is different, there are three fundamental characteristics that appear common to every successful modern enterprise. The successful modern enterprise is:

Agile – able to navigate nimbly all types of internal and external change, expected and unexpected.

Resilient – able to avoid threats, disasters, and disruptions, and to recover rapidly and seamlessly from those that cannot be avoided.

Trustworthy – able to credibly demonstrate and document operational transparency, in ways that both create and justify high levels of trust among all stakeholders.

One might even describe such an enterprise as “ART-ful.” If one were prone to such constructions. But I digress.

It turns out there is also a single prerequisite for all three of the characteristics that make an enterprise “ART-ful.” That prerequisite is security. Specifically, user-centered security.

What is “user-centered security?” It’s a focus on what users use to do their jobs—applications, information, devices and network connections. Protect those things, and you can protect users from being victims of malware and other threats. Just as important and valuable, you can also protect users from being conduits into the enterprise for malware and other threats. All while keeping critical enterprise resources safe as well.

How to Achieve User-Centered Security

User-centered security is not only desirable, but achievable. Building upon research conducted by elements of the Australian government, the Canadian Cyber Incident Response Center (CCIRC) estimates that up to 85 percent of targeted attacks on IT environments are preventable by four simple steps:

  • Application whitelisting;
  • Timely application patching;
  • Timely operating system patching; and
  • Restricting administrative privileges to those users who really need them.

Unfortunately, such protections are like smarter eating and exercise habits. More of us know what would be best for us to do, but we don’t always do those things.

Take patching. In an April 2015 alert, the US Computer Emergency Readiness Team (US-CERT) identified the “Top 30 Targeted High Risk Vulnerabilities.” The newest of these dates from 2014; the oldest is from 2006. That means that there are patches designed to remediate all 30 vulnerabilities but that many if not most enterprises have not yet installed those patches, for whatever reasons.

The bottom line here is that agility, resilience and trustworthiness are impossible without pervasive, ubiquitous, invisible, user-centered security and that such security begins with comprehensive, timely patching. Agility, resilience and trustworthiness are the pillars supporting the successful modern enterprise. User-centered security, starting with timely, effective patching, is the foundation that supports those pillars and enables the enterprise to implement the practices, processes and services that make agility, resilience, and trustworthiness possible.

To build that foundation, your enterprise must first automate, integrate, and optimize management of its IT security efforts, starting with patching. As these efforts make IT security more consistent and user-centered, that security can be expanded across all of the IT-empowered services that enable the business. Security and its effective management make up the bedrock that complements the foundation that supports the pillars of agility, resilience, and trustworthiness.

Of course, none of these strengths can be achieved or sustained by any processes or technologies alone. As with almost everything else a successful enterprise does, ART is achieved and sustained by people. Specifically, you and your people. In concert with colleagues from across your enterprise. Evolution into an ART-ful enterprise requires leaders, evangelists, champions and supporters to implement and manage the user-centered security policies, processes, technologies, and services that make ART—agility, resilience and trustworthiness—possible.

During the next few weeks, additional posts will dig a bit more deeply into the market forces driving the rise of the ART-ful enterprise and how your enterprise can achieve and sustain agility, resilience, and trustworthiness. Next up: “Your ‘ART-ful’ Enterprise: Agility.” More to come. Meanwhile, as always, your comments, questions, and stories are welcome.

Cybersecurity: We Are All Vulnerable. We Are All Responsible.

Ashley Madison, the Web site that encourages married people to have affairs, is dealing with the theft and public release by hackers of personal information for thousands of its clients. The Impact Team, the hackers who claimed responsibility, didn’t hack the site for money, and didn’t steal the personal information to sell it. According to a Washington Post report, The Impact Team accused Avid Life Media, the company behind the Ashley Madison site, of “fraud, deceit, and stupidity,” and of faking most of the site’s female user profiles.

Target’s balance sheet and reputation are both still suffering from its widely reported 2013 data breach. That incident involved personal data, including credit and debit card information, of up to 40 million customers. Most recently, Target has reportedly agreed to pay up to $67 million to Visa, on top of the $10 million Target had previously agreed to pay to customers affected by the breach.

Such current events make one thing increasingly clear: hacking can happen to any organization, at any time, for any reason or no obvious reason at all. You and yours can be deeply affected by a hack, whether you work for the hacked organization or not. Truly, we are all vulnerable.

But if it’s true that we’re all vulnerable, it’s equally true that we all have a role to play in making ourselves and our organizations more secure. In fact, it is credibly arguable that cybersecurity is too big to be left up to IT and security teams alone.

A recent article on CSO.com highlights how enterprises such as Automatic Data Processing (ADP), Johnson & Johnson, Akamai Technologies, and others are “crowdsourcing” their cybersecurity efforts. These companies are sharing information about threats, vulnerabilities, and countermeasures with internal teams and external organizations, including peer companies. They are also encouraging users, including customers, to report incidents and suspicious behaviors to IT support, security, or both, as soon as possible. The thinking is that applying more bodies and minds broadens the range of possible effective solutions to security threats.

This is part of a larger trend of extending responsibility for cybersecurity beyond IT. Organizations are increasingly separating cybersecurity budgets and activities from mainstream IT and spreading security budgets, efforts, and awareness across the entire enterprise. One implication is that companies can end up investing more in security-related measures, such as user training, than the security or IT security budget reflects.

According to a recent article in The Register, such dispersed spending can improve security when combined with some other key political moves. “In an ideal world, the CISO will have an independent role and a friendly ear on an informed board. They will have a strong interest in ensuring that IT in particular conducts its operations securely and will work with the CIO from a position of influence to help achieve that. To that end, the CISO will demand that each relevant line of business allocate some of their budget for cybersecurity purposes and task them to show results for it,” the article says.

Everybody, at every enterprise, is an actual or potential victim of cybersecurity threats, and everybody, at every enterprise, can make meaningful contributions to the avoidance and remediation of those threats. Those responsible for leading cybersecurity efforts simply need to engage, encourage, and guide the participation and support of every user and decision maker at their respective enterprises, within and beyond IT and security. It’s a daunting task, but the rewards can be considerable.