Why you might need live cybersecurity exercises

When it comes to preparing for cyber attacks, there are a variety of tools and techniques that you should employ: firewalls and intrusion detection devices for sure. But some tools are less obvious, and involve more of the human organizational element. This is where a company called CyberGym comes into play.

In one of my favorite scenes from Jerzy Kosinski’s Cockpit, the secret agent protagonist is applying to become a spy. He is sitting in a room with his fellow recruits, waiting for the testing period to begin. What he and his compatriots don’t realize is that the waiting room is actually under observation and part of the testing process to see how well the newbies will collaborate with each other. The recruits are subjected to a variety of temperature extremes and every so often an employee will come in to tell them that there will be additional delays before the tests will begin. The goal is to figure out which of the recruits will get annoyed with the forced wait and how each one will endure these hardships. This is a lot like the CyberGym live fire exercise: you want to see how people do under pressure and how they will create allies. Who is going to crack and make things difficult with others? Who is going to demonstrate leadership?

CyberGym was co-founded by managers from the Israel Electric Corporation and has some specific facilities that relate to SCADA controls and power conditioning equipment that are found in the typical power plant. It has been used by global corporations from many different industries. The average engagement lasts several days as they run through a series of attacks and other malware intrusions.

I visited CyberGym’s offices in Israel last month as part of a trip that was partially sponsored by the America-Israel Friendship League and the Israeli Foreign Ministry. Their operation is contained in a series of huts that are scattered around a historic eucalyptus grove about a half hour north of Tel Aviv. The notion is that nothing prepares a group of IT security workers better than having to be part of a live fire-fight exercise. One hut contains the attack team, a second contains the defending team, and a third is for judges and observers. Each team contains security staff, IT and corporate management, and others from a specific company.

The idea is to replay a particular attack and see how the teams respond. Since its inception, CyberGym has conducted hundreds of these exercises, and they now have facilities in Portugal and the Czech Republic in addition to Israel. They look to see what the defenders do first, how they work together, and what things they fall down on. When I visited, the company’s founder Ofir Hason said that often the right response wasn’t anything technical, but coordinating what the team was going to do and how they actually worked together.

Fighting cyberthreats is a team effort, and involves a combination of technical and non-technical skills. Often convincing your management that you have to do something relies more on your power of persuasion than knowing how to block a remote shell executable or neutralize some malware. I like the name CyberGym too, because it implies that you need to condition your response “muscles” with real exercises, not just doing some academic threat management scenarios. Like a physical gym, you need to bulk up and do some resistance training to build your strength and add to your conditioning.

Sure, there are other teamwork-building exercises that can be done less expensively (everyone falling backwards or trying to climb through a ropes course) – but these aren’t specific to the cybersecurity realm and don’t really address this specific realm. If you want to see how your cyber team handles the next attack, you might want to book some time at the gym – the CyberGym that is.

Network World: Netanyahu wants Israel to become a cyber power

It isn’t often that a speech from a head of state at a tech conference is relevant to IT security managers, but Prime Minister Benjamin Netanyahu’s address at last week’s third annual CyberTech 2016 focused on where the Israeli government and its IT security industry are heading.

Netanyahu offered a plan for cross-country sharing of cybersecurity threats, demonstrated his knowledge of the tech industry, described the economic opportunities of cyber-tech and outlined policy changes that he wants to see to further strengthen Israel’s role in both overall technology and cybersecurity in particular. You can read more in my story on Israeli cybertech progress in today’s Network World.

TechTarget seminar: How to make the move to hybrid cloud computing

The benefits of cloud computing have been hammered into IT – streamlined processes, improved accessibility, greater flexibility, and so on – but latent concerns around security, performance, and access have kept many organizations from realizing the true value of the cloud.

You need to objectively compare the capabilities and costs of cloud services against those of traditional on-premises infrastructure – even if you’re already doing some mix of the two (in fact, especially if you’re doing a mix of the two).

This five-city event provides that objective perspective by focusing on building a data center infrastructure that realizes the true value of cloud computing across your IT infrastructure – including automation, high availability, appropriate utilization rates – and not just limited, low-impact use cases. Sign up here for one of the cities where I will be speaking.

Network World: Google’s Pixel C Android tablet is sexy but won’t replace your laptop

Pixel C is the first all-Google Android tablet. It has a 10.2 inch screen and is designed to be used with a companion keyboard that also doubles as a protective cover. The tablet isn’t quite a total replacement for your laptop but it could qualify as the sexiest Android tablet on the market. The Pixel C shouldn’t be confused with an earlier Pixel model, which is a fully decked out Chromebook laptop that costs twice as much.

In my review today for Network World, I talk about the pros and cons for this tablet, and the unique magnetic keyboard that is its most interesting feature.

Why referrals are the best customer acquisition channel

Last week I was giving a keynote speech at a tech conference in San Jose. I always enjoy public speaking — at least after the first two minutes that I am on the podium. One of the many things that I take away from these experiences is how smart everyone else in the room is. I got to meet some of the IT professionals that were in the audience and listen to their trials and tribulations about running their businesses. One of them shared a graphic with the audience that I thought was important.

It was a pie chart shown here with the cost per customer acquisition for various methods: Yellow Pages advertising, online, and word of mouth referrals from existing customers. It also showed the proportion of customers who came in through each channel. Not surprisingly, the Yellow Pages had the highest acquisition cost and delivered the fewest actual customers, and nearly half of his business was coming from online.

This is a small retail business, and what is important is that my friend actually collected this data. Too often many business owners don’t step back and do this kind of analysis — no matter what their size and market segment. Either they don’t keep track of the numbers, or don’t bother to ask their customers how they came to knock on their door. They have no way to effectively examine whether their ad programs are actually bringing in customers, or are just expensive window dressing or ego satisfaction.

What the pie chart immediately shows is why Yellow Pages advertising is going the way of the dodo: at least for this business, it costs the most and delivers the fewest customers. The best option is to get referrals, which is something that should be obvious but oftentimes isn’t.

Speaking of ego gratification, this reminds me how, when I travel, I always spot the tech companies that spend a lot of money on backlit displays in the airport concourses, usually featuring box shots of their products or head shots of their CEOs. Do you really think that putting a picture of your firewall or some other 19 inch hardware in an airport is going to generate business? Unlikely. Another take is what I saw when I was changing planes in the Phoenix airport last week: one tech vendor had hung banners across the concourses and set up special “charging stations” around.

My IT contact also mentioned his referral fee policy, which I found interesting. He offers a $20 rebate to any of his customers that refer business. The trouble he has is actually paying out this bounty. It isn’t for lack of trying, or because he is cheap. It turns out his customers are so happy doing business with him that they don’t want to take his money: they are just glad to spread the joy and to have their friends benefit from being a customer too. How often do you find that situation?

Certainly, providing great customer service is critical. No amount of data analysis is going to make up for poor service (just ask your local cable company — on second thought, you probably are going to spend too long on hold so you probably won’t be able to ask them). But if you do have a great service record, having a customer for life is priceless.

This makes me think about my auto mechanic that I have been using for many years. A few years ago, I took my car into his shop for a repair. He called me an hour or so later, which is usually a sign that he has found the source of my problem and wants me to approve spending a bunch of money to fix it. Au contraire. This time, he told me that my car was fixed and it took him so little time that he didn’t feel good about charging me anything for what he did. It was at that point that I became his customer for life. The few dollars that he might have received for my repair have been eclipsed by the many more times that I have brought my car in for subsequent service visits. And of course I have told my friends and neighbors about my mechanic so he has generated more business from that single repair. Referrals can really deliver.

A Shark Tank success story

I am a big fan of the show “Shark Tank” and find it both entertaining and educational. It’s also the one place on network TV celebrating entrepreneurs. Over the years, the show has funded many ventures, some of which have become quite successful. One venture I’ve followed even before it swam in the Tank is Myself Belts. I recently spoke to its founder for a story for EQ magazine on how the continuum of mentorship changes as the founder acquires new skills and new challenges. The choice of your mentoring team is important, but just as important is understanding when you have outgrown your mentors and when you must seek out new advisors.

PC Magazine: the evolution of spreadsheet analytics

Like some of you, I got my first introduction to the PC from the spreadsheet. It has been around for more than 35 years in one form or another, and most of us have at least a basic working knowledge of how to use it for rudimentary calculations. In my computing career I have seen numerous spreadsheet abuses – it is amazing what people can force a spreadsheet to do for them. I actually wrote about this in 2014 for Intuit’s blog here.

One of the reasons that Excel and other spreadsheets are so abused is that a spreadsheet can be a very addictive tool, and users are fearful of having to learn something else. Another reason is given by Ron Shaich, the CEO of Panera Bread, who says that too often middle managers “manage from the spreadsheet, viewing it as an oracle. They make decisions believing the numbers of the past loaded into the spreadsheet foretell future outcomes.” Sadly, the future is never as certain as we might hope.

If you can break from its charms, you can make use of your computer for a lot more useful activities such as data collaboration and analysis. For the former, you often see the spreadsheet context as a way to share a simple database (not surprisingly, Intuit sells one of these tools) among a work team. For the latter, there is the category of what has been called self-service business intelligence tools. I looked at the best of these for a review I did for PC Magazine last month of ten different BI tools.

The hard part is that these collaboration and analysis tools often have steep learning curves and make it trying to understand their user interfaces. Some products are better at data exploration than data analysis and reporting, so keep that in mind as you look at them. Some tools also cost five or more figures and thus aren’t very appropriate for smaller businesses. Finally, these BI tools come in several different versions, including browser-based SaaS and desktop and server versions: keeping the features straight among them will require some careful study.

Still, spreadsheets are reaching the end of their utility as work teams spread out across the globe and as we want to build better and more useful data models to run our businesses. At its core, the spreadsheet is really a souped-up calculator, not a way to model and share data. Spreadsheets lose their potency when they grow beyond a single screen to display your calculations or hold a sparse matrix that doesn’t neatly line up in rows and columns.

If you are going to break free of the spreadsheet’s orbit, you probably want to start off with Microsoft’s PowerBI tool (the controls are shown in the screenshot at right). This is free and works both in conjunction with and independently of Excel. For a free product, it is amazingly capable. For example, you can query Mailchimp email lists so you can monitor data and trends about your campaigns, reports and individual subscribers, and also query Quickbooks online data. There are both desktop and browser-based versions and a huge collection of learning resources to help you over the hump of getting started.

Besides Microsoft, there are more than several dozen different BI tools: I have looked at a total of ten for PC Magazine, and each has some advantage over a simple spreadsheet. Does this spell the end of the spreadsheet? Hardly. But it does show the beginning of a new market that is worth looking into. As Shaich says in his post, “A spreadsheet is merely a way to organize data. Its numbers generally capture trends of the past, but it is in no way predictive of what’s to come.”

Time to outsource your R&D to entrepreneurs!

I was at an interesting panel discussion last week where I first heard a very radical idea: your business needs to outsource its research and development department, and the best place to do so is with your local startup community. The person saying this was the chief operating officer of his company. I will tell you who in just a moment.

The notion makes a lot of sense. Spending on R&D isn’t cheap: Google spends $8 million a year, and Microsoft about $10 billion, both a little bit more than 10% of their revenues. Car and drug companies are also big spenders. These companies, along with IBM and Intel, generate a lot of intellectual property from this R&D, and a lot of innovative products and services. But not everyone can be an IBM or a Microsoft and have the funds to pay for original research. That is where your local startup ecosystem can come in handy.

Almost every city in the world has some sort of startup incubator, a co-working space, a shared lab or some other facility that is a gathering place for entrepreneurs. In St. Louis, we are blessed with many of these outfits, in fact so many that I still haven’t visited all of them yet. That is a Good Thing.

We are also blessed in St. Louis with a lot of laid-off talent, particularly in bioscience and IT. That sounds odd saying it like that, but when you have a big company like a Pfizer or Anheuser Busch that lets go of several hundred folks, it can be the best thing for your startup community. These people don’t necessarily want to leave town and move their families across country. If they have an idea for a startup, they tend to bring together more folks and create more jobs. So it isn’t just the real estate, but having the talent pool too.

Okay, back to my COO that I quoted above. His name is Kevin Demoff and he works for the St. Louis Rams football team. Yes, football. Not the kind of cutting-edge business that comes to mind when we are talking about R&D. One of our startup communities here in St. Louis is called Stadia Ventures, a sports-related accelerator that leverages our city’s sports-crazy universe. Demoff was quite candid about how little the Rams have spent in past years on R&D, and how the NFL is more of a follower than a leader when it comes to implementing new ideas. “It is more likely that the league is going to copy something that we or some other team does than to actually help with innovation,” he said at a Stadia panel session last week. “That is why we have to support the local entrepreneurs and be a part of the startup culture.” It was a very insightful thing to say.

So go visit your local startup offices. Talk to a couple of entrepreneurs, and buy them a few lunches. Better yet, become a corporate sponsor of efforts like Stadia or other startup accelerators. Volunteer as a judge at one of their demo day or pitch competitions. Help mentor one of the young companies. The more you put into these efforts, the more you will be able to outsource your R&D and pick up some new idea that your company can run with and make a few touchdowns. (You just knew a sports metaphor was coming.)

Understanding how to better exercise your brain

We all know that we should exercise more to stay fit and maintain muscle mass, but when it comes to exercising our brains we ironically are somewhat stupid about what this means. For this column, I want to describe my own personal journey towards maintaining my brain’s health. It is still ongoing, and still a struggle.

For close to two decades, I have been bothered by a variable ringing in my ears, what the doctors call tinnitus. Actually, I should say, in one of my ears, since I am deaf (and have been so since birth) in my left ear. The sound varies in loudness, and varies by how much it bothers me: early morning and late evening is more noticeable. It is usually with me 24×7.

This ringing in my ear isn’t the only kind of illness that people have where they imagine odd things about themselves or their environment. For example, there are people who suffer from Morgellon’s disease, where subjects literally think their skin is crawling with something, or think that their tongue or other parts of their mouth are burning, or experience phantom pain in amputated limbs. The only common elements are that you can’t make these things stop, there is no known single cure, and the physiological causes are mostly unknown. One school of thought is that all of these afflictions are in the subjects’ heads and not in the ears or mouth or whatnot. If you can figure out how to harness control of these issues with your brain, a subject can control how much awareness they have of the malady and ultimately could be trained to ignore it.

This field of study is called neuro-plasticity and refers to research that has found that you can teach an old brain to do new tricks, in some cases actually reorganize its neural pathways. While this sounds like something out of the SyFy channel, it is very real stuff. There is an interesting blog post on Scientific American that is very readable that goes into more detail if you are interested. One area is using mindfulness-based stress reduction meditation techniques to build up more control over your environment and perceptions. Another is in developing better brain exercises.

Like some of you, for many years I have been doing crossword and Sudoku puzzles daily. I like doing them and it is a way for me to relax and get started with the day’s activities. But these aren’t really exercising my brain: think of them as doing arm curls with one pound weights. It might look like “exercising” but it is just movement and not building any real muscles. Or think about just being able to complete the Monday New York Times crossword — the easiest of the week’s puzzles — and not trying to do the Saturday or Sunday puzzles. You are short-changing your brain exercise routine.

To really work out your brain, you need a stronger set of exercises that can build the neural equivalent of muscle mass. A few years ago, I took part in a research study with my ENT doctor. I was part of a group of his patients that were using an early version of a software program that was designed to do these brain exercises. For 30 or 40 minutes every day, I had to use this tool to try to make my brain stronger. It was a frustrating experience for me, largely because it was the equivalent of trying to immediately bench press 400 pounds. Like I said, it was an early version.

Since then, the company has created a SaaS version called Brain HQ and has a freemium model where you can try out a few of the exercises online or using an iOS app here. I haven’t tried out either yet and will document my experience at a later date. In the meantime, I still struggle with the ringing sounds. Some days are better than others.

When I was first diagnosed with tinnitus I went online and did a lot of my own research. I was lucky enough to find my way to the American Tinnitus Association and a load of help, including local meetups with fellow sufferers. Since then I have gotten more or less used to the ringing.

Feel free to share your own experiences in the comments.

Network World: ten best enterprise password managers reviewed

In my 2013 review I looked at several different password managers, some suitable for enterprises and some primarily for consumers. Since then the field has ballooned and there are now more than two dozen different products on the market. As a data point, even the popular TV show “Shark Tank” evaluated a password manager startup in its current season.

For my own current season, I looked at ten tools: Dashlane for Business, Keeper Security’s Enterprise, Lastpass’ Enterprise (now part of LogMeIn), Lieberman’s Enterprise Random Password Manager, LogMeOnce Enterprise Edition (shown at right), Manage Engine’s (now part of Zoho) Password Pro, Agilebits’ 1Password for Teams, StickyPassword, SplashID’s TeamsID, and SingleID. The two strongest products in terms of protecting individual user logins are Lastpass and Keeper.

You can read the full review here, along with a description of some larger issues and overall trends with using these tools.