Do you need a chief trust officer in your c-suite?

I recently read this blog post which talks about having a chief trust officer as part of your executive team. This is a different kind of title from someone working at a bank that actually involves managing financial instruments with that name, so it is a bit confusing at first. But what the post talks about is someone being in charge of overall data and customer trust relationships.

The author says, “In our internal discussions, security is not the sole realm of the CISO. The concepts of trust, reliability, and security figure into every aspect of our business.“ Informatica moved its CISO from its IT organization to its R&D group and gave him this new title as a way to increase transparency and improve overall security and communications. Certainly the recent events surrounding Equifax and other data breaches have brought these issues to the forefront.

Certainly, having new kinds of staff titles is a growing trendlet. We have chief people officers (which used to be called HR), chief fun officers (now that is a job that I could do), chief curator (this one decides what content to put on a corporate home page), and chief amazement officer or chief troublemaker (who both turn out to be the company’s founder). Certainly, some of these titles are just annoyingly cute, and could be more confusing that clarify any particular corporate role.

But I think the chief trust officer is actually a title worth thinking about, if you dive into understanding why you are giving it to someone.

I spoke to Drummond Reed, who is an actual Chief Trust Officer for the security startup Evernym, about why he calls himself that. “We choose that title very consciously because many companies already have Chief Security Officers, Chief Identity Officers and Chief Privacy Officers.” But at the core of all three subjects is “to build and support trust. So for a company like ours, which is in the business of helping businesses and individuals achieve trust through self-sovereign identity and verifiable digital credentials, it made sense to consolidate them all into a Chief Trust Officer.”

Reed makes an important point: the title can’t be just an empty promise, but carry some actual authority, and has to be at a level that can rise above a technology manager. The chief trust officer has to understand the nature of the business and legal rules and policies that a company will follow to achieve trust with its customers, partners, employees, and other stakeholders. It is more about “elevating the importance of identity, security, and privacy within the context of an enterprise whose business really depends on trust.”

That brings up something else. How many businesses don’t depend on trust? Those that are out of business, it seems. I think it is appropriate to signal not just that someone is in charge of infosec or privacy issues, but covers everything in the trust workflows and lifeblood of the business.

So whether you have trendy titles in your company or not, think about having a chief trust officer. If you are serious about building (or in the case of a post-breach, rebuilding) trust with your customers and staff, it might make sense. And dollars, too.

Read More
Bike fundraising with my sister

I started riding my bike like most suburban teens and took my first long trip with my friend Karl when we were 16, riding 250 miles in five days to the end of Long Island, camping along the way. Since then, I have always been a big bicycling person. After college, I led a couple of biking trips for teens for one of the hosteling groups, and then to get to grad school I rode my bike across Canada for a summer-long course of about 2500 miles. After grad school I was working in DC and led the effort to get bikes on board the subway trains there. So I wasn’t just a rider, but a biking advocate.

In my late 40s, I decided to take up bike charity fundraising, and started doing a series of annual rides. My first ones were to benefit AIDS research and went from NYC to Boston. I later did rides to benefit diabetes, cancer and MS research, and thanks to many of you, was able to be one of the top fundraisers for my rides.

My sister Carrie’s experience though with riding was completely different. She didn’t touch a bike until after she turned 55. “I figured I survived breast cancer, I might as well tackle a bike.” So she taught herself to ride, got a pretty new bike and signed up for the 24 Baltimore ride and started a team with me and another couple. Carrie and I had done several multi-day breast cancer walking events over the years in different cities. We try to find an event that has some meaning to us, challenging and exciting. One year we did one of the Avon walks in Philadelphia: it was so cold and rainy that we had to be evacuated from our campground to a local high school, where we spent the night sleeping on the floor. At least it was warm and dry.

When we signed up for the 24 ride, I didn’t realize that it would be such a benefit for helping Carrie learn how to be a better bike rider. She had limited experience using gears, for example, and tackling hills. Since she got her bike, she has fallen several times and cracked a few ribs. I am amazed that after these experiences she would want to get anywhere near a bike. But that is the kind of person she is.

This photo of us then represents something very unusual: both of us on bikes, going through the “finish” line on one of our laps. After doing so many of these events with and without her, it is the first time we have been together on two wheels.

The structure of the 24 ride is doing a tight 2+ mile loop over and over again. While it can get tedious, it turned out to be just the right thing for a beginner such as Carrie. This is because she got to try out her gearing and her climbing strategy over the series of laps. Many of the other riders saw that she was a newbie and gave her lots of encouragement, and it was fun to be on my bike with her throughout the day. No, we didn’t go all 24 hours, but we still did more than 25 miles around the course.

I was very proud of her prowess, and how much she enjoyed the event. And glad that we got to do this together too.

Read More
Interview with Yassir Abousselham, Okta CSO

I spoke to Yassir Abousselham, the CSO for Okta, an identity management cloud security vendor. Before joining Okta this past summer, he worked for SoFi, a fintech company where he built the company’s information security and privacy program. He also held leadership positions at Google, where he built both the corporate security for finance and legal departments and the payments infrastructure security programs, as well as at Ernst & Young, where he held a variety of technical and consultancy roles during his 11-year tenure.

When first started at E&Y, he worked for an entertainment company that hired them to examine their security issues. He found a misconfigured web server that enabled them to enter their network and compromise systems within the first 30 minutes of testing. This got him started in finding security gaps and when he first realized that security is only as good as your weakest link. “The larger the environment and more IT infrastructure, the harder it is to maintain these systems.” Luckily they weren’t billing by the hour for that engagement! He went on to produce a very comprehensive look at the company’s security profile, which is what they needed to avoid situations like what he initially found.

“The worse case is when companies do what I call check mark compliance assessments,” he said, referring to when companies are just implementing security and not really looking closely at what they are doing. “On the other hand, there are a few companies who do take the time to find the right expertise to actually improve their security posture.”

“To be effective, you have to design many security layers and use multiple tools to protect against any threats these days. And you know, the tools and the exploits do change over time. A few years ago, no one heard about ransomware for example.” He recommends looking at security tools that can help automate various processes, to ensure that they are done properly, such as automated patching and automated application testing.

Although he has been at Okta only a few months, they have yet to experience any ransomware attack. “The first line of defense is educating our employees. No matter how much you do, there is always going to be one user that will open an phished attachment. Hackers will go through great lengths to socially engineer those users.” Okta employs a core security team that has multiple functions, and works closely with other departments that are closer to the actual products to keep things secure. They also make use of their own mobile management tool to secure their employees’ mobile devices. “We allow BYOD but before you can connect to our network, your device has to pass a series of checks, such as not being rooted and having a PIN lock enabled and running the most updated OS version,” he said.

How does securing the Google infrastructure compare to Okta? “They have a much more complex environment, for sure.” That’s an understatement.

Working for an identity vendor like Okta, “I was surprised that single sign-on or SSO is not more universally deployed,” he said. “Many people see the value of SSO but sometimes take more time to actually get to the point where they actually use this technology. Nevertheless, SSO and multi-factor authentication are really becoming must-have technologies these days, just like having a firewall was back 20 years ago. It makes sense from a security standpoint and it makes sense from an economics standpoint too. You have to automate access controls and harden passwords, as well as be able to monitor how accounts are being used and be able to witness account compromises.” He compares not having SSO to putting a telnet server on the public Internet back in the day. “It is only a matter of time before your company will be compromised. Passwords aren’t enough to protect access these days.”


Like what you are reading?

Subscribe to Inside Security!

Read More
FIR B2B podcast #82: Doing data-driven marketing right

Can data drive a marketing campaign and still keep it creative? Yes, provided you bridge the divide between art and science by benefiting both sides. Paul Gillin and I examine a recent article in Marketoonist that discusses this issue. Blogger Tom Fishburne quotes an agency head who heard a principal from another agency say, “Data drives every piece of creative we put out today.” The agency chief’s reaction: “Boy, your creative must really suck.” When marketers stray from being data-driven to being data-blinded, campaigns fall flat.

One piece worth reviewing about this appeared on one of the Google blogs last year. Google, DoubleClick and an ad agency collaborated to explore how to best do data-driven campaigns, and came up with three suggestions:

  • Know all the sources of data available, and figure out which can fuel smarter creative.
  • Bring in the agency at the start of a project and talk about what data makes the most sense before any creative program is designed.
  • Collaborate and communicate to the extreme.

Fishburne cites an example of a creative video campaign for the state of Tennessee that struck the right balance. Data was used to determine what versions of pre-roll ads to display, with the creative being designed to evoke an emotional response.

Speaking of creative, Amazon has unleashed a slew of actions by various cities around North America in its response to its quest find a site for its second headquarters. Tucson delivered a 21-foot Sagauro cactus, while Kansas City posted creative product ratings on Amazon’s own site to explain its advantages. Some mayors have put together their own wacky YouTube pitch videos. This is every bit a B2B campaign, although not one most marketers can relate to very closely. What we like about it is that Amazon didn’t state the rules too clearly, leaving a lot of room for bidder interpretation. That led to greater creativity. We can’t wait to see who wins (hope it’s St. Louis or Boston).

You can listen to our 16 min. podcast here:

Read More
Notable TechWomen, in honor of Ada Lovelace Day

The TechWomen program brings emerging women STEM leaders from around the world to the Bay Area for five weeks of mentoring and career development. Sponsored by the US State Department and run by the Institute of International Education, over the past six years it has brought more than 400 women here.

I spoke to two of the women that are taking part in the program, both are 32 and from different parts of Africa. Martine Mumararungu runs the core traffic engineering for a Rwanda ISP and has a BS in CS. She was one of seven women in her classes. “Most girls in Rwanda think STEM is just for men,” she told me. Luckily, she had an older brother and sister who were interested in science, and that sparked her own interest. She started out in programming, taking classes in C++ and Java, and got more interested in networking technology. She eventually earned her CCNA and CCNP certifications and has found them very much in demand in Rwanda and very valuable for her job at the ISP. She is using the program to learn more about IT security and how she can beef up her ISP’s profile in that area.

Umu Kamara hails from Sierra Leone where she is the assistant IT manager for a private shipping company. She got her BS in Physics and also got several Microsoft certifications. She switched to IT because she was always interested in systems and databases. She started out wanting to become a medical doctor but wasn’t accepted into the program because of low English grades. Now she is glad she didn’t go that route and likes being in IT. Her father (who died when she was four) was a mechanical engineer, and that motivated her to get interested in science at an early age. She is using the program to learn more about cloud technologies and data center security. She may try to switch her EDR products to more cloud-based ones. When I asked her about the relative bandwidth that she has in the States versus at home, she just laughed, agreeing with me that yes, here it is “a bit faster.” She also agreed that the Internet is here to stay no matter where you live, and even if you have just a marketing company you still need an online presence. “You can’t do without it.”

She experienced a data breach at her company; unfortunately, it was just after her boss left town for a seminar so she had to handle the situation. It was caused by an infected cell phone that was connected to the corporate network, and used malware-infused PDF and Word documents. She had to work long days to reinstall her servers and updates. “It was a good experience but I wouldn’t want to do it again.” The company was offline for several days and the revenue impact was huge, since ships couldn’t unload without the appropriate systems operating.

Read More
Remembering AIM

AOL is eliminating its AIM service after a 20 year run. It is sort of an ignominious end to the once-popular IM platform. Many of us were teens (or parents thereof) when AIM was in its heyday, and I was a big user back in the early 2000s when I worked at CMP to communicate with our far-flung staff (and even the folks sitting a few feet away from me too). That brings up how IM can bring together work teams to collaborate, and how IM has been an essential tool with many of my jobs since then. Just this morning I was using IM to “talk” to my editor in Pittsburgh and another researcher in Europe for my Inside Security newsletter. Like many of you, I take these conversations for granted and like many tech companies, has standardized on Slack, and indeed I participate in numerous other Slack groups now.

More than ten years ago, I wrote this story for the NY Times, The I.M. Generation Is Changing the Way Business Talks. In it, I describe the opportunities and challenges that IM faced in the modern business. To me, the timing of this article points out that there still were plenty of businesses that hadn’t even considered any IM tools. IBM was quoted in the piece as using its own IM tool for sending millions of messages daily, and eliminating voice mail tag. In my article, I called IM “the new black,” meaning it was trendy back then.

Today my phone rarely rings — to the point that I haven’t had a “desk” office phone in so long that I can’t even remember. Between IM and emails, there really isn’t any need to “talk” to anyone anymore.

One of the reasons why businesses loved IM is that its own workers literally grew up on the service. “AIM was a domain parents didn’t understand, giving it a feeling of clandestine cool.” This is from Tech Crunch, which has this tribute. In that link is a clip with a reminder of its pernicious sound effects. Boy does that bring back memories. One of my favorites was when my daughter was a pre-teen, deeply steeped into using AIM to communicate with 100 of her closest friends. I had trouble getting her to sign off when it was bed time, and so told her that she was going to get kicked off the system promptly at 10 pm. I had set up a firewall rule on our home router to block access to IP port 5190 at that time. She didn’t think I could do that, and after a few warnings I remember her realizing that I meant business when the hour struck. Being a parent back in that era was a lot easier than today, to be sure.

Speaking of pre-teens, I found this awkward story about making dating decisions using AIM. Again, a typical use case from back in that era.

But while AIM set the standard for IM, it didn’t keep up with the times. Ironically, as more users became mobile, they migrated to other IM tools because AOL’s mobile clients were late to the party and under-powered. They were slow to provide APIs, something Slack does in spades and one of the reasons you can find Slack “bots” for all sorts of add-on applications. And as users migrated to other IM services, AOL itself stopped using the service for its own internal communications, at one point using Slack itself. That is bad news when you can’t even find the tool capable for your own people.

AIM was also victim to SMS services and smartphones. As more people used both, the use cases blurred further between personal and corporate messaging. My daughter, who is now in her late 20s, told me that she hasn’t used AIM in years. Now she uses WhatsApp for both business and personal reasons, and that can be an issue when she is trying to get her work done and can’t easily find a conversation.

Well before Facebook-stalking was a thing, AIM profile stalking became slang for many users. This Ars writer recalls he had his “first taste of how the Internet could enable asynchronous self-expression and personal broadcasting amid a tight-knit social group.” That was before blogs, before MySpace even. So while I haven’t used AIM in a long time, I am sad that it is actually getting turned off soon.

Read More
iBoss blog: Implementing Better Email Authentication Systems

To provide better spam and phishing protection, a number of ways to improve on email message authentication have been available for years, and are being steadily implemented. However, it is a difficult path to make these methods work. Part of the problem is because there are multiple standards and sadly, you need to understand how these different standards interact and complement each other. Ultimately, you are going to need to deploy all of them.

You can read my latest blog for iBoss here to find out more.

Read More
Protecting your Windows endpoints with VIPRE Endpoint Security Cloud

VIPRE offers a nice package for small and medium-sized businesses that is easy to use and manage with a wide array of protective features.

We tested VIPRE on a series of different Windows clients during September 2017. It supports all versions of Windows desktop since v7 and servers since v2008R2. It currently protects more than six million endpoints and finds more than a million daily malware infections. VIPRE also sells an on-premises endpoint solution that also includes patch management features.

Pricing starts from $30/yr/seat with significant volume discounts. VIPRE offers free phone based US support during business hours.

Read More
Software shouldn’t waste my time

One of my favorite tech execs here in St. Louis is Bryan Doerr, who runs a company called Observable Networks that recently was acquired by Cisco. (Here is his presentation of how the company got started.) One of the things he is frequently saying is that if a piece of software asks for your attention to understand a security alert, we don’t want to waste your time. (He phrases it a bit differently.) I think that is a fine maxim to remember, both for user interface designers and for most of us that use computers in our daily lives.

As a product reviewer, I often find time-wasting moments. Certainly with security products, they seem to be designed tis way on purpose: the more alerts the better! That way a vendor can justify its higher price tag. That way is doomed.

Instead, only put something on the screen that you really need to know. At that moment in time. For your particular role. For the particular device. Let’s break this apart.

The precise moment of time is critical. If I am bringing up your software in the morning, there are things that I have to know at the start of my day. For example, when I bring up my calendar, am I about to miss an important meeting? Or even an unimportant meeting? Get that info to me first and fast. Is there something that happened during the night that I should jump on? Very few pieces of software care about this sort of timing of its own usage, which is too bad.

Part of this timing element is also how you deal with bugs and what happens when they occur. Yes, all software has bugs. But do you tell your user what a particular bug means? Sometimes you do, sometimes you put up some random error message that just annoys your users.

Roles are also critical. A database administrator has a lot different focus from a “normal” user. Screens should be designed differently for these different roles. And the level of granularity is also important: if you have just two or three roles, that is usually not enough. If you have 17, that is probably too many. Access roles are usually the last thing to be baked into software, and it shows: by then the engineers are already tired about their code and don’t want to mess around with things. Like anything else with software engineering, do this from writing your first line of code if you want success.

Finally, there is understanding the type of device that is looking at your data. As more of us use mobile devices, we want less info on the screen so we can read it without squinting at tiny type. In the past, this was usually called responsive design, meaning that a web interface designer would build an app to respond to the size of the screen, and automatically rearrange stuff so that it would make sense, whether it was viewed on a big sized desktop monitor or a tiny phone. If your website or app isn’t responsive, you need to fix this post-haste. It is 2017 people.

Read More
iBoss blog: What Is WAP Billing and How Can It Be Exploited?

An old scam to separate people from their money has been gaining more popularity. It uses a cellphone protocol called WAP billing to steal your money. You have a hint from its name that it has something to do with wireless network protocols, but the idea is to save folks some time when they want to pay for something online by having the charges go directly on the user’s phone bill. I explain the exploit and how it is being used in my latest blog post for iBoss here. One infection point is a “battery optimizer” app that conceals the WAP billing trojan.

Read More
1 2 3 195