Time to have a cybersec guru on your board

Posted on by
Reply

IT Security Guru (@IT_SecGuru) / TwitterLast month, the Securities and Exchange Commission proposed some new guidelines to promote better cybersecurity governance amongst public companies. They make for interesting reading, particularly in one area where the SEC is trying to track the level of cyber expertise on the boards of directors of these companies. They ask that companies disclose whether “any director has prior work experience in cybersecurity,” which includes a fairly broad range including if someone has been a CISO or has had any position that mentions security in its title, had any cyber certifications, or has specific cyber knowledge.

Now, just the way this is worded in the proposed rulemaking makes me very skeptical. My first impression is that anyone who admits to satisfying these criteria to the SEC will paint a target on their backs and will be blamed for any future threat or exploit. Then, what if I took an exam (like a CSSP or Security+) and didn’t pass? I still have some cyber knowledge. Does this mean I still have to disclose to the SEC?

The wording of the qualifications also implies (at least to me) that just about any Computer Science grad would probably have taken some infosec training (hope springs eternal) and would need to disclose this. I am not sure this satisfies the SEC’s intention.

But let’s get to the meat of the matter and address two important questions.

First, will these proposed rules motivate firms to hire any effective cyber experts as board members? My guess is probably not. At best, boards meet quarterly, and what is a board member supposed to do in between meetings if something is awry? Does this mean a CISO has a shadow reporting relationship to the cyber-aware board member? That is not a recipe for good corporate governance.

Here is a thought. A few years ago, I developed (somewhat tongue-in-cheek) a cybersec quiz that you can give your boss. It is easily repurposed for vetting your potential cyber-friendly board members, if you can get them to answer the questions truthfully. You may want to use that as a screening tool if you are going to expand your board of directors, or if you are going to have a separate “technical advisory board” that could be useful in directing your future digital and cybersec policies. (I have served in this capacity, BTW.)

Second, will having this kind of expertise make a difference in terms of better breach response? One of the other proposed rules by the SEC is to mandate a four-day turnaround period once a breach has been determined. That is probably more important than anything else in these proposed rules, especially as most firms have a culture of hiding a breach for as long as they can get away with it. How this turnaround period is measured isn’t really well defined either.

If you want to submit a comment before 5/22/23 on File No: S7-04-22, go to this page on the SEC’s website, scroll down the page and find this file number to bring up the appropriate form.

How to be more curious

Posted on by
3

I am by nature a curious person. I spend a lot of time trying to answer questions, which is why I love my job and what has contributed to my success as a tech journalist. One term that was popular was “life-long learner” (as I wrote about this term in relation to my non-retirement strategy back in 2021) but I think curiosity is a better description. I noticed that many analysts looking at our AI-enabled future have called attention to this skill as something we will need to cultivate and develop. So in this post, I want to examine what it will take to train folks to become more curious.

Before you do any formal training, it helps to understand what type of learner that you are. We all learn in different ways: some of us have to go through the actual experience — these people respond better to tactile situations. Others learn better through more visual or auditory cues and need materials specializing in these methods.

How do you figure this out? One way is to take this short online quiz to find out which style you are. Once armed with this data, you should focus your attention on situations that offer those types of materials so you can learn things your way and retain it better. For example, if you are an auditory learner, you may wish to listen to recorded lectures or presentations. This is a boon for online webinars, where you can stop, rewind, and replay the key portions. In some cases, you might want to take notes, or recite what was just said to fix the concepts in your mind.

If you are more of a visual learner, then by all means be sure that you look carefully at the study materials. Use charts, maps, movies, notes and flashcards. Practice visualizing or picturing words/concepts in your mind. Finally, if you are a tactile learner, think about ways that you can involve more of your senses besides just watching a particular lecture. Make study sheets and refer to them often.

But knowing how you learn is just one part of your journey. Next comes having the right motivations. I have been lucky to be a self-starter and get myself motivated, whether that involves writing one of these essays or tackling a more in-depth project. Sometimes, just seeking knowledge isn’t enough. If you’re not that motivated to learn, find someone who’s also interested in becoming more curious. That link will take you to other suggestions on how to become more curious. Here is another resource, posted on the site Natural Training, which describes the ten most common habits of curious people. Things like listening without judging, willing to be wrong, and staying in the moment are all important skills to acquire.

I was thinking about this when I read something that Naomi Wu, a Chinese maker, said recently about how the education of Asian students has to change. “The key skill- prompting, asking questions. Is something our kids are generally not taught and are often quite poor at. I’d even say it’s discouraged. The ability to ask good questions becomes incredibly important with AI.” I saw this first-hand when I gave lectures in Singapore and Japan years ago: I had to seed the audience with someone who was willing to ask the first question to break the ice.

ChatGPT For DummiesLongtime freelancing colleague Pam Baker’s forthcoming book on ChatGPT, has more tips on how to become an expert at using these tools. She told me, “Many worry that ChatGPT will erode the critical thinking skills of users. But that’s not likely because the most successful users will employ advanced critical thinking skills in forming prompts. The key is not in what you say to the machine, but in how you say it.” She tells me she is also putting together classes on LinkedIn Learning on the topic too.

I was thinking how fortunate I have been in my job as a freelance journalist. I have been able to to call up all sorts of people and ask them questions about their lives and jobs, as I wrote about ten years ago when I described two of my sources in this blog post on how to question everything. The two people had an insatiable curiosity for the unknown, to be constantly learning something new, and figuring out how the world works. While that extreme case of hyper-curiosity might not be your cup of tea, it might make you more motivated to become more curious about something.

Facing tough choices on TikTok

Posted on by
2

Last week Shou Chew, the CEO of the American TikTok, was called on the US House hearing room carpet. Combining the current anti-China paranoia with social media crimes against teenagers was a potent political mix that brought a tremendous amount of bipartisan angst. The five hour hearing was attended by seemingly the entire House membership, and for me it was noteworthy in that almost none of the members were folks that I have ever heard of, but all managed to ask unanswerable questions that they demanded simple yes or no answers so they could save time for their own take.

The best commentary was Jimmy Kimmel who simulated what the app does on his show (shown here at right). More insights from Casey Newton here.

Also last week, Utah became the first state to place legal restrictions on social media usage by children (<18).  This law goes into effect in a year; we’ll see how they will enforce it, which will be difficult. TikTok seems to be included in its framework, although Google might not be (there is an exemption for online emails, so Gmail might not apply but YouTube might be covered).

The hearing wasn’t a total time waster. In addition to getting acquainted with our Congress (a couple of whom actually have had tech jobs, interestingly), it also brought to the public’s attention a few reports that I will highlight here. But what I saw was that America will probably join others in some form of ban, whether it be just for the government employees (as the US has done, as have the UK and France did last week) or something that is contemplated by other bills that are making their way through Congress.

Second best commentary was by security maven Bruce Schneier, who wrote last month  “There’s no doubt that TikTok and ByteDance, the company that owns it, are shady. If we want to address the real problem, we need to enact serious privacy laws, not security theater, to stop our data from being collected, analyzed, and sold—by anyone.” He explored on the blog various kinds of bans, all of which would be ineffective or place Chinese-style restrictions across our internet. That message was lost on Congress, sadly. The UK ban is ineffective if you use your own Wifi or data provider, for example.

Who is Shou Zi Chew, TikTok's chief executive? | The EconomistThe relationship between TikTok and its parent company was explored in detail in this report done for the Australian Senate and released earlier this month. This was cited several times by various Congress members. The research found that ByteDance should be considered as a hybrid state/private entity, collaborating closely with the government on its operations. Chew made an effort to show TikTok’s independence from its parent and the Chinese Communist Party (CCP), an effort that fell on deaf ears and “didn’t pass the smell test” as one member said. The report looked closely at two days’ worth of content last November and compared the depictions of the CCP across TikTok when compared with what was posted on Twitter, Instagram and YouTube. While the researchers couldn’t assess the cause, they did find both Twitter and TikTok had more pro-CCP content than YouTube or Instagram.

Another issue is how TikTok tracks users across the internet. Consumer Reports did a report last fall that found hundreds of organizations sharing data with TikTok using tracking pixels and other canvas fingerprinting techniques. Before you sound any alarms, these are common for Facebook, Google, and numerous commercial websites, and TikTok’s tracking efforts are a small fraction of what these other companies do. Still Chew’s answers were less than satisfying in this area.

Much was made about the differences between the TikTok app we use in the USA versus the ByteDance app called Douyin that is only available in China. The excellent Citizen Lab issued a report last year that examined what data leaks from both apps. Not surprisingly, the Chinese app had more potential security and privacy issues, although the researchers said neither app had any noticeable malware characteristics.

So let’s answer some questions.

Is the TikTok app spying on its users? Not according to Citizen Lab and other security analysts. Could it become weaponized? Sure. But so could any other phone app.

What else should the government ban on its own phones? Well, if you are going to ban TikTok, how about deleting dozens of other apps that collect private data too? That is what France just did, or is trying to do. Good luck with that.

Will selling the company accomplish anything? Not really, other than improved optics. Look no further than Facebook to show misuse of data by a wholly-owned American company. Ownership doesn’t mean total control.

What about the Oracle Cloud migration? TikTok is making a big effort towards migrating its servers to the Oracle Cloud, and promises to keep all US data on these servers eventually. That clearly comes under the heading of “security theater,” since these servers can still transmit anything back to their Chinese parent company. Chew made a big deal about the Oracle project, but what he neglected to say is that any third-party code audit would be nearly impossible, since the servers started out in a pristine “bare metal” state and TikTok could put anything on them. I am not sure what is accomplished here other than having better app latency for US users. Again, a lot of effort to improve optics, but not much else.

What a security manager needs to know about chatbots

Posted on by
1

When I last wrote about chatbots in December, they were a sideshow. Since then, they have taken center stage. In this New Yorker piece, ChatGPT is called making a blurry JPEG of the internet. Since I wrote that post, Google, Microsoft and OpenAI/ChatGPT have released new versions of their machine learning conversation bots. This means it is time to get more serious about this market, understand the security implications for enterprises, and learn more about what these bots can and can’t do.

TechCrunch writes that early adopters include Stripe, which is using GPT-4 to scan business websites and deliver a summary to customer support staff; Duolingo built GPT-4 into a new language learning subscription tier and Morgan Stanley is creating a GPT-4-powered system that’ll retrieve info from company documents and serve it up to financial analysts. These are all great examples of how it is being helpful.

But there is a dark side as well. “ChatGPT can answer very specific questions and use its knowledge to impersonate both security and non-security experts,” says Ron Reiter, Co-Founder and CTO of Israeli data security firm Sentra. “ChatGPT can also translate text into any style of text or proofread text at a very high level, which means that it is much easier for people to pretend to be someone else.” That is a problem because chatbots can be used to refine phishing lures.  

While perhaps the prediction of the coming of Skynet taking over the world is a bit of an over-reach, the chatbots continue to get better. If you are new to the world of large language models, you should read what the UK’s National Cyber Center wrote about them and see how these models relate to the bots’ data collection and operation.

One of ChatGPT’s limitation is that its training data is stale and doesn’t include anything after 2021. But it is quickly learning, thanks to the millions of folks that are willingly uploading more recent bits. That is a big risk for IT managers, who are already fearful that corporate proprietary information is leaking from their networks. We had one such leak this week, where a bug in ChatGPT made public titles of user chat histories. This piece in CSOonline goes into further detail about how this sharing works.

My first recommendation is that a cybersecurity manager should “know thy enemy” and get a paid account and learn more about the OpenAI’s API. This is where the bot will interact with other software, such as interpreting and creating pictures, or generating code, or diagnosing human behavior as a therapist. One of my therapist friends likes this innovation, and that it could help people who need to “speak” to someone urgently. These API connections are potentially the biggest threat vectors for data sharing.

Gartner has suggested a few specific things, such as favoring Azure’s version for your own experimentation and putting the right policies in place to prevent confidential data from being uploaded to the botsCheck Point has posted this analysis last December that talks about how they can easily create malware, and further more recent analysis here.

Ironscales has this very illuminating video shown above on how this can be done. Also, to my earlier point about phishing, IT managers need to think about having better and more targeted awareness and training programs.

Infosys has this five-point plan that includes using the bots to help bolster your defensive posture. They also recommend you learn more about polymorphic malware threats (CyberArk has described such a threat back in January and Morphisec has specialized tools for fighting these that you might want to consider), and review your zero trust policies.

Finally, if you haven’t yet thought about cloud access security brokers, you should read my review in CSOonline about these products and think about using one across your enterprise to protect your data envelope.

Book review: Stalked by Revenge by Lynn Lipinski

Posted on by
1

Stalked by Revenge (Zane Clearwater Mystery Book 3) by [Lynn Lipinski]This is the third book in a series of mystery novels featuring Zane Clearwater, a character who has had a shady past. It can be read independently of the others and there is a fourth is in the works. The story centers on Clearwater’s family, including a gun-packing grandmother and a private detective who comes to the aid of the family to stop a revengeful assailant who starts out in prison at the story’s beginning. Lipinski’s descriptive prose is first-rate, and the various characters are well drawn, with some very realistic challenges in their lives. By the end of the book you will feel that you know them and have a lot of empathy for their circumstances. Fans of mystery novels will enjoy this book, and I highly recommend it.

Buy it from Amazon here.

How to know when you are ready to expand your career

Posted on by
1

“There may be nothing I’ve seen wreck the careers of high-performing, hardworking people more commonly than stepping into a manager role the person isn’t ready for,” tweeted Kieran Snyder earlier this month. The CEO of linguistic analysis firm Textio then follows up this with some very cogent remarks about knowing when to take that leap into management that really resonated with me.

This is because I faced a similar circumstance in my own career back in 1990, when I took the job to run Network Computing, a brand new computer publication. I have often mentioned that decision as a pivot point in my professional life in these essays, At that time, I was managing a group of about a dozen editors for PC Week — and this would be a big promotion to running an entire publication, hiring its entire staff, and learning how to get the magazine from words to a coherent whole. It shaped the rest of my career, to be sure.

I also addressed this topic a couple of years ago in this post about whether super coders should take the next step into management. It is worth reviewing that piece and listening to a discussion with Jaya Baloo and Troy Hunt on the subject.

Snyder lays out four important questions you need to ask yourself whether or not you are ready:

  1. Can you communicate complex expectations clearly? And behind this question is also holding people accountable — and avoiding eventual disappointments — for these expectations too. Even when you know this, it is still hard to achieve. “This is an issue I have faced, and often management fails to set clear expectations,” said Alan Elmont, who has been a recruiter and staffing professional for decades. “This has been particularly an issue with small companies or mid-sized companies that are growing too quickly.”
  2. Can you engage and mange conflicts well? Being fair in these fights is more important that being well-liked.
  3. Where do you fit in the scale between being a hero and being predictable? “Managers mostly do hero work to compensate when their team isn’t delivering,” she says. That could be caused by a variety of failures, such as unclear feedback or expectations or poor solutions delivery — or a combination.
  4. Finally, do you have the right combination of technical skills and a solid functional foundation to properly lead your team? That is a tough one to dispassionately assess, either by yourself or with your prospective hiring manager.

Now let me take another moment from my career when I got a job to run another publication. It was a major failure, and because I couldn’t do any of the first three things that Snyder mentioned above. I barely lasted a year there before being fired. I should have spent more time understanding the lay of the landscape and the management style of my eventual boss. Now, this happened years after my Network Computing anecdote, so you would think being older and more experienced I would have spotted the danger signs. But no, I was too caught up in the thrill of being chased for a new job. Live and learn.

While on the topic of career development, I had an opportunity to talk to a group of mid-career folks who are considering jobs in cybersecurity this week. You can see my slides below, and some of the issues that we discussed.

 

 

Book review: A Likely Story by Leigh McMullan Abramson

Posted on by
Reply

A Likely Story: A Novel by [Leigh McMullan Abramson]I really enjoyed this new novel which has characters and a plot line I found appealing, as a full time freelance writer for many decades.

The story is about a famous novelist and his ne’er-do-well daughter who is in her mid 30s, trying to figure out her life and try to finish her first book, which seems to have been started ages ago. It is set against the death of her mom, and interwoven we are privy to the draft of a novel (which plays an important role in the character’s lives without giving away any spoilers). The description of literary life in NYC and all its trappings and ridiculousness resonated with me, as do the challenges of 30-somethings.

The novel concerns the relationship of the famous writer to his wife and daughter, how the three of them collaborated on various projects, and the perception of the dad towards his family members. That is about all I can say in this review, but it is deliciously wicked, real, and poignant. Being related to the writer and enduring his oversize ego drives many of the plot points along. At one point the daughter feels that “writing was like being on a submarine, where she spent years being submerged, silent and secret, working toward the day where she would have something to show for all her time underwater.” The novel is interesting, amusing, and thoughtful and I highly recommend it.

Book review: All That Is Mine I Carry With Me

Posted on by
Reply

This novel by William Landay has plot points that approach numerous other thrillers — such as the missing title character in Gone Girl — but takes things just a bit further in telling the tale of a missing mom who is presumed killed by her husband. You hear from various family members in the first person, but again it is done to introduce some interesting plot twists that I don’t want to spoil you with here. Initially I was a bit annoyed by the mixed narrator style but came to appreciate it about halfway through the novel. The narrative arc covers decades as we move way beyond the actual missing/murder conundrum and into the finer aspects of the children and other family members’ personalities, relationships, and whether they think the dad did the deed or not. Having the dad as a criminal defense lawyer is also a nice touch too!. Highly recommended.

How is that right to be forgotten going?

Posted on by
1

Right To Be Forgotten – Chicago PlaysThe right to be forgotten isn’t part of the US Constitution, or for that matter in any other country’s founding documents. But it is part of the more recent regulations, which define how this data is collected, how it is processed, and mostly importantly, how and when it is erased. The phrase refers to where individuals can ask to have their personal data removed from various digital repositories under certain circumstances.

It is not a new term. Indeed, the EU got going on this almost ten years ago, eventually enshrining rules in its General Data Protection Regulation (GDPR), which have been around now for almost five years. This motivated a few (and I emphasize very few — so far that number is five) states here in the US to enact their own privacy laws, including California’s Consumer Privacy Act (CCPA) and others that mention the “forgotten” rights. Here is a handy comparison chart of what the five states have passed so far.

Security blogger David Froud also wrote about the issue more than four years ago. He pointed out then that the term forgotten doesn’t necessarily mean total erasure of your data, such as the hypothetical case of a convicted criminal in applying for a job. But then, should the stain of that conviction follow someone for the rest of their life? Hard to say. And this is the problem with this right: the subtleties are significant, hard to define, and harder still to create a solid legal framework.

What got me thinking about this issue is a recent survey by Surfshark of the actual progress of the forgotten actions across European countries. They found that residents of France alone accounted for a quarter of the actions recorded by both Google and Microsoft’s search portals, with England and Germany residents together accounted for another quarter of cases. These requests are on the rise since the onset of Covid, and both Cyprus and Portugal have seen a 300% increase in requests since 2020. Interestingly, Estonia (which is a leader in implementing all sorts of other digital tech across the board) had the largest proportion of cases with 53 per 10,000 residents. Compare that to Bulgaria, which had 5.6 requests per 10,000 residents. At the bottom of the page linked above, you can see references to the various search portals’ request removal forms, and yes, you have to submit separate requests for each vendor (here is Google’s link). The EU “suggests” that the process from request to its fulfillment should take about a month, but the way they word it means there is no legal response time encoded in the GDPR. According to the Surfshark report, millions of requests have been filed since the law went into effect.

As the authors of the survey say, “Time will only tell which countries will join the fight for online privacy and to what ends our data is private online. Is the right to be forgotten a universal truth or a way to hide the past indefinitely?” I don’t honestly know.

Temper the Surfshark report with the results of a Spanish university research study that looked at the 500 most-visited websites in that country. They found a huge collection of tracking technologies that were hidden from any user consent, with less than nine percent of the sites actually obtaining any user consent.

But tech doesn’t stand still, and the right to be forgotten has taken on new meaning as the rise of AI chatbots such as ChatGPT that can seek out and find your personal data as a way to train their machine learning models. As my colleague Emma McGowen mentions in her Avast blog from last month, there is no simple mechanism to request removal of your data once the AI has found it online. You don’t know where your data is online, and even if you do there isn’t any simple form that you can fill out to request deletion.

Note: OpenAI released this opt-out form after I wrote this essay.

If you have ever tried to put a credit freeze on your accounts at the four major credit bureaus, you have some idea of the chore involved here. At least there are only four places that process your credit data. There are hundreds if not thousands of potential data collections that you would have seek out and try to get any action. Chances are your data is out there somewhere, and not just in Google’s clutches but on some hard drive running in some darker corner. Good luck tracking this down.

So where does that leave this right to privacy? It is a good sign that more countries and some US states are taking this seriously. But, each state has slightly different takes on what the right means and what consumers can do to remove their data. And for those you happily chatting up your AI bots, be careful about what private info you have them go searching for, lest you unwittingly add more data that you don’t want others to find about you.

FIR B2B PODCAST #158: ANNA GRIFFIN ON MARKETING IN UNCERTAIN TIMES

Posted on by
Reply

We are back after a hiatus and speaking to Anna Griffin, who recently joined cloud storage provider Commvault as Chief Market Officer. Anna has held marketing leadership positions at Smartsheet, Intercom, Nortel, CA and Juniper Networks, among others. That longevity has helped her gain perspective in how to operate in good times and not-so-good times, and our interview explores what she has learned from these experiences.

Anna told us about how marketers have to be careful not to let their organization appear to be a cost center. Rather, they should believe and demonstrate that they are a necessary and valuable asset to the company. Take advantage of a downturn by leaning in and focusing on customers so that the company can craft a message that’s more relevant to their needs. She suggested that marketers should fight for their budgets and focus on high-value activities that will help the company grow. “Someone has to grow, even in lean times,” she said.

Anna spoke about how she has embraced many of the tenets of B2C marketing, even though she has spent more of her career in the B2B world. “I believe that is true since the beginning of time; we are selling human-to-human after all.” Maybe we should start using the term H2H?

“We should remove any frictions in the purchasing process by understanding that community is the new B2B playbook and that customers want things now,” she said. The sales organization needs to be part of the marketing effort, and marketers should be sure playbooks are coordinated.

Being a market leader isn’t just about touting your company’s presence on some “magic quadrant” because customers don’t buy MQs, Anna said. “We have to show more specifics about how we can solve the actual customers’ problems. This means we have to be more targeted in how we can add value for them on day one.”

Listen to our 19 min. podcast here.