FIR B2B podcast #127: B2B SEO Secrets With Charley Spektor – Part 1

For the next two weeks we talk with Charley Spektor, principal at Saratoga B2B Group. Charley and his partner, veteran tech writer Paul Desmond, bring clients the one-two punch of SEO and content expertise for B2B lead generation. Charley was formerly lead managing consultant at Stone Temple Consulting for Home Depot, which has been one of the few great success stories of a brick-and-mortar retailer embracing e-commerce. In these two podcasts, we discuss what the elements of success are in a discipline that changes constantly, how B2B buyers use search differently than consumers, and how even small companies can dominate search results if they pick their targets carefully. Read this blog post about two recent Saratoga B2B customer success stories for further background on the case studies we discuss.

Listen to part 1 here.

CSOonline: The top 5 email encryption tools: More capable, better integrated

I have updated my review of top email encryption tools for CSOonline/Network World this week. Most of the vendors have broadened the scope of their products to include anti-phishing, anti-spam and DLP. I last looked at these tools a few years ago, and have seen them evolve:

  • HPE/Voltage SecureMail is now part of Micro Focus, which acquired it along with other HPE software products
  • Virtru Pro has extended its product with new features and integrations
  • Inky no longer focuses on an endpoint encryption client and has instead moved into anti-phishing
  • Zix Gateway rebranded and widened its offerings
  • Symantec Email Security.cloud has added integrations

In my post today, I talk about recent trends in encryption and more details about each of these five products.


RSA blog: The Digital Risk Challenges of a Smart City

One of the things that I like about our hyperconnected world is how easy it is to virtually attend just about any tech conference. Most conferences today have streamed or recorded sessions that are well indexed and of high enough quality. Today’s post is about a session at the RSA Singapore conference in July. Before I talk about that, let me discuss why I think Singapore is so important for IT security professionals.

I have been interested in the island nation since I gave a talk there more than 20 years ago. Back then I saw the beginnings of where the country could go with playing a key role in IT. My audience had folks who spoke more than a dozen different languages and who came from almost as many nearby countries. Since then, Singapore has invested big-time in its IT development, particularly with respect to smart city technologies: this is its fifth year of a series of major investments that include improving commutes, digital payments and secure identities. This year, the country will spend more than an additional US$1B in new smart city enhancements.

Part of these expenditures is in how the country has taken a page from the Israeli playbook. The nation has created various cybersecurity programs that are coming from a number of directions. For example, this summer it launched its third bug bounty program to improve its various digital services. And the government has helped to encourage startups with the incubator Innovation Cybersecurity Ecosystem@Block71, a partnership between the government, private investors and its National University. These government initiatives have encouraged others: in the past year, both BT and Cisco have opened up offices there to conduct research and support their southeast Asian customers.

Let’s turn to the RSA conference session that was led by President Rohit Ghai and covered issues on smart cities, privacy, and digital transformation by three panelists: Aswami Ariffin, Vishal Salvi and Andrew Woodward.

This panel is typical of the role that Singapore plays in that part of the world. It shows the diversity of nationalities and stakeholders that have to be assembled for successful cybersecurity solutions. If you watch the recorded video, you will first hear this panel express their concern about the cybersecurity toll that companies doing business in smart cities will have to deal with. Aswami Ariffin thinks that “we are opening the cyber floodgates with smart city implementations. We have to better understand the risks involved and make sure we have the right solutions.” He suggests that businesses look to partner and work collaboratively with government and communicate with the right stakeholders. Vishal Salvi pointed out that different industries have different cybersecurity implications when it comes to smart cities, both in terms of data risk and operations. “This could change conversations for their boards of directors, both in terms of basic cyber hygiene and infrastructure protection.”

When it comes to dealing with digital disruption, Andrew Woodward was concerned that many companies are still conducting business as it was done decades ago. “For many, their approach is still with a pre-digital mindset when it comes to risk management, with the justification that we have always done it a certain way.” Salvi mentioned that cybersecurity has always been behind IT innovation, particularly in the financial sector. “Now we have the sharing economy and connected cars where change happens in weeks, not months. This rate of change is putting pressure on CISOs and business owners to embed security while and where this change is happening. We have to provide agile solutions to support that transformation.” Ariffin gave his perspective for the appropriate role of government: “We don’t want to force businesses to create any white elephant projects. Our goal is to try to help private businesses over security hurdles and to educate them about other risks besides cybersecurity, such as with their operations and following regulations.” The Malaysian government has its Intelligence, Incidence and Investigation program as one of these activities.

Salvi mentions that cybersecurity should be front and center and set the foundation for any digital transformation future activities. But the price of doing nothing is also an issue. “Failing to do any digital transformation is the largest risk. You are looking at rapidly changing the foundations of your business models. We have to embed security in everything.”

Part of this challenge is when we empower users to take control over their data, it creates issues for security managers to protect this data and control appropriate access. “There is a tension between security and privacy, at some point we need a better balance,” said Salvi. “Eventually, the world will adopt better rights management and more common encryption methods.” Woodward said that this creates an “interesting tension with the drive to increase cybersecurity through regulation but we also want users to take control and be custodians of their own data.” This complicates how breach laws will be enacted and enforced, for example.

Given the dearth of qualified cybersecurity professionals worldwide, academia is rising to meet these challenges by changing the way it educates future cybersecurity workers. “The key is to be able to work together with industry and government to address the right problems,” said Woodward. They have also reworked their curriculum and have created more online classes, even at the master’s level. “It isn’t one job for life anymore. We call them ‘conversion classes’ and they are designed for workers to become cybersecurity professionals in mid-career. Nowadays, students want on-demand classes with content-rich media and don’t want to attend lectures. It is all about reskilling and upskilling. We want our students to have hands-on experience when they graduate, so they are ready to join the workforce.” His reach goes beyond the traditional four-year degree too. “We have programs for elementary school students to get them to think about cybersecurity as a career.”

This panel could have taken place just about anywhere on the planet: cybersecurity challenges and solutions are truly universal.

Understanding new non-money uses for blockchain

When it comes to thinking about blockchains, most of us automatically go to cryptocurrencies like bitcoin and Ethereum and think about money. How much are these currencies worth in US dollars? How much value have they gained or lost recently? It took two financially-related but non-monetary examples that I heard about recently to convince me that I was looking at the wrong part of the elephant.

Before I tell you about how I came to this insight I want to talk about the money part of blockchain first. I recently read Dan Conway’s new memoir, Confessions of a Crypto Millionaire. The book is now out, and I would urge you to get a copy and read it. Unlike many business books that quickly run out of ideas and out of steam after the first chapter, Conway’s tale about how he became an early investor in Ether is both a cautionary and celebratory one. You can read my review of his book here, along with some insights from the email conversation we have had over its launch. From these emails, Conway told me about an experiment by the UN with an Indian local land registry in Panchkula. The issue is trying to identify the rightful owner of a plot of land, particularly in the developing world where paper records are scarce or misfiled. The UN has built a registry based on Ethereum smart contracts to create a single source of truth of ownership status and property history. The buyer will be assured that the land being bought is the correct plot, and that the seller is unequivocally its owner. Everyone can see in near real time who owns what, improving accuracy and transparency. The system doesn’t require computer access or Ether wallets and works in the background to support land transactions. Similar projects are underway in title registries in the States and in other countries too.

Blockchain technology is being used in another interesting project as part of a new protocol from Kiva.org. I have been loaning money to various developing world entrepreneurs for a decade through this organization which funds millions of dollar-equivalents of such loans. I wrote about Kiva here in 2009 and since then have been active using their platform. Over the years I have funded 54 different people in more than 30 countries and loaned $1400. This was done with a very modest amount of “new money” because I very determinedly loan my funds when the original loans have been paid back. And what is interesting is almost all my loans have been paid back, with less than $30 lost from defaults, although some loans are paid in full but late. The way Kiva works, once you collect at least $25 back from your loan recipients, you can relend it to someone else.

Last year Kiva announced the creation of its own blockchain-based protocol, and last week announced its implementation in Sierra Leone. It will be available to the about 5M adults living there to use as an identity management device, based on their fingerprints to authenticate each person in financial transactions. One of the problems with many unbanked people is that there is no easy mechanism to verify someone who has no credit score, no previous financial history, no anything that you and I would consider part of our financial footprint. That is where the Kiva protocol comes into play. Whether it will work in Sierra Leone – or anywhere else – is still to be seen, but it is an interesting proof of concept. (I have yet to make a loan to anyone there, but you can be sure that I will look for someone to sponsor at the next opportunity.)

Being based on blockchain means there is no central repository of fingerprints that can be downloaded – they are stored in a distributed database that is created individually by each person. That was a hard concept for me to wrap my head around for some reason, but it makes sense when you think about it. The key design question is what actually gets written to the ledger: a raw fingerprint scan, or only a credential or hash derived from it. A fingerprint, unlike a password or a PIN, cannot be changed if it leaks, so it matters. It might be possible to decode an individual transaction to recover a single person’s data, but doing that on a large scale would be difficult. Certainly, it would be a lot harder than just accessing an unprotected AWS S3 bucket, for example.

We are still in the brave new world of blockchain, to be sure. Expect to see other innovative ways to use identity and distributed databases in the future that have nothing to do with the bitcoin exchange rate. We certainly live in exciting times.

Review of “Confessions of a Crypto Millionaire”

You probably have read your fill of business books. Author tries to make it big, leverages tons of his money and time, hires the wrong people, fires them, then goes it alone before striking it rich and motoring off into the sunset in some expensive car. Dan Conway’s Confessions of a Crypto Millionaire is not one of these books. Most business books offer just enough advice to fill a chapter, maybe two. Conway has a lot more to say about his obsession and investments in cryptocurrency, in particular Ethereum. Over a period of several years, he used his home mortgage equity loan and borrowed additional funds because he believed blockchain held the future model for decentralized corporations and the way that we will all work together. He ended up cashing out $14M ahead. It is his obsession that drives the book’s narrative, along with the crazy up-and-down valuation of Ether, where you can gain and lose millions in a matter of minutes.

What isn’t in this book is also notable: sordid tales of wretched excess of “tech-bros partying on yachts” or trashing expensive Vegas hotel suites. Conway is a father of three, and still married to their mother.

Confessions is a refreshing tale about Conway fighting his demons, his addictions (alcohol and pills), his insecurities, and his almost always-on self-destructive alter-ego he calls his “Flip Side.” This side rears its ugly head during client presentations where he fumbles and fails and during periods of self-doubt when he tries to reassure himself his huge bet on Ether isn’t about to land him in the poor house.

“The book forced me to make sense of how my addictive personality played a part in my undoubtedly reckless crypto investments,” he told me via an email interview. He is part visionary, buying Ether at a time and at a level few people had the courage, vision, or just dumb luck to do. “It took everything admirable and loathsome about me to make the plunge into Ether. The loathsome part includes my addictive personality. While betting everything was an extreme risk, all risk requires insight, courage and maybe a little recklessness.” He hopes his story will get others to think about how they formulate their own risk taking.

Conway starts out his story “working for the man,” doing marketing and public relations for large corporations, one of which he calls Acme. He wasn’t a good fit as the organization man, to be sure. And since his windfall with Ether, he is unlikely to return to corporate America “unless we suffer a financial catastrophe.” He still believes that the decentralized blockchain can disrupt the traditional corporate power structure and has a lot of merit as an organizing principle. One example he cites is MakerDAO, where ordinary folks can originate loans and handle other financial transactions without any financial institutional limits. It could pay off; it could fall flat: that is the challenge of cryptocurrency.

One aspect of his book is dealing very honestly with two situations: first, with his addictions. “This undoubtedly played a part in my reckless crypto investments, and writing the book helped force me to make sense of it all.”

Second, the book also describes how his financial windfall changed his family dynamics and the relationships with his circle of friends. Even though Conway lived in Silicon Valley, he was very firmly rooted in the middle class before he made it big with Ether. He writes: “Crypto was suddenly like an overexposed celebrity, and everyone was rooting for it to fail,” but then realizes, “one of the bittersweet feelings about making a bunch of money is that you can’t bring your (less fortunate) friends with you.” That takes some adjustment, both for him and his family. Still, don’t be too sad: Now he takes long exotic vacations, buys his kids “name-brand clothes” instead of Sears knock-offs, and does car pool duty with a vengeance. “It’s absolutely nice to have the car-ride conversations rather than pinning all parent child bonding on the ‘how was your day?’ question when everyone is exhausted.” True dat.

Conway is committed to Ethereum because of its disruptive ability to change the way companies operate, the way companies get VC funding (the parts about the ICO shysters are worth reading alone), and the way the early pioneers — among whom Conway counts himself — had to try to separate the criminals from the legit businesses. This book is well worth reading, even if your own exposure to bitcoin and other cryptocoins is minimal.

FIR B2B podcast episode #126: unintended consequences

This week Paul Gillin and I discuss three examples of unintended consequences for B2B marketers that showed up in recent business marketing literature. Our first piece, which appeared in B2BMarketing.net, highlights a recent survey by Acoustic that found a jump in email open and click-through rates in the past year – and in some cases a pretty substantial jump – thanks to new privacy regulations in the EU and elsewhere. The rules have forced marketers to hone their messages and to produce more precise email campaigns, which has resulted in better engagement with recipients. Talk about silver linings!

Next, we found a year-old survey from the British Marketing Week that found the influence of the marketing organization drops as brand value grows. This could be caused by several factors, including not understanding how customer acquisition and retention work or the fact that many marketers are still loath to employ data-driven technologies.

Finally, Inc. looks at a Harvard study about the unintended consequences of doling out awards to your staff. The researchers found that awards can have the revenge effect of actually de-motivating employees. Reasons include the unintended social cost of being singled out or employees slacking off once they realize they’re exceeding expectations. Businesses need to consider the reason people do the things they do and dig deeper to find out rewards that have more than just recognition value.

This could be an underlying reason why Facebook is thinking about hiding the “Like” counts on its posts, according to TechCrunch. Facebook says it wants to protect users from envy and dissuade them from self-censorship.

You can listen to our 13 min. podcast here.

Desperately seeking contactless credit cards

Lately I have become obsessed with contactless credit cards. This started about a year ago, when I was in London and tried to pay for a sandwich with my American credit card. I thought I was in the clear since it was a card with an embedded chip. This is a technology that is still so new in the States that many card terminals still can’t read these cards, despite the card networks’ liability shift that has been pushing merchants toward chip readers for several years. At what I would call the deli in London, my card didn’t work: the only way to pay was either pounds – the money version — or using a contactless card.

Contactless is big in the UK, as I found out – and probably in many places all over the world too. We are often the last to adopt new banking tech in America, despite our prowess in other areas. You can pay for your train ticket with contactless, and in many other vending machines, as an example. It made me feel like I was coming from a third-world country with my shiny new chip-enabled credit card.

But all wasn’t lost: I quickly figured out that I could use my phone and Apple Pay, and I could eat my sandwich. All you need to do is load your normal credit card into your Apple Wallet and you are good to go. Are the two the same? Not completely, but generally at a credit card terminal in the States you’ll see the Apple Pay and contactless icons side by side, indicating that both are accepted.

Why the need for contactless? It is all about security: since your card never leaves your grubby hands, no one can surreptitiously copy it. Yes, a hacker could monitor the radio exchange around the card reading equipment, but what the chip sends is a one-time cryptogram tied to that particular transaction, not the static account data that a magnetic stripe gives up to anyone who swipes it. Capturing it is a lot harder and more expensive problem to solve than a waiter carrying a portable card reader in their pocket to collect data from a bunch of cards, and the captured data is far less useful.

Back in London, just in case, I made a trip to the local ATM, and got some pounds. But it bugged me that I didn’t have an actual contactless card. That got me started into looking for a bank that offered them. I quickly found myself down the rabbit hole of poorly designed banking websites and quickly got frustrated, so I dropped the project.

Then three things happened last week that renewed my interest in contactless cards. First, I began reading more about the latest card skimming exploits, particularly from criminals targeting gas stations. These skimmers are small devices that are placed literally over the card reader at the pump and collect your account information from the magnetic stripe on the back of your card. The criminal then collects this data and sells it to others. Brian Krebs writes frequently about skimmers, if you want to read more.
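To make the contrast between a skimmed magnetic stripe and a sniffed contactless tap concrete, here is an added example in Python; it is not code from the original post or from any card network, and it is a simplified model rather than the EMV specification (real cards derive a session key from a per-card master key and the transaction counter and compute a 3DES or AES MAC; HMAC-SHA256 stands in for that here, and the card numbers, keys and amounts are constructed test values). The issuer accepts a replayed copy of static track data outright, while a recorded contactless cryptogram is rejected because it is bound to the terminal’s challenge and to a counter the card only ever increments.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Simplified model, not the EMV specification: HMAC-SHA256 over the transaction
# fields stands in for the real ARQC MAC, and all card data below is constructed.


def _cryptogram_input(pan: str, amount_cents: int, atc: int, un: bytes) -> bytes:
    """Fields the cryptogram is bound to: account, amount, card counter, terminal challenge."""
    return b"|".join([pan.encode(), str(amount_cents).encode(), str(atc).encode(), un.hex().encode()])


@dataclass
class MagstripeCard:
    pan: str
    expiry: str
    service_code: str

    def swipe(self) -> dict:
        # Track data is static: every swipe (and every skimmer) sees the same bytes.
        return {"track2": f"{self.pan}={self.expiry}{self.service_code}"}


@dataclass
class ChipCard:
    pan: str
    master_key: bytes  # shared only with the issuer; never leaves the chip
    atc: int = 0       # application transaction counter, increments on every tap

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        self.atc += 1
        arqc = hmac.new(self.master_key, _cryptogram_input(self.pan, amount_cents, self.atc, unpredictable_number),
                        hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc, "un": unpredictable_number, "arqc": arqc}


@dataclass
class Issuer:
    keys: dict                                        # pan -> master key for chip cards
    known_pans: set = field(default_factory=set)      # accounts on file for stripe transactions
    last_atc: dict = field(default_factory=dict)      # highest counter seen per pan

    def authorize_magstripe(self, track_msg: dict, amount_cents: int) -> bool:
        # Nothing in the message proves the physical card is present: a copy is as good as the original.
        pan = track_msg["track2"].split("=")[0]
        return pan in self.known_pans

    def authorize_chip(self, msg: dict, terminal_un: bytes) -> bool:
        key = self.keys.get(msg["pan"])
        if key is None:
            return False
        if msg["un"] != terminal_un:            # cryptogram was made for a different terminal challenge
            return False
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):   # counter reuse means replay
            return False
        expected = hmac.new(key, _cryptogram_input(msg["pan"], msg["amount"], msg["atc"], msg["un"]),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["arqc"]):   # forged or tampered fields
            return False
        self.last_atc[msg["pan"]] = msg["atc"]
        return True


def replay_skimmed_magstripe() -> bool:
    """An overlay skimmer at the pump copies track 2; the copy is presented later and is accepted."""
    issuer = Issuer(keys={}, known_pans={"4111111111111111"})
    card = MagstripeCard("4111111111111111", "2512", "101")
    skimmed_copy = dict(card.swipe())          # what the criminal captured and resold
    return issuer.authorize_magstripe(skimmed_copy, 5000)


def replay_sniffed_contactless() -> dict:
    """An attacker records one tap over the air and tries to reuse or alter it."""
    key = os.urandom(16)
    card = ChipCard("4111111111111111", key)
    issuer = Issuer(keys={card.pan: key})

    un1 = os.urandom(4)                        # terminal's unpredictable number for the real tap
    recorded = card.generate_cryptogram(599, un1)
    legit = issuer.authorize_chip(recorded, un1)

    un2 = os.urandom(4)                        # another terminal issues a fresh challenge
    replay_other_terminal = issuer.authorize_chip(recorded, un2)
    replay_same_terminal = issuer.authorize_chip(recorded, un1)   # even with the same challenge, ATC is stale

    un3 = os.urandom(4)                        # attacker fakes a new counter and amount but lacks the key
    forged = dict(recorded, amount=99900, atc=recorded["atc"] + 1, un=un3)
    forged_amount = issuer.authorize_chip(forged, un3)

    return {"legit": legit, "replay_other_terminal": replay_other_terminal,
            "replay_same_terminal": replay_same_terminal, "forged_amount": forged_amount}


if __name__ == "__main__":
    print("skimmed stripe accepted:", replay_skimmed_magstripe())
    print("contactless outcomes:", replay_sniffed_contactless())
```

What the model shows is replay resistance, which is the property that makes a skimmed copy worthless; it does not make the account number secret, since a contactless card still answers any reader in range with its number and expiry date. The practical gain is that an eavesdropper cannot turn what it heard into a working clone, which is exactly what the pump skimmer relies on doing with stripe data.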

I thought it might be useful to find local gas stations that use Apple Pay to better protect myself. Unfortunately, this became another project of searching poorly designed websites. For example, here are two that can help you locate contactless merchants: Square has this page for Apple Pay-enabled merchants and Mastercard has this page for merchants who accept contactless cards.

If you start looking around when you get gas, you will see few pumps that support contactless; by one estimate, fewer than one percent of them in the US currently accept contactless payments.

I was once again motivated to go contactless especially when I heard that Apple Card was now available. This is a contactless credit card offered through Apple and Goldman Sachs. It doesn’t even have its card number printed on it. Instead, it is designed to operate with your iPhone’s Apple Wallet. Apple has done its usual great job when it comes to the experience of applying for and getting a credit line. This took me about three minutes. Maybe less, I wasn’t really timing it. What makes it so fast is that Apple already has most of the information it needs for your application, which is for another story. And while the Apple Card has its issues (you can’t do joint cards with your spouse, for example) it is an interesting concept.

While I was getting my Apple Card I saw that a new type of bank branch opened in my neighborhood from Commerce Bank. The branch is the first one that has a fancy new type of ATM that also includes a video conferencing link with a banker. I made an appointment to go visit the branch and talk to a banker about what they offered. One of the reasons I also wanted to talk to them is because Commerce offers contactless cards on all of its credit and debit cards. Needless to say, it took longer than three minutes to apply for one in person.

So now I have lots of contactless options. I am certainly ahead of the curve here at home: it is easy to find stores that don’t accept them more than those that do. But at least the next time I am in London, I will be able to pay for my sandwich.

Channel Futures webinar: Should you sell SOC-as-a-Service?

For MSSPs, offering security operations centers as a service can be a very profitable proposition — enough to offset the high cost of staffing and software. Given that a recent ESG survey showed 53% of enterprise IT pros have “a problematic shortage” of cybersecurity skills at their organizations, demand for SOC expertise is strong.
In this webinar, I will explain how MSPs and MSSPs can approach this opportunity from a variety of directions, such as combining managed security event, threat detection and endpoint security. I’ll look at what services are required and how they can be packaged, what the existing marketplace looks like, and the best vendors to partner with. (reg. req.)

During the webinar, I also mention a Ponemon study that has some additional data about SOC usage and the problems with retaining trained staffers, one of the many reasons why companies are looking to outsource their SOCs.


Beware of algorithms

You probably wouldn’t expect a series on appropriate use of technology to appear on the English Al Jazeera channel, but that is what I am going to tell you about in today’s post. I have been watching a lot more of their news coverage, looking for a place to obtain some “other” news than the continuing political fascination that our American stations offer up these days. So check out the series, entitled All Hail The Algorithm, where you can find links to the five episodes here.

The series is the work of Ali Rae, a British producer for the channel. She travels the world in search of algorithms that have gotten out of hand. While some episodes are a bit uneven, she does a great job of interviewing primary sources including researchers, tech vendor representatives, and rights and privacy advocates to present a very interesting hour or so of TV.

The first episode is all about trusting the decisions encoded in algorithms. Rae highlights the Australian welfare system and how its algorithm disputed payments made over many years. Computers automatically sent dunning letters to thousands of citizens, in what came to be called robo-debt.

The second episode, which focuses on Facebook’s abuses, is the weakest, and most of you have probably already read enough about troll farms which have harvested likes and retweets.

The third episode covers the abuse of social media bot networks and how bad actors, in the pay of various political parties, are flooding these networks with incendiary posts that literally inflame passions and have caused all sorts of trouble around the world. This one struck home for me: we have seen (to coin a phrase) the growth of intolerance of people on both sides – both liberals and conservatives – to try to block freedom of expression. Many of the resulting demonstrations and protests are generated by social media ads and misrepresentative posts.

The fourth episode is about the potential abuse of biometrics. The vast majority of British schoolchildren now have their biometric data recorded for easier access to their lunches and libraries. And the UN is using biometrics to make it easier for refugees to access food and money supplies in the camps. The issue here is that once you give up your biometric data, you have no control over how it is used, and more importantly, abused. While the UN representative interviewed in this episode says they are trying hard to prevent security breaches, it is only a matter of time. Actually, last week’s BioStar 2 exposure is a good example of how this could go horribly wrong. Fingerprint and facial recognition data of users of this biometric access control platform, which runs “smart locks” for buildings, was found sitting in an unprotected database online, and unlike a password or a PIN, that data can’t be changed once it is out. As Rae points out, biometric tech is being developed faster than any regulatory efforts, and the lack of transparency by the biometric vendors is alarming.

The last episode is about UI designers, privacy policies, tracking cookies and informed consent. Again, for many of you, this has been covered extensively but Rae interviews a couple of sources that have a few new things to say.

Overall, I learned a few new things from the series and think it is worth your time to watch all of them. Take a gander at what Rae has put together and feel free to share your comments here.


RSA blog: How many C-level execs own your security infrastructure?

Security expert Lesley Carhart tweeted last month, “If you’re a CEO, CFO, or CIO, you’re directly responsible for the caliber of cybersecurity at your company.” During the RSA conference in Singapore a few weeks ago, RSA’s CTO Zulfikar Ramzan described several different C-level executives who could have direct responsibility for some portion of your security infrastructure:  CEO, CIO, CSO (or CISO), CTO, and the Chief Data Officer. If three is a crowd, then this is a herd. Or maybe a pod, I never really learned those plural descriptors. And that is just the top management layer: for a large corporation, there could be dozens of middle managers that handle the various security components.

From the IT folks that I have interviewed over the years, this seems sadly all too typical. And that is a major problem, because it is easy to just pass the buck (or the token or packet) from one department to the next. Even something as simple as your firewalls could be an issue. You might think that they clearly are run by your network administrator. But this person could report to the CIO or the CTO or maybe there is that dreaded “dotted line” responsibility so the network admin needs to report to both of them. That can get messy.

What I am saying here is that security should be everyone’s responsibility, and not just the executives but the worker bees too. This is not a new idea. This post lists four reasons why:

  • Humans are always going to be the weak link
  • Tech is continually evolving, and everyone needs to stay on top of these changes
  • Our hyper-connected world magnifies mistakes
  • Our data privacy is under siege

But if the various execs can’t sort this out on their own, how do you expect your rank and file to get a clue?

Here is a short test to see how you have distributed your security responsibilities across your enterprise. Try to answer these questions truthfully.

  1. Who owns the breach response? When a breach happens, who is in charge, meaning who directs the deployment of resources and analyzes the investigation and mitigation?
  2. Taking the answer to the first question, is this the same person that owns a response to an accidental data leak? Or a leak that is done on purpose from a rogue employee? If they are two (or more) different execs, why?
  3. Who owns the day-to-day security operations, whether that be a SOC, NOC, SOC-as-a-Service, or some combination of those entities?
  4. If one of your C-level execs doesn’t follow best security practices, can you do something about it? What if it is the CEO who doesn’t ever change his default password?
  5. If you move a server out of your data center and spin it up in some cloud service, how many executives have to approve that move? And who takes ownership of the server afterwards?
  6. You probably have a few desktops that are running Windows 7 (or even older versions). Do you know how many outdated desktops you have? This isn’t completely a rhetorical question, given the research that shows that more than 800,000 endpoints are still unpatched against BlueKeep and could be exploited. Whose budget pays for these updates? Whose budget pays for the endpoint protection software and keeps track of those PCs that haven’t been properly protected? If these are three different folks, how do they communicate in the time of a crisis, such as in the aftermath of a successful phishing attack?
  7. Speaking of phishing, let’s say you want to establish a regular phishing awareness training effort. Who picks up that tab, and who handles the problems that are uncovered?

I hope you can see a pattern emerging: Chances are, the same person might not be involved in the problem and its resolution. That is what the bad actors count on: they can drive a wedge between these departments. This is how exploits can happen, and how your company can end up in trouble.

By now, you know that I don’t just raise issues, but try to provide some solid action items and offer a few practical suggestions on how to fix things. Your mission, should you decide to accept it, is to try to align responsibilities to be more effective in managing your IT security.

First, develop a clear line of authority between different departments to handle breaches, leaks and exploits. Next, have a game plan when it comes to breach response, rehearse it regularly, and make sure that you update this plan as people or equipment change to keep it current. Third, security budgeting should be a joint exercise among the desktop, network, apps, data owners, legal and server department heads. It makes no sense to favor one over another: we all have to learn to share. Finally, in this spirit, identify where your information silos have been built and start thinking about ways to tear them down, encouraging cooperation and collaboration to reduce your overall risk profile. That is a lot of work, to be sure, but it is needed, and there is no time like the present to start.