Interview with a CSO

I was recently interviewed by the CISO Executive Network and my friend Bill Seiglein.

Perhaps others will find it interesting.

MEMBER INTERVIEW: Mark Silver – CSO at First Advantage

Q–What was your first job where infosec was part of the role?
A–I came to infosec in the late ‘80s as a journalist writing about technology and consumer applications. Security wasn’t a major focus then. In the ‘90s, I got involved in traditional infosec by joining a new government department in Queensland, Australia, focused on technology and its use in the enterprise. My team and I focused on R&D in the security space. We were one of the first organizations to conduct assessments and implementations of a Public Key Infrastructure (PKI), iris scanning, finger/whole-hand biometrics, retina scanning, and general network security. I saw a huge increase in security awareness after 9/11, and it was certainly one of the undivided centers of attention when I joined Siemens in 2003 as CISO for the Americas.

Q–Do you feel your role at Siemens, a large company, made an impact and reduced risk? 

A–I was fortunate to head a program I know was instrumental in changing how Siemens did business. The most fundamental change and the one I’m proudest of was introducing risk-based management to infosec using the principle of business enablement. When I got to Siemens, infosec was largely regarded as “those people who constantly say no to the business.” I adopted the mantra “information security is a process-proven business enabler.” It took about a year for us to live and breathe this, but all along I got good feedback from the business about changing attitudes.
And two technology examples: 1) introducing smart cards and PKI, which were instrumental in applying physical access controls consistently across business units to give executives who traveled a consistent way to enter multiple business areas; and 2) developing a comprehensive program to detect and remove malware. Remember, viruses and malware were among the biggest threats many businesses faced then. We also introduced critical application management and security zones to networks: the more critical the application and the more sensitive the data contained, the more rigorous the controls placed in the secure network zones.

Q–In your new role at First Advantage, both corporate and information security report to you. Can you share some pros and cons to centralizing both under one “roof”? 

A–I see only upsides. If both truly are symbiotic, then having both report to one place lets us implement strategic and systemic controls with the most potential for protecting information. As the business consolidates, rightsizes, and goes through exercises, having both functions collaborate with the facilities function lets the business minimize risks and maximize opportunities to use its workforce effectively—no more turf wars or confusion about roles and responsibilities. In short: the buck stops with me.

Q–As you assess the infosec landscape, what top 3 things should every CISO be thinking about? 
A–I’m a fervent believer in 3 priorities: 1. Every CISO should focus on ensuring that infosec enables the business while helping it understand, manage, and mitigate risk. 2. Every CISO should be a business leader first and a security strategist second. This means the CISO understands the business and its core processes–how it generates revenue, cash, and profit; the human capability and skill sets required to run it–and supporting technologies. 3. Finally, every CISO should leverage knowledge of the business and its processes to comprehensively understand and document risk and proposed mitigations, and to help the business execute those mitigations. If every CISO did these 3 things and was surrounded with talented security professionals, the business’s respect for our profession would skyrocket.

Arguments and intellectual dishonesty

There seems to be a trend among devotees of whatever dogma they pursue: “this is what I believe in/advocate for/is self-evident to me, but if you can’t see it, you must be stupid/lazy/moronic”.

Firstly, I have to admit this approach is entertaining, but also somewhat disheartening, mainly because it is *so* intellectually dishonest. And if you are reading this and getting angry because you think I am talking about your approach, well maybe I am. I don’t care if you are a right-wing fringe dweller, or a left-wing remote spectrum dweller, or a Christian, Buddhist, Hindu, Spiritualist, Jew, or some other religion. The obligation is on You to prove the validity/certainty or “truth” of your belief, proposition or theory. It is not on me/others to disprove it. (This is similar to the concept of proving beyond a reasonable doubt in criminal proceedings the *guilt* of the accused. It is not incumbent on them to prove their innocence.)

So, for example, if I were to say (please note the use of the subjunctive) that “I know for certain that the world is flat, and if you don’t believe that, you must be brain-washed by the left/right wing media and incapable of vaguely coherent thought”, I should have to prove to a high degree of veracity that the world is, in fact, flat. (And to be equally clear, I am using this as a hypothetical example rather than actually advocating this as a position.)

In my opinion, too many people hide behind political correctness, or intellectual dishonesty and pretend to adopt the moral high ground rather than adopt a more reasoned approach.

Anatomy of a Cyber Attack

During the past few weeks, I have been researching how attackers operate, whether they be lone-wolf hackers, crime-syndicate based, or State-sponsored, and I discovered that there are similarities between all the attacks.

Certainly, the less experienced usually shortcut some of the steps: but the serious attackers? Well, they know what they are doing, what they want, and how to get it undetected (mostly).

But this has always been a game of catch-up: security professionals design and implement a new technology, and the bad guys look for holes in the armor, weak spots, or ways to avoid it entirely.

Regardless, this presentation (in PDF format) is available for you to review and consider. Feel free to share it with your organization, your board, or your executives. Also feel free to contact me if you would like an executive briefing.

How ready is your organization to deal with a cyber attack? Or have they already compromised your organization and you don’t know it yet?

How companies screw up customer service

We all know that customer service is absolutely critical to establishing a reputation and a relationship with those people whom we would like to call our customers.


But so many companies do it badly. Let’s have a look at some examples:

“Your call is really important to us”. This would have to be one of the biggest annoyances to customers around the world. In fact, what your company is saying is “we’ve chosen the cheapest option in terms of an automated voicemail system, because we can’t possibly afford to pay a real person to pick up the phone to listen to you. However, our marketing department told us that we can’t possibly tell you that, so instead we’re going to launch this diatribe at you and hope that you believe it.”

Customers soon understand the meaning behind this recorded statement if you haven’t picked up the phone in the first 5 minutes! At this point, most customers are fairly convinced that you don’t really want to talk to them.

“Somebody will be with you shortly”. Now this would only be mildly annoying if it were in fact true. However, if you expect your customer to stay on the phone for more than 10 minutes, but tell them every 30 seconds that “somebody will be with you shortly”, you’re likely to get them seriously annoyed before a real person actually talks to them.

And what about my favorite: “please enter your 63 digit account number using the touchtone keypad followed by the hash symbol”. So, assuming that your eyesight is still capable of finding your 63 digit account number, and that you can read off the account number with one finger, hold the phone in the other hand and use your nose to punch in the numbers, you should be just fine. My challenge of course is that one of two things happens to me: either I lose my place at the 53rd number and cannot remember whether I am on the 52nd, 53rd, or 54th number, and now need to start at the very beginning. Or my nose is simply too large to press any one number at a time and I inadvertently press two or three. Of course the challenge will be that I won’t actually realize this until I get to the 63rd digit of my account number, diligently press the hash key, and the system repeats to me that it can’t find my account.

Now in the unlikely event that I have actually successfully entered my extremely long account number, and the system actually recognizes me, I invariably have the joy of having to speak to a customer service agent whose first words out of their mouth are “thank you for telephoning the Acme company. Would you please tell me your 63 digit account number?”

Naturally, I am starting to pull out what hair I have left.

So, after much snorting and gnashing of teeth, my adventure with telephone customer support will be at an end.

After all of this time, I am not so excited about talking to a company that doesn’t value my call, makes me wait, can’t sync the entered details between the automated system and the human, and then engages someone who can neither speak English particularly well, nor understand it.

Unexpected convergence of software and hardware

Photography has long been the domain of technology untethered to cyberspace.

However the release of the Nikon COOLPIX S800c and the $500 Samsung Galaxy point and click cameras herald a new direction: convergence of hardware and software interfaces for products that traditionally have not been in this space.

While it is a relatively new phenomenon, it should not be unexpected. Smartphones are a great example of early adoption: the integration of an operating system (a term fast becoming an anachronism), more popularly called things like “Jelly Bean” or “iOS”.

There are also conversations about computers becoming increasingly embedded into cars, not as hidden systems (such as those that control fuel injection) but as human-interactive systems that control things like self-driving and entertainment. http://usatoday30.usatoday.com/tech/news/story/2012-05-28/future-cars/54890066/1

I think few would argue that this is not a trend. It’s as inevitable as the Terminator saying “I’ll be back”!

If this is right, then the question for today’s business is how will this trend impact your products and services? Are you correctly positioned to leverage technology as a value add for your customers?

Equally, will you adequately address the myriad security, safety and privacy issues that such technology brings?

Sony Pictures’ Ultraviolet Columbiana doesn’t support iTunes

A scene from Sony Pictures’ “Columbiana”

So we just bought Sony Pictures’ Columbiana (great movie) and it includes an Ultraviolet copy.

Do you think I can get it into iTunes? Apparently not. So when I reach out to tech support for help, their basic response is “iTunes doesn’t support Ultraviolet content”. See below.

BEGINS

Dear Customer,

Thank you for your inquiry!

UltraViolet works on iPhones and iPads and many more devices (Windows PCs, Macs, etc.), but currently, the iTunes library does not support the listing of UltraViolet content. 

Sony Pictures currently supports streaming to iPhone/iPad/iPodTouch and download/streaming to PC and Macs. Check the website where you activated your disc for details and support of the necessary software. iPhone 4S and iPad2 can stream to Apple TV using the AirPlay mirroring feature (see http://www.apple.com/appletv/airplay.html for details). For Friends with Benefits, Smurfs, and other Sony Pictures movies you’ll need to contact Sony – https://ultraviolet.sonypictures.com/info/help_and_support

Flixster currently supports streaming and download to iPhone/iPad, PC, and Mac (and streaming to Android). For iPhone/iPad or Android you need to download the Flixster Movies app. Check the website where you activated your disc for details and support of the necessary apps. iPhone 4S and iPad2 can stream to Apple TV using the AirPlay mirroring feature (see http://www.apple.com/appletv/airplay.html for details). For Horrible Bosses, Green Lantern, Harry Potter and the Deathly Hallows Part 2, and other WB movies you’ll need to contact Flixster – http://support.ultraviolet.flixster.com

Please let us know if we can be of further assistance.

Thank You,
UltraViolet Customer Care
customercare@uvvu.com

ENDS

I and millions of other iTunes users have invested hundreds of hours and many $$$ into our movie collections. To find out that a movie I just bought doesn’t fit in with iTunes just irritates me. Not because I can’t get the movie into iTunes, but because it shows Sony is more interested in carving out its own little island in the digital universe and hoping consumers will play on their terms, rather than caring about consumers and what they need.

It’s an example of fracturing the marketplace and the technology platforms, not because it’s good for consumers, but because Sony (and I am sure that others will be on the same bandwagon) thinks it is good for their business.

So you can make up your own mind about whether it makes sense to use Ultraviolet copies of movies. For me, it’s a waste of time, and I certainly won’t spend my money on Ultraviolet copies. I’ll legally get my copies elsewhere.

Thanks Sony for your consideration.

P.S. Just got a response from Ultraviolet and here it is:

Dear Customer,

Thank you for your inquiry!

You will need to contact Sony Pictures for support regarding the necessary apps and requirements to download or play your movie on your mobile device or PC/Mac. 

Website: https://ultraviolet.sonypictures.com/info/help_and_support
Email: consumer@sphecustomersupport.sony.com

Please let us know if we can be of further assistance.

Thank You,
UltraViolet Customer Care
customercare@uvvu.com

I don’t know you, but I want your help…

Ever had someone be rude and just (try) waste your time?

What about the email that arrives from someone you don’t know that says: “Hi, I’m going to be in your area, and I want to book an hour of your time so I can tell you how great I am. By the way, if you are not the right person for my service, would you please do the research and find out who in your organization is the right person, and then let me know? And the sooner you can do it, the better.”

Or what about this one: “I know nothing about your business and haven’t done any research, but I’d like you to invest an hour of your time so you can tell me what you are working on so I can work out if I can sell you something?”

It might be that I’m just getting cynical, or just plain intolerant of rude people, but these examples regularly happen to me once a day (if not more). So I usually just delete the email and get on with my life.

But do you know what is really rich? When I get an email or voice mail that goes something like: “Hey, I’ve left you 2 emails and a voice mail demanding your time for someone that you don’t know and is of questionable value, and you haven’t returned my call. I’d really appreciate it if you got back to me pronto!”

Yeah, like, that’s going to happen.

I just don’t get it. What is it that makes people think they are so important that the rest of the world will stop what they are doing to give them not just one or two minutes of glory in the sun; no, they want an entire 60 minutes!

Would you go to a cocktail party, walk up to a complete stranger and say: “Listen, I am a great person and you should listen to me so I can sell you something.” Now that would be the fastest way to be labeled a boor.

So we wouldn’t do it in real life… but somehow we lose all common sense when it comes to email and suddenly decide that it’s really not all that bad. I’ll just pretty it up, which in this case is akin to putting lipstick on a pig: it’s still a pig no matter how you look at it.

Let me know if this has ever happened to you.