Brightfly is pleased to announce that Managing Director of Research, Brandon Dunlap will be presenting at this exciting event brought to you jointly by (ISC)² and the International Association of Privacy Professionals (IAPP) on May 10th, 2011.

This event promises to be a day packed full of discussions on common threats and risks to online security and privacy.

In addition to Brightfly’s perspective on building “Guardrails on the Road to the Cloud”, you’ll also  hear from leading members of the security community as they address recent developments across a number of areas that include mobile communications and social media with a focus on effective techniques for ensuring online security and privacy.

This event will be held at the Sheraton Newark Airport:

Just click the button below to register for the event. Hurry, they fill up quickly!

Related articles:

1. (ISC)2 Secure San Diego 2011 Based upon the fantastic feedback on the Competitive Compliance material...
2. (ISC)2 Secure Chicago 2010 Please join Brightfly’s Managing Director of Research, Brandon Dunlap, on...
3. (ISC)2 Secure Chicago 2011 The Business Model of Security: Competitive Compliance v2.0 Built  upon...

With a focus on not just technical, but also management issues, the topics spanned industry and organizational strata across the security landscape. Because of the unique blend of attendees and sponsors, this was the ideal venue to begin a discussion about how to manage security responsibility across both the hosted or cloud environment and the traditional data center.

The genesis of this discussion began during the background research phase as we prepared for the (ISC)2 Web Roundtable, “Split Responsibility in Cloud Services“,  I moderated on June 24th, 2010. As with many of the events we are involved in, we found the audience questions outstripped our time allotted, so some questions remained unanswered. In chasing down many of the answers, I uncovered yet more questions. The Infosec10 conference was a fantastic opportunity to present our current findings for feedback and gather additional insights from the attendees. I’m looking forward to hearing more from them over the coming days.

I’ll be releasing our view on managing security responsibility across the fractured enterprise later this week, after I have some follow-up conversations with the fine folks I met in Nashville. Stay tuned.

No related articles.

Here in the US, many client companies we work with have been struggling through a “reconciliation” projects of one stripe or another. By reconciliation, I mean the cross-mapping of multiple regulations and industry best practices to one another as a sort of gap analysis for the controls that are being implemented in the enterprise. This practice has been pervasive for at least 5 years when we first began our Illumination project, (acquired by BindView in 2005, now a part of Symantec’s ITGRC offering) and continues to this day.

We have watched as vendors have not only promoted this problem, but have actively worked to solve it. There has been a sort of Cambrian explosion in the marketplace as vendors have ramped up the number of controls in the libraries of their products. Archer’s acquistion of Brabeion is a perfect example. In the press release, and subsequent media coverage, the addition of Brabeion’s controls library was touted as a key benefit of the deal.This arms race shows little signs of slowing as projects such as the Unified Compliance Framework are starting to show up in RFPs for tools in this space.

One of the things we have realized in our research is that having more controls to choose from is not necessarily better. From the end user’s perspective, having a product with a gigantic library of controls actually makes the problem more difficult, since there now needs to be a long and drawn out process of justifying and rationalizing the vendor’s content against the risk appetite and audit guidance within the organization. Having more controls implemented is also of dubious benefit, especially since it is not actually indicative of due care (what a reasonable person, in similar circumstances would do). This particular problem is the genesis of our latest effort, The Consensus Controls Project , a portal where organizations can anonymously share what controls, regardless of origin framework, that they are actually using.

Contrast this approach to what we saw in the UK. While there were many booths on the expo floor from the US heavyweights in the IT GRC space, and many UK-based start-ups, the attendees didn’t seem to understand GRC as a concept. The term itself was often met with confused looks that ended upon explanation (usually starting with defining the acronym). Nearly every person I talked to, regardless of organization type (public sector, private, publicly traded, etc.) or size, seemed to be focused on ISO and certification. They saw this as a stamp of approval on their security program by an independent outsider and one worthy of pursuing for competitive advantage. When pressed about other control frameworks, such as COBIT, we were quickly dismissed. What these people saw was a need to get back to basics. Considering our long held view that nothing has fundamentally changed in information security in nearly 30 years (except for the underlying technology, the basics still apply), this viewpoint resonated with us.

To sum up, what we found was that the people we talked to in the UK were more focused on picking a framework (in this case ISO’s) and working to be the best that they could be at managing to that framework, as opposed to cobbling together a controls environment from multiple frameworks and working to reconcile it internally.

No related articles.

Not all messages will resonate with, or be accepted by, all audiences equally. That means that the user population should be segmented into distinct groups, each getting targeted with messages that are tailored to their “demographic”. For even the largest of organizations, it is rarely necessary to segment beyond 3-5 target groups (for example: Executives, Middle Management, Employees).

Tailor the message

Since each group has their own worldviews (not just on security issues, but also on corporate culture, their standing in the organization, the requirements for their job, etc.) it is important to use language and messages that take these needs into consideration. A good place to start in crafting your message is to consider how you would approach conveying the topic to the target audience member in a conversation. Composite personas work well for creating “use cases” for the conversations. You can then work within the communications group to establish appropriate wording and the level of formality that is appropriate for each persona or group of personas if more than one is created for each demographic slice. You will also want to consider who the sending party is in each message. If you can “borrow” authority from the executives on an important topic, that might give the message higher receptiveness than one coming from Corporate Communications or Security.

Plan the campaign

According to some estimates the average person gets bombarded with 3000+ advertising messages per day. Since you are within the confines of your company, this number is lower since I am assuming you don’t allow major brands to put up billboards in your offices. The reason we are inundated with marketing messages is that it has been shown that it takes multiple attempts to reach us in order for the message to sink in. It has also been shown that utilizing multiple mediums increases this effectiveness. By taking a campaign based approach, you can target key messages across posters, brochures, e-mail messages, presentations, etc. to increase the retention of the material being offered.

Test the campaign

This is a luxury that allows you to craft a series of messages on a given topical area and deliver them over time. The benefit to this is that you hit each person with multiple instances of the same message, but each one should be crafted and communicated slightly differently. Each message then reinforces the previous, or hits where that one missed. With a defined messaging campaign, you can then test each message for its effectiveness against a target population. You can use tools you probably already have to search on the number of your messages that are sitting unopened, or in people’s trash folders on the mail server. This will help you better adjust your subject line to ensure they at least open the message, for example.

These techniques are just a start, but hopefully will offer you insight into a new and interesting way to view your awareness campaign and will give you an idea of how to define for the communication’s team how best to address the issue of getting the word out to the masses.

No related articles.

This is yet another fine example of how your geography and the cultures created by past experiences shape your views and responses to risks. I know many of my friends and colleagues in Houston, TX have similar views about hurricanes, especially after last fall when Ike caused widespread outages across the region. This has been a background topic of discussion for us since those first few events we held and since then, we’ve been wondering: What other sorts of concerns have others seen in their particular parts of the world and how has it shaped your views and actions on risk management?

No related articles.

What we find a bit surprising however, is that the vendor communiy, in some cases, is scaling back their outreach to their own customer base. In this case, Symantec has cancelled their annual Vision conference, opting instead to bolt it onto their ManageFusion event under the guise of an "expanded track" list in Vegas the first week of March. At the other end of the spectrum however, is McAfee, who appears to be going ahead with the show, in this case, their annual Focus event, also in Las Vegas.

While I fully understand the need to cut back on travel and expenses in this economy, it seems to me that curbing an opportunity to really connect with a wide swath of your existing customer-base at one time is just too good of an opporunity to pass up. The benefits of filling a room with the combined talent of your clients is a HUGE chance to gain valuable insight and direction about what is *really* keeping them up at night and what you can (or cannot) do to help them. also, in this crazy job market, providing an event where folks can cross-pollinate and make new contacts also serves a purpose and goes long way toward positioning the vendor as a trusted advisor. afterall, despite what your marketing department says, all business really is done between people…not companies.

For those of you attending either event, please reach out to us. We'd like to help you make the most of them while you are there and would love to know what you are expecting from your vendors as 2009 unfolds.

No related articles.

Now more than ever security professionals need to embrace reality, that reality is simply this, you will either adapt or you and your respective department will become marginalized or potentially eliminated.

The time has come for us to consider options that we may have not considered before, in short I believe partnership is the key to success, this partnership must be derived from all fronts. We must embrace the departments inside our firms, which can assist us in achieving our goals, additionally it is time to align with business partners that have the ability to operate outside the norm. 

It is my opinion that there are three keys to success in the current market conditions. The first is to focus on customer or consumer confidence, this will obviously shift as folks look to find margin in every aspect of their business, this includes the training, services and products you procure.

Secondly, now more than ever, as security professionals we (whether inside the four walls or as a service provider) must become the trusted business partner, this can and must be accomplished by providing intuitive business planning. Most of us have been there and done that, although these are new global conditions, we have seen pieces and parts of this before. Reflect on what actions enabled you to transcend those difficult times, your baseline is now close to being identified.

The last step is to ensure your department or service is invaluable, call it value added, call it cross selling, call it what you may. In the end, the tighter you are aligned with mission at hand the better chance of not only survival but also excellence. 

The immediacy of quality service is of essence, the need for knowledgeable staff has never been higher that now, your background should speak volumes but your actions are more relevant than ever before. If you have concerns, do not wait, ask your counterparts both in and outside of your firm for assistance.  There is no time for barriers in this global situation.

No related articles.

Brandon Dunlap [BSD]-We’ve had a lot of “boogeymen” in the past that have fueled security spending. Hackers, Russian mobsters, clueless employees, the list goes on. For the past few years, it seems as though Auditors and Regulators have been the enemy de jour. Do you think they will still be the driving force as the economy continues to slow and organizations look for ways to trim costs while adding additional protection?

Peter DiStafano [PJD]-I do believe highly regulated public companies will still, to some extent,  sustain security and compliance market spending.  I do believe that the enterprise segment will try to leverage what they’ve already spent to secure the infrastructure, but to do this well security and compliance management are required and I believe will continue to grow.  I don’t think the enterprise segment is going to spend dollars on security and compliance due to FUD in the market.  There will be more regulations, but they are all off- shoots of existing regulations, more detailed, less detailed, etc.  I believe that there will be more companies that will spend the time to evaluate the costs of a breach or some type of data loss vs. the cost of preventing them and make a dollars and cents business decision on whether it is worth the investment.   I believe that smaller companies that are emerging as tomorrows enterprises are not as sophisticated from a security perspective, and  will be one of the key segments that will fuel growth in security spending, along with the most sophisticated, most knowledgeable, large enterprises.  The difference is the largest most sophisticated enterprises require different solutions, more in line with implementing a single global IT GRC program.

BSD-After BindView was purchased by Symantec, we watched their product line sales triple within the first 12-18 months. Obviously, Symantec’s legions of salespeople had an impact on this by providing reach that BindView couldn’t match as a standalone company. Do you think the IT GRC market will continue to support this kind of growth and if so, what do you think the smaller players can do to gain market awareness in the face of juggernauts like CA, Symantec, and others?

PJD-The IT GRC market is growing fast, but starting from a very small base.  My experience has been that only the largest and most sophisticated enterprises know enough about their security environment, what their goals are, and where they have gaps.  My belief is that the upfront assessment of your security and compliance posture, mapped against company goals is the most important step in implementing IT GRC.  Smaller players are at a disadvantage to the juggernauts, as you mentioned above, however having key consulting services, experts who understand security, compliance, and IT GRC can be the difference maker.  Software alone will not get it done.  I think a smaller player that has these skills can grow, are growing in this space, fast or faster than the larger companies.  It is when those juggernauts get their consulting skills in order that the challenge will be a much more daunting task.

BSD-There has been a lot of talk about the convergence of physical and information security over the years and we are starting to see some interesting products come to market in attempts to bridge the gaps between the two sides of operations. Do think that the incumbent IT GRC players are going to be able to catch this wave and push it forward or do think it will continue to be a niche play supported by smaller/start-up companies?

PJD-This is an interesting question.  Today this convergence is, as you’ve mentioned, just a niche play, but the big companies are looking at this opportunity just as smaller companies are.  I believe this convergence makes sense, just as there is a convergence between compliance and security management is taking place today.  I think the rate of adoption will be gated on the cost/ROI, and the benefit derived from such convergence or integration.  I think a couple of big partnerships between physical security and information security vendors might also accelerate the adoption of the convergence.

BSD-Knowing what the various products in this market have to offer, where do you think the channel can add the most value and differentiate them from the pack and add the most comprehensive solutions for their clients?

PJD-I believe, after my previous answers to these questions, it should have become obvious how I will answer this one; up front consulting services.  Companies need help figuring out what they have, where the gaps are, and how to create a cost effective roadmap to build out a strong security and compliance program.  The focus should be on the company’s objectives, inclusive of external mandates.  There is significant money to be saved, and consulting can show companies, up front, the value of these implementations.  If you are a key resource to a project on the front end or the assessment phase, you should be as valuable through the entire implementation which will drag software and hardware.

In summary, don’t go in solving a SOX or PCI compliance problems, help them to define their objectives, inventory their environment, and then recommend a course of action.  My belief is that taking a PCI or Regulatory approach to have a discussion is OK, but if you are really going to add value, you need to show a company how the work you do to support a specific regulatory mandate, if done as a consolidated, singular effort, can be applied to the entire enterprise saving significant expenditures over time.

BSD-Based upon what you have learned over the past few years, if could start from scratch, what angle would you take with the IT GRC space regarding a go-to-market strategy?

PJD-I would have put together a tiger team of 8-10 highly skilled consulting resources and driven a go-to-market strategy that communicated three critical messages.

1. Reduce current costs for security and compliance.   I know this seems boring but this element has got to be there and you have to be specific in where and when those savings will be realized.
2. I would aggressively communicate the expertise that we bring to the table at every phase, and develop a true consultative partnership with companies.  I would leverage this tiger team and put them in front of these prospects, face to face, leveraging technology, thought leadership events, etc.  I would avoid the focus on selling boxes of software.
3. I would drive a message that all companies are not the same.  IT GRC should be implemented in steps based on where a company is on a maturity scale.  I would message our capability to bring them along over time based on meeting corporate objectives.  One company’s full blown IT GRC implementation might not look the same as another, but the one thing they will have in common is that they will have an IT GRC program built based on the corporation’s goals and objectives.

BSD-Thank you Peter for your time and insights. We are looking forward to what the market has to say about this space in the coming year.

No related articles.

KPMG

PwC (PricewaterhouseCoopers)

Deloitte and Touche

E&Y (Ernst and Young)

As always, we look forward to comments from the community about any items we may have missed or corrections in our reporting.

No related articles.

There is an old saying in the sales business: "People don't care how much you know, until they know how much you care." After all these years, I still believe that this is case for many of us practitioners. We want to see that the sales person isn't just spouting off of a marketing "cheatsheet". We want them to fundamentally understand what their solution means ot our operations. And that, takes a significant amount of investment on their part. That investment gains the trust of the already skeptical security person, and allows the sales person to continue to engage them in the future. I'll be more likely to take your call when I know that younot only understand my position, but that you have aligned your own interests with it. when we both have skin in the (same) game, then we can both work toward a common goal: my success.

Of course, this is a double-edged sword. If at anytime the sales person starts being less than genuine or truthful, or just as bad, introduces someone else into the equation (a partner, Product Manager, Regional Sales Director, etc.) that pegs the needle on my BS Detector, they go back to square 1. In especially egregious cases, they will never again get a reply to an e-mail, a phone call answered, or even a courteous 'hello' at a tradeshow. They have violated the trust that had been built and undermined their own poistion by takiing away the single most valuable thing I have: my time.

This is not an overnight thing. Just as with all relationships, it takes time to build trust. And a single person, ad campaign, webinar, or other communciation from your company can do a lot of damage. So, be careful what I get exposed to. Talk straight with me, and I'll let you in.

So Alan, keep having those conversations with your customers. Genuine conversations, about them, not you. And you will see the benefits emerge over time.

Until then, don't worry. I'll address how the community finds out about your products in another article.

No related articles.