Archive for the ‘Technology’ Category

Do you have a business need for DLP?

February 19th, 2010, by admin

“To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.”

The Book of Balance and Harmony (Chung-ho chi), a medieval Taoist book

Will security vendors, large to small (Symantec, McAfee, nexTier, ANBsys and others), succeed in restoring balance and harmony to their customers by relabeling their product suites as unified content security (Websense) or enterprise information protection (Verdasys)?

I don’t think so.

Unfortunately – data security is not an enterprise suite kind of problem like ERP. You don’t have harmony, synergy and control over business process; you have orthogonal attack vectors:

  • Human error – cc’ing a supplier by mistake on a classified RFP document
  • System vulnerabilities – Production servers with anonymous file transfer protocol (FTP) turned on
  • Criminal activity – Break-ins, bribes and double agents (workers who spy for other groups or companies)
  • Industrial competition/breach of non-disclosure agreements – the actuary who went to work for the competition

After 5 years of hype, most customers have a high awareness of DLP products, but fewer (especially outside the US) are buying DLP technologies and even fewer are succeeding with their DLP implementations. This stems from the inability of customers and vendors to answer two simple questions:

  1. Who is the buyer?
  2. What is her motivation to protect information?

A common question I hear from my clients is, “Who should ‘own’ data security technology?” Is it the vice president, internal auditor, chief financial officer, CIO or CSO, our security consultants, or our IT outsourcing vendor, IBM Global Services?

If there is no clear business need for information protection (the kind that a CEO can enunciate in a sentence) – the company is not going to buy DLP technology.

The business need for data security derives directly from the CEO and his management team. In firms with outsourced IT infrastructure, the need for data security becomes more acute as more people are involved with less allegiance to the firm.

To help qualify an organization’s business need for DLP technology, let’s examine the decision drivers, or what compels companies to buy data security products, and the decision-makers, or those who sign off on the products. Let’s look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.

Industry / Typical data security drivers / Decision-makers

BANKING
  Typical data security drivers:
  • A real event, such as theft of confidential customer account information by trusted insiders
  • Privacy regulations such as the Gramm-Leach-Bliley Act, HIPAA
  • The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events
  Decision-makers: CSO or CIO

CREDIT CARD ISSUERS
  Typical data security drivers:
  • Ongoing theft of customer transactional information by customer service reps
  • Data breach threat to credit card numbers that haven’t yet been printed on plastic cards and issued to card holders
  • Privacy regulations, Sarbanes-Oxley, nondisclosure agreements with business partners
  Decision-makers: The security officer or information security officer (many issuers have separate functions for physical and information security)

INSURANCE
  Typical data security drivers:
  • A real event, such as theft of customer lists by competitors
  • Fear of losing actuarial data
  • Exposure to data leakage of credit card numbers in online systems
  Decision-makers: General counsel, VP of internal audit, CFO

PHARMACEUTICALS
  Typical data security drivers:
  • Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders
  • Difficulty in preserving secrecy of sensitive intellectual property prior to patent filings
  • Sensitivity of company records during due diligence processes
  Decision-makers: General counsel, CFO, chief compliance officer

TELECOM/ONLINE BUSINESS
  (Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.)
  Typical data security drivers:
  • Prepaid code files
  • Pricing data
  • Strategic marketing plans
  • Call detail records (analogous to credit card transaction records; these are typically leaked by customer service representatives to private investigators and are difficult to detect)
  • Customer credit card records
  Decision-makers: VP of internal audit, VP of technologies

HEALTH CARE
  Typical data security drivers:
  • Privacy regulations/HIPAA
  • Need to protect pricing data of drugs and supplies purchased by the health care organization
  Decision-makers: CSO, VP of internal audit

TECHNOLOGY COMPANIES
  Typical data security drivers – theft of:
  • Source code
  • Designs, pictures and plans of proprietary equipment
  • Strategic marketing plans
  Decision-makers: CEO, CTO

Is social media crap for business?

December 22nd, 2009, by admin

A recent post by Kevin Conway on LinkedIn drew over 500 responses to his somewhat dramatic statement that Social Media for Business is CRAP:

Maybe because my feeling for the hyped-up benefits of social media was recently confirmed by a top millionaire online guru. If you follow the most successful gurus his name is always at the top of the list. As a matter of fact, he was the first online entrepreneur to make a MILLION $$ in a day. That said, recently he published a PDF where he said “I think social media Su-ks”. When I read that I felt a sigh of relief, “maybe I am not off the tracks after all”. You see when you don’t “follow the pack” you tend to sometimes feel like you are going down the wrong path or at least missing an opportunity. Now, I must admit I use all the major social media outlets including Twitter, Facebook, Squidoo, etc, etc. However, not for direct marketing. And, even though I publish new product releases on Twitter, analytics tells me no convertible traffic comes from that source or Facebook. My primary use of social sites is for building backlinks, but that is for SEO purposes. And, of course the added exposure. i.e. “branding” doesn’t hurt.

I believe that there are several fundamental principles that Kevin and over 500 responses ignored:

ONE – “The media must fit the product”
If you are pitching 6 figure enterprise rights management systems on Facebook – then, yes – social media is crap. But if you are pitching consumer/personal oriented products – like fitness, fashion and self-improvement – you are in the right channel. And even though they are at the long tail – do not forget that even the geekiest IT managers are on Facebook and they are always in buying decision mode.

TWO – “Social software is not Social media”
It is a common misconception to confuse open undifferentiated/uncontrolled social media like Twitter and Facebook with social networking software which is used for the most serious and professional applications from catching terrorists to helping medical sales professionals interact with their doctor customers.

Social network software can be used in serious B2B domains leveraging the network effect to generate 10x customer contacts – since it works in parallel – not in serial.

THREE – “Better to market to targeted people than to undifferentiated keywords”
My own experimentation using Twitter to build B2B communities in a particular niche showed me dramatically that social media is 3 orders of magnitude more effective at generating leads than google adwords.

The reason is simple – people with well defined interests are much better targets than content keywords.


Pharmaceuticals and Kirby vacuums: The last bastions of door-to-door sales?

October 21st, 2009, by admin


My research article on “Social software – Reconstructing the market boundaries of pharmaceutical sales” was published on the rapidly growing UK healthcare site PharmaPhorum yesterday – one of my first forays outside the data security space in a long time, but a direction with a potential to make a big change in the way pharmas sell drugs:

Pharmaceuticals and Kirby vacuums: The last bastions of door-to-door sales?

A medical representative operates in the center of a “cluster” of doctors that they personally know and meet with face-to-face. The power of social networking relative to conventional on-line marketing stems from a social view of learning, where understanding is socially constructed, and the message we get is actually less important than whom we get it from.

Social and medical may be a perfect fit, but how will social influence medical sales?

Read more here

Free agent DLP from Sophos

October 20th, 2009, by admin


Sophos has announced that they will soon include endpoint data loss prevention functionality in their anti-virus software. Because it was developed in-house, Sophos will have an independent offering – unlike Websense, RSA, Symantec, Trend Micro and McAfee, who all purchased DLP technology and have integrated it into their product lines with various levels of success (or not).

The Sophos move to include agent DLP functionality for free is a breath of fresh air in a data security industry long known for long-winded, heavy-handed, clumsy and frequently amateurish attempts at exploiting the waves of data breaches into a franchise that would drive sales of products purchased from visionary DLP startups.

Sophos is known to be independent and may not be inclined to partner with other pure-play data security vendors like the network DLP company – Fidelis Security Systems. They may not have to partner if the play works well.

Beyond strategic speculation, the Sophos move should give customers a very good reason to ask why they should spend $80-150 for a Verdasys Digital Guardian agent, or $40-80 for McAfee agent DLP software.

If Sophos can do a solid job on detecting and preventing loss of digital assets such as credit cards or sensitive Microsoft Office files at the point of use, then free looks like an awfully good value proposition.
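To make concrete what “detecting loss of digital assets such as credit cards at the point of use” involves, here is an added example of my own; it is not Sophos code and not from any vendor named in this post. It is the minimal content-detection step an endpoint or network DLP agent runs over a file before allowing a copy or send: a digit-pattern match paired with the Luhn check digit, which is what separates a card-like number from order IDs and invoice references that merely have the right length. The sample document is constructed, and the card numbers in it are the public test numbers payment processors publish, not real accounts.

```python
import re

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally
# separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Card numbers carry a Luhn check digit; random digit runs fail it about
    90% of the time, so this removes most false positives of the regex.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a DLP alert would log it."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_cards(text: str) -> list[tuple[int, str]]:
    """Scan text line by line; return (line_number, masked_pan) for every
    candidate that has a card-like length and passes the Luhn check."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


def is_sensitive(text: str) -> bool:
    """The policy decision an agent makes before allowing a copy or send."""
    return len(scan_for_cards(text)) > 0


# Constructed sample document (assumption, not real data). The two card
# numbers are publicly published test PANs, not real accounts.
SAMPLE_DOCUMENT = """Constructed customer export (not real data)
Customer 1: 4111 1111 1111 1111 exp 12/11
Customer 2: 5500-0000-0000-0004
Order ID 9876543210123 (13 digits, not a card: fails Luhn)
Invoice ref 1234 5678 9012 3456 (looks like a card, fails Luhn)
"""

if __name__ == "__main__":
    for line_no, masked in scan_for_cards(SAMPLE_DOCUMENT):
        print(f"line {line_no}: possible card number {masked}")
    print("sensitive:", is_sensitive(SAMPLE_DOCUMENT))
```

Only the two Luhn-valid numbers are reported; the order ID and the invoice reference match the pattern but fail the check digit. A production agent adds more (issuer prefix ranges, proximity keywords, document fingerprints), but the regex-plus-Luhn pair is the core of what makes “free” detection credible or not.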

Trend Micro recently did a deal at Israel Railroads for almost free ($10/seat) for 2500 seats; Trend can’t be making money on that transaction, but free or almost-free is not a bad penetration strategy if it gets your agent on every desktop in the enterprise and you get footprint and recurring service revenue for anti-virus.

I know I will be taking a close look when the software is released.

The death of Google Adwords

October 19th, 2009, by admin


I don’t really understand why anyone would want to pay Google money for Adwords.

I ran a little experiment recently to promote our web sites using Google Adwords and Twitter.

Here are the results:

The results of my little online marketing experiment show a huge advantage for Twitter with focused search phrases in bios over Google adwords with carefully chosen keywords.

Google Adwords
  • 650 extra hits in 4 weeks
  • 1 hour setting up 2 ads
  • Campaigns ran for 4 weeks, cost 1100 sheqels
  • Hit relevance – none (the keywords people actually used to arrive at the site were not the keywords I chose)

Twitter
  • 2000 extra hits in 1 day
  • 5 minutes in Twitter to create a user, security_expert
  • 1 hour in Twellow search looking for CSO, CISO, Chief Information Security, Security Director etc. in bios (about 300 people)
  • 5 minutes posting 5 tweets from my blog
  • Campaign ran 1 day, cost: 0 sheqels
  • Hit relevance – good, no spam on the blog in this 24 hour period (good sign…)

Now – I have to explain to my wife why I wasted 1100 sheqels on Google instead of (insert requirement here)

Japanese mobile carrier Willcom on the skids

October 9th, 2009, by admin

I was in Moscow this week and was pretty disappointed with the Beeline WiMax offering – which basically didn’t work in the area where we were staying (not far from Mendeleevska Metro station).

WiMax is not there yet and mobile data is still shaking out. According to my buddy Todd Walzer (Todd lives in Tokyo and is a managing partner in www.iland6.com Capital and Development Co., Ltd.), Japan’s phone carriers have been managing this recession pretty well. NTT even recovered the #1 position in corporate profits from Toyota Motors.

However the 4th largest mobile carrier – Willcom – is in deep trouble.

Willcom entered the Japanese equivalent of Chapter 11, and the company is being restructured under legal supervision.

Willcom started in 1990, and has operated a PHS (Personal Handiphone Service) network. Thanks to the cost advantage of this “half-duplex” technology, Willcom could keep a 5% share of Japan’s 100 million subscriber mobile voice market until 2 years ago. It was a pioneer of wireless data services, and an early leader in that market.

But PHS remained a niche technology adopted marginally in Japan and China, while Willcom’s competitors DoCoMo, AU and Softbank adopted CDMA with economies-of-manufacture from worldwide deployment. Meanwhile, newcomer EMobile leapfrogged Willcom’s data rates with an HSDPA service.

In 2007-8, Japan’s Ministry of Communications made two “Broadband Mobile” licenses available, and Willcom applied proposing a “Next Generation PHS” network. The ministry favored this “Made-in-Japan” technology and awarded Willcom a license. But Willcom has struggled to bring off development of a platform with few prospective users worldwide. It buckled under the $Billion+ development cost, on top of its existing $Billion+ debt.

Meanwhile the other licensee UQC (a consortium led by KDDI) deployed its WiMAX service on schedule.


Is security a washing machine?

August 4th, 2009, by admin


Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like Symantec’s DLP “Discover, Monitor, Protect and Manage”, and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s like a washing machine cycle that never stops, intent on keeping you from going home.  It’s also a sales cycle focussed on sustaining subscription revenue rather than protecting information.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff: quantification and prioritization of your actions based on the financial value of assets and measurement of threat impact.

Modern security tools from companies like Qualys and Beyond Security are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches that increased nearly 50% in 2008, and security budgets that shrunk drastically in 2009 – you need to measure how well the product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

In order to help make that happen we will host a free weekly online workshop on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.

This series of workshops is designed to help you and your team take a leadership role in the board room instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.
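As an added illustration of the quantification this post argues for, here is a worked example of my own; it is not the workshop’s material and not a Business Threat Modeling(TM) method, and every figure in it is an assumption. The calculation a board needs is the annual loss expectancy of each threat (asset value times yearly event rate times damage per event), how much of that each product removes, and the net value over the 3-year horizon mentioned above. The fictional retailer, its three threats and four candidate purchases (the appliance that only discovers vulnerabilities among them) are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    """A threat scenario against one information asset (constructed figures)."""
    name: str
    asset_value: float       # what the asset is worth to the business, in dollars
    annual_rate: float       # expected number of successful events per year
    damage_fraction: float   # share of the asset value lost per event

    def annual_loss_expectancy(self) -> float:
        # ALE = asset value x annual rate x damage per event
        return self.asset_value * self.annual_rate * self.damage_fraction


@dataclass
class Countermeasure:
    """A product or service, its yearly cost, and how much of each threat's
    loss it removes (0.0 = no effect, 1.0 = eliminates the loss)."""
    name: str
    annual_cost: float
    mitigation: dict = field(default_factory=dict)  # threat name -> fraction removed


def value_at_risk(threats, countermeasure=None) -> float:
    """Sum of ALE over all threats, optionally after one countermeasure is applied."""
    total = 0.0
    for t in threats:
        removed = countermeasure.mitigation.get(t.name, 0.0) if countermeasure else 0.0
        total += t.annual_loss_expectancy() * (1.0 - removed)
    return round(total, 2)


def rank_countermeasures(threats, countermeasures, years=3):
    """Rank countermeasures by net value over a planning horizon:
    years x (annual loss reduction - annual cost). A negative result means
    the purchase costs more than the risk it removes."""
    baseline = value_at_risk(threats)
    ranked = []
    for cm in countermeasures:
        reduction = baseline - value_at_risk(threats, cm)
        net = years * (reduction - cm.annual_cost)
        ranked.append((cm.name, round(reduction, 2), round(net, 2)))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


# Constructed threat scenarios for a fictional retailer; every number is an
# assumption, not data from any real company.
THREATS = [
    Threat("insider leaks customer list", 2_000_000, 0.2, 0.5),
    Threat("web app breach exposes card data", 5_000_000, 0.1, 0.4),
    Threat("lost laptop with marketing plans", 500_000, 1.0, 0.1),
]

# Mitigation fractions are likewise assumed for the example.
COUNTERMEASURES = [
    Countermeasure("network DLP", 60_000,
                   {"insider leaks customer list": 0.6,
                    "web app breach exposes card data": 0.3}),
    Countermeasure("agent DLP with disk encryption", 40_000,
                   {"insider leaks customer list": 0.4,
                    "lost laptop with marketing plans": 0.9}),
    Countermeasure("software security assessment", 30_000,
                   {"web app breach exposes card data": 0.7}),
    Countermeasure("vulnerability scanning appliance", 50_000,
                   {"web app breach exposes card data": 0.2}),
]

if __name__ == "__main__":
    print(f"baseline value at risk: ${value_at_risk(THREATS):,.0f}/year")
    for name, reduction, net in rank_countermeasures(THREATS, COUNTERMEASURES):
        print(f"{name:35s} removes ${reduction:>9,.0f}/year  3-year net ${net:>10,.0f}")
```

With these assumptions the baseline is $450,000 of expected annual loss; network DLP and the software assessment come out ahead, and the scanning appliance has a negative 3-year net value, which is the point of the washing machine critique: a tool that only discovers vulnerabilities can be a net cost once you put dollar values on what it actually prevents.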

Data security is a war – when the attackers win, you lose. We will help you win more.

Product counterfeiting in aerospace industry

July 19th, 2009, by admin

This seems to be my weekend for product counterfeiting. I was in Tel Aviv last week on Dizengoff and picked up a couple of paperbacks at the “Book Junkie” bookstore for 5 sheqels/book (that’s about $1.25!) – one of them was Michael Crichton’s novel Airframe (the book is genuine… and they have an amazing collection of really cheap paperbacks).

I won’t give away the plot (you can read the outline on Wikipedia), but it’s a good read and it underscores a point that is extremely familiar to data security / data loss prevention practitioners – namely that human error and poor training, not sophisticated technology, are usually the root cause of an event. Although a number of counterfeited parts were discovered in the wing slats, it was a person, not type-certified for the aircraft, that caused the death of 4 people.

The death of age in market segmentation

July 16th, 2009, by admin

I first got wind that age as a marketing segmentation parameter was becoming much less relevant about 3 years ago when I paid a sales call to Castro Model (a big Israeli fashion house with a chain of retail stores) to try and sell them a data loss prevention solution from Fidelis Security Systems. The sales pitch had something to do with protecting fashion designs and was based on common knowledge that there is a lot of design theft in the fashion industry.

I reported back to a female colleague at the office and I commented that the dresses I saw in the showroom seemed to be cut for young girls and would probably not fit her (she is nice looking, in great shape and 40 something…).  Very Bad Idea.

Mary told me – “never tell a woman that a dress is too small for her”.


Choosing a data loss prevention solution

July 1st, 2009, by admin


Data security is not one-size fits all.

For example, if the threat scenario is an attack on your customer self-service Web application – obfuscating or encrypting fields in database tables is not an effective security countermeasure; you need a network DLP solution to prevent leaks of clear text data and a software security assessment that will help you get rid of the bugs that make your Web application vulnerable. On the other hand, if the threat scenario is sales representatives working in stores in shopping malls using unmanaged PCs and leaking customer data, you need an agent DLP solution.

How do you decide what is the DLP solution for your business?
