Business Dress in Tech’s Clothes
It has been 15 years since my introduction into Cyber Security, Intelligence Operations, and Information Technology in a professional capacity. Thinking back to my ripe age of 18, when I realized information warfare would be the next iteration of human-to-human exploitation, one could say the future was obvious. My realization, however, came in the most unlikely of ways. The value of information, the classification of data, and how it is conveyed to others were revealed to me during one of those historic moments when two US Navy ships collided with one another (http://csi.agency/2-us-navy-ships). Back then, US Navy ships communicated in a much different fashion than they do now. There were the Techs who maintained the communication equipment, the Operations Teams who processed the data about ships, and the Intelligence groups that “fused” the data for presentation to the ship’s Senior Officers.
If you can only imagine for a second the ironically named social experiment game of Chinese Whispers: you sit a group of people in a circle, and one person starts by whispering an initial message, let’s say in this case, “These ships will crash if you don’t change course now,” into the ear of the next person in the circle. Inevitably, by the time this message has passed through the ears of 10 people, the final recipient will not hear the original message, “These ships will crash if you don’t change course now,” but instead something completely different. Due to politics, ego, fear, or other reasons, that message has turned into, “Perhaps it would be best if, sometime, we check our charts to make sure the Captain’s course is being maintained. We don’t want to crash.” Similar to the events of that day, I had the realization that information, if not conveyed, processed, and acted upon properly, could end in catastrophic circumstances.
The aforementioned story brings me to the topic at hand: Choosing a Cyber Security Vendor. This week alone, we have had three news-level events where a company (or group of companies) entrusted their entire Cyber Security, Data Security, and Privacy countermeasure responsibilities to a “Cyber Security” vendor, resulting in epic (yes, epic) levels of failure. One of these “hacked” Managed Security Services vendors was exploited so easily that the hackers replaced its website with a “List of Security Best Practices.” Besides being a slap in the face for the company, this was unfortunately also a slap in the face of the Cyber Security industry. I will say with confidence that the reason these Cyber Security companies got hacked is the same reason the US Military and Fortune 500 companies experience breaches at record levels: They Don’t Practice What They Preach. As with other examples in history, when the wrong people are influenced by the wrong set of people, major failures occur. In this example, it is Business getting in the way of Function and Performance.
“It’s a tricky game, but if you have the right vector and pay attention to the ‘source’ and not the ‘chatter’ you will be fine.”
Because the cyber security waters are so rich with opportunity, every MBA-rich Dev, Startup Incubator, and Investor group is joining the “rush” to capitalize on organizations’ fears of being hacked, breached, or worse, becoming front-page news because of the aforementioned. Because business is a studied, perfected, and, to an extent, synthesized model, the application of Business to Cyber Security has most surely diluted the competency of the services you see in the industry. Before I continue, let me say THERE ARE companies worth their weight in gold. But, similar to the precious gem industry, finding a vendor worth trusting to protect and safeguard your data is a delicate operation. It should take more than fancy presentations, big words, nice suits, and wonderful business dinners to convince you of a vendor’s acumen.
We face this issue often at bits&digits when working to explain what went wrong: how things failed in a cyber security event at a company that had entrusted its security to another cyber security company’s technology or service solutions, only to find that the salesman had sold no more than a fraction of the services the customer expected. This sort of salesman sleight of hand is Social Engineering to a degree. Putting business before security leaves companies, intellectual property, and personal data at risk of exposure.
“The first step of Security Vendor selection is knowing what you don’t know; then a close second is knowing what you need.”
Is there a way to fully vet a Security Vendor? Absolutely, you betcha there is. My first piece of advice is to ensure you have the right people in the room making the vendor selection decisions before you go shopping. I’m not saying your Human Resources VP is not qualified to evaluate whether a SIEM (Security Information and Event Management) solution provider is the appropriate choice. What I am saying is that perhaps your System Engineer, who knows your technological landscape like the back of their hand, would reap better results.
Remember the business connection as well. Hiring a consultant to determine your security needs will always carry the possibility of that consultant leveraging an associated company’s technologies instead of what’s best for you. The first step of Security Vendor selection is knowing what you don’t know; then a close second is knowing what you need. Don’t fall into the trap of a vernacular wormhole when speaking to tech or security vendors. When you hired your Chief Legal Counsel, I’m sure you wanted to see university credentials, bar admission, and a list of other references before you allowed them into your organization.
Deploy the same caution when selecting a vendor. Make sure they can provide industry-recognized certifications, and review how they conduct business with you from the onset. Did they take your organization’s privacy into account by executing an NDA (non-disclosure agreement) before discussing possible vulnerabilities of your company? Most importantly, do your CIO and Lead Engineers agree that the solution they offer meets or exceeds the requirements your organization faces presently? These are just a few tips, but the message here is not to be swayed by the glitz and marketing glamour of a Cyber Security vendor. If they do not practice their own InfoSec policies, what makes you believe they will take yours into consideration?
It’s a tricky game, but if you have the right vector and pay attention to the “source” and not the “chatter,” you will be fine. You’re always welcome to drop an email to we@bitsdigits.com if you need some advice. We are with the Universe, and we are here to help.
Signing out, J. Tate, CISO @ Bits&Digits.
Edited January 2020.
Original exclusive feature by Tech Expert Mr. J. Tate, Chief Intelligence Officer at bits&digits, in BizBahrain magazine, April 2016 issue, pp. 84–85.