3 posts categorized "Security Consulting"

July 01, 2011

Marketing 2007 Security in 2011 or LCD Security Marketing

I was reading an interview with an executive from a nameless security vendor the other day and the point he was making was that their security products are necessary because “hacking is now a for profit enterprise”. How absolutely 2007.

Most of the examples of hacking incidents he brought up were attributed to LulzSec or Anonymous. Those are not examples of “for profit enterprises”. They were exactly the malicious and “to show we can” type of attacks that he said disappeared 15 years ago. Not to mention that while cyber-war, cyber-terror and cyber-espionage all have a “profit” in mind, it is not exactly the same “for profit" as the Albert Gonzalez gang stealing credit card data.

In fact recent attacks if anything show that we may in fact be entering a new era of hacking and security that calls the whole responsible disclosure and “ethical hacking” issues into a new light. So why talk about security drivers circa 2007 halfway through 2011?

At first I chalked it up to having people who really don’t have any security background and not living security being put in a position where they are forced to talk about it. But then I thought about it some more. It is more than just another empty suit talking about security, it is a chronic problem in the security industry.

I have heard it from other security executives too. When speaking to customers and the public they don’t think the audience is sophisticated enough to really “get it”. So instead of giving it to them straight, lets give them what they can understand. It is LCD (least common denominator) security marketing. Give them something simple enough that they can put their mind around it, that has examples that have already been established in the public consciousness. This way we don’t have to explain too much and we don’t have to open the kimono about our solutions being perhaps only an inch deep. KISS, keep it simple stupid. If only the world really worked like that though.

But why should we be surprised with least common denominator security marketing when too many security companies sell least common denominator security solutions. You know, the check box security that allows people to say they have complied, but leaves them defenseless when LulzSec and the like put them in their sites.

I think the whole thing is an outgrowth of the old enterprise security vendor approach of watering and “dumbing down” their solutions for the mid-market.  It didn’t work then and LCD security and LCD security marketing doesn’t work now. 

Yes, you may fool some people for some of the time, but you can’t fool all the people all the time and sooner or later it catches up with you.  The people and organizations relying on the security industry deserve better and we as an industry should be better than that!

Related articles
Enhanced by Zemanta

Posted at 04:44 PM in compliance, General Background, General Security, other security companies, Security Consulting, the security industry | | TrackBack (0)

April 29, 2010

How do you look in stripes?

stripes I remember when I was really digging in to how consultants sell security services to customers. I was both amused and somewhat repulsed by one founder of a security consulting firm. He told me that he would get in front of the CEO, CFO and CIO and ask them “How do you look in stripes?” Because that is what you are going to be wearing if you don’t hire us to help you.

Talk about FUD with a capital F! I was reminded again of that today when I saw this article about the surgeon packed away for jail for HIPAA violations. Specifically peeking at medical records that he was not authorized to view.

In talking to merchants about PCI, nothing gets them focused as when they find out they could be liable for the losses of a breach, as well as up to half a million dollars in fines.

So back to the same old question.  Is FUD the only way to get the attention of customer? Do we have to lead off our conversations with “how do you look in stripes or broke”?

As security professionals how do you feel about that?

Posted at 11:23 AM in General Background, General Security, Security Consulting, the security industry | | TrackBack (0)

November 23, 2009

Seizing management power, is not keeping it

This past weekend I received my hard copy of the 20th anniversary issue of SC Magazine.  Hate it or love it, 20 years covering information security is a statement.  Congrats to Ilena and the rest of the team there! One article by Dan Kaplan caught my eye (BTW, I had no idea that Dan checks my blog for ideas, as Joe Franscella says). “Seizing Management Power” chronicles the evolution of the CISO position “from introverted techie into slick businessperson”. Dan looks at Howard Schmidt’s career from police officer and Ham radio enthusiast to security pro today. He also looks at several other prominent people who have held the CISO position at large corporations.  Interesting in that each of these people came in and set up security programs and then moved on.

Today’s CISO’s are as likely to have an MBA as they are a CISSP says Kaplan.  I agree with Dan, they are as likely. But just as the mission has evolved from techie to business speak, the scope has also been narrowly defined. It is an architectural position, not a long term place at the table. As the article points out, the CISO needs to be proficient in “people, processes and technology”.

Ultimately though Kaplan states that “going forward, though, as the CISO position assures its foothold in the corporate boardroom, some observers wonder if the function has an infinite lifespan”. My theory is not an infinite lifespan in terms of function. There will always be the need to come in and set up or reshape a security program.  But once that is done, what is next? How long does the CFO and CEO want to keep paying big bucks for the architect? The CISO comes in with a mandate and and power, but can they keep it? That is the hole in the bottom of the CISO bucket.

I think the CISO’s architect role can be accomplished with a proven methodology, in a given time frame and within an agreed upon a budget and then handed off to a caretaker and not the architect. CISO’s are too highly compensated to be expensive cheerleaders. At the end of the day that is why I think CISO is a great place for a consultant.

Posted at 10:12 AM in CISO, General Security, SC Magazine, Security Consulting | | TrackBack (0)

My Photo

Subscribe to my blog

Enter your email address:

Delivered by FeedBurner

Lijit Search

Blog Networks

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Search

Lijit Search

Attend a Computer Forensics Boot Camp to better your skills and become a better worker

Categories

Track my blog stats

Blog powered by TypePad
Member since 10/2005

About