Leveraging Actionable Intelligence to Mitigate Risk Within Your Enterprise

I recently hosted a panel with leading CISOs from around the world. We delved into how “Leveraging Actionable Intelligence to Mitigate Risk Within Your Enterprise” can be approached from a set of common points and differences. We opened with an overview of ideas that led to each panelist posing their own comments and questions with initial answers. The comments and questions below recap our discussion flow, and provide a current base for understanding the breadth and context of mitigating cybersecurity risks.

Panel Opening Comments

  • Security threats are increasing both in frequency and complexity
  • Security leaders need to be proactive in this area and put programs in place (people, process, and technology) to protect critical assets
  • We have assembled a panel of experts in this area and our goal is to provide recommendations that you can immediately use when you return to your office

Initial panelist comments

As predictive analytics matures, we may see significant improvement in the value of threat intelligence data.

  • If you’re spending money on Threat Intelligence, you must have first solved a lot of common problems, such as patch management.
  • Be realistic about what you expect to get from Threat Intelligence. Are you looking for Indicators of Compromise? Attribution? Predicting the next attack? Understand the limitations of the various types of Threat Intelligence data.

Second panelist’s comments

  • How does the actionable intelligence change as you move “up the stack” or away from the stack (to human)?
  • How is the IoT changing the “actionable” part of actionable intelligence?

Third panelist

Leveraging actionable intelligence is the process of gathering analytics based on the identification and collection of relevant threat information. Unfortunately, threat intelligence is an elusive concept for many companies. By 2020 there will be 50 billion connected devices. There are not enough cyber specialists now to handle current security issues, so businesses need to leverage actionable intelligence and analytics for companies to protect themselves.

  • Should threat intelligence be managed internally by companies?
  • When threat intelligence is accumulated, what is the important information for the C-suite?
  • What are the company’s concerns regarding their employees in leveraging actionable intelligence?
  • How does actionable intelligence apply to regulatory compliance?

Fourth panelist

How do we deal with the increasing scale and frequency of attacks, and threat actors that far outstrip our budgets and resources? Traditional information security methods within the enterprise are not a match for any of the above seven events.

Threat intelligence provides a possible way to get ahead of these threat actors and threats — to have intelligence on the threats. But, threat intelligence is a new data source, another fire hose of information that requires analysis. And it has a different nature from traditional tools. We’ll only get value out of the threat intelligence information if we properly analyze it and make it actionable.

Mark Egan

@markeegan

@StrataFusion

Merritt College Applications and Infrastructure Security Graduates Ready to Be Hired

Two years ago we launched the Merritt College fully accredited two-year degree program in Applications and Infrastructure Security. The program is the result of a partnership with Merritt College and the Consortium of Information Systems Executives (CISE) and we’re thrilled that we’ll be graduating our second class of qualified cybersecurity professionals at the end of May. The program is a huge win in working to solve the cybersecurity crisis and has the support of Congressman Ro Khanna. Our objective is to place graduated (and soon-to-be-graduated) students within companies in the Silicon Valley. We’re looking for companies that are progressive and innovative in their approach to solving the cybersecurity issue.

We have students available for full-time and internship positions, and to streamline the hiring process we’re happy to announce that their resumes are available now at Jobvite.

Please contact Mark Egan (mark.egan@stratafusion.com) for access to Merritt’s site.

Secure Innovation

I recently hosted a panel on the topic of Information Security and framed our discussion around the concept of Secure Innovation. Information Security is often viewed as a roadblock to innovation and an obstruction to moving quickly in a highly competitive environment. The panel focused on how to foster innovation and leverage security as a competitive advantage, and provided strategies that can be quickly implemented to achieve the overall goal of secure innovation.

Each panelist provided opening statements on their experience with innovation that required a high level of security and privacy, and led to pragmatic solutions to challenges in this area. One of our goals from the panel was that CIOs would have 2-3 things they could immediately implement when they got back to their desk.

We covered a number of compelling questions across People, Process, Technology, with some of the key remarks conveyed in the following:

CISO at an early stage security startup

What are your recommendations on sourcing, as you can’t do all of this in-house today?

You need to be creative in your staffing solutions; it is very hard to hire experienced staff. We recommend getting less experienced staff and training them. The Merritt College Cybersecurity program is a great source and example of this model.

What do you recommend on security reporting relationships (CIO, CEO, COO)?

I report to the CEO directly as it is essential to our company being a small, early stage startup.

CMO at an early stage security startup

Who are the bad guys and what do they want?

There are three main actors: One who wants to steal our money; the second, our IP; the third seeks notoriety (think Anonymous).

CEO at early stage security company

How do organizations find and attract good security talent?

You bring in less experienced staff and train them.

Mark Egan

@markeegan

Merritt College: Taking a Bold Approach to the Cyber Skills Shortage

On Friday, March 10, Merritt College in Oakland, CA hosted a Cybersecurity Employer/Industry Day with the objective of drawing attention to its innovative approach to “Solving the Cybersecurity Staffing Crisis.” The global shortfall is expected to reach 1.5 million by 2019, according to a recent report by a leading cybersecurity company. This shortage stands in direct contrast to the explosion of advanced persistent threats and other vulnerabilities we see on the rise each year. Merritt offers a fully accredited two-year degree program in Applications and Infrastructure Security; the program is the result of a partnership with Merritt College and the Consortium of Information Systems Executives (CISE). We have the best security staff in the San Francisco Bay Area, arguably the world, and we have to solve the cybersecurity crisis. We’re looking for companies that are progressive and innovative in their approach to solving the cybersecurity issue.

Our event last week gave students and employers the chance to meet and talk about career opportunities.

We hosted employers from a number of San Francisco Bay Area companies including Jacobian Engineering, Anaplan, Wente, and EFI in Fremont who became acquainted with students one-on-one to talk about their backgrounds and opportunities. Investor and CEO Supreet Manchanda also showed support by generously donating $5K to the Merritt program. 

Technology leader Leonard Gaines introduced Congressman Ro Khanna, who video conferenced in from Washington, D.C. Congressman Khanna has made it a top priority to address the shortage of trained cybersecurity professionals. “This country has about 220,00 unfilled jobs in cybersecurity,” he said in a recent interview. “How do we take Merritt College’s Cybersecurity program and do that across the country?” Traditional 4-year education is not resolving the shortage of skilled cybersecurity professionals in the U.S.  Congressman Khanna recognizes that we need a bold and innovative approach to resolving the problem and the cybersecurity program at Merritt is a great example of this approach.

Our other prominent speakers included District Chancellor Jowel LaGuerre, Merritt President Marie-Elaine Burns, Trustees Bill Withrow and Karen Weinstein, and David Silver, Education Director for the Mayor of Oakland Libby Schaaf. Also in attendance was Sidney Brown, assistant to Oakland Councilmember Delsey Brooks. In addition, a panel of students and employers discussed training and the solutions that could be brought to Bay Area organizations.

Program Director Anita Black worked with me and Jim Cates, President of LOBI Group, LLC, to drive the planning of this successful event.

Please contact me to learn more about how you can employ students from our Merritt College Cybersecurity Program.

Mark Egan

mark.egan@stratafusion.com

Do Not Miss This Event March 10 – Merritt College Solving the Cybersecurity Staffing Crisis

On Friday, March 10, 2017, Merritt College will be hosting the event, Solving the CyberSecurity Staffing Crisis. The day will showcase its Cybersecurity training program and feature Congressman Ro Khanna as keynote speaker.

The current lack of trained cybersecurity professionals stands in direct contrast to the explosion of advanced persistent threats and other vulnerabilities we see on the rise every year.

Congressman Khanna,  who presides over Silicon Valley, has made it a top priority to address the shortage of trained cybersecurity professionals, as seen in this recent clip on C-Span. He sees a bold and innovative solution in referring to the Merritt College Information Security program created by staff at Merritt College in partnership with members of the Consortium of Information Systems Executives (CISE).

Action

Please mark your calendar to attend our event on Friday, March 10. There is no need to pre-register; you can just show up to the event at Merritt College, 12500 Campus Drive, Oakland, CA 94619.

Here is a breakdown of the day’s activities:

  • 12:00-12:15 Welcome/Kickoff for Event; Merritt and CISE speakers
  • 12:15-12:30 Guest speaker
  • 12:30-1:00 Student panel with existing students, graduates, and companies who have hired our students
  • 1:00-2:00 Congressman Ro Khanna
  • 2:00-3:00 Meet and Greet with students

Mark Egan

CISE Education Fund President

Owning All Clouds

By Doug Harr

As part of my career as an IT executive for the last dozen plus years, I’ve led several companies through a process of migrating their business application portfolio to the cloud.  At Portal Software, that meant deploying SuccessFactors for HR performance reviews, and OpenAir for Professional Services Automation.  At Ingres that meant deploying Intacct for Financials, Salesforce for CRM, and lots of other cloud solutions. The approach for me reached its zenith at Splunk, where we had a 100% cloud business application portfolio, and where 50% of our compute and store capacity was at Amazon. With so much functionality in the cloud the question of roles and responsibilities became a focus for the company. In this very cloud-friendly shop, what should IT’s focus be? What level of administration of these solutions could actually be owned and delivered by departmental owners, such as Sales Operations, Customer Support Operations or HR administration?

As one example, both at VMware, where I was program manager for their Salesforce implementation, and at Splunk, where I was the CIO, we had very strong sales operations teams, and fairly complex Salesforce environments. In those environments Sales Ops began to take ownership of more functionality in the Salesforce suite. This included user administration, assignment of roles to users, territories to reps, and just about all reporting. This grew to include modifying page layouts, and other configuration capabilities normally owned and controlled by IT. In my view the idea of enabling the Sales Ops team was attractive for several reasons: (1) they wanted the power to do these things; (2) they were not waiting for IT on the things they felt were high priority; (3) they were closer to the sales teams who actually worked inside the tool, and so they were good at interpreting issues and acting – as good certainly as an IT Business Analyst, or even someone with fairly good technical skills. In these scenarios it freed IT to work on deeper technical issues, level 3 incidents, environment management, integration, reliability, etc.

In another example, at Splunk we made wide use of Amazon EC2 for compute and storage capacity. In these cases, IT System Admins were not needed – environments were spun up and used directly by personnel in Engineering and Customer Support. This was an amazing success, and it freed IT to work on monitoring usage, working deals on cost, and managing the overall vendor relationship.

Not every department has a team or individual ready to own or take a major role in the management of a SaaS or IaaS platform. For every HR department that manages Workday, there’s a finance department that does not manage NetSuite. It depends on the tool, and the personnel. What I’ve found is it can also depend on the CFO and management of a business function – some execs are happy to have these resources placed in the business, some are more afraid of “shadow IT spend” or they’re caught up suggesting that IT can’t deliver and granting this power is a cop-out. Actually, I had a moment like this at Splunk, where I had not adequately updated two peer execs on our intent to get more deep IT skills hired into Sales Ops, and had to sort that one out, to make sure everyone understood this was not a shadow operation! So there can be bumps in the road, but in my view adopting this approach is inevitable really, as software platforms and micro apps are becoming widespread, and so is the ability and desire by departmental teams to be more involved in the direction of how those tools, platforms, and apps are rolled out and used.

All this speaks to the future role of IT, and I for one have lived that future, at least in part. It’s one where IT is more strategic, focused on vendor/portfolio management, integration and security. To be sure some functions that are broadly used across all departments, and some that are task specific, still accrue to IT in most cases, or to partners that offer elements of typical IT as a service (think Help Desk). But done well, each department owns more of its technology, feels more in charge of its future, its technology adoption, its responsible use, along with other benefits. And, IT focuses less on being everything to everybody, maintaining disparate queues of backlogged work, and more focused on higher level matters, transforming the business for the digital age, and accompanying delivery of more complex technical solutions.

Right where we should want to be.

@douglasharr

Welcome to Cuba

By Sharon Mandell

Introduction

It is an exciting time for Cuba, with its doors opening, and the positive impact this will have on commerce, IT, and global cultural integration.

Obama recently issued a presidential directive that seeks to institutionalize and cement his policy changes toward Cuba and encourage further engagement even after he leaves office. Obama called the presidential policy directive “another major step forward in our efforts to normalize relations with Cuba” and said it “takes a comprehensive and whole-of-government approach to promote engagement with the Cuban government and people and make our opening to Cuba irreversible.”

The landscape of technology and IT in Cuba, where it is currently, and how it will evolve is also of great interest.  I have been fortunate to be one of the earlier travelers to a newly opened Cuba and have witnessed first-hand where IT can go, in light of present challenges. I am going to delve into these challenges and sketch possible scenarios in a couple of posts.

Business didn’t take me first to Cuba; it was my daughter’s university research and my love of ballet. As a person whose business and technology career largely started overseas, however, I was eager to see what was true and what wasn’t about technology usage there. Whenever I travel to a new country, I’m eager to see what the environment looks like – visiting the tech marketplaces of Tokyo or Hong Kong, for example. Or participating in my company’s recruiting efforts at an international university campus.

My daughter was struggling on her first visit, adjusting to a new language and, more surprisingly, finding people who would engage with her openly. Our communications were largely limited to 30 minute WhatsApp sessions, given the ongoing embargo and still closed telephone networks to US companies. With the limited time (wifi remained very expensive, even for an American, at the time) and narrow bandwidth we had for our daily “conversations,” it was hard for me to understand her struggles, and I decided to make an unplanned trip to support her efforts in person.

Before leaving, I went online to see what I could learn about Cuban technology – I quickly found some published computer research and attempted to reach out to a few University of Havana professors in Computer Science. It was late June 2016, however, and most folks I could communicate with were unavailable for the summer.

Cuban culture, remnants of the past, steps towards the future

The contradictions began before I even arrived on the island. First, I was somehow upgraded to first class on my flight – always a welcome event. Still, it felt strange, as I was flying Cubana, the national carrier of a communist nation. As we drove through Havana to our “casa particular” in our restored Chevy, I could recognize the long term relationship with the Soviet Union in the Ladas, and the present day trading partners in the Kias. Despite the embargo, it wasn’t long before a motorbike appeared with an HP printer strapped on the back of it. While I didn’t see all that much computer technology that first trip (it was often a Dell) cell phones were oppositely abundant. However, many were of the pre-smartphone generation, and my iPhone couldn’t connect, so for the first time in a long time, I was on a forced digital holiday.

Cell phones weren’t the only thing that didn’t work for an American — neither did your credit or debit card, despite the recent announcements about financial openings. Commerce was, and I suspect is still, almost entirely conducted through cash. The first cadeca my daughter brought me to was even closed early, because it had run out of cash.

During that first trip, wifi was still available in limited locations (mostly upscale hotels) and if you didn’t want to lose your shirt paying for it, it meant standing in long lines at ETECSA offices to buy the access cards with the codes at approximately $4/hour. While I was there, however, 11 new public hotspots (based on Chinese technology) were lit up and the price dropped by half. The buying process shifted, where most of the $2 cards were sold out early in the AM. Now, as a tourist, one buys them on the street from the guys who woke up earlier than you – with a 50% markup and risk of getting arrested, but still easier and cheaper than before. Recently it was announced the entire Malecon would be lit up, and I’m sure that will change the economics and process again.