The New Crisis in Cybersecurity

By Mark Egan

There is a new crisis in Cybersecurity.  A recent article highlights the current lack of trained Information Security professionals and ties this lack to the digital revolution and other technology advances, leading to “mega-breaches on an unprecedented scale.” Stealing IP has become a billion dollar business; couple that with the fact that it is also much easier to break into a system than protect it.  All the criminal needs to do is to find one hole in your environment and they can slip in. Why there is a dearth in Cyber Security professionals and what can be done about it I have outlined briefly in a few key points here.

One of the biggest reasons why there are fewer trained security professionals is due to the fact that the Office of the CISO is still a relatively new organization, compared to that of the CIO, which role has been around for significantly longer.  CIO titles started in the 80’s when Information Technology became a critical component of daily business operations. The CISO title is more recent and in 2006 only 43% of large organizations had a CISO. This has changed over the past 10 years and now most larger organization now have a formal security function and overall leader.

However, companies show a trend of being focused on hiring very experienced security staff externally, as opposed to developing and training individuals internally.  It would be more effective to take existing staff and train them, or hire in trained entry level professionals who you can develop.

Going Forward

The solution to Information Security is that companies have to develop their existing staff and then cultivate a mindset where everybody is “mindful” – like a Neighborhood Watch, where everyone is involved in the program. Most attacks still originate from phishing email – someone clicks on an email, and that email comprises that machine. And once they compromise that machine, they move laterally within the environment to elevate to a privileged level of access.  So if you have Neighborhood Watch, everybody is on alert. When they see the suspicious email, they notify someone, and through this behavior you can build and grow and perpetuate a more “security aware” program.

Ultimately security is a people issue. To this effect we created the Merritt College Information Security program as a fully accredited A.S. degree with majors in Applications and Infrastructure Security. The program has been two years in the making and serves the San Francisco Bay Area East Bay School districts, which include students from less advantaged backgrounds. It results from the partnership with the CISE CIO organization, Merritt College, and CIO’s / CISO’s from leading San Francisco Bay Area companies. The program provides trained, entry level security professionals from which an organization can then expand on and develop other existing staff internally.

They are currently for hire; please contact me for more info.

Information Security Training: Merritt College Enters Its Third Year

 

Merritt College in Oakland, CA will start its third year of classes this Friday, August 26.

We’re excited to be entering the third year of this program, having graduated our first set of students this past June 2016. The Merritt College Applications and Infrastructure Security program (as a reminder) is a fully accredited A.S. degree with majors in Applications and Infrastructure Security.

This program results from partnership with the CISE CIO Organization, Merritt College, and CIO’s/CISO’s from leading San Francisco Bay Area companies. These groups have given their time and expertise toward building up this program from its inception. Donations from the CISE CIO group now amount to $130K, and with this amount, we have developed the current curriculum and put a new cybersecurity lab in place.

This program and its impact couldn’t be more timely, given that one of the biggest threats to companies is a lack of trained cybersecurity professionals.

You can find an overview of program here.

We are also looking to place our recent first class of June graduates into Information Security roles with leading companies and organizations. Please contact Mark Egan you are interested in hiring our students to improve your Information Security programs.

Improve Your Information Security Program and Give Back to the Community

We are very excited to announce that Merritt College in Oakland, CA has graduated its first Information Security class. Merritt College serves the San Francisco Bay Area Central East Bay School districts, which include students from less advantaged backgrounds. The Merritt College Information Security program is a fully accredited A.S. degree with majors in Applications and Infrastructure Security. This program has been two years in the making and results from the partnership with the CISE CIO organization, Merritt College, and CIO’s/CISO’s from leading San Francisco Bay Area companies.  Please find a fuller summary of the program below:

• Courses are designed and delivered by security thought leaders from leading companies including Symantec, Wells Fargo Bank, and McAfee
• Security program includes 30 credits of Information Security classes, hands on labs, and internships with Bay Area companies
• Class projects include forensics of a pharmaceutical organization that suffered a security breach, securing systems on Amazon Web Services, and developing Information Security strategies

We are now looking to place these graduates into Information Security roles with leading companies and organizations. Contact Mark Egan if you are interested in hiring our students to improve your Information Security programs.

 

Rapid M&A Integration

By Mark Egan

• Focus on the people
• Take an aggressive approach to migrate the new business into existing systems
• Plan to complete the work within 90 days of deal closing

Mergers and Acquisitions (M&A) are an important strategy for expanding business. Unfortunately, many times these actions do not meet their intended goals. Although considerable emphasis is placed on technology, products, and new markets, some fundamental issues are overlooked. After working on over 60 M&A transactions, I recommend that you focus on three areas: engaging your new employees, integrating the new business into existing systems, and completing all integration work within 90 days.

Engage Your Employees

First, focus on the people. Make sure that you answer their top three questions:

1. Do I have a job?
2. Who is my manager?
3. What is my scope and responsibilities?

Until you answer these three questions, employees of the acquired company are not really listening and can’t focus on integration work. Be honest with employees, especially if you do not have a role for them, and provide assistance in finding a new role and incentives to work through transition period.

Migrate New Business into Existing Systems

Next, take a very aggressive approach to migrate the acquired company into your existing systems. With few exceptions, migrating acquired company systems over to your internal systems is much easier than investing a lot of time evaluating the acquired systems. Make sure that your existing systems have capacity to support increased volumes and additional businesses. This can be done as part of your IT readiness work well in advance of any M&A activities.

Have a 90-Day Plan

Finally, have a plan to complete all the integration work within 90 days of closing the deal.  Many IT tasks, such as e-mail, unified web site, and personnel systems can be completed on the first day of operation for the merged company. The remaining tasks should be aggressively planned for completion within 90 days. This approach positions your organization to take advantage of the newly merged company to develop new products and services and sell the expanded offering to your customers.

StrataFusion works with clients to develop their rapid M&A integration programs enabling them to improve the overall quality of their work as well as reduce costs.

Learn more about “Mergers and Acquisitions” in StrataFusion’s Knowledge Center and get to know our CIO/CTO Advisory practice.

 

Conquering “Big Hairy Audacious Goals”

An IT Transformation Starter Guide

By Mark Egan

• Complete a “Big Hairy Audacious Goal” within 90 days
• Clearly define the goal
• Recruit your best staff to work on the project
• Remove all barriers and set up the team to operate like a start-up

We all face “Big Hairy Audacious Goals (BHAG)” in our careers. However, many of them turn out to be crises we have to address rather than proactive initiatives that make significant positive impact on the organization. At StrataFusion, we believe in order to transform your IT organization successfully you need to set some BHAGs. At a former employer, we had a goal to set up the first private cloud and were asked to use company products. This was a big test of using all of the company products together for the first time and provided a showcase of this technology for our customers.

Step 1: Define the Goal (and Secure Support)

First, we started by clearly defining the goal: in 90 days, set up an operational private cloud that supports a mission-critical business application. We selected a business intelligence (BI) system supporting our marketing organization due to its critical requirement to understand our customers’ buying behaviors and design marketing programs to gain their attention. We then set up a regular cadence of meetings with our R&D organization to ensure we were using the products as designed. With R&D’s buy-in, we got support when we ran into issues, as many of these products had never been used together before.

Step 2: Recruit your Best Staff

Next we formed a BHAG team with the very best staff within our organization, recruiting them to the project full-time. Initially there was a lot of push-back as we pulled these key staff members out of their existing roles and key projects. We engaged the team and gave them a free hand in bringing in any staff from other organizations inside/outside the company.

Step 3: Remove Barriers

Finally, we removed all barriers for the team and allowed them to operate like a “start-up,” eliminating internal process constraints. The BHAG team did not have to follow change control processes, and was allowed to use non-standard hardware/software and bring in third-parties as required. We provided strategic management support for the BHAG team and held weekly meetings to remove any obstacles from completing their project.

Success

The private cloud project was completed on time, and the mission-critical applications continued to support key functions in marketing. We had developed a showcase for our customers demonstrating how to set up a private cloud in 90 days.

StrataFusion has worked with clients to develop big goals and transform their IT organizations so they can focus on key areas such as revenue growth, customer satisfaction and innovation. With the right team and the right strategy, conquering a “Big Hairy Audacious Goal” is achievable in 90 days.

Conquer your IT Transformation Project. Let StrataFusion show you how.

StrataFusion IT Transformation Practice

Trusted Information Security

How Safe is YOUR Information?

3 Simple Tips to Improve Your Information Security Program

By Mark Egan

1. Know who can access your systems
2. Keep your hardware and software current with security updates
3. Monitor your network for suspicious activities

Every day we hear about information security issues and the associated business impacts.  We are talking billions of dollars from data breaches, stolen valuable IP, and compromised sensitive information.  While legislators are busy “thinking” about how they will “help” protect us, I recommend that you focus on three areas that will greatly improve your information security program to minimize negative business impacts.

First and foremost, do you know who can access your systems?

This may seem like a simple question, however, our experience is that organizations do not do a very good job of managing personnel and systems access, especially non-employees. Make sure that only authorized personnel can access your systems and have an ongoing process to maintain personnel additions and deletions.  Recently, a major retailer experienced a security breach of 40M credit/debit cards that was a result of credentials being compromised that were provided to their air conditioning vendor.

Second, are you keeping your hardware and software current with the latest security updates?

These are generally provided free of charge by the vendors. Establish an ongoing process to ensure that occur on a regular basis to mitigate risks.  Take for example the “Heartbleed” bug that exposed about 17%, or half a million, certified secure web servers to encryption vulnerability and information theft. SANS Institute, a cooperative research and education organization dedicated to information security solutions, provides a wealth of free information on best practices for patching hardware and software (www.sans.org).

Finally, do you monitor what is going on within your network?

You would be surprised at what we found working with clients just starting to implement their security monitoring systems; everything from employees accessing inappropriate web sites to hackers that steal valuable IP and operate undetected.  You might consider having a third party provide this service for you, if you do not have the in-house capability.

StrataFusion has worked with several public and private organizations over the past year and we have found these simple security measures have not been addressed within their organizations putting them at risk.  The simple tips presented are not expensive to implement and provide considerable improvements to your information security program.

Start protecting your information today – learn more.

StrataFusion Security Practice

Read more.

Mark Egan’s Guide will walk you through the process.

The Executive Guide to Information Security: Threats, Challenges, and Solutions