Excellence Platform - Excellence Business

Tuesday 25 August 2015

Strong Authentication isn't for the future, it's all about now.



I recently read an article by one of my favourite reporters in high tech, Ashley Carman from SC Magazine, wherein she was discussing the US Government's 'Cyber Security Sprint' initiative.

I genuinely had to read the piece twice before I could comprehend the madness that I was reading, not because I disagreed with Ashley’s narrative, but because the data and stats that were being expressed were mind-boggling. You can read the piece HERE and see all the data laid out in front of you, but the key point for me was that something as simple as true two-factor strong authentication has not been fully adopted in a central government body.

I understand that 100% of anything is difficult, improbable even, but to be jogging along at 33% coverage when tokens, key cards and dongles have been available for well over 10 years and widely used in the private sector for at least two thirds of that time is staggering.

Most of the banks I have worked with offer free tokens to normal consumers that require the “something you have and something you know” adage to access your current account, make transfers etc. In this instance, for someone who is likely going to transfer fifty bucks, five pounds or twenty Euros for an online transaction, a train ticket or the latest Kindle book download, using a token to secure that transaction makes sense to me and is prudent.

I can't imagine many companies - even a one- or two-man band - wanting access to their hard-earned cash to require only a pet's name or the town they grew up in as the only question before unauthorised withdrawals start to occur! All of those people and businesses have embraced strong authentication across multiple vectors of their daily life, not only accessing bank accounts but also entering and leaving buildings, controlling network access availability and much more.

So why do we hear about local and central governments still having unsecured, unencrypted, easy-to-access systems, files, folders, PCs and more, particularly when the solution to this issue is not only simple to employ but no longer costs the earth and nearly integrates with your entire world at the flick of a switch or press of a button?

Thank you for the interesting (and worrying) article, Ashley, and please catch up, US Government: lead by example and “sprint” towards where you should already be.

For more information on how Strong Authentication could benefit you or your organisation you can always take 10 minutes to respond to AssessMy Strong Authentication HERE. As a reward AssessMy and HID Global will send you a bespoke executive report identifying your Authentication operational strengths and weaknesses to help you 'get to great'.

Cyber Security for the Future: What can we learn from academia?



The true value of academic life passed me by when I was at school and especially during my university years, to the point where I could have missed that whole period out from my life and I would be in a similar position and role as I am now (without being able to read or write but otherwise similar).

Today, many more courses are vocational in a way that means that students who have a good idea as to the employment direction they wish to go in can accelerate those opportunities in ways that 30 years ago were just not possible. Universities that were previously the crème de la crème for English Language, Physics, Veterinary sciences or History now additionally offer International Business, Game design and Cyber Security.

One of the more complex aspects of a CIO or CISO’s work life is keeping ahead of the hackers, criminals and disgruntled employees and off the front page of the Wall Street Journal or Financial Times. Nothing kills a stock valuation faster than the loss of 1.2 million customers’ details. This is something that will keep a security admin up at night, and companies spend significant funds on solutions, consultancy and services to make sure the likelihood of this ever happening to them is limited, and yet it still does.

A quick review of the latest Stanford University Cyber Security course shows the degree of complexity that students are learning about today to defend against those attacks in the future, and it makes for interesting reading. Cryptography, National Security, Operating Systems and Bitcoin encryption are just a few of the topics on the syllabus; however, any course of this ilk is structured, planned and in many ways static for at least a year or more, while the folks on the other side of the fence, who may well have started on a course similar to this, can range and explore every corner of the web for the latest and scariest Cyber Threats, which can then be adapted and morphed into whatever imaginative daemon their skills will allow them to create.

So where does that leave the CISO? Best practice is effectively out the window, systems have to evolve, technologies innovate and experiences need to be shared. The Cloud security market has exploded in the past 24 months, with a multitude of security companies taking shared experience and knowledge from multiple customers globally and comparing and contrasting those scenarios to reduce the overall impact any specific Cyber Attack can create. The largest system integrators have an even greater advantage because not only do they see the pure data but they also engage and communicate with those customers on a daily basis, learning and sharing those best practices while creating case studies and disaster recovery plans for customers who have been or are going through the latest threats so that the next clients will learn from all that experience.

The combination of true Academic excellence and a defined learning process interacting and merging with past masters who have literally 1,000s of hours of joint experience makes vendors like Intel Security, Kaspersky Lab, Trend Micro, Symantec and Sophos the go-to contacts for businesses of all shapes and sizes to ensure they don’t end up on the front page of their national press.

To discover your Cyber Security unknowns in the comfort of your own office with a cup of coffee, take just 10 minutes to complete AssessMy Cyber Security HERE. Your response is secure and you will see instantly anonymised benchmarking information and a high level of your key Cyber Security operational strengths and weaknesses. As an additional reward Dimension Data will also send you a bespoke Cyber Security executive report indicating the areas you should be focusing on today to limit your own threat of attack. Don’t wait for tomorrow, do what you can do today.

Friday 21 August 2015

Mothers go offline due to DDoS


On the evening of Tuesday the 11th of August the inconceivable happened: Mumsnet was taken offline, albeit only for hours, by an apparently disgruntled father, @dadsecurity, using a Distributed Denial of Service or “DDoS” attack.

The response to this attack was two-fold. Firstly, Mumsnet's service provider increased the bandwidth and server capacity to cope with the attack and, in a seemingly related secondary threat, @dadsecurity resorted to a swatting attack normally reserved for the very rich and famous, where the police are told a violent, armed incident is occurring at the address of the target and rush round to apprehend the suspects in full body armour while armed to the teeth, which is what occurred at the Mumsnet founder’s house.

The reason for these incidents and the underlying motivation is something that will no doubt become clear over the coming weeks and months, most probably in court when @dadsecurity will be unceremoniously unveiled, as will surely happen. The fact that an unhappy member of the public can effectively remove the target of his hatred from the web, in this instance Mumsnet, by deploying a home-grown or purchased DDoS attack is certainly concerning.

These stories are becoming more and more regular as the ability to create these DDoS storms or attacks becomes easier to achieve, even from a home office or purchased from the dark web. My primary concern is not the effect or even the cause but the response: adding server capacity, changing firewall settings, increasing bandwidth and disconnecting cables all might have a short-term impact on the threat, but in the medium to long term they are like trying to catch raindrops so they don’t wet the ground; it just isn’t going to happen. The top IT networking and security companies understand this and either partner with specific DDoS mitigation companies, buy them or steer well clear of the problem. A denial of service attack can be infinitely increased in a very short period of time and can be sustained indefinitely, and I don’t use either descriptive word lightly. The weight of a DDoS attack can be crippling to any size of organisation or entity, including central governments, and so what hope does a hosted website for mums have to defend against a determined attacker?

What is worse is that specialist DDoS mitigation security companies like Arbor Networks consistently prove that a DoS attack is statistically just a cover for some other web-based threat, and in the Mumsnet scenario it appears to be just that. As a follow-up, @dadsecurity claims to have stolen user data, and since then unauthorised posts have been made by administrative users which have later been found to be fraudulent. All this is yet more proof that DDoS mitigation is the front line for preventing fraud and a host of hacking, theft and damaging online threats.

Mumsnet is not the first, and most certainly will not be the last, but dedicated DDoS prevention solutions would have limited the impact, and potentially removed the threat entirely, by blocking the data in the cloud or at least reducing the impact on the service provider thereby buying more time for the smart IT folks to lock down the Mumsnet servers preventing the follow-up threats.

See the original Mumsnet post here.

For more information on how true best in class DDoS mitigation would benefit you or your organisation you can always take 10 minutes to respond to AssessMy DDoS Mitigation here.
As a reward AssessMy and Arbor Networks will send you a bespoke Executive report identifying your DDoS operational strengths and weaknesses to help you get to great.

Tuesday 15 July 2014

Become a Social Pariah in one simple step

A good friend of mine found herself single and alone after a 9-year relationship when her “soul mate” cheated on her.

The concept of dating filled her with dread, as she had not been on the social scene for quite a few years. So she was shocked when she discovered the world of dating has changed dramatically in almost every way. She downloaded Tinder on her phone and spent multiple hours a day (literally) sifting through images of prospective partners… She struck up conversations with a small number and effectively stalked them on Facebook to find out if they were genuine or not and then arranged to meet the number one pick! All the while her friends from work and family made sure she was supported throughout the whole process. Six months later and they are looking at a life together and she is far happier than she had been a year before.





Contrast this with colleagues and associates I have in the IT industry looking for their next role and the story is cyclic, repetitive and more than a little disappointing.

Over the past 4 years I have had the opportunity to both contract and consult with some really interesting businesses, working not only in the UK but in the USA, EMEA and beyond, and with this sort of role you meet lots of new people. The cream of the crop quickly make themselves known and those are the ones, even after a few short days of interaction, that you keep in touch with.

Almost three years ago one of these contacts was forced to take redundancy. They had a reasonable pay-out for years served etc., but these things rarely become life changing, so with three months' wages in the bank he started to look for a new position. I noticed the change on LinkedIn and reached out to offer support; his plan was fairly standard:

  • Contact recruiters
  • Trawl LinkedIn Job pages
  • Reach out to colleagues and friends from the industry
  • Draw up a list of ideal companies and track recruitment pages
  • Rewrite the CV and make sure that references are set up and prepared to take all the very many calls!

I offered what little support I could in this instance: I happily checked the CV (iterations 1-99!!), introduced him to people who I knew were recruiting, introduced him to my friendly recruiters, and wrote a reference in LinkedIn. Most importantly, I made a mental note to pick up the phone to him as often as I could, not just to update or to get an update, but also to support and ensure he knew he wasn’t alone. Three months down the line and no job had materialised… We met for a coffee to discuss strategy and potential issues, to review his CV and to ensure that every I was dotted and T crossed.

What came out of the conversation shocked me more than the fact that an A-grade player had not been snapped up within a couple of weeks.

He had contacted a number of the head-hunters and recruiters in our space and they were all happy to add him onto their systems, but none of them followed up past that point. The odd recruiter would try and fit his round peg into a square hole, but none of them took the time to really engage or introduce him to their own contacts and really market him. But far worse than the apathy from recruiters, not a single other personal or professional contact had bothered to respond to emails or call him back after he left messages, and certainly no one picked up the phone to him to offer support; no one had referenced him or forwarded potential positions; nothing of any conceivable value had been offered.

A few weeks later after putting significant effort into the task we managed to find him the perfect role, two interviews and a couple of tests later and he was working for a Tier 1 vendor at VP level earning great money. So where did he go wrong and why so badly?

Well the short answer is he didn’t. I have seen this over and over again to the point of sickening regularity and constant disappointment. I have two friends at the moment who are senior level people, very good at what they do in different departments (so this is not just Sales) and they have very little, if any, support from people they have worked with for years previously. Calls get pushed to voicemail; recruiters rarely pick up and hardly ever call back. In the few instances where they get interviews, the roles are poorly qualified so they either choose not to progress or are not put forward and even then when feedback is gold dust, they rarely get any.

This madness has to stop.

We owe it to each other as professionals to take a little time to support those we have worked with or around who are in that transition phase.

Check on LinkedIn for those people struggling to find a job, as your network is different to everyone else’s.





Pick up the phone and offer support and words of advice, actually make the intro when you promise to do so. Make time to meet them for a coffee and introduce them to other people who might help. Validation from someone is worth far more to a recruiting manager than almost anything else.

Finally if you are a recruiter or a hiring manager, please give feedback honestly, in a timely manner and every time you interview someone. Not only is it good practice but it makes your business look professional to the outside world and your feedback will certainly help the person to close out the next role.

Tuesday 8 July 2014

Too soon to go international?

I started out selling Widgets and Grommets early on in my IT career. Almost always the solutions were physical and, more often than not, the only real software was the management system, which sat in a datacentre run by the customer. ASICs were the cool new solution, with speeds and feeds all the rage, where software was embedded onto a chip in a factory and then plugged into a metal case and sold for many times its individual build cost, where all the investment had been paid for up front in creating this piece of silicon.

Way back then international business was a risky business with directly acquired costs and impacts that needed to be foreseen before the choice was taken to actually make the first move.

Now though, many aspects of selling and supporting internationally have changed. The only real constant has been translation but, even then, many companies successfully maintained English as the only support language and, for the most part, customers were happy to work with that.





In my last company we were based in Boston, USA and the first 10 or so clients were local, almost all within a 20-mile radius from the office. At C View Technologies, we were all based in the UK but our first client was headquartered in Japan and our second was headquartered in Moscow, and neither thought that strange or out-of-the-ordinary, and so this is just one example of how times have changed.

Hardware sales have always had the extra issue of logistics to contend with; shipping, returns, customs, and installation services all add to the cost of doing business further from your office.

On-premise or installed software has had the advantage for decades as it could be shipped on disk, CD or DVD.

Nowadays that exact same software can be downloaded and installed straight from the internet without that extra cost. Granted, it still needs to be supported and updated over time, but in many cases this can be done online rather than on premise. The only real barrier with this model then is language.





2 or 3 years ago, this paradigm shifted in a way few expected thanks to the introduction of off-premise offerings or ‘The Cloud’, most notably in the form of Software-as-a-Service (or SaaS) offerings.

Cloud had been a buzzword in tech for nearly a decade and analysts, vendors and industry spectators have been waiting with bated breath to see how this development would manifest itself within the industry.

The beauty of Software-as-a-Service offerings lies in that they need never be installed or updated onsite and rarely need direct support. SaaS provides a stage, not only for small start-ups, but also for tiny businesses to sell their wares on a global scale.

In a similar way to the App store from Apple or Google Play, SaaS offerings are gaining ground attaching to platforms like Salesforce.com, Microsoft Azure and others besides. This allows businesses to evolve quickly with lower risk and, because contracts can be a fraction of the cost of an installed software or hardware solution, customers take a much lower financial and physical risk trying out new solutions.

My company, C View Technologies, is a prime example of this.

When we started, it was just me and my Co-Founder working out of my home office. Yet, after only 6 months, we had a raft of customers and not a single one of them was smaller than a $1b business.

And guess what? None of them cared that we were early stage or that we were only two people.

The same applied to CVT when it came to global engagement with customers. CVT now engages with customers across 23 countries on 4 continents and we are able to offer the same level of service and the same high standard across all our clients, not least because we built a product from scratch that enabled multi-lingual support.





I strongly believe that “For a region to invest in a company, the company must first invest in the region”. This ability to invest in, and focus in on, a region is the only limit to how many areas you can work in or reach.

If you are looking to expand into regions outside your own the best advice I can offer is this:

Find a sponsor or confidant in that region that can help you escape the pitfalls and traps and partner with those organisations where a win/win comes from them supporting you where you are weak, and you supporting them with a product or service that they would struggle to create themselves.

If you have any questions or comments please feel free to ask and I will answer them as soon as I can.

Wednesday 2 July 2014

It's not WHO you know, it's HOW you do it!

When I first started to hire enterprise sales people for our North American sales team, the advice from recruiters and other Execs was very similar, “Hire lone wolves with an impressive rolodex”. Much of the time I took this advice and the lone wolves would start off at a significant pace often hitting target in the first quarter. At the same time I would be hiring inside sales people who would join and be trained and integrated into a strict program. While at Proofpoint I was introduced to one of the most process-driven people I have ever had the pleasure to work with. Jim would sheep dip any new inside sales starter and then sharpen and hone the skills they had to within an inch of their lives while also identifying where they needed help and support. I have used my version of this structure ever since and continue to be amazed that not every business does the same.





I found the problems would normally start at the end of the first year, when the rolodex that the lone wolves had brought to the business, and the personal contacts they dined out on, would begin to dry up. This did not happen every time, as the very best Enterprise sales person will always be growing contacts and connections, but still it struck me that I needed to rethink my strategy. Using Jim’s methods for managing and building it, the inside sales team would never run out of opportunities or new contacts to connect with, constantly filling the funnel and growing the pipeline daily.

In Direct Sales, the numbers don’t lie, or at least rarely. However, the same cannot be said of Channels. Channel sales can seem like a numbers game but this is a critical mistake to make.

Anecdote time… Last year I was working with a mid-tier IT vendor who sold 100% via channel partners. They had almost 4,000 partners globally, with 99% of their revenue coming from just 42 partners; that’s 1%!

The Head of Channel was asked: “How are you going to grow revenue in 2014?”

The answer? “Increase the number of contributing partners by doubling the partner base from 4,000 to 8,000.”

Imagine the time and cost it would take to find and contract with 4,000 new partners!

This is an extreme example of a dysfunctional channel model. However, with a minor amount of adaptation this could have been transformed faster and more efficiently while also increasing the chance of success 100-fold!

Most large vendors will need to apply a degree of standardisation to channel programs and individual partner relationships. The key to ensuring success and scalable success for that matter, is in the hiring of dedicated Channel sales staff. This is a difficult task as in my experience very few “lone wolf” Channel sales people are out there. You will find many relationship focused Channel managers who believe that the road to success is through infinite alcohol-fuelled weekends away and a constant supply of Pizza on the sales floor. This model perhaps works when you have a handful of partners but doesn’t scale, is difficult to model and certainly doesn’t help anyone to forecast.

There is a more functional model!

It involves having well-liked, well-respected Channel sales people who focus on a defined program, adhering to the rules without constantly trying to break them. These people will be able to manage 5 or even 10 times the number of partners, and often much more effectively, than the lone wolf.

When we review data around regularity of contact and communication, it is very clear which model is used across partners with a higher overall level of satisfaction.





Both the process-driven sales person and the lone wolves have their roles to play. Early stage companies looking for the “impossible win” are best served by the go-get-it attitude and historic relationships of the wolf. However, businesses looking for a mature Go-to-Market model, a scalable solution with predictable results, need an operationally sound plan and focused, structured, professional players to make it happen.

To be a successful sales organisation, you need to apply a degree of standardisation to channel programs and direct sales processes. If you can create a great partner program, and find and build solid talent, you will then watch your effective partner numbers rise, your close ratio will build and your revenue will soar, but only if you are supporting that with an equally effective direct sales model.

Tuesday 8 April 2014

Why cash flow is king for businesses and how the government needs to step in to help.

I had a meeting with one of C-View Technologies' board advisors on Friday afternoon; we try to catch up at least once a month over a coffee and a piece of cake. This meeting was no different from every other, as we started by discussing the cash flow. This particular advisor is from a blue chip company and very financially / operationally focused, but you can tell she is often perplexed by the regularity of cash flow hitting the conversation. For our business we are in many ways very lucky: we have a subscription model with customers paying regularly every month in a fairly predictable manner; as a SaaS business our fixed costs have always been lower than you might expect; and all the stakeholders from day one have been in this for the long haul and not the quick win, so we don’t drive Astons and can run lean and fast as required. The issue for CVT when it comes to cash flow is our investment planning and the fact that very few clients pay on time or in any predictable way.

Many of our customers are globally recognised brands, which is a double-edged sword as often Finance has very little communication with the people we work with. The payments people have targets of their own and will tell you one thing and do the opposite. We have some customers that pay over 120 days late, but the same clients might also pay us on time for a different invoice. This makes growth and investment predictions and planning almost impossible, and that has an impact on hiring, our own payments, and purchase choices for third party providers; the list goes on. The knock-on of this is that the economy (for CVT, the UK economy) loses out, and to what end? Most importantly, we are not alone, as we communicate with an ecosystem of tens of companies all in the same or similar situations.

So what can be done?

My suggestion is simple: with predictability comes stability, which allows growth, and that is in itself a reward for a government trying to grow out of a global recession. The plan has X steps:-

  1. Legislate payment terms of 7 days. The EU mandates payment terms of no more than 60 days but why that long?
  2. Provide standard terms and legal recourse. T&Cs are a minefield for the smaller business, and few shop keepers or start-up founders etc. understand what the implications mean to them and certainly don’t often have the reserves to create new versions, so end up copying terms from the web.
  3. Provide a central form of recourse. Almost two years ago we had a significant client who walked away from a significant debt for us. We could have chased in court but the time it would have taken and the cost meant that we had few options. If the government could provide a fund to pay up front a proportion of the debt and then the infrastructure to hunt down the debt, then most companies would not risk it in the first place, but also small to medium businesses could afford to take bigger bets.
  4. Speculating to accumulate. I spoke to a Web business MD in January about why he turned down a significant contract with a G500 account. His answer was that the upfront investment combined with the payment term delays meant he couldn’t afford to take the deal. Worse still, the business didn’t go elsewhere; the opportunity died on the vine.
  5. Investment would be more secure and easier to find. Many people lament about the lack of funding for small businesses either from banks or the government but actually with the way the economy is still moving this is a risky business to be in even now. Many more start-ups go bust than survive to grow and so interest rates need to be significant to sustain this model. But with a legislated payment plan a centrally managed investment fund backed by banks could actually be a very safe vehicle for the investor community. This also benefits the entrepreneur as they can clearly borrow what can and will be payable with the X factor of cash flow being at least significantly reduced in the medium term.

Obviously these concepts need to be thought through and expanded by smarter people than I but the basic concept of supporting companies to reduce the issues of cash flow born from success, as opposed to cash flow that kills a failing business that doesn’t have customers, has to be considered in this day and age.