My Top 3 Takeaways for Vendors from #RSAC 2019

One of the things I currently enjoy is being able to attend an event like RSAC without a vendor badge on. It enables me to have much more honest, and often diverse conversations. Below are my three top takeaways from this year that we, as vendors, need to take an interest in.

Abundance of choice is slowing down adoption

The inrush of investment capital we saw 3-4 years ago has resulted in fragmentation between and within categories. Buyers described to me being in states ranging from stuck in extended evaluation cycles through to complete decision-making paralysis. Many also said that coming to RSAC instead of helping them narrow their searches, has in fact complicated them as they run into vendors/solutions they did not previously know. I can absolutely sympathize with them, there is too much choice in the market and in many cases very narrow differentiation between them. Some customers have opted to play a waiting game. They expect strategic vendors to make some of these decisions for them, to acquire the best in breed and allow the rest of the market to rationalize through a combination of survival of the fittest and the natural attrition that follows market leaders being acquired.

Unless money becomes cheaper and exit expectations temper I do not see a corporate development-based solution to this any time soon. Instead vendors need to think how their messaging is either fueling the problem, through over reliance on marginal feature differentiation and FUD, or helping address it, by for example showing the strength of the product in terms of how it integrates with existing things the customer already has, or better with the vendor’s, or its partner’s other products. In many cases this is a tough pill to swallow as it means moving away from messaging that often verges on there being a silver bullet.

The Mid Market needs to be sold to as if they are Large Enterprises

This is something that I have been hearing from a minority of well informed sales and marketing people for a decade but has snowballed recently. An event with a big show floor like RSAC brings the issue front and center. In the era where cyber threats take one of the two top spots on the risk dashboards of most organizations we have seen a trend towards organizations of all sizes making someone directly responsible for these risks. They may still rely on channel partners to procure and implement solutions, but these people want to be much more deeply involved in product/service selection. At the same time the technologies they have in their environments, both in terms of the systems they have to protect but also the technologies they use to protect them have become more complex. At a time when many large organizations are simplifying their enterprise IT infrastructures it is getting increasingly hard to tell them apart.

So, the person walking up to a booth from a 1,000-person company a decade ago is very different from today. Yet by and large most vendors treat them the same as they did back then. Missing that this is not someone looking to make a simple product selection, but they are evaluating where to invest budget across technologies, are looking at complex issues such as cloud or supply chain, and are working in environments that often include competitive products that they cannot afford to displace as well as those that may complement your offering. Just the same as someone from a 100,000-person org.

On the stand and in the sales process, they need to benefit in a scale and deal size appropriate engagement that looks much more like what most vendors reserve for large enterprises. Less focus on feeds, speeds and product sheet differentiation. More consultative, more aware of the complexities of their technical and business environments and more leverage of what they have which means vendors open to partnering, even on occasion with vendors who may compete with them in some way. This is not easy as a lot of it is about developing your people and that requires significant investment, but for the vendors who crack the nut, it will provide significant ROI.

InfoSec vs. Cyber Insurance

At the beginning of RSAC week I read an open letter to conference attendees from Pascal Millaire, the CEO of Cybercube a provider of cyber risk analytics to the insurance industry. It aimed to dispel some of the myths or misinformation that exists around cyber insurance. In it he made some good points, but I was unsure who the intended audience was. After a week in San Francisco it is clear to me that his remarks are applicable to both customers and vendors alike. What I heard time and time again was misinformed opinion being used to form a defense against a perceived threat. A threat that could equally be an opportunity if it was better understood. Vendors believe budgets are being diverted or even worse directed at the whim of insurance companies. Customers fear the same loss of budgets and control, as it was put to me “I totally understand the process of transferring some of our risk to insurance providers, what I cannot live with is the transfer of budget that sends our security posture backwards”.

It is time that more InfoSec vendors work out how to work with the cyber insurance ecosystem. It is not going to go away and yes it will take a slice of the pie. Delivering products and services that help lower the cost of the coverage, reduce duplication and increase accuracy in the evaluation of risk will enable some of that money to be “recovered” and benefit customers by enabling them to make better decisions. It will just be a very different sales motion and involve working with an industry that moves at a very slow pace. 

Transmit 5 from Panic

If you work on a Mac and do things with files and remote servers you have probably heard of Transmit. It is the go to tool and one of those things that kind of felt done, problem solved, as good as it gets etc. Well a while ago they announced version 5 (the first new version in 7 years) I thought I would pass, hey I had everything I needed. Then yesterday when re-imaging a machine I needed Transmit and downloaded the trail version. After a few hours of use I updated to the full version. Somehow they took something that felt complete and made it so much better. Not an easy trick. A fair few UI tweaks and then more services which just makes it easy to connect. It saves you time and makes more possible easily and those are things I like.

So if you are a Transmit user I recommend it and looking at it while they have 22% off the upgrade.

https://panic.com/transmit/

Wanted: Algorithms that create useful outputs

I love smart algorithmic approaches to problems. Created and used well they make many things in our lives and environment better. I trust the algorithms in my thermostat to work out the most efficient way to heat or cool my home and shut it down when I leave. As I do with the plethora of algorithm driven safety systems in my modern cars constantly analyzing the objects around me. I find some recommendation engines really useful because when buying a box of bolts, I want the nuts and washers that go with them and I may in fact be in the market for a new wrench to tighten them up with.

What I do not like are algorithms that create bad outputs due to either inappropriate design or techniques to build them. Or poor quality or understanding of the data that powers them. A case in point is an email that I just received from an on-line travel agent I used to book some hotel accommodation earlier this year.

West Drayton for those of you who do not know it is not a small exclusive Caribbean or Pacific Island resort. It is a residential neighborhood just to the north of London’s Heathrow Airport. Do I as the subject of the email asks “remember West Drayton?” Nope, firstly because the Airport hotel I stayed in is not actually in West Drayton and secondly it was just an overnight when coming into LHR very late on my way back from the arctic circle. Apart from the very enjoyable breakfast I had with an old friend the next morning, the only thing I remember was jumping in a rental car and getting out of there. I am hoping that there was some data science behind the 5-month filter, but I am starting to doubt it.

If vendors are not going to use good algorithms on my data I am going to take some guidance from Andreas Weigend’s excellent book Data for the People: How to Make Our Post-Privacy Economy Work for You and choose not to provide this particular on-line travel agent with data about my future travels for free by using them again. I intend to do the same with others, and encourage you to do the same when presented with a bad algorithms output.

A Truck Load of Analogies

One of the clearest pieces of communication I have ever heard given to an enterprise sales team leveraged my favorite analogy, that of the go-to-market truck.

“All I want you to do is sell everything we have on the truck, nothing else”

Now there are people who do drive real trucks full of stock around and sell it. In fact, it is a well-established business model in some industries. I have met a handful of people in enterprise technology sales who started their careers doing it. There are however not enough of them to explain why the analogy resonates so well with their peers. How the idea of a truck that takes product from the factory to the customers and the roles that are needed along that chain are so easily understood. It is easy to see product teams as the factories, marketing ensuring potential customers can recognize the truck and understand what is in it, sales operations keep the delivery network is working, sales teams getting customers to allow them to drive the trucks up to the unloading docks and taking the order with services teams helping with the unloading.

For me it has become a useful analogy to explain the different things I have done in my career. Early on I spent some time in the factory on an assembly line building the products. More of my time though has been spent making sure the right things are being put on the trucks by defining product strategies, rationalizing portfolios and building solutions that make the products easier to consume. I have developed and then taught truck drivers how to tell the stories of the products and portfolios. When products on the truck have been new or complex to unload, I have hired and trained specialists to act as driver’s assistants. I have been on thousands of ride-along trips where I helped the drivers explain what was on the truck and what will be coming on later trucks. I have worked with other factories to get access to their products or their truck network through technology partnerships and alliances, and I have gone out and found new factories to buy so that we can get their goods, factory workers, trucks and truck drivers. The only thing I have not actually done is been the truck driver, although there have been occasions when I have had to help out by grabbing the steering wheel or changing gears. Ironic really as there was a time when I was licensed to drive an 18-wheeler on the highways of Europe!

Like all great tools the analogy is also fungible and easy to extend. With the advent of the cloud there are new ways that we are getting our products and services to market. In recent years, I have worked on projects to replicate the work that Amazon and others are doing by using analogy drones to deliver APIs and technology directly into the hands of developers.

Do you have a go to analogy that you have used for years and has developed with use? If not I have a truckload of them.

Always use Scarily Sharp knives

A few years ago, I was in search of an activity to do with my son one weekend. I found a class on the Scary Sharp technique run by a Steven Tucker at TechShop in San Jose. Scary Sharp was something my teenage son had introduced me to after finding it on YouTube. It is one of those things that takes something that is deceptively complex, and makes it simple by combing some clever use of materials with simple repetitive process and the ability to assess the quality of your work. Our workshop involved sitting round a workbench with a group of likeminded souls as Steven worked both the whiteboard covering a mixture of math, physics, metallurgy and a bit of history with helping us each use pieces of float glass, spray adhesive, sandpaper and photocopier paper to make blades we selected from the small pile of edged things he had deposited in the middle of the bench scarily sharp.

Some Sunday nights after the rest of the house has gone to bed as I spend time preparing for the week ahead I like to apply what I learned that afternoon and sit and sharpen our kitchen knives. It is one of those things that is best done when the house is quiet, the repetitive motion helps clear the mind. Tonight, as I sat there in the dark house honing edges I realized that there are so many great lessons that I have learned from this that could be shared in an epic blog post. Amongst other things I could write at length on the:

  • need to always be open to learning new things and getting outside our comfort zone
  • value of a great teacher like Steven and how he teaches
  • quality time we need to invest with our kids to enable us to pass on our values
  • benefits and discipline of a repetitive process like knife sharpening
  • appreciation of evaluating quality and understanding when things are sharp enough

but instead I just want to point out how good it is to cook with sharp knives.

The question all security buyers need to learn to ask, and vendors answer

In the last few months I have had the opportunity to talk to a wide range of people in our industry unencumbered by a business card that sets an agenda. I have spoken to vendors, investors, analysts and customers of all types and sizes. In doing so I have seen so many examples of vendors and investors who are almost blindly pivoting to the next bright shinny thing, egged on by analysts who have become swept up in the fervor of creating new cyber security market segments. The resulting turmoil is causing our customers to be left behind asking what they should do.

There is no doubt cyber security is hot. Over the last couple of years, I have had a string of VC and PE firms wanting my help to get them a slice of the pie.  Money has flooded in to fuel what is in effect a war effort happening on commercial terms. Like many modern wars industry is not supplying a centralized army or war office. Instead individual militias who are short on resources and often sound like cavalry officers in World War I. Finding themselves overly exposed as they watch tanks roll by, biplanes overhead and clouds of mustard gas around them. This is a war where the speed of innovation in weapons development is unprecedented and the results massively asymmetric. Every day there are adversaries out there doing the equivalent of an infantryman in the trenches of Flanders creating a tactical nuke complete with delivery system all without all the fuss of 25 years of science, the Manhattan Project or Werner von Braun and Redstone.  Weapons that if they were conventional would only be available to nation states can now be acquired by almost anyone. No wonder so many customers are left confused as to where to turn next in the search for something, anything that will make the world better.

Therein lays the problem. Desperation. When you are injured in battle and the trusted therapy or medication stops working you will look at alternatives even the ones that in other circumstances you would have written off as crazy. Focus also shifts to treating increasingly significant symptoms rather than the underlying condition and that is where I believe we are today. We have a war being fought with unprecedented scale and weapons sophistication creating casualties that are looking anywhere they can to patch their wounds and get them back into the fight. They have plenty to choose from and people prepared to offer almost anything. So how does a CEO, CIO or CISO make the right decisions at this point? Well I believe that there is one question they need to be asking when evaluating a new product or service, and ensuring it gets answered to their satisfaction.

What guarantee can you provide me that what you offer it is going to reduce the number of bad things that happen?

In other words, prove to me that what you offer is actually going to increase my security.

It is that simple. Demand proof and focus on things that stop incidents. That last piece is important. I am not advocating a defense only strategy, that stopped working a long time ago. If you believe you can build an impenetrable wall that will never get breached you are nuts! Just like on the battlefield you should be prepared to treat wounds that have pierced the body armor that protects vital organs or hard to protect ones like the head very differently to a flesh wound in a limb. Finding and getting that bullet or shrapnel that is sitting next to a major artery or organ quickly and efficiently under fire is a priority. Having armor that either stopped it in the first place, made it less lethal or helped you pinpoint the exact location is better.

So, who are the vendors who can answer this question? I am not going to name names but I can tell you what I see them working on.

  • Identity – Enabling you to know someone or something is who or what they say they are.
  • Information – Making it only accessible to those who have a real right to see it.
  • Automation – Less focused on the mundane and more on helping the battlefield troops.
  • Disruption – Of attacks and attackers.
  • Expertise – Providing you with access to mercenaries or helping you develop your militia.

In each of the above I have come across vendors who can put real data behind their claims that I can map directly to better outcomes for their customers. The form of the guarantee may vary. Some offer results based payments, a few are working on insurance backed guarantees, others are just able to show and explain with hard customer data how they have stopped bad things happening by for example identifying bad actors before they act or enabling organization wide encryption.

If more people learn how to ask this question and not be swayed by arguments to address symptoms or generate false propaganda showing how they are winning the war and vendors focus on delivering products and services that stop bad things from happening we will win in the long run.

What we can learn from “Envelopegate”

Many years ago, I ran a technical production company supplying lighting, staging, AV equipment and the people that went with them. We did our fair number of awards shows. Nothing on the scale of the Oscars, but I was there when people received awards that changed their lives and their company’s fortunes. I have also had the opportunity to work on live televised events. Nothing with the audience of the Oscars but with the majority of the same roles and processes in place. I have also been the “talent” on stage at events with live audiences often bigger than those in the Dolby Theater and have an understanding of what that entails.

If you have not experienced the backstage of a large event then picture a time when you felt most out of place, make it very dark, speed up time by about 50% and you are there. There is a new language to learn, strange customs, a complicated organizational hierarchy, invisible sight lines to stay behind and an understanding that no matter what “the show must go on”. It is not the natural environment of two no doubt highly accomplished partners from a very well respected accountancy and professional services firm.

Like most I was not overly surprised that the Academy elected to scape goat Brian Cullinan and Martha Ruiz of PwC and have them kicked off the account. A mistake was made and action was needed to quell the developing media hysteria. Some commentators have questioned why Martha was also sacked given that Brian handed Warren Beatty the wrong envelope. In an article from the BBC that I read before based on an interview with Martha revealed the process they go through to memorize the results so that the person stage left and right know what should be announced in each category. This made them both responsible for not identifying and resolving the issue faster.

Only a few people were backstage at the Dolby Theater on Sunday night and saw what actually happened in the seconds after Faye Dunaway said the words “La La Land”. An interview in The Wrap based on an interview with the lead stage manager Gary Natoli loads the blame on the PwC partners claiming “they froze”. To hammer home the point the article mentions that there was some discussion the prior day of the protocol should an event like this this happen. Natoli alleges that Martha was that Natoli was stood 5 feet away from her as this unraveled and she said nothing. He says he had to walk past her during this as he escorted the host Jimmy Kimmel into the audience where he could get into position to do a closing piece with Matt Damon. My read of this is that Martha was left alone at the side of the stage.

So why does this all interest me?

It is because I think it is a great and very public demonstration of how not to deal with an incident, or more precisely how not to prepare for one.

The reason that the stage has its own language, strange hierarchies, customs and working pace is that it is an environment where things are expected to go wrong and people have been drilled in how to deal with change. Any production requires planning and rehearsal which builds on years of practice. Everyone in the system learns their role and gets to test their capabilities and learn how they react. This is not the case for two partners from an an accountancy firm. Once a year they get to step outside of their world and go backstage. If there was a discussion about the potential of a mix up then they should have rehearsed what to do. Used that exercise to identify issues and worked to resolve them. Perhaps the stage management team would have chosen to allocate each accountant with an assistant stage manager to stick to them and act as a liaison. Proactively checking everything was OK at every step and the second it was not reporting it up their chain of command to the stage managers and show’s producers in the gallery.

Now imagine a similar event occurring Inside your organization, say a major data breach. Hopefully you have a plan. You will probably have done tabletop rehearsals with the core team. You will have identified internal stakeholders and key external resources. What thought have you put into how all the human interfaces will work, and have you tested them?

Or will you just keep your fingers crossed and hope for a repeat of last Sunday, where there just happened to be a professional well versed in spotting problems, reacting quickly to changes and taking charge on hand? Unfortunately, people who are able to do what Jason Horowitz did are rarer than you think. Also, having your customers clear up after your mistakes is not the way to go. Do what the Oscars team should have done. Recognized that they had people as part of their team who will not be as practiced or potentially skilled at reacting and so practiced and implemented compensating controls as needed.

Oh, and if I were PwC next year I would for the night hire two retired Secret Service Agents to work with your partners, memorize the results and be empowered to step out onto that stage.

The Password is dead. Long live the Passphrase.

Eliminating the need for a user to enter a password to authenticate themselves has been a hot area of research and development for many years. I have played my part in this process, partly because it has been my job but also because like just about every sane person I hate passwords. My hatred is multifaceted, but after an awful lot of consideration I have boiled it down to just two primary reasons.  Firstly, there are just too many of them, most nearly everything we access has a password or a PIN. One of my favorite slides to use is a waist line shot of a medieval jailer with a big ring of keys. The idea being to imagine what we might look like were all of the keys we have made physical. Secondly it is the inconsistency in length and complexity between sites and applications. I am not going to name the companies but if you limit or implement strange rules on the combinations of uppercase, lowercase, special, and numeric characters I can use I am going to suspect that you have a problem inside your authentication system (I have seen rules set so that users cannot set passwords that look like the ones that are either hard coded inside an app or have hardcoded special characteristics). Oh, and if you limit the number of characters you are going to make my blood boil as I want to be able to kill your password with a passphrase!

Yes, that is right. Even though I fully support all of the efforts to replace a wide array of authentication mechanisms with something that is based on “something I have” or “something I am” or a mashup of them like UnifyID. I still want to have “something I know” as part of certain authentications. And I want it to be a long and as complex as I want and I want it never again to be called a password.

I especially want to use passphrases to authenticate me at critical points in important transactions. I might be really happy to use a password less authentication mechanism to gain access to my email, a great improvement over the saved cookie offered now. Should I however want to delete my mail account do I really want to trust that to an “are you sure?” dialog? Probably, actually most definitely not. Same as when transferring large sums of money, electronically signing an important document or granting delegate access to a key system. I want to be forced to supply something that I and only I know, have both length and complexity but be easy to remember. Enter the passphrase.

I do not need to explain the science when there is an XKCD cartoon that does it so well

XKCD Cartoon on Password Strength
https://xkcd.com/936/

https://xkcd.com/936/

Anyone who has watched me while setting a passphrase will have seen me scouring my environment looking for inspiration. One thing that I have learned is that I can associate where I am, the items surrounding me and my physical sate when I set a passphrase for a particular service. Once upon a time my main corporate passphrase revolved around a chance encounter with the actor Warwick Davis having a good time in the bar of a London hotel where the heating in the bedrooms was stuck on in that rare thing a British summer! It read like a tabloid headline but to this day I can remember it.

There is another reason I want to be able to use passphrases and that is they are a very good mechanism to detect duress. When designing a secure system, process or procedure we must always look to the limits. Duress codes are not something that most private individuals will be that familiar with. The only likely contact they may have is via a home or business security system where entering a special reset code triggers a silent alarm but at the premises appears to have performed a reset (usually by swapping the last two digits). The use and application of duress codes is complex and in some situations contentious but I would like to maintain the ability to be able to implement them. They are also much easier to hide in a passphrase as the user can set their own subtle rules that distinguish the real from the distress.

To get the ball rolling I am suggesting that we all adopt one simple change. Delete the word “password” from our vocabulary and replace it with “passphrase”. Then as we start to roll out more modern authentication solutions and ask users to define a phrase they will see it as a clean break from the past and into the future of easy to remember high entropy phrases that can support features such as hard to detect distress codes.

RSA Conference 2017: In Search of a Theme

This is the first year in a very long time that I have been at RSAC and not been there representing a major exhibiter. I was expecting that to give me more time to explore see things that I often miss. Turns out that is not the case.  Through a combination of having to walk further as the conference has definitely spread beyond the Moscone and the nearby hotels, and being stopped every few minutes by people asking what I am up to, I think I am actually seeing less than I did last year!

My big observation so far is that I am not really seeing one unifying theme. I do not mean the one that the organizers create which this year is the ever optimistic “The Power of OpportUnity”. I mean the common thing that appears in most presentations, stand shows and hallway chats. The only common thread as with so many other aspects in life at the moment is some degree of uncertainty in the forthcoming stances that will be taken by the incoming administration. If however you dig down a bit you do hear the usual perennial themes. The reality of the lack of skilled personnel in our industry. The need to provide effective controls to our information and identities. The fear that is building within organizations around their reliance on and therefore vulnerability to attacks on their IT infrastructure, be that DDOS, ransomware or fraud, I have heard a dozen people predict a major public business fails in 2017!

It is going to be a long week and I look forward to trying to see more of it.