Wednesday, 13 December 2017
Building a Security Start-Up

If only building a security start-up were as predictable as a caterpillar turning into a butterfly! It is not. It usually requires many turns and corresponding changes. Consider companies like BlackBerry, once a ubiquitous handset provider, now an enterprise security provider. Or Radware, once a load-balancing product company, now known for its DDoS solutions. The most dramatic change in our industry is Amazon, once an online bookseller, now marketing a whole range of secure cloud services.

If you are a start-up, you want to avoid the dreaded “pivot” with its associated hard resource costs and, potentially, people costs. How do you keep up with constantly changing marketplace requirements without pivoting? I recently discovered an excellent tool for this purpose, the Business Model Canvas. It is not brand new, but if you are not using it, please read on for a short introduction. For details and much more, please see the original work, Business Model Generation (2010) by Alexander Osterwalder and Yves Pigneur. It is one of the best practical business books I have read.

Business Model Canvas

The canvas approach lets you build a picture of your prospective business on one page in a one-day brainstorming session. The nine categories in the canvas (Customer Segments, Value Propositions, Channels, Customer Relationships, Revenue Streams, Key Resources, Key Activities, Key Partnerships and Cost Structure) illustrate the key things you need to get right. Notice that technology is not specifically one of them! Of course, it is embedded in all of the categories, especially “Value Proposition”. The Value Proposition is not what you do well, but why prospects will choose you over competitors or over doing nothing. It is the business elevator speech.

The other great thing about the Canvas is that it is easy to change. Whereas a formal business plan might fill 30 to 100 pages and is rarely revisited, the one-page Canvas can be revised on a regular basis. This supports an incremental, lean approach to business model optimization, which in today’s rapidly changing market is a critical success factor. The single page also forces you to consider every component needed for business success. Who are your customer segments? If you do not have marketing focus, you do not have marketing.

Osterwalder and Pigneur have some great suggestions on how to build the canvas for your venture, and then how to follow it up and execute. The next step after building the model is developing a formal business plan. Their prototype plan has six sections: “Team”, “Business Model”, “Financial Analysis”, “External Environment”, “Implementation Roadmap” and “Risk Analysis”. The material supporting the canvas can be used as input for each of these sections. For example, “Cost Structure” and “Revenue Streams” map to “Financial Analysis”. What we have here is a business plan in a box! Now you just need to test it with real customers and adjust as needed.

What if you are an intrapreneur, within an existing business? Osterwalder and Pigneur show how to map their nine business model categories to the five key domains of an existing organization: strategy, people, structure, rewards and processes. By using the language of the parent organization, you can achieve start-up goals effectively.

Posted on 12/13/2017 10:27 AM by Fred Scholl
Friday, 1 December 2017
Cybersecurity Risk Management for Directors

There are many posts on corporate directors’ responsibilities toward the organizations on whose boards they sit. Less often discussed is that directors themselves may be targets for hacktivists or cybercriminals and need to make sure they have adequate protection, at home as well as in the professional office. Directors obviously have access to sensitive insider information that many unauthorized parties would like to obtain. Many directors are also targets as High Net Worth (HNW) individuals. Attackers go after the weakest link; as corporate information security improves, they increasingly target the home networks of key executives and directors.

Breaches such as Equifax have put so much personal information into the hands of criminals that individuals themselves increasingly become targets. Directors, who combine wealth, access to insider information and a public profile, are an attractive demographic to attack. Attack vectors include phishing, ransomware and social media.

Earlier this year, an NSA employee was in the news after hackers apparently stole US government secrets from his home network. Directors with access to confidential strategic or financial information should make sure their home networks are protected above and beyond the usual consumer-grade defenses. Another attack path is through the tools and services directors use. In 2010, attacks were reported against Directors Desk, a NASDAQ board portal. It is not clear whether any sensitive information was stolen at that time.

What should directors do? First, make sure your home network is built to corporate standards. You need a commercial firewall, not just a consumer router. Most critically, every device, especially firewalls and routers, should auto-update its firmware. Auto-update is now standard in Windows 10, most smartphones and many home network devices, but not in older devices. Anything you put on your network will eventually be found to have vulnerabilities, so automatic software and firmware updates are critical to keeping attackers out.

Passwords are a second critical area; many breaches result from theft of user credentials. You should use two-factor authentication to log in to sites holding your financial or personal information. Smartphone applications such as Google Authenticator and Duo Mobile (from Duo Security) generate one-time codes that serve as a second factor. More familiar is the text message that many sites still use to send one-time codes. NIST’s Digital Identity Guidelines (SP 800-63B) now discourage SMS as an authenticator because the codes can be intercepted or redirected (for example by SIM-swap fraud), so use a dedicated authenticator app where possible. Some financial sites still offer no two-factor authentication at all. For these, use strong passwords of at least 12 characters, unique to each site. Such passwords should be managed with a password vault like LastPass or KeePass.

The last factor to consider is encryption. Never store sensitive data online without encrypting it yourself, using a password known only to you. It is true that collaboration services like Dropbox encrypt the data you save there. But the provider still holds the encryption keys and can read the data, and those keys can be compromised by an attacker or abused by a disgruntled employee. That is fine for 99% of the information you store online. For the other 1%, especially personal or corporate sensitive material, only you should hold the key. Applications like Boxcryptor integrate with Dropbox and encrypt files on your device before they are uploaded, so the provider only ever sees ciphertext.

These three precautions, a properly maintained home network, two-factor authentication with strong unique passwords, and encryption under your own key, will go a long way toward keeping your personal and professional information secure. Since threats and vulnerabilities change constantly, you must keep up to date using online resources and peer-group information on this topic.

Contact us today to learn how we can assist you in any aspect of your IT security program.

Posted on 12/01/2017 10:02 AM by Fred Scholl