Security: A Marketing Conundrum: why IT security experts are taking marketing directors to lunch

19 08 2010

I was reading an excellent InformationWeek analytics report by Michael Davis called Global Threat, Local Pain: 2010 Strategic Security Survey (May 2010). As someone involved in cyber security and working with Narus, this report was especially enlightening. Technology alone is not sufficient to keep your networks secure. Working with marketing to incorporate people and process as part of your holistic solution is a good first step to protecting the integrity of IP networks.

We know that technology can be used to initiate or defend against network attacks. An attack may enable the planting of malware and the potential to exfiltrate or move data out of the network or system. In many cases, firewalls and intrusion detection and prevention systems are used to reduce these types of attacks. These technical approaches are far from sufficient. Security directors need a holistic view of the network and a multi-layered approach to security, especially when fighting against the newer types of attacks.

There are more insidious ways to attack a network. Yet we, the general public, don’t think of security being compromised through psychological, behavioral, and social engineering means. But that is exactly what is happening today. And that is where marketing comes in.

Marketing is the battle for the mind, as Al Trout and Jack Reis claimed in their seminal work called “Marketing Warfare.” Who would have thought that the concepts in a book written more than twenty years ago, prior to the tsunami called the internet, would have repercussions in maintaining the security of networks? Marketing is tasked to get customers to become aware of products or services, and to find ways to get customers to take an action through a promotion, a click through, or an interactive dialog. Think about the tools that marketing uses: search engine optimization (SEO) techniques or a well-worded direct email program with embedded URLs.

When a customer clicks on a URL, it opens the possibility for someone in a corporation to open a “window” to confidential or private data. Pieces of malicious code can be downloaded and, over a period of time, be used to send information out. The InformationWeek survey indicated that the second greatest security risk is from authorized users/employees, mostly due to phishing expeditions. We see legitimate email programs all day with embedded URLs. Why wouldn’t we assume that a phishing expedition is legitimate as well? These attacks are on the rise because people are susceptible to clicking on messages that seem to be real. You don’t need the technology to get information from corporate networks. Rather, with these social engineering attacks all you have to do is to convince the user to voluntarily provide information!

In SEO attacks, a user searching for specific items (say, those high on Google analytics ratings) is sent to a site that looks real. In reality, the user is redirected to a “spoofed” or “fake” site where the user can be targeted, with the intent to gain credit card or account information of an individual or corporation. No wonder the survey made the interesting comment that there is a potential new bond between the marketing people, who understand the psychology and how to get customers to take action through marketing programs and social engineering, and the IT directors, who tend to work on technical solutions.

How can companies and organizations reduce their risk of cyber threats from these new social attacks? Let’s make the assumption that the IT Directors implement the right technology, such as the combination of signature-based malware protection, policy management, and traffic intelligence by companies such as Narus. In addition to technology, policies such as filtering, blacklisting, and most of all training of employees are needed to prevent attacks. First, the security officers have to work on policy and filtering of sites that are normally risky. Perhaps certain emails that contain known types of embedded risks have to be screened. Most importantly, the marketing directors must work with the IT directors to help educate employees on how to protect themselves against these social engineering attacks, which will have the attendant benefit of protecting both the employees in their private lives as well as their companies.

Unfortunately, it’s a complicated problem. Yet the combination of people, process, and technology coupled with a good bond between marketing and IT specialists may be a good first step to protect the integrity of IP networks.





Cyber Policy and Customerization

11 06 2010

Congress is near to passing a bill that emphasizes that federal agencies consider buying security that is baked into hardware and software. Additionally, this potential bill (probably to be introduced next year) establishes an executive cyber office in the White House and calls for continuous monitoring. My first reaction is that this bill is great and long overdue given the growing number and complexity of cyber attacks foisted on government entities and enterprises with “high value assets”.

While the words ring true, I have to stop and wonder if this initiative is enough, or merely a compromise. My reaction as a businessman is that it is great to have security and continuous monitoring built in to protect against cyber attacks. For many cases, this type of security is probably acceptable as a good baseline. Yet, as an executive in the security business, I see the problem as more complex. Can security be “standardized” or do you need to understand the complexity of security in the context of the application and the type of assets and applications you need to protect? I believe that it is the latter.

The industry clearly must champion the cause whereby security is heightened in the decision process of buying hardware and software and in the management of the IP networks which are the lifeblood of business.

In a recent survey we conducted with Government Security News Magazine, 80% of those surveyed felt that one company could not provide all the cyber security needs. Additionally, more than 60% indicated that they don’t have adequate skills necessary to manage security. So in addition to the bill – which is a great start – the industry must make buyers aware of the options at their disposal. Moreover, if we are to really make progress in our collective effort to combat cyber threats, participants in the industry will need to provide a more comprehensive plan and more robust tools that complement security that is built into software and hardware. By way of analogy, think about integrated stereo systems e.g. boom boxes, vs. a specially designed audio system tuned to the uniqueness of the environment. In cyber security, especially in protecting carrier, government, and high value infrastructures, I believe we need the custom version or at least “customerized” version of security.





Maintaining the integrity of critical network assets

12 05 2010

This is a little different than a marketing blog but it has to do with keeping business assets protected. And that certainly fits into the business of doing business.

Did you know that more than 25 million new strains of malware were uncovered in 2009? And that the US Senate Security Operations Center reported nearly 14 million cyber attacks per DAY!!! These are staggering figures. According to the Department of Homeland Security, cyber attacks rose threefold from October 2005 through October 2007, and the belief is that the attacks are increasing at an exponential rate. These alarming statistics have awakened the government, and the President has made cyber security a top priority with the initiation of the Comprehensive National Cyber Security Initiative and the appointment of Howard Schmidt as the government’s cyber czar.

I was reading some comments that George Kurtz, EVP of McAfee, made at a recent FAA conference on Cyber Security and it made me think. He said that we need to find a way to solve an attack (on a network) in 15 minutes vs. the 24-72 hours we now take. For the home user, using McAfee with its signature-based approach is fine, and I probably can wait for a short time to have a new virus or Trojan signature uploaded to my computer. (Full disclosure: I use McAfee on three of my PCs). However, in a critical network (be it FAA, a carrier network, a government agency, a SCADA network, or a health care network) where the asset value is high or the compromise of data would result in economic loss or even physical disaster, we don’t have the luxury of time. At line speeds now approaching the multi-gigabit level, 15 minutes means that an inordinately large amount of traffic/data has worked its way onto a target network. It’s not that signature-based approaches are bad at all; they serve a purpose. Yet, they don’t go far enough for a critical network.

The key to protecting these critical networks is based on a dynamic understanding of what is happening. By definition, once a signature is developed, it is old: still useful for some but not all users. To maintain integrity and availability, companies, carriers, and government entities must have situational awareness and know what is happening at all times. This requires a mosaic of different protection devices such as the normal firewalls, IDS/IPS systems, and forensic analyses. Yet, these systems and appliances must be complemented by a new class of products called network intelligence analytics, which provide a dynamic three-dimensional view of data correlated with other data and correlated in both space and time. Only through this three-dimensional view and the visualization of what is transpiring in the network will exposure to cyber attacks be minimized. This nascent part of cyber protection is led by companies such as Narus, whose traffic intelligence platform called NarusInsight provides the dynamic analytics that the network and security officers need to see what is happening across layers 2 through 7 in their networks. By processing the data in real time and applying real-time analytics vs. mere forensics, the network and security officers can act swiftly to mitigate attacks.

Still, attacks will occur and the industry needs a call to action to aggressively respond to these attacks. The industry needs to band together in a collaborative fashion to thwart these attacks, or at least slow them down. At a recent RSA conference on security, several experts, including Greg Oslan, CEO of Narus, suggested a joint collaboration between government and private entities. That is thankfully coming about. Yet even within companies and across companies, network managers and security officers must share information, work across silos (security and network operations are not necessarily engaged together nor share common platforms), and work across all areas of business. By doing so, we can view the problems and therefore the solutions through a multi-faceted approach. Coupled with a mosaic of complementary and new technical solutions, the industry will have the best opportunity to maintain the integrity of critical network assets vital to our economy and national defense.





Don’t Give Up: There are People that Appreciate You.

10 08 2009

I enjoy listening to Josh Groban and one of the songs he sings is entitled “Don’t Give Up.”   To me, this song is uplifting.   In this economic climate it would seem like a good mantra to chant and, in fact, I sing this song in my head when the pressures of the world mount.  And for many of us, those pressures can come from being in transition, the uncertainty of whether your current job or career will be eliminated or downgraded, or the uncertainty of the new contract or consulting assignment that you were expecting.  Don’t despair.

I was thinking a lot about my friends and colleagues in transition (or soon to be in transition) this weekend and therefore dedicate this blog to them, especially those who are 55 and older. I have a new hero. His name is Michael Mancuso and he is the CFO for Computer Science Corporation. I don’t know Michael at all, yet through his efforts and hard work, he was able to help CSC beat the analyst views ….. by 34 cents!!!! That is nearly a 60% betterment of what the analysts expected.

Several things strike me. First, he is an excellent leader who was able to get these results by discipline and hard work. Second, he is humble, giving credit to his team that was in place prior to his joining CSC late last year, right after the economy tanked. Third, he is 66 years young. And this combination of things makes Michael my hero. You can read his Q&A with IBD in Investor’s Business Daily at http://www.investors.com/NewsAndAnalysis/Article.aspx?id=502848.

What kind of lessons can we learn from Michael and CSC that can be applied to business in general and to executives in transition specifically? First, no matter how many people say that age discrimination should not exist in today’s market and 60 is the new 40, don’t believe it. Age discrimination exists, right or wrong. So to ensure you don’t get ensnared by this, network with people and take the age factor off the table. Just remember, Michael Mancuso got his job because he knew the CEO and the CEO knew what Michael could do for CSC. To make sure you network well, go to functions that are in your domain area as well as others that are tangentially related. I live in SoCal and spend a lot of time in San Diego. Some of my friends from TechCoastAngels in San Diego feel I spend more time down there than in Orange County because they have so many great events in San Diego for a techie. In the next month there will be meetings with the San Diego Venture Group and soon after that will be meetings at the West Institute, which focuses on wireless and healthcare. That supplements some of the meetings in LA and in Orange County such as Tech Biz Connection, Octane and AEA. The point is, you have to get out and talk with people and make yourself known. And through this process you can establish trust and build a relationship.

The second thing, which is probably not as well known but can be useful both in meeting new people and in giving back, falls under the general category of “mentoring.” There are formal mentoring programs through the universities that would love to have experienced executives work with the younger and next generation of business leaders. I, for one, am involved with the UC Irvine Paul Merage Graduate School of Business mentoring program and am enjoying mentoring an IT manager. Not only is it a great way to help others, but I feel great by participating because I know that I can contribute and my advice and counsel are well received. During times of transition, it is nice to have the ability to look at yourself and feel that you are important and believe you have lots to offer. When you feel good about contributing to helping others, you feel better about yourself and I can guarantee that there will be an extra spring in your step, so to speak.

And if you cannot or don’t want to mentor 1:1, you can always join a charity or volunteer group to help out as part of a committee or on the board.   Volunteer groups are always looking for results oriented people that can make a difference.  Consider groups such as Habitat for Humanity, the Boys and Girls Club or Big Brothers and Big Sisters, or the local zoo, or the animal shelter, or hundreds of other groups that need help.   The sense of pride and accomplishment and knowing you make a difference gives you positive energy and people want to be around those that exude such energy.   And you may find your next opportunity comes from one of these affiliations.

What is the great takeaway from this? You have an opportunity to control your own personal destiny. You can give back and that positive energy will be infectious and people will feel that energy. There are things that you control and things outside your control. Giving back through mentoring and volunteering enables you to take control of this part of your life. Add to volunteering an active networking plan to build relationships with people for now and the future. And don’t forget the role models that are out there, like Michael Mancuso and others who through relationships built over time have been given an opportunity to make a difference regardless of age and who succeeded.





Marketing sky high wi-fi

14 06 2009

I thought I would take the opportunity to post Mary Kirby’s blog on an interview Mary did with me prior to my leaving ATX Group. I have fond memories of working with my colleagues to implement Internet and entertainment services on international flights and that was certainly one of the highlights of my career. Unfortunately, that service offering was not a commercial success.  Yet I learned a lot about working with new cultures and many of the marketing innovations my team developed now live on in other companies pursuing commercialization of Internet on board airlines using either satellite or cellular frequencies.  While Mary calls me “king marketer” I feel that this was a team effort, not only the marketing team but the entire organization.  

David
—-
Connexion by Boeing’s former king marketer uncensored

By Mary Kirby, May 27, 2009. In RunWayGirl.

David Friedman used to be the king marketer at Boeing’s now-defunct satellite-based connectivity service Connexion. As VP, marketing and direct sales Friedman was responsible for product management, service evolution, pricing, distribution, sales, and promotional activities. Through his efforts, nearly 500,000 customers had the opportunity to use Connexion’s service in the first two years of operation and satisfaction levels were greater than 90%.

A few months ago I had the very good fortune to speak with Friedman, who is now the executive vice-president and chief marketing officer for ATX Group, which provides telematics and information services to automobile manufacturers. It was an enlightening conversation to say the least.

First off, Friedman made clear that he no longer represents Boeing so his comments here are completely his own. But while Friedman has been out of the aviation industry for two years, he stays in touch with what is going on. His comments are particularly apropos in light of yesterday’s conversation about whether passengers will pay outright for in-flight connectivity when the same high-speed services are free or virtually free on the ground. Here is Part 1 of a two-part blog based on our conversation.

One of the big challenges associated with offering Ku-band-based connectivity – the likes of which was offered by Boeing – versus the air-to-ground (ATG)-based offering provided by Aircell is cost. “The equipment Aircell is putting on board is about $100,000, whereas Connexion was reported as $600,000 on up by the press at the time. I cannot give you the actual [Connexion cost] number. But half a million is a very safe number. Connexion was larger. It weighed a lot more. And the equipment used on the plane is different.”

With such a hefty price-tag for Connexion, airlines were reluctant to pay for installations.

“We [initially] offered to give it away as a trial for free but the airlines said, ‘If this is successful, you want us to pay for all these antennas?’ They were concerned that if customers were demanding it, it would put them [the airline] in a tenuous situation in terms of customer relations.

“So you have the cost of the system and cost of the infrastructure. You can offset that through a variety of ways, such as advertising. But sponsorship and advertising and direct fees is not enough! People believe, by the way, that they should have Internet for free because they are used to having Wi-Fi for free. Then couple that with the issue of power outlets. If an airline doesn’t have enough power outlets on the plane, how are they going to charge a flat fee?”

“What we did in Connexion was we set up our pricing for two hour blocks. We were able to set up a system in the plane and on the ground that said if you only have a battery that lasts two hours and you don’t have power, then the best thing to do is to buy it in the one hour or two hour or 30min grouping so we had little cards. We specifically set up that pricing so we can adapt to what the customers wanted.”

Friedman says Connexion had upwards of 500,000 users after two years. “It wasn’t insignificant and our loyalty rates were extraordinarily high – I think around 90-plus percent. If you used it once, you wanted to use it again. The problem was we only had 200 planes equipped and to cover that cost, you needed a dramatic increase in the number of planes. They did have to pay for the installation. Lufthansa made a commitment. But if you look at the keys to success, you had to get American and United and we just couldn’t get those planes to commit (after 9/11 and the SARS scare). So you had a fundamental issue relative to timing. Timing is half the battle in any kind of business.”
