Key Lesson From The US Airways #Fail: Marketers Need Help Managing Risk

Nick Hayes

Everyone makes mistakes, but for social media teams, one wrong click can mean catastrophe. @USAirways experienced this yesterday when it responded to a customer complaint on Twitter with a pornographic image, quickly escalating into every social media manager’s worst nightmare.

Not only is this one of the most obscene social media #fails to date, but the marketers operating the airline’s Twitter handle left the post online for close to an hour. In the age of social media, it might as well have remained up there for a decade. Regardless of how or why this happened, this event immediately paints a picture of incompetence at US Airways, as well as the newly merged American Airlines brand.

It also indicates a lack of effective oversight and governance.

While details are still emerging, initial reports indicate that human error was the cause of the errant US Airways tweet, which likely means it was a copy and paste mistake or the image was saved incorrectly and selected from the wrong stream. In any case, basic controls could have prevented this brand disaster:

  • US Airways could have built a process where all outgoing posts that contain an image must be reviewed by a secondary reviewer or manager;
  • It could have segregated its social content library so that posts flagged for spam don’t appear for outgoing posts;
  • It could have leveraged technology that previews the full post and image before publishing.
Read more

New Research: CISOs Need To Add Customer Obsession To Their Job Description

Edward Ferrara

The CISO And The Customer

Next month Forrester will publish research focusing on the role the customer plays in security planning. Customer attitudes are changing, and companies need to recognize these changes or risk losing customers. These changes put enormous attention on the CISO and the security team. But CISOs should also look at this as a big opportunity for CISOs to move from the back office to the front office. Security incidents, managed well, can actually enhance customer perceptions of a company; managed poorly, they can be devastating. If customers lose trust in a company because of the way the business handles personal data and privacy, they will easily take their business elsewhere. Sales will fall, stock prices will follow, and the CISO will be accountable. CISOs need to improve their security program by focusing on the company’s true customers – the ones that create revenue – clarifying and speeding communications and implementing customer-focused security controls.  Look for it next month!

Target Breach: Vendors, You're Not Wrestlers, And This Isn't The WWE

Rick Holland

Yesterday, Bloomberg Businessweek ran a story providing some alarming details on the Target breach.  The article, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” didn’t paint a pretty picture of Target’s response. 

Some of the highlights in case you haven't read it yet: 

  • Six months before the incident, Target invested $1.6 million in FireEye technology.
  • Target had a team of security specialists in Bangalore monitoring the environment.
  • On Saturday November 30, FireEye identified and alerted on the exfiltration malware. By all accounts this wasn't sophisticated malware; the article states that even Symantec Endpoint Protection detected it. 
Read more

Symantec Challenges Financial Services Security

Edward Ferrara

Symantec Challenges Financial Services Security

In this age of the customer, there is nothing more important than the effective and safe operation of the global financial system. Trillions of dollars move around the world because of a well-oiled financial services system. Most consumers take our financial services system for granted. They get paid, have the money direct deposited into their account, pay bills, use their ATM card to get cash, and put family valuables in the safety deposit box. The consumer’s assumption is that their cash, investments and valuables are safe.

Symantec’s 2014 CyberWar Games set out to prove or disprove how correct are these assumptions. Symantec’s cyberwar event is the brainchild of Samir Kapuria, a Symantec vice president within the Information Security Group. Symantec structures the event as a series of playoff events. Teams form and compete, earning points for creating and discovering exploits. Out of this process, the ten best teams travel to Symantec’s Mountain View, California headquarters to compete in the finals.

Not Just Hackers Need Apply

Read more

You Should Attend Next Year’s RSA Conference Innovation Sandbox

Rick Holland

Last week I attended the RSA Conference (RSAC) Innovation Sandbox for the first time.  Not only was I an attendee, but I also was fortunate enough to host a CTO panel during the event. For those that aren’t aware, the Innovation Sandbox is one of the more popular programs of the RSAC week.  The highlight of the Innovation Sandbox is the competition for the coveted “Most Innovative Company at the RSA Conference” award.  This is basically the information security version of ABC’s Shark Tank.  If you want to learn about the up-and-coming vendors and technologies, this is one place to do it. To participate, companies had to meet the following criteria: 

  • The product has been in the market for less than one year (launched after February 2013).
  • The company must be privately held, with less than $5M in revenue in 2013.
  • The product has the potential to make a significant impact on the information security space.
  • The product can be demonstrated live and on-site during Innovation Sandbox.
  • The company has a management team that has proven successful in the delivery of products to market.
Read more

The Shuttle Challenger Anniversary Still Offers Risk Management Lessons, If We Are Willing to Learn Them

Renee Murphy

January 28th was the anniversary of the Space Shuttle Challenger disaster. The Rogers Commission detailed the official account of the disaster, laying bare all of the failures that lead to the loss of a shuttle and its crew. Officially known as The Report of the Presidential Commission on the Space Shuttle Challenger Accident - The Tragedy of Mission 51, the report is five volumes long and covers every possible angle starting with how NASA chose its vendor, to the psychological traps that plagued the decision making that lead to that fateful morning.  There are many lessons to be learned in those five volumes and now, I am going to share the ones that made a great impact on my approach to risk management. The first is the lesson of overconfidence.

In the late 1970’s, NASA was assessing the likelihood and risk associated with the catastrophic loss of their new, reusable, orbiter. NASA commissioned a study where research showed that based on NASA’s prior launches there was the chance for a catastrophic failure approximately once every 24 launches. NASA, who was planning on using several shuttles with payloads to help pay for the program, decided that the number was too conservative. They then asked the United States Air Force (USAF) to re-perform the study. The USAF concluded that the likelihood was once every 52 launches.

In the end, NASA believed that because of the lessons they learned since the moon missions and the advances in technology, the true likelihood of an event was 1 in 100,000 launches. Think about that; it would be over 4100 years before there would be a catastrophic event. In the end, Challenger flew 10 missions before it’s catastrophic event and Colombia flew 28 missions before its catastrophic event, during reentry, after the loss of heat tiles during take off. During the life of a program that lasted 30 years, they lost two of five shuttles.

Read more

Actionable Intelligence, Meet Terry Tate, Office Linebacker

Rick Holland
sdfasdfaasdfThe #Forrester Security & Risk team is hiring. We are looking for consultants to join our team bit.ly/M9gWS5 #infosecasdfasdasdfasdddsadfas

We are now less than two weeks away from our annual sojourn to the RSA security conference. RSAC is a great time for learning, meeting and making friends. (Please hold cynical remarks; RSAC is what you make of it.)  As the date grows near and my excitement grows, I am preparing my mind and patience for the ubiquitous silver bullet marketing that is predestined to appear.  

One of these silver bullets will be the term "actionable intelligence." You will be surrounded by actionable intelligence. You will bask in the glory of actionable intelligence. In fact, the Moscone expo floor will have so much actionable intelligence per capita you will leave the conference feeling like the threat landscape challenge has been solved. Achievement unlocked, check that off the list. Woot!

Well not so fast. I frequently talk to vendors that espouse the greatness of their actionable intelligence. Whenever I hear the term actionable intelligence I want to introduce them to Terry Tate, Office Linebacker.  Terry Tate first appeared in a 2003 Reebok Super Bowl commercial. 

Read more

New Research: AWS Cloud Security - AWS Takes Important Steps For Securing Cloud Workloads

Edward Ferrara

Security is the No. 1 impediment to Cloud Service adoption. Forrester’s research has shown this over the last three years. Cloud Service Providers (CSPs) are responding to this issue. AWS has built an impressive catalog of security controls as a part of the company’s IaaS/PaaS offerings.  If you are currently or considering using AWS as a CSP you should check out the following new research.

AWS Cloud Security - AWS Takes Important Steps For Securing Cloud Workloads

Master Has Presented MDM With Clothes! MDM Is FREE!

Tyler Shields

Mobile device management is a fully commoditized market. In the strictest definition of MDM, the available functionality is limited to those application programmer interfaces that are made available by the operating system vendor (Google or Apple). There is very little that traditional MDM offerings can do to differentiate themselves from the other 100+ vendors in the market. This causes significant price pressure on the offerings. Value for MDM is rapidly approaching zero. As we have seen over the past year-and-a-half, core MDM component offerings have been continuously lowering their prices in an attempt to maintain market share. There is a transition by the major MDM players to expand well beyond the traditional "wipe," "lock," and "locate" concepts available to them into more advanced technologies such as content and collaboration systems, security components at the network and application layer, as well as partnerships and integrations with secondary market offerings. These features have value. MDM at its core does not.

I think it's about time someone came out and said it. Just like Dobby from the Harry Potter books, MDM should be free. I've been telling all of the vendors that I work with that if they don't put out their MDM offering in a freemium model very shortly, the other vendors will beat them to the punch. Traditional MDM offerings are a land grab for enterprise market share and should be used as an upsell or wedge into more advanced and differentiable offerings. I predict that in the next 6 to 9 months we will see most, if not all, of the leading MDM vendors giving away their core functionality.

Read more

Just Let Me Fling Birds At Pigs Already! Thoughts On The Snowden/Angry Birds Revelations

Tyler Shields

“But until a person can say deeply and honestly, 'I am what I am today because of the choices I made yesterday,' that person cannot say, 'I choose otherwise.'” 

― Stephen R. CoveyThe 7 Habits of Highly Effective People: Powerful Lessons in Personal Change

"Privacy is a decision best left in the hands of the professionals."

- Tyler Shields, Senior Analyst Forrester Research

This posting is in reference to the recent Snowden revelations that mobile applications are a conduit for governments to spy on citizens. New York Times article HERE.

Read more