Disruptive Innovation

Enough With the Disruptive Innovation. Collaborate or Fail.

[This is taken in large part from from an earlier blog, but I feel it needs updating to include more than just payments.]

‘Disruptive Innovation’ has become a common cry for anyone wanting to displace the existing players. It is defined as; “an innovation that helps create a new market and value network, and eventually disrupts an existing market and value network (over a few years or decades), displacing an earlier technology.

Unfortunately the original concept is now grossly misapplied. But like how ‘irony’ now has several meanings, I guess disruptive innovation will have different meaning based on its context.

However, I’ve never heard anyone using the phrase ‘Sustaining Innovation’, which; “does not create new markets or value networks but rather only evolves existing ones with better value, allowing the firms within to compete against each other’s sustaining improvements.

So why is everyone so interesting in disrupting the existing ecosystems? And by “everyone” I of course mean those who are trying to either break into market, or those trying to wrest even more control for themselves. In payments – as my example -, non-cash payments work [mostly], and you have a large degree of faith in your bank’s ability to protect your monetary assets. Do you really want the whole thing to change? Do you even know what it is that you want that’s different?

But do things even need to change? Well yes actually, they do. And are there innovations available NOW that make the payments process easier, cheaper, and more secure for the consumer? Yes, there are. However, can we expect the entire payment industry to throw out everything they have spent billions on over the last few decades, are used BY billions, just to make room for every start-up with a good idea? No, we can’t, and that’s the real issue here.

In the last 10 years there have only been 2 true [potential] disruptors in the payments industry; the mobile phone, and block chains (Bitcoin et al), neither of which has achieved anywhere near its full potential. Yet. Not because the technologies are flawed [necessarily], but because the introduction OF the technologies was done poorly. For mobile devices, the payments challenges included the ‘fight’ between NFC and BlueTooth, the numerous options for security on the device (Secure Elements, Trusted Execution Environments and so on), and the presumed insecurity of the technology overall. For block chains is was, and still is, the almost complete lack of understanding of how they even work in the first place. I’ve looked into them and I still find the concept nearly incomprehensible.

But even these disruptors need current context, and they represent a fundamental shift from our overly complicated view of payments back to its basics; I go to work to earn value (money), the value gets stored somewhere (a bank), and I access the value when I want it regardless of time or location (mobile payment). This would suggest that the only disruption we really need is the disintermediation of some of the players. There are simply too many middle-men whose only input to the new world of payments will be value erosion. Thank God the Mobile Network Operators (MNOs) are too busy bickering amongst themselves or this would be even more complicated!

As a consumer who has a very good idea of what he want to see change, I know that only those who help the payments industry evolve will have a lasting positive impact, and this will only be through collaboration and fair competition.

I’ve used payments as an example, because that’s what I know the best, but the same can be said for almost every other industry sector. The drive to take away what others have, instead of providing a better service for the common good, is capitalism at its worst. And no, I’m not proposing some sort of socialism, it’s just logic; What’s easier? Completely replacing something, or improving what we have in collaboration with multiple players?

It’s not like there isn’t enough to go around.

[If you liked this article, please share! Want more like it, subscribe!]

GDPR Fines

GDPR and Cybersecurity, a Very Limited Partnership

If a security vendor has ever told you that the GDPR is imposing fines of up to 4% of annual global revenue for data breaches, they are either:

  1. ignorant of the standard; and/or
  2. lying to you.

Being generous, they may not actually know they are lying, the General Data Protection Regulation (GDPR) isn’t exactly easy to decipher, but even a cursory review tells a rather obvious story. I will attempt to address the following assumptions in the course of this blog:

  1. The GDPR is >95% related to enforcing the RIGHT to privacy, not the LOSS of privacy through data breach;
    o
  2. The maximum fines for ANY organisation are 2% of ‘annual turnover’ for even the most egregious loss of data through breach, not 4%; and
    o
  3. Fines are entirely discretionary, and an appropriate security program will significantly reduce any fines levied.

Wait, there are 2 types of privacy!?

Ask a lawyer in the EU what privacy is and s/he’ll likely quote Article 12 of the Universal Declaration of Human Rights: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

From a GDPR perspective, this equates to two of its three fundamental aspects. Grossly simplified these are:

  1. Explicit consent; and
  2. Legitimacy of processing.

In other words, the vast majority of the GDPR is concerned with obtaining explicit consent for the personal data collected, and then ONLY using that data for legitimate purposes in-line with the consent received.

Even when GDPR refers to ‘security’, it is more concerned with these two fundamentals than it is with security of the data itself. That is what they mean by “security of processing“.

However, from a cybersecurity professional’s perspective – and the third fundamental aspect of the GDPR – privacy also involves  loss. i.e. The data was stolen during a breach, or somehow manipulated towards nefarious ends. This is a very important part of the GDPR, Hell, it’s a very important part of being in business, but it should never be used to sell you something you don’t need.

Maximum fines?

Of the 778 numbered or lettered lines of text in the GDPR Articles section, there are only 26 that relate directly to data security (or 3.34%). These are contained within Articles 5, 25, 32, 33 and 34.

Per Article 83(4)(a) (a.k.a. ‘2% fines’) – “(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

While Article 5 is contained within Article 83(5)(a) (a.k.a. ‘4% fines’), all but one line refers to security of processing, not the security of the data.

So, if it can be assumed that if the maximum fine for ANY data breach, no matter how egregious, is 2% of the annual revenue from the previous year (in the case of an undertaking), that 2% is what the EU considers the maximum for a fine to qualify as “effective, proportionate and dissuasive” (per Article 83(1)). Therefore, a fine of €10,000,000 would be reserved for any organisation with revenue over €500,000,000 annually. Fines are never there to put you OUT of business!

It must follow that if 2% is the maximum, then fines will go down the less egregious is your offence. Everything you need to determine the level of ‘egregiousness’ is contained in the 11 lines of Article 83(2)(a) – (k). Words like ‘intentional’, ‘negligent’, ‘degree’, and ‘manner’ are bandied around, all of which can be answered by you.

In this spreadsheet, I have taken a stab at adding specific questions to each of the (a) – (k) line items. Answer them all truthfully and you’ll get an indication of what I consider to be an appropriate fine based on your annual revenue: GDPR Fine Worksheet. Caveat: I am NOT a lawyer, and this is based entirely on my own experience, not anything resembling known fact.

Finally, bear in mind that as per Article 58(2), there are many ‘corrective powers’ that a supervisory authority can resort to long before levying a fine, including simple warnings (Article 58(2)(a)). Fines should be considered as a worst case scenario in their own right, let alone the amount.

Appropriate security program?

There is no such thing as 100% security, so the more you can demonstrate that your security program is appropriate to the levels of risk, fines should be the least of your problems.  As long as you have everything from senior leadership buy-in, to incident response, to disaster recovery and breach notification – you know, the basics! – it is not a foregone conclusion that fines will even be considered.

Go here for more on what a security program should look like: What is a Security Program?

In conclusion…

In the UK, if you are an organisation that processes personal data and you were already a) complying with the Data Protection Act (DPA), and b) doing security properly, GDPR compliance would require only relatively minor adjustments. For those that weren’t, you have a lot of work to do now once the supervisory authority has the powers that GDPR bring to bear, and not much time to do it in (May 25, 2018).

That said, don’t do anything for compliance alone. Do it for the business, do it properly, and compliance will fall out the back end. So while it is reprehensible that security vendors are trying to exploit the GDPR for profit, if you fall for it it’s entirely your fault.

By the way, if you’re a business that is predominantly centered around the processing of personal data, the Article 58(2)(f) – “to impose a temporary or definitive limitation including a ban on processing;” can take you offline indefinitely. And yes, you can be fined on top of that.

I hate to say it, but don’t do anything until you’ve spoken to a lawyer.

[If you liked this article, please share! Want more like it, subscribe!]

Peerlyst: Essentials of Cybersecurity

PEERLYST e-book: “Essentials of Cybersecurity”

In almost 4 years, and over 250 blogs, I have only promoted something  – other than myself of course – once: The Analogies Project.

I find myself doing the same thing for PEERLYST for much the same reasons; 1) it’s purpose is to educate, not sell, 2) it’s members are incredibly generous with their time, and 3) it’s free. I recommend that anyone already in, or WANTS to be in the field of cybersecurity, to not only join, but actively participate.

To me, an important measure of any of these forums is the output. I’m not looking to promote myself or my business – that’s LinkedIn, I’m not looking to vent – that’s Facebook, and I’m not looking to be as pointless as Donald Trump – that’s Twitter. Therefore, a forum that allows me to share my knowledge to anyone desperate enough to listen, as well as support me in the countless instances where I need guidance, will get my attention.

As for output, PEERLYST recently published a new e-book – their second – free to all members; “Essentials of Cybersecurity[The link will only work if you’re already a member]. It consisted of 10 Chapters, the first of which I was given the honour of writing:

  1. Starting at the Beginning: Why You Should Have a Security Program by me
  2. Understanding the Underlying Theories of Cybersecurity by Dean Webb
  3. Driving Effective Security with Metrics by Anthony Noblett
  4. A Security Compromise Lexicon by Nicole Lamoureux
  5. Building a Corporate Security Culture by Dawid Balut
  6. Why People Are Your Most Important Security Asset by Darrell Drystek
  7. Basic Security Hygiene Controls and Mitigations by Joe Gray
  8. Understanding Central Areas of Enterprise Defense by Brad Voris
  9. Telecom Security 101: What You Need to Know by Eric Klein
  10. Strengthen Your Security Arsenal by Fine-Tuning Enterprise Tools by Puneet Mehta

Some of these folks not only donated significant amounts of their time on this e-book, but have already signed themselves up for one of the THREE new e-books already in the works! THIS is the kind of forum with which I want to be associated.

Go take a look, hope to see you there.

[If you liked this article, please share! Want more like it, subscribe!]

PCI L1 Service Provider

From FinTech Concept to PCI Compliant in 6 Months?

Anyone wanting to start a new business in FinTech/payments – digital wallets for example – has to address PCI. Like it not, payment cards are still the dominant form of non-cash payment on the planet. By far.

So what if you have a great idea in this amazing world of opportunity, but your skill-set is in payments and innovation, and not IT or cybersecurity. How do you get your service to market, AND play by the rules? Can you do this in time to be ahead of game given the incredibly short timeframe of today’s competitive advantage?

Well, you could just self assess, but you are restricting yourself to a maximum of 300,000 transaction annually.  But more importantly, would you trust your money to a service provider who self assesses? No, neither would I.

However, I’m talking about full Level 1 Service Provider compliance through a reputable QSA (yes, there are some out there). How can you set up the infrastructure, get all the documentation in place, AND get all the way through a PCI DSS Level 1 assessment in 6 months? And if you do, have you really done it properly?

The answer is yes, you can, but there are MANY caveats, and if you deviate from these steps you will not get there. I am only interested in helping organisations get compliant properly, I have no interest in adding more crap service providers to the ecosystem.

First, you have to completely ignore the PCI DSS. Any plans you make to design both your physical infrastructure and your security program from scratch must be with real security in mind. Never compliance alone. For that, many organisations turn to the ISO 27001 standard. There are others, but try finding affordable consultants who can help you implement them. As long as you realise they are all just frameworks, not step-by-step instructions, then you’re ready to start asking questions.

So What Are the Steps to Compliance?

o

  1. Get Help – This should be no surprise. I don’t perform emergency appendectomies, I’m not remotely qualified, why would you try to achieve compliance when that’s not your experience or skill-set. Yes, is can be expensive, but nowhere near as expensive as any of the alternatives. There are some very good consultants out there, do your homework and find the best one for you.
    o
  2. Outsource the Infrastructure – Unless you’re an expert in everything from hardened operating systems, to logging and monitoring, to firewall management, you will want to outsource as much of the platform as you possibly can. Unfortunately, finding a single provider who can take on anything more than physical hosting and some networking stuff is still ridiculously difficult. Amazon Web Services (AWS) for example is about as bad as you can get. Unless of course you want a dozen or so independent service providers to manage along with Amazon.
    You MUST ask the right questions, and this is where your  consultant comes into play. S/he will write your RFP, interview providers, and eventually produce a responsibility mapping of services against the PCI DSS. This will match their Attestation of Compliance, as YOU should only do business with L1 PCI compliant service providers.
    o
    You are welcome to use my mapping if you don’t have one: PCI DSS v3.2 SP Responsibility Mapping
    o
  3. Policies, Standards & Procedures – You have to start somewhere, so you will likely want to buy a Policy Set. Once again, you have to be very careful as there are dozens of options but few will be fit for purpose. In this case, ‘fit for purpose’ means the service must 1) get you through compliance, 2) provide a platform for your unique culture, and 3) be self-sustainable for the long-term.
    If you buy a Policy Set with ‘PCI’ in the title, you have already failed. Buy one that your consultant can customise on your behalf, and then teach you to manage yourself. Get one that; 1) Is already mapped to both the PCI DSS and your chosen framework (usually ISO 27001), 2) has document management built in (numbering, content standards, assigned coordination etc.), and 3) is easily distributed to the subject matter experts best placed to maintain them.
    o
    I have written a quasi-white paper on how to choose the right the right service, you use the questions as an RFP: ‘Selecting the Right Policy Set
    o
  4. Hire a Completely Independent QSA – While it may be very tempting to have your consultant take care of all the ‘PCI stuff’, bite the bullet and keep these separate. No, you don’t have to be an expert in this stuff, but if you are relying completely on your consultant you are building in a single source of failure. By all means have your consultant run with the assessment, but be involved. If you don’t, you’ll have no idea what you paid for in the first place. In fact, you may even want to build in some SLAs regarding how much remediation is required from by QSA. There will always be some, but if it involves significant scope creep or capital cost, your consultant has failed you. Remember, you have outsourced almost the entire function of PCI to your platform provider, validation of compliance should be a formality.

Of course this is oversimplified, but I’m already way over my self-imposed word limit. However, while I haven’t included any of the inevitable challenges, the process is a simple as security itself, it’s up to you to find someone who can make it simple.

[If you liked this article, please share! Want more like it, subscribe!]

PSD2

The Key to PSD2 Adoption? Mobile Phones!

On January 13th, 2018 the Payment Services Directive 2 (PSD2) becomes national law across the EU.

Depending on whom you ask – and to a large degree what their vested interests are – PSD2 will either have little effect, or be a FinTech game changer that will kill banking as we know it.

From the bank’s perspective, they clearly don’t want change. They have been front and centre for generations when it comes to consumer interaction, and the data they have collected is a major source of their power. Start-ups on the other hand, need a way in, and access to that data is a very good place to start. Whoever controls the consumer directly, will have the best chance of controlling the consumer’s financial choices.

PSD2 itself is supposed to promote 2 things:

  1. Make it easier and safer to use internet payment services by better protecting consumers against fraud, abuse, and payment problems as well as strengthen consumer rights; and
  2. Promote innovative mobile and internet payment services. [competition in other words].

The first applies no matter who you are, bank, service provider, or merchant. Combine this with General Data Protection Regulation (GDPR) and everyone needs to protect personal data.

The second however, is supposed to create a so-called ‘level playing field’, but can start-ups truly compete against the big banks who already have the direct consumer relationship?

Innovation is not the problem, FinTech is busting at the seams with new ideas, but none of them mean much unless they are adopted by the masses. What do they have to do to displace a bank, when the chances are they will not actually be providing banking services as we understand them? And what exactly areinnovative mobile and internet payment services” in this context – and to the point of this blog [finally] – how are mobile devices going to make all the difference?

Counterintuitively, mobile phones will actually improve security. You only have to look at the sheer number of each authentication factor of which the modern smartphone is capable to realise that traditional banking apps just don’t cut it. From passwords / passphrases, to fingerprints, to geo-fencing, to whatever comes next, your phone gets as close to true identity management as any device can.

That’s not to say mobile phones are secure, they are not, and this is one of the biggest hurdles to overcome. A bad guy ‘hacking’ into one of your banks accounts is bad enough, now imagine them hacking into an app that controls access to all of your finances. Money management apps is one of the greatest potential benefits of PSD2, and one of its scariest.

As for how mobile devices will aid PSD2 adoption, you only have to look at the trends. According to Statista for the UK:

  • By the end of 2017 66% of the UK’s population will be using a smartphone – That’s 43 million people, and given the demographic, they control the lion’s share of the UK’s wealth.
  • In 2015, 58% of all smartphone owners used banking apps

It follows therefore that a good chunk of that 43 million will be using their devices for a lot more than Facebook.

The only statistic that does not back this up, is adoption of mobile payments. Despite the Apple Pays/ Samsung Pays, and the plethora of digital wallets, mobile payments have in no way realised their potential. This is not the fault of the smartphone, this has to do with the inability of the payment apps to provide any sort of value-add. From loyalty point, to instant coupons, to ratings and reviews, payment apps are not improving the BUYING experience, just adding a payment option.

PSD2 will change all of that. When you have an app that can not only help you find the best price for something, but give you the best purchase choices based on your combined financial history, now you’re providing true benefit. It’s not about how you pay, it’s about how you buy.

Yes, you can do all of this through a PC / laptop, but on what device do you spend the majority of your time online?

[If you liked this article, please share! Want more like it, subscribe!]