Disruptive Innovation

Enough With the Disruptive Innovation. Collaborate or Fail.

[This is taken in large part from from an earlier blog, but I feel it needs updating to include more than just payments.]

‘Disruptive Innovation’ has become a common cry for anyone wanting to displace the existing players. It is defined as; “an innovation that helps create a new market and value network, and eventually disrupts an existing market and value network (over a few years or decades), displacing an earlier technology.

Unfortunately the original concept is now grossly misapplied. But like how ‘irony’ now has several meanings, I guess disruptive innovation will have different meaning based on its context.

However, I’ve never heard anyone using the phrase ‘Sustaining Innovation’, which; “does not create new markets or value networks but rather only evolves existing ones with better value, allowing the firms within to compete against each other’s sustaining improvements.

So why is everyone so interesting in disrupting the existing ecosystems? And by “everyone” I of course mean those who are trying to either break into market, or those trying to wrest even more control for themselves. In payments – as my example -, non-cash payments work [mostly], and you have a large degree of faith in your bank’s ability to protect your monetary assets. Do you really want the whole thing to change? Do you even know what it is that you want that’s different?

But do things even need to change? Well yes actually, they do. And are there innovations available NOW that make the payments process easier, cheaper, and more secure for the consumer? Yes, there are. However, can we expect the entire payment industry to throw out everything they have spent billions on over the last few decades, are used BY billions, just to make room for every start-up with a good idea? No, we can’t, and that’s the real issue here.

In the last 10 years there have only been 2 true [potential] disruptors in the payments industry; the mobile phone, and block chains (Bitcoin et al), neither of which has achieved anywhere near its full potential. Yet. Not because the technologies are flawed [necessarily], but because the introduction OF the technologies was done poorly. For mobile devices, the payments challenges included the ‘fight’ between NFC and BlueTooth, the numerous options for security on the device (Secure Elements, Trusted Execution Environments and so on), and the presumed insecurity of the technology overall. For block chains is was, and still is, the almost complete lack of understanding of how they even work in the first place. I’ve looked into them and I still find the concept nearly incomprehensible.

But even these disruptors need current context, and they represent a fundamental shift from our overly complicated view of payments back to its basics; I go to work to earn value (money), the value gets stored somewhere (a bank), and I access the value when I want it regardless of time or location (mobile payment). This would suggest that the only disruption we really need is the disintermediation of some of the players. There are simply too many middle-men whose only input to the new world of payments will be value erosion. Thank God the Mobile Network Operators (MNOs) are too busy bickering amongst themselves or this would be even more complicated!

As a consumer who has a very good idea of what he want to see change, I know that only those who help the payments industry evolve will have a lasting positive impact, and this will only be through collaboration and fair competition.

I’ve used payments as an example, because that’s what I know the best, but the same can be said for almost every other industry sector. The drive to take away what others have, instead of providing a better service for the common good, is capitalism at its worst. And no, I’m not proposing some sort of socialism, it’s just logic; What’s easier? Completely replacing something, or improving what we have in collaboration with multiple players?

It’s not like there isn’t enough to go around.

[If you liked this article, please share! Want more like it, subscribe!]

PCI L1 Service Provider

From FinTech Concept to PCI Compliant in 6 Months?

Anyone wanting to start a new business in FinTech/payments – digital wallets for example – has to address PCI. Like it not, payment cards are still the dominant form of non-cash payment on the planet. By far.

So what if you have a great idea in this amazing world of opportunity, but your skill-set is in payments and innovation, and not IT or cybersecurity. How do you get your service to market, AND play by the rules? Can you do this in time to be ahead of game given the incredibly short timeframe of today’s competitive advantage?

Well, you could just self assess, but you are restricting yourself to a maximum of 300,000 transaction annually.  But more importantly, would you trust your money to a service provider who self assesses? No, neither would I.

However, I’m talking about full Level 1 Service Provider compliance through a reputable QSA (yes, there are some out there). How can you set up the infrastructure, get all the documentation in place, AND get all the way through a PCI DSS Level 1 assessment in 6 months? And if you do, have you really done it properly?

The answer is yes, you can, but there are MANY caveats, and if you deviate from these steps you will not get there. I am only interested in helping organisations get compliant properly, I have no interest in adding more crap service providers to the ecosystem.

First, you have to completely ignore the PCI DSS. Any plans you make to design both your physical infrastructure and your security program from scratch must be with real security in mind. Never compliance alone. For that, many organisations turn to the ISO 27001 standard. There are others, but try finding affordable consultants who can help you implement them. As long as you realise they are all just frameworks, not step-by-step instructions, then you’re ready to start asking questions.

So What Are the Steps to Compliance?


  1. Get Help – This should be no surprise. I don’t perform emergency appendectomies, I’m not remotely qualified, why would you try to achieve compliance when that’s not your experience or skill-set. Yes, is can be expensive, but nowhere near as expensive as any of the alternatives. There are some very good consultants out there, do your homework and find the best one for you.
  2. Outsource the Infrastructure – Unless you’re an expert in everything from hardened operating systems, to logging and monitoring, to firewall management, you will want to outsource as much of the platform as you possibly can. Unfortunately, finding a single provider who can take on anything more than physical hosting and some networking stuff is still ridiculously difficult. Amazon Web Services (AWS) for example is about as bad as you can get. Unless of course you want a dozen or so independent service providers to manage along with Amazon.
    You MUST ask the right questions, and this is where your  consultant comes into play. S/he will write your RFP, interview providers, and eventually produce a responsibility mapping of services against the PCI DSS. This will match their Attestation of Compliance, as YOU should only do business with L1 PCI compliant service providers.
    You are welcome to use my mapping if you don’t have one: PCI DSS v3.2 SP Responsibility Mapping
  3. Policies, Standards & Procedures – You have to start somewhere, so you will likely want to buy a Policy Set. Once again, you have to be very careful as there are dozens of options but few will be fit for purpose. In this case, ‘fit for purpose’ means the service must 1) get you through compliance, 2) provide a platform for your unique culture, and 3) be self-sustainable for the long-term.
    If you buy a Policy Set with ‘PCI’ in the title, you have already failed. Buy one that your consultant can customise on your behalf, and then teach you to manage yourself. Get one that; 1) Is already mapped to both the PCI DSS and your chosen framework (usually ISO 27001), 2) has document management built in (numbering, content standards, assigned coordination etc.), and 3) is easily distributed to the subject matter experts best placed to maintain them.
    I have written a quasi-white paper on how to choose the right the right service, you use the questions as an RFP: ‘Selecting the Right Policy Set
  4. Hire a Completely Independent QSA – While it may be very tempting to have your consultant take care of all the ‘PCI stuff’, bite the bullet and keep these separate. No, you don’t have to be an expert in this stuff, but if you are relying completely on your consultant you are building in a single source of failure. By all means have your consultant run with the assessment, but be involved. If you don’t, you’ll have no idea what you paid for in the first place. In fact, you may even want to build in some SLAs regarding how much remediation is required from by QSA. There will always be some, but if it involves significant scope creep or capital cost, your consultant has failed you. Remember, you have outsourced almost the entire function of PCI to your platform provider, validation of compliance should be a formality.

Of course this is oversimplified, but I’m already way over my self-imposed word limit. However, while I haven’t included any of the inevitable challenges, the process is a simple as security itself, it’s up to you to find someone who can make it simple.

[If you liked this article, please share! Want more like it, subscribe!]

Froud on Fraud: Cybersecurity Predictions for 2017

This time last year I wrote Froud on Fraud: Top 5 Predictions for 2016. Unsurprisingly, none of these things has transpired. At least not yet anyway [embarrassed silence].

So why do this again, when it’s fairly clear that any insight I have – if any – is aimed more towards potential long-term trends than to short-term results?

The reason I’m taking another stab is I can’t help feeling that 2017 is going to something of a watershed year for cybersecurity. At least I hope so, because there is so much hype, scaremongering and dross out there that something needs to change. And it must change soon, before cybersecurity professionals get lumped into the same category as the better known examples of sleaze; used car salesmen, estate agents, and lawyers (no offence Sis).

The last few years has been bad for the cybersecurity/privacy profession. From Snowden, to the Snooper’s Charter, from Target to Yahoo there has been no good news. Forget that the press will not print good news if they can possibly help it, things actually are getting worse. State sponsored attacks, organised crime, numerous vulnerabilities in Android and iOS, irresponsible Internet of Things manufacturers, there is little to smile about.

But instead of coming to the rescue, the cybersecurity industry seems Hell-bent on making it worse by cashing in on the confusion. From biometrics vendors disgracefully overstating their worth, to consulting practices doing everything in their power to cross-sell and upsell their wares, it’s becoming increasingly difficult to know where to turn.

The only bright side? Legislation.

Yes, legislation. The Payments Service Directive (PSD2) and the General Data Protection Regulation (GDPR) – for example – are both designed to start putting things right in payments and data privacy respectively. No one with a vested interest in keeping things the same was ever going to do anything themselves, so now they’ll have to. Banks, large retail, you name it, there will now be a price to pay for how you treat the consumer.

And let’s face it, it’s all about the consumer.

So with the above in mind, these are my predictions for 2017:


  1. ISO 27001 certification will be increasingly important: Unlike PCI which is entirely prescriptive, no other regulation that I have ever seen requires anything other than ‘appropriate‘ or ‘reasonable‘ security measures. Appropriate and reasonably to whom is always the first question. ISO 27001, and other frameworks like it, perform one overarching function; to provide demonstrable evidence that an organisation is taking security seriously. Whether the organisation is actually taking security seriously is another matter, but it is hard to fake certification. Not impossible mind you, just difficult. ‘Compliance’ with GDPR, and other data privacy regulations globally will look to ISO for help.
  2. Biometrics vendors will keep pushing their wares, and fail: OK, so this one is more of a wish than a prediction, but I am so sick of the hype around biometrics that I need to vent. Yes, biometrics if very important, yes, it’s better than a password in most scenarios, but it is NOT an answer by itself. Biometrics will not replace the password, nor will it ever be a solution all by itself. It will do what every other form of authentication should do; take its rightful place in the arsenal of identity management systems.
  3. Amazon GO will be the new model for brick & mortar: Any brick and mortar retailer not terrified by the opening of the Amazon GO store in Seattle is completely missing the point. The point is that consumers don’t care how they PAY, they care how they BUY. Cash, credit cards, even the Apple Pays and their ilk are just forms of payment, they are not relevant to how we choose the products and services we actually BUY. We demand a lot more from our merchants than a glorified cash register. In Invisible Payments, Are They Real? (Aug ’15) I went a little further than Amazon did, and will go even further in a week or so. And while I don’t expect 2017 to see a sharp increase in GO-esque stores, it’s definitely a glimpse of the near future.
  4. Containerised Security Services: Anyone who has looked to Amazon Web Services or Azure for hosting their e-commerce systems often do so in order to outsource security as well. The fact that neither of these services provide much is often a nasty surprise. Yes, the merchants asked the wrong questions (or none at all), but it is incomprehensible to me that vendors like AWM DON’T provide comprehensive security wrappers. 2017 will see an increase in modular and full-service security programs (at least to PCI minimums) from all of the major providers. Hopefully these will be easily understandable and transparent to non-experts, because even the better service providers do a piss-poor job of getting their point across.
  5. Automated Governance, Risk & Compliance: GRC is a fantastic concept, implemented poorly. However, with the ever increasing regulatory landscape, larger organisations simply can’t keep up with the audit  ommitments. GRC tools have traditionally been mostly manual in nature, which explains their lack of adoption. More and more GRC vendors are looking to automate compliance baseline input by providing APIs to end-point vendors (A/V, SIEM, vulnerability scanning etc) for automated input of production system data. 2017 will see GRC vendors finally focusing on the only thing that makes sense; asset management and automated baseline comparisons of known-good profiles.

OK, so 5. is a bit of a stretch, but there’s no way my OCD would allow for only 4 predictions.

What are your predictions?

[If you liked this article, please share! Want more like it, subscribe!]

Cloud Computing

Are Cloud Providers ‘Too Big to Fail’ – Let’s Hope So

In a rather ludicrously titled article (yes, even for me!) ‘Too big to fail’ cloud giants like AWS threaten civilization as we know it” the author nevertheless addresses an interesting point. And while I almost entirely disagree with the final conclusions, they represent a valid, if extreme viewpoint. If those conclusions are a little self-serving, this can be forgiven in light of my own issues with some Cloud Providers.

The basic premise is that traditional hardware (servers etc.) sales are dropping, while cloud-based and managed services are on the rise. With the corresponding drop in hardware related skills (no demand), eventually we’ll be dependent on one of the big providers (Amazon, Google & Microsoft).

This is apparently very bad, as: “If one of these goes down hundreds of thousands of other companies go down too.” This is the “interesting point” I referred to earlier, unfortunately the reasoning presented simply makes no sense. Two examples provided are:

  1. power grid failures or natural disasters – with the fallout propagated worldwide; and
  2. AWS’ hiking of its UK prices post-Brexit as an example of how quickly customers could be affected.

First, suggesting the Google, Amazon or Microsoft have a single point of failure that could take them down globally is ridiculous. Second, with regard price fluctuations, this is likely the result of organisations choosing a provider based on price alone, and not performing adequate due diligence. In trying to save money by using US based provider, and not writing mitigating language into contract, you are the ones leaving yourselves exposed.

I’m really not picking on either the subject of the article, or the author, I’m just using this to demonstrate my point. Cloud services, done PROPERLY, are the future. Or without the stupid buzz-phrase; outsourced services over the Internet are the future of infrastructure management. The issue is that a lot of Cloud services are abysmal, and the due diligence performed by many organisations nothing short of a disgrace.

But outsource they will, and they should. For example, how many organisation really want to hire dedicated teams to perform all of the following;

  1. Design Operating System Hardening Guides;
  2. Build and maintain servers;
  3. Install and configure all relevant security software/application;
  4. Patching and Vulnerability Management;
  5. Data Encryption;
  6. Access Control;
  7. Logging & Monitoring
  8. …and the list goes on.

Whilst finding a single cloud provider to take care of this is almost impossible at this stage, that’s where it’s going. Only the economy of scale available to large providers can make these offerings cost effective enough to be an option for non-enterprise businesses. And frankly, the only businesses who actually care about how data is made available, are the ones being paid to make it happen for someone else.

The motivations behind the referenced article are rather simple to deduce; 1) they have a vested interest in selling hardware, and b) they can make more money through channel than Cloud.

Fair enough, but channel’s loss of market share, and their inability to pivot is entirely their fault. They are now suffering because they have never tried to put their products into perspective. The rush to maximise profit margins was at the expense of making themselves a truly valuable partner.

If channel had only put a consulting wrapper around their offerings, they could still be selling solutions, not stuck trying to flog pieces of metal and plastic.

Perhaps this article will make more sense now they they are feeling the pain; Attention Channels/Resellers, Don’t Forget Consulting Services!

[If you liked this article, please share! Want more like it, subscribe!]

Gartner’s Top 10 for InfoSec in 2016: 10 More Useless Acronyms?

On June 15th, Gartner released it’s Top 10 Technologies for Information Security in 2016. As a security ‘professional’ with over 15 years front-line experience, it has taken me this long to find out what half of these things are even trying to achieve. My initial impression was that this was just an attempt to corner the market on acronyms.

Now that I’ve had a little more time to look at them, it’s not just about acronyms, it’s about selling things. Things the vast majority of businesses don’t need. Things that if you DID introduce them into your current environment it would be like building a castle on a swamp (hope you got the Monty Python reference);

Utterly useless, expensive, and completely missing the point.

The breakdown:

  1. Cloud Access Security Brokers (CASBs), provide a “…critical control point for the secure and compliant use of cloud services across multiple cloud providers.” – In the real world this is called performing proper due diligence, before you outsource to a cloud provider. The right reporting should be built into the SLAs. Good God, even the PCI DSS makes this a requirement!
  2. Endpoint Detection and Response (EDR), “EDR tools typically record numerous endpoint and network events, and store this information either locally on the endpoint or in a centralized database.” then compare the output to “known indicators of compromise (IOC)“. [Ed. note the 2-for-1 on the acronym front] – Why the Hell would you wait for a ‘known indicator of compromise’ instead of trying to fix the problem pro-actively first?!  Hardening guides, vulnerability management, system baselining, FIM et al are all designed to produce baselines of known-good configs thereby minimising exposure. This is nothing more than a rebranding of basic security tenet in order to sell a technology.
  3. Non-Signature Approaches for Endpoint Prevention, uses “machine learning-based malware prevention using mathematical models as an alternative to signatures for malware identification and blocking.” – Seriously (see 2. above)? Once you have your system at a known-good config, stop anything NOT that. Are you seriously going to spend God-knows how much on a new technology instead of doing what you SHOULD have doing all along …for free(ish)?
  4. User and Entity Behavioral Analytics (EUBA), “…provides user-centric analytics around user behavior, but also around other entities such as endpoints, networks and applications.” – This one just pisses me off, and I can only assume Gartner were paid a ton of money by EUBA vendors to add this to the list. This is the THIRD nod to baselining and I’m only at number 4 on the list.
  5. Microsegmentation and Flow Visibility, which is basically more granular segmentation (think system-to-system instead of the usual network-to-network). – So let’s see; most organisations have horrible segmentation at the network level, so to combat this, buy a technology that puts the ‘firewalls’ on each endpoint and maps your traffic flows at that level. I have an idea, why don’t you just do segmentation properly with the infrastructure you have and THEN decide if you need more. I seriously doubt you will unless you’re an IaaS/PaaS provider.
  6. Security Testing for DevOps (DevSecOps) – In other words; building security and security testing into every step of the development process. This is new? I have to assume this was just padding to avoid a Top 9 scenario.
  7. Intelligence-Driven Security Operations Center Orchestration Solutions, “an intelligence-driven SOC [ISOC] also needs to move beyond traditional defenses, with an adaptive architecture and context-aware components.” – So what you’re saying is; Let me know if something happens that’s not normal? Errr, isn’t that reporting events outside of a KNOWN-GOOD BASELINE!?!
  8. Remote Browser solutions “…remotely present the browser session from a “browser server” (typically Linux based) running on-premises or delivered as a cloud-based service.” – This one kinda makes sense, but haven’t we had jump-servers for decades that could do something very similar?
  9. Deception “technologies are defined by the use of deceits and/or tricks designed to thwart, or throw off, an attacker’s cognitive processes, disrupt an attacker’s automation tools, delay an attacker’s activities or disrupt breach progression.” – Anyone who uses this technology deserves to be hacked. This is perhaps the stupidest concept I have ever seen and I cannot believe it’s on anyone’s list. Gartner should actually be ashamed of themselves.
  10. Pervasive Trust Services, “As enterprise security departments are asked to extend their protection capabilities to operational technology and the Internet of Things, new security models must emerge to provision and manage trust at scale.” – Finally we agree on something; centralised management of end-points based on known-good configs.

As far as I am concerned, 99.9% of organisations can effectively ignore this Top 10 list. You will NEVER find a technology that fixes stupid. Just do security properly and you’ll achieve what every organisation is looking for; appropriate, value-for-money, security.

It’s a shame Gartner can’t monitise a ‘Top 10 Information Security Back to Basics’, that would actually be worth a read.