Disruptive Innovation

Enough With the Disruptive Innovation. Collaborate or Fail.

[This is taken in large part from an earlier blog, but I feel it needs updating to include more than just payments.]

‘Disruptive Innovation’ has become a common cry for anyone wanting to displace the existing players. It is defined as: “an innovation that helps create a new market and value network, and eventually disrupts an existing market and value network (over a few years or decades), displacing an earlier technology.”

Unfortunately the original concept is now grossly misapplied. But just as ‘irony’ now has several meanings, I guess disruptive innovation will take on different meanings depending on its context.

However, I’ve never heard anyone using the phrase ‘Sustaining Innovation’, which “does not create new markets or value networks but rather only evolves existing ones with better value, allowing the firms within to compete against each other’s sustaining improvements.”

So why is everyone so interested in disrupting the existing ecosystems? And by “everyone” I of course mean those who are trying either to break into the market, or to wrest even more control for themselves. In payments (my example), non-cash payments work [mostly], and you have a large degree of faith in your bank’s ability to protect your monetary assets. Do you really want the whole thing to change? Do you even know what it is that you want to be different?

But do things even need to change? Well yes actually, they do. And are there innovations available NOW that make the payments process easier, cheaper, and more secure for the consumer? Yes, there are. However, can we expect the entire payment industry to throw out everything they have spent billions on over the last few decades, and that is used BY billions, just to make room for every start-up with a good idea? No, we can’t, and that’s the real issue here.

In the last 10 years there have only been 2 true [potential] disruptors in the payments industry: the mobile phone, and block chains (Bitcoin et al), neither of which has achieved anywhere near its full potential. Yet. Not because the technologies are flawed [necessarily], but because the introduction OF the technologies was done poorly. For mobile devices, the payments challenges included the ‘fight’ between NFC and Bluetooth, the numerous options for security on the device (Secure Elements, Trusted Execution Environments and so on), and the presumed insecurity of the technology overall. For block chains it was, and still is, the almost complete lack of understanding of how they even work in the first place. I’ve looked into them and I still find the concept nearly incomprehensible.

But even these disruptors need current context, and they represent a fundamental shift from our overly complicated view of payments back to its basics: I go to work to earn value (money), the value gets stored somewhere (a bank), and I access the value when I want it regardless of time or location (mobile payment). This would suggest that the only disruption we really need is the disintermediation of some of the players. There are simply too many middle-men whose only input to the new world of payments will be value erosion. Thank God the Mobile Network Operators (MNOs) are too busy bickering amongst themselves or this would be even more complicated!

As a consumer who has a very good idea of what he wants to see change, I know that only those who help the payments industry evolve will have a lasting positive impact, and this will only be through collaboration and fair competition.

I’ve used payments as an example, because that’s what I know the best, but the same can be said for almost every other industry sector. The drive to take away what others have, instead of providing a better service for the common good, is capitalism at its worst. And no, I’m not proposing some sort of socialism, it’s just logic: what’s easier? Completely replacing something, or improving what we have in collaboration with multiple players?

It’s not like there isn’t enough to go around.

[If you liked this article, please share! Want more like it, subscribe!]

Peerlyst: Essentials of Cybersecurity

PEERLYST e-book: “Essentials of Cybersecurity”

In almost 4 years, and over 250 blogs, I have only promoted something – other than myself of course – once: The Analogies Project.

I find myself doing the same thing for PEERLYST for much the same reasons: 1) its purpose is to educate, not sell, 2) its members are incredibly generous with their time, and 3) it’s free. I recommend that anyone already in, or who WANTS to be in, the field of cybersecurity not only join, but actively participate.

To me, an important measure of any of these forums is the output. I’m not looking to promote myself or my business – that’s LinkedIn; I’m not looking to vent – that’s Facebook; and I’m not looking to be as pointless as Donald Trump – that’s Twitter. Therefore, a forum that allows me to share my knowledge with anyone desperate enough to listen, as well as support me in the countless instances where I need guidance, will get my attention.

As for output, PEERLYST recently published a new e-book – their second – free to all members: “Essentials of Cybersecurity” [The link will only work if you’re already a member]. It consists of 10 chapters, the first of which I was given the honour of writing:

  1. Starting at the Beginning: Why You Should Have a Security Program by me
  2. Understanding the Underlying Theories of Cybersecurity by Dean Webb
  3. Driving Effective Security with Metrics by Anthony Noblett
  4. A Security Compromise Lexicon by Nicole Lamoureux
  5. Building a Corporate Security Culture by Dawid Balut
  6. Why People Are Your Most Important Security Asset by Darrell Drystek
  7. Basic Security Hygiene Controls and Mitigations by Joe Gray
  8. Understanding Central Areas of Enterprise Defense by Brad Voris
  9. Telecom Security 101: What You Need to Know by Eric Klein
  10. Strengthen Your Security Arsenal by Fine-Tuning Enterprise Tools by Puneet Mehta

Some of these folks not only donated significant amounts of their time on this e-book, but have already signed themselves up for one of the THREE new e-books already in the works! THIS is the kind of forum with which I want to be associated.

Go take a look, hope to see you there.


What Will Brexit Mean for Cybersecurity?

No idea.

But let’s be honest, everyone will be making wild speculations at this point, just as ‘experts’ in every other field will be. The only thing for certain, is that the UNcertainty will be used by security vendors to try to scare UK companies into buying something.

This one is unrelated, but is actually very good and you should read it first: Brexit: The Implications for the Insurance Industry.

Two of the pending EU laws in the pipeline that will be most cited are the Payment Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR). While neither of these relates to information security per se, security is an enormously important component of each, and penalties will be commensurate with the egregiousness of the data misuse/loss.

The UK would have had to make these into law within the next 2-3 years, but now what? If we’re not IN the EU, do we have to follow the EU rules? Can’t we just do our own thing, like the US?

Well yes, we could, all we’d have to do is adopt something like Safe Harbor and all EU countries would be more than happy to do business with us. Right?

I don’t think so somehow.

Clearly the UK would never put itself in that position [praying silently], and seeing as both PSD2 and GDPR are fully supported by the UK, I would very much doubt any UK-only law would be markedly different. But ANY difference will still complicate things for UK businesses. It will likely require UK organisations to be far more pro-active in the demonstration of their compliance than would otherwise be necessary.

And if there’s one thing that no organisation I have ever come across is good at, it’s the demonstration of good security practices.

Not one.

Luckily for us, there is absolutely nothing in ANY regulation of which I am aware that requires anything more than ‘appropriate’ controls. From the GDPR for example: “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”

This is the greatest thing about my chosen career: information security cares nothing for law, regulation, compliance, geography, or politics. It’s about a piece of data, on a computer, that someone wants to steal. Everything else is just reporting.

However, getting to the point where the demonstration of compliance is business as usual is extremely difficult. Not complicated, just difficult. It’s actually very simple: all you have to do is get the CEO/BoD to care about it and it will happen. Easy, right?

UK organisations had 2 years from May 25th to demonstrate compliance with the GDPR, now [potentially] they have to demonstrate their equivalent compliance to every EU business with whom they want to transact. And you thought answering RFPs was bad now!

Nothing will change anytime soon, but in the meantime, just do what you know you should have been doing all along, and start now.

Don’t know how? Ask.

Why I Offer a ‘CEO Discount’

A CEO Discount is when I offer an organisation a 10% reduction on my consultancy day-rate if they can arrange for a 30 minute 1-on-1, face-to-face, with the CEO.

Sound like a gimmick? Well, partially it is; I’m trying to run a business. But it’s only partially a gimmick, as it is also extremely beneficial to both sides. It also addresses the most fundamental of all security challenges: management buy-in.

From the client side: no project, especially one related to security, gets anywhere near the amount of support from all levels of the organisation that it needs to be a) operationally effective, and b) cost effective. If the CEO offers not only their verbal support, but active/pro-active support behind an objective, it becomes everyone’s priority. As I’ve quoted incessantly: “If my boss doesn’t care about something, guess how much I care about it.” This begins at the CEO level and doesn’t stop until the most junior person is equally infected by apathy, indifference, or both.

If the CEO cares, or is seen to care, security related projects tend to finish in half the time, at half the cost, and with double the effectiveness and sustainability. Yes, I just made these statistics up, but in 15+ years doing this stuff I would be very surprised if I’m off by much.

From my side: if the prospective client is not prepared to even entertain the notion of approaching their CEO, that tells me all I need to know about their security culture. They don’t have one.

A phrase I have used MANY times now: “Let’s be very clear; the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEO’s fault, and no-one else’s.”

I should UP my day-rate if I DON’T get to see the CEO!

So with just 30 minutes of prep, which will hopefully result in an agreement from the CEO to send just 3 emails over the next 6 months (which I will even draft), I will have removed the vast majority of roadblocks faced by every security person, usually on a daily basis.

Most security people feel, in the words of the hopefully immortal Billy Connolly, “…as welcome as a fart in a spacesuit”, and anything I can do to deflect that stigma is worth a measly 10%.

Anyway, what are the 3 emails I referred to (grossly summarised)?

  1. “Dear All, a company-wide security program is happening, this is VERY important to me, pay attention and give the implementation team your full support. I will be receiving regular reports.”;
  2. “Dear All, we have finished the security framework, and released the new policies, procedures and standards that will dictate how we conduct our business from this point forward. An education and training program will be released shortly, and your FULL cooperation is expected. I will be receiving regular reports.”, and (if required);
  3. “Dear Some, [and I know who you are from my reports] you are not taking this program seriously, start doing so or there will be consequences.”

Of course, this is all very negative, but there is no reason this could not be organised as more of a ‘carrot’ than ‘stick’ exercise. Marketing/PR should be allowed to focus their communication skills and efforts internally when stakes are this high.

It takes just one visionary CEO in an organisation’s history to get the ball rolling in the right direction; the security program should then become completely self-sustaining as the obvious and ever-growing need for security becomes embedded in the culture. There is no security until everyone accepts their individual accountability for it, and is active in doing their part.

With any security program, individual incumbents in ANY role should take a backseat to the company-wide culture, even the CEO. The reason most security programs fail is because they were driven by the security department without the necessary support from senior leadership. From my perspective, if the CEO doesn’t support something, don’t even bother trying to implement it, even if it’s the right thing to do.

Why do you think so many CSOs and CISOs fail? A few are clearly incompetent, but the majority of them just didn’t get enough support to make positive change.

If a few hours a year of the CEO’s time to instill a business saving culture is too much to ask, they will be breached, and they will deserve it.

Manager or Leader? I’ll Take The Third Option Please

Have you ever noticed that a lot of organisations purporting to embrace change and innovation end up hiring the same type of people who are the majority cause of their current challenges?

‘Talent acquisition’ is much like the famous [mis]quote by Henry Ford: “If I’d asked my customers what they wanted, they’d have said a faster horse.” By sticking to standard job descriptions and not looking for PEOPLE to fulfill the leadership’s vision, companies will get what they ask for, and not what they need.

I’ve never seen a job description yet (that wasn’t written by me, FOR me) that did not set me up for failure before I even began. There are people much better at certain things than me, and who may actually enjoy doing them, why would you give those things to me?

Worst of all, above a certain level of seniority, you wind up being lumped into one of two categories, and if you’re REALLY unlucky, both: Leader and/or Manager.

What if you’re neither?

Here’s a little experiment I conducted:

I typed “books on leadership” into Google and got >271,000,000 hits. If even 0.1% of those are ACTUAL books, that’s 271,000 books on leadership, some of which may even have been written by a true leader. Possible, but unlikely.

Then I typed “books on being a manager” and got >170,000,000 hits. If I apply the same criteria as above, that’s another 170,000 books to plough through.

Finally, I typed “books for neither a manager or a leader” and these are the top 5 hits:

  1. 3 Things That Separate Leaders From Managers – Business Insider
  2. Managers and Leaders: Are They Different? – Harvard Business Review
  3. Why All Managers Must Be Leaders – Forbes
  4. Leaders and managers, leadership and management … – CIPD Courses
  5. Why Managers Can’t Lead and Leaders Can’t Manage

OK, so I’ve completely tipped this in favour of the point I’m trying to make, but not ONE article on the first 5 pages of hits gets close to what I’m saying, which is:

People who are very good at what they do don’t need to be a Leader or a Manager, they need a great leader in whom to believe, and great managers to get the right people on board.

My favourite phrase on leadership is on www.despair.com: “Leaders are like eagles, we don’t have either of them here.” The same could be said for managers; both leadership and managing people are talents, not skills, and the really good ones are equally rare.

What if the skills you need, even temporarily, are actually in someone who’s neither? The odds are they are not, well, not good ones at least.

A good leader has specific attributes that VERY few people have (hence LEADer I suppose), and I truly believe leadership is not something you can learn.

A good manager is, to me, someone who can recognise the talents and skills you HAVE, not the ones they either a) think you might have, or b) want you to have, or c) need you to have for the job at hand.

Focusing on these 2 senior-level talents ignores the vast array of other available talents that require neither of these attributes to provide enormous benefit. Call them subject matter experts, gurus, trusted advisors, or a whole host of meaninglessly clichéd names; what you get is the same: someone who can take the leader’s vision and translate it into something the managers can act upon. Leaders usually can’t manage, managers should rarely lead, and neither has the necessary talents / skills / knowledge to bring the vision to life.

So if you have failed at fulfilling either of these roles (as I have many times), maybe they are not for you. But what you DO have could be of equal importance, if you know what it is.

No one likes to think they’re not a good fit for a senior position, but there’s little reason to extrapolate one or two bad ‘corporate’ fits into the rejection of an entire line of opportunities. Just make damned sure you ask the right questions up front. No, you can’t guarantee an honest answer, but hopefully you’ll know pretty quickly if they sold you down the river.