Insights For Success

Strategy, Innovation, Leadership and Security

General

Quebec to change tax collection rules for foreign tech companies

GeneralEdward Kiledjian

Montreal's La Presse newspaper is reporting that "two high-level government sources" have confirmed that the upcoming Quebec budget (March 27, 2018) will include new sales taxes levied on foreign tech companies like Netflix, Amazon, Google, and Apple, that do not have a Quebec presence. 

As it currently stands, these non-resident foreign companies are not expected to collect sales taxes from consumers. Under current regulations, the government expects consumers to auto-report these purchases and submit the necessary taxes. 

Based on a November report, the Quebec government believes it lost 270M$ during the previous fiscal year because of this collection model. 

Additionally, the government believes local merchants selling online are disadvantaged by the extra tax burden

The intent will be to:

  • collect sales tax on products and services (intangible) coming from outside of Canada
  • collect sales tax on physical goods physical goods coming from outside of  Canada
  • collect sales tax on goods (tangible or intangible) coming from the rest of Canada

La Presse reports that these new tax rules will be implemented regardless of Ottawa's position or opinion. 

What makes a good Chief Information Security Officer (CISO)

GeneralEdward Kiledjian

Only five years ago, the title of Chief Information Security Officer was likely awarded to an employee that had worked hard and was dedicated to the company. It was an honorific title often given as a reward. Times have changed and companies need a new breed of CISO.

The number, severity, and impacts of cyber threats are continually increasing. Companies now rely on complex highly integrated IT systems whose confidentiality, availability and integrity are paramount. 

The WannaCry ransomware was a good example of how poorly managed security can cripple an organization. The National Health Service in the United Kingdom had up to 70,000 infected devices and was forced to turn away non-emergency patients. (1)

The CISO is now a senior-level business executive who can directly impact the profitability and viability of an entire organization. Instead of being a technical specialist, the CISO must now be a seasoned business leader that can become a trusted advisor to other executives within the organization. 

CISOs can help maintain your brand value, help build relationships with various stakeholders, and are charged with protecting an organization's most important assets (the digital ones).

The job of a true modern CISO is getting harder by the day, and organizations need to ensure they have the best CISO they can find & afford, to guiding them. 

If we agree that the nature of the CISO's role has changed and that the modern CISO is a very different creature than his predecessor, what makes a good CISO?

1 - Problem solvers

A modern-day CISO can solve complex rapidly changing problems under stress and high pressure. A CISO must enjoy solving complex puzzles while being able to juggle day-to-day tasks and driving the organization's long-term vision. The CISO must understand that every decision made today can have dramatic repercussions tomorrow. 

2- The CISO must be a people person

The modern CISO is often a front-line representative of the organization to shareholders, customers, partners, and regulators. They must have the ability to build strong relationships based on trust and respect. The CISO must have the ability to communicate complex security issues to stakeholders that may not understand even basic IT. The modern CISO must be a people person. The modern CISO must lead his team with fervor and engender commitment from the security team. 

3 - The CISO is a citizen of the world

Information flows without respective national boundaries, but companies are being asked to navigate complex global regulations that sometimes contradict each other. The only way a CISO can manage this increasingly complex regulatory environment is with non-traditional skills (for an IT person) that include law, business, compliance and governmental relations. 

4 - The CISO must be business minded

The CISO must make security decisions based on how it impacts the organization or enables the organization to perform its primary business functions. The CISO must weight security decisions against profitability, efficiency and must build a competitive advantage for the organization. A CISO must be obsessed with efficiency and must be resource conscious (people, time and money). Gone are the days when a CISO makes purely technical decisions based on technical need. 

5- CISOs tend to be workaholics

Even if work-life balance is all the rage, a CISO is always on call. Unfortunately, the bad guys never take a break and often neither does the CISO. It is common for a CISO to work long hours and weekends while guiding the organization to where it needs to go. The modern CISO is humble and respects the capabilities of his/her adversaries. A CISO must always be vigilant. A CISO is continually thinking about how he/she will keep the organization one step ahead of threat actors.

6 - Strong team building skills

CISOs work long and hard but so do their teams. A CISO must be self-confident enough to hire the highly skilled professionals the organization needs to succeed. I have met many CISOs who refused to hire employees that were more technically competent than them for fear of being replaced. This is the reflex of a "bad" CISO that doesn't understand his/her new role. A good CISO will hire the best resources he/she can find and them coach them to grow and become exceptional. The stronger the team, the better the CISO.

7 - Your CISO doesn't need to be certified 

Full disclosure, I do not currently hold any security certifications but I believe I can challenge anyone that does. The CISO is a business professional with security experience, not a security professional with business experience. 

You should rely on the proven track record.

Conclusion

The role of CISO is constantly changing, and the ideal candidate must also be constantly evolving.  I have been a security executive since 2001 and have seen the role of CISO morph from a backroom function performed by geeks, to a font of the house leader that can communicate with clients and regulators. The right CISO can drive business growth while the wrong one can sink your entire organization. 

Invest the time, energy and resources required to hire the right CISO for your company. If you have a CISO already, make sure he/she is the right one your organization needs right now. 

---------------------------------------------

(1) Ungoed-Thomas, Jon; Henry, Robin; Gadher, Dipesh (14 May 2017). "Cyber-attack guides promoted on YouTube"The Sunday Times. Retrieved 14 May2017.

Canadians can find out what data a company stores about them

GeneralEdward Kiledjian

The average consumer is starting to realize how much personal data companies collect about them. 

RELATEDHow Target knows you are pregnant through data analytics

Consumers should be concerned about what data is collected, how is is used and who it is shared with. 

Canadian privacy laws ( like Personal Information Protection and Electronic Documents Act) allow consumers to access their information (aka companies must respond to a request for personal information held by the company).

Principle 4.9: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
— PIPEDA

PIPEDA section 4.9 mandates that companies respond to Data Access Requests within 30 days of receipt. The information must be made available for free or at a reasonable cost.

Principle 4.9.4: An organization shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual.
— PIPEDA

Some companies use legally complex wording and vague statements in their privacy policies to hide the level of detail collected and to obfuscate how it is used. The Data Access Request allows any individual to understand (and see) what has been collected and what is being done with their information. 

What is a Data Access Request?

Toronto based Citizen Lab has created and operated a site called Access My Info. The site was created to simplify how Canadian's create and submit Data Access Requests using templates. 

Testing it

I will submit a couple of test requests and see how companies respond. If you are a Canadian, I encourage you to try this as well.

OPSEC : Backup Strategy for the Security Conscious

GeneralEdward Kiledjian

RELATED: The best way to protect your data - images, music, documents

Even with all of the technological advancements we have made, backups are usually overlooked by the "average Joe" until something significant occurs (causing a massive shift in paradigm). 

Why backup

Traditionally we backed up our information in case the physical media we used (hard drive, DVD, ZIP Drive cartridge, Bernoulli Box, etc.) had a catastrophic incident. 

Modern headaches that we add to the justification list now include malware and cryptoware data modification, seizure at a border crossing or shutdown of a cloud service. 

When thinking about backups (as a security conscious individual), you are concerned about:

  • Recovering your files in their original format (not some compressed low-quality version of your precious originals)
  • Ensuring that only YOU can access your backed up information 

Know thyself

Before we can discuss how to protect your information, we need to know what and where that information is

Inventorying your information is not as simple as it first appears... Think of everywhere you have stored digital data. 

  • You have one or more email accounts possibly with various providers (Hotmail, Outlook, GMAIL, Yahoo Mail, your ISP, etc)
  • You could have contact information on Google, iCloud, Samsung Contacts, etc
  • You may have documents in Dropbox, Google Drive, Microsoft OneDrive, various 3rd party apps (diaries, note taking apps, etc)
  • You may have information (sometimes even forgotten) on USB keys, SD cards, CD/DVD disks, etc
  • This blog has information (articles) going back 7+ years

You get the picture. What first seems like a basic easy to answer question could quickly turn into a monstrous inventory activity. 

Once you know what you have, you then need to figure out which of these sources is the "master" copy. It is not uncommon for people to knowingly or unknowingly load duplicate information across multiple different storage mediums. This of the master as the version that you are likely to keep the most up to date. 

As an example, I recently did a photo duplicate cleanup and realized 15% of my total 1.5TB photo storage was duplicate files I had accumulated over the years. 

RELATED: OPSEC - How to securely delete files

It's time to strategize

In a previous article, I talked about the 3-2-1 backup strategy. The exact entry from my previous article was:

This is a simple way to remember the right way to backup and protect your data. 

  • You should always have 3 copies of your important data. This means one primary (aka the one you use on a daily basis) and 2 copies as backups.
  • You should always have your backups on 2 different types of media (one of your backups can be to an external hard disk while the other one should be to another type of media like DVD disk or to an online service).
  • You should always store 1 copy of your data to "somewhere else". This is to ensure recoverability in case your house or business experience a natural disaster. Now in most cases, this can be one of the popular online backup services or it can simply be you manually storing the media in another location like your office, a bank vault or leaving it in a friends house. To be extra careful, it is recommended to built-in some distance between you and the offsite backup in case a natural disaster eats a good part of your city. 

The reason we create the information inventory in the previous step is so that you can also backup your application datasets. As an example, if you use Google contacts, maybe export the file monthly in CSV format and make sure it is backed up (don't rely on the goodwill of the provider since they always cap their liability in the event of a catastrophic incident). If you use a journaling application, maybe export your entries in PDF and back that up. If you have pictures sitting on your smartphone, make sure a copy is taken and added to your backup strategy (Google Photos is good but it stored an "optimized" version which is not original). 

People often forget to back up basic information like their emails. To do this, you may need to install a "fat" email client on your computer and pull all the emails (or copies of them) from your mail provider then backup the local program database. Google isn't going away but there have been countless tales of users "losing" access to their accounts for months because Google made an arbitrary decision. Unless you are running your own infrastructure, assume the provider can stop your service and hijack your data at any time. 

A couple of years ago, I spent weeks scanning all my paper documents so that I could have digital easy to move, easy to backup versions. You will likely have to do the same.

Where to store your backups

Back to my 3-2-1 backup model, you should have 2 copies of the data you physically control and one up in the heavens we call "the cloud".

The size of your backup will dictate what kind of physical media you store it on. When backups were small, many users could get away with storing them on CD/DVD/Tape drives but these aren't practical for most modern users.

Most of you will likely store your local copies on some type of large local storage medium such as a USB key and/or hard-drive. If possible, store your local copies on 2 different mediums (USB key AND hard drive) or Spinning hard drive and SSD drives. 

You need one copy in the cloud. Local copies are great because you can restore access almost instantly, but if a major incident occurs, you may lose both of your physical copies. That is when your backup of last resort comes in (aka cloud backup). Remember to protect your cloud backups. You can do this by pre-encrypting the information before uploading it (which works if your backup is small and you are uploading to a service like Google Drive, Microsoft OneDrive or Dropbox). The other option is to use a backup service that lets you hold on to the encryption/decryption keys like Carbonite and Backblaze.

Make sure your backup provider has version control enabled. This means they store multiple versions of files. This is useful if you are infected with cryptolocker like malware that encrypts your files, you can go back to a version pre-encryption. This is also useful if you delete a file by mistake and want to go back in time and bring it back.

It's a process

Once you figure out what your backup strategy will be, you need to ensure it is "run" regularly. Nothing is worse than having a plan and then losing six months of data because you forgot to backup. Most cloud services offer near-line backups which is a nice set it and forget it model. 

You will have to ensure your local copies are regularly updated also. On my mac, I use the built-in and free RSYNC command in the terminal to synchronize via a scheduled task. There are also a tone of reasonably priced on device backup apps (if you don't want to fiddle with the terminal). These are examples but not endorsements:

Review of the Tom Bihn Synapse 25 EDC backpack

GeneralEdward Kiledjian

If you have been reading my blog for a while, you know I evangelize the benefits of one bag travel. My go-to bag for the last ten years has been the RedOxx AirBoss, but I regularly get questions about Tom Bihn bags.

My 5-11 Rush 24 work backpack was starting to fall apart, and in my quest to find the "best" bag for me, I spend three months reviewing various bags. Here is my review of the Tom Bihn Synapse 25 backpack. 

The Tom Bihn Synapse 25 should be considered an Every day Carry (EDC) type of bag. While reviewing the bag, I wanted to evaluate :

  • the capacity
  • will it last
  • the look
  • daily use experience

The bag

I own many RedOxx products, and they are all made from a super durable canvas like material. RedOxx bags have a particular look and are designed for adventure first and foremost. This comes through immediately when you see the bag's metal clips, crazy strong claw strap, YKK number 10 zippers and the incredible stitching. 

Although the Tom Bihn looks more "conventional", the materials are all high quality, and you see this immediately with the zippers. The main section uses strong YKK #10 zippers Aquaguard, which are water resistant. The other compartments use YKK #8 Aquaguard.  You immediately notice that every component was purposefully chosen for looks, use, and durability. 

Color matched rubbery coating on the inside of the zippers.

Whereas my RedOxx bag zippers' chunkiness is immediately visible, the Tom Bihn Synapse 25 design blends them into the overall bag. 

Most backpack manufacturers throw two external size bottle holders, and the Synapse 25 only holds one bottle, but you realize why. The designers created a special bottle holder pocket in the middle of the backpack (it expands outward, so you don't lose packing space). At first, I found this strange until I realized this was done to maintain the proper balance of your backpack. As you use this bag, you realize a lot of thought has gone into every aspect of it. 

Right underneath the water bottle pocket is a smaller throw anything type pocket. When traveling, this is a great place to throw keys, your wallet, passport, small bud style headphones at the security checkpoint. When you realize how many personal items people forget at security checkpoints, you stop throwing your stuff in those plastic bins, and you want to shove them in these types of pockets. During daily use, I have a small personal first aid kit I carry here. 

Each side has a medium sized longish pocket where I store my beloved Julbo sunglasses. The right-hand pocket has a small organizational sinch pocket. The left one has storage for pens and a small/medium multitool. 

There is a bottom pocket that can be used to store (while traveling) packing cubes, small shoes, snacks, a jacket, toiletry bag or other items you may want quick access to. During my day to day use, I store my laptop power adapter and sizeable OmniCharge battery here with an assortment of cables. 

Loops, loops, and more loops (aka O rings). All Tom Bihn products are made to work together, and these loops are the key. You can use the countless loops to attack their cubes, caches or organizer bags inside any of the pockets. The Tom Bihn laptop sleeve allows me to pull out the sleeve at a security checkpoint for review, without the risk of forgetting my precious laptop at the TSA checkpoint.

The Freudian Slip

First, you have to laugh at the name and acknowledge these designers have a sense of humor. The Synapse 25 was designed to go from an EDC office bag to a travel system but how do you organize your office knick-knacks without permanently sacrificing space when traveling? You make the office organizer removable. 
The Freudian Slip 25 is designed to fit perfectly in your Synapse 25 and has 15 organizational pockets to store all of your stuff. It has two folder pockets, four open top pockets for small electronics, two mesh pockets, two pen pockets and of course a business card pocket. 

It costs $50 but can be a real organizational dream for Every day Carry. I use mine every day to carry papers, a notebook, my Skyroam Global Wifi hotspot and more. There are so many pockets most of mine are empty but still a wonderful add-on I highly recommend.

The lighting

They sell an Action Lights Guardian light on a strap you can hang on the inside of your bag (so you can find your items even at night). I already own a couple of guardian lights and love them for their durability, but I think they chose the wrong light for internal illumination. Don't get me wrong, the Guardian light is good for internal illumination but the GloTube is much better. There is free advice to your Tom Bihn designers. 

The bag also comes with an external strap that blends in and is invisible when not used, but allows you to strap an external Guardian light for visibility at night (walking, bicycling, etc.)

The details

Tom Bihn offers dozens of pouches, organizers, and straps that you can add to the Synapse 25 to customize it and make it your own. Evey accessory has a strap, hook or locking system that allows you to use it with every one of their products. These hooks are always robust and easy to use. 


It is only after a couple of weeks of use that I started to realize how much thought and care was given to every aspect of the backpack. As you use the bag and realize all of the design decisions they have made to make your life a little bit better, you can't help but fall in love with the product. 

The durability

In addition to very carefully thought out design, this bag is built durable without looking like it came from an Army Surplus store. I carried this bag into executive meetings and never felt out of place. This is especially surprising when you realize the quality of the components they have used. 

Tom Bihn advertises the shell material as 400d Halcyon which is a 420 denier ultra-high-molecular polyethylene ripstop material coated with a light urethane to make it water resistant. 

It feels like a soft high-quality nylon that can withstand being overstuffed and force zipped. The stitching is hidden where possible and where you can see it, it is high quality and you know it is going to be durable.  

The straps are basic and nicely padded. It feels solid and is comfortable for extended use. Many of the tactical bags have more padding but even when loaded, the Synapse never felt uncomfortable. 

This is the type of bag that will probably last for20 years without any issues.

The look

This is a bag designed for techies and not for ultra-modern style conscious turtleneck wearing millennials. Bags like the Minaal are much appropriate for those looking for stylish minimalist bags that can blend into the snobbish New York design scene. 

The Synapse 25 isn't "sexy" because it doesn't have a "modern" look. It doesn't have any waxed canvas or leather accents. 

The Synapse 25 is an ultra-utilitarian functionality first bag. Now to be clear. I carried the 5-11 Rush 24 tactical bag, so I am more concerned with usability than looks. 

Regardless of the "lacking" looks, the bag is so wonderfully designed and put together that I am convinced you will fall in love with it. But look at the pictures and judge it for yourself. You will either love it or hate it. 

When using this bag, you realize all of the small carefully thought out design decisions the Tom Bihn team made aligned with their design philosophy. This doesn't just feel like a $40 bag quickly put together to sell in bulk at Costco. 


Every time I use this bag, it is like having a conversation with the designers and learning how to use it better. As you use it, you will change your carry model and realize they thought of optimizations you may not realize until you've carried this for a couple of weeks.

Daily use

To truly rate the usability of a bag, you have to carry it for at least a month. After a month of daily use, I can tell you that the Tom Bihn Synapse 25 is a delight to use. 

Even when carrying it for hours across busy airports, it was comfortable.

The external organization pockets mean you can easily store and find your items without having to dig into a cavernous deep main pocket. 

The bag is packed with innovation that will make travel and daily use a joy, all packed in a deceptively simple looking bag. 
 

Recommendations

Handles on bags are important when you travel, and although the belt-like carry strap is durable, I wish it was a little more padded. For a bag that is so well designed, this top carry strap felt a little underwhelming. 

Like the carry strap, the belt strap (which is removable) is a thin strap of webbing material IT will definitely last but isn't very comfortable to use. Luckily it isn't something I use often, and I disconnect it and leave it at home

As mentioned above, I would replace the internal light (which is back ordered as I write this) to a GloTube instead.

I bought the chest strap upgrade that includes a whistle but it is a pretty useless whistle. They should have made something that sounds more like a JetScreem whistle than a quacking duck.

Conclusions

Using this bag for a month convinced me that this is my new every day carry backpack (and not just something I test, review and forget about). 

Every couple of days I slightly optimize my storage strategy and realize that this bag was conceived by incredibly talented designers, with strong knowledge of bag design, and that everything was done with intention. 

Using this bag is like having a conversation with the designers. This is the best way I can describe it. 

As long as the look pleases you, you will be delighted with this bag. Over the coming year, I hope to get my hands on more Tom Bihn products so I can review them for you. 

When I bought my first RedOxx product, I felt like I started a relationship with the company because they had a design philosophy I agreed with and subscribed to. 

Most bags since (even the Minaal, Tortuga, AER, etc. ) didn't have this special feeling. They felt like products. 

Having used the Synapse 25 for over a month now, I feel the same attraction to Tom Bihn as I did (and do) for RedOxx. These are companies with strong design principles that permeate throughout their entire product line. If you agree with those principles (and you really should), the Synapse 25 may be the gateway drug that draws you deep into the Tom Bihn line.

So do I recommend it? Absolutely without any reservation.