Insights For Success

Strategy, Innovation, Leadership and Security

leader

Who was Pierre Yves Elliott Trudeau

GeneralEdward Kiledjian

Joseph Philippe Pierre Yves Elliott Trudeau was born in Montreal, Quebec, on October 18, 1919. His father, Charles-Émile Trudeau, was a successful businessman and his mother, Grace Elliott, was an heiress. The Trudeau family got their money from Montreal's timber and fur trade businesses.

Trudeau was educated at the prestigious Collège Jean-de-Brébeuf. He then studied law at the Université de Montréal and political science at Harvard University.

Trudeau's relationship with Lester B Pearson began when they were both young men working in Ottawa. Trudeau was a civil servant, and Pearson was a diplomat. They bonded over their love of politics and hatred of the day's Conservative government.

In 1965, Pearson was elected leader of the Liberal Party of Canada and became prime minister. Trudeau became his close adviser and friend.

Trudeau became the party's leader in 1968; he won on the third ballot and became the Prime Minister of Canada in 1968.

As a minister, Trudeau was responsible for sweeping changes to Canada's criminal code, including decriminalizing homosexuality and abortion.

During his time as Prime Minister, Trudeau helped to solidify Canada's status as an independent nation. He also put forth policies that aimed to improve the lives of all Canadians, regardless of their background or station in life.

Some of Trudeau's significant achievements include the creation of the Canadian Charter of Rights and Freedoms, the official recognition of both English and French as Canada's official languages, and the implementation of a universal healthcare system.

Trudeau was also embroiled in several controversies during his time as Prime Minister. These include the 1970 October Crisis, in which he invoked the War Measures Act to deal with a separatist terrorist group, and the 1980 National Energy Program, which aimed to increase government control over the energy sector but ended up alienating many Western Canadians.

Despite these controversies, Trudeau is considered one of the most influential Prime Ministers in Canadian history. He served for over 15 years, and his legacy continues to shape the country today.

CISOs are stressed and I can prove it

GeneralEdward Kiledjian
face-1013520.jpg

Not a week goes by without some data breach, leak, hack, attack or other significant cybersecurity failures that spills all over blogs and even national media.

Five years ago, only avant-garde companies invested in cybersecurity; today, it has become a must. Companies realize the importance of a solid cybersecurity plan built on the People, Process and Technology pillars. One topic rarely discussed by corporate executives or security leaders is the incredible (and growing) stress the current environment inflicts on CISOs.

hooded-man-2580085.jpg

The stress is real

Stress is a normal way of life for most executives, but CISOs feel an acute level. Nominet's report, in collaboration with Vanson Bourne, The CISO Stress Report - Life Inside the Perimeter: One yes on", was the first quantification of this systemic issue.

In 2019, Nominet and Vanson Bourne conducted 800 online interviews in the USA and U.K (400 C-Suite and 400 CISOs). The included CISOs worked for both public and private corporates with at least 3,000 employees. They were quizzed about work-related stress and its effect on their professional & personal lives.

88 percent of CISOs consider themselves under moderate or high levels of stress

digital-marketing-1725340.jpg

Some Interesting conclusions

  • 7 out of 10 CISOs agree their work-life balance is too heavily weighted towards work (71%)

  • Almost all CISOs are working beyond their contracted hours, on average by 10 hours per week (95%)

  • This equates to extra time worth $30,319 per annum

  • 87% of CISOs say that working additional hours was expected by their organization, while 78% of board members admitted this to be the case

  • 83% of CISOs spend at least half of their evenings and weekends thinking about work

  • Only 2% say they are able to switch off once they’ve left the office

  • Over a third have failed to take all entitled annual leave

  • 45% have missed family milestones or activities

More about the stress

The average tenure of a CISO is 26 months, and many believe stress is the primary motivator of change.

CISOs reported missing important family events such as birthdays, vacations, weddings and even funerals. Even with all the stress and extra working hours, most CISOs aren't taking their full annual leave (or sick days, time off for medical & dental appointments, etc.)

Stuart Reed, vice president at Nominet, suggested that the stress and wear & team on CISOs result from a combination of internal and external factors. The external factors are the headlines your read about, while the internal stresses are the pressure from executives expecting CISOs to "properly" handle these incidents and to provide updates & answers continually.

darts-102919.jpg

What are the most stress inducing elements?

  • 44% being responsible for securing the organization and preventing breaches

  • 40% the need to stay ahead of threat intelligence

  • 39% the long hours worked

  • 65% of those surveyed had suffered a breach in the past 12 months

  • 37% of CISOs consider themselves ultimately % responsible for a breach while 31% of board members agree

  • A fifth of CISOs believe they would be fired as a result, regardless of whether or not they themselves were responsible

leaf-1082118.jpg

What are the effects of the stress?

  • Nearly half of CISOs said the levels of stress they are under has impacted their mental health (48%)

  • 35% also reported that their stress had impacted their physical health

  • 4 out of 10 CISOs said that their stress levels had affected relationships with their partners or children

  • 31% said the stress affected their ability to fully perform at their job

pencil-2878764.jpg

How are CISOs coping with the stress?

  • A quarter of CISOs are turning to medication or alcohol to manage their stress - an increase from 17% a year ago

  • A fifth have taken a leave of absence due to stress (21%)

  • 21% believed there to be no support structures in place within their organization to help deal with stress, while 94% of board members suggest there are

  • 9 out of 10 CISOs would take a pay cut to improve their work-life balance; on average 7.76%, equating to $9,642

grass-455753.jpg

The silver lining

The report suggests that boards of directors are aware of the stress affecting their CISOs (74% of respondents believe that moderate or severe stress impacts their CISO).

As the board of directors and CIOs acknowledge this significant issue, they show more willingness to hire support staff to alleviate some of the stress elements. Ensuring the CISO is surrounded by skilled senior professionals can help alleviate many of the most aggravating elements. These supporting professionals must be experienced security technicians and have strong business acumen, strong interpersonal skills and the ability to work in teams or alone.

Another important stress reliever is ensuring the CISO can honestly share the state of their cyber universe with the executive leadership team to ensure decision-makers universally understand risks and provide executive support to the CISO (guidance and funding). The CISO must know he/she is not alone.

Cybersecurity is growing in importance and, for many organizations, has become the price of entry. Executives have started to understand this important fundamental truth and are now more willing to share the cybersecurity burden.

Conclusion

I built my first security business (a Canada wide security practice) that was later sold to Bell Canada in the early 2000’s and have been actively involved in cybersecurity since. Over the last 20+ years, I have seen the importance of security grow and this has required the creation of the CISO role.

Unfortunately I see too many CISOs that have been promoted to their level of incompetence (read about Peter’s principle here). The job is difficult enough for the professional with the right skills but is deadly for the wrong professional promoted as a reward (not because of merit).

Companies should perform an honest review of their CISOs competence and abilities. Thrusting the wrong person into this role is a disservice to the candidate.

Additionally it is important to realize that most security certifications tackle the technical skills. These are important but form less than 40% of the CISO’s true day to day responsibilities. The key skills (negotiation, strategic vision, budgeting, people management, etc) are completely ignored in most of the certifications companies deem “required” when posting a CISO job. HR leaders must quickly understand the new realities of the CISO role and craft job descriptions akin to that of a business executive leader than a manager for firewalls. This realization is important because a properly skilled CISO will handle the stress much better and therefore will deliver a much higher return on investment for the company.

HR leaders must learn to hire the right candidate for the CISO position

Your cloud provider is making you a target

GeneralEdward Kiledjian

Phishing is a powerful and effective tool and a favorite in the threat actor arsenal. So what happens when your cloud provider gives threat actors a roadmap to steal from you?

A couple of weeks ago, Workday sent a security advisory to its customers regarding a phishing campaign targeting its customers. Although details of the attack campaign are light, here is what I believe is happening based on discussions on various darknet forums.

What was the Workday phishing attack model?

First, none of this is a weakness or vulnerability in Workday or any of its systems or processes. The threat actors send an email to employees, pretending to originate from a high ranking executive (CFO, CEO, SVP HR, etc.) and are asking, asking them to log into "Workday" to fix an issue. This fake Workday site harvests the credentials which then allow the threat actors to log in and change direct deposit accounts for employees thus stealing money. 

Based on reports I have seen, these emails are professionally written (so they do not contain the telltale signs of being a scam) and are currently not being caught by many large spam filtering services.

How did Workday facilitate this attack?

Like many SAAS and cloud service providers, Workday proudly displays a ling list of satisfied customers on its webpage. This marketing list basically becomes an attack plan for these threat actors by knowing exactly which customer to target with which SAAS provider name and which attach to use. 

Security is a balancing act. It always has been and always will be. Ultimate security means severely reduced usability and no marketing. More marketing and usability means less security.
 

Security is a balancing act

Marketing is tasked with growing the business and nothing helps more than social proof (aka showing others that have made the same decision you are thinking about). The fact Workday marketing is publishing hundreds of customer names on its website is aligned with their objective of supporting business growth. After all, why should marketing avoid using all of the tools available to it just to protect the business from some attack that may or may not occur?

Even if marketing hadn’t published an exhaustive list, they probably would publish a press release when a new big-name customer was signed. This means a determine attacker could build his own list of high-value targets. Right?

As an example, they published this press released in April entitled “Workday Continues Momentum in Canada.” This wonderful piece of marketing includes this section:

To be clear, this is not a Workday issue but a generalized cloud services provider issue. As an example, a service provider called CVM solutions has a customer search on its webpage:

 

Where does marketing end and security start? 

Stop making it easy

In addition to publishing a customer list, most Software As A Service (SAAS) companies publish a custom login page for each customer (which is usually pretty easy to find).

In Workday's case, you go here

Enter the customer name of a customer and find their login page

Again this is a common practice by many large SAAS providers. Even a giant like Microsoft does this for their Office 365 in the cloud offering. I searched the web for Microsoft Office 365 success stories and stumbled on blog post. 

So I know the American Cancer Society uses Office 365. I then need an email address to plug into the portal page so Microsoft switches me to their customized Office 365 login portal. In this case, I chose to use a service called Jigsaw.com (from Salesforce.com) and found the email address of their CEO.

Keep in mind that finding email addresses is easy. There are billions of them on the web. There are dozens of hacked site database dumps every week. This is trivial but I chose Data.com just to show it visually here.

You then are sent to the appropriate login page for authentication.

If you are a threat actor, you scrape this page, register a close-looking URL and then target all of the users of Cancer.org you can find (remember there are huge lists everywhere on the web and darknet if you know where to look).

Let's be real

Marketing is a business necessity and every company has an obligation to maximize its top line by leveraging everything it legally can. As a potential customer, I love hearing about other customers that have already chosen the product I am evaluating and learning how they leveraged it to improve their operations (Social Proof - Social Influence). If a vendor tells me that one of my main competitors chose their product and that it is contributing to their success, I really want to know more. How can I leverage their tool too?

If I am a threat actor and determined to phish a particular company, there are other means for me to collect the data I need. A popular technique is called Open Source Intelligence (OSINT for short) and the folks at Rapid7 provide a nice example here

Using OSINT techniques, they provide a list of customers that include SAAS providers in their publicly available SPF records.

So the question is how easy to we want to make it for threat actors? OSINT is intelligence gathered from public legal sources but it still requires a more sophisticated attacker. Publishing a list of customers on your website means even the most garden variety kiddy "attacker" can easily target your customer.

I've spent half my career on the consulting and services provider side and understand the hugely powerful tool of social proof. If I tell a small shop owner other small shops (like his/hers) are using a tool and have found it immensely useful, that is a huge motivator. People love seeing others like them making the same decisions. It validates their choices. 

The company I work for recently conducted product reviews for various security tools, and  having spoken to another large multinational customer was one of the reasons we chose that product. It validated our findings and also showed others (like us) made the same conclusions.

There is no real answer

I'm going to disappoint you and say there is no magical silver bullet . Obviously user awareness is critical, since most often, the human firewall is what will allow or prevent an attack. 

Companies have and will continue using customer names to convince the next prospect to jump on-board. Threat actors will always continue to be create and find news ways to do bad things to good companies.

I believe the only solution is to ensure marketing and security are talking regularly and openly about strategy and impact. It is only through tight collaboration built on mutual respect and trust, that companies can decide what the right balance is between public disclosure and security.

To a hammer, everything looks like a nail. To a security professional, everything looks like a security vulnerability, but it is important to remember that sales is the only reason you are around. Our job as security professionals, is to provide enough security to protect our customers and support our business objectives. 

Body language secrets of top negotiators

GeneralEdward Kiledjian
Image by US department of agriculture used under creative commons license

Image by US department of agriculture used under creative commons license

Communication isn’t only about carefully crafted words. Negotiations aren’t about arguments and leverage. A good experienced negotiator will marry strong arguments & leverage to carefully practised body language.

There have been dozens of studies and research papers on the power of body language during negotiations. An MIT one measured a negotiator’s ability to convince a jury (body language was accurately measured using a body worn device). It turns out that the right body language can significantly improve the negotiators chances of closing a deal (or convincing a jury in this case). The key takeaways were standing upright, facing the jury and speaking in a lower tone.

So clearly there is something to this body language mumbo-jumbo and it is worth studying and practising. To get you started, here are some tips:

  • While your partner is talking, don’t look down, shuffle papers or mentally start thinking about your next argument. Actively listen to what your partner is saying. Show genuine interest.
  • Try to measure your partner’s general modality and body responses. How do they typically sit. How do they talk (modality). How much eye contact do they typically make. How much do they move around. Do your homework and prepare. Know the baseline body language cues of your partner and you will be able to spot variations. You can also use this information to mirror them and more easily build rapport.
  • Look for gesture clusters. Some movements are nothing too complex but sometimes a person will exhibit a series of body gestures together that happen during specific situations. As an example, maybe your partner crosses his arms regularly and you shouldn’t read too much into this. But if he crosses his arms, taps his foot and does XYZ then it means ABC. Look for these cluster gestures, try to figure out what they mean and record it for future negotiations.
  • Last but not least, feet. Look at the feet. They can show impatience, boredom, etc. If you want to come across as strong and trustworthy, feet your feet still.