Friday, October 23, 2015

The Startup World

Fifteen (15) years after the .com bubble burst, the market is once again booming with startups built on niche as well as traditional business ideas. It is not that the startup market dried up in between, but the intensity with which startups are being worked on has picked up again. The .com startups made many mistakes back in the day that compelled entrepreneurs to pull down the shutters and go back to regular / routine jobs. However, with ever-increasing internet penetration and more and more industry segments turning to e-commerce, startups in the IT sector are walking all the way to the bank, smiling.
However, there are some key aspects that would be extremely helpful for entrepreneurs in becoming successful and not getting bogged down by the various pressure points. What I learnt from the .com bubble burst, and then from researching the success stories of various startups, can be called "Wisdom to Drive a Startup to Success".
The points that need to be considered to drive a startup to success are listed below -
  1. Market Research – Don't rely on your idea alone; back it up with tangible research
  2. Welcome Inputs / Feedback – Be open to remodelling your business; being closed to criticism will not bear fruit
  3. Focus – Use horse blinders to keep your focus on your core; once you achieve success, there are many opportunities to expand and diversify
  4. Consumer Preference – Always remember the old marketing joke about what the consumer actually wanted versus what the marketing team envisaged for the product team, which then supplied a dud. Make sure you understand the market need and have a feel for consumer needs
  5. Market Review – Don't take positive feedback as revenue inflow. Praising the product is very different from actually buying it.
  6. Planning – Define a roadmap and stick to the plan; don't overwhelm yourself with over-planning in an attempt to out-plan the market
  7. Hiring – Look for talent with experience. It is also important that a #startup hires a mix of experienced and fresh talent. Experience = Stability, Fresher = Enthusiasm
  8. Venture / Angel Capital – Ensure that the decision is based on a clear RACI of what you want and what the investor expects
  9. Scaling the Operations – Stay on top of expansion and regulate it at a gradual pace
  10. Be Flexible – Strive for perfection, but not at the cost of delivery
  11. Listen & Evaluate – Not every piece of advice coming your way is good advice for your business; listen, evaluate, filter and implement advice through a thorough decision-making process
  12. Partner v/s Solo – Define the motive and team up with like-minded individuals, or else choose to go solo
  13. Timing – Ensure that you are well prepared to hit the market with the product at the right time
  14. Money Management – Raise capital based on the projected revenue model to manage finances well. Always keep a buffer so that the initial deficit in revenues can be covered
  15. Know your money's worth. Spend judiciously, not rigorously, when you wish to own a #startup. Hold your horses before shelling out money
  16. Follow the #hypercare path for your #startup with passion, not obsession. Obsession may lead to over-enthusiasm, and that to a downfall
  17. Critical #startup point: Wear your head above your shoulders and let the heart handle the blood flow. Use your brain to think and evaluate
  18. A #startup shouldn't be used as a weapon to display ideation skills. It needs more than ideation; acute business acumen needs to prevail
  19. #startups that target getting funded by the time they market their product are bound to fail faster than peers who plan for contingency
  20. #startups with targets set for the next two years have a better chance of thriving and surviving than those with less than 1 yr of expense forecast
I hope those who are planning a startup or are already working on one will benefit from this compilation.
I would welcome ideas that are different and derived from the experience of running a startup. Please don't hesitate to write back with a comment or send me a message if you have inputs for me on this topic.

Tuesday, October 13, 2015

Experian Hack

It has been almost a month since Experian reported a breach in which 15 million T-Mobile customer accounts were said to be compromised. The information included names, addresses, email ids, social security numbers and a few other details of T-Mobile customers in the USA. Though Experian was quick to react before the information could be misused to that effect, it was scary news for those 15 million individuals, for other T-Mobile customers, and for anyone who has an account with a service provider that uses Experian as its credit verification agency.

Those who think they are not impacted need to rethink that: Experian is one Credit Reporting Agency, and if its systems can be compromised, so can those of the other Credit Agencies. What does that mean for the common man? Well, take control of your information that is stored, processed and transmitted by the Credit Reporting Agencies (TransUnion & Equifax included).

As a reaction to the hack, Experian announced a two-year free Identity Theft protection service, "ProtectMyID", for affected T-Mobile customers. Now, the big question that arises here is: "Why is it a reactive announcement, and why do they otherwise charge to monitor misuse of our information that they store/process/transmit?" Isn't it only logical that they, or the service providers from whom we obtain the service, should be providing this as a complimentary service? Also, why should Experian provide this service free only for 2 years? Have they logically concluded that the hackers will not misuse the data after two years? Well, I guess they are just trying to shrug off their responsibility to protect our information held on their systems. First they had their systems configured in a manner that got compromised, and then they offer something to show the world that they care. Not something I would buy with any sort of logic, though I would be the first to avail myself of their immediate patchwork offer to ensure that data about myself and my family is not misused in a way that impacts my credit ratings.

So what does that mean? Federal Regulators like the FDIC should first look at amending the Fair Credit Reporting Act (FCRA), or State Regulations like the Consumer Credit Reporting Agencies Act (as it is referred to in California) need to be amended, to ensure that the Credit Reporting Agencies are legally bound to secure Consumer Information. At the same time, the Credit Rating Agencies must consider reviewing their current security architectures for access provisions and data flows to identify the loopholes that may leave enough space for a data compromise like Experian's. A composite review is the mandate of the time, and the audit reports by independent auditors must certainly be submitted to the regulators. This needs to be a time-bound activity, to ensure that the Credit Reporting Agencies take the required remedial measures, step up their security provisions and thwart such future breaches at the attempt stage itself rather than letting them become news after the breach. It is certainly important to be proactive in securing data and information rather than taking reactive measures that sometimes result in an organization being booted out of business.

The Experian breach should not be looked at as limited to T-Mobile or Experian for that matter; the industry should take it as an alarm for the future attacks that hackers may be planning to gain more information, and if they could get through the doors of Experian, they may get through the doors of other such agencies. It is important that proactive measures and steps are taken to secure the consumer data / information of which these organizations are custodians, not owners.
____________________________________
Disclaimer: The views expressed above are solely of the Author and are not endorsed by any organization, individual or industry body for that matter.

Friday, October 9, 2015

Compliance Management - Considerations

Many a time we encounter situations where certain Information Security Policy requirements and considerations are not in line with the global security best practices, and in fact are not in line with the global standards to that effect. But the major mistake that we make at such a point is to take into consideration the Business Requirements for that organization, or for those who are actually the recipients of the overall results of those Business Requirements.

The issues are overwhelming for Risk and Compliance Managers across the world as they try to bridge the gap between the Auditor's expectations and real-world scenarios with all their practicalities. This doesn't mean that auditors' expectations are impractical or something that need not be entertained per se. What is more important for the Risk and Compliance Managers, as well as the Business Managers, is to ensure that these expectations are well understood, so that it becomes easier to meet them by remediating the open issues.

More often than not, Auditors as well as Risk & Compliance Managers are misunderstood and seen as "Red Flag Bearers" by the Business & Technology Managers. Though this perception can't be justified, they have their own reasons, as they have to run the show. Many a time Business as well as Technology Managers have to take quick decisions, and at times they circumvent / bypass some critical security / compliance considerations to ensure that "the show goes on."

However, though they say everything needs to be done to ensure that Business as Usual prevails, there are some checks and balances that must be applied, and Compliance Considerations must be brought into everyday work life. Though I have long maintained that "what is compliant" is not always secure (for if it were secure we would not have as many breaches as we hear of), I still maintain that Compliance provides the baseline controls we must have in place. How we convert them from Compliance Controls to Security Controls depends on how security-focused we are.

The Compliance Considerations that I prefer organizations keep up are -

  1. Following defined processes and procedures
  2. Documenting what is being done - meetings, notifications, trainings, approvals, etc.
  3. Documenting the changes being introduced
  4. Resolving issues with long-term strategies rather than short-term remediations
  5. Following a risk-based approach
  6. Adopting Return on Investment from Technology (ROIT) rather than resorting to Cost & Benefit Analysis (CBA) - this always proves to be the more profitable approach in the longer term
  7. A unified compliance approach rather than a project-based compliance approach working in silos - this always helps reduce duplication / redundancy in the controls being managed and the technology being deployed. There is always an overlap of requirements across the various industry standards and regulations impacting the compliance posture of any organization
  8. Driving enterprise-wide compliance efforts rather than business-segment silos
There are a few others that may be considered, but the basics of Compliance Management would find solace in the ones mentioned above.

Thursday, October 8, 2015

EU-US Safe Harbor Treaty

Finally, the fact has been stated.

Safe Harbor was an instrument for US companies to use at their comfort and will to assert compliance with the EU DPD. I say instrument because it was tilted in favour of US companies, with "self-certification to assert compliance" and absolutely no country-level privacy law. An interesting point to note: the US does not have an umbrella Privacy Act equivalent to the EU DPD (Directive 95/46/EC). State privacy laws prevail, but they are more like "Privacy & Disclosure Acts", differing across 48 (out of 50) states, with the Massachusetts privacy act being the most stringent.

In summary, the US would have to act swiftly and pass the pending Congress bill that would provide for a US Data Privacy Act rather than banking on state privacy acts.
Full-on impact - US companies would need to either follow the Standard / Model Contractual Clauses route OR gear up to follow Binding Corporate Rules, like organizations from Third World countries.

Now it will be interesting to see HOW the Federal Trade Commission deals with this situation, as the CJEU ruling actually puts it in a spot. Will they negotiate for time, OR will this lead to penalties, OR will we see a different sort of negotiation!!! Time for some big showdown!!!

For some other articles on this topic, please refer -
  1. Data Transfer Pact Between U.S. and Europe Is Ruled Invalid - NY Times
  2. How Will the Safe Harbor Ruling Affect Tech Giants? - Wall Street Journal
  3. What The EU's Safe Harbor Ruling Could Mean For Tech Startups - Forbes

Tuesday, September 22, 2015

Indian National Encryption Policy

It is interesting to note that the Government of India's Department of Engineering and Information Technology has issued a National Encryption Policy for public comment. And today the first addendum to it has been issued for people to refer to. However, the overall policy has been left pretty lopsided. When I say lopsided, I mean the subjectiveness and perspective-dependence that is maintained throughout the Policy.

I will not get into those micro-level details where the industry's who's who is making some comment or other on the types of services that would be covered and the type of data that users as well as businesses would need to retain for 90 days. That is a very low-level speculative inference that differs from person to person and from perspective to perspective. My initial view was the same, and I also took to Twitter for that :)

My assessment of the Policy is that it maintains a lacuna by not aligning itself to industry standards and not basing itself on prevailing trends. For that matter, one key aspect I find missing is that the Committee should have taken cognizance of the "Heartbleed" and "POODLE" vulnerabilities that led to the demise of SSL as an encryption standard. It should have been noted that the PCI Council has declared that SSL is no longer a supported standard for encryption and that TLS 1.2 is the de facto standard until the next such notification. The Indian National Encryption Policy has this void in it when it comes to aligning itself with the latest, though its vision and mission state so. The policy goes anywhere other than staying around the vision and mission.

I am surprised to actually read a reference to SSL in the Policy at a time when the world is moving to TLS 1.2 and the bigwigs of the industry have already crossed over to adopting TLS 1.2. Moreover, TLS 1.3 is already being eyed, as it is slated for release next year. We have already seen the advent of SHA3 earlier this year, and the Policy still sticks to 3DES and RC4. It needs to be noted that RC4 is already vulnerable to attacks that can actually be used to get a hand on information encrypted with it (Read - Article on Security Week - Dated March 2015). Moving on to 3DES, it is not at all considered strong enough to protect data, and when the Target breach happened it was identified that 3DES was deployed; there was a lot of scrutiny of that choice as to why 3DES was used when AES was available.
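The obsolete protocols and ciphers named above (SSL, RC4, 3DES) are exactly what a defender should be hunting for in server configurations. As an added example, not part of the original post or of any policy text, the script below parses nginx-style `ssl_protocols` / `ssl_ciphers` directives, flags the weak entries, and shows a weak configuration beside a corrected one that sticks to TLS 1.2 and AES-GCM suites. The directive syntax, the sample configurations and the marker lists are assumptions made for this illustration.

```python
"""Added example (not from the original post): audit a TLS server
configuration for the obsolete protocols and ciphers the post discusses.
The nginx-style directive syntax and both sample configurations are
constructed for this illustration."""
import re

# Protocol versions and cipher-name tokens treated as obsolete, following the
# post's reasoning: SSL (Heartbleed/POODLE era), RC4 (known attacks), 3DES/DES,
# plus export, NULL and MD5 suites that no current guidance permits.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "EXP", "MD5")

# Constructed "before" configuration: SSLv3 still enabled, RC4 and 3DES offered.
WEAK_CONFIG = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4-SHA:DES-CBC3-SHA:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384;
"""

# Constructed corrected configuration: TLS 1.2 only, AES-GCM with forward secrecy.
CORRECTED_CONFIG = """\
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
"""

DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+(.+?)\s*;\s*$")


def parse_config(text):
    """Return {'protocols': [...], 'ciphers': [...]} from the two directives."""
    found = {"protocols": [], "ciphers": []}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        if m.group(1) == "ssl_protocols":
            found["protocols"].extend(m.group(2).split())
        else:
            found["ciphers"].extend(m.group(2).split(":"))
    return found


def cipher_is_weak(name):
    """Tokenise the suite name so 'DES' does not falsely match 'AES128-SHA'."""
    parts = re.split(r"[-_]", name.upper())
    return any(marker in parts for marker in WEAK_CIPHER_MARKERS)


def audit(text):
    """List (kind, value, reason) findings for one configuration text."""
    cfg = parse_config(text)
    findings = []
    for p in cfg["protocols"]:
        if p in OBSOLETE_PROTOCOLS:
            findings.append(("protocol", p, "obsolete: SSL is no longer a supported standard"))
        elif p in LEGACY_PROTOCOLS:
            findings.append(("protocol", p, "legacy: prefer TLSv1.2 or later"))
    for c in cfg["ciphers"]:
        if c.startswith(("!", "-")):
            continue  # an explicit exclusion of a weak suite is fine
        if cipher_is_weak(c):
            findings.append(("cipher", c, "weak cipher suite"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"--- {label} configuration ---")
        for kind, value, reason in audit(cfg) or [("ok", "-", "no findings")]:
            print(f"{kind:9} {value:28} {reason}")
```

Running the script against the weak configuration reports SSLv3 as obsolete, TLSv1 and TLSv1.1 as legacy, and RC4-SHA and DES-CBC3-SHA as weak suites; the corrected configuration produces no findings. The token split in `cipher_is_weak` is what keeps the check honest: matching the substring "DES" would otherwise condemn every AES suite.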

So, while the industry is basing its opinion on the micro issues of what to store, how to store and where to store, and talking about data security & integrity from a different angle, my real concern is the coverage of obsolete standards and technologies in the overall Policy, and the basing of the Policy on those obsolete standards and technologies. I am not sure why the trade pundits or the bloggers on social media have not raised this issue till now.

Certainly, in its current format the Policy itself will be obsolete in not more than 6 months, and that would call for the next round. But will DeitY listen to the Gen Next, or are we still going to hear from the "Experienced" folks who failed to evaluate the latest and greatest developments??

Will they hear the voice of Young India, or will this also go the TRAI way???

Friday, May 15, 2015

Seamless & Transparent Compliance & Security operations

Information Security and IT Operations generally do not go hand in hand, or, to make a not-so-controversial statement, IT Operations folks generally don't like Information Security folks, for they see them as show stoppers. The way I have witnessed it in my career, I have had the label of "Bad Man of IT", then they used to call me the "Risky Guy of IT", and all other sorts. I have worked with various organizations on consulting assignments, and every time there was the same story - the Chief Security Officer / Chief Information Security Officer would literally have to wrestle with IT Operations to get the budget and then to get the technologies implemented.

As quoted by one Vice President of IT at one client - "Don't bother much about them, they are just running various projects that go nowhere and just waste the money." When I interacted with the CISO on the job, a direct report of the CIO, he stated - "We have been able to procure some of the best techniques for Security, Risk and Compliance Management, but we have not been able to integrate them with the rest of the IT systems, for they would not give us time to test the APIs and connectors."

In another case, where my team was conducting an IT audit to help identify the improvement areas for aligning with ISO 27001, I had another weird experience. The IT Manager who was the contact point for my team was my audience for the observations presentation. And to my surprise, or should I say dismay, he told me - "You do your work and submit the report, I will see where I take this." I was shocked, as my team was engaged in a full-length consulting assignment to finally ensure that the client organization reached the level of being awarded ISO 27001 certification for its IT practices. What happened next over the course of time is altogether a different story.

Sounds strange, but it is pretty much true, as this is not a hearsay story: I myself witnessed them saying what they said, and that has led me to think about the ways Information Security and Compliance Management can actually be integrated into daily IT Ops. I have been an advocate of an Information Security culture rather than enforcing Information Security, to avoid the kind of negative traction that creates a stiff work environment.

To this effect, I have always thought about Security with Transparency, or say Transparent Security. The way it works for me is that if there is a problem, then certainly something is NOT working right. This very problem is the issue creator for the IT Security function in being able to work the way it is required to, and such problems can then be used as base cases by IT Ops to push every issue towards IT Security. So I opine that the control regime should be established in such a fashion that the overall IT Security function becomes transparent to the extent it can.

For an IT Security operation to be transparent, the first few steps would certainly involve automation of certain controls and functions. A very good way to proceed on the automation journey is to start with log aggregation and correlation using a SIEM tool, and then integrate the same with a GRC tool to create dashboards and reports. The next step would be to integrate an enterprise-level IAM tool and two-factor authentication (preferably using soft tokens) with LDAP and the other applications, to enable seamless connectivity with fewer passwords to manage (we all hate passwords, but remember that the hackers love them; with fewer passwords to manage we would feel better, and two-factor authentication would anyway cover for the weak passwords...). The IAM tool can also be extended for Federated Identity Management, Single Sign On (SSO) and user self-service password reset.

Once the initial steps are successfully taken, the next step I would suggest is to integrate the GRC tool with the various tools and technologies deployed across the IT landscape to obtain direct feeds using APIs and connectors. This may be cumbersome, and initially IT Ops may oppose it, but in the long run even they would start loving the results. The live feeds so configured can be used to identify anomalies, such as unauthorized changes or similar compliance issues that may jeopardize the security of the system and leave it vulnerable to compromise.

The whole benefit to be derived from integrating the GRC tool with the SIEM tool as well as the other IT tools and technologies is the ability to create dashboards and reports for the various management levels, giving them a runtime snapshot of the enterprise security and compliance posture. It also means that IT Ops is no longer being bugged or harassed (as IT Ops actually feels) by the IT Security, Compliance and Audit functions for various data and evidence requests, because the required data and evidence feed would already be available in the GRC tool or the connected EDMS (Electronic Data Management System) library.

It also needs to be noted that the misconception of Security, Compliance, Risk and Audit being the pain areas for IT Ops will not end soon unless they understand the importance of what we all do in our space. We can start with the various steps summarized above, but the mindset would take time to arrive at cordial relations between IT Ops and the Security, Compliance, Risk and Audit guys....

Tuesday, April 21, 2015

Cyber Security & Kids

With the advent of mobile platforms, the biggest challenge parents face is restricting kids from accessing vulnerable sites, or rather the malware that may be hosted on "malicious sites." More or less, kids face the same kinds of threats as adults, being susceptible to malware, viruses, trojans, etc. But malicious sites created as "Fan Pages" or "Free Stuff" giveaways can be more enticing for kids, who may end up sharing more information than a legitimate site would require or ask for.

So, where should we start? How much parental control and parental guidance is needed, and how should we speak to our kids about security?

Though it may not be simple with kids, it is required. We need to educate them and talk to them about the need to practice security in their routine use of the internet, specifically on mobile platforms. What parents and teachers need to understand is that the kids themselves wouldn't like to get tricked, cheated or exploited. They need to be made to understand why some apps are locked on the mobile device or some sites are blocked on the computers they use for study.

Parents need to actually sit down with their kids and tell them about the harmful sites and the impact these sites can have by way of stealing information about them. Teachers, on the other hand, need to help students understand the adequate use of the internet and the ways it can be used for meaningful purposes, say study and research.

Both mobile devices and computers can be configured with security features and some additional security software. Though there may be some expense involved in additional security software, antivirus et al., it is worth putting in rather than facing a breach and compromise of your personal information.

On the other side, it is high time that the mobile platforms integrate parental controls and additional security measures as part of the mobile O/S, and ensure that those features are well communicated to parents. Workshops can be organized with the help of educational institutes for parents, as part of the parent-teacher meet, to educate parents on the additional features.

There is more that can be done to this effect, but the steps above can serve as the basic steps to secure kids from the big bad world of cyber crooks.

Tuesday, March 17, 2015

PCI-DSS and Risk Management

PCI-DSS and the requirement for risk assessment have a very close relationship. In effect, PCI-DSS has specified the requirement for an annual risk assessment in control 12.2, and has mentioned the requirement in the guidance for requirement 10.6.2 and the testing procedures for requirement 11.5.

PCI-DSS requirement 12.2 establishes the requirement for implementing a risk assessment process that:
  • Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
  • Identifies critical assets, threats and vulnerabilities, and 
  • Results in a formal risk assessment

Guidance to PCI-DSS requirement 10.6.2 - Logs for all other system components should also be periodically reviewed to identify indications of potential issues or attempts to gain access to sensitive systems via less-sensitive systems. The frequency of the reviews should be determined by an entity’s annual risk assessment.

Testing Procedures for 11.5 - Additional critical files determined by entity (for example, through risk assessment or other means).

When we analyze requirement 12.2, it has established the need to conduct an annual risk assessment per set standards, including NIST 800-53 and others, but it has not covered the efficiency-led requirement for a risk assessment. The requirement as cited above calls for a process that results in a formal risk assessment by way of identifying the critical assets, threats and vulnerabilities, but shies away from specifying continuous monitoring of the threat as well as the risk spectrum.

In the current scenario, if an organization has to pass a PCI audit, it would be easy to lay down the risk assessment process, conduct the risk assessment and then publish the risk assessment report. But in the real world, is that all an organization needs to fend off the hackers? Certainly not!!
So what do organizations need to step up to, and what should PCI-DSS as a standard emphasize? The answer is to extend requirement 12.2 from being a risk assessment requirement to a risk management program requirement. This would put emphasis on covering the full circle, from the time threats and risks are identified to the point where they are remediated / accepted.
The PCI Standards Council should also look at introducing a risk-based approach for organizations to select compensating controls. The completed ROC should be modified to include a snapshot of the risk management outcome covering the reasons for not implementing a given control and the selection of the compensating control instead.

In the prioritized approach too, the PCI Standards Council should assign the highest priority to Risk Management.

On the part of organizations impacted by a change in the requirements around risk assessment and management, the focus should be on the composite risk management activities they conduct at the organizational / enterprise level. Organizations need to understand that the silo approach to compliance never benefits their functioning; it just increases the cost of managing compliance. If they integrate the risk assessment required by the various standards and compliances, they would be able to make a better compliance assertion against each one of them with a minimal set of controls and maximum coverage.