Friday, October 23, 2015

The Startup World

Fifteen (15) years after the .com bubble burst, the market is once again booming with startups, some built on niche ideas and some on traditional business ideas. It's not that the startup market had dried up in between, but the intensity with which startups are being worked on has picked up once again. The .com startups made many mistakes back in the day that compelled entrepreneurs to shut their shutters and return to regular / routine jobs. However, with ever-increasing internet penetration and with more and more industry segments adopting e-commerce, startups in the IT sector are walking all smiles to the bank.
However, there are some key aspects that would be extremely helpful for entrepreneurs who want to be successful and not get bogged down by the various pressure points. What I learnt from the .com bubble burst, and then from researching the success stories of various startups, can be called "Wisdom to Drive a Startup to Success".
The points that need to be considered to drive a startup to success are listed below -
  1. Market Research – Don't rely on your idea alone; back it up with tangible research
  2. Welcome Inputs / Feedback – Be open to remodelling your business; being closed to criticism will not yield fruitful results
  3. Focus – Use horse blinders to keep your focus on your core; after you achieve success once, there will be many opportunities to expand and diversify
  4. Consumer Preference – Always remember the old marketing joke about what the consumer actually wanted versus what the marketing team envisaged, leaving the product team to supply a dud. Ensure you understand the market need well and have a feel for consumer needs
  5. Market Review – Don't take positive feedback as revenue inflow. Praising the product is very different from actually buying it.
  6. Planning – Define a roadmap and stick to the plan; don't overwhelm yourself with over-planning in an attempt to out-plan the market
  7. Hiring – Look for talent with experience. It is also important that a #startup hires a mix of experienced and fresh talent. Experience = Stability & Fresher = Enthusiasm
  8. Venture / Angel Capital – Ensure that the decision is based on a clear RACI of what you want and what the investor expects
  9. Scaling the Operations – Stay on top of operations to regulate expansion at a gradual pace
  10. Be Flexible – Try to achieve perfection, but not at the cost of impacting delivery
  11. Listen & Evaluate – Not every piece of advice coming your way is good advice for your business; listen, evaluate, filter and implement advice through a thorough decision-making process
  12. Partner v/s Solo – Define the motive and team up with like-minded individuals; else you may choose to go solo
  13. Timing – Ensure that you are well prepared to hit the market with the product at the right time
  14. Money Management – Raise capital based on the projected revenue model to manage finances well. Always keep a buffer to ensure that the initial revenue deficit can be covered
  15. Know your money's worth. Spend judiciously rather than freely when you wish to own a #startup. Hold your horses before shelling out money
  16. Follow the #hypercare path for your #startup with passion and not obsession. Obsession may lead to over-enthusiasm, which leads to downfall
  17. Critical #startup point: Wear your head above your shoulders and let the heart handle the blood flow. Use your brain to think and evaluate
  18. A #startup shouldn't be used as a weapon to display ideation skills. It needs more than ideation; acute business acumen needs to prevail
  19. #startups that target getting funded by the time they market their product are bound to fail faster than their peers who plan for contingencies
  20. #startups with targets set for the next two years have more chances to thrive and survive than those with less than 1 yr of expense forecast
I hope those who are planning a startup or are already working on one will benefit from this compilation.
I would welcome ideas that are different and that are derived from the experience of running a startup. Please don't hesitate to write back a comment or send me a message if you have inputs for me on this topic.

Tuesday, October 13, 2015

Experian Hack

It has been almost a month since Experian reported a breach in which 15 million T-Mobile customer accounts were said to be compromised. The information included names, addresses, email IDs, social security numbers and a few more details of T-Mobile customers in the USA. Though Experian was quick to react before the information could be misused to that effect, it was still scary news for those 15 million individuals, for other T-Mobile customers, and for those who have accounts with any of the service providers who use Experian as their credit verification agency.

Those who think they are not impacted need to rethink, because Experian is one credit reporting agency, and if its systems can be compromised, then the other credit agencies' systems can be too. What does that mean to the common man? Well, take control of your information that is stored, processed and transmitted by the credit reporting agencies (TransUnion & Equifax included).

As a reaction to the hack, Experian announced two years of free identity theft protection service, "ProtectMyID", for affected T-Mobile customers. Now, the big question that arises here is - "Why is it a reactive announcement, and why do they otherwise charge to monitor misuse of our information that they store/process/transmit?" Isn't it just logical that they, or the service providers from whom we obtain the service, should be providing this as a complimentary service? Also, why should Experian provide us this service free for only 2 years? Have they logically concluded that the hackers will not misuse the data after two years? Well, I guess they are just trying to shrug off their responsibility to protect our information held on their systems. First they had their systems configured in a manner that got compromised, and then they offer something to show the world that they care. Not something that I would buy with any sort of logic, though I would be the first person to avail the immediate patchwork offer from them to ensure that data regarding myself and my family is not misused, impacting my credit ratings.

So what does that mean? Federal regulators like the FDIC should first look at amending the Fair Credit Reporting Act (FCRA), or state regulations like the Consumer Credit Reporting Agencies Act (as it is referred to in California) need to be amended, to ensure that the credit reporting agencies are legally bound to secure consumer information. At the same time, the credit rating agencies must review their current security architectures for access provisions and data flows to identify the loopholes that may leave enough room for a data compromise like Experian's. A composite review is the mandate of the time, and the audit reports by independent auditors must certainly be submitted to the regulators. This needs to be a time-bound activity to ensure that the credit reporting agencies take the required remedial measures, step up their security provisions, and thwart future breaches at the attempt stage itself rather than letting them become post-breach news. It is certainly an important step to be proactive in securing data and information rather than taking reactive measures that may sometimes result in an organization getting booted out of business.

The Experian breach should not be looked at as limited to T-Mobile or Experian; the industry should take it as an alarm for future attacks that hackers may be planning to gain more information, and if they could get through the doors of Experian, they may get through the doors of other such agencies. It is important that proactive measures and steps are taken to secure the consumer data / information for which these organizations are custodians, not owners.
____________________________________
Disclaimer: The views expressed above are solely of the Author and are not endorsed by any organization, individual or industry body for that matter.

Friday, October 9, 2015

Compliance Management - Considerations

Many a time we encounter situations where certain information security policy requirements and considerations are not in line with global security best practices, and they actually are not in line with the global standards to that effect. But the major mistake that we make at such a point is to take into consideration the business requirements of that organization, or of those who are the actual recipients of the overall results of those business requirements.

The issues are overwhelming for risk and compliance managers across the world as they try to bridge the gap between the auditor's expectations and real-world scenarios with all their practicalities. This doesn't mean that auditors' expectations are impractical or something that need not be entertained per se. What is more important for the risk and compliance managers, as well as the business managers, is to ensure that these expectations are well understood, so that it is easier to meet them by remediating the open issues.

More often than not, auditors as well as risk & compliance managers are misunderstood and seen as "red flag bearers" by business & technology managers. Though this perception can't be justified, they have their own reasons, as they have to run the show. Many a time, business as well as technology managers have to take quick decisions, and at times they circumvent / bypass some critical security / compliance considerations to ensure that "the show must go on."

However, though they say everything needs to be done to ensure that business as usual prevails, there are some checks and balances that must be applied, and compliance considerations must be brought into everyday work life. Though I have long maintained that "what is compliant" is not always secure (for if it were secure we would not have as many breaches as we hear of), I still maintain that compliance provides the baseline controls we must have in place. How we convert them from compliance controls to security controls depends on how security-focused we are.

The compliance considerations that I prefer organizations keep up are -

  1. Following defined processes and procedures
  2. Documenting what is being done - meetings, notifications, trainings, approvals etc.
  3. Documenting the changes being introduced
  4. Resolving issues with long-term strategies rather than short-term remediations
  5. Following a risk-based approach
  6. Adopting Return on Investment from Technology (ROIT) rather than resorting to Cost & Benefit Analysis (CBA) - this would always prove to be the profitable approach in the longer term
  7. A unified compliance approach rather than a project-based compliance approach working in silos - this always helps reduce duplication / redundancy in the controls being managed and the technology being deployed. There is always an overlap of requirements across the various industry standards and regulations impacting the compliance posture of any organization
  8. Driving enterprise-wide compliance efforts rather than business segment silos
There are a few others that may be considered, but the basics of compliance management would find solace in the ones mentioned above.

Thursday, October 8, 2015

EU-US Safe Harbor Treaty

Finally, the fact has been said.

Safe Harbor is an instrument for US companies to use at comfort and will to state compliance with the EU DPD. I said instrument because it was tilted to the benefit of US companies, with "self-signing to assert compliance" and absolutely no country-level privacy law. An interesting point to note: the US does not have an umbrella privacy act that would be equivalent to the EU DPD (Directive 95/46/EC). Though state privacy laws prevail, they are more "privacy & disclosure acts", different for 48 (out of 50) states, with the Massachusetts privacy act being the most stringent.

Summing up the situation: the US would have to act swiftly and pass the pending Congress bill that would provide for a US Data Privacy Act rather than banking on state privacy acts.
Full-on impact - US companies would need to either follow the Standard / Model Contractual Clauses route OR gear up to follow Binding Corporate Rules like organizations from third world countries.

Now it would be interesting to note HOW the Federal Trade Commission would deal with this situation, as the CJEU ruling actually puts it in a spot. Would they negotiate for time, OR would this lead to penalties, OR would we see a different sort of negotiation!!! The time for a big showdown!!!

For some other articles on this topic, please refer to -
  1. Data Transfer Pact Between U.S. and Europe Is Ruled Invalid - NY Times
  2. How Will the Safe Harbor Ruling Affect Tech Giants? - Wall Street Journal
  3. What The EU's Safe Harbor Ruling Could Mean For Tech Startups - Forbes