
Closing the Enterprise Security Skills Gap

The security skills gap has become a topic of acute interest among practitioners responsible for building security teams for their organizations — and keeping them running smoothly. It impacts everything from how they staff, how they cultivate and develop their workforces, and how they train, to the operational controls they put in place, and potentially numerous other things about their security programs.

The term “skills gap,” in a nutshell, refers to specific challenges organizations have confronted over the past few years in finding and retaining competent, trained resources for security efforts. It is a measurable trend across the industry as a whole.

For example, it takes most organizations (54 percent) more than three months to fill open security positions, the recently released 2018 ISACA Global State of Cybersecurity Survey found. That figure is consistent with its prior year’s findings.

In terms of the skills in highest demand, technical skills are the most difficult to find, and the level of position being sought is individual contributor rather than managerial in nature, the ISACA data suggest.

While these data points are interesting in and of themselves — for example as a generic barometer of staffing considerations in security as a whole — they also are important in ways that may not be intuitive. At least, that’s true for savvy practitioners. That is, the report serves as a tool for security managers to benchmark their own staffing performance.

The fact that the skills gap exists and is being measured by numerous parties outside your organization means that the measurements you take about your own team can be compared directly to an objective, organization-agnostic benchmark. How often do opportunities to do that arise?

Say you’re planning your daughter’s birthday party and you’re thinking about serving ice cream. If your daughter doesn’t like vanilla, how much would it influence your decision making about which flavor to buy if I told you that vanilla was the most popular ice cream flavor in the world? Or that it was the most popular flavor in the U.S.? Both of those statements would be true, but would that matter? Not at all, right?

Are You Keeping Track?

The point is that both types of information can be useful. Understanding the broader trend is important because having that can help you plan more effectively. For example, knowing that it might be challenging to staff up certain skills (e.g., technical skills) might cause you to invest in strategies to maintain talent you already have in order to minimize attrition.

Further, that knowledge might prompt you to invest in strategies that let you creatively cultivate new team members in unconventional ways (e.g. through internships, “externships,” or other avenues), or invest in strategies that automate some processes.

There could be multiple viable options, but picking the one that is right for you is dependent on having some clue about what is going on in the first place.

However, understanding the broader trend in the context of how your team specifically performs is exponentially more valuable. Why? Because it lets you evaluate how the strategies you invest in are playing out. For example, if you decide to serve ice cream (vanilla or otherwise) every Friday to help make the workplace more fun, is it a useful talent retention strategy? Who can tell if you’re not measuring the outcome?

Benchmarking your own staffing efforts relative to peers, while valuable, does take a bit of legwork. It means, first of all, that you’re keeping track of performance metrics relative to staffing considerations (“temet nosce” — know yourself).

It likewise means that you’re keeping an eye on data sources available externally — that you have some degree of situational awareness of staffing issues.

Neither of these things is rocket science, but you’d be surprised how frequently security managers (even CISOs and CIOs) don’t track things like turnover, open headcount, time to fill positions, staff training goals/needs, and so forth.

It’s not that they don’t want to — it’s just that doing so is less of an operational priority than more tactical considerations — like dealing with the threat du jour, or deploying operational tools.

Remember the triad of people, process and technology? Each one is an important pillar in organizational performance. An advantage in any one of these areas means an advantage relative to peers overall. Those who can’t find staff, who have sub-par staff, or who otherwise have an ineffective or operationally deficient staffing strategy are at a disadvantage, while those who excel in these areas have an advantage.

Taking It Forward

As a practical measure, what can organizations do to make sure they’re developing their teams in a competitive way? There are a few things that can be helpful:

  1. It is a good idea to keep track of some metrics about staffing — both your organization’s ability to bring in new folks and to retain existing personnel. The few metrics I listed above are a useful starting point, but they are by no means the only possible options.

    You might want to track softer instrumentation, like staff perception about opportunities for advancement, fun in the workplace, and overall job satisfaction. These things can be correlated to harder values like turnover rate in a particular area, or other metrics that are more outcome-focused. The specific choice is up to you, of course, but the fact that you’re tracking something will give you data that can be honed and explored over time.

  2. Trending information can be valuable. In fact, it’s so important in terms of your ability to correlate measures you implement to specific goals and outcomes that it’s often better to have less specificity in terms of what you measure but a higher frequency of doing so.

    For example, if you’re experimenting with a new training regimen, you may find it more useful to assess the perceived value of the training more frequently (which allows you to get more real-time feedback and potentially pivot if you’re not getting what you want) vs. doing a more in-depth exploration of employee perceptions less frequently, perhaps once a year.

  3. It’s useful to solicit partners. HR organizations often do an employee satisfaction survey or engagement survey, for example, or use another measuring instrument (or combination of them) to benchmark employee perceptions of the organization at large.

    Leveraging this data where it already exists can provide useful data points that can help security leaders build the best teams and — maybe even more importantly — retain the resources that have proven so difficult to replace.


Ed Moyle is general manager and chief content officer at Prelude Institute. He has been an ECT News Network columnist since 2007. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as author, public speaker and analyst.

McAfee’s Upgraded Cloud Security Protects Containers

McAfee on Monday introduced its Cloud Workload Security v5.1, which represents the first solution for open source containers, at the RSA conference in San Francisco.

McAfee CWS v5.1 secures Docker workloads and servers in public and private cloud environments by quarantining infected workloads and containers in a single click, the company said.

“McAfee Cloud Workload Security enables organizations to secure cloud workloads and containers across AWS, Azure, VMware, and their private cloud, addressing key security, compliance and governance requirements so that they can accelerate their business in the cloud,” said Rajiv Gupta, senior vice president of the cloud security business unit at McAfee.

CWS v5.1 will be available in the second quarter of 2018.

Expanded Capabilities

McAfee CWS is designed to help server security administrators on point for both private and public cloud data center environments, said Dave Bull, director of product marketing at McAfee.

Infrastructure as a Service has grown rapidly, he noted, with 65 percent of organizations having a cloud-first initiative.

“McAfee has provided strong server protection technology for years, especially for virtual environments, but as organizations transform their environments to lean on cloud platforms like AWS and Azure, our customers desired solutions tailored for the unique needs of the public cloud,” Bull told LinuxInsider.

The idea was to manage both on-premises and cloud workload security solutions within the same management console, which is what CWS was built to do, he said.

The threat of data loss is not unique to a cloud environment, but how you protect against that loss “when some or all of your sensitive information is in the cloud” requires a different approach, Bull added.

“Automated testing for configuration or compliance assessments becomes more important due to the sense of limited visibility in the cloud, and we have seen this with so many breaches over the past year due to that exact problem,” he explained.

The situation is the same when it comes to other traditional threats, he said, such as denial-of-service, account hijacking, social engineering and operating system-based attacks.

Growing Market

The use of containers has grown rapidly in recent years, indicates McAfee’s report, “Navigating a Cloud Sky,” released Monday. Eighty percent of survey respondents said they either were experimenting with them or using them.

Despite that growth, only 66 percent had a strategy to apply security to containers, McAfee found.

“Introducing support for containers is truly table stakes at this point for any vendor in cloud security,” said Sam Bisbee, CSO at Threat Stack.

“Today, vendors with traditional on-premises security offerings have a steeper climb to meet the requirements of hybrid, multicloud and cloud-native enterprises — with parity to cloud-native security offerings,” he told LinuxInsider.

Ninety percent of participants in a recent Threat Stack survey said they would be using containers within the next year, Bisbee pointed out, noting that as containers continue to proliferate, so do the security and compliance issues that surround them.

McAfee’s new activity in the containers space follows Intel’s move to sell a majority stake in the operation to TPG, noted Paul Teich, principal analyst at Tirias Research. However, Intel will retain a minority stake in the firm.

“McAfee Cloud Workload Security seems aimed at smaller managed service providers and at enterprise private clouds,” Teich told LinuxInsider. “These are the markets both Intel and McAfee are focused on retaining as new processor alternatives and new security models are adopted faster by the larger public cloud suppliers.”


David Jones has been an ECT News Network reporter since 2015. His areas of focus include cybersecurity, e-commerce, open source, gaming, artificial intelligence and autonomous vehicles. He has written for numerous media outlets, including Reuters, Bloomberg, Crain’s New York Business and The New York Times.

Zuora Takes It to the Big House

By now you’re likely familiar with the rough outlines of the story. After nearly a decade of company building, Zuora last week went public, valuing itself on the open market at roughly US$2 billion after gaining 43 percent on its first day of trading. Those outlines don’t reveal the importance of Zuora generally, and subscription billing systems in particular, to the rapid evolution of the subscription economy and CRM.

During Siebel’s heyday, Salesforce re-made CRM into a subscription service and stole the market. Siebel represented the last of the big on-premises enterprise software systems, and after nearly a decade of enterprise resource planning trials and tribulations, few organizations wanted much to do with another deployment that potentially could crater their business.

Hidden in the promise of what would become cloud computing — including easy installation, modification and upgrades — lurked a painful secret. With so much flexibility in the business model, running a subscription service at scale represented a major challenge.

Over the Hump

Vendor businesses adopting subscriptions had to accommodate new technology and billing models that represented such a departure from the norm that subscription vendors almost couldn’t pull it off.

At the end of a month, small subscription companies had to marshal resources from every department to create accurate bills for customers — especially those that might have added or deleted users.

Incorrect bills didn’t get paid on time, and resources dedicated to billing weren’t available for building and maintaining products. Where billing was concerned, some subscription companies became victims of their own success.

Zuora led a revolution that changed that dynamic and enabled subscription vendors of all kinds to run their businesses with the billing function under control, which enabled subscription vendors and their unique economy to flourish.

Today, the subscription model is well understood and thriving. In addition to leasing cars and subscribing to phone services, which Zuora had less to do with, customers can subscribe to monthly deliveries of foods, clothing, software, and a good deal more.

Even hard-core traditional businesses, such as earth moving, have begun selling subscriptions to moved earth rather than the bulldozers themselves.

Getting Better All the Time

Subscriptions represent a wave of commoditization and automation sweeping out of the tech sector and across all industries. They are a neat sidestep that substitutes a much lower pay-as-you-go model for the high up-front cost of products. They are thus opening economies and expanding their addressable marketspace.

For vendors, subscriptions have made planning and forecasting easier and more reliable. Today’s subscription model might bank several years of revenue at once, only decrementing the total when it is used, typically monthly.

Terms like “annual recurring revenue” (ARR) have come into popular use. When planning the year ahead, managers must focus on ARR, customer retention, and the incremental increase needed for growth.

Finally, subscriptions, the data they generate, and the systems used to manage them also have been a big part of rapidly improving customer outreach.

You can say what you want about analytics, machine learning, and multichannel connections in the sales and service processes for which CRM is justly famous. However, it’s also true that the attention we’ve all had to pay to monthly customer churn and attrition due to billing systems has spurred the development of CRM systems that make vendors better.

My Take

Zuora’s IPO is important for its own sake. Founders and venture capitalists have reaped justifiable rewards for a decade of hard work and risk taking. It’s not hyperbolic to say that without subscription billing, the world of CRM would be different, and so would our consumer society.

What’s next is interesting. Beyond organic growth, as the market for subscription services continues to expand, there are new areas and industries that will make use of subscriptions. Perhaps the greatest emerging area is the Internet of Things, or IoT. Conducting business in the IoT requires razor-thin margins, which means that human mediation of complex processes must be kept to an absolute minimum.

Today machines talk to machines, ordering supply replenishment and other things that effectively conduct business and make purchases without people. This trend will continue and expand, and we will find that all the learning from the early days of the subscription economy will come in handy as we grapple with marketplaces that contain more machines than humans.


Denis Pombriant is a well-known CRM industry researcher, strategist, writer and speaker. His new book, You Can’t Buy Customer Loyalty, But You Can Earn It, is now available on Amazon. His 2015 book, Solve for the Customer, is also available there.

Facebook Peddles Future Behavior Data to Advertisers

By John P. Mello Jr.
Apr 17, 2018 10:14 AM PT

Facebook has developed a new advertising service designed to predict the future behavior of consumers, The Intercept reported Friday, after viewing a confidential document describing the offering.

The service uses FBLearner Flow, an artificial intelligence prediction engine the company introduced in 2016.

Facebook’s pitch to advertisers, according to The Intercept‘s report, is that the technology enables companies to target people based on decisions they haven’t yet made, with the goal of influencing them to change their minds.

For example, if Facebook can tell a company which customers have started to think about jumping ship, that company then can put together a package of perks to reinforce customer loyalty and keep those customers in the fold.

The data the new service taps is aggregated and anonymized to protect user privacy, according to the report.

More Signal, Less Noise

Consumers could benefit from the new service by receiving advertising that’s more relevant to them, suggested Beerud Sheth, CEO of Gupshup.

“They aren’t receiving a wide array of messages that might not concern them,” he told the E-Commerce Times. “Instead, the ads consumers are getting are tailored to their interests and benefits.”

Predictive advertising can have its drawbacks, though, observed Charles King, principal analyst at Pund-IT.

“The longstanding pitch for predictive advertising technologies is that they help consumers cut through the noise of virtually limitless choice and focus on items they may actually want or need,” he told the E-Commerce Times.

“There’s some truth in that,” King said, “though the process also tends to homogenize consumer choice by assuming that what you want today — and will want tomorrow — is similar to what you preferred yesterday.”

Advertising Revolution

Advertisers could benefit from Facebook’s AI-fired service in several ways.

“There’s no question that AI — when implemented correctly — has the potential to revolutionize advertising,” said Tod Loofbourrow, CEO of ViralGains.

“If brands know more about the tendencies of their target consumers, they can better tailor their ad campaigns to the people most likely to take action, optimizing their spend and improving their engagement rates,” he told the E-Commerce Times.

“They can even use this information to inform the development of their products and services in order to better fit the market,” Loofbourrow said.

The potential advantages to advertisers are “all to the good, but being associated with Facebook’s program may not be as attractive to advertisers today as it might have been a few weeks or month ago,” noted Pund-IT’s King. “Bottom line, this offering seems badly timed, at best.”

Facebook’s Fine Balance

Advertisers and data providers need to be careful about how they collect information about their customers, Loofbourrow warned.

“If consumers are willingly sharing their preferences with brands as part of a two-way dialogue, that’s one thing,” he told the E-Commerce Times.

However, “if data they thought was private is instead being shared — anonymously or not — with advertisers as part of ‘terms and conditions’ that are buried in fine print,” Loofbourrow said, “it continues the breach of trust that has already made itself apparent in the wake of the Cambridge Analytica scandal.”

Facebook needs to be careful about how it handles data following the improper sharing of information on 87 million users in the Cambridge Analytica episode, said Josh Crandall, CEO of NetPop Research.

“These are delicate times for Facebook. Use of any technologies to target Facebook users should be considered very carefully, especially right now,” he told the E-Commerce Times.

“Questions around where and how data are being used are front and center for influential, savvy users,” Crandall said.

“Rolling out AI at this point may be a short-term solution for quarterly earnings,” he continued, “but may be seen by some as another step towards long-term user distrust for the way Facebook respects user data and privacy.”


John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.

Reining In Data-Crazed Tech Companies

Facebook has been in seriously hot water for its data monetization model almost from the firm’s beginning. The Cambridge Analytica, election meddling and fake news scandals have turned up the heat.

Facebook’s problems aren’t limited to the public and government backlash that spans several countries; the firm faces potentially devastating legal threats too. On the surface, it appears to be a clear-cut issue: Social media and other tech companies must be reined in.

Certainly, the EU thinks so, as is evidenced by its new General Data Protection Regulation. However, despite the horrendous damages wreaked to date, the outlines of the social media problem aren’t quite clear, and neither is the fix.

When Data Is All You’ve Got

Chief among the most concerning worries resulting from a long line of recent scandals are election-fixing, or at least election meddling, in several democracies. Very few citizens of those countries would consider it a good thing for a foreign power to use social media to sway elections.

Several countries, including the U.S., France and Germany, have determined that Russia-backed election meddling is a continuing threat, and that social media is at the heart of its preferred tactics.

One would think that the need to curb or end attempts to unduly manipulate election outcomes by a nation state or other outside entity — such as UK-based Cambridge Analytica — would be irrefutable. Certainly, Facebook sees the writing on the wall.

CEO Mark Zuckerberg has announced several measures to address heightened anxiety over its role. Facebook publicly apologized for the Cambridge Analytica data-sharing scandal and promised it would notify users if they were among the 87 million people whose data was “improperly shared” with the firm.

Facebook also promised to increase transparency and improve vetting of its political advertising and news providers.

Is that enough?

Promises, Profits and Patriotism

“Facebook and other technology firms are thus far proposing to fix the problem via self-regulation only — by setting up rules that they themselves would promise to follow, rather than being held accountable by some sort of legislative authority that would involve users having some sort of legal recourse,” said Jessica Baldwin-Philippi, assistant professor of communications and media studies at Fordham University.

“The problem with this is that, as we’ve seen, there is little accountability,” she told the E-Commerce Times.

In fact, Facebook did not act on the issues of election meddling and fake news until there was a massive public outcry, even though it was aware of the problems much earlier. The same is true of the illicit data sharing with third parties such as Cambridge Analytica.

Data monetization is Facebook’s business model. Facebook and some other tech firms exist solely to gather and sell everyone’s data, exposing users’ lives in increasingly more granular detail.

Facebook works hard to pull more intimate details about your life than what you voluntarily post on social media or release as exhaust while searching the Web. Among the most troubling data mining the company recently has done: its Child Predator Survey; and a secret effort to gather patient data from hospitals and other medical groups to add to what it knows about users.

Indeed, Facebook appears to respect no boundaries in its search to own an increasingly large hoard of personal data.

Facebook’s Usage Agreement “is 70 pages long,” noted Ronald Jones, a cybersecurity faculty member at Harrisburg University of Science and Technology.

The privacy and usage agreement from the Facebook company Masquerade specifies that it collects, mines and sells Facebook content, such as images of faces, he also pointed out.

“The Facebook agreements indemnify Facebook actions in selling/delivering/providing user related information to Cambridge Analytica, so their actions were legal. No US laws appear to be violated,” Jones told the E-Commerce Times. “Are tougher regulations needed for social networking? What about the first amendment? Also, who decides what is or is not acceptable for the social networking space?”

Freedom of speech means that it may be very difficult to curb the speech spewed by hostile nation states, or to stem the tide of fake news proliferating on the network, he added — and he isn’t the only one who thinks so.

“What is harmful content? Harmful in what way? To whom? And why? And what is fake news?” asked Richard Santalesa, founder of the Sm@rtEdgeLaw Group.

“News has been faked, or slanted, since the first stylus was put to a clay tablet,” he told the E-Commerce Times. “The Constitution and First Amendment don’t contain a right not to be offended, and there’s no such thing as a hate speech exemption to speech that’s otherwise protected by the First Amendment.”

Thus, regulating tech firms is a tough and perhaps unforgivable thing to do in the minds of many American patriots. Yet the traditional American claim that market forces will police bad behavior doesn’t hold true either.

What People Want

Take, for example, Facebook’s effort to gather patient data. The market had no knowledge of that until investigative reporters exposed it. Given that traditional news media outlets have been getting pounded as fake news, and actual fake news has been held up as truth by some others, how is the market to learn of such misdeeds or know whether a response is needed?

“What every person must understand is that Facebook is not about people other than as its currency,” remarked Janice Taylor, CEO of Mazu.

“You, me, our children are tokens — data points that reinforce the money printing machine,” she told the E-Commerce Times.

“If we go away, Facebook loses its entire business,” Taylor continued. “Are Mark and Sheryl [Sandberg] really going to shut down the money printing machine? They may grease it, disguise it better, lie some more — but at the core root of Facebook/Instagram is [the desire] to print money for themselves and their shareholders.”

Even if Facebook has seen the light and truly sets out to self-regulate to an appreciable degree, there is nothing to hold it on that course over time.

“EU-style rules about data privacy would be a fine step,” suggested Fordham’s Baldwin-Philippi, “but again, Facebook could always change that policy in the future — as it has many times before. Relying on technology firms to regulate themselves strips users of recourse if and when something goes wrong.”

Actual laws spelling out data ownership could go a long way in solving this problem for users — but that might mean the end of Facebook and other social media companies, since their business model centers on their ownership of users’ personal information.

“In the U.S., the people do not own their personal information, while in the EU the people have undisputed ownership of the personal data,” explained Harrisburg University’s Jones.

While Americans presumably will be safer with protections in place, and so will democracy, many may not want that protection.

“People think that if I am not on Facebook I can’t build my business,” noted Mazu’s Taylor.

“What about my family memories? My calendar of events?” they might worry.

“We as people need to understand that Facebook was never about you or I or connecting people — it was about money and control,” Taylor emphasized. “Why do we think they care more about us now that they are getting caught? Does a drug dealer suddenly care about all the drug users once he is arrested? What if the drug dealer just makes better cocaine. Should we trust him then?”

Stay tuned for Part 2.


Pam Baker has been an ECT News Network reporter since 2007. Her main areas of focus are technology, business and finance. She has written hundreds of articles for leading publications including InformationWeek, Institutional Investor magazine, CIO.com and TechTarget. She has authored several analytical studies on technology, as well as eight books, the latest of which is Data Divination: Big Data Strategies. She also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club, Society of Professional Journalists and the Internet Press Guild.