Becoming a Thought Leader in 2012 – Now you can do it too

December 21, 2011

Being a thought leader is a really hard job. I’ve been doing it for so long it’s second nature.  But for those of you who wish to know the secrets of thought leadership, check out this video by Chris Eng, and maybe you can become as cool as me.

 

Categories: Uncategorized

Smart phone / Tablet gift guide for the security-aware

December 14, 2011

My colleague, fellow Neohapsis researcher Michael Pearce, wrote a great article about smart phone platforms (iPhone, Android, Blackberry). He argues that you should give the platform appropriate for the security-savvy-ness of the recipient. I love that.

He writes, “Security and control are some of the main selling points of Blackberry, with the ability to completely encrypt data, tightly control what is done with the device, restrict what individual applications can and cannot do, require tunneling of any and all internet traffic through the company’s servers, control apps and much more. The downside is that this control comes at a cost, and the ease of management to keep your device secure can be time consuming for a non-enterprise user.”

See the rest of his comments about Blackberry and iPhone and Android in the full article.

Categories: Uncategorized

This week’s SecurityDreamer activities

September 19, 2011

Hey everyone.

I hope you can catch me this week (September 19-23). Either attend a webinar on secure uses of the Cloud, or grab my lapel as I walk the show floor at ASIS in Orlando.

Here’s info on the webinar. Wednesday, Sept 22, 1-hour Webinar titled “Xerox and Cisco: Partnering in the Cloud”. I’ll be speaking along with Bill McGee from Cisco, and RG Conlee from ACS, a Xerox Company. I’ll explore the true benefits of using the cloud, understanding and mitigating the risks of the cloud, and how to best prepare for using the cloud. I hope you can join me.

At ASIS – the largest physical security professional conference in Orlando – this week I will be speaking at several private company events, but you can still find me on the floor. I’ll be excited to tell you the developments of the first venture-funded convergence consultancy I’m now heading.

Secure the Business!

Neohapsis shares the dream

I’m so excited to announce that Neohapsis has asked me to lead their expansion into the physical security and IT convergence domains.  For 15 years, Neohapsis has been one of the most advanced IT security consulting firms, providing geeky services like penetration testing, “white hat” product hacking, vulnerability assessments and governance and risk management consulting.

In recent years the company has been doing more in the physical security arena, such as assessing the security robustness and durability of physical security products, like electronic locks, IP video cameras and other physical security devices.

Now, my team will be able to do much more, including coordinated physical logical attack simulations, physical and logical penetration testing of facilities and networks, and hacking and durability assessments of many more products.  We still evaluate products and give best practice guidance on security operations and enterprise risk management.

The name Neohapsis means “New Combination.”  I like to think that it now refers to the new combination of physical and cyber security.  Please drop me a note if you would like to chat about Neohapsis services, the security industry, or my sailing adventures on Lake Michigan.  steve dot hunt at neohapsis dot com

Categories: Uncategorized

Great food and conversation in New York

SecurityDreamer New York was exciting, with a room full of “A-listers” from the security community.  The room was filled to capacity with executives and industry influencers from the New York Metro area who enjoyed some amazing food and wine supplied by Casellula (http://www.casellula.com/).  Discussions ranged from PSIM at the port authority, to biometrics on ATMs, to data protection & hackers, to border control & oil pipeline security.

I spoke briefly about techniques for measuring the value of security projects in business terms and thanked the sponsors.  BRSLabs and Inovonics showed their leadership again in New York by sponsoring the event.  They were joined by VidSys and Neohapsis.

The next morning I spoke at a Department of Homeland Security event hosted at 26 Federal Plaza.  I met so many interesting, talented people on that trip, I can’t wait to go back!

Thank you to all the attendees and sponsors. 

 


Categories: PSIM

Kevin Mitnick’s story will give new meaning to your understanding of security & business – Book Review

July 19, 2011

Ghost in the Wires: My Adventures As the World’s Most Wanted Hacker, By Kevin Mitnick

Book Review by Steve Hunt July 2011

Kevin Mitnick taught me how to play blackjack in Las Vegas. He sat next to me at the Golden Nugget and coached me while I played. I won several times and walked away $400 ahead. He lost about that much. He just didn’t know when to quit. As I read his memoir, I would sometimes shout out loud at the pages. “Kevin, what are you DOing?! It’s time to quit!”

Ghost in the Wires: My adventures as the world’s most wanted hacker is the complete story from Kevin’s point of view about his life of hacking and running from the law.

In the book, Kevin speaks with disarming frankness about his parents, his home life, his girlfriends and friends. He makes no excuses – leaving the reader free to assume root causes of his behavior. Maybe it was the parents’ messy divorce, Kevin’s strained relationship with his father, the abuse he suffered from Mom’s boyfriends, betrayal by his friends. However, one thing shows Kevin’s character more than any other. He does not blame anyone. He takes full responsibility for his actions and obviously sees things from others’ points of view.

That clarity and ability to connect with people is doubtless one of the reasons he was so successful deceiving people using a technique known as social engineering. Law enforcement and the press absurdly painted him as a monster with magical, diabolical skills. But ultimately it was his humanity that allowed him to connect to people and get what he wanted. He deceived people, to be sure. It was his stock in trade as a hacker, but also yielded many insights he shared with us in his best-selling book The Art of Deception.

When I met Kevin Mitnick for the first time, he struck me as nervous, humble and self-deprecating. He had just been released from prison and was still under very tight probation in Las Vegas. I was hosting a conference on behalf of my employer, Giga Information Group. Kevin was our keynote speaker – his first speech in public ever. As I got to know him, I saw he was very bright, funny and forever playful.

A year or two later, I arrived in Athens, Greece to speak at a conference where Kevin was the keynote speaker. I checked into my hotel that evening, exhausted from a full day of traveling, and fell right to sleep. At about 2 am my room phone rang. I grabbed it and mumbled, “hullo?” The voice at the other end said “This is the front desk. There is a problem with your credit card. You need to come down right now and see the manager.” I said, “It’s the middle of the night! I’ll come down in the morning.” The voice said very firmly, “Sir, you must come right now and re-process your card. The hotel is very full and if you cannot pay we have to make the room available for others waiting in line.” “That’s outrageous!” I said, now finally waking up and getting mad. Softening a bit, the voice said, “I understand sir, perhaps you could just read your card number over the phone.” I grunted, grabbed my wallet and started reading the number, “3715 4118 6…KEVIN!!!!!” That’s when he broke character and busted out giggling.

His skill at manipulating people and computer systems made him a great hacker. By that, I mean “hacker” in the original sense of someone seeking the limits of a system. His inability to stop made him a great criminal. By that I mean his crimes became a great challenge to a law enforcement infrastructure, including the FBI, poorly prepared to understand his crimes. His years as a fugitive made him a great story. Meaning he became both a folk hero to legions of computer experts and hackers who understood him and an arch villain in newspaper articles, in the New York Times and elsewhere, determined to sensationalize him and his crimes.

The story of Kevin Mitnick as the world’s most wanted hacker is funny, exciting, sad, and sometimes horrifying – especially as we read how the courts so grossly misunderstood his crimes and thereby punished him in some ways worse than the most heinous mass murderers of recent memory. Here lies the critical aspect of Kevin Mitnick’s story. Computers, networks and the Internet were so mysterious to people outside of the geek or IT subculture when Kevin was hacking that people were afraid of the unknown and needed someone or something to take their fear away. Kevin was a sacrificial lamb to his accusers, many of whom needed to defend their pride, and to the public, who loved seeing a villain take a fall.

Like other sacrificial lambs, Kevin Mitnick also became a symbol. To the hacking underground he was a freedom fighter. To us in the security profession, he was a manifestation of the enemy, the “threat.” To law enforcement he was a catalyst for changes in law and improvements in technological savvy. For all of us, though, he elevated the conversation about risk management. Before Kevin, data security was all about control. If we ever lost “control” of data, we felt as though we “lost” it altogether. That mentality still exists and is common in discussions of data leakage, today. The lessons we learned since Kevin’s adventures on the wires, however, bring us to a much more useful and business-oriented view of security and risk management. Security — control — is not the point. No business executive wants security. He or she wants business to run efficiently and effectively, no matter what else is going on. This idea of robust business process is the new view of security and one built firmly on the foundation of Kevin Mitnick’s hacking. Kevin proved to us that “control” of data is not the point. “Securing” the network is not the point. Resiliency is the point. Securing the “business” is the point.

The myth of Kevin still haunts many people in technology, business and law enforcement. But the myth is all we’ve had till now. This memoir gives us finally the man, Kevin Mitnick, whose adventures as the world’s most wanted hacker bring us to a very human view of the intersection of technology, business, law and security.

Categories: Uncategorized

SecurityDreamer New York July 18

Here is my invitation for SecurityDreamer New York.  Wanna try to squeeze in?

You are invited by Steve Hunt, noted industry analyst, to attend a special reception in midtown Manhattan on Monday, July 18, 2011 4:30-7:15 pm.

Food, Fun and Giveaways – Better Metrics, Best Practices and New Technologies

The most successful security directors have evolved into business executives. They do that by mastering one important principle: Understanding that the “stuff” of security is data. Event logs, alarms, video streams, door and network access, identities and privileges are all data that may be organized into information and then put to use as business intelligence.  A security executive becomes a business executive when he or she successfully measures and communicates the value of security initiatives.

SecurityDreamer events are your opportunity to learn the newest and most successful methods for running a security program like a business unit.  Steve Hunt’s techniques, developed over many years as one of the world’s top technology consultants, will transform how any CSO, CISO or security director manages IT or physical security up the ladder and down.

Enjoy wine and hors d’oeuvres while networking with your peers.  Steve will share his recent research gleaned from hundreds of end user interviews. You will have an opportunity to learn about new techniques for calculating and communicating the true value of a security project, and ways to motivate your employees to optimal performance.

If you’d like an invitation, tell me a bit about yourself in an email to steve.hunt@huntbi.com

Space is very limited, so you’ll have to hurry.

About Steve Hunt

Steve Hunt, CPP CISSP, is an industry adviser, futurist and consultant whose career has spanned the breadth of the security industry: physical, homeland, corporate and data.  He was inducted into the ISSA Hall of Fame in 2009 for his achievements in IT security, and named one of the 25 most influential people in the physical security industry (Security Magazine). Steve Hunt ran the security and risk management think tanks at Giga Information Group and Forrester Research. As a recognized expert on best practices, security trends, and emerging technologies, Steve has advised hundreds of the world’s largest organizations,

Steve is a frequent speaker at business and security conferences around the world. His analysis has appeared on CNBC, Fox News, CNN and in the Wall Street Journal, Financial Times, The New York Times, Business Week, and other global publications.  Steve’s diverse background in security lends a fresh perspective on the industry.

Steve authors the popular blog SecurityDreamer.com

Follow Steve at www.twitter.com/steve_hunt

 

Categories: Uncategorized

SecurityDreamer Chicago

What a successful SecurityDreamer Chicago Event last week! Thirty men and women from a cross section of Chicago’s IT and physical security communities, end users and service providers, gathered for a fun evening of information sharing, new research, fine art, yummy wine and stimulating conversation.

The event was held at the exquisite David Weinberg Gallery in the art district of Chicago near downtown.  David Weinberg was on hand to talk about his art.  The photographs lining the walls of the three-room gallery were provocative and powerful. David said his art was inspired by his childhood and colored by his years owning a technology company that he sold some years ago.

We were able to afford a beautiful and unusual venue because of our visionary sponsors, BRS Labs and Inovonics.  I’ve mentioned BRS Labs in the past.  I have such appreciation as a technologist for innovative companies, and BRS Labs is one of them.  The company re-thinks video analytics and approaches the challenge in an entirely new way.  While the “video analytics 1.0” vendors battle it out, BRS Labs quietly amazes its customers and confounds its competitors with a “2.0” solution.  Thank you to BRS Labs for sponsoring SecurityDreamer Chicago.

Rethinking solutions was the theme of the event. I shared some research Hunt Business Intelligence recently completed on trends in critical infrastructure technology adoptions by the largest companies in the world.  It turns out that non-security executives, like CEOs and CFOs, are steadily losing confidence in security executives.

Part of the reason for that loss of confidence is that security executives continue to think like security wonks and do a poor job running security like a regular business unit. A security professional should be able to analyze, measure and create value, and not merely avoid risks.

Inovonics helps its customers create value. Its line of wireless life safety technologies, led by its flagship RADIUS product, leverages existing network infrastructures to provide superior service.  Imagine integrating a wide variety of sensors, including people-location, around your facility built around a single architecture of standard wireless networking. It is life safety information management at its finest.  Thank you to Inovonics for sponsoring SecurityDreamer Chicago.

We are now planning SecurityDreamer New York, SecurityDreamer Houston and SecurityDreamer Orlando (at ASIS).  Drop me a note and tell me a bit about yourself if you want one of the limited invitations.

Security Magazine features my CEO Research

Thanks to the editors at Security Magazine who featured an excerpt from my recent research on CEOs’ perceptions of security executives.  You can find the analysis on page 20 of the May 2011 issue.

Among the findings, I report that CEOs are frustrated by the lack of business acumen of most security and IT directors.  Misuse of ROI is one of the most common failings of technology managers.  ROI is designed to measure the delta between apparent costs and apparent benefits, but is unsatisfactory at measuring the degree to which a specific investment achieves a specified goal.  In other words, you can buy the product with the biggest ROI and still not solve the problem you hoped to solve with it.

If this rings a bell, let me know and I’ll direct you to some better methods for measuring the value of a technology investment.

Categories: Uncategorized

Still Time to Register for the SecurityDreamer Event in Chicago

Hey everybody, we’ve moved the venue to a larger space to accommodate the growing numbers of attendees.  You still have time to register.  But hurry, the event is just one week away!

Wine reception, near downtown Chicago, Wednesday May 25, 2011.  5-7:30p

Enjoy wine and hors d’oeuvres while networking with your peers.  You will have an opportunity to learn about new techniques for calculating the true value of a security project, and ways to produce optimal performance from your security program.

“Steve Hunt’s techniques, developed over many years as one of the world’s top technology consultants, will transform how any CSO, CISO or security director manages security up the ladder and down.”

RSVP for the free reception to steve.hunt@huntbi.com for further details.  Space is a bit less limited.

Categories: Trends