Six Degrees of Information

Continuous Data Protection is as ineffective as backup in a ransomware scenario

Thu, 16 Apr 2026 14:53:47 GMT

Here is another of my posts about real cyber [data] resilience capabilities for those in charge of data protection to think about.

Continuous Data Protection (CDP) is just another name for a backup. It is excellent in its ability to automatically save a copy of every data change in real time (similar to Microsoft VSS), allowing for recovery to any previous point in time.

Providers of CDP profess its unlike scheduled backups as CDP minimizes data loss (near-zero RPO) and protects against ransomware, corruption, and accidental deletion by creating a continuous journal of data modifications.

Here are some key aspects of CDP and why Synergy Six Degrees (SSD) believe it does not deliver on its promises during a cyber malware attack. !!

Make a strong mental note that CDP vendors talk heavily about RPO but never RTO, a key measure when returning your business to operations and halting revenue bleed:

Benefits:

Data Resiliency: Drastically reduces data loss by continuously recording changes.

SSD Opinion - Nice, but when an attacker compromises your live data you have lost all production data - not just the last change.

Ransomware Protection: Allows rolling back systems to a "known-good" state just before an infection occurred.

SSD Opinion - Rolling back assumes that the malware didn't compromise your CDP copies. This is a common strategy against backups. So, you should assume any CDP copy on a network during the attack will be compromised. Also you don;t just roll back the last change, you have to roll back the entire data set.

Simplified Management: Eliminates the need to manage complex, scheduled backup jobs.

SSD Opinion - We are talking about a cyber attack roll back not going back 1 week, 1 month or 6 months. All data copy products must have a level of scheduling to ensure you keep what you need and dispose of that not wanted.

Tracking data changes: (deltas) and sending them to a separate storage location, either locally or in the cloud.

SSD Opinion - Excellent strategy as you are now following a variation of the industry 3-2-1 policy. Keep in mind when a cyber attack hits, one of the first things you do is - TAKE DOWN YOUR NETWORKS - protecting you business and supply chain. Any CDP copies that are offsite, are now inaccessible. No worries you have other CDP copies onsite, but these have already been compromised.

Storage: - data should be stored on high-speed, local network disks for rapid recovery.

SSD Opinion - High speed networks like 10GbE are excellent to record/copy the changes to its target storage location. When executing your Incident Response strategy you naturally become risk-averse, so only limited networks are opened, probably starting at 1 channel or 100mbps to restrict the ability for you to suffer from double extortion attacks or stop existing malware not cleaned as yet from moving laterally.

Remember, as mentioned previosuly, even though you have captured the data changes for every record. When you need to recover it'll be for the entire data set, not just the changes.

On-Site Target Storage (Fast Recovery): A local disk in the same network as the source, allowing immediate recovery of data.

SSD Opinion - LAN's as well as WAN's get taken down during a cyber attack. If the local disk is not immutable media (costly to store everything onsite on immutable) you cannot guarantee it'll be accessible. It could be encrypted or deleted.

Off-Site/Disaster Recovery Sites: Remote data centers or secondary locations that protect against total site failure.

SSD Opinion - A cyber incident isn't an act of god (earthquake, flood, or hurricane, etc.) or a scheduled DR test, so this is mute. Plus, in a cyber incident if you have no WANs it means you cannot get to this data. If the remote data is not immutable you cannot guarantee it'll be accessible. It could be encrypted or deleted.

Cloud-Based Storage: Utilized for hybrid or multi-cloud scenarios to provide scalable storage and simplified, automatic backups.

SSD Opinion - Same as above.

Encryption: When selecting storage, ensure it offers high encryption capabilities for security (e.g., AES-256) and adequate capacity for continuous change logs.

SSD Opinion - Love this one. Encryption is excellent technology to stop cyber criminals or anyone from reading / accessing / stealing your data without your private key. Unfortunately encrypted CDP data is not normally immutable, which means the attacker will either delete or encrypt (over your encryption) to compromise your operations.

Resolution

You know my answer to addressing these short comings: NeuShield Data Sentinel

Reality - Ransomware/Malware executing Data Deletion, Encryption and Exfiltration are wasted when NeuShield is installed.
Reality - Every piece of data on a protected device is guaranteed to be protected 24/7 without being moved or copied off device(s).
Reality - The OS/Apps and device settings can be restored if compromised without a backup or gold image. All from the same device no data transfer.
Reality - Data Reverts (not rebuilds) happens simultaneously across all your devices in secs/mins, not days/months.
Reality - This is NeuShield patented IP, not backup, snapshots or shadow copies and no need for networks to be operational.

Drop me an email kevin.bailey@synergysixd.com

LinkedIn message or and check out my web page for more information:

https://www.synergysixd.com/neushield-data-sentinel

What is Ransomware Data Protection?

Mon, 07 Oct 2024 14:23:45 GMT

How many vendors do you see and hear proclaiming to deliver ransomware protection, only to unveil that their solution comes with caveats.

Synergy Six believe that organisations need an explicit ransomware data protection solution to protect and recover active data, recovery data, and installed device OS and services during exceptional operations. These solutions should not replace existing security tools that are your primary detection and response to these types of cyber attacks.

Ransomware data protection solutions are not your current data backup and recovery tools, they can only protect a copy of your copied data not data that is active.

Synergy Six Degrees defines ransomware data protection as vendor-developed solutions that prevent the compromising (encryption, deletion, modification, or exfiltration) of active data on devices. These solutions operate in real-time, delivering their value when enterprise security tools fail to detect and mitigate ransomware/malware attacks. Ransomware data protection can be offered as SaaS-based, on-premises, hybrid and can be a combination of software and hardware.

Synergy Six Research - Ransomware Impact Map

The vendors included in the lower left quadrant of this report do not deliver any active primary data protection. The primary role of these solutions is to take periodic copies of data for future recovery. Their only value in a ransomware attack is achieved if they maintain a copy of data on an immutable/air-gapped technology. This choice of media ensures the backup data cannot be compromised and can be used for data recovery when the primary and secondary backup copies have been compromised. The NeuShield solutions (upper right quadrant) have been identified currently as the only solutions purposely developed for ransomware protection, prohibiting direct data modification that may compromise (encrypt, delete, modify and/or exfiltrate) active data, delivering instant recovery.

Want to read the rest of the report then click on this link.

Are Commvault on the SHIFT or merely shuffling along.

Thu, 29 Feb 2024 09:51:00 GMT

Read my review of Commvault's recent London SHIFT event.

Last week a spent some of my time getting out and pressing the flesh (not literally) with the folks from Commvault.

These guys have been visible to me since my days looking after the Veritas portfolio at Symantec.

So, let’s not look back, but forwards at a few of the topics that were discussed.

At 8:30am the networking area set up at BAFTA headquarters had a good turnout and provided me with confidence that the Commvault customers were expecting something different. Right from the outset of the session Richard Gadd, SVP EMEA, set the stage by announcing that Commvault see their announcements as their largest SHIFT in strategy for 27 years .

The original purpose of backup & recovery software was aligned to BC/DR events. Rightly so, the general product purpose seems to be relegated to a secondary role due to the immediate nature of recovering from cyber-attacks.

The ransomware effect was everywhere and, in your face, like it or not. A message that is replicated at other events I have attended recently.

Rather than hyping on about the $30Bn of business losses and commonly known dark cloud effects of ransomware, Richard focused on the operational effects with a cyber resilience approach.

Commvault’s position is the belief that their tools can rapidly and effectively recover their customers business continuance. Delivering effective business continuance via Commvault Cloud aims to provide their customers the ability to get closer to the data, rather than leaving a chasm between security and recovery.

The starring role for this SHIFT in strategy is the Commvault Metallic AI platform that has over the past 4 years, built Commvault a pipeline of $130m ARR and 4,000 customers. Commvault believes that it is the time to fold Metallic AI into Commvault’s platform strategy.

Richard stated that “this shift delivers their customers cyber resilience at the lowest TCO”.

The other major noise appeared to be coming from pushing ‘Clean Rooms’ .

It’s a well-known fact that IT teams find it difficult to find the time and resource to manage their recovery testing. Commvault stressed that their close partnership with Microsoft enables them to deliver a ‘clean room’ on demand. Near-instantly spinning up a replica environment to undertake business continuity testing and then spinning down again.

An excellent way to encourage better actual testing rather than tabletop exercises, while keeping costs under control.

“Need to think and deal with recovery in a different way” , was Darren Thomson’s opening remark.

Having recently joined Commvault as their EMEA Field CTO, anyone that knows what it is like to join an established vendor and the battles you will lose trying to convince them that their positioning needs to change. Darren’s opening confirmed that this was not his wish but confirmed that Commvault is trying to move in a different direction.

Bringing in a perspective from the cyber insurance industry, Darren took the audience through the four concerns that could expose an organisation to a cyber catastrophe:

Securing Active Directory - from malware compromise and inappropriate access
Identity and Access Management – the urgency of implementing a form of MFA
Patching – maintaining a proactive level of system and software updates
Cyber Recovery – develop, maintain and test your plans regularly

Many CIOs and their legal peers will recognise three of these areas when they are submitting their cyber insurance and warranty forms. The outlier that is not always raised to prominence was Commvault focusing on – Cyber Recovery .

This is a task that has always been elusive, not because CIOs/CISOs rank it any lower in their priorities, it’s the time and costs on top of normal operations that delay or cause the cessation with performing this tasks. Helping to minimise exposure to a cyber catastrophe can only help an organisations resilience maturity.

Summary

This report was never intended to be a pros and cons of Commvault Cloud and their SHIFT strategy. I believe they are undertaking a portfolio shift rather than a SHIFT in their overall business strategy. They are still focused on data backup & recovery, increasing their relevance with additional detection and recovery techniques .

I much prefer this approach than some of their peers that trying to extend their portfolio into the endpoint malware detection space. The latter is already well covered with experience in advanced AI/ML Malware engines.

Industry Challenges

The areas of concern that I have exist in the data protection & recovery category whoever the vendor.

Recovery of data

Commvault and their peers acknowledge that cyber actors will target the recovery data (backups, VSCs, snapshots, etc.) prior to performing any ransomware compromise. This means that any recovery will happen from a clean room or offsite data location. This is always a challenge when the first thing organisations will perform when aware of an attack is to remove all external network and internet access.

SSD Request - I’d like to see more activity bringing the recovery closer to the playing field and not relying on network connectivity to move clean data.

Data Identification

Knowing your data is critical when ensuring that you are backing up or creating VSCs/snapshots of the right data. Wasting storage, time, costs and resources when finding the right data to recover and immediately identifying any exfiltrated data is a sign of an effective data management strategy.

SSD Request – Don’t just focus data classification and management in the backup space, but bring it to the front, before you compute with the data and work with real-time data analytics.

Clean Rooms

A clean room strategy is a positive move to increase regular and scenario testing to increase an organisations cyber resilience.

SSD Request – Scenario testing should never be clean. Any clean room or internal infrastructure testing should mimic the reality of the things you don’t think will be missing or are compromised. Ensure you test the unthought of, as well as the known. Something your red teams could help you develop.

Thanks to the Commvault for hosting a well organised, attended and informative event.

Is a 3-2-1 backup strategy still fit for purpose?

Tue, 30 Jan 2024 09:41:28 GMT

How can you recover from three copies of data when two may have been compromised and recovery may cost you $100,000's of unbudgeted spend to meet your RTO.

Kevin Bailey, Chief Analyst and Founder at Synergy Six Degrees talks to Demetrius Malbrough about the evolving nature of data protection focusing on the 3-2-1 backup strategy and its relevance in modern cybersecurity.

Kevin challenges traditional data protection methods, emphasizing the increasing sophistication of cyber-attacks and the importance of protecting active data.

The discussion includes insights into backup vendors' roles, the effectiveness of recovery time objectives (RTO), and the impact of technological advancements like AI on cybersecurity.

Cyber predictions are cyclical, predictable

183:792006836 (Kevin Bailey) — Wed, 01 Nov 2023 14:52:30 GMT

But what new knowledge will be shared off the ride in 2023

Halloween is over and everybody is now ramping up or engaged with Diwali, Armistice Day, Thanksgiving, Bodhi, Advent, Feast of Immaculate Conception, Winter Solstice and Christmas Day. But not if you are a cyber technologist.

It's time to be inundated by those with the crystal balls, as its Prediction Season

Let's hope those who profess to know more than everyone else, come out and surprise us with something that no one has thought of yet and can force a change of heart into 2024 plans and budgets.

Maybe I'm a sceptic but I think I could hit at least 90% of the major bylines that vendors and analysts will be dishing out.

Why? .........because everything is cyclical

The cyber criminals are badder than last year.
Its a bit like washing powder being even whiter than the last products' whiteness.
New malware families will utilise AI to bypass security tools
Why is this a surprise. Commercial organisation's use AI to become better at what they do
Millions of cyber attacks will hit your organisation every day
It's like a marketing campaign, where a 2% return is very good. Send to 1 person and you've little chance of success, send to 1 million and you get <20,000
Millions of data will continue to be breached and a major hack will materialise in 2024
99.9% of attacks will be mitigated, but it's that 0.1% that catches everyone out and creates chaos. Major hacks, we had MGM, Sabre, Microsoft and MoveIT this year and lets not forget SolarWinds that is still making waves
Governments reaction to cyber attacks will be to introduce more regulations
Every country now has data privacy laws, many based on GDPR. Even the Whitehouse Executive Order wants the 'Bipartisan data privacy legislation' to get through congress.
MFA is a priority to mitigate the ease of account takeovers
This is so old and tired, its becoming laughable for any organisation not implementing. Most systems/Apps make the user deploy 2FA as a minimum.
Cloud security will be growing and promoted as more secure than on-premise architecture
Since when has cloud security providers had a bag of security tools that are not available to any individual organisation.
The insider continues to be a threat, even if they are just a WIMP ( W ell I ntentional & M eaningful P erson)
Log everything everyone does with data and you get pre-emptive visibility if they are bad or just ill-informed.
Everyone needs to trained on being security aware
Totally agree. If the governments want to put legalisation in place for cyber then do it for security awareness. My opinion.
Ransomware will continue to scare everyone, but only when it happens
It's like telling someone they cannot get access to their bank account. They'll only believe it when they try, then they'll shout very loudly.
Everyone will be told they need to know more about their data and profess to understand 100%, when the reality is 20-40% (at a push)
When organisations only appreciate data in a database as the Crown Jewels, that's all they need to know. Wait until they see what is floating around the company and being sent down social channels.
Cyber security needs to attract more budgets, but is still seen as a cost to the business
I think CISOs would love to be treated as a value to the business and given a greater share of stagnant operating budgets.
Cyber needs to be understood by the board
Its happening, but will only get better once technology can be spoken with a 'tone of voice' that senior management can digest.

Everyone of these statements, not predictions have been seen every year for at least the last 5 years.

All these statements need to be enacted, progressed or put into a plan, and many are probably in place and either factored in or out of a CIO/CISO's activities.

So, rather than circulating another set of cyclical predictions, just send out a reminder and let people know if anything has changed and how realistic the last 2-3 years of their predictions have materialised.

An Identity Digital-First Trust Model Increases Privacy and Protection

183:792006836 (Kevin Bailey) — Wed, 14 Dec 2022 11:07:15 GMT

The principles of decentralising one's information into their own ownership are completely related to, and contextualised by, privilege.

The World Economic Forum (WEF) released a report that promoted the opinion that freeing ourselves of passwords will actually make us safer and businesses more efficient. Cybercrime is a lucrative business and is currently costing the global economy $2.9 million every minute, ~ 80% of these attacks are password-related. Traditional, and now outdated authentication that relies on the user to remember PINs, passwords, passphrases, or whatever so called memorable combination of numbers and characters creates a headache for users, but it is also impacting business efficiency and costs. The WEF believes the average annual spend for companies is now at over $1 million for staffing cyber related management alone.

Our digitalised economy requires every user (employee, citizen, social) to embrace technology as a efficiency driver. We should also be expecting those that we trust with our identities and data to harness tools such as artificial intelligence and machine learning to increase our experience, protect us from cyber criminals and control 3rd party request to our PII, while optimising their cost base.

A passwordless economy is not just about the provision of access to authorised platforms and services and protecting against cybercrime. When designed effectively, digital identification can increase our privacy and reduce existing social inequalities. So privacy and equity must be foremost in discussions about how to design digital identification.

As outlined in the User Isolation Protection report I published previously, the authentication methods have the capability to exploit many of our personal characteristics; biometrics, pattern-based, geo-location and many more device controlled uniques. We can extend these examples and extended to our identities to include; degrees, morals, hobbies, schools, occupations, social status, personal expression, etc. Each of these can be applied depending on the context they are used.

In recent years, many governments, campaigners and commercial vendors have been discussing the idea of a “ self-sovereign identity (SSI) ” that lets you share your identity freely, confirm it digitally, and manage it independently—without the need of an intermediary between you and the world to confirm who you are.

Making this work we would need to transform all our physical documents (birth certificate, passport, driving licence etc) into a single, digital document or filing system stored by the person themselves rather than on a huge government database, giving a person control over how and when their personal data and/or identity is used. This would mean you would ‘sign in’ to websites with that information rather than creating username after username for each website. This is coming to be known as ‘self-sovereign identity’ (SSI), though the precise definition of this has not yet been agreed.

Such an identity is asynchronous, decentralised, portable, and most of all, in control of the identity holder. A distinct concept within SSI is “ decentralised identifier ,” which focuses more on the technical ecosystem where one controls their identity.

There has been a growing push for digital forms of identification. Proponents assert it is an easier and more streamlined way of proving one’s identity in different contexts, that it will lead to faster access to government services, and that it will make ID’s more inclusive.

Several technical specifications have been recently published that expand on this idea into real world applications. Summarised below are two of them, with a focus on the privacy and equity implications of such concepts, and how they are deployed in practice.

The Trust Model (not Zero-Trust!)

Major specifications that address digital identities place them in the “trust model” framework of the Issuer/Holder/Verifier relationship. This is often displayed in a triangle, and shows the flow of information between parties involving digital identification.

The question of who acts as the issuer and the verifier changes with context. For example, a web server (verifier) may ask a visitor (holder) for verification of their identity. In another case, a law enforcement officer (verifier) may ask a motorist (holder) for verification of their driver’s license. As in these two cases, the verifier might be a human or an automated technology.

Issuers are generally institutions that you already have an established relationship with and have issued you some sort of document, like a college degree or a career certification. Recognising these more authoritative relationships becomes important when discussing digital identities and how much individuals control them.

Verifiable Credentials

Now that we’ve established the framework of digital identity systems, let’s talk about what actually passes between issuers, holders, and verifiers: a verified credential. What is a verified credential? Simply put, it is a claim that is trusted between an issuer, a holder, and a verifier.

The World Wide Web Consortium (W3C) published an important standard, the Verified Credential Data Model .

This was built in the trust model format in a way that satisfies the principles of decentralised identity. The structure of a verified credential consists of three parts: a credential metadata, a claim, and a proof of that claim. The credential metadata can include information such as issue date, context, and type.

While these specifications provide structure, they do not guarantee integrity of the data.

“Digital First” Identities Could Lead to Privacy and Equity Last

These thorough specifications are a significant contribution to the development of digital identification. But the concept of “digital first” raises major concerns around privacy preservation, safety, and their impact on marginalised communities.

Both specifications recommend data minimisation, avoiding collection of personally identifiable information (PII), proper auditing, proper consent and choice, and transparency. However, unlike Europe that has GDPR, the United States requires a comprehensive federal data privacy law , otherwise these are just recommendations, not mandates.

Acknowledgements are given for additional content for this post from content taken from Alexis Hancock and World Economic Forum . For further information outline the technology, go take at look at Sedicii , Thales , EY , Evernym and Hyland .

Patching Shouts for Help from NDR!

183:792006836 (Kevin Bailey) — Thu, 14 Oct 2021 13:00:00 GMT

HP threat research shows attackers exploiting zero-day vulnerability before enterprises can patch. It's time to consider NDR that is fast to deploy, detect and [automatically] respond, before the malware can hit the endpoint. IDS and IPS just don't cut it anymore,

Patching against Zero day threats continues to be a reactive process requiring organisations such as HP Wolf Security to identify and notify new vulnerabilities, such as their latest catch, CVE-2021-40444.

HP Wolf Security threat research team are seeing cybercriminals using legitimate cloud providers to host malware, and switching up file and script types to evade detection tools.

New? No , but it's becoming more commonplace and increases the pressure on Cloud, MSP and MSS providers to shout for help to proactively identify, quarantine and destroy these malware intrusions as a first level of protection and not rely solely on patching. But please don't stop patching.

The HP Wolf Security threat research team found evidence that cybercriminals are mobilizing quickly to weaponize new zero-day vulnerabilities. Exploits of the zero-day CVE-2021-40444 – a remote code execution vulnerability that enables exploitation of the MSHTML browser engine using Microsoft Office documents – were first captured by HP on September 8, a week before the patch was issued on September 14 .

By September 10 – just three days after the initial threat bulletin – the HP threat research team saw scripts designed to automate the creation of this exploit being shared on GitHub. Unless patched, the exploit enables attackers to compromise endpoints with very little user interaction. It uses a malicious archive file, which deploys malware via an Office document. Users don’t have to open the file or enable any macros, viewing it in File Explorer’s preview pane is enough to initiate the attack, which a user often will not know has happened. Once the device is compromised, attackers can install backdoors to systems, which could be sold on to ransomware groups.

Specific to providers:

The rise in cybercriminals using legitimate Cloud and web providers to host malware: A recent GuLoader campaign was hosting the Remcos Remote Access Trojan (RAT) on major platforms like OneDrive to evade intrusion detection systems and pass whitelisting tests. HP Wolf Security also discovered multiple malware families being hosted on gaming social media platforms like Discord.

“The average time for a business to apply, test and fully deploy patches with the proper checks is 97 days , giving cybercriminals an opportunity to exploit this ‘window of vulnerability’. While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less knowledgeable and resourced threat actors," explains Alex Holland, Senior Malware Analyst, HP Wold Security

Patching is a critical exercise but we need to catch the attack before it gets to the user,

Security teams have a hard time as it is, especially as "74% of malware is undetectable to signature-based tools", Watchguard technologies, but help is available.

Upgrade your IDP, IPS, NTA tools and join the growth in deployments of Network, Detection & Response technology. Detecting these new anomalies is critical, but as important is the response capability, both automated or 'one-click'.

There are some strong players in this category of security tools, Vectra AI is one them that directly address the concerns around Cloud security, recognised recently, claiming the Globee 2021 Disruptor Company Award for Security Cloud/SaaS.

NDR is about detecting 'Attacks' not events. The security teams are already overwhelmed with 'Noise', so whichever NDR vendor you choose to evaluate, ensure they understand that size [of events] doesn't count, its all about the performance (identifying attacks).

[ 1 ] This data was gathered within HP Wolf Security customer virtual-machines from July - September 2021 .

[2] Microsoft credited security researchers Rick Cole (MSTIC), Dhanesh Kizhakkinan of Mandiant, Haifei Li of EXPMON, and Bryce Abdo of Mandiant for discovering the zero-day vulnerability.

If Zero Trust is so critical

183:792006836 (Kevin Bailey) — Wed, 10 Mar 2021 14:11:58 GMT

Why are you ignoring NIST, NSA and the NCSC?

Ikon Images / Getty Images

Between August 2020 and February 2021, “the agencies”, National Institute of Standards and Technology (NIST), National Security Agency (NSA) and National Cyber Security Centre (NCSC) have all published final or preliminary (beta) guidance for Zero Trust (ZT) that is applicable to all sizes of organisations. I would suggest to you that the agencies are experts in the field of cybersecurity. So why are vendors and influencers ignoring the agencies’ guidance when proposing to be an advocate of ZT?

Desk research of 26 security vendors (products & services) that I undertook shows that the majority are exploiting ZT positioning in the belief that they have a unique product or service recognised by alternative research group reports but only three (11%) vendors referenced one or more of the agencies. Rather than sticking to [the agencies’] ZT guiding principles and design concepts, it appears there is a belief that deriving new terminology for ZT (I found five) and simply aligning to what the agencies have provided will reap greater vendor ZT acceptance, rather than [possibly] being seen as just another outlier.

SynergySix Suggests

Security Leaders

Acknowledge that ZT is a journey of competency from basic to advanced capability and that you will be evolving your identity, access and authentication policies and processes every year.

Immediately recognise that the security product(s) you have or will implement are there to support your businesses ZT guiding principles and design concepts.
Resist approaching this from a product or lack of alignment to the agencies’ recommendations mind-set may hinder your guiding principles and design concepts.

So, ensure that you lead with a secure IT strategy mindset and then ensure your product(s) of choice can ride the journey to advanced capability with you.

Security Vendors

Whatever your belief, ZT has been developed as philosophy and a strategy that when evolved helps your clients’ IT strategy embrace a ‘security-first’ mentality.

Lead your engagement by acknowledging that ZT is advisory led (service/consultancy) not a product led engagement.
Identify how your offering advances successful processes, policies and the availability of data for the benefit of the client.
Immediately relate to the agencies’ guiding principles and design concepts so they will trigger the recognition of terminology/workflow/process/policy by the security leader, rather than having them having to find alternative definitions and material from across the industry.
Trust in the use of the agencies’ guidance of ZT as it clearly articulates all the use cases subsequently deemed of valued differentiation in other vendor/research group adaptations (ZTS, ZTNA, ZTXEP, ZTVDC, ZTDP).

Only once the advisory engagement is underway should you suggest that the client revert to challenging the security product(s) installed.

Establish a Baseline

A Zero Trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows - (NIST). Zero trust migration is a journey, and we think you can start yours by knowing your architecture, including users, devices, and services - (NCSC). Embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them [organisations] to secure sensitive data, systems, and services - (NSA).

Nowhere in the statements above do the agencies infer that organisations’ existing security products are inadequate or that ZT requires you to implement new products in order to adopt, embrace or migrate to ZT principles.

Everything evolves

I totally understand that architectures and frameworks evolve over time. Since John Kindervag first coined the phrase “Zero Trust” and published his first articles on the subject in 2010, it didn’t take long for those who believe they should be heard to throw in their opinions. The issue with the vast majority of these opinions over the last 5 years is that they have been taking the original essence of ZT out of context. Communicators of ZT believe it to be the next headline grabbing market positioning sensation, instilling doubt of functionality and capability of security leader’s previous product decisions.

Zero Trust yes or no?

Anyone that follows my blogs, posts or comments probably knows that I have never liked the term ‘Zero Trust’. In an industry full of fear, uncertainty and doubt, I feel it only adds fuel to the [existing] fire, as the term could imply that everyone and every ZT engagement is out to bring destruction and negativity. But this doesn’t mean I don’t wholeheartedly believe in the premise behind the term. If you have read my papers on User Isolation Protection , I continually encourage businesses to challenge and review their existing access, authentication and identity products and policies. I don’t know why John didn’t simply call it ‘ Always Verify ’ from the outset, or others change its name? Maybe it wasn’t catchy enough, impactful or marketable?

Pretty spectacularly lax

A strong example where the agencies’ ZT principles would have helped mitigate the effect of a cyber-incident was the [well publicised] SolarWinds incident. [Unfortunately] a great example where the principles behind ZT should have been a no brainer. Amongst all the commentary about the incident’s effects, it is now being blamed on a company intern by current and former execs for a critical lapse in password policy that apparently went undiagnosed for years. As Robin Oldham remarked in his weekly infosec newsletter “If true — and, hey, we have no reason to doubt [Kevin] Thompson’s testimony — then the company’s culture, practices, technical solutions, or assure activities must also have therefore been pretty spectacularly lax: because nothing says ‘good corporate governance’ like getting the intern to set up the build process for a ~$1Bn software company, and then not checking what or how they did it". Keep in mind this wasn’t about the product being used, but the processes and policies.

Security leader first

In the first instance, if I was a security leader I would always listen and be guided by the clear ZT guiding principles and design concepts developed by the agencies above all others. Why? They are independent, have no commercial interest, use diverse panels of cybersecurity experts to formulate their deliverables and are trusted in their opinions by peer security leaders. As a security leader and following initial research into ZT, I would then look at my existing security processes, policies and solutions for alignment to the guiding principles and design concepts, reaching out to my [ZT aligned] product supplier for further capability knowledge. Only after this would I then seek alternative offerings that align to the agencies’ guidance.

Delving into my research

Embracing the agencies

As part of my work, I engage (talk) regularly with security leaders to understand their concerns, issues and challenges. So, I decided to spend some time reviewing how the vendors align their ZT positioning with the agencies to benefit security and IT leaders.

So, I approached this in the manner that I understand a security leader would and allocated [a rare] 30 minutes to search for the agencies key phrase ‘Zero Trust’.

An IT strategy done securely

The agencies didn’t show up in the 4 pages of 49 results that I managed to review. But as these organisations do not have the volume of search traffic as commercial vendors or invest in paid advertising this was not a surprise.

From the 49 results presented to me, 22 were from security vendors, 2 research groups and 2 consultancies. Although there was a lack of coverage from the agencies, this was a strong result for this key ‘phrase’.

Diving into the results, I came across two security vendors that nailed the basis of ZT as it aligns to the agencies’ principles.

“Zero trust isn’t something you can buy or implement. It’s a philosophy and a strategy. And to be frank, at [redacted], we wouldn’t even characterize zero trust as a security strategy. It’s an IT strategy done securely.” In-house CISO
"There are no Zero Trust products. There are products that work well in Zero Trust environments and those that don't." Vendor blog (Zero Trust Architecture overview)

In addition, I managed to find two security vendors that directly referenced NIST ZT and another that promoted the NSA ZT model. These three vendors were not those that provided the quotes above.

These mildly encouraging statements from five of the 26 security related providers was the high point of the research.

We know best

Very quickly it became clear that the majority of organisations presented in the search results believe that to highlight their expertise and leadership in ZT they needed to spin the guiding principles and design concepts and create new frameworks and terminology to sell their products and services.

I was confronted with new terms; Zero Trust Network Access, Zero Trust eXtended Ecosystem Platform, Zero Trust Security, Zero Trust Virtual Data Center, Zero Trust Data Protection . What was wrong with maintaining a common baseline by just using ZT? The alternatives didn’t provide anything new and failed to explain how their product, service or framework aligned to those already provided by the agencies.

We know how to say ZT

The agencies provide a comprehensive overview of the guiding principles and design concepts behind “Never Trust, Always Verify” (ZT). The security providers were obviously hampered by collateral or webpage constraints and the need to get quickly to what they believe is important (the sell). I found only four examples that aligned to at least one of the agencies’ baselines. The remainder provided no real detailed understanding apart from the notional use of “Never trust, always verify”.

How ZT value helps

The four providers that could explain ‘What is ZT?’, were joined by another two [additional] providers that were able to convey a narrative about the true value of ZT to a business (security leader). The remaining providers diverted away from any alignment to the agencies and immediately hit the sales cycle and started on the feeds and speeds and why “they are a leader in ZT”. Emphasis was more about how they could replace what may already be in situ to resolve their [target organisation] establishment of a ZT environment, rather than approaching this from a ‘customer-first’ purpose and providing advisory recommendations that the security leader would find helpful.

The power of a report

It appears everyone loves a report. Four providers afforded me links to reports I could access - one authored by the vendor and the other three to industry analyst content that would enlighten me about their [assumed] better proposition and terminology on ZT. Unfortunately, all required me to register my details, sign up for a contract or pay up to $3,000. Everyone is entitled to an opinion but whilst I was acting as a security leader whose time is limited and budgets tight, this is very unhelpful to convince me of your value. If your report is compelling enough, just let me read it and then I will contact you. Being hammered with continuous unwanted emails and phone calls or paying for a report that ends up being of no use, means that you [author] missed the point, not the reader.

But it appears that the mere mention of alignment or inclusion within an ZT industry report (not authored by the agencies) that ranks one provider against others (assuming you meet the inclusion criteria) has a greater value than clearly articulating how you align to the guiding principles and design concepts from the agencies. I conducted a recent qualitative CISO research study for a client, and the CISO's clearly value peer insights and solutions directly aligned to threats over [presumed] leaders referenced in reports when considering security offerings.

What interests me about these industry reports, especially when you consider the earlier comment “Zero trust isn’t something you can buy or implement. It’s a philosophy and a strategy” , is at least 60% of the scoring criteria is on product functionality, not the vendors ability to be considered a valued advisor for ZT. At what point does a mature security product (already measured in another report) turn into a ZT product? Does that mean that these [newly classed] ZT products will no longer be measured in prior industry reports? I’m also concerned that no where in these [leadership] reports do the authoring analysts score the vendor against their alignment to the agencies’ guidelines and design principles. Wouldn’t this help promote a more services or consultancy approach and negate the promotion of a product-first attitude?

Tilt the advantage to the business

When it gets down to the detail of why vendors, analysts and consultancies are referencing ZT, it’s clear. For commercial value. There is nothing wrong in this as the products and services being offered all assist in establishing the appropriate end game, a ZT architecture model that the agencies are encouraging for each unique business.

What is misplaced is the approach that is being taken. A ZT architecture model as defined by the agencies is to help tilt the advantage of security authorisation, access and policy protection in favour of the business rather than the cyber adversary. Wouldn’t it be helpful for the security leaders that consume this information to be presented with content that explicitly emphasises the vendor, analyst or influencers capability to meet these challenges, front and centre?

Recognise real value

Finally, it appears that the emotional commercial attitudes are overruling the agencies’ ZT principles. Product, marketing and sales leaders in the business believe that they need to be vocal in the [ZT] game as an alternative sales and marketing play, allowing them to stand out in the crowd. Ask yourself, how many times did the security leader accept your invitation for a Zoom/Teams/Skype call and open by saying “So tell me all about your Zero Trust products”, rather than the security leader reaching out to you so they could learn how you can assist with their objective of aligning to the Zero Trust guiding principles and design concepts.

Every security vendor or services provider should always believe that their offerings have a value. The litmus paper test to determine ZT value is to present clear and tangible value that drives the ZT principles as outlined by the agencies. As referenced previously “There are products that work well in Zero Trust environments and those that don't” . You don’t need to use speculative beliefs, alternative frameworks or perceptions to be appreciated as adding value in ZT.

Raising awareness and helping security leaders protect access, authentication and privacy of their business is a challenge, but NIST, NSA and the NCSC have provided the guidelines and design principles to evolve every size of business to achieve this aim. Don’t ignore them.

The CISOs New Dawn

183:792006836 (Kevin Bailey) — Wed, 17 Feb 2021 10:48:19 GMT

Authored by SynergySix, F-Secure publish the first two of four episodes (chapters) delving into the insights of 28 leading CISOs across US and Europe, conveying the challenges facing these leaders, how they are tackling them and examples of who is succeeding

Chapter One

An Effective Security Leader - the year that changed it all

The Chief Information Security Officer's (CISO's) role has grown and matured fast from a standing start less than 30 years ago. Lately, this progress has accelerated. Recent events have thrust information security – along with CISOs, their teams and suppliers – into the spotlight, and suddenly cyber professionals have started getting invites to all the right parties.

But this ascent to mainstream business relevance, trust and recognition comes with several burdens – not least changing priorities, a need to develop or refine soft skills, and a host of fresh responsibilities and accountabilities.

To maintain effectiveness as an operational CISO is, under current circumstances, one of the most challenging responsibilities they face. Recent events, it seems, have added further challenges: embracing and adapting to new pressures, requirements and requests that stretch the CISO's traditional roles in several directions at once. This brave new world is one littered with personal, political and human challenges, as well as the technical ones.

In this chapter, the panel outline how their roles have changed over the last 12-18 months:

Have your role´s responsibilities changed in the last 12-18 months, and have you been required to learn new skills?
Have you needed to upskill around cloud security, device sprawl, RPA, AI, ML, Analytics, Threat Intelligence, etc?
Have you had to increase your business skills and the impact you have on company achievements?
Do you believe that your role will become more critical to your business?
Do you believe your role has increased in EQ as well as IQ?
What do you believe you need to improve to excel in your role?
How could your peers and reporting line management help you succeed?

You can find the full report at the following link: https://www.f-secure.com/en/business/resources/an-effective-security-leader

You will be immediately notified as each of the following chapters is published.

Chapter Two - A Reality Check
Chapter Three - The Cyber Threat Surface
Chapter Four - Cyber Triggers Influence Change

Research Methodology and Contributors

As the author of this research, SynergySix worked closely with the team at F-Secure who funded the report while all interviewees contributed on a voluntary basis.The qualitative interviews for this research have been conducted independently from the sponsors of the work. All editorial control remained under the authority of SynergySix

Twenty-eight interviews were undertaken between July and September 2020. A total of 23 interviews were conducted one-on-one and five interviewees provided their responses via the qualitative questionnaire, all on a confidential basis. At no time was the sponsor aware of the full interviewee list. All call-out and respondent listing attributions were sought by the author following completion of all interviews. This approach was adopted to encourage candid contributions. The setup and questioning approach has been designed to avoid bias, and where there has been risk of bias, this has been explicitly discussed in the interviews. Only three of the interviewees were existing F-Secure customers at the time of the research.

Each interview lasted at least an hour, with most lasting around 90 minutes and many leading to follow-up conversations to discuss the conclusions of the research.

The cohort of interviewees were approached based on their depth of expertise and were selected to build a balanced set of inputs.

SynergySix or the author Kevin Bailey had no commercial connection with the interviewees.

The participants were assured that the report was not intended to directly, imply or intimate that they endorsed or validated any sponsor products or services. The roles covered in the cohort include CISOs (or equivalent title), Head of Cyber Security, Director of Information Security and Head of Threat Intelligence. Financial services is the most strongly represented cohort.

Your opinion although interesting is irrelevant

183:792006836 (Kevin Bailey) — Mon, 15 Feb 2021 14:53:39 GMT

I don’t apologise for bringing Simon Cowell into the world of cybersecurity. Any followers during the auditions of X-Factor will have experienced Simon’s rebuff for anyone that has a different opinion of their singing ability compared to that of his, receiving the customary “your opinion, although interesting is irrelevant”. This doesn’t mean that Simon is always right, it’s just his opinion.

Cybersecurity a decade ago was all about opinions. ‘Experts’ would attract a following by stating their opinions on the current and future activities of hackers based on belief, gut instinct and, if you were a vendor, using impressive acronyms, fear, uncertainty and doubt to sell your products.

Accelerate forward a decade and securing your business, employees and customers is now a critical obligation to maintain business stability and growth. Uncorroborated opinions are now just noise, reserved for building followers, creation of sensationalised headlines and badly constructed marketing materials.

Decades of research have shown that humans are so-called 'cognitive misers'. When we approach a problem, our natural default is to tap the least tiring cognitive process. Typically, this is what psychologists call type 1 thinking ; automatic, intuitive processes that are not very strenuous (Daniel Kahneman), in contrast to type 2 thinking , which is slower and involves processing more cues in the environment.

When you drill it down, our thoughts about success, failure and beliefs, related to work and anything personal to us is driven by data, regardless of whether it comes from automatic type 1 or slower type 2 thinking. It’s your choice how much effort you want to spend understanding the subject [opinion].

Voice of a Leader

Leaders are predominately at the forefront of trying new things, followers aren't. Many opinion creators' self-belief assumes that they develop their content under the auspices of a cybersecurity leader, believing that it will make a difference, establishing a new [angle] for cybersecurity yet to be uncovered. A follower always needs to have an opinion believing that this increases their standing across the company or industry. Content from followers will be pulled together with type1 thinking, automatic or spontaneous. Whereas true leaders know that if they can add value it will come from a well rounded and structured critical analysis (type 2 thinking) of the subject, with the audience, not the author in the starring role. One of the main reasons an individual becomes a leader is that they have taken the initiative to achieve the position they are in today. Irrespective of your opinion of Simon Cowell, if he wanted to be a follower, he wouldn’t have achieved the respect he has today in the record industry.

So, whose opinion really matters in cybersecurity? The cybersecurity leader’s (CISO, CSO, Directors of Infosec, etc.)

By security leaders I didn’t mean industry analysts, influencers, vendors, marketeers, academics, self-proclaimed experts (excluding a few such as Schneier, Krebs, etc.), thought leaders and the list goes on. Does this mean that those that are in the firing line should disregard what individuals in the list are saying? No. Information and intelligence shared should always be considered but they should be read using the slower type 2 thinking to rationalise what’s being said.

Cybersecurity is a critical obligation

So why have I raised this subject and added my discipline as a contributor within the list of opinions that should always be rationalised?

As I mentioned previously, cyber security is now a critical obligation for organisations to maintain business stability and growth. The opinions that are continuously being shared are not always helpful to cybersecurity leaders preparing themselves for existing and believed cyber-attacks. Demonstrating sound opinion and judgement is critical for both the security leader and the provider of security tools. Cyber-attacks are relentless and any resulting incidents where the efficacy of the security tool is called into question shines a light on the decision of the security leader and the verbal and written capabilities from the vendor. The liability for insecure software is already a reality. The question is whether governments will step in to give it shape and a coherent legal structure. Broadly speaking, governments could do this in one of two ways. They could create a legal framework for claims brought by private citizens or government attorneys. Or it could delegate the regulation of software security to agencies like the Federal Trade Commission (FTC), National Cyber Security Centre (NCSC) amongst others.

It’s never good to wait for regulations, especially as cyber criminals operate in the present and not any future timescale. Opinions have no place in the compliance of regulations and security leaders need opinion creators to collaborate more closely to ensure that they [all those in the opinion list] add value in their efforts, not distract a security leaders invaluable time.

Leading with a type 1 thinking approach

There are numerous examples of content used by opinion creators in their efforts to capture the attention of security leaders with type 1 thinking. Four examples are summarised in the following paragraphs, all of which may look innocent in isolation, but each contribute towards the recurring misuse, tweaking and tedious use of opinion instead of challenging the norm by using accurate and inspiring datum.

Repetitive waste

Tell them, tell them and tell them again. But please change the record.

The most recent example of repetitive waste is the cyber incident related to the SolarWinds attack. Every ‘specialist’ on my opinion list had something to say. I googled ‘SolarWinds Attack’ and it returned 4.8 million results. Unless the article was from the incident response team or security advisories, it was churned content, expressing speculative opinions of who was to blame, their intent and how this would ultimately result in cyber warfare. We are now seeing the same churn happening for the mitigated cyber hack at Oldsmar's water treatment system in Florida.

We could stop that!

And yes, what a great opportunity for vendors to tell everyone how it wouldn’t have happened on their shift. Under the guise of a supposed advisory or breakdown of the attack, the final paragraph is always reserved for the vendors call to action “contact us to learn how we would have stopped this happening”. Don’t vendors and content authors realise that if the opinion piece was informative, insightful and [really] helpful the reader understand something of real value and not a blatant sales tactic, readers would probably go check you out? You don’t need to lead the horse to water, its capable of walking there by itself.

I’m the leader, just choose me

A leader is normally recognised by the opinion of an individual or group of individuals via a report or publication at a given data point in time.

However it’s the report author that decides what should define a leader and the evidential criteria used to rank security providers, it’s not an inclusive process.

Ask yourself:

Have security leaders been asked to agree the combination of functionality into a category?
Have security leaders been asked to evaluate the priority and weighting of key criteria?
Have security leaders been asked if they only want to know about established vendors and not those that need another couple of years to meet the report inclusion criteria?

Ever thought of dismissing the opinion or decision of what’s in the leadership reports? Well, why not? I recently spoke (yes spoke) to a group (lots) of CISOs (that’s their business title) and as far as they were concerned, they are not dependent on the opinion or details of vendor assessment reports of leaders (and followers) to choose a specific vendor/security tool.

Security leaders who go against the advice of these reports, will approach their decisions based on relevant factual data . The security providers, who are not deemed as being a 'leader', should continue conveying a strategy of ‘client-purpose first' and leave the chest pumping to the gorillas . You don’t need to boil the ocean, just make some positive waves.

The CISO doesn’t know

Every CISO that I have spoken to over the years have been highly intelligent and well read, both technically and of their business. The letters that appear after their name are not there because they cannot spell. CISM, CISSP, CISA, CIPP-US, CISM, CDPSE, CRISC, etc, all have a common theme ‘Security’ . These are practitioners, not academics.

So why do opinion pieces and vendor collateral continue to tell security leaders that; they need to be more security aware; should not let this type of attack into their business; should prioritise one security tool over another or get a grip of shadow IT?

In simplified english this is the author of the content using type 1 thinking (when developing the material), without the maturity to know that they are trying to tell their target audience something they already know, or “teaching your grandma to suck eggs”. The majority of publications, whether the are in the media or via digital channels are used to gain awareness and consideration for the content author or the company, so consider this, ‘who is going to pay for the product or service you are trying to get them to buy’? The person that you just advised wasn’t doing their job correctly.

If you are one of the so-called security vendor 'leaders' from the section above, shouldn’t you be thinking about getting one of your own customers’ security leaders to contribute to your opinion piece, removing the marketecture and replacing it with a practitioner’s perspective. Security leaders listen to the opinions of their peers before they listen to anyone else.

Thousands of security leaders agree

No, they don’t. Security leaders like everyone have differing beliefs, due to their industry, size of company, background, personal disposition and budget amongst many other factors. A box ticked or a ranking score chosen does not provide a true understanding. Size only counts when it’s taken in context.

My approach as a cyber industry analyst and go-to-market specialist is always to ask ‘why?’ rather than ‘how?’. As a researcher for both the areas of my specialism I use well-grounded methodologies proven over a number of years, strengthened from my MSc academic learnings.

Research should be used to understand the [current] factual state of the subject you are analysing. It should be driven by either standalone or a mixture of qualitative and quantitative data. Acknowledging your favourite washing powder or the flavour of one apple variety over another is relatively simple, cybersecurity on the other hand cannot be simplified to a number or tick box . It is very complex and has many overlapping factors. So, I despair when I read unfounded, exaggerated and tweaked cybersecurity research findings.

Security leaders are very busy individuals, but when they identify value to themselves or their peers in a research study, they welcome the ability to contribute. But you need to have them allocate time to respond, so they tend not to respond to speculative lengthy quantitative research and it can take weeks for them to find time in their schedule to participation in a study. Stating in a publication that the study has been compiled with the contribution of 100's of security leaders in a month or two , well, let's not add the response I would use.

Finally, a well delivered research study would encourage the security leaders participating to provide you with attributed comments, so unless you are doing this under the 'Chatham House Rule', convincing and challenging statements should always be attributed to provide validity.

When you are being presented with a B2B cybersecurity research publication, think about the title, objective and respondent size and approach the consumption of the content with type 2 thinking:

Are the respondent figures exaggerated? You cannot survey hundreds let alone thousands of security leaders in a month or two (also see point 7 below)
Is the publication making author based qualitative claims from quantitative (only) data points?
Are the questions closed rather than seeking a respondent’s experience or opinion?
Are there restrictions of options to choose from in the available lists?
Would you have been encouraged to add anything to the ‘any other comments’ box in a quantitative study?
If the research topic is primed with a negative connotation, are you expecting the respondents to challenge the implied opinion or just fuel a topic that may already be exhausted? How many times do you get someone complaining about something rather than saying how good things are?
If the title says ‘Security Leaders’, has the methodology provided exclusion where the respondent’s primary responsibility is not security leadership

Understanding the issues that cyber security leaders are experiencing to enable vendors and academics to build new products and services, highlights that research studies are and will continue to be a valuable source of data points for the cybersecurity industry. It is essential that any research study whether it is quantitative or qualitative is undertaken with the contextualised views of security leaders and does not steer the end publication to say something that the author already knew or intended.

Conclusion

Opinions are constant, we will always have them. The change in focus of cybersecurity from an annoyance factor a decade ago to something that is now an obligation of businesses has meant that any opinion relayed needs to be underpinned with evidential facts that will increase the knowledge of security leaders. Providers of opinions and security tools would be wise to adjust their tone of content and focus on facts that have a consistent engagement with practitioners who are specialists and not theorists.

Every business needs to respond in real-time

183:792006836 (Kevin Bailey) — Mon, 08 Feb 2021 16:59:52 GMT

Every second counts to digital-first businesses. One in every two people you see around you is connected to the internet and one in three people shop online. If their experience is disrupted, then business productivity - as well as current and future revenues - can all be instantaneously impacted.

The Corero report takes you on a journey to show how Real-Time DDoS Mitigation helps you ensure that - Every Second Will [Not] Cost Your Business

We may not be quite yet zipping around with rockets on our backs, but life in 2020 is still remarkably different than it was even a decade ago. Of course, much of that is due to technology and the internet that touches and enables almost every corner of our lives.

Technology has also made many of us much less patient in more ways than one. With the world at our fingertips, we want to know answers right away. Why wait around for a conclusion when we can find it within a few taps and a swipe? With decreased exposure to waiting for results we may be more inclined than ever to complain, look for alternatives, or change opinions in an instant.

Everything we do in our business and social lives is about speed, convenience and accessibility. T echnology is delivering a real-time experience that modifies our behavio u rs when connecting, engaging, and expanding our knowledge. These experiences and behaviors are continually recognized by the industries that entice us to change our attitudes of acceptance, exploiting their research and development to accelerate the adoption of their technologies to modify our acceptance of ‘always on’ to meet individual needs.

It is essential, however, to first protect the technology that is transforming our behaviors and expectations of ‘always on in real-time’.

The Corero report "The need for Always-On in Real-Time DDoS security solutions" co-authored with SynergySix provides insights into the journey of consideration and reflection that CISOs, their teams and peers should undertake when protecting their networks, consumers and employees. Unlike other vendor reports, we focused our efforts on highlighting the causes of increased attacks and the real cost of not ensuring your DDoS solution meets the same "Always On" requirements we all expect in a digital economy.

The report content delves into :

The balance of value and risk with innovation
Network effect encourages dependencies across your community
How DDoS directly impacts the lives of individuals and businesses
Why we cannot tolerate anything less than 'Real-time' and 'Always-on'
What can you do now to help secure your future and contribute to a safer internet?

To access the full report, please go to either the Corero website: https://go.corero.com/wp-always-on-real-time-ddos-security-download or the SynergySix resources page: https://www.synergysixd.com/SynergySix-Reports-and-Documents

We hope you enjoy reading the report

Photo by Sean McAuliffe on Unsplash

Complicated Passwords are C***

183:792006836 (Kevin Bailey) — Wed, 13 Jan 2021 13:53:03 GMT

Its time to evolve and remove human creativity

We're probably all familiar with the advice about what makes a strong password, but the man who first suggested combining numbers and letters and adding special characters to our passwords now thinks a lot of his original advice was misguided.

David Neil wrote this piece in 2017 about Bill Burr who was working for the National Institute of Standards and Technology (NIST), part of the US government, when he wrote his original guidelines back in 2003. With the backing of NIST, they were widely adopted by other agencies and IT managers.

But telling people to come up with multiple, complicated passwords for every account has backfired, Burr says, because many of us now just use the same password for everything we log into – and that makes us more vulnerable to hackers, not less.

"Much of what I did I now regret," Burr, who is now retired, told Robert McMillan at the Wall Street Journal . "In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."

Burr originally recommended mixing upper and lower case characters with numbers and special characters to make passwords harder to crack, and technically speaking that's sound advice – running through 52 or 78 possibilities for each character takes longer for a hacker than running through 26.

There are two problems with it though: first, people have tended to follow the same patterns (like replacing "S" with "5"), making it easier to predict passwords. Second, users have struggled to remember all these complicated combinations, instead falling back on using the same passwords for every account.

Burr also recommended people change their passwords regularly. Again, while this is a good idea in principle, it's led to people just changing one letter or number each time, making them vulnerable to clever hackers.

As th e h e a d l i n e x k c d comic image puts it: "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."

"The more often you ask someone to change their password, the weaker the passwords they typically choose," Alan Woodward, from the University of Surrey in the UK, told the BBC . " And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems."

Check out these sites from Troy Hunt an Australian security researcher and the man behind Have I Been Pwned to see if your email address or password have been compromised.

So, what should we be doing instead?

You could take the new advice from Burr, xkcd comics creator Randall Munroe, and other experts, and pick a long phrase only you can remember but which would take a huge amount of time for a computer to crunch through.

Something like "dodgebadgebigpanda" would do nicely. Don't use that, though, obviously.

To take the creativity away from the human, you could transition your IAM solution to adopt more advanced device and biometric authentication methods, ensuring that they all use and enforce multi-factor authentication policies.

Technical advisor Paul Grassi, who wrote up the latest NIST guidelines, says Burr shouldn't feel too bad about regretting his advice in hindsight. "He wrote a security document that held up for 10 to 15 years," Grassi told the WSJ . "I only hope to be able to have a document hold up that long."

The Always on Network

183:792006836 (Kevin Bailey) — Mon, 09 Nov 2020 18:36:52 GMT

BrightTalk panel discussing the Dangers of an Underperforming Network

When looking at consolidating an ‘Always-On Network’, security threats are a real concern for many enterprises. The dangers of an underperforming network seem to be never ending. However, with Citrix solutions, you gain consolidated access to SaaS, web and virtual applications, with end-to-end IT visibility and flexibility, with the ability to detect behavior analytics and prevent problems from becoming serious data breaches.

Click on the image above and watch the session, where we discussed :
- How to avoid risks while consolidating your network
- How Citrix solutions can help strengthen your security strategy
- The benefits of an on-demand, people centric approach to security

Panelists include d :
- Scott Fanning, Snr. Director, Product Management-Security/SDWAN, Citrix

- Kevin Bailey, Principal Analyst and Director, Synergy Six Degrees
- Andrew Scott, Senior Manager, Sales Engineering UK & Ireland at Citrix
- Ad Attias, Product Manager responsible for CloudGuard Connect, CloudGuard Edge, SASE and SD-WAN security, Check Point

Around Kevin Bailey from Synergy Six Degrees in 10 questions

183:792006836 (Kevin Bailey) — Mon, 02 Nov 2020 11:37:50 GMT

SynergySix engages with IIAR

It was a real pleasure to be asked by the team at the Institute of Industry Analyst Relations (IIAR) to be included in their world famous ‘Around in 10 Questions’ analyst interview series.

Every Analyst recognises the value that the IIAR brings to different industry's. The IIAR is a not-for-profit organisation established to raise awareness of analyst relations and the value of industry analysts, promote best practice amongst analyst relations professionals, enhance communication between analyst firms and vendors, and offer opportunities for AR practitioners to network with their industry peers.

Check out my responses that provide insights into SynergySix business focus, my thoughts about the marketplace I work in, peers that I recognise as being of value to their clients and a look into how I spend time outside working hours.

Link to the the IIAR’s ‘Around in 10 Questions’ series

Access is personal, but businesses need to help individuals help themselves

183:792006836 (Kevin Bailey) — Tue, 06 Oct 2020 15:52:30 GMT

Effective security takes the risk out of an individual’s behaviour, while not making security onerous

Our world is roughly divided into three types of people:

those that view sharing personal data as an invasion of privacy, believing that ‘Big Brother’ will use this for (presumed) illegal surveillance and data aggregating for purposes not originally intended
those that accept that their personal data provides value to them by allowing them to engage in business and social activities, widening their view of the world, and accumulating more knowledge and friends
cybersecurity criminals who see data as their route to success.

Whichever group you belong to, what’s certain is that our lives are increasingly driven by personal data located in multiple repositories across multiple locations.

The UK’s National Cyber Security Centre (NCSC) – the visible arm of GCHQ – which is part of the anglophone intelligence alliance Five Eyes , has highlighted that individuals don’t appear to appreciate the gravity of this situation and the woeful lack of strong online security. In a study it conducted in 2019 , over 89% of respondents said they used the internet for online purchases and 42% believed they would lose money from online fraud. Only 15% were confident they could protect themselves from harmful activity.

Not only does this reveal widespread concern amongst digital natives, but extrapolating the findings of NCSC’s survey to the ~4.5 billion worldwide internet connected individuals shows the huge scale of the problem.

But herein lies the problem.

Organisations are bound by regulations such as GDPR that are designed to ensure protection of personal data. We all expect that organisations that hold data will keep it safe and evolve the methods they use for doing so.

However, in the majority of cases, cyber criminals use individuals as access points to exact their attacks – either accumulating data or using the data they’ve already gained to plan their attacks.

The NCSC found that 70% of these individuals rely on PINs and passwords to secure their devices, trusting similar passcodes for all their activities.

Top 5 passwords used by individuals

Humans will always be the weakest link. And yet they will remain sensitive to how onerous security measures are – never having enough time to spend accessing a platform because they want to spend all the time they do have using it.

While the credentials that individuals use to legitimately gain access to various business and social platforms need to be strong, and users need to ensure that only they (or authorised individuals) can gain the appropriate access and authority, businesses need to help individuals help themselves.

This is why, in order to combat the threats individuals face, as well as the growth in sophisticated attacks, businesses need to change the way they allow access and authority to individuals’ chosen platforms. Businesses should stop relying on password systems or two-factor authentication based on sending the validation code/pins/tokens to the same device that the individual is attempting to gain access from.

Businesses should instead increase their use of ‘Diverse Multi-factor Authentication’, where the consumable combination of passwords, tokens, codes, pins, biometric, unique content, behavioural, geolocation and device complexity is used with the minimum of user interactions to minimise attitude bias and reduce the ‘air-gap’ between intent and access that cyber criminals exploit.

The capabilities to protect individuals and employees (and associated businesses) can cover the device, authentication and permissions (privileges) either singularly or in combination. What’s important is the capability to protect the individual from themselves, and to minimise the attack surface for cyber criminals to exploit.

Are you a industry cybersecurity leader?

183:792006836 (Kevin Bailey) — Fri, 02 Oct 2020 15:58:06 GMT

A recent Accenture ‘State of Cyber R esilience’ report researched the differences between Leaders and Non-Leaders in cyber security, with 17% of their 4,644 respondents falling into the leader definition and the remaining 83% defined as non-leaders.

Why does this research matter to enterprise level organisations? Well the demographics of this research focused on global organisations with revenues of more than $1 billion. These are the ~1% of organisations that account for over 76% of worldwide revenue.

I would be shocked if 83% of these global companies are still failing to recognise the dramatic impact that cyber-attacks can have on their businesses, employees, partners and consumers. The 17% of leaders will have the budget, resources and capability (technology and skills) available to address cyber attacks. But this doesn’t mean they are immune to being attacked. In fact, being a leader just means they’re 4x faster at stopping attacks and finding breaches faster, 3x better at fixing breaches and 2x better at reducing breach impact. So, they’re still being attacked, but are more efficient at dealing with the situation.

The 83% of non-leaders are characterised as being 4x slower at stopping attacks, 3x slower at fixing breaches and 2x worse at reducing the impact than the leaders of cyber resilience. That means that attackers can penetrate their business 3x more often, 78% of breaches take longer than a day to detect, 64% of breaches take more than 2 weeks to fix and 76% of breaches have a measurable impact on their business.

As with all research the questions that are asked of respondents go a long way to defining the data provided. Cyber resilience should span everything from the front door (access) to its foundations (program code) and everything in between. Why did none of the respondents list the access (identity and authentication) and program code (security hardening ) as areas that are not included when reviewing what the focus of cybersecurity performance is from the organisations?

Speed of detection, recovery and response is key when combatting cyber-attacks and cyber-incidents, but it’s also important to understand whether an organisation’s approach to cyber resilience is proactive, reactive or prescriptive.

For example:

Detection: How long it takes to detect an incident is reactive. Whether I have the visibility to identify if we are being targeted is pro-active and what could be targeted and how I’m at risk is prescriptive.
Recovery: Do I have the adequate recovery capability to respond to an attack is reactive; I have had my core systems tested for BC/DR in case of an attack is pro-active; are there moving ‘air-gaps’ in my supply chain that could be targeted and should be aligned and prepared in case of an attack is prescriptive.
Response: Do I have the capability to identify and respond to a cyber- i ncident is reactive; what cyber resilience do I have in place across my operating environment to stop, identify and respond to a cyber- attack is proactive; are there new attack scenarios that I need to factor into my resilience so attackers see me as difficult to target is prescriptive.

The research by Accenture provides a very good view of how large enterprises are challenging the evolving threat of cyber-attacks. These types of cyber resilience approaches are good for all organisations – immaterial of size – to look at and take away those aspects that apply to their environments and budgets.

The cybersecurity market is made up of thousands of different vendor offerings. Sometimes it’s hard to see the wood for the trees, and in such a complex operating environment it’s always easier to think about complexity over simplicity.

The research highlights a key take-away that everyone should take on board. Perform better at the basics and approach the basics from a data-centric security perspective. Every day we read about the latest data breach where thousands and potentially millions of records have been stolen. Each of those records represents an individual, who quite rightly is only interested if you’ve lost their data and what the impact will be on them.

SynergySix knows that every attack requires access to a system to find the targeted data. In the majority of cases this is via an individual (citizen, customer, employee, stakeholder, etc), providing the access intentionally (known as an insider attack) or innocently.

Going back to basics should prioritise the access protocols given or provided to those individuals. If you evolve your identity and authentication technology and adopt policies that no longer require single or dual passwords/codes and also minimise the interaction that the individual has to provide, by embracing dynamic multi-factor authentication, any personal attribute used to provide access would minimise and mitigate these regular attacks we see every day.

The necessity to security harden the entry point that cyber criminals use to start their attacks would not only protect personal data, but also have a cascading effect – such as reducing the number of phishing attacks (as they no longer have the credentials to start them) and eliminating SIM-Swap attacks, as you no longer use one-time passcodes to validate users.

Zero Abstraction - Advancing or Redefining Cybersecurity?

183:792006836 (Kevin Bailey) — Tue, 29 Sep 2020 11:10:56 GMT

Will this start-up be the answer to a CISO concerns?

Cybersecurity is about as competitive a market as you can get. Mature vendors pushing out their credentials from decades of [assumed] success that maintain their hundreds of millions of revenue, alongside new start-ups and up-starts claiming to have found the only answer for thei r niche focus, looking to repay the confidence of their backers. Nothing new here. So why would the emergence of another start-up cause me to put pen to paper, when their only visible field activity is a socially distanced coffee run?

btw the company in question is Zero Abstraction .

It's down to their claims

Not the bit they promote about "In this effort we wanted to make a major, positive, impact on the cyber security industry we love", as I'm hoping that all cybersecurity providers enjoy (maybe not love) what they do and want to make a positive impact, its the next statement "this is not about replacing an existing solution or out rivalling a current vendor." Again, we have all seen orchestration platforms and heard about collaboration or coopetition, but in a world where revenue, or as a previous CFO had a habit of telling me, "cash is king", if your offering is better than the one already installed surely you are a replacement technology?

When a CISO has no spare cash for 'nice to haves' your business case doesn't go down well if you are after something to make something you already acquired, work.

But do they have the credentials to make a difference?

Lets look at the founders:

Michael Fey at the helm who has leadership and technical authority with the likes of Symantec, McAfee and Blue Coat as well as numerous active board positions.
Dan Amiga as CTO looks compelling , especially as he developed one of the first Web Browser Isolation Technologies at Fireglass (acquired by Symantec), subsequently focusing on cyber startups.
Brian Kenyon is the strategy guy, nothing new for him as this echoes his past roles at McAfee and Symantec.

Not your normal make-up for a start up. Three heavyweights that have a wealth of cyber credentials and no doubt a black book of contacts that will help them over the those initial breakthrough challenges. Where start-ups go wrong is being 100% focused on the functionality or technology used to develop the product and not fully appreciating their m arkets willingness to recognise how it will resolve known issues and the challenges with evaluation and operationalisation. You would guess these guys are using their strong mix of commercial astuteness a nd technical expertise to recognise these challenges?

Who believes Zero Abstraction is viable?

There's only so far this start-up can spread the love of cyber, so where doe s tangible confidence come from?

Cyberstarts - Not a normal VC, this is a (cybersecurity) members only firm. Unlike the plethora of VC's and PE's that spread their bets across different industries, these guys do nothing other than cyber.
Sequoia - You don't get much bigger than Sequoia. We know that not all investments are successful, but the ethos behind Sequoia is about about creating successful 'Dentmakers'. Organisations that change the norm.

Focus appears to be plentiful; the people and the backing, but what about those claims for success; "this is is not about replacing an existing solution or out rivalling a current vendor."

The website soundbites intentionally leave visitors wanting more: Viable compliance; Agile networking; User freedom; Improved Productivity; Safe and productive BYOD; Privacy for all; Reduced expense; Unprecedented visibility; Attack surface reduction; Frictionless UX, Simplified DLP, Security by design.

They also believe they have a unique concept that is not competitive with the existing security landscape. Making statements about the future of compute, what people really want protecting, as well as the complexity and difficulty of delivering cyber security - can this be a security offering in its true sense as it doesn't appear to fit that model or is their nirvana something bigger that strives to change the way that we as users and individuals consume technology?

Why do they look interesting (I don't get excited that quickly):

They are a cybersecurity vendor not leading with the dark clouds of doom, they believe they add value not just mitigation
They talk about simplification, which is something that cybersecurity desperately needs
They focus on the individual, an area that many other vendors need to focus on to help protect the user from themselves
They intimate that this is not rip and replace. Have you ever asked a CISO about the effort it takes to remove an incumbent and then start from scratch?
As businesses evolve due to work place flexibility, cloud, edge computing etc, businesses need to increase their security posture across a wider landscape (flip side = a reduced attack surface).

In a world where the new normal is being redefined at a pace never anticipated, I'm hoping that Michael and his cohorts come out of stealth mode and the market is still receptive to their approach, or could the attack surface have moved on and everyone has gone to the beach after drinking another box of marketing Kool-Aid?

Ransomware increases the need for UIP, Isolation Browsing and Immutable Data Recovery

183:792006836 (Kevin Bailey) — Mon, 21 Sep 2020 16:06:43 GMT

How can organisations protect themselves from ransomware attacks and recover when they are attacked?

The Verizon Data Breach Incident Report (VDBIR) indicates that a lack of ransomware protection across all sizes of enterprise is increasing the damage from these type of attacks. But while many frameworks exist to provide organisations with procedures for dealing with a ransomware breach, what can organisations do to protect themselves from attacks or improve their cyber resilience to such attacks?

Stopping an Attack

The best way to respond to a ransomware attack is to avoid making yourself vulnerable to one in the first place. This is the Stop phase.

Most ransomware attacks begin with a user within the targeted organisation interacting with a compromised communication that has a downloader hidden within its structure (attachment or link) containing malware. The user is an unwilling contributor to the attack, so everything the organisation can do to remove this dependency is vital to the Stop phase. This can be achieved by taking what we call a User Isolation Protection (UIP) approach.

A UIP approach advocates enabling seamless digital engagement while proactively and unobtrusively securing the user and their data from cyber abuse. So how does such an approach help stop ransomware attacks?

Companies should first apply a UIP approach to the Access Layer – transforming it into an Access Isolation Layer that foils attacks before they can begin by protecting the user throughout their day-to-day activities.

Unlike traditional password and PIN identity and authentication solutions, utilising more advanced multi-factor and non-invasive solutions not only secures the user at the entry point (ie the device, system or application) but also throughout the flow of their daily tasks.

But cyber-criminals don’t give up easily and have multiple tactics in their kit bag. If they are prevented from directly stealing user credentials or downloading malware via a user’s initial engagement, they will move to targeting the digital platforms themselves. Users therefore need to be assured that the platforms they intend to engage upon are legitimate, and enable them to complete their tasks securely because they are free from malware that will misappropriate their data, redirect them to compromised websites or use access credentials to subsequently steal data or even money.

This is what we term the Execute Isolation Layer . The technologies used to deliver this include: secure browsing and realtime bot mitigation. Secure browsing provides users with a guaranteed safe engagement by transforming the required web pages and content into a unique format. Bot mitigation helps companies understand bot behaviours (what they are doing) and enables them to remove bots from website content.

Restarting your business

The ‘Access’ and ‘Execute’ isolation layers help prevent any new ransomware attacks. But what if you discover you have already been breached? Equally important is restoring your operations following or during an attack. This is the Start phase.

As soon as you discover criminals have locked access to your systems and data, you need to start initiating your procedures to get yourself out of this predicament and maintain business operations.

Much business value is held within a business’s data, which is why cyber-criminals target your data to cripple your business. So the first question to consider is: what could you have done during normal operations to secure and enable faster recovery of the data in the event of a ransomware attack?

To provide resilience against a ransomware attack, the performance of your data storage technology is critical. It needs to be able to operate at the same (if not higher) performance as your operational systems. This means that not only does the physical architecture need to be fast, but the interfaces that move the recoverable data to the system access location need to be highly elastic. Tape backups or HDD won’t cut it. You need to review whether ‘all-flash’ or SSD storage systems meet the recovery time objectives (RTO) you need.

Inevitably, the backups or copies of your data – even if they’re stored in near realtime – may be missing some of the latest data. This means that an appreciation of the recovery point objective (RPO) will need to be factored into any data recovery operation. Your operational data storage architecture also needs to have the capability to perform realtime synchronous or asynchronous snapshots or copies of the data and its metadata.

A key functional priority within these snapshots is the ability to create immutable/read-only versions of the data. These types of snapshots mitigate the attack’s initial capability to encrypt the data to stop the organisation from accessing it. They also stop the criminal from using a ‘Jigsaw’ threat during the attack – whereby the cybercriminal starts deleting files systematically and intermittently until the ransom is paid.

Cybercriminals utilise a range of tactics including short-term attacks that are targeted at immediate gain, to those playing the long-game and deploying malware weeks or months before an attack. This requires organisations to utilise threat-hunting technology to pinpoint any dormant malware before it can be woken up. In addition, storage analysts should evaluate how often they create snapshots and how long they retain these so they can decide upon the most efficient RPO for their organisation.

CISOs ignore exaggeration

183:792006836 (Kevin Bailey) — Tue, 15 Sep 2020 09:37:49 GMT

They only want to win the battle, they accept the war will take a little longer

Everyone understands that you have spent a lot of money developing your cyber security product or service and its capability has been aligned to a known issue that exists. So why do so many organisations position the product as the answer to everyones prayers with the capability to turn water into wine or find the pot of gold at the end of the rainbow?

Even if your management think you have created nervana, No product or integrated solution has the answer to every issue that a CISO needs to address today (a crystal ball is good for the future). You never originally set out to answer the call for utopia, so why have you gone so far off message?

If you have done your homework correctly as part of your GTM strategy, you'll know who your target market is, you'll have a good idea of the people that are in the decision making process and you'll understand the functional value of the product/service.

The goal of all messaging and positioning is to gain awareness of your company and product with future purchasers and have these new prospects and existing customers consider your company when the need for such a product or service is required. The only thing I can guarantee is that any seasoned client facing individual would never walk into a meeting and say "I'll guarantee our product is the answer to your prayers and will stop all threats", because the duration of the meeting will come 2nd to the time you spent walking from reception to the meeting room, or in current terms, the time it took you to logon to Zoom.

This may sound counter intuitive, but your messaging hierarchy that you convey as part of your outbound activities (media and people) is not from bottom up (product capability) but is top down. But top down does not mean exaggeration by using blue-sky statements or BHAG's (big hairy audacious goals) its about driving top down messaging based on your company or product PURPOSE.

Let's assume we are talking about the product here as no CISO intentionally goes out to buy your company.

Your product 'Purpose' is short, succinct and clear. It says what the product has been developed to achieve. No nirvana, utopia, bhag's or blue-sky. Why not, because you never had the engineering budget approved to build something that is intangible and cannot be measured.

Why is top down not based on Vision, Mission and Strategy?, because these are all internal measurements that CISOs have no interest in during the initial consideration stages of product evaluation and selection.

Whats the best way to understand what could be built into the 'Purpose' statement and subsequent layers of messaging, go talk to the CISO. Believe it or not they are not monsters and welcome being part of a process that helps them and their peers understand what your product or service can do to help them convey this to their management team and make their teams more effective.

Alternatively, talk to me as I talk to CISOs on a regular basis and have insights into their pains and pressures.

Trillions, billions, millions, thousands...Just headline makers

183:792006836 (Kevin Bailey) — Mon, 14 Sep 2020 15:39:33 GMT

Is the opportunity that big for security vendors?

One reason that marketing cybersecurity to potential clients is so difficult is because all companies expect that their vendors should and will be "taking care" of the problem themselves. As a result, businesses don't do a good job of managing the risks involved in sharing data with third-party vendors.

When marketing your cybersecurity services to prospects and clients, educate them about the risks involved in passing their data to vendors. One of the greatest challenges in crafting cybersecurity marketing strategies is educating potential customers that cyber risk is not just an IT problem, but actually a business problem.

Your marketing messages should educate prospects and help them understand that cybersecurity is not only a business problem, but also, more specifically, a vendor management problem.

The Importance of Vendor Security

We know cybersecurity firms understand the importance of vendor security, but do your prospects?

Especially when working with small-to - medium-sized businesses, don't assume that they know or understand all the intricacies that you do. Phrase it to them in a way they can visuali s e and easily see the impact it has on their business.

Example

No matter how kind and trusting of a person you are, you probably have certain limitations on who can borrow your car. For example, you almost definitely wouldn't lend your car to a stranger who asked to use it in the street one day, or your coworker who was just convicted of DUI.

If you have children who use your car, you likely required them to have driving lessons before they could get behind the wheel themselves. You might even only allow your most trusted, long-standing friends to borrow it. By placing limits on who can drive your car, you're limiting the risk that your car will be involved in an accident and the risk that you'll be responsible for paying the costs.

The same kind of vetting process should apply to companies who trust their data and cyber security credentials to external vendors. Every time that customers' information passes into the hands of a third party, the company needs to understand that it's taking on an additional risk by doing so.

Just like sharing a secret with another person increases the chance that it will be revealed, sharing sensitive information with a third-party vendor increases the chance that it will be exposed in a data breach. For example, the massive Target data breach in 2013, causing the theft of 40 million credit and debit card numbers, was ultimately linke d to the use of a third-party vendor's credentials.

Begin From Within

Are you helpi ng your prospects solve all cyber related issues in their business? One of the most commonly overlooked cybersecurity marketing strategies is to speak to all of the pain points of your buyer personas surrounding cyber risk, even if it isn't your primary product or service. So make content that talks to how the persona can address that pain point.

Example

Your clients should be aware that they're always accepting some degree of risk by giving third parties their sensitive data. Before agreeing to contract a vendor, companies concerned about cyber security risks should consider:

Why is there a need to outsource services or data?

What will happen in the event that the vendor experiences a breach?

You know that one of the best ways for companies to protect themselves from third-party data breaches is to take steps to safeguard their own IT systems.

Help your clients understand what they can do to protect themselves. Talk to them about how should implement encryption and multiple levels of authentication for all third-party requests to access their network and data and how employees should receive training about cybersecurity best practices at the company, including a well-defined policy for IT and data security.

Target Their Questions and Challenges

Reall y get into the mindset of a potential customer that is struggling with a vendor risk management problem. Maybe the don't know that is what their problem truly is. It is really easy to compare this with people who are searching for information about medical issues. They typically know their symptoms but have no idea what the true cause is.

For a vendor risk management problem, the questions a potential lead may ask about symptoms could be:

What do I do if a vendor or business partner suffers a breach?

How do I evaluate a potential vendor?

What should go into a vendor legal agreement?

What should my vendor assessment process look like?

Create content that will catch them when they are in the process making vendor agreements, educate them about cybersecurity implications and provide them value. Show your knowledge in the area and they will see you as a trusted source of information.

It Comes Down to Education

Depending on your target market, cybersecurity marketing to certain audiences often involves significant education. Because many prospects believe vendors are responsible for handling the problem, education around vendor management becomes increasingly important.

Knowing your target audience and educating them about the best practices surrounding vendor risk management, will pay off in the form of more informed, more proactive prospective clients.

What just happened!

183:792006836 (Kevin Bailey) — Mon, 14 Sep 2020 09:57:19 GMT

Did you just miss the next secular growth opportunity?

It doesn't take a rocket scientist to tell you that [digital] technology adoption in 2020 is moving faster than at any time previously experienced.

In the past, the evolution of technology was driven by vendors who developed inspiring enhancements that businesses and their clients welcomed, creating opportunities to diversify their markets. But with the events so far in 2020, the acceleration of technology (specifically digitalisation), everyone has recognised that our lives have been massively impacted by technology, because we expect it to help us – not necessarily because others tell us it’s good.

From a business standpoint, the ability to plan 2 years ahead to ensure stability has gone. As business paradigms transform, so too has traditional business planning.

Business planning is transforming

Organisations still rely on stable, predictable, cyclical growth. All of which is predicated on the customers and the category remaining the same, and power shuttling between various vendors. This type of growth reassures investors, vendors and customers that they have their finger on the pulse of their industry.

Technological advancement has changed this cosy situation, necessitating a new 'in-parallel' approach to business planning. Using cyclical patterns to plan is still possible, but this is essentially an inward-looking, ‘bunker’ mentality that misses the opportunity to recognise how the market has changed (which requires you to put your head outside the bunker).

In contrast, so-called secular growth represents a ‘not to be repeated’ expansion of the market that occurs whenever a new event or a new class of customer is brought on board. Think 'global pandemic here'.

Organisations that focus their business planning on cyclical growth allow for mistakes with plenty of time to adjust and re-establish their presence. Secular change comes whether you like it or not, and at a speed you may not be comfortable with. If you miss it then it’s a wasted opportunity that will never pass your way again. Missing out on secular growth can be a disaster.

Digitalisation underpinned with the acceleration of technologies such as 5G, edge computing, cloud (yes its always evolving), superfast broadband and connected-things are all set to disrupt every market – stimulating new secular growth opportunities for all providers that can align to them and stay relevant to their audience.

Meanwhile, the fourth industrial revolution is bringing a wide range of secular growth opportunities for B2B customers. While in the commercial market, the sheer amount of new technology and change resulting from customer-centric, experience-focused digital transformation strategies is presenting an exciting but baffling range of choices for many organisations that are having to rethink the way they do business.

New risks need to be navigated; new opportunities grasped. Established organisations that miss these opportunities to diversify will be outsmarted by nimbler competitors that have no historic [product] baggage to maintain.

All of which means B2B providers need to understand not only how their own business is changing, but also how their customers’ businesses are transforming.

All of this begs the question: how do you embrace secular growth markets?

Planning for secular growth

Planning for cyclical growth is an internally-focused process, where business unit leaders all plan for the future (the next fiscal period) based on growing reasonable percentage points and allocating existing resources to execute this growth. In many cases this has to be done along with a cut in budgets to make operational profitability more attractive.

Secular growth planning operates as an 'adjunct operation' thinking like a start-up, even though you may have a well-established market.

Think about Apple: they are well established and have a solid market-leading position in the communications market (phones and wearables). Their cyclical growth is understood – not only the purchasing behaviour of their customers but also the trends in this market for optimising the individual experience. Their 'secular growth' came as content streaming disrupted the market of conventional TV by accelerating ‘cord cutting’ and allowing users the flexibility to watch on-demand, anywhere and at any time. Apple identified this opportunity by looking outside their bunker of established communications devices, acknowledging what Netflix was establishing, and recognising that Disney and Warner were priming their services for availability in 2020. It recognised that if it didn’t diversify its existing Apple TV to align to the category change early, it would miss the opportunity and only be capable of delivering its existing Apple TV commodity offering, rather than having the ability to steer the direction of the category with Apple TV+.

What this tells us is that the ability to react to a new market opportunity requires companies not to be internally biased in their research as well as scrupulously honest when they answer the following:

Does our existing purpose align to that required by our market?
What would it take for us to be a competitive force in this new view of our market?
Do our specialist disciplines (business unit functions) have the capability to address this market (sales, product, people, etc)?

Once you have understood the possible opportunity, you are then able to make a clear judgement if this is something that your organisation wishes to pursue. Remember that some opportunities are not right for every organisation. Finding an opportunity is not a fait accompli . But if your planning incorporates secular growth opportunities then you know how to make the decision as to whether the opportunity is something you wish to pursue, and what the consequences are likely to be. You would also have scoped out the newly-understood customer need and resolution. Next, you would revisit your cyclical growth planning and integrate the new opportunity into resource allocations – evolving your business planning to appreciate the established with diversity.

This new approach to planning is about driving collaboration across your specialist disciplines, ensuring that each has the resources available to give your new strategy every opportunity to succeed.

Both types of growth have their place. While cyclical growth keeps the lights on. Secular growth strengthens innovation and enables the lights to glow a little more brightly.

SynergySix Opinion

At SynergySix our approach continues to provide our clients with growth strategies that appreciate their investment in technologies and people, but ensure that they are aware of the changing landscape that their buyers need to navigate.

We believe the traditional analyst and research group approach of forecasting your business’s future value is increasingly more blue sky than the reality of opportunity. Synergy Six cuts through the hype, identifying real opportunities that can influence your future product mix, based on actual client need, and helping you navigate towards and connect with real opportunities. We don’t just write the strategy, but also have the skills to help guide you through commercial, technological and business transformation, ensuring that you align all of your disciplines with the agreed outcome.

A great cybersecurity product alone does not create success

183:792006836 (Kevin Bailey) — Thu, 03 Sep 2020 09:17:08 GMT

Entering a market without a comprehensive and active Go-To-Market plan will leave you sitting on the edge, watching others succeed.

The United Kingdom and clusters such as Nordics, BeNeLux and UAE are major geographies in EMEA and often the first port of call for US vendors looking to commit to an international expansion for the first time or to grow horizontally have many factors that make them an attractive choice over other markets.

Perhaps the most obvious benefit is the language factor. Despite the often-repeated witticism that the UK and US are two countries separated by a common language, the fact that both markets conduct business in English (as do UAE, Nordics and BeneLux) saves a huge amount of time and effort.

The lack of a language barrier makes the job of assembling both in-house teams and third-party partners much easier and makes it much more viable to send over staff from the US office if that is your preferred route.

Sharing a common tongue also removes the mammoth task of having to translate your product architecture and marketing and sales assets. Translation can be extremely time consuming, especially if you have a large portfolio of products and services to launch. It’s also especially tricky in the cyber security market, with a long list of technical terms and phrases that have to be translated precisely and acknowledge their relevance or risk becoming nonsense. (You cannot wing-it with Google translate).

The UK is an extremely open market for cyber vendors, with a high level of demand for security solutions and services and watched by other EMEA countries to see how a vendor performs. The clusters work like a WhatsApp group, sharing experiencing that can make or break a vendors efforts.

In particular, the EU General Data Protection Regulation has spurred further growth in the market as organisations of all shapes and sizes seek to invest in solutions to help them become compliant. Although there are many vertical industry regulations that also need to be adhered too, the EU-GDPR provides a single regulation for conformation unlike US businesses and providers that have to consider hundreds of privacy laws and regulations at state level such as CCPA and the FTC’s privacy framework covering each of the 50 states,

However, it would be a critical mistake to assume you are the only security vendor planning a move to the UK or one of the clusters– as the vast majority of your competitors will have the same idea. Clear advantages for initial expansion into these countries, as well their own burgeoning local security community, means that these markets are flooded with vendors from around the world. This means that it’s more important than ever that your product/service offering aligns to the specific needs of these markets and the initial unveiling is adjusted to each markets' culture, maturity and preference for engagement. Speaking English alone does not acknowledge market acceptance.

The challenge of standing out (or at least side-by-side) from the crowd, combined with high cost of failure, means that it is imperative that a vendor is well prepared before entering these markets. There is a lot of groundwork that needs to be completed for a successful go-to-market strategy, and it is vital that it is data-led obtained with qualitative primary and secondary research combined with inclusive internal planning done in advance.

Patience is a virtue that needs to be heeded. A common mistake is for a vendor to enjoy a high degree of success in their home market and come in expecting to replicate the same success in short order. However, simply copying and pasting your existing strategy and applying it to a new country will rarely work out and not provide the longevity that you and the mothership expects.

Many vendors – particularly more successful ones – will enter these markets with an internal belief that they have the best product and expect to immediately begin seeing orders flooding in. The reality is that you will be seen as a new entrant (more up-start than start-up) but with the benefit of [assumed] reference customers. A genuine launch will generally need at least 12 to 18 months to build momentum. This requires budgeting, resources and operations to accept lower returns on expenditure and for senior management to hold their nerve and have faith in the plan.

Cybersecurity is a growth market globally, so it will be attractive to achieve a foothold in the $billion+ market. But, CISO's and their staff want products and services that meet their need and clear explanations outlining the real benefits to them. Marketecture that claims you'll save their world or stop every threat that exists, doesn't get their time, so leave those for the tabloids.

A clear Cybersecurity Go-To-Market strategy and executable plan needs to work in the field, in the office, in engineering, in support and continually informs senior management. Accept nothing less.

Halt the cyber criminals gateway to data, the user.

183:792006836 (Kevin Bailey) — Wed, 26 Aug 2020 16:04:15 GMT

Enrich Confidence with User Isolation Protection

Cybercriminals generally target two key areas: the individual and the computer. This provides access to the data they want to steal, alter, remove or use for illegal purposes. According to a well-known study by Clark School, hackers attempt to do this to internet-connected computers every 39 seconds on average, or 2,444 times a day.

Businesses know they have to take data security seriously and implement product, solution suites and frameworks to mitigate the possible damage from cyber attacks. Thousands of security product vendors and service providers believe that they have the answer to stopping cyber criminals, with the cybersecurity industry set to be worth $248 billion by 2023.

But despite all their efforts, things are not going according to plan.

The World Economic Forum, for example, produced a Top Ten Global Risk List in their yearly Global Risk Report. Cyber attacks featured at number five for likelihood and at number seven for impact; data fraud was number four for likelihood. This reflects the fact that each year millions, if not billions, of user’s data is compromised or stolen, as cyber attacks on both public and private institutions and businesses continue to rise.

With global cybercrime predicted to cost up to $6 trillion annually by 2021, every user or business is paying the cost – either directly or indirectly. In 2019 alone, ransomware cost businesses $11.5 billion and business e-mail compromise scams accounted for over $12 billion in losses. Most cybercrime is now targeting the mobile device, with over 60% of online fraud accomplished through mobile platforms. Additionally, 80% of mobile fraud is carried out through mobile apps.

Why is this happening? The World Economic Forum says it “reflects how new instabilities are being caused by the deepening integration of digital technologies into every aspect of life”.

The gateway to data, and the target of most of these attacks, is the user. 90% of data breaches come from phishing attacks, for example. Cybersecurity solutions spend most of their time and efforts detecting, isolating and mitigating the damage from malware and adversaries that have already gained access to the computing platform.

SynergySix Opinion

At SynergySix we believe that more attention should be placed on preventing malware and cybercriminals from gaining access to the platform. To do this more attention should be focused on the biggest vulnerability – the user. This is what we call User Isolation Protection (UIP) . We argue that by refocusing on the user, organisations can shift from mopping up breaches and firefighting to proactively preventing future incidents that critically damage data, systems and businesses. To do this they need to securely isolate the user, without compromising the user’s capability to engage.

To find out more download a free copy of our SynergySix report covering User Isolation Protection.

Tweet about this: #UIP #UserIsolationProtection

Security-conscious customers need more information from the companies they do business with

183:792006836 (Kevin Bailey) — Mon, 24 Aug 2020 15:42:55 GMT

Having the right product is now only half the battle. Unless customers and prospects are sure you’re secure they’ll go elsewhere – directly impacting your bottom line

If data is the ‘new oil’ of the global digital economy then, like oil, we have to accept it comes with some negative environmental impacts. The ‘pollution’ of the data world ranges from privacy concerns and data breaches to inaccurate data. Concern over this ‘data pollution’ is on the rise. According to Eurostat, the office for statistics in the European Commission, 25% of Europeans have avoided handing over personal information because of security concerns and 44% have limited their private internet activities in the last 12 months.

The upside of this wariness is that it’s creating a much stronger business case for investing in security. Until now, security investment has been perceived by businesses as something that has to be made – a cost of doing business rather than a profit-driving activity. This means the amount spent on security is continually constrained. With increasing evidence that customers won’t buy services unless they’re confident about the security of those services, security has become directly tied to the bottom line. In theory, at least, this should increase the flow of investment towards security products and initiatives.

Some commentators say this is too little too late. But Synergy believes that if you improve your security based on the needs and expectations of future security-conscious customers, you create a win-win.

While customers may previously have taken the view that a security breach wouldn’t happen to them, social channels have transformed this. In 2020, news of the latest breach or attack spreads like wildfire through social channels, online media and trade press, and customers spend far more time reading these sound bites than they did even five years ago.

This means that when they read that 43% of cyber attacks are on small businesses (Verizon DBIR), 34% of incidents are insider attacks, and no industry is off limits, they’re far more likely to sit up and take notice.

According to Eurostat, 1% of the EU population experienced financial loss resulting from identity theft, fraudulent messages or redirection to fake websites in 2019. That’s just over 5 million people who were financial impacted. This doesn’t include the impact on the businesses that held the data – operationally, financially, in terms of brand damage and, increasingly, the fines levied by regulators under GDPR

With increased awareness and increased consequences, it’s no wonder both businesses and consumers are paying ever more attention to security credentials.

What services did customers avoid using due to security concerns; Social or professional networking (25%), Public WiFi (19%), Downloading content (17%), e-commerce (16%), Internet banking (13%).

Source: Eurostat 2020

But herein lies an opportunity. To take advantage of it, the security industry needs to change focus, and address the issue of customer knowledge.

Historically, organisations have been resistant to revealing how secure they are and what security measures they have taken to ensure transactions and data are secure. Being too open about security arrangements was perceived as laying down the gauntlet to hackers to test resilience, or providing them with information they could utilise in attacks.

In the B2B world, a level of due diligence already exists to ensure that partners have the security needed to enter into business together. Which begs the question: why is the relationship between partners so fundamentally different to the relationship between the business and its customers?

Keeping everyone in the dark about security measures is an approach that assumes hackers can’t easily and systematically find out this information. SynergySix believes this is misguided: opaqueness is no longer a defence. Instead, organisations of all sizes should educate their customers on the following:

Data storage – providing more information about how data is stored to reassure customers
Data breaches – explaining how internal and external threats are managed in an easy-to-understand fashion. Also explaining what will happen if a data breach does occur: how will the customer be informed? what actions will be taken to limit the damage? will service continuity be affected? who/what will be the point of contact for concerned customers?
Data sharing – informing customers how their data is being used, even if it is only being shared within the company. Customers also want to know what will happen if someone/an organisation their data has been shared with has been breached.

According to anti-virus provider McAfee, over 480 new high-tech threats are introduced every minute. This is why customers need to know that organis ations have a strategy to learn, adapt and combat them. Businesses should treat this as a business strength, rather than as something that will scare the user. Companies that are able to steer clear of the privacy scandals and data breaches, and can clearly explain their security credentials to customers, should use their success as a differentiator in a market increasingly filled with security-conscious customers.

Cyber resilience can prioritise the user

183:792006836 (Kevin Bailey) — Mon, 10 Aug 2020 16:12:52 GMT

Kevin Bailey looks at how organisations can secure their operations in the new normal of remote and distributed workforces

The effects of the Covid-19 pandemic has fast-tracked everyone’s capability to be digitally competent, as organisations accelerate their ability to meet the needs of consumers while also transitioning their employees to working remotely. Remote working is not a new phenomenon, it’s simply the scale of homeworking that is different. (see Flexible working still a huge opportunity for B2B telcos )

In a 2019 survey ‘State of Remote Work’, Buffer found that 84% of respondents stated that their primary remote working location was ‘home’, with the remainder using co-working spaces, coffee shops and other locations. But only a third (31%) stated that all their fellow employees worked from home (assuming no office location was available).

In 2018, an Owl Labs study found that:

44% of global companies didn’t allow remote working
32% of employees never (or couldn’t) worked remotely
16% worked remotely just one day per month
13% worked remotely one day a week
21% worked remotely more than 1 day per week
18% always worked from home.

But while many organisations previously resisted an increase in homeworking, for a wide variety of reasons, they have had no choice but to allow it during the coronavirus crisis. The result has been a giant experiment that exposed many fears and objections to remote working as being unfounded. In fact, the benefits have been shown to be so wide-ranging and significant that many companies have decided to allow everyone who wants to work at home to do so even after the crisis is over.

All of this is set to have a major impact on how businesses are connected and how they protect themselves from cyber criminals. Cyber resilience – the practice of preparing for, responding to, and recovering from cyber-attacks – will need to re-align itself to the new mode of working. Much of the core infrastructure is already in place to do this, as most organisations had already moved to cloud-based security protection to enable mobile workers in the age of perimeterless operation. But now, even more employees will be connecting via home broadband or, when lockdown lifts, via public WiFi connections in coffee houses, libraries, pubs, hotels and so on rather than using approved office-based network connections to core applications.

One option for businesses is to switch home-based employees to an approved provider, although this goes against IT consumerisation trends such as bring-your-own-device, network and application (BYOD, BYON, BYOA). Another option is to use VPNs or other tunnelling applications to minimise the intrusion of unauthorised access to core systems.

We believe that consumerisation of IT, combined with business decentralisation, increases the need to focus cybersecurity efforts on protecting the weakest link in the security chain – the user. Unlike security systems or AIs, users get stressed, distracted and bored; they can be influenced by cybercriminals; and they can make mistakes. They also circumvent systems that get in the way of what they want to do. All of this creates ‘Air-Gaps’ that cybercriminals can exploit in order to gain access to data, systems, the wider organisation, as well as that of partners.

The 2020 Verizon Data Breach Investigations Report , highlighted 22% of data breaches are directly caused by simple human errors; while 58% of breaches targeted personal data – almost double the proportion of just a year ago. This is why securing the user is so critical to the new mode of working – something Omnisperience calls User Isolation Protection. (See our recent Synergy Report: User Isolation Protection )

Many cyber resilience strategies still focus on the macro-level components of the business, with the most fallible parts of the cyber resilience plan unfortunately deemed as ‘any other business’. Such organisations believe that having mobile, endpoint, firewall and other security solutions in place is sufficient; with any exceptions being the fault of the user or the inadequacy of the product to stop the attack.

In a recent article Simon Chassar, Chief Revenue Officer Security Division of NTT Ltd, highlighted the importance of running both offensive and defensive security exercises as “a great way of assessing the business”. He poses three key questions for organisations:

What data and capabilities are the most important for the business?
Which systems are involved in supporting this data and capabilities?
How will the organisation and its customers use the data and services provided?

We believe that if cybersecurity strategies are to get both senior management and user buy-in they cannot stand in the way of doing business, or dictate what can and can’t be done. Instead, they must support and enable the business. That is, they must provide unobtrusive protection. We’d therefore add an additional question to those proposed by NTT Ltd: How do we protect our users whatever they are doing, and wherever they are doing it, without this protection being overly intrusive into their day-to-day activities?

Matt Gyde, CEO of NTT Ltd’s Security division has emphasised that it is important that organisations should already have plans in place to ensure their employees are cybersecurity conscious. “Their IT infrastructure should be secure right from the start. In doing so, organisations will reduce their chances of being impacted by risks that can slow down their business,” he said. NTT Ltd call this being ‘secure by design’, with cybersecurity core to an organisation’s overall business strategy. This means implementing inherently secure solutions that provide the latest cyber threat protection required for them to maintain business continuity and minimise disruption.

Gyde recognises that the current crisis brings a new way of working and therefore new risks. In their ‘ GTIC Monthly Threat Report ’ they urge organisations to step up their efforts to protect people in this remote environment without interrupting business. ‘It’s good practice to provide a refresher on organisational security policies and procedures, especially as they relate to the management of organisational information. This includes proper classification, marking and handling, as well as guidance on good security hygiene and internet habits,’ the report says. NTT Ltd urges organisations to include reminders that non-employees should not have access to organisational information or systems, and emphasises that it is essential that users know how to report outages, system problems, and security issues or incidents.

Ensuring that users of all types are isolated and protected acknowledges that it is these individuals that shape the success of the business. Bill Conner, President and CEO at SonicWall, comments: “What we are seeing is a heroic undertaking by organisations to quickly and efficiently provide security for the unplanned rise in a remote, mobile workforce that will permanently change the way they operate.” He believes these changes will result in “increased pressure to execute and deliver proactive, always-on and data-centric security protection”.

Reflecting the operational reality from SonicWall’s engagements, Spencer Starkey, VP EMEA Channels, has noticed that during this unparalleled event, organisations were forced to quickly expand remote workforces to connect employees and keep critical functions operational, resulting in a distributed IT landscape that demands a perimeterless cybersecurity approach. “Because of the dramatic shift of budgets, resources and operations, these businesses must now properly secure and re-architect massively distributed networks with more modern, cost-effective models designed for the new business normal,” he comments.

User Isolation Protection (UIP) is an essential concept in securing the new normal. Using such an approach means users can only access data that is classified for their role – increasing efficiency and cyber resilience, while minimising exposure if the company is breached. We believe cyber resilience must balance protection from cyber criminals with the need of users to conduct legitimate activities without being encumbered by onerous and intrusive security policies that slow them down.

Phil Allen, VP EMEA at Ping Identity, believes that strong cyber security has to be tied to the identity of the individual that is seeking access. “As corporate boundaries change, shrink and eventually disappear, we encourage organisations to move towards a model of zero trust, where all access to applications and data is explicitly verified, based on the context and the risk of that interaction.” Allen believes that building such a model places the identity of the user at the centre of the security policy and, as such, organisations can make the right decisions regarding access without placing too much reliance on the physical location of the individual. Allen stresses that an ‘identity-centric’ security strategy makes location less relevant and can be a significant enabler for remote working.

As reported in the Verizon DBIR, 70% of the breaches discovered were caused by external actors exploiting compromised credentials, and over 90% of organisations that reported a hack attributed it to web applications. Isolating the user from these harmful exploits removes the pressure on the user to be a security expert. It means they no longer need to know if the link they are clicking is good or bad, because this is curated for them.

Henry Harrison, Co-founder and CSO at Garrison Technology, argues that organisations should not be reliant on the user to maintain the required levels of security awareness. “If you thought it wa s hard to promote security awareness when everyone was in the office, how much harder is it when people are at home?” he says. “With homeworking, we really have to recognise that phishing training, in particular, is not going to deliver the protection we need, and that we need to start deploying technologies that will protect the enterprise even when our employees have the inevitable inattentive moment and click on that malicious link.”

The change of working mode that has seen a huge increase in remote working and consumers interacting digitally rather than physically has emphasised the requirement for businesses to re-evaluate their cyber resilience and ensure their approach to cybersecurity is more user-centric. The intent of User Isolation Protection is to deliver a win-win scenario of secure digital business along with higher levels of satisfaction from employees who are free to get on with their jobs while also feeling safer.

For further information about UIP’s contribution to cyber resilience see our SynergySix Report ‘Requirements Selection for User Isolation Protection’ , which provides insight on how to implement a UIP approach.

5G & Wi-Fi 6 Primer – Six Key Features of CyberSecurity

183:792006836 (Kevin Bailey) — Thu, 30 Jul 2020 16:16:12 GMT

Find out in the complimentary NEW research paper on 5G cybersecurity with insights from technology leaders at Palo Alto Networks, Numerous Networks, IBM Security and F-Secure.

As we move out of the crisis phase of the COVID-19 pandemic, enterprises are rapidly shifting focus from business continuity to stabilising their operations and planning for a more digital future. Both business and consumer customers now want to use more data than ever, using an expanded range of applications, via an ever-growing number of devices, in more diverse locations, and at speeds that satisfy both their work and leisure needs. According to research, 75% of communications service providers (CSPs) say that COVID-19 has actually speeded up their digitalisation and network innovation programmes.

While CSPs have worked to keep their customers connected, cyber criminals haven’t been sitting on their hands but have quickly adapted their attacks to the new conditions. This means that providing better connections through 5G and Wi-Fi 6 isn’t enough. Customers also expect CSPs to protect them from harm.

Doing so requires both CSPs and their customers to urgently address security loopholes that have opened up during the crisis phase of the pandemic, auditing what has been bought and adjusting their strategies to accommodate new modes of working.

But protecting customers in the 5G and Wi-Fi 6 connected New Normal requires a fresh approach to security which is why I discussed the subject with F-Secure, IBM Security, Numerous Networks and Palo Alto Networks that emphasised the importance of six key features of cybersecurity in the New Normal.

Six key features of cybersecurity in the New Normal

Focus on the user – I continue to advocate the importance of User Isolation Protection (UIP) to focus resources on the most vulnerable point of attack. “Immaterial of the technology introduced to meet the needs of both consumers and businesses, organisations need to prioritise protecting the most vulnerable point of attack – the user.”
Greater visibility – Greg Day, VP and Regional CSO at Palo Alto Networks notes: “Visibility is critical to managing risk in the complex connected environments of the future. Without visibility you will never be in a position to protect the individual or business against the current and future threats that need to be mitigated.”
Automation – in order to accommodate the flexibility of 5G, automation is key according to F-Secure’s Senior Security Researcher and Head of Security Research Dr Mark Barnes: “As 5G is highly virtualised this allows for flexibility of network functions to be dynamically moved around network slices to ease Core demand, it is therefore essential that both monitoring and response are highly automated.”
Preparedness – the three major components of 5G present their own risks. According to Dr Sridhar Muppidi, IBM Fellow, VP & CTO at IBM Security, “The Edge poses a risk for consumers in relation to their data protection and application security. 5G’s core is at risk of malicious users and DDoS, while computing infrastructure presents infrastructure and application security risks.” While we can’t possibly prevent every potential attack, we can be proactive and properly prepare.
Co-operation – rather than competing, security vendors need to co-operate more according to F-Secure’s EVP MDR Tim Orchard: “Individual vendors should not seek to create competitive advantage through hoarding knowledge of attacker behaviour or ongoing campaigns,” he comments.
Support for distributed working – as businesses decrease their reliance on the office as the primary place of work, Ben Toner, CEO Numerous Networks says they need to recognise the new risks introduced by working from home: “Homes are built to house TVs and set-top boxes not enterprise-grade security appliances, so business need to look at the cloud to deliver the required levels of connectivity, security and service.”

Complimentary papers for you to download

5G & Wi-Fi 6 Primer – Six Key Features of CyberSecurity in the New Normal - This paper was developed by Kevin Bailey as an engagement on behalf of Omnisperience.

S ynergySix Paper discussing User Isolation Protection

Everyone Off. The Plan Doesn't Work Anymore

183:792006836 (Kevin Bailey) — Thu, 21 May 2020 17:48:49 GMT

But what did you expect? Everything is different

The media channels seem to be aghast at the news that our world will be different as we come out of the pandemic, they are sensationalising the financial leaders statements that we will all experience an economic downturn (recession), the likes of which have never been experienced before.

I can’t see into the future, but it doesn’t take an economist to work out that life for everyone will be different. Think about it, working practices have changed, production has halted, higher unemployment, tax revenues have been squeezed and governments around the world are pumping in trillions of pounds, dollars and euros into the economy and infrastructure to help everyone get through this pandemic. If you didn’t get it then you have been self-isolating somewhere more idyllic than the rest of us.

No one can exist the way we used to exist in February, because the people, businesses and the environment do not exist in the same context anymore. We have to look and execute things differently. For those who like a good quote, “you will be insane if you do the same thing and expect different results”.

Implement a new plan

I don't think so. Every business boardroom, meeting room, zoom conference or broom cupboard have those responsible to sustain the business all second guessing what the light at the end of the [pandemic] tunnel is going to deliver. Guess what? No one knows and if you think you do, then that’s called a punt.

Ask yourself some of the basics; Is my market still there? Are my existing clients still in business? Are my products still viable? What’s happened to my competitors? Is my pricing still competitive? Can I afford to keep my staff? Can I bring my staff back to the office? Do I need to keep all my offices? Can I afford to invest in new products? That’s just for starters.

Now think about the markets in your supply chain. Have they asked themselves the same questions? Then contemplate the wider demographics that effect your buyers, their buyers and all the decisions that affect a purchase and now the enormity of the challenge starts to materialise.

No one is in a position of strength to advise you about how to put a new plan in place, yet. To all of the supposed ‘experts’ making marketing noise across your news channels claiming from their crystal balls that they will show you how to address the new normal, I say, “Show me the money!”, because they can’t. Previous business models are as exact as the scientific models being used by leading healthcare professionals. Without real data, it’s a hypothesis. If they are that good, just ask for the lottery numbers, you’ll probably have a better chance of a win.

Plan for a new plan

Flexibility is the word in business for the next 18 months. You need to be able to adjust your plans like we change our clothes for the different seasons. But don’t buy the new sweater just yet as we don’t know when the temperatures will change yet.

I accept that uncertainty is not a good business model, but that is what many will have to deal with. You don’t want to plan for the artic to find everyone is on the beach.

Our current predicament highlights the need for businesses to recognise that a Go-To-Market plan is the combination of all disciplines in a business working together and not just the actions of the marketing discipline.

You should take the most tangible approach to a flexible and unpredictable future, start planning your new plan and operate each day as it comes until a more data driven and predictable future can be visualised.

It’s about tactics

You may know your business, but this is about developing a combined team effort, inside and outside the business.

As a summary:

Months 1-3

Start by bringing together all those that you believe can provide factual evidence of your position today
Openly challenge the evidence to prove its validity and contribution to a future plan
Set weekly measurements against each line of business based on beliefs and data. Record and publish these to highlight trends.
Adjust measurements every 2 weeks, either to accelerate or decelerate activities
Monitor your stakeholders and competition and learn from their behaviour
Is your GTM team engaging with each other? Are you missing skills? Do you have skills not required anymore? What can you do to tighten their efficiency?

Month 4-6

Start building your strategy plan for 2021/22
Implement the learnt behaviour from months 1-3 to help drive quarterly engagements
Look at your operations and structure the business for 2021/22
Establish monthly and quarterly measurements review for all GTM contributor teams

To plan for the future, you need to respect that everything has changed, and we will not know what that looks like well into 2021. Don’t make the mistake of second guessing the market. At best you’ll be lucky, at worst your business will fail.

A strong data driven GTM strategy should provide you with the flexibility to survive and grow after the pandemic has been calmed. It will also bring together all your teams, wherever they are located to feel part of the efforts to be successful.

How to Reduce the Risks of SIM-Swap Attacks

183:792006836 (Kevin Bailey) — Mon, 11 May 2020 15:48:12 GMT

SIM swapping is not a new problem. It’s long provided criminals with the ability to take over a mobile device and gain access to data and even funds.

SIM swapping is not a new problem. It’s long provided criminals with the ability to take over a mobile device and gain access to data and even funds. But you don’t need to be a cyber security expert to combat it – just four simple steps can substantially reduce the risk.

What is a SIM card?

SIM cards are what make mobile phones work. A SIM is a chip within the mobile phone that identifies the subscriber and enables them to connect their device to a mobile network.

Swapping SIM cards is a common and legitimate occurrence. A customer might have a new device, have lost or damaged their SIM, or may need to transfer the SIM to a backup handset because their phone ran out of charge or is faulty.

However, although the SIM is a stable and relatively secure platform in itself, the ability to change SIMs provides an opportunity for criminals.

What is a SIM swap attack?

There are various ways criminals can perform a SIM swap attack. They might, for example, have access to an ‘insider’ – someone who works for a phone store or in a service provider’s call centre – or they may be able to use information they’ve gleaned about you to impersonate you and trick a call centre representative into thinking they are you.

Once the criminal gets the mobile operator to give them control of a phone number, they can lock you out of your own account, change passwords, use your data plan and receive phone calls sent to you. They’ll also be able to access your new and previous text messages.

This is the holy grail for cyber criminals because two-factor authentication (2FA) – where a one-time password (OTP) is sent to your mobile device by the application owner – is now used for the majority of applications, especially those deemed critical.

But if a cyber criminal can hijack your mobile account via a SIM swap attack, they can request new OTPs, or potentially use ones already provided, giving them access to your other accounts (such as bank accounts). Once they’ve gained access to these they can change passwords, transfer funds or do anything a legitimate user could do.

How to protect yourself

The cyber criminal is actually targeting companies (the mobile operator, the bank etc) and the vulnerabilities in their systems to execute SIM swap attacks. But this doesn’t mean you can’t take steps to protect yourself. SynergySix know that the first two of the steps below can be done immediately.

Put a PIN on your SIM – most devices require a PIN or biometric authentication to gain access to the device, so why not add an additional (different) PIN for the SIM? Giving your SIM a PIN provides two layers of enhanced security. It means that each time the SIM is inserted into your phone or a new phone, or if the phone is restarted, a prompt will ask for the SIM’s PIN. Without this PIN, the user won’t be able to access the account the SIM is linked to. Giving your SIM a PIN means that anyone who steals your phone and has physical access to your SIM can’t access your mobile account and its text messages, even by removing it from your phone and sticking it into another phone.
Use an Account PIN with your mobile carrier. Some service providers will insist you set up an account PIN; others will leave the choice to you. It’s important that you make the effort to set one up to protect your data and associated valuables. If an Account PIN is set up, it makes it far more difficult for criminals – since the PIN will be required before a SIM swap can take place. You can set up an account PIN at any time, not just when you open your mobile account.
Use an authenticator app. Don’t disable 2FA, just find an alternative to get the OTP. For example, use an authenticator app rather than text messaging to get your 2FA OTP codes. 2FA authenticator apps work by keeping six-digit codes for compatible accounts in-sync on your phone and on the company’s servers. When you log into any one of these accounts with your login and password, you’ll be asked to enter the six-digit code from the authenticator app – there’s no need for the company to text you the code. Google, Microsoft, Amazon, Facebook, Twitter and other companies let you use their apps, or other authenticator apps, to help secure your accounts (check this link for other paid apps) . A single authenticator app can handle all your authentication codes, no matter how many different accounts you use.
If you can’t use an authenticator app use email. Although many of the larger service providers allow you to use authenticator apps, not all providers and businesses do. Where the use of authenticator apps is not supported, you should check to see if the account supports 2FA via email. Receiving 2FA codes via email protects you from SIM swapping scams, because even if crooks have access to your phone number and text messages, they won’t have access to the login credentials for your email account. If you go down this route, set up a dedicated email address for your OTPs and protect this account via an authenticator app – or the prompt-based authentication offered by Apple and Google – so that a SIM swapper can’t break into your email and copy any 2FA codes being sent there.

Cyber criminals and scammers use consistent methods to gain access to your credentials via SIM swapping attacks. There are now lots of new offerings on the market that service providers and other organisations can adopt to overcome the frailties of two-factor authentication and one time passwords. But don’t wait for them to adopt these methods, act today. The very simple but effective methods described above go a long way to making things more difficult for cyber criminals and scammers – helping to protect your SIM and account until organisations roll out more secure methods of authentication.

DCMS Cyber Security Breaches Survey 2020

183:792006836 (Kevin Bailey) — Fri, 08 May 2020 15:50:58 GMT

Half of UK businesses faced cyber security threats last year but many lack the skills to respond effectively

The UK Department for Culture, Media and Sport (DCMS) has revealed that nearly half the UK’s businesses (46%) were faced with cybersecurity attacks or breaches in the last 12 months.

The department’s Cyber Security Breaches Survey 2020 is an annual quantitative and qualitative study of 1,348 businesses and 337 registered charities across the UK. This year’s study revealed that cyber attacks have not only evolved but have become more frequent, with the highest number of reported incidents amongst medium-sized businesses (68%), large businesses (75%) and high-income charities (57%).

The DCMS said that while the results for businesses are in line with those reported in 2017, the results for charities showed an increase from 19% in 2018 to 22% in 2019. In the last year, a quarter of charities (26%) were attacked.

Since 2017, the nature of cyber-attacks has also been different. An increasing number of businesses have reported being hit with phishing attacks – up from 72% in 2017 to 86% today. But fewer businesses reported attacks in the form of viruses or other malware (down from 33% to 16%).

Encouragingly, UK organisations have become better at dealing with breaches and attacks according to the DCMS. It found that organisations are now less likely to report negative outcomes or impacts from cyber breaches, and are more able to make a quick recovery.

That said, another report by the DCMS revealed that 653,000 businesses (48%) lack sufficient technical, incident response and governance skills to handle the threats they’re faced with. These businesses are not confident they can perform even the basic tasks listed in the government-endorsed Cyber Essentials scheme. Nor are they currently getting support from external cyber security providers.

The most common skills gaps identified were in creating configured firewalls, detecting and removing malware, and storing or transferring personal data. But almost 408,000 businesses (30%) have more advanced skills gaps in areas such as penetration testing, security architecture and forensic analysis. A quarter (27%) said they don’t have sufficient skills when it comes to incident response.

Cybersecurity staffing and training remain key challenges for UK businesses, with almost two-thirds (62%) reporting they are recruiting staff who have, or are working towards, cyber security-related qualifications. Sixty-eight per cent of companies reported that they had tried to fill a cyber security role within the last three years, but 35% had found those vacancies difficult to fill.

SynergySix Opinion

These findings will not come as a surprise to many organisations. The issue of the cybersecurity skills shortage is ongoing and persistent – making the ability to bridge between evading current threats whilst hiring experienced cyber professionals a tough challenge.

The COVID-19 crisis has simply exacerbated things even more and has resulted in a dramatic uptick in cyber-attacks against organisations and individuals, as criminals seek to take advantage of the situation. However, it has proven easier to create a brand new 4,000-bed hospital in London’s ExCel from scratch than to recruit and train thousands of cyber professionals to help tackle the surge in attacks.

Businesses needing to access skills quickly, or supplement stretched internal teams, should consider engaging with managed security service providers (MSSPs), which have the capabilities to provide a much-needed breathing space while they focus their energies on pressing commercial issues and business continuity. With time both a luxury and a limiting factor, the cost of a phone call or video conference may provide a business with the insights needed to manage this vital area. As a result, Synergy Six expects MSSPs to see a substantial increase in demand for their services in the coming weeks and months.

Why telecoms firms should be wary of Eventbot

183:792006836 (Kevin Bailey) — Thu, 07 May 2020 16:00:21 GMT

EventBot targets banks, money transfer services and the wider business community

Security researchers at Cybereason have warned that a newly-created mobile banking Trojan, which has been named EventBot, can not only grab passwords, but also intercept two-factor authentication codes as well.

The Cybereason Nocturnus research team has been investigating the EventBot Android malware since it emerged in March 2020, and have now published a report into its findings.

Assaf Dahan, senior director for threat research at Cybereason said the EventBot code “seems to have been written from scratch, and it doesn’t look like it’s based on previous Android malware”. It’s also subject to what the researchers refer to as “constant iterative improvement”, and has the potential to cause huge financial damage.

Initially, EventBot is targeting 200+ financial applications from banks to cryptocurrency wallets and money transfer services from the likes of Barclays, Coinbase, HSBC UK, PayPal, Revolut, Santander UK and TransferWise. However, this type of attack is problematic for telecoms firms who not only offer financial services, but are part of the security value-chain and are also major billers – meaning that customers could be compromised while paying their phone bill and inadvertently open another back door.

The malware poses as a legitimate application such as a Flash update, installed from unauthorised or compromised sources, and relies upon the unsuspecting user to grant it permission to read external storage and SMS to create system alert windows that can be shown on top of other apps.

Because EventBot combines a banking Trojan with an infostealer, it means it can intercept text messages, used by many firms for two-factor authentication purposes, as well as passwords, allowing accounts to be easily compromised.

But EventBot isn’t just targeting consumers. There are serious implications for enterprises as well. Once it compromises a consumer account, this can be used to gain access to enterprise networks. Javvad Malik, security awareness advocate at KnowBe4, highlighted that Enterprise IT teams need to ensure that cyber-awareness programmes are being maintained, particularly during lockdown when additional distractions could lead to critical errors by users working from home.

SynergySix Opinion

We believe that the repetitive occurrence of mobile application attacks combined with the emergence of unique malware aimed at phishing, SIM swap and data thefts means organisations urgently need to look again at the protection levels they provide when accessing systems? We call this User Isolation Protection (UIP) and advocate that organisations should be focusing on the latest access and authentication offerings as a matter of priority – moving from their reliance on easily compromised SMS-based one-time-authentication or p asswords to wider multi-factor authorisation. (see Synergy Report User Isolation Protection )

Ensure your GTM team are secure

Mon, 20 Apr 2020 11:18:51 GMT

A good go-to-market team shares everything, make sure you protect their interactions

But despite all their efforts, things are not going according to plan.

Why is this happening? The World Economic Forum says it “reflects how new instabilities are being caused by the deepening integration of digital technologies into every aspect of life”.

The gateway to data, and the target of most of these attacks, is the user. GTM teams are encouraged to share their thoughts, ideas, content and progress, but if they are not protected they could be target of cyber criminals. 90% of data breaches come from phishing attacks, for example. Cybersecurity solutions spend most of their time and efforts detecting, isolating and mitigating the damage from malware and adversaries that have already gained access to the computing platform.

At SynergySix we believe that more attention should be placed on preventing malware and cybercriminals from gaining access to the platform. To do this more attention should be focused on the biggest vulnerability – the user. This is what we call User Isolation Protection (UIP). We argue that by refocusing on the user, organisations can shift from mopping up breaches and firefighting to proactively preventing future incidents that critically damage data, systems and businesses. To do this they need to securely isolate the user, without compromising the user’s capability to engage .

Enterprise Security in a Multi-Cloud Environment

183:792006836 (Kevin Bailey) — Tue, 24 Mar 2020 17:17:09 GMT

Kevin Bailey talks with Simon Ratcliffe and Martin McCloskey

I joined Simon Ratcliffe and Martin Mc Closkey to discuss enterprise security in a multi-cloud environment at Cloud Expo, as part of the BrightTALK summit series.

In the session, we talked about the need to extend everyone’s understanding of Enterprise Cloud beyond infrastructure providers such as AWS, Google and Microsoft, to all the application providers that utilise the cloud extensively to deliver a full operational offering.

We then discussed the need to choose an appropriate cloud provider and/or managed security service (MSS) provider based on the needs of the organisation, assuming that these needs can be met at the right cost, performance and operational level. This is essential to differentiate cloud and MSS providers based on their target customers, which may range in size from nanobusinesses to global accounts.

Following a question from the audience, we spent some time discussing the difference between responsibility and accountability of the services being provided, alongside the security of operations and protection of data.

For those of you who couldn’t be there, you can watch the session by clicking on this link:

Link to Video

PMA Panel: Demystifying Go-to-Market Strategy

183:792006836 (Kevin Bailey) — Wed, 19 Feb 2020 17:57:51 GMT

Go-to-Market Strategy: it's the bread and butter of product marketing and the inclusion of other specialists

Last week I privileged to be asked by the PMA organisers Richard King, Katherine Brittain and Phill Brougham to attend as a panelist at the London meet up.

Alongside Susan "Spark" Park from Facebook we exchanged ideas with a well attended audience based on our experience.

To ensure that the thousands of PMA members globally could understand what was discussed the organisers arranged for the session to be filmed. To keep things as short as possible I have included my session in the video below.

If Product Marketing or Go-To-Market is part or all of your responsibilities please take some time out to watch the video.

White Hat Ball 2020

183:792006836 (Kevin Bailey) — Tue, 04 Feb 2020 16:44:22 GMT

The security industry comes together to protect children

Along with 700 others from the cybersecurity and information security industry I attended the 15th White Hall Ball at London’s Lancaster Hotel (31 January 2020).

This annual fundraising even is about those that protect the world from cyber-attacks coming together to protect children. Each year it raises approximately £200,000 for charity which, along with the White Hat Marathon and White Hat Rally, amounts to almost £2 million raised over the 15 years it has been running – most notably for Childline services.

Childline, founded in 1986 by Dame Esther Rantzen, provides a free, private and confidential helpline for under 19s, becoming part of the services provided by the NSPCC in 2006.

At this year’s White Hat Ball, attendees were chaperoned by NSPCC volunteers who, along with hosts Peter Andre and Dame Esther Rantzen, gave up their Friday night to help raise money for the service. TV presenter Charlie Webster spoke movingly about her harrowing and ‘in-fear’ childhood to help attendees understand the importance of Childline to children at risk. Ms Webster has been candid about her own history of self-harming, which began due to family issues but intensified after she was sexually abused by her running coach as a teenager. She is now working to tighten up safeguarding laws in sport to protect future generations of children.

In simple terms, the annual White Hat Ball raises enough money each year to:

provide ‘Speak out, Stay Safe’ training to 66,600 childrern in 344 primary schools, giving them the skills to protect themselves from abuse
enable 50,000 trained volunteer counsellors to answer 400,000 calls to Childline, supporting and counselling children that need help
deliver 8,000 1-hour sessions of Pregnancy in Mind, which helps young parents with the ups and downs of having a baby
train 125 new Childline volunteers, including recruiting, training and supporting them.

A big thank you to all those organisations and individuls for the great conversations, as well as for sponsoring tables, pledging in the auctions or giving their time and support for this event. Including Admara, Alan Stockley, Barclay Simpson, BitSight, Blackthorn Trace, BP, Bridewell Consulting, BT, Mark Logsdon, Checkpoint, Childline, Crossword Cyber Security, Cybereason, Cybsafe, Cygenta, David Morgan, Deloitte, Eskenzi PR, Exonar, Extra Hop, EY, F-Secure, Garrison, Henderson Scott, HSBC, Huawei, Infosecurity Magazine, IronNet, White Hat Committee, KPMG, MSL, Nominet, Novacoast, Origin Comms, Protiviti, Prudential, Psybsec, Pulse Conferences, Qualys, RJMS Services, SDH Marketing, Sian John, Stephen Khan, Symantec, Telstra Purple, Via Resources, Women in Cyber, 1011vc and 2|Sec.

F-Secure’s EVP Tim Orchard kindly hosted me at his table this year. As the evening drew to a close he explained F-Secure’s involvement saying: “We’re honoured to support the NSPCC in their mission to safeguard some of the most vulnerable children in our society. We’re very pleased that this year’s White Hat ball was another success in fundraising for such an outstanding cause organised by the NSPCC for Childline.” A view no doubt echoed by all of us in the industry who participated.

Steve Jobs: Forget the product. Start With the Go-To-Market Strategy

Wed, 04 Dec 2019 11:45:34 GMT

You don't have to re-invent the wheel or look for new awe-inspiring sounds bites. Steve's philosophy is still relevant.

Having just finished my posts about the guidelines for a Go-To-Market Strategy , I thought I would reinforce my beliefs with a perspective from the someone who beat everyone to realising the right way to attract an audience of buyers. Steve Jobs.

Most people, when they think about innovation, start with the product. Instead, the innovator should start by figuring out an innovative method for getting products to customers. Starting with an effective Go-To-Market strategy better informs your selection of a specific idea – a product or service – that can be delivered and scaled.

Why start with the Go-To-Market strategy?

Among the plethora or electronics consumer product categories that Apple could have thought to enter, why has Apple chosen the categories that it has chosen? Why MP3 players, smart phones and tablets?

At the D8 conference in 2010, Steve Jobs explains that while the television market has been of great interest to Apple, they have thus far chosen to develop and release products in other categories. Why? Because there is no effective Go-To-Market strategy for a television product.

The insight from Steve Jobs is that the marketing and distribution of an innovative product has to be thought out upfront, before an innovator can even begin to develop the innovate product he or she has in mind. While Steve Jobs conveys this through the the television example, this line of thinking is visible in Apple’s strategic moves throughout Steve Job’s second tenure as CEO of Apple.

Laying a strong foundation: Apple Stores

Even prior to Jobs’ first hit product, the iPod, in May 2001 Apple started opening retail stores across the US. These retail stores acted as the foundation for Apple to get its future products into the hands of consumers, who could then use them, fall in love with them and then buy them. Apple Stores have since become more than just a Go-To-Market strategy. Apple Stores have become a core part of encouraging Apple’s cult following. Each store’s architecture and service to customers has strengthened the company’s brand.

A complete solution: iPod and iTunes

However, simply getting the hardware into customers’ hands is insufficient. A Go-To-Market strategy has to address key friction points that reduce the potential value the customer may obtains from the product. While the iPod was an innovative MP3 player, to actually put your music on it either meant burning your music collection from CDs to a MP3 format, or obtaining MP3s through obscure and illegal means. A key part of the iPod’s success was the introduction of the iTunes Music Store. Unlike other fee-based services at the time, the iTunes Music Store charged a flat fee of US$0.99 per song. When the iTunes Music Store was launched, 2 million songs were downloads in just the first 16 days – all via Macintosh computers, since a Windows version of the iTunes software was not yet available. All these songs easily sync’d to iPods, the portion of the value chain on which Apple really made its money.

Creating a new market: The iPad

How do you introduce a new product that may be received as completely foreign by prospective customers? Often the answer is by providing a point of reference that makes it easy to understand the new product. In the case of the iPad, many people exclaimed, “it’s just a big iPhone!” Apple had been working on the iPad long before the introduction of the iPhone. However, releasing much of the iPad technology in a smartphone format allowed Apple to educate prospective customers, so that when the iPad was released, the technology would seem familiar to them. The Go-To-Market strategy for creating a new market necessarily has to educate prospective customers on the new offering. Apple achieved this by first delivering iPad-like technology in the form of something customers already understood – smartphones.

Rebalancing industry power: The iPhone

Yet, it is perhaps the iPhone Go-To-Market strategy that was the cleverest. For decades, wireless carriers had treated phone manufacturers as second class citizens, using access to their networks as leverage to dictate which phones would get made, what features would be available and pricing. Carriers also restricted the content available. If Apple wanted to have the freedom to build the phone it wanted to build, Apple needed to switch the balance of power in the industry. It did so by first establishing an exclusive agreement with just one of the carriers – AT&T – before developing the iPhone. AT&T believed in Jobs’ vision for the iPhone, and its potential to increase the data usage of its users, and thus increase profits. AT&T also believed that exclusivity would allow it to steal customers from other carriers. AT&T probably did not foresee that ceding control on every aspect of the device would ultimately shift the power structure of the industry and turn the carriers into dumb pipes.

Start with the Go-To-Market strategy

As Steve Jobs explained at the D8 conference in 2010, and as Apple has demonstrated through its product launches, to be successful in launching a breakthrough product, it is not enough to simply develop an innovative product. The innovator must first and foremost develop a compelling Go-To-Market strategy that will allow the innovation to reach customers and thrive.

This is just one example why SynergySix believe that a compelling Go-To-Marketing strategy creates long term success.

Originally posted in 2013 by Dinesh Ganesarajah .

The Nine Guidelines of Go-To-Market - Guideline 9

Wed, 04 Dec 2019 10:31:56 GMT

Continuous measurements not inquests, address failures to meet key objectives.

What is a Go-To-Market Strategy?

Guideline 9:

A go-to-market strategy provides flexibility in execution, not inquests on the failure to meet key objectives.

Meaning:

When executing your GTM strategy, the implementation flow ensures that continuous measurements of progress allow operational adjustments to the plan. This process mitigates risk when objectives are not being achieved and removes any delays by not waiting until the end of the operational period to review and the business pain associated with that. Continuous measurements provide the visibility to accelerate success, increasing the opportunity to over achieve.

Follow on Reading:

Revisit the p revious "Nine Guidelines of Go-To-Market" on our blog site . You can also learn more about our beliefs and the content we have provided by visiting our Home page or any of our other resources and then give us a call or drop a mail so we can discuss your challenges and how we may be able to assist

The Nine Guidelines of Go-To-Market - Guideline 8

Tue, 03 Dec 2019 11:27:13 GMT

Connecting with new markets provides strategic expansion; collaborative and aligned.

What is a Go-To-Market Strategy?

Guideline 8:

A go-to-market strategy inspires organisation growth and diversity and is not optimistically reliant on the improbable never-ending revenues of a cash cow.

Meaning:

Reliance on a single product/market increases the chances of your organisations becoming commoditised and marginalised and ultimately failing. A strong GTM strategy is always looking for product/market diversification to support a strong customer purpose, growth and diversity of revenue streams.

Follow on Reading:

Revisit the previous "Nine Guidelines of Go-To-Market" on our blog site . You can also le arn more about our beliefs and the content we have provided by visiting our Home page or any of our other resources and then give us a call or drop a mail so we can discuss your challenges and how we may be able to assist

Product Features are Like Film Credits

Mon, 02 Dec 2019 16:03:51 GMT

If the product is no good, no one cares

Have you ever sat in the cinema at the end of the film and watched everyone get up and leave once the credits start rolling? At best you may see a few that have been guessing [since the start of the film] who the actor is that played a certain role, and then you find out that it wasn’t the person you originally thought they were. But what about the mass of other industry specialists that have spent the past couple of years working on the numerous specialities that are needed to complete the film.

Even once you have listed the actors, credits can run for over 5 minutes, listing all those different non-acting contributors, such as: stunt actors, visual effects, costume designers, 2nd unit directors, lighting, sound & music, and many more. So, if cinema goer’s don’t see the value in appreciating who put the film together, are they really important?

Think about what the film would have been like if it had no:

Lighting - then you wouldn’t see the movie stars
Music - with only captions in ‘Bohemian Rhapsody’
Costume - dressing in jeans and t-shirts wouldn’t look so good in ‘The Favourite’
Visual Effects - seeing the wires holding up props and people in the backdrops for “First Man’
Animators - Jungle book would be more like Etch-a-sketch
Extras - A crowd scene would look more like a dentist waiting room
Script Prompters - fancy all your films flowing like “The Kings Speech’

Taking away the actors, there are hundreds of individuals or backroom staff that all add a valuable contribution to the finished product. A film director acknowledges that they need all of these disciplines and not just a cameraman to produce the final product. Do it right and you may get onto the red carpet at the Kodak Theatre, if not then you will end up being covered by ‘rotten tomatoes’

This is no different in the tech industry, every business needs to recognise that product features, once agreed of their value (to the customer), contribute to the success you are striving for. Features add to the product realisation or enhance an existing product, bit like lighting and sound enhancements add the the mood of a film.

Think about what happened with these:

Why produce a phone solely for twitter (Twitter Peek) and Facebook Phone
Who forgot about privacy and the cultural backlash (Google Glass)
Damaging a good pair of sunglasses with MP3 additions (Oakley Thump)

How about the Tech Market:

COPAN - $110 million invested. Copan was well differentiated. The weakness was their not understanding, focusing and exploiting its sweet spot. A consequence of an incomplete or erroneous market understanding and a sole reliance on the internal body of experience and knowledge.
NAVDY - $42 million invested. Navdy, which made an in-car heads-up display that projected info like navigation on to your windscreen, …the heads-up display market is very crowded and the jury was still out if it would be a distraction to the driver Together, all this makes for a tricky product/market fit.
Jawbone - $929 million!!. Jawbone became one of the most spectacular failures in the history of startups. Even after 17 years of business, not respecting how your market and customer needs are, resulted in Jawbone failing to hold on to significant market share for its line of headsets, fitness trackers, and wireless speakers.

Even the big boys get it wrong:

SKYPE - trying to find a home because of fit. eBay bought the Internet telephony upstart called Skype in 2005 for $2.6 billion hoping online buyers would prefer VoIP and video calls over e-mail. Wrong! E-mail is good enough for online buyers and sellers. eBay didn't asked their clients what they wanted, so this was a tough and expensive lesson for eBay. After four unfulfilling years eBay sold Skype at a loss to private investors for $1.9 billion. Skype was picked up by Microsoft (MSFT) in May 2011 for a cool $8.5 billion.
NOKIA - Consumers and Carriers were not wowed. In 2013, Microsoft CEO Steve Ballmer saw an opportunity in Nokia. Ballmer led Microsoft’s purchase of Nokia for over $7B in a deal finalised in 2014. But the Lumia phone line, didn’t garner the developer and carrier partnerships needed for the phone to catch on. Ballmer left that same year and new CEO Satya Nadella had to do significant restructuring and layoffs to streamline the company, including cutting 15,000 Nokia employees. In 2015, the acquisition was written down for $7.6B.

Its clear that your business strategy needs to include everyone in the company that can add value to the program. Size of company is immaterial as this effects everything from start-up to corporates.

See how SynergySix helps to create a collaborative approach to your product, features, markets and consumers with our SynergySix Flow Chains

The Nine Guidelines of Go-To-Market - Guideline 7

Mon, 02 Dec 2019 14:22:22 GMT

Patterns for growth are not consistent. Doing the same thing won't give you the same results, it'll get worse.

What is a Go-To-Market Strategy?

Guideline 7:

A go-to-market strategy is driven by visibility of your target markets’ secular growth and does not rely solely on the pull from your past cyclical growth.

Meaning:

The organisation should fully appreciate the impact of anticipated changes within your target market(s) and how these changes will influence your company purpose and not assume that your products and services will continue to be relevant to your market(s).

Follow on Reading:

Revisit the previous "Nine Guidelines of Go-To-Market" on our blog site . You can also learn more about our beliefs and the content we have provided by visiting our Home page or any of our other resources and then give us a call or drop a mail so we can discuss your challenges and how we may be able to assist

The Nine Guidelines of Go-To-Market - Guideline 6

Fri, 29 Nov 2019 10:42:48 GMT

Strength of Conviction

What is a Go-To-Market Strategy?

Guideline 6:

A go-to-market strategy reinforces the strength of conviction and focus within your business. It is not a series of tactical plans achieving limited success implemented to address unexpected business challenges.

Meaning:

All employees are fully committed and aligned to the integrated goals, objectives and strategies of the organisation as they have contributed, believed in and have ownership of the plan. They are not distracted by the implementation of tactical plans addressing individual projects.

Follow on Reading:

Revisit the previous "Nine Guidelines of Go-To-Market" on our blog site . You can also learn more about our beliefs and the content we have provided by visiting our Home page or any of our other resources and then give u s a call or drop a mail so we can discuss your challenges and how we may be able to assist

Public sector focus: without a concrete GTM strategy, G-Cloud opportunity remains nebulous

Fri, 29 Nov 2019 10:33:09 GMT

As new statistics show, it’s not enough being on G-Cloud, you need to know how to make it work for you

The G-Cloud framework is the mechanism the UK government has set up to procure Cloud services. In mid-2019 the launch of G-Cloud 11 was announced, which enables 4,200 potential suppliers – 90% of which are small businesses – to bid for contracts worth £1.95 billion.

But is G-Cloud all it’s cracked up to be? Or is it a case of cloud-and-mirrors simply aimed at meeting the government’s own targets for engaging with SMEs? (Which state that by 2022 one-third of government business will be with SMEs.)

The government argues that since 2012, more than £4.79 billion of cloud and digital services have been procured through G-Cloud, and almost 45% of that spend (£1.8 billion since 2012) went to SMEs.

However, a study published this month by Tussell says that only 480 out of 3,474 suppliers (14%) on G-Cloud earnt any revenue through the framework. The report noted that large suppliers still got the lion’s share of the available budget, with software consultancy Equal Experts leading the charge at £137 million, followed by Capgemini (£136 million), Deloitte (£103 million), PA Consulting (£92 million) and UKCloud (£86 million).

Many suppliers – with smaller suppliers the most likely to be guilty of this – believe that simply being listed on G-Cloud is enough. It isn’t. Firms still have to make themselves relevant, explain clearly what they do, promote their offerings and identify opportunities.

Crown Commercial Service (CCS) said that Tussell’s figures were inaccurate as a further 965 suppliers were in the process of transacting during the period analysed, so a more accurate number is 72.5% of suppliers earnt no revenue. It also argued that 44% of total spend related to smaller businesses equating to £2.35 billion, with larger businesses winning £2.75 billion.

There may continue to be arguments over the figures, but a few things are clear:

G-Cloud has been successful in terms of offering a mechanism for smaller companies to sell to government

Being on G-Cloud is not enough – it’s just a procurement framework – firms have to have, and enact, a strategy to sell on G-Cloud.

Bigger businesses succeed because they have the sales and marketing resources and brand awareness that smaller firms lack. This means if smaller firms are going to go to the bother (cost, time etc) of joining the framework they need to also factor in the effort required to make a success out of it.

Selling to government customers is not the same as selling to commercial customers. If you’re not prepared for things like security accreditations and complex billing processes you are not going to get very much past the start line

Selling to government bodies is a long process – be prepared for lengthy timescales. Don’t be surprised if it takes a year (or more).

Partnering can be a great strategy – you don’t need to be on G-Cloud to sell on G-Cloud, because you can partner with someone who is and who knows how to sell on there. Incumbent suppliers are actually looking for innovative SMEs to work with and are mindful that the government is targeting 33% of spend going to SMEs. So adopting a channel strategy to G-Cloud may be more sustainable than trying to go it alone.

For those that are already on G-Cloud 11, SynergySix offers advice and support to help them increase their success, as part of our GTM consulting.

SynergySix Principal Kevin Bailey says: “This analysis highlights the danger of the ‘build it and they will come mindset’ that organisations of all sizes frequently fall into. The reality is that G-Cloud is no different to Salesforce, Google, Apple or Amazon, which all have application marketplaces. They enable you to establish a capability to be seen when someone wishes to procure a product, but the marketplace does nothing to highlight why you should be considered over another comparable offering. Choosing whether you wish to compete with the 4,200 suppliers on G-Cloud, or partner with an established G-Cloud provider, needs to align with your fiscal and longer term plans related to your business disciplines for marketing, sales, product, people, operations and financials. The value of G-Cloud comes as part of an overall GTM strategy, not in isolation”.

The Nine Guidelines of Go-To-Market - Guideline 5

Thu, 28 Nov 2019 11:49:16 GMT

Lack of skills diversity will inevitably attribute reasons for operational failings.

What is a Go-To-Market Strategy?

Guideline 5:

A go-to-market strategy is the collaboration and integration of skills from all of your specialist disciplines and does not just rely upon a single specialist discipline opinion.

Meaning:

Generally, when the execution of a plan fails, employees will inevitably attribute 'non-fault' reasons for any such failings. When all employee skills are engaged in the planning process, all specialist teams collaborate and contribute to share success and based on their many complimentary abilities and experiences, to anticipate any potential problem areas.

An eye for an eye only ends up making the whole world blind. - Mahatma Gandhi

Follow on Reading:

Revisit the previous "Nine Guidelines of Go-To-Market" on our blog site . You can also learn more about our beliefs and the content we have provided by visiting our Home page or any of our other resources and then give us a call or drop a mail so we ca n discuss your challenges and how we may be able to assist

The Nine Guidelines of Go-To-Market - Guideline 4

Wed, 27 Nov 2019 11:27:52 GMT

Does next years revenue forecast look like you have just opened a Russian nesting doll?...its getting smaller

What is a Go-To-Market Strategy?

Guideline 4:

A GTM strategy fully supports your organisations revenue objectives accounting for the current business environment and not an expectation based on past performance.

Meaning:

The organisation is fully focused on the target revenue achievements against your total available market (TAM), rather than assuming that past success will be repeated. TAM visibility ensures targets are achievable, but may also provide insights that create the opportunity to grow at a faster rate than planned, assuming that other disciplines are aligned to support the additional workloads.

Follow on Reading:

Revisit the previous "Nine Guidelines of Go-To-Market" on our blog site . You can also learn more about our beliefs and the content we have provided by visiting our Home page or any of our other resources and then give us a call or drop a mail so we can discuss your challenges and how we may be able to assist

The Nine Guidelines of Go-To-Market - Guideline 3

Tue, 26 Nov 2019 11:14:05 GMT

Consider "unreal' evidence, but do not implement as the dependency of a strategy.

What is a Go-To-Market Strategy?

Guideline 3:

A go-to-market strategy is data and insights driven, not by emotional opinion.

Meaning:

When implementing a GTM strategy and engaging all key stakeholders, it is essential that the GTM is based upon factual evidence that supports all key objectives. This is achieved by utilising data and informed insights. Both elements are data driven, including thin-slicing (the ability to apply real-life experiences to the facts). Contributions that are not supported by “real” evidence (data or insights) can be considered, but not implemented as a dependency of the strategy.

Follow on Reading:

Revisit the previous "Nine Guidelines of Go-To-Market" on our blog site . You can also learn more about our beliefs and the content we have provided by visiting our Home page or any of our other resources and then give us a call or drop a mail so we can discuss your challenges and how we may be able to assist

The Nine Guidelines of Go-To-Market - Guideline 2

Mon, 25 Nov 2019 14:01:13 GMT

The ‘Purpose’ is why your organisation exists.

What is a Go-To-Market Strategy?

Guideline 2:

A go-to-market strategy ensures you are always focused on your [customer] purpose and not distracted by internal drivers.

Meaning:

The ‘Purpose’ is why your organisation exists. This defines what, why and how you will be addressing your target customer and industry. This is key to the success with your targeted client base and in maintaining your existing customer base. Goals, Objectives and Strategies are all internal drivers used to reinforce and maintain the focus of employees and the success of all divisions within the organisation.

Follow on Reading:

Revisit the previous daily "Nine Gu idelines of Go-To-Market" on our blog site . You can also learn more about our beliefs and the content we have provided by visiting our Home page or any of our other resources and then give us a call or drop a mail so we can discuss your challenges and how we may be able to assist

The Nine Guidelines of Go To Market - Guideline 1

Sun, 24 Nov 2019 13:39:49 GMT

Why does everyone misunderstand Go-To-Market?

Over the next 9 days, Synergy Six Degrees will post its nine guidelines and meanings of what should be appreciated when you go to market.

Critical to your thinking is why you shouldn't switch off when someone says 'Go-To-Market' thinking its only about marketing and not critical to your business!

Do you and company want to feel like a contributor to success from the outset and not part of an emergency service reacting to a fire that they had no part of causing in the beginning.

What is a Go-To-Market Strategy?

Guideline 1:

A go-to-market strategy is the backbone to your success; As a company; As a portfolio; As Individuals.

It supports and balances your focus.

Meaning:

Synergy Six Degrees have proven that go-to-market (GTM) plans are strategic not tactical. A GTM strategy is the operational execution of your organisation’s strategies that support the achievement of your business key objectives. No single individual or team (specialist discipline) can create a GTM strategy in isolation. A collaboration involving all employees and key stakeholders is essential. Having completed, reviewed and agreed all key objectives and strategies these are then integrated to provide an aligned business plan for your organisation.

Follow on Reading:

Learn more about our beliefs and the content we ha ve provided by visiting our Home page or any of our other resources and then give us a call or drop a mail so we can discuss your challenges and how we may be able to assist

Targeting SME’s to address their Cyber Security Needs

183:792006836 (Kevin Bailey) — Fri, 22 Nov 2019 10:51:10 GMT

Identify, educate and support SME's

A recent report in Computer Weekly highlighted that SMEs in the Nordics cannot afford to protect themselves against cyber security risks. The Danish Business Authority says that cost is the biggest barrier to adoption; while a survey by YouGov found that SMEs in Norway haven’t prioritised IT security spending due to a false sense of security.

As worrying as this is, it is not just Nordic SMEs that are at risk. The 2019 Verizon Data Breach Investigations Report (DBIR) found that 43% of cyber-attacks targeted small businesses, while 63% of attacks against small businesses succeeded.

However, SMEs still lack the resources and know-how to secure themselves – often relying on consumer security software or, by default, their suppliers. For example, according to the Ecosystm Cybersecurity study, 54% of Australian SMEs rely on their cloud providers to secure their IT operations.

No matter how secure their Cloud provider is, this will not protect SMEs from the entire range of threats they are faced with. Another recent report from CybSafe, for example, found that 43% of SMEs in the UK had been targeted by phishing attacks in the previous year, as cyber criminals shift their attention to easier targets. Many could reduce their risk simply by training their own staff, as human error and phishing remain primary causes of breaches in the sector.

“SMEs are the workhorse of the European economy, representing 99% of all businesses in the EU. In the past five years, they have created around 85% of new jobs and provided two-thirds of the total private sector employment in the EU. Although many SMEs are digital natives, they are not security professionals. They need to be secured against hackers that are extremely adept in their approach to targeting their prey and diversifying their approach by using direct (DDoS, SQL injection, cross site scripting, etc) as well as indirect (spear phishing, drive-by attacks, eavesdropping attacks, etc) attacks.” Kevin Bailey, MD, Omnisperience

Even when SMEs take security seriously, they struggle to recruit IT security specialists, who can achieve far higher salaries working for enterprises. They also struggle to consume security technology which is often not designed to meet their needs, as it requires them to select, integrate, implement and manage a range of different and overlapping products. Smaller businesses in particular need fully managed, cost-effective solutions.

Matt Gyde, NTT’s CEO comments: “Businesses need their security to be holistic to their solutions and this means fully embedded, not just added on. Having security intrinsic to any infrastructure is the only way to predict, detect and respond intelligently to cybersecurity threats, ensuring they are beaten long before they become an issue”.

Adding pressure to the situation is the fact that not only do SMEs face increasing risks as they become ever-more connected to customers and business partners, and as cyber criminals go after the low-hanging fruit they represent, but they are also increasingly being forced to adopt enterprise-level security standards just to keep trading. This is because regulators are now demanding that entire supply chains are secured to achieve compliance with standards.

For example, the Australian banking regulator, APRA, recently introduced new prudential standard, CPS 234 (July 2019). To meet this standard, organisations must be able to not only demonstrate their own compliance, but that of their entire supply chain. Small businesses that have been selling to banks for years are now having to deal with their customers demanding they fill out questionnaires and comply with complex IT security processes that are beyond their knowledge or capabilities – even when the sale is offline and not IT related.

Maintaining a workable level of profitability is key to survival for SMEs, who do not have the cash resources of larger enterprises. The cost of a data breach – which according to the IBM Ponemon ‘Cost of a Data Breach‘ report 2019, is typically $4.88 million in the UK (£3.8 million), up nearly 11% in a year – plus fines and sanctions under the EU General Data Protection Regulation (GDPR), is sufficient to bankrupt smaller companies.

The opportunity for B2B service providers

Security vendors perceive B2B service providers to be good potential partners and channel into the SME sector, because of their existing billing relationship with small business customers. B2B service providers are also able to offer fully managed services and solutions configured to the SME sector and the individual needs of different types of SME.

However, in order to be successful, B2B service providers first need to know which of their customers are SMEs. This, in itself, can be challenging for service providers that have both consumer and business divisions. Many small and micro businesses opt for consumer packages and therefore are often not identified as business users by their service provider. This challenge is increasing as more people work from home, use their own devices, applications and networks for work (BYOD, BYON and BYOA), or become part of the gig economy.

Upselling security solutions into the sector therefore begins with better profiling and segmentation of the customer base, along with the melting of hard lines between consumer and business packages to allow for dual profile customers to be better served and targeted.

As this market continues to grow, service providers who make assumptions about their customers, and cannot identify micro & nano businesses and those who regularly work at home, will fail to maximise their opportunities and lose out to rivals.

This is not a mistake that NTT intends to make, with their reorganisation specifically aimed at upselling broader capabilities to their customers. NTT’s Gyde explains: “By bringing the NTT family closer together, we are better positioned than ever to enable our clients to do great things with technology – and, importantly, securely so they can concentrate on running their business. We know a secure-by-design approach is becoming a big focus for service providers, which we see as a great opportunity for us as a business. Ultimately, the integration now enables us to support clients at every stage of the digital transformation journey while helping them navigate the critical business issues and pressures that come with it.”

“Using effective SME targeting, B2B service providers can address this vast market opportunity by resolving two critical SME needs: (1) educate the SME around security solution best practices and (2) provide a security managed service so the SME can focus on growing their business.” Kevin Bailey, MD, Omnisperience

Wake up - Your Product is NOT Your Purpose

Mon, 11 Nov 2019 11:42:15 GMT

“Don’t protect your past”

Apple doesn’t just make iPhones; IBM doesn’t just make computers; Tesla doesn’t just make cars; BP doesn’t just make oils; Williams doesn’t just make F1 cars; GlaxoSmithKline doesn’t just make medicines. Their products (output) are driven by each company’s distinct ‘Purpose’ ;

Apple: to empower creative exploration and self-expression
IBM: Essential…to the world
Tesla: acceleration of sustainable energy and autonomy
BP: We deliver heat, light and mobility products and services to people all around the world in ways that will help to drive the transition to a lower carbon future
Williams: Inspired engineering that enables a sustainable future.
GSK: to help people do more, feel better, live longer.

In every walk of life, on every day of the year, across all genders and age groups, individuals come up with new ideas for products that will challenge any known or perceived issue.

Technologists and product entrepreneurs are wizards at convincing themselves that the next product they develop will change the world, show the world how competent they are, and create the most wanted product since the innovation of the iPod or The Cloud.

Unfortunately, things don’t always go to plan

Here’s a brief list of products where enthusiasm and belief were not enough to convince their audience that the developers dreams, were in fact just that, well intentioned dreams; Google Glass, Segway, Facebook Phone, Twitter Peek, LaserDisc, Disc4000 (Kodak), Smokeless Cigarettes, New Coke, Google+, Microsoft Vista, Astrocolor, and the list goes on and on…

Why didn’t these products become successful? Because emotion, the need to compete and self-belief to create the next great thing, overlooked the reason [if there was one] why they were put on the drawing board in the first place. The Purpose.

A Purpose - is ‘the reason for which something is done or created or for which something exists'.

Relate this definition to some widely used actions/products/functions and their purpose

Action/Product/Function Reason (Purpose)

Breathing Oxygenate our bodies
Television Watch media content that we like
Fire Extinguisher Stop a fire
Personal Trainer Stay healthy

The intention of innovation stems from entrepreneurs and developers who have the belief that they are able to challenge the list above and readdress the reason (purpose), enabling a more valued resolution.

Purpose Action/Product/Function

Oxygenate our bodies Ventilator Machine
Watch Media Content Streaming service to any device
Stop a Fire Alarm linked to Fire Station
Stay Healthy Fitness Application on mobile device

An Organisations Reason for Existing

Most businesses exist to sell a product or service to a target audience, why else exist? Once they are up and running, they instinctively move away from focusing on the company purpose and onto more of their internal drivers; Vision, Mission and Objectives.

Internal drivers are mandated by the leader, it’s what keeps the lights on, increases shareholder value, pays salaries, provides confidence that the product/service has value (because someone else has bought it) and allows the organisation to develop the company further, either through organic or acquisition growth.

But…..

When you take your eyes away from the company purpose and focus only on your internal measurements, you enter a dangerous area of losing visibility of your markets, being ignored, commoditised or worst of all complete failure.

Products are important. When established organisations mature, they create a back catalogue of products that have cost millions in sunk costs but return differing levels of revenue streams:

Products with stable or increasing revenues tell you that you are either meeting the customer need (purpose) and/or have healthy multi-year contracts (subscriptions).
Products that have static or declining revenues tell you that are becoming detached and not actively addressing the customer need (purpose).

Organisations that take their focus away from aligning their business strategy with their organisational purpose, create a desperation to continue extracting the maximum possible revenues from existing products /services to obtain returns for the time spent in research & development and cover the costs to sell and support the product/service.

Recognising that your organisation may have the opportunity to address a ‘purpose’ does not mean that you should.

Think about how investors decide to invest in a business, the product is not the deciding factor. Investors look for the reality of the 'Purpose' you are addressing with your product as this will determine the longevity and viability of your proposition . So whether you are an investor or the leader of a company, you will (should) be making the critical decision about the 'found' purpose and if it aligns to your business strategy and focus.

Every market has different revenue opportunities. You may choose to operate in a niche (smaller revenue and competitor) market or conversely to challenge a larger revenue market. Initially, this has nothing to do with the product/service you develop, this is about the desire of your market to purchase something in order to address the purpose, acknowledging that some ‘Purpose’s’ are restricted to certain market segments; countries, industries, genders, animals, sports etc.

Why ‘Purpose’ matters

Ensuring that you continually align your organisation to its purpose and not its products was clearly articulated by IBM’s Chairman, President & CEO Ginni Rometty during a recent Bloomberg interview in September*, where she clearly defined IBM’s purpose as being “Essential….to the world” . Think about the enormity of ‘Big Blue**’ when you try to rationalise to yourself Ginni's next statement, “Don’t protect your past”. Here is one of the largest companies in the world ($79 billion #38 Fortune 500) that have shareholders and investors to appease, but the CEO is focused on what is in front of her (secular growth) not what has gone before (cyclical growth).

In an adjacent technology category resides Apple, who have moved from 17th in 2012 ($108 billion) to 3rd in 2019 ($265 billion) in the Fortune 500 listings. Why? Because their purpose aligns to the consumer (buyer) “to empower creative exploration and self-expression” . They are not consciously trying to be the leader in a market or become the largest revenue company. It all happens because they focus on their purpose, meet the need of their target market(s), continually challenge the [changing] norm and not rely on a single or group of products from their past, even though the products are well architected to stand the test of time.

Synopsis

Being innovative and disrupting the norm is what has accelerated the development and adoption of technology that enriches all our lives. But with speed of innovation and ever-increasing consumer-led need comes commoditisation. When you were first to market, you had an advantage, but that period of leadership is declining and shorter.

Whatever your product or service offering there are more challengers entering the market either as start-ups, up-starts or corporates diversifying through acquisitions or collaboration, all looking to take your place and retire you as an onlooker.

Understanding your value to your market (now and in the future), needs a 360-degree appreciation of what is happening. Tradition would have you look backwards when planning forwards, using past achievements and challenges to prepare for the next fiscal.

Why not just stand still and see what is in front of you, rather than dismiss what is looking right in your face or being conveyed to you by your employees, advisors and partners. Take a leaf from Ginni Rometty, “Don’t protect your past”. At least, not until you have considered the future and seen if your past still aligns to your [organisation’s] Purpose (the future of your consumer).

At SynergySix our work focuses on the alignment of your organisations Go-To-Market strategy with your company purpose. Click her and take some time to read through our approach using the SynergySix Flow Chains™ framework.

*- https://www.bloomberg.com/news/videos/2019-09-20/ginni-rometty-on-ibm-s-purpose-video

** - During the mid-20th Century, IBM was known for its mainframe computers. They were pervasive. They were the standard of coolness in the business and scientific world. They were also big, like soda machines big, and th ey were blue. So, people started to tongue-in-cheek call them the big blue. To live up to the name IBM had a huge blue sign on its Manhattan building.

Ready or Not, Here I Come

Mon, 04 Nov 2019 14:20:50 GMT

Market transitions wait for no one

A nyone with an ounce of intelligence acknowledges that technology adoption is moving faster than at any time previously experienced. In the past, the evolution of technology was driven by the vendors who developed inspiring enhancements that businesses and their clients welcomed and created the opportunity to diversify their markets.

As we prepare to enter a new decade, everyone has recognised that our lives have been impacted by technology, because we expect it, not necessarily because others tell us it’s good.

From a business standpoint, the ability to plan 3-5 years out to ensure focus and stability has gone to the wall.

Many organisations still rely on cyclical growth , which is stable with predicted growth rates and one in which the customers and the categories remain the same as power shuttles here and there amongst various vendors, reassuring investors and customers that the business have their finger on the pulse of their industry.

The change in technological advancement has meant that a new approach to planning is required. Now, using cyclical patterns to plan for future years is still viable but viewed as essentially a ‘bunker’ mentality that is inward looking for planning, missing the opportunity to put your head over the bunker and recognise that the market is changing or has changed.

The opposite of cyclical growth patterns is secular growth , meaning a “not to be repeated” expansion of the market that occurs whenever a new category or a new class of customers is bought on board*.

Organisations that focus their business planning on cyclical growth allows for mistakes with plenty of time to adjust and re-establish your presence as these markets are predicted. Secular change comes whether you like it or not and is a missed opportunity that will never pass your way again. In short, missing out on secular growth is a disaster.

The fourth industrial revolution is not only about the technology, but also the growth in new start-ups and entrepreneurs who recognise and act on this secular change early. Established organisations missing the opportunity to diversify into secular markets, will be outsmarted by the nimbler competitors that have no historic [product] baggage to maintain.

How do you embrace secular growth markets?

It’s all about change, not radical change but evolutionary change.

Cyclical growth planning is an internal focused process, where business unit leaders all plan for the future (the next fiscal) based on growing reasonable percentage points, allocating existing resources to execute this growth and all of this in many cases with a cut in budgets to make the operational profitability more attractive.

Secular growth planning operates as if you are a start-up, even though you may have a well-established market.

Think about Apple , they are well established and have a solid market leading position in the communications market (phones and wearables). Their cyclical growth is understood, not only the purchasing behaviours of their customers but also the trends in this market for optimising the individual experience.

The content streaming market disrupted conventional TV by accelerating “cutting the cord**” and allowing users the flexibility to ‘watch on demand’ anywhere and at any time. This market aligns to secular growth as the recognised brands have the opportunity to attract new revenues but more significantly define how the market will evolve.

Apple saw this opportunity, by looking outside the bunker of their established communications strategy, acknowledging what Netflix had established and also recognising that Disney and Warner (HBO Max) are priming their services for availability in late 2019/2020. If they didn’t make the decision to diversify their existing Apple TV to align tightly to the category early, they would miss the opportunity and only be capable of delivering their existing Apple TV commodity offering, rather than have the ability to steer the direction of the category with Apple TV+ .

Your ability to react to a new market opportunity requires everyone to agree not to be internally biased in your research and honest when able to answer the following:

Does our existing purpose align to that required of our market?
What would it take for us to be a leader in this new view of our market?
Do our specialist disciplines (business unit functions) have the capability to address this market; sales, product, people, etc?

Once you have understood the possible opportunity available, you are then able to make a clear judgement if this is something that your organisation wishes to pursue. Remember that some opportunities are not right for your organisations. Finding a new opportunity is not a fait accompli, but you now have the data to make the decision if it is something your business wishes to pursue.

If agreed, you now have the newly understood customer need and resolution scoped out. You should now revisit your cyclical growth planning and integrate the new opportunity (secular growth) into the resource allocations, evolving your business planning to appreciate the established with diversity.

This new approach to planning is about driving collaboration across your specialist disciplines, ensuring that each have the resources available to give your new strategy

* - Escape velocity, free your company’s future from the pull of the past, Geoffrey A. Moore 2011

** - Cord cutting means that a TV viewer can cancel cable or satellite service and receive TV programs via a different option.

Sales People are Ineffective

183:792006836 (Kevin Bailey) — Mon, 28 Oct 2019 10:04:22 GMT

It doesn’t mean they are not skilled

Have you ever wondered why a sales person cannot convert everyone of the hundreds of sales leads that are put in front of them?

We could start with their competency; do they know how to sell; can they build relationships; no self discipline; can they articulate the value of their product; bad time management; do they dress appropriately; all of these are rather personal and considering most sales people are employed to do this role, the majority of competencies are not the reason.

This articles focus is not if they are a good sales person, as the real reasons make a good sales person as ineffective as a bad one.

Everyone in a profession has a kit bag; it’s what makes them good at what they do, it’s the combination of their physical, emotive and skill attributes.

When a sales person is given the responsibility to convince their target audience to purchase their products, ownership doesn’t just reside with the sales person, there is a higher responsibility on the organisation to ensure that they have added value to the sales persons ‘Kit Bag’.

Imagine the following:

A car salesperson without any demonstrator vehicles
A Pharmacist trying to sell drugs that have no dosage information on the packaging
An 5G salesperson trying to penetrate the market in France during 2019, prior to Arcep agreeing the rollout
Cashier’s knowing how much charge the customer, if there is no pricing system
An estate agent that has no details about a property to give to prospective buyers
Lack of value propositions when selling add-on equipment for audio specialists

It’s always easy to blame a sales person for not accelerating the movement of leads to opportunities and then to committed orders, when they are put into the field of battle without the ammunition in their kit bag.

A solid Go-To-Market strategy for existing, new and intended products and services has to ensure that the individuals working in the field, face to face with the customer are able to excel in their role.

As a critical part of your GTM planning, the sales team need to be integral to the creation of their sales tools, that will enable them to make every engagement positive (assuming you have pointed them in the right direction). Ensure that you acknowledge and action the need to equip your sales teams (both direct and partner organisations) with all the relevant sales tools before the product is released to the market, else you will see low conversion rates and damage the image that prospects and customers align to your organisation.

Click here to see how the SynergySix Flow Chains framework ensures that all the specialist disciplines including sales, ensure that everyone in your organisation are working together and helping to deliver all the intelligence and assets to drive a successful GTM strategy

Respect, Just a little Bit

183:792006836 (Kevin Bailey) — Thu, 17 Oct 2019 16:53:05 GMT

Everyone has different skills, learn to respect them

Aretha Franklin covered the song RESPECT as her challenge to get her man to respect the value that she bought to their relationship. In business we are seeing the growth of appreciation for the different and unique value that genders, individuals, and skills bring to organisations. That in the past may have been overlooked.

Individual's choose their career paths based on a number of intentional and unintended actions. Once on a career path, there are also many things that individuals will unfortunately encounter (culprit's) that restrict an individuals 'respect'. I suggest that the term " occupationism" (John Krumboltz, Professor Stanford University), is one of the culprits. Occupationism is a form of discrimination that Krumboltz claims is just as bad as sexism, racism, or ageism. "They are all forms of judging individuals on the basis of their membership in a group," he said.

"What's the harm of occupationism in regard to respect?" I believe that people are often dissuaded from challenging or being given a fair hearing from other specialist disciplines (with valid ideas and concerns) because the [challengers] have a belief, driven from past experience, that their discipline is not valued by others high enough in the prestige hierarchy of the organisation. The capability and respect of an individuals worth should always be two fold; their own belief and also the belief of those they work with, either as peers or in management positions.

A carpenter who is good with their hands has equal value as does a surgeon; A police recogniser who can physically identify criminals is equal to a software engineer that builds facial recognition software; A salesman that crafts relationships with prospects is on par with a postman that delivers letters; A bank teller that deposits your cash adds the same value as a financial accountant balancing your books

All the above and 1,000’s of more examples show that everyone contributes value to an activity, should be respected for their contribution and without them the flow of efficiency would be broken.

Thinking about occupationism, how many times have you heard these type of comments?:

“marketing just do collaterals and the colouring in”

“finance department are always looking to cut our budgets”

“HR just do hire and fire”

“sales just sign contracts and go on jollies for doing their job"

“product team just build what they think is cool, not what the market needs”

“operations don't understand how people buy and use our products”

These comments will, in most cases, come from individuals in an organisation that are not directly responsible for the specialist disciplines being questioned. These are based on ignorance, almost always, naive ignorance from afar i.e. they do not understand the real work being undertaken by the individuals, only what they (the commentator) see's or believes (opinion). This is where respect doesn't appreciate the value and skills of other peers and peer groups.

What about these comments:

“why doesn’t anyone listen to my advice, I’m the one in with the customer”
“Its not the product, its our customer support they have issues with”
“They don’t want a drop in price, they want to know what value we give them”
“whats wrong with using partners to sell our products”
"how am I supposed to do my quota, the market isn't that big!"

Banging your head off the wall, will get you no where. Frustration from these comments, tends to come from a lack of communication and inclusion with individuals that are at the sharp end of your industry or customer engagements. Respect here comes in two forms: Communication - ensure that if a decision has been made, then convey that decision to all disciplines in a manner that the recipients can consume and acknowledge; Inclusion - create the opportunity for all stakeholders in the different specialist disciplines (opposite of occupationism) to provide guidance and advice before you execute, whilst executing and also in post evaluation analysis.

Synergy Six Degrees vision is to "Drive Enterprise Collaboration", as part of your organisations Go-To-Market strategy planning. This requires all the specialist disciplines within an organisation to work closer together and utilise each other skills and knowledge to challenge outdated practices that will hinder strong and profitable growth in your chosen markets.

Click on the link within this sentence and take a look at our SynergySix Flow Chain content and see how this approach could benefit your organisation in a way that others have already acknowledged, delivering respect for your employees and specialist disciplines.

Be Curious. Find Out. Do Something. Never say 'If Only'.

183:792006836 (Kevin Bailey) — Sun, 13 Oct 2019 15:13:56 GMT

From outlier to starting my own business

A need for acceptance

Always wanting to be accepted, it took me until I joined the British Army at 16, determined to prove that I could make a difference and seen as someone that could be relied upon in challenging times. Everything was progressing well as I became the youngest physical training instructor in the Army at 17, had undertaken an 18 month active service tour and then experiencing life on the border (fence) as Chinese citizens tried to make their way into Hong Kong . Plus I didn't look to bad wearing a bearskin (I was in the Scots Guards). But things changed. Damage to my spine due to an incident whilst on active service, put me in and out of military hospitals for 18 months. Then I was told you're OUT! You don't (cannot) challenge this ruling.

I then realised it was back to basics and learn something new.

Computers were enormous (in size) in the mid 80's. To get on the first rung of ladder, I had to convince my first Manager that I may have been disabled out of the Army, but I had more commitment and ability to learn than any of the other applicants. I got the job as a trainee computer operator. I then spent the next 6 years using my experience and commitment moving into different roles, increasing my knowledge and value (not always for more money).

When you have value, you [start to] get noticed.

In the early 1990's I was asked to join StorageTek as a pre-sales engineer. This was the start of almost a decade at a company that valued its employees. I was able to travel around the world, expand my knowledge across data storage, work as a member of the teams that introduced disruptive technologies and spend time living in Colorado.

But once I had the big corner office, I kept asking myself, 'Can I do all this or am I just good at managing people who do it?'

Well the best place to prove myself was in a startup. Joining Njini and going from the big corner office to a desk the size of what I used at school, meant licking envelopes in the morning and setting the market strategy in the afternoon. It was great. The founders pushed my capability and taught me new skills. Launching this UK company in North America was really fulfilling.

Now I needed to use those skills elsewhere.

I had built my network and more regular offers to join other companies were coming in. Symantec was my next stop. A European role in product marketing, soon turned into running the team. Never tired of challenging the status quo, we introduced new planning models. That turned into a new role looking after all the insights and competitive intelligence worldwide. Being mentored by the CEO was the icing on the cake.

I'm perfect, but something was wrong, with me.

I have a trait about being a perfectionist. I'd always had the ups and downs of life, but there seemed to be more downs (mentally) due to my trait to strive for perfection and constantly doubting my capability.. I had to step away from the pressures and stress of work and get treatment. I learnt that talking about mental health concerns helped and having a network of friends who are there to help, was as important as having a network of business colleagues.

I'm damaged goods, would businesses [still] want me?

Mental health issues never go away, you just learn to live with and manage them. Following a very encouraging period as an industry analyst at IDC, I wanted to get back to an environment and grow another company. Clearswift recognised my value to help transition them to a new market and as a team we succeeded. The team worked well together and valued everyones contribution. I saw this as a clear example of leadership and collaboration from the top (CEO).

Why do it for one when you could do it for 14!

Following a rewarding time at Clearswift, the network effect reared its head again. Being asked to build the GTM strategy at BAE Systems Applied Intelligence , would prove if I had acquired the skills to bring together 14 [acquisitions] companies under a single brand and operate with synergy. This was challenging, I learnt about mis-communication, historical barriers to change, multi-generational views of success, individual brand loyalty as well as the need to change, willingness to collaborate, optimism to create and the enthusiasm to be part of a team. We (yes we) succeeded and delivered a GTM strategy to the Managing Director that had the majority of the different business units whole heartedly behind it.

Time out, to go small again.

Launching a new company is fun, but you have all your colleagues relying on you to get it right, its their future. At Berry Technologies (now Noble), the challenge was applying my GTM skills to a technology I had not had previous experience of. Have you ever tried to make sense of the math for a deep learning algorithm? Dealing with private investors was new (I had done VC's and PE's previously), but the willingness to learn ran through the company. Following a successful launch, I challenged myself again, this time with Blockchain.

Networks are forever, not just now

I joined Gospel Technology because of the confidence in me from two ex-colleagues and friends from StorageTek, that was over 25 years ago. Achieving recognition as one of only three ' Cool Vendors ' worldwide for blockchain, recognised not only my belief in the product but also the approach I took with their GTM strategy. It's also not bad when you are Salesforce.com's first investment in blockchain.

It was time to stop being an Outlier

Having always been risk-adverse, I decided it was time to extend my skills for the benefit of the many not the few, whilst also removing another "If Only" from my aspirations. Over the last couple of decades I have learnt a lot, experienced many do wns, been recognised for value from many people I can call friends and revelled in the success as part of many teams. Earlier this year I created ' Synergy Six Degrees ' to provide Go-To-Market services to those that believe in my approach, the way that others have over my career.

Notes

Even after being disabled out of the Army, I have continued being active and have completed 7 marathons, many half marathons, 10k and 5k runs, ultra runs like the Jurassic Coast Challenge including being an active Parkrun participant every Saturday. I still suffer from mental health issues, but with the increase in awareness and having a support network that starts with my family that help me when the dark clouds come over. Work experience is always priority, but education helps you and others. I have achieved a Postgraduate Diploma in Marketing (PDipM 2003) and a Masters of Science in Marketing Strategy (MSc distinction 2012). In addition I'm trying to give back to the leaders of the future as a STEM Ambassador helping increase careers in Science, Technology, Engineering and Math.

Synergy Six Degrees Launches to Optimise Go-To-Market Strategies

Thu, 10 Oct 2019 13:49:41 GMT

Driving Enterprise Collaboration

Synergy Six Degrees has been launched today by Kevin Bailey, a technology market and strategy specialist. With over 20 years hands on experience, his achievements in operational and staff roles across start-up and corporates have resulted in successful GTM implementations across specialist disciplines that make up the ‘SynergySix Flow Chains™ framework. Headquartered in the UK, our vision is to ‘Drive Enterprise Collaboration’, strengthened by our client purpose to ‘Optimise Your Go-To-Market Disciplines to Drive Business Growth’.

Organisations need to continually push the boundaries to identify and execute programs to establish new markets and meet new customer needs. This requires increased efficiencies across the time to market within an optimal cost base to grow market share and revenues.

Synergy Six Degrees challenges the engagement approach that other go-to-market (GTM) specialists believe is the most appropriate approach to achieve business success.

Many organisations and GTM specialists detach their GTM practices away from the organisation's business plan and focus their key deliverables on one or more individual disciplines, such as:

Marketing Led – where the outcome is focused on the marketing mix
Product Led – where the outcome is focused on product development
Sales Led – where the outcome is focused on client acquisition

None of the above are incorrect but we believe that all contribute towards a successful GTM strategy, plan and execution, and therefore need to reflect their effect on others.

At its core, Synergy Six Degrees delivers assignments against its chains of collaboration using its ‘SynergySix Flow Chains™’ framework. This has been developed to connect existing [and needed] structures for the success of a common business objective.

The Synergy Six Flow Chains™ framework utilises six layers of influence; data, external forces, adoptions curves, efficiency models, implementation and outcomes across six disciplines focused on; product, financials, sales, marketing, operations and people.

We believe organisations need to assimilate each teams’ contributions in order to drive successful growth.

Implementing this new approach to business operations, ensures that all employees appreciate their value in a company’s success , with the opportunity to enhance current skills and grow their long-term career aspirations.

If you would like to see more about Synergy Six Degrees please click on this link and visit our new website

Thanks for taking the time to read our 1st blog

Six Degrees of Information

Continuous Data Protection is as ineffective as backup in a ransomware scenario

What is Ransomware Data Protection?

How many vendors do you see and hear proclaiming to deliver ransomware protection, only to unveil that their solution comes with caveats.

Synergy Six Research - Ransomware Impact Map

Are Commvault on the SHIFT or merely shuffling along.

Read my review of Commvault's recent London SHIFT event.

Is a 3-2-1 backup strategy still fit for purpose?

How can you recover from three copies of data when two may have been compromised and recovery may cost you $100,000's of unbudgeted spend to meet your RTO.

Cyber predictions are cyclical, predictable

But what new knowledge will be shared off the ride in 2023

Let's hope those who profess to know more than everyone else, come out and surprise us with something that no one has thought of yet and can force a change of heart into 2024 plans and budgets.

Maybe I'm a sceptic but I think I could hit at least 90% of the major bylines that vendors and analysts will be dishing out.

Why? .........because everything is cyclical

An Identity Digital-First Trust Model Increases Privacy and Protection

The principles of decentralising one's information into their own ownership are completely related to, and contextualised by, privilege.

The Trust Model (not Zero-Trust!)

Verifiable Credentials

“Digital First” Identities Could Lead to Privacy and Equity Last

Patching Shouts for Help from NDR!

If Zero Trust is so critical

The CISOs New Dawn

Authored by SynergySix, F-Secure publish the first two ﻿ of four episodes (chapters) delving into the insights of 28 leading CISOs across US and Europe, conveying the challenges facing these leaders, how they are tackling them and examples of who is succeeding

Chapter One

An Effective Security Leader - the year that changed it all

Research Methodology and Contributors

Your opinion although interesting is irrelevant

Every business needs to respond in real-time

Complicated Passwords are C***

Its time to evolve and remove human creativity

The Always on Network

BrightTalk panel discussing the Dangers of an Underperforming Network

Around Kevin Bailey from Synergy Six Degrees in 10 questions

SynergySix engages with IIAR

Access is personal, but businesses need to help individuals help themselves

Effective security takes the risk out of an individual’s behaviour, while not making security onerous

Are you a industry cybersecurity leader?

A recent Accenture ‘State of Cyber R ﻿ esilience’ report researched the differences between Leaders and Non-Leaders in cyber security, with 17% of their 4,644 respondents falling into the leader definition and the remaining 83% defined as non-leaders.

Zero Abstraction - Advancing or Redefining Cybersecurity?

﻿ Will this start-up be the answer to a CISO concerns?

Ransomware increases the need for UIP, Isolation Browsing and Immutable Data Recovery

How can organisations protect themselves from ransomware attacks and recover when they are attacked?

Stopping an Attack

Restarting your business

CISOs ignore exaggeration

They only want to win the battle, they accept the war will take a little longer

Trillions, billions, millions, thousands...Just headline makers

Is the opportunity that big for security vendors?

What just happened!

Did you just miss the next secular growth opportunity?

A great cybersecurity product alone does not create success

Entering a market without a comprehensive and active Go-To-Market plan will leave you sitting on the edge, watching others succeed.

Halt the cyber criminals gateway to data, the user.

Enrich Confidence with User Isolation Protection

Security-conscious customers need more information from the companies they do business with

Having the right product is now only half the battle. Unless customers and prospects are sure you’re secure they’ll go elsewhere – directly impacting your bottom line

Cyber resilience can prioritise the user

Kevin Bailey looks at how organisations can secure their operations in the new normal of remote and distributed workforces

5G & Wi-Fi 6 Primer – Six Key Features of CyberSecurity

Find out in the complimentary NEW research paper on 5G cybersecurity with insights from technology leaders at Palo Alto Networks, Numerous Networks, IBM Security and F-Secure.

Everyone Off. The Plan Doesn't Work Anymore

But what did you expect? Everything is different

How to Reduce the Risks of SIM-Swap Attacks

SIM swapping is not a new problem. It’s long provided criminals with the ability to take over a mobile device and gain access to data and even funds.

DCMS Cyber Security Breaches Survey 2020

Half of UK businesses faced cyber security threats last year but many lack the skills to respond effectively

Why telecoms firms should be wary of Eventbot

EventBot targets banks, money transfer services and the wider business community

Ensure your GTM team are secure

A good go-to-market team shares everything, make sure you protect their interactions

Enterprise Security in a Multi-Cloud Environment

Kevin Bailey talks with Simon Ratcliffe and Martin McCloskey

PMA Panel: Demystifying Go-to-Market Strategy

Go-to-Market Strategy: it's the bread and butter of product marketing and the inclusion of other specialists

White Hat Ball 2020

The security industry comes together to protect children

Steve Jobs: Forget the product. Start With the Go-To-Market Strategy

You don't have to re-invent the wheel or look for new awe-inspiring sounds bites. Steve's philosophy is still relevant.

The Nine Guidelines of Go-To-Market - Guideline 9

Continuous measurements not inquests, address failures to meet key objectives.

Authored by SynergySix, F-Secure publish the first two of four episodes (chapters) delving into the insights of 28 leading CISOs across US and Europe, conveying the challenges facing these leaders, how they are tackling them and examples of who is succeeding

A recent Accenture ‘State of Cyber R esilience’ report researched the differences between Leaders and Non-Leaders in cyber security, with 17% of their 4,644 respondents falling into the leader definition and the remaining 83% defined as non-leaders.

Will this start-up be the answer to a CISO concerns?

As new statistics show, it’s not enough being on G-Cloud, you need to know how to make it work for you