Archive for February, 2015

Friday Books and Talks 02/27/2015

by Douglas Conant, Mette Norgaard

A fresh, effective, and enduring way to lead—starting with your next interaction. Most leaders feel the inevitable interruptions in their jam-packed days are troublesome. But in TouchPoints, Conant and Norgaard argue that these—and every point of contact with other people—are overlooked opportunities for leaders to increase their impact and promote their organization’s strategy and values. Through previously untold stories from Conant’s tenure as CEO of Campbell Soup Company and Norgaard’s vast consulting experience, the authors show that a leader’s impact and legacy are built through hundreds, even thousands, of interactive moments in time. The good news is that anyone can develop “TouchPoint” mastery by focusing on three essential components: head, heart, and hands.

TouchPoints speaks to the theory and craft of leadership, promoting a balanced presence of rational, authentic, active, and wise leadership practices. Leadership mastery in the smallest and otherwise ordinary moments can transform aimless activity in individuals and entropy in organizations into focused energy—one magical moment at a time.

Friday Books and Talks 02/20/2015

Talent is Never Enough
by John C. Maxwell

Read the headlines, watch the highlights, or just step out your front door: Some talented people reach their full potential, while others self-destruct or remain trapped in mediocrity. What makes the difference? Maxwell, the go-to guru for business professionals across the globe, insists that the choices people make, not merely the skills they inherit, propel them onto greatness. Among other truths, successful people know that:

  • Belief lifts your talent.
  • Initiative activates your talent.
  • Focus directs your talent.
  • Preparation positions your talent.
  • Practice sharpens your talent.
  • Perseverance sustains your talent.
  • Character protects your talent.

It’s what you add to your talent that makes the greatest difference. With authentic examples and time-tested wisdom, Maxwell shares thirteen attributes you need to maximize your potential and live the life of your dreams. You can have talent alone and fall short of your potential. Or you can have talent plus, and really stand out.

Low-Hanging Fruit
by Jeremy Eden, Terri Long

How can anyone, from the shop floor up to the C-suite, make their companies better? Despite years of corporate initiatives and implementing big fixes, are there really more simple and smart ways to improve productivity? In Low-Hanging Fruit, co-authors Jeremy Eden and Terri Long not only answer that question, they show how to get it. Low-Hanging Fruit is a fast-paced, fun read with 77 different ways to make a difference at your company. Eden, a former McKinsey consultant, and Long, a former bank executive, use many great examples from working with teams at Fortune 1000 companies, helping them cut through the complexity, the politics and the waste. Low-Hanging Fruit gives you the best ideas culled from their experience, such as how to deal with the “unintentional squelch” and “zombie projects,” and why mom was wrong about always doing your best.

This isn’t a theoretical business tome. This is an indispensable guide that should sit on every career-minded person’s desk to be referenced regularly. Often contrarian, always passionate, Low-Hanging Fruit has the power to change your career and your organization.

Action-Oriented IT Risk Management

Last week at Chicago’s Camp IT, I presented on IT risk management and concluded with focusing on the intersection of risk and action. This is a CIO Centric Approach that reprioritizes risks based on an organization’s constraints and IT capabilities. My Chicago talk led to several good discussions, and this article quickly summarizes the method and how you can apply it to your risk management program.

First, let’s briefly recap risk rating by impact and likelihood. This qualitative IT risk management approach enumerates concerns and then assigns each a 1-5 score for impact to the organization and a 1-5 score for the likelihood of the threat being realized. The practicality of such an exercise depends in large part on how the values are derived, with more mature programs using a weighted approach that includes the organization’s mission, objectives, and mandates. Once completed, a risk rating table is generated similar to the one below.


The advantage, for a security owner, is in immediately seeing which concerns, once mitigated, would produce the largest reduction in the organization’s overall risk. We can then produce the annual audit phonebook with a long laundry list of recommendations.

The disadvantage, for the IT owner, is in not factoring in effort. For example, suppose one risk rated 15 takes 12 months to resolve and another takes 3 months. Yet both are listed side-by-side and prioritized equally by the security owner. The trouble stems from the risk rating exercise not bubbling up quick wins and prioritized actions.

Let’s revisit the risks by looking at constraints and capabilities. First, we brainstorm a list of two or three constraints that would slow the risk treatment process. The list will vary from time to time, and from organization to organization. For the purpose of this article, let’s go with:

  • Culture – the current team and organizational culture accepts the change
  • Budget – the budget is available to implement the change

Next, let’s list the capabilities. Again, this list will vary. A good starting point is:

  • Available staff – the people implementing the change are available and skilled
  • Available tech – the technology needed to address the risk is available
  • Compliance – the compliance team is engaged in assisting with the change

With this list, we can now weight the impact of each constraint and capability to execute. The weighting is typically developed in a roundtable discussion with the stakeholders. For example, we may decide:

  • Culture = 20%
  • Budget = 10%
  • Available Staff = 35%
  • Available Tech = 25%
  • Compliance = 10%

With the factors and weights decided, we can talk through each risk treatment, ranking each one at 1 (difficult), 3 (moderate), or 5 (achievable). The risk treatment score is then the weighted average of those rankings and reflects how actionable the control is. For example:

DSS05.07) Monitor infrastructure for security events

  • Culture = 20% = 3
  • Budget = 10% = 5
  • Available Staff = 35% = 3
  • Available Tech = 25% = 5
  • Compliance = 10% = 3

3.7 = (20%*3) + (10%*5) + (35%*3) + (25%*5) + (10%*3)

Having reviewed the mitigations, we can plot the risk treatment scores along one axis of a chart and the previously defined risk ratings along the other axis (impact * likelihood / 5, which keeps the rating on the same 1-5 scale). The completed table, shown below, aligns the risks that the CISO is concerned about with the areas the CIO has the capabilities to address.
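The scoring above, worked through in PowerShell as an added example (not code from the article): the weights and the DSS05.07 rankings are the article’s, the quadrant labels and the two EXAMPLE-* risks are constructed for illustration.

```powershell
# Added example (not from the article): score each risk treatment's actionability
# and place the risk on the CISO (rating) vs CIO (actionability) chart.
# Weights agreed in the stakeholder roundtable (the article's values, summing to 100%).
$Weights = @{ Culture = 0.20; Budget = 0.10; Staff = 0.35; Tech = 0.25; Compliance = 0.10 }

function Get-Actionability {
    # Weighted average of the 1 (difficult) / 3 (moderate) / 5 (achievable) rankings.
    param([hashtable]$Treatment, [hashtable]$W = $Weights)
    $total = ($W.Values | Measure-Object -Sum).Sum
    if ([math]::Abs($total - 1.0) -gt 1e-9) { throw "Weights must sum to 100%" }
    $score = 0.0
    foreach ($factor in $W.Keys) {
        if (-not $Treatment.ContainsKey($factor)) { throw "No ranking for $factor" }
        if ($Treatment[$factor] -notin 1, 3, 5) { throw "Ranking for $factor must be 1, 3 or 5" }
        $score += $W[$factor] * $Treatment[$factor]
    }
    [math]::Round($score, 2)
}

function Get-RiskRating {
    # The article's normalisation: impact * likelihood / 5 keeps the result on a 1-5 scale.
    param([int]$Impact, [int]$Likelihood)
    if ($Impact -notin 1..5 -or $Likelihood -notin 1..5) { throw "Impact and likelihood are 1-5 scores" }
    $Impact * $Likelihood / 5
}

function Get-Quadrant {
    # Top right of the chart (high rating, high actionability) is where the quick wins sit.
    param($Risk, [double]$Threshold = 3.0)
    $highRisk   = (Get-RiskRating $Risk.Impact $Risk.Likelihood) -ge $Threshold
    $actionable = (Get-Actionability $Risk.Treatment) -ge $Threshold
    if ($highRisk -and $actionable) { return 'Quick win' }
    if ($highRisk)                  { return 'Plan and fund' }   # matters, but a constraint blocks it
    if ($actionable)                { return 'Opportunistic' }   # easy, but low value
    'Defer'
}

# Constructed sample: the article's DSS05.07 rankings plus two hypothetical risks.
$Risks = @(
    [pscustomobject]@{ Ref = 'DSS05.07';  Impact = 5; Likelihood = 3; Treatment = @{ Culture = 3; Budget = 5; Staff = 3; Tech = 5; Compliance = 3 } }
    [pscustomobject]@{ Ref = 'EXAMPLE-A'; Impact = 5; Likelihood = 3; Treatment = @{ Culture = 1; Budget = 1; Staff = 1; Tech = 3; Compliance = 3 } }
    [pscustomobject]@{ Ref = 'EXAMPLE-B'; Impact = 2; Likelihood = 2; Treatment = @{ Culture = 5; Budget = 5; Staff = 5; Tech = 5; Compliance = 5 } }
)

# Rank so the most actionable treatments of the highest-rated risks come first.
$Risks | ForEach-Object {
    [pscustomobject]@{ Ref = $_.Ref; RiskRating = Get-RiskRating $_.Impact $_.Likelihood
                       Actionability = Get-Actionability $_.Treatment; Quadrant = Get-Quadrant $_ }
} | Sort-Object { $_.RiskRating * $_.Actionability } -Descending | Format-Table -AutoSize
```

For DSS05.07 the script reproduces the article’s 3.7 actionability score and a 3.0 rating (15 / 5), so it lands in the quick-win quadrant; EXAMPLE-A carries the same rating but scores 1.7, which is exactly the kind of equal-priority item the impact-and-likelihood table alone cannot separate.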


Action-oriented IT risk management is a straightforward extension to an assessment that can greatly improve the resulting mitigations. By being CIO Centric and prioritizing based on an organization’s constraints and IT capabilities, we accelerate time-to-value and risk reduction. It’s one more simple way to bridge the gap between audits and results.

Cross posted at CBI:

Configuring trusted keys and certificates (PCI-DSS)

PCI-DSS 3 requires that in-scope devices, like cash register computers or payment processing servers, accept only trusted certificates. Specifically, it states:

Protect Cardholder Data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
4.1(b) Are only trusted keys and/or certificates accepted?

Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection.

So, how do you do this in Windows?

First, view the certificates of all payment processing services and document the trusted root certificate for each. Add to this list of trusted root certificates those that are required for Microsoft Windows to function. (This list is documented here.) Create one master list of all certificates that should be accepted.

Second, open the local computer’s certificate store. (Control Panel > All Tasks > Administrative Tools > Manage computer certificates.) Under Trusted Root Certification Authorities, expand Certificates. Delete all certificate authorities not on the previously created master list.

Third, configure the computer’s web browser so that the user cannot continue to websites with untrusted certificates. This setting varies from browser to browser. In Internet Explorer, the settings are in Local Security Policy under:

Windows Components\Internet Explorer\Internet Control Panel
Prevent ignoring certificate errors

Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on warn about certificate address mismatch
Check for server certificate revocation
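Step two, the store clean-up, is the part most worth scripting so it can be rehearsed and repeated across registers. The following PowerShell is an added example, not from the original post: it compares the machine’s Trusted Root store against the master list from step one and reports, or with -WhatIf rehearses and then performs, the removal of anything not on it. The thumbprints in the list are placeholders, and the function and status names are the example’s own.

```powershell
# Added example (not from the original post): audit the Trusted Root store against the
# master list from step one and remove anything not on it.
# Constructed master list: SHA-1 thumbprints of the documented roots (payment processor
# roots plus the roots Windows itself needs). The values below are placeholders.
$MasterList = @(
    '0000000000000000000000000000000000000001'   # placeholder: payment processor root
    '0000000000000000000000000000000000000002'   # placeholder: root required by Windows
)

function Get-RootStoreReport {
    # Classifies every root in the machine store: on the list, on the list but expired,
    # or not on the list. Thumbprints compare case-insensitively.
    param([string[]]$Allowed, [string]$StorePath = 'Cert:\LocalMachine\Root')
    $allowed = $Allowed | ForEach-Object { $_.Trim().ToUpperInvariant() }
    foreach ($cert in Get-ChildItem $StorePath) {
        $status = if ($cert.Thumbprint.ToUpperInvariant() -notin $allowed) { 'NotOnMasterList' }
                  elseif ($cert.NotAfter -lt (Get-Date)) { 'Expired' }
                  else { 'Trusted' }
        [pscustomobject]@{ Status = $status; Subject = $cert.Subject
                           Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Path = $cert.PSPath }
    }
}

function Remove-UntrustedRoots {
    # Deletes the roots that are not on the master list. Supports -WhatIf so the change
    # can be rehearsed on a test register before touching production.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Allowed)
    Get-RootStoreReport -Allowed $Allowed | Where-Object Status -eq 'NotOnMasterList' | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Subject) [$($_.Thumbprint)]", 'Remove from Trusted Root CAs')) {
            Remove-Item -Path $_.Path
        }
    }
}

# Report first; review the output, then rehearse and apply the removal.
Get-RootStoreReport -Allowed $MasterList | Sort-Object Status | Format-Table Status, Subject, NotAfter -AutoSize
# Remove-UntrustedRoots -Allowed $MasterList -WhatIf
# Remove-UntrustedRoots -Allowed $MasterList
```

Run it from an elevated session, since LocalMachine\Root is writable only by administrators; an Expired status on a master-list root is the cue to go back to step one and re-document that processor’s current root.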

The computer will now accept only those certificates accepted for business purposes. Any invalid certificate will stop the transaction rather than allow the user to inadvertently continue. This configuration reduces the likelihood of man-in-the-middle (MITM) attacks, signed malware, and other attacks against the certificate infrastructure. In addition, the computer’s configuration is now in compliance with PCI-DSS 3 requirement 4.1(b).

Some additional thoughts:

Biggest Mistakes Companies Make with Data & Information Security

The fundamental mistake companies make with data security is…

Neglecting data governance.

Many companies lack the processes, policies, and standards for protecting data throughout its life cycle. How is new data added and classified? How are people given access, and how often is that access reviewed? Are the backups and redundancies sufficient given the type of data? How is data access monitored and reported on? Is sufficient data loss prevention in place to protect the company? And, once the data reaches its end of life, how is it gracefully retired? The companies that fail to think through the long-term implications of their data leave themselves open to security incidents and breaches.


Read the rest of the insights here:

Data Security Experts Reveal the Biggest Mistakes Companies Make with Data & Information Security

Guest on PVC Security

PVC is short for Passion, Vision, Communication (& Execution) and is a leadership podcast hosted by Ed Rojas (@EdgarR0jas) and Paul Jorgensen (@prjorgensen). I am a fan of both of their leadership styles, and was pleased that they joined us at BSides Detroit 14. (The talk Ed gave, for example, landed one guy a job and helped another guy launch his own city sec group.) Ed and Paul had me on the podcast to discuss leadership, grandparenting, my strange love of Excel, and the adhocracy that is MiSec.

They also got me singing the intro. So, there’s that. Listen to the episode on iTunes or catch it here: