By Alan Zeichick, Principal Analyst, Camden Associates
The Chief Information Security Officer’s job is to protect the business. How? By knowing technology, understanding risk – and being a good politician who can persuade others and justify the return on the technology investment. Here’s what two experienced CISOs have to say about the challenges and opportunities.
An organization’s Chief Information Security Officer’s job isn’t ones and zeros. It’s not about unmasking cybercriminals. It’s about reducing risk for the organization, for enabling executives and line-of-business managers to innovate and compete safely and securely. While the CISO is often seen as the person who loves to say “No,” in reality, the CISO wants to say “Yes” – the job, after all, is to make the company thrive.
Meanwhile, the CISO has a small staff, tight budget, and the need to demonstrate performance metrics and ROI. What’s it like in the real world? What are the biggest challenges? We asked two former CISOs (it’s hard to get current CISOs to speak on the record), both of whom worked in the trenches and now advise CISOs on a daily basis.
Things Move Too Fast for the CISO to See
To Jack Miller, a huge challenge is the speed of decision-making in today’s hypercompetitive world. Miller, currently Executive in Residence at Norwest Venture Partners, conducts due diligence and provides expertise on companies in the cyber security space. Most recently he served as chief security strategy officer at ZitoVault Software, a startup focused on safeguarding the Internet of Things. Before his time at ZitoVault, Miller was the head of information protection for Auto Club Enterprises, the largest AAA conglomerate with 15 million members in 22 states. Previously, he served as the CISO of the 5th and 11th largest counties in the United States, and as a security executive for Pacific Life Insurance.
“Big decisions are made in the blink of an eye,” says Miller. “Executives know security is important, but don’t understand how any business change can introduce security risks to the environment. As a CISO, you try to get in front of those changes – but more often, you have to clean up the mess afterwards.”
As an example, Miller described a scenario in which a corporate marketing department decides to partner with an external vendor for a mobile app that provides end customers with access to their accounts and purchase history. However, he says, “There are a lot of moving pieces needed to set partnerships like this up structurally. If the app and access aren’t done properly, it opens up a hole in the environment.”
Unfortunately, Miller says, in many organizations, the CISO has not been in the loop – doesn’t know about the project, doesn’t help vet the third-party vendor, doesn’t write or review requirements, and doesn’t validate that such requirements are followed. “Too often, the CISO isn’t involved until after the contract is signed,” he says, and even then, it may not be until the app is deployed… possibly introducing security flaws.
Justify the Expense for Minimizing Risk
Another CISO, Ed Amoroso, is frustrated by the business challenge of justifying a security ROI. Amoroso is the CEO of TAG Cyber LLC, which provides advanced cybersecurity training and consulting for global enterprise and U.S. Federal government CISO teams. Previously, he was Senior Vice President and Chief Security Officer for AT&T, and managed computer and network security for AT&T Bell Laboratories. Amoroso is also an Adjunct Professor of Computer Science at the Stevens Institute of Technology.
Amoroso explains, “Security is an invisible thing. I say that I’m going to spend money to prevent something bad from happening. After spending the money, I say, ta-da, look, I prevented that bad thing from happening. There’s no demonstration. There’s no way to prove that the investment actually prevented anything. It’s like putting a “This House is Guarded by a Security Company” sign in front of your house. Maybe a serial killer came up the street, saw the sign, and moved on. Maybe not. You can’t put in security and say, here’s what didn’t happen. If you ask, 10 out of 10 CISOs will say demonstrating ROI is a huge problem.”
Contributing to that is the relative immaturity of the cybersecurity field – unlike with, say, marketing or research & development, there’s no standard for how much a company should spend on information security, Amoroso says. “Manufacturers know how much to spend on supply chain. How much should you spend on security, on sustainability? Nobody knows. This is a new field, only 20-30 years old. Sometimes you can justify that the security budget should be 5 times bigger – maybe it should be 5 times smaller. The industry is arriving at metrics, but there’s no agreed-upon rule of thumb” that you can present to the CEO or CFO.
Jack Miller’s take: “The ROI conversation most often comes up with a business unit with a new project. So, just calculate the costs for security for that new project, and roll those expenses into the project budget. After all, the business unit must justify the full costs for that project, which includes security.”
His advice: Embed security costs into projects, rather than look at security as a separate issue. “Security is part of the cost of doing business. If a project’s budget can’t justify its security costs, then executive management needs to fully understand the risks the project brings and be willing to accept those risks before letting the project move forward.”
False Positives – Both Good and Bad
Sometimes the security team gets told about an alert – and that alert turns out to be nothing to worry about. That’s a false positive; it’s a nuisance, and if there are too many, the staff might stop paying attention. It’s like a smoke detector that sounds the ear-splitting horn every time someone has a shower or makes a piece of toast. On the other hand, there are false negatives: times when the security system examines an email attachment, or an authentication attempt coming through the firewall, and determines that it’s safe… when it is not safe at all, but is in fact malware or a hacking attempt.
Ed Amoroso thinks that the oft-discussed flood of false positives from a Security Information and Event Management (SIEM) is “a totally bogus issue.” At home, if someone walks up your driveway and peers in your window, he says, you might get alarmed. At the public library, it’s curious, but no big deal. At a retail store during the day, it’s window shopping and a good thing. If it’s a nuclear power plant, bring out the Dobermans and guards, he says. “If you’re the CISO for a nuke plant, you should have a gigantic false positive rate and investigate every anomaly. If you’re the CISO for a public library, you can relax. It’s a business decision. A high false-positive rate might be exactly the right thing for your business.”
Meanwhile, Jack Miller is more worried about false negatives – that is, missing actual attacks. “From a security perspective, we want to be better safe than sorry. Err on the side of protection. Work to minimize the false negatives, so you don’t miss an incident. Unfortunately, this approach can create a high number of false positives, and while a false positive is not an incident, too much noise makes it hard to identify and respond to the real events and often results in a small event, which could have easily been contained, turning into an actual security incident because it wasn’t responded to quickly enough.”
Miller continues: “However, if you tune your security systems in order to minimize false positives, your false negatives will usually increase resulting in too much bad stuff getting through or not being alerted on. We need better tools, ones that have both low false negative and low false positive rates. Remember, alerts don’t resolve problems. The response resolves the problem. If you can’t address the alerts, you haven’t solved the problems.”
Really huge organizations, and service providers, must have a very diligent approach: they obviously have the wherewithal to make a fuss about every little thing and thoroughly investigate every single alert. A typical enterprise can’t.
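The trade-off Miller and Amoroso describe can be made concrete with a toy detector. The following Python is an added example, not code from the article or from any vendor it mentions: a threshold-based failed-login detector is run over constructed, syslog-style auth lines (the IP addresses, usernames and the “ground truth” set of attacking sources are all invented for the demo) and scored at two alert thresholds, so that lowering the threshold to catch the low-and-slow source also surfaces a benign user who mistyped a password, while raising it silences that noise at the cost of a missed attacker.

```python
"""Alert-threshold tuning demo (added example, not from the article).

A failed-login counter is evaluated against constructed ground truth at a
sensitive and a quiet threshold to show the false-positive / false-negative
trade-off in numbers.
"""
import re
from collections import Counter

# Constructed auth log lines (not real data).  10.0.0.6 is a legitimate user
# who fumbled a password four times; 203.0.113.10 is a low-and-slow attacker
# that only tried three times.
CONSTRUCTED_LOG = (
    ["sshd: Failed password for alice from 10.0.0.5"] * 2
    + ["sshd: Accepted password for alice from 10.0.0.5"]
    + ["sshd: Failed password for bob from 10.0.0.6"] * 4
    + ["sshd: Accepted password for bob from 10.0.0.6"]
    + ["sshd: Failed password for root from 203.0.113.9"] * 12
    + ["sshd: Failed password for admin from 203.0.113.10"] * 3
    + ["sshd: Failed password for carol from 10.0.0.7"]
)

# Ground truth an analyst established after the fact (constructed).
KNOWN_ATTACK_SOURCES = {"203.0.113.9", "203.0.113.10"}

LINE_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")


def failed_logins_by_source(lines):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in lines:
        match = LINE_RE.search(line)
        if match and match.group(1) == "Failed":
            counts[match.group(3)] += 1
    return counts


def alert_sources(lines, threshold):
    """Sources that would raise an alert at the given failure threshold."""
    return {src for src, n in failed_logins_by_source(lines).items() if n >= threshold}


def evaluate(lines, threshold, attack_sources):
    """Score the detector at one threshold against the ground-truth set."""
    alerted = alert_sources(lines, threshold)
    return {
        "threshold": threshold,
        "true_positives": len(alerted & attack_sources),
        "false_positives": len(alerted - attack_sources),
        "false_negatives": len(attack_sources - alerted),
        "alerted": sorted(alerted),
    }


def compare_thresholds(lines=CONSTRUCTED_LOG, attack_sources=KNOWN_ATTACK_SOURCES,
                       thresholds=(3, 5)):
    """Evaluate the detector at each threshold; sensitive first, quiet second."""
    return [evaluate(lines, t, attack_sources) for t in thresholds]


if __name__ == "__main__":
    for result in compare_thresholds():
        print(result)
```

At threshold 3 the detector catches both attacking sources but also flags the fumbling user (one false positive, no false negatives); at threshold 5 the false positive disappears but the low-and-slow attacker is missed (no false positives, one false negative). Which of the two is “right” is exactly the business decision Amoroso describes: the quiet setting is fine for the library, the sensitive one is what the power plant wants.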
For his part, Miller advocates for organizations using managed security service providers as part of their security setup. “Most businesses are better served letting a service provider do it for you – hire an MSSP, you just need to watch them closely to ensure they are actually providing the level of service you bought.”
The Need for New Security Products and Technology
Both Miller and Amoroso see the need for enterprises to adopt new security technologies to stay ahead of the game. To Miller, the huge threat is the Internet – and what happens when ordinary employees, that is end users, access the Internet.
Two security platforms have caught Miller’s eye. The first is from Menlo Security, which offers an isolation platform where end users’ browser sessions are executed remotely, but securely, in a cloud platform. If the website, plug-in or advertisement is malicious, the cloud isolation platform stops it from doing any harm. And if the website attempts to gather personal information, such as banking records, the Menlo Security platform will detect whether the website is genuine – and if not, block the user from divulging critical data.
“If you look at the job of a CISO as managing risk, the most effective way to manage risk is to eliminate the risk,” explains Miller. “That’s what I love about Menlo Security, their web isolation solution takes this approach. Instead of trying to identify good from bad, they simply eliminate the risk. It’s like in a bank: Why worry about trying to identify which people entering the bank want to rob it if you can put bullet-proof glass between the people entering the bank and the tellers, eliminating the risk to the tellers of someone walking up to them and threatening with a gun? That’s what Menlo has done for browsing the Internet. It’s like bullet-proof glass for surfing the web.”
The other company that impressed Miller is SlashNext, which is used in situations where it’s impractical or infeasible to work through an isolation platform. In those cases, SlashNext creates a secure sandbox for websites and applications to run in – but one which is more secure, and which detects and blocks what signatures, next-gen firewalls, anti-virus and even other sandboxes miss.
Miller explains, “SlashNext’s founder had developed sandboxes at another company, and saw that while bad guys have learned how to circumvent sandboxes, human security researchers could still spot the malicious activity. He then built software that does what that human expert would do. Their system is like having your own army of security researchers working for you in the cloud, at wire speed.”
How is SlashNext different? According to Miller, unlike other network-based security solutions, not only will SlashNext identify zero-day malware and exploit code attacks, it will also identify and block social engineering attacks like credential theft as well as data exfiltration attacks and call backs, with no false positives. “While isolation is a great approach, there are situations where you can’t or don’t want to isolate, so you can use SlashNext to protect those types of sessions.”
Prepare to Get Fired
“I tell every CISO that if you’re going to take a security job, you have to be willing to get fired,” advises Ed Amoroso. Don’t play it safe, he says. “Retention of your job can’t be a primary goal — you’re there to make substantive risk decisions. If you’re the person who has to provide security guidelines, there’s no option for saying that it’s optional. You can’t think, ‘I want to keep my job so I won’t make waves.’”
Don’t back off your zeal for risk management, Amoroso insists. “Be the noisiest voice in the room. If you’re a little timid and don’t want to go toe-to-toe with an exec, you’re in the wrong business. You can’t be a CISO if you’re unwilling to accept conflict.” Or create conflict, in some cases.
Jack Miller agrees. “CISOs need two qualities. They need to understand technology since cybersecurity is a tech problem. They also need to be a politician. You have to motivate those people to do what you need them to do.”
How? Miller explains, “Learn what’s important to the other execs, and let them see that you’re not hindering them from reaching their goals. Instead, you are trying to help them be successful. If you can’t show that, if you don’t know how to motivate people, you will be seen as a roadblock. You will never be successful.”
Get the Job Done
It’s not easy being the CISO. You need to be a politician, be willing to be the loudest voice in the room, and try to build security into every decision – while being seen as someone who wants the business to be nimble and successful. It’s a management job, a business job, but as Ed Amoroso and Jack Miller explained, it’s also a technical job that requires knowing about the latest technologies for isolating users from the Internet, or actively protecting them when isolation is not practical, and also knowing how to safeguard virtual workloads running in the cloud. It’s a hard job, especially with a tight budget, worries about demonstrating ROI, and a small staff. But it’s arguably the most important C-level job in the modern business.
Alan served as Editor-in-Chief of LAN Magazine and was the founding editor of Network Magazine, which later merged with CMP’s Network Computing. He also founded BZ Media’s SD Times, the world’s leading publication for software development managers. Today, Alan is President and Principal Analyst of Camden Associates, a bespoke analyst firm in Phoenix, Arizona, that focuses on enterprise IT. Alan is a regular contributor to Network World and other online publications.
Success beyond voice: Contact centres supporting retail shift online
As the nation continues to overcome the challenges presented by COVID-19, customers have shifted their channel preferences, and contact centres have demonstrated typical resourcefulness in adapting rapidly and maintaining uptime. It has been a steep learning curve, as they not only learn to operate digitally, but also build an understanding of consumers’ new shopping behaviours.
The closure of stores meant demand for customer service escalated, resulting in long telephone wait times, and consumers quickly realised that they could switch to online channels to fulfil their customer service needs. As a response to this change in channel preference, some providers quickly ramped up chatbots, social channels and private messaging apps. For example, recent research conducted by the CCMA (Call Centre Management Association), in partnership with Puzzel, revealed that some brands opened up their direct messaging channels on social media for the very first time, in a bid to ensure support across popular channels such as Facebook and Twitter. For others, the pandemic underscored the value of migrating customer interactions to self-service channels to manage demand and ensure customer service advisors’ time is directed to problems that customers cannot solve themselves.
Faced with severe constraints in many aspects of their everyday lives, consumers have been grateful that contact centres remained open for business. Even with longer wait times, many contact centres reported skyrocketing customer satisfaction ratings due to lowered customer expectations. As the new normal starts to take hold and customer expectations revert, now is the time for contact centres to implement the right strategies to ensure customer satisfaction ratings are maintained.
Jonathan Allan, Chief Marketing Officer, Puzzel, comments, “The short term reduction in customer expectations, which is driving increased customer satisfaction scores, will return to previous levels once we’ve all adapted to a new way of living. The accelerated move to online services and digital channels is, however, here to stay. Now, there is an increased expectation from consumers to receive support on social media, or to initiate a web to chat to receive immediate consultation or to book an appointment.
Allan continues, “Adapting to this multi-channel environment has become a necessity, not a nice to have, and relying on voice or email alone is no longer tenable. Customers expect to be able to initiate contact through their channel of choice, and to be able to start a conversation in one channel and seamlessly move between others. As customers’ expectations continue to rise, orchestrating these interactions is essential to ensure the most positive customer experiences, and enable the optimal selection of channels to drive efficiency and satisfaction. As customer behaviour changes for the long term, it is no longer viable to rely on only one channel for customer service as seamless customer experience becomes key to ensuring customer retention.”
7 Ways to Grow a Profitable Hospitality Business
The hospitality industry is a multibillion-dollar industry with lots of career opportunities in hotels, theme parks, restaurants, country clubs, etc. It is one of the fastest-growing sectors as a lot of industries are involved in it.
Though it can be very profitable for aspiring and established entrepreneurs, it can get challenging as it requires charisma, drive, and innovation to ensure you can meet your customers’ demands. Growing a hospitality business for profit requires a lot of thought and innovation. In this article, we’ll look at some practical ways to grow a profitable hospitality business.
1. Yield Management
Yield management refers to anticipating, understanding, and influencing your customers’ behavior to increase your business revenue to the max. This principle was first used in the hospitality industry in the late 80s. The main objective of yield management is not just to increase your rates or occupancy; instead, it involves forecasting your business’ supply and demand through different key factors to maximize your revenue. Let us consider some yield management examples. If you have a hotel, yield management will allow you to maximize the profit you can make from a specific number of rooms that must be sold on a deadline.
Another example is if you have a hotel located next to an event center or stadium, you will charge more for rooms than you do on a typical weekday or weekend during a conference or sporting event. Yield management involves targeting the right customer at the right time and selling for the right price.
It involves using gathered data to understand your customers and their sensitivity to pricing and combining that with seasonal demand. High demand, seasonality, and special events can allow you to alter your rates to increase revenue. Though the idea isn’t to increase rates only, it also involves attracting the right customer at the right time.
Yield management allows you to make more profit from your existing inventory.
2. Create a Website
Your hospitality business should have a well-maintained website as it adds to the first impression prospective customers have when they check out your business. For example, if you have a vacation rental, you can hire a competent web designer or a web design company to help you build a vacation rental website. Also, customers can make bookings through your website if you have one, and this will help you save more money as you will not have to rely on listing channels to gain customers.
Though listing channels can help you get bookings, you’d have to pay a commission and follow transaction terms that you do not set. When you have your own website, you’ll have more control over how you present your business to customers. You can display a photo slideshow with high-resolution images of the property or add other enticing features that will help you gain more customers. A professional website gives your business a professional image while making it more visible online.
3. Maintain and Improve the Quality of Your Service
The hospitality industry is a highly competitive one, so it is important to stay on top of your game to gain more revenue. If your business is reputable for providing quality service, then you should maintain that standard. You can check out your competitors to get ideas on how to improve your service and set your business apart. This is very important as the reputation of your hospitality business is primarily determined and affected by your quality of service.
If your customers are satisfied with your quality of service, they are more likely to recommend you to prospective clients. To get more ideas on how to improve your service, you can check the online reviews about your business. Check what your past clients have said about their experience, what they like, what they dislike, and any improvement they might suggest. Once you improve your service quality, new and old customers will be willing to pay more even if you increase your rates as they will get enough value for their money. To grow a profitable hospitality business, you should be ready to offer more value than your competitors.
4. Have an Active Social Media Presence
This is a great way of making your hospitality business more visible online. It is also a means of reaching prospective clients. Apart from creating and maintaining a website, you should have an active presence on Facebook, Twitter, and Instagram.
These are where a bulk of your prospective clients are, and most brands take advantage of this. Nowadays, brands and businesses employ social media handlers that stay in charge of their social media pages. They are responsible for creating content and interacting with customers and prospective clients on social media.
You can post images and videos of your property on social media to attract new customers. Another way you can grow your business on social media is through sponsored ads. Most social media platforms offer various forms of advertisements at a reasonable price.
With sponsored ads, you have a higher chance of getting new customers or driving traffic to your website as you’d be able to reach a wider audience.
5. Create a Rental Agreement
If you are fully managing your business, then oral agreements with customers may not be enough. Your clients may have some assumptions about the terms and conditions or interpret the rules and regulations differently.
Sites like Airbnb can take care of this for you if you are not fully managing your rentals. For example, you can easily create an Airbnb house manual visible to prospective clients once they click on your property.
To avoid misconceptions and misunderstandings, you should create an agreement that will be visible on your website or any booking medium you prefer. Your guests will sign this agreement and protect both you and the guest if there is a dispute.
Though the terms and conditions may vary depending on the type of hospitality business, you can consult a business attorney for verification before using the agreement for your business.
A rental agreement should include information about the property, rental party details, occupancy limitations, the minimum stay requirements, house rules, rates and additional fees, cancellation policy, payment details, and the customer’s signature.
You can add other details and terms depending on your type of business. Creating a rental agreement is an excellent way to ensure your hospitality business runs smoothly as it makes it easier to prevent and resolve disputes between you and your customers.
6. Make the Booking Process Easy
A complicated or strenuous booking process is likely to discourage new clients from patronizing your business. Firstly, your hospitality business should have an online booking and buying platform.
A large percentage of people prefer to make bookings online. If your business does not have an online booking platform, you are bound to lose a lot of customers. If you choose to use listing sites or booking platforms, make sure the platform is reputable and offers good customer service.
If you use your website for reservations, then customers should be able to make a booking with simple steps. The required information boxes should not be excessive.
The less time your guests spend booking, the better. You should include additional informational text to help your guests through the booking process. Before your booking system goes live, ensure you pre-test it to make sure it’s hitch-free. Also, you can create a mobile app that allows your guests to make bookings and other transactions.
7. Keep in Touch with Your Customers
Apart from gaining new customers, a good way to grow a profitable hospitality business is retaining valuable customers. Guests will value a company that can offer a personalized experience.
If your guests can get a personalized experience, they are more likely to make more bookings or refer your business to others. Always interact with your guests on a personal basis. You can send emails or appreciation messages after a successful booking.
You can also refer your customers to your social media pages or ask them to sign up for your newsletter if they prefer to. Though you shouldn’t spam your customers with ads or emails, ensure you send information periodically about new offers, promotions, or other relevant details.
This will help keep your business on your customers’ minds, thereby increasing the chances of having repeat bookings. Once you identify your most valuable customers, you should try to keep the communication lines open. Also, you can ask for referrals or recommendations from your long-term customers.
As we have previously stated, the hospitality industry is very competitive. You need to come up with creative ways to market your business. To ensure you get a steady flow of revenue from your hospitality business, ensure you follow these tips we have given above. Apart from these, always be on the lookout for new trends and innovations in the hospitality industry to help you stay on top of your game.
This is a Sponsored Feature.
Finding and following your website’s ‘North Star Metric’
By Andy Woods, Design Director of Rouge Media
The ‘North Star Metric’ (NSM) is one of many seemingly confusing terms to come out of Silicon Valley but its message is simple and universal.
It refers to the single metric businesses use to guide activity, drive key decisions and measure success. And while it may seem naïve on the surface, to boil business success down to a single metric, there is a method to the apparent madness.
It doesn’t mean businesses simply ignore all other performance data but instead measure it against the overarching goal they’re working towards.
Here’s how businesses can create their own North Star Metric and follow it to website success.
What is a North Star Metric?
The idea of a North Star Metric is to focus on the goal which delivers the most value for the business and its customers.
It’s a popular strategy adopted by successful businesses around the world. For example, Spotify set its North Star Metric as ‘time spent listening’, while Amazon focused on ‘purchases per month’. Every business decision was then geared towards increasing these metrics.
For the business, this increase means greater advertising revenue and sales, while for users, spending more time using the service or making more purchases shows the platform is meeting their needs.
Chasing this North Star Metric sees businesses align their efforts towards a single goal. For ecommerce businesses, this means sales and marketing activity is aimed at taking users to the website, where service experts provide relevant content and information and website designers add natural calls to action.
Finding the North Star Metric for your website project, whether it be sign-ups, purchases or more time spent on site, allows the whole team – plus your agency, if you work with one – to move in the same direction.
What does a successful NSM look like?
Nominating your NSM before undertaking a website project allows you to focus all your efforts in design, functionality and content on delivering your goal.
However, some businesses may have been operating for years with a North Star Metric that isn’t quite right. If you’ve been focusing your efforts towards a goal which isn’t driving value for the business or customers, and for which you struggle to measure impact, you may need to switch focus.
Key considerations for making sure your NSM delivers a positive impact for your business include:
Generating engagement: the internet is full of businesses fighting for custom and users don’t owe them anything. If a website doesn’t give them what they need, they can find one that does within minutes.
Solving consumer challenges: Customers want a product or service that solves their problems and they want it now. Does your website contain information that answers their questions? Does it call out the key features of your product or service that makes their life easier?
Building trust: The chances are, many businesses offer a similar product or service to you. Customers need to know your business is trustworthy if they’re to part with their cash. Case studies, awards and user reviews are examples of content which can improve your brand authority.
Finding your website’s NSM
Identifying your NSM doesn’t mean picking a goal that sounds good in the boardroom. It needs to be a targeted, realistic and measurable goal.
Dial-in on your NSM by answering these three questions:
What is the single most important thing your website should deliver? The answer to this should be simple and obvious – more sales, sign-ups, downloads or leads.
What do users want from the site? You’re likely to have many users, so try to identify your main three here. What are they looking for when they enter your site? Advice, a product, a follow-up from an employee?
Which metrics tie together the above? You need to be able to measure your performance in answering these questions. If you’re after more leads, monitoring on-site user data – like time spent on site and number of pages visited – gives you an indication of what users want and how well you’re meeting their needs.
There are many questions to answer when finding your NSM. A useful way to arrange the information is in a visual hierarchy. Place your NSM at the top, with the answers to these key questions as branches.
Breaking it down into a visual flow chart like this also helps with gaining crucial buy-in from the whole business, with teams visualising how their role fits into the wider goal.
As your business grows and industry and user demands change, you may need to adapt your NSM.
If you’ve been working towards an appropriate NSM, it may only need tweaking slightly. For example, as a start-up, your NSM may have been building awareness by generating more leads. After a few successful years, the business may decide to switch the focus from leads to online sales.
While the metric changes slightly, the original strategy has already laid the foundations for the new goal, with your website designed to drive traffic and provide helpful content to inform users’ buying decisions.
Using analytics data, businesses can make changes to their website to align with their changing goals. Look at how users are behaving on your site. Are there ways you can encourage them to convert or sign-up?
This data helps you understand where to add calls to action or how to improve website design and functionality, so completing a form becomes a natural part of navigating the site and accessing content.