C-Suite Network™

Categories
Marketing Personal Development Technology

Are You Missing the Third Kind of Search Marketing?

Most marketing teams know about Search Engine Optimization (SEO) and Pay-Per-Click (PPC). You have teams devoted to getting searchers to your site from Google and other search engines. But what happens after they get there? Do you focus just as strongly on getting them to convert? Do you focus on the third kind of search marketing–site search?

Site search–that box in the upper corner of your website–finds pages on your own site. It’s a critical way to convert those searchers who find your site into customers. Here’s why–the folks who search on your site are your most qualified visitors. Think about it. If you land on a website and don’t find what you are looking for, you probably bounce back to Google and search again. But what if you really want to buy from that company? What if you really think that company has what you are looking for? You stick around and perform a site search.

That’s why reports show that site searchers have conversion rates anywhere between 43% and 600% higher than those of other site visitors. So, the question becomes, “What would they find with your site search?” Would they find their answer? If you’ve been ignoring site search, probably not.

If you’re spending precious resources on attracting searchers to your site because you know your customers use search, why would you ignore site search once they get to your site? But most companies do.

Get ahead of your competition by focusing on the third kind of search marketing, site search. Instead of just attracting searchers to your site, you will turn searchers into customers.

Categories
Best Practices Growth Management Personal Development Technology

Culture of Security

After a decade as an information security (a.k.a. cybersecurity) consultant, I had seen too many people who were just hanging in there or counting down the days till Friday. I started to take a great interest in company culture and employee engagement and I wanted to figure out how to solve this problem, especially as it related to the security professional.

Just as company culture and employee engagement can make or break an organization (are employees happy to come to work and engaged, or are they looking for their next opportunity?), the culture of security, or lack thereof, can make or break an organization in terms of whether it stays in business or loses everything to a hacker, security breach, or internal error.

One unpatched desktop or one phishing email is all it takes for the hacker to get started in successfully breaching an organization. How easy or difficult this is has to do with the culture of security. This article is not meant as a scare tactic; it is purely a reminder of, or maybe a new way to think about, the importance of having a culture of security.

There is an old Chinese proverb that I believe really says a lot about culture (of any kind), “the fish rots from the head.” If the top leaders in an organization are not serious about security or do not understand its importance, how can anyone else in the organization take it seriously?

Here are three questions you can start with to determine whether you have a culture of security. If you can answer yes, you have started the process of creating a culture of security; if you say no, then you know where to start if you want to create this culture.

  1. Have you set, and do you regularly communicate, clear expectations that security is a priority and non-negotiable?
  2. Do you expect your executives to stop projects, even the important ones, if security is not implemented?
  3. Do your employees at all levels know what to do in different scenarios, such as how to recognize a possible breach, attack, or error and how to report it?

I have seen projects implemented without security because the project was a high priority initiative from the C-Suite or the board. I’ve seen the business side win over the security side again and again where the security side had to compromise because the business was not going to budge. The fact that I’m even putting these two groups on sides shows that in many organizations there is no culture of security, because if there were, they would be working together to ensure that the business had what it needed while at the same time doing it in a way that is secure.

Part of a culture of security is having the best team possible, showing the organization that this is important by bringing in the best and not understaffing the department. It is also having a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) who reports to the CEO and not to the Chief Information Officer (CIO). Too many organizations still have the CISO reporting to the CIO, and if the CISO does not have the same importance as the CIO, what message is that sending? Plus, if the CIO does not like what the CISO is saying because it could negatively impact a project, how easy is it to stop the security concern from going further up the chain of command?

The culture also includes a way to report security incidents or suspicions without repercussion. If someone thinks there is an insider threat, they need to have a way to communicate that for follow-up. If someone clicked on the wrong link and thinks they are the victim of a phishing attack, they need to be able to report that without fear of reprisal.

Does the CISO have the team he or she needs to offensively and defensively protect the network? How about the team outside of security: are the developers trained in secure coding, and do project managers have enough information to know when to get help from security and who to talk to? Are there enough resources for the security team to do their job properly? This is an ever-changing landscape and the hackers have unlimited resources while organizations do not. However, there has to be some budget for the security team to stay sharp and up on the latest trends.

Hiring great security people is a challenge because there are more security positions than qualified people right now and it is a field filled with adversity. Security professionals only get recognized when there is a problem, and that recognition is not positive. When the security team does its job well, which means there has been no security violation or breach, no one notices; it seems like “business as usual” to everyone else. As a result, security professionals often don’t get any praise or recognition for what they are doing well and only get the spotlight when something has gone wrong.

That is not a great frame of mind for most people to work in, and after time, after putting out fires, racing against the clock, and doing everything to protect the network, there is no recognition. Security professionals are getting burned out and they are ready to move on when they do not feel that there is a strong culture of security. That combined with the current gap in qualified professionals and number of positions available makes it even harder to maintain security for organizations.

Culture, any type of culture, starts at the top. If you are responsible at any level for the success of your organization and have not given the culture of security much thought before, that’s OK; it’s not too late. And if you need help, want to discuss your specific situation, or are looking for additional resources, email sharon@c-suiteresults.com.

Categories
Growth Management Personal Development Technology

Whose Side Are You On? The Cyberwar Question

In every war there are two sides, whether we are talking about military action, a football game, or the fight against cybercrime. What all these scenarios have in common is that some people are on defense and others are on the offensive side of the line. You are either the predator or the prey.

Since I am not writing for the Army generals or the New England Patriots, let’s talk about cyber attacks and which side you are on.

You are probably thinking I’m on the good side, the side that is defensively protecting my network, the side that is always under attack even though I never did anything to provoke it. And I’m here to say that might only be partially true.

If you are not fully committed to doing everything possible to stop the cyber attackers, you might actually be unwittingly helping them more than you realize.

If you are not keeping your network secure, you are inviting hackers to use your network as a playground. A place where they can find vulnerabilities and practice exploiting them. A place where they can see what works and what doesn’t, what goes undetected and what gets noticed. If you are not creating secure websites and applications, you are giving the hackers more to learn from so they can then use it against other organizations.

Once they are inside your network, you are also giving them a place from which they can launch their next attack. If the breach goes undetected in your network, which breaches most often do, they can launch an attack on someone else and make it appear to investigators that you are the perpetrator, not them. And if you are connected to another organization’s network, you might have just opened the doors for the attacker to gain access to them, as we saw happen with the Target breach.

The attackers are fully vested in finding new ways to attack and get what they want, and if you are not equally fully vested in a security program, you are letting them win without putting up much of a fight. Just as you wouldn’t expect the US military to show up without a battle plan or for your favorite football team to show up without a game plan, it makes as little sense for a company or organization to show up without a security plan solidly in place.

If you are the CEO of an organization, you are responsible for what happens under your care. That means you are responsible for security and any breach that might occur. I’m not saying you personally have to be the one to figure out how to protect your network and the data that has been entrusted to you. You don’t personally have to monitor the network and know exactly what is happening at all times, but what I am saying is that you are responsible for ensuring you have the right people to do this, that they have the resources they need, the best strategy, and that a culture of security is in place.

Stay tuned for the next three articles in this series that will discuss culture of security, ensuring you have a security strategy, and having the right security resources.

As a 12-year veteran of the information security and compliance space, I invite you to send me an email at sharon@c-suiteresults.com or reach out via LinkedIn https://www.linkedin.com/in/smithsharonj/ to ask any questions you might have on this topic or other security topics that might (or should!) be keeping you up at night.

Categories
Management Marketing Skills Technology

The Social Devolution of Business

Since the mainstream takeover of the social networks in 2008, every small business owner has been nudged, persuaded and cajoled into adopting a presence on all major platforms, and for many the results are perhaps not what you may expect.

We all hear and read of the massive success achieved from the small independent business that blew up from their inspiring Instagram account or the personality-led business that became an overnight success with their viral YouTube channel. These meteoric results create a desire that you must heavily invest in your presence on social media to have any success in a modern business landscape. The reality is, many small businesses are performing mass self-sabotage from their current efforts and their involvement in social media marketing is causing their business to go backwards.

Before I get into the dangers I want to make a very clear and simple point. I am a HUGE supporter of how digital marketing and social networking can have a MASSIVE positive impact. It is just the practices that I see adopted by the masses are quite frankly embarrassing.

The primary problem is that the “dark-arts” and “ninja tactics” orchestrated by some of the world’s most creative marketers have delivered results beyond expectation and suggested to the masses that these tools provide the answer, missing ingredients or short cut to success. So much so that they now have forgotten many of the core principles of building a business.

In all of my experience to date, the one thing that has been the single driver of every single successful venture, project or campaign has been the following of my personal mantra for success.

“Do the basics, to a high standard, consistently.” 

What is happening in thousands of businesses right now is that the core principles of sales are being forgotten in favor of rolling the dice with the next magic campaign, social post or viral video attempt looking for short-term success.

In the real world, there are no short cuts and developing a sustainable customer base is created over time and built on trust.

Business developers know that questions lead to conversations, conversations create relationships, relationships create opportunities and opportunities result in sales.

Slowing the process down often speeds the outcome up. I often draw comparison here as looking for a partner for life as opposed to sex on the first date.

Back to the self-sabotaging behaviours that are costing businesses a fortune.

1. Pissing in the Wind

I do not understand why thousands of independent business owners rush to build their social platforms, invite a handful of friends to like or follow their page and then never plan anything else to build their audience. Worse than this they spend fortunes on creating graphics and then invest bucket loads of time into collating and creating content to post regularly and nobody is listening! They are just pouring productive time and effort down the drain and could have gained more success by opening their front door and shouting their offers into the street!

2. SPAM

We are all in the “people” business and to gain true influence it is important that both visibility and credibility are established before any opportunity to do business ever exists. Yet daily the prior trend of spamming people’s email inbox has been replaced with sending 500 word messages with links to videos or squeeze pages via Facebook messenger, direct messages or as an auto-response to a new follower. Please, please pretty please can people put a stop to this blindly unsophisticated intrusion of privacy and if you have something that may benefit me – please get to know me a little first.

3. IDGAF

I am pretty certain that most people do not want to read some of the mindless drivel that people are sharing on their social streams. Ask yourself before you hit the “post” button, will this represent me and my brand well? Can people engage with it? Does it serve others? Everybody now has the ability to be a full media production unit – great that you can be the journalist, please do not forget that you need to hold the role of editor too! In this age of information we are awash with content to consume – if you want yours to stand out then please make it good enough.

4. Egocentric Results

Yes, you are the most important person in your life – I get it! Unless you are Kim Kardashian, Donald Trump or Selena Gomez then the likelihood of people being that concerned about what is happening in your world is slim to none. Make your contact about your audience, understand them and provide them with things that serve their life, make their day easier, and things they love to talk about.

5. Aimless Distraction

Whether it is the thumb on your iPhone, the index finger on your mouse wheel or two fingers on the trackpad, the action of mindlessly scrolling through the sea of nonsense on your social walls is causing a tragedy in lost productivity. For many a home-based worker, high-payoff activity such as prospecting, serving customers and planning marketing campaigns has been replaced with the vacant distraction of the soap opera of social media.

This article is delivered with the purpose of holding up a huge STOP sign and helping you to re-evaluate your activity and ask yourself if it is really working and genuinely driving results or is it simply draining from your limited resource and standing in your way of building a solid business foundation.

Perhaps the shift could move back to understanding the biggest value in these tools is how they can increase productivity, reduce geographic constraints and accelerate the building of new relationships.

Build your audience, serve your audience, engage with your audience and be prepared to bring the conversation “offline” and work the old fashioned way if you would like to see some true returns.

And if you can’t wrap your head around it to make it pay for you, stop it and get back to delivering the basics, to a high standard consistently.

Categories
Growth Management Personal Development Technology

Right of Boom – Planning for Post Breach

At this year’s (2017) International Information System Security Certification Consortium (ISC2) Security Congress, we heard a keynote from Juliette Kayyem. She is the former Assistant Secretary for Intergovernmental Affairs at the Department of Homeland Security under the Obama administration. She not only talked about the importance of being prepared in order to stop attacks, but also being prepared for what she called “Right of Boom.”

Right of Boom is what you do after an event (attack or mistake) has occurred, whether it be a bombing like the Boston Marathon, a mass casualty event caused by system malfunction like the BP oil spill, or a cyber incident. The event is the Boom and what comes next is Right of Boom (picture a timeline).

This article is focused on Right of Boom planning for cyber security. Whether you are an executive responsible for security and/or IT or an executive outside of this area (CEO, COO, CFO, CMO, etc.), this matters to you because at the end of the day it could mean the survival of your business.

You can plan all day long to stop a cyber attack or incident through vulnerability and risk management, good secure coding practices, and security awareness training, but you can’t stop it all. There will always be an attacker one step ahead at some point in your journey, whether because they just have more resources and time than you do, or one of your employees simply makes a really big mistake.

Since you can’t stop it all, you must plan for Right of Boom, what you do after the attack, which will be the difference between staying in business and maintaining a good business reputation, or going out of business. Even if you don’t go out of business, the way you handle Right of Boom could be the difference between a few million dollars spent in recovery and notifications and a few billion dollars spent.

Planning for Right of Boom means that you don’t just focus on a defensive approach to stopping attacks, misuse, and errors, all of which can have a catastrophic effect. You also ensure that there is proactive planning, testing, and more planning on what you do after something goes wrong. It’s not a matter of if something goes wrong; it is a matter of when.

Too many organizations are notified of a breach by a third party and oftentimes months after the breach happened. That means months have gone by with an attacker in your network doing what they want, collecting the data, and using it for their own benefit. It’s never good news when you are told by a third party that you have been hacked and that you have been leaking company and customer data for months. And with the average cost per stolen record of $141 based on the 2017 IBM Cost of Data Breach Study, imagine how much that can cost your organization not to mention the loss of customers and reputational trust.

The cost of that cleanup is much less for an organization that can detect a breach in near real time, especially if they know what to do upon identification of the incident, i.e. if they have a Right of Boom plan. It means less data loss (if any) and more time to properly clean up the incident, as in getting the servers working again with the vulnerability fixed and the bad guy out of the network with minimal disruption to the business.

The only way that proper Right of Boom planning and response is possible is if your organization takes it seriously. Do you have a security team that is empowered to create Right of Boom response scenarios and test them? Do you have a security team that has the resources to identify a suspicious event, whether it be malicious or accidental? Do you provide training for your IT and user community to understand their role in Right of Boom? Do you have third parties on retainer or whom you can call that are specifically trained to help you contain and investigate an incident?

These are just a few critical questions to ask your security team. If you have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) they should be part of the C-Suite discussion on Right of Boom. They should have the resources they need and be tasked with and empowered to help ensure a Boom does not put your organization at great risk… or even worse, out of business.

If you do not have a CISO or CSO it’s time to either hire one or find a virtual resource that can help you on an as-needed basis with strategy planning around topics like Right of Boom. If you have questions about this or about finding a resource email sharon@c-suiteresults.com to discuss your specific situation and needs because security is what I do and I want to see your organization prepared.

Categories
Best Practices Growth Management Personal Development Technology

The Escape Artist – How to Stop the Data Thief

When you watch Ocean’s Eleven you know that breaking in is only half the battle; you also have to get out unnoticed or undetected. The same thing that is true for bank robbers and cat burglars also holds true for hackers.

If you are a business owner or executive responsible for keeping your customers or your corporate data secure and you think it’s all about stopping the bad guys (and gals) from accessing your data, you are missing what might be the biggest point of failure: their escape.

Over the years we have seen that many breaches are not noticed or identified for months and sometimes even years, which means not only did the bad guy get away with it, he (or she) was then able to unload their loot or start using the data without worry that they would be noticed. That’s good news for them, but not so good for you.

In order to fully discuss the escape portion of the breach, the part that most people forget to talk about or protect against, let’s look at the three main players or threat actors in this scenario. Going forward I will use the common term “hacker” to mean any of these threat actors.

  1. The external hacker with no authorized access to your network: These are the people who sit behind their computers anywhere in the world and try to find networks that are open or system vulnerabilities just waiting to be exploited. Open networks are typically those that do not have good firewall rules, have publicly facing systems that should not be publicly accessible, or have exploitable web application vulnerabilities. It only takes one bad line of code, one misconfigured firewall rule, or one forgotten system on the perimeter to leave your organization exposed. Once you are exposed and they are in your network, that is where their fun begins.
  2. The third party vendor or partner who has direct access to your network (usually via VPN): These are the organizations outside of yours that you do business with and that need access to your network. They might provide you data or receive data from you, they might monitor another system that you manage, or do a number of legitimate activities. However, if you don’t know how secure their networks are, which you never truly will, or you don’t know who they employ, you have opened up your network to their network and their people. If they are hacked and that hacker finds the access to your network – boom, they are in.
  3. The trusted employee: Your employees are not going to harm you, right? Most of them will not, and even the ones that do are often not trying to harm you. But even those employees who mean no harm cause errors or misuse their credentials, which leads to breaches and data loss.

Once the data has been gathered by the hacker, they need to get it out of your network and into their control: the escape. Allowing the escape is where many organizations fail, by making this too easy or allowing the hacker to get out undetected. You must know all your outbound connections; they must all have a legitimate business need; they must be reviewed on a regular frequency to ensure they are still needed; and they must be monitored.

You may think this sounds like a lot of work, but if set up properly with the right tools and processes it does not have to be cumbersome going forward. If not built right the first time, it can take some time to put in place, but honestly the pain of discipline in this scenario is going to be much better than the pain of regret later.

If you are reading this and thinking, “I have no idea if data can get out of my network unnoticed,” start asking these questions of the people who work for you and manage your infrastructure. Here is the question you can ask, the answer you want to hear, and the next step if the answer is not what you are looking for. The Next Steps are high level and might require outside assistance or third party tools and vendors.

| Question | Answer | Next Step |
| --- | --- | --- |
| Do we have all our outbound firewall rules documented with business justifications? | You want the answer to be yes | Implement a plan to have the network team spend the next few months documenting all firewall rules. This will mean working with business owners to understand what traffic is necessary and where it has to go. |
| How often do we review the rules to ensure they are still needed? | You want the answer to be at least every six months | Implement a plan, either manually or with automated tools, to start reviewing rule sets at least every six months to ensure they are still needed, still use secure protocols, and are going to the correct destination outside your network. |
| What are we doing to monitor outbound traffic? | You want someone to be able to give you specifics and have incident response plans that explain what they do if they see malicious or anomalous traffic. | Document an incident response plan, determine what third party resources might be needed in the event of an incident, and put processes in place to monitor traffic for anomalies or suspicious behavior. |
| How would we know if sensitive data left the network? | You want a specific answer that should be easy to find if it’s being done. | Research data loss prevention solutions or other network detection tools. |
| Do we allow encrypted data out of the network? | The answer should be no – we only send encrypted data to organizations that we have vetted and only to specific IP addresses they have given us. | This is important because malicious users and hackers will actually steal your data and encrypt it with their encryption keys so that it is undetectable by Data Loss Prevention (DLP) software and so that no one can steal it from them. Yes they are often more aware of security than you are. |
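One way to check an outbound rule inventory against the questions in the table above, as an added example that is not part of the original article. The CSV columns, the protocol lists, the vetted-destination list, the addresses and the dates are all constructed assumptions.

```python
"""Audit an outbound firewall rule inventory (added example, constructed data)."""
import csv
import io
import ipaddress
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=183)  # "at least every six months"
# Assumption: which protocols count as cleartext or encrypted in this example.
CLEARTEXT = {"ftp", "telnet", "http"}
ENCRYPTED = {"https", "sftp", "ssh", "ipsec"}

# Constructed inventory; column names are hypothetical, addresses are RFC 5737
# documentation ranges.
SAMPLE_RULES = """\
rule_id,destination,protocol,justification,owner,last_reviewed
FW-001,198.51.100.10/32,https,Payroll provider API,finance,2024-03-01
FW-002,0.0.0.0/0,https,,,2023-01-15
FW-003,203.0.113.25/32,ftp,Nightly export to print vendor,ops,2024-02-10
FW-004,192.0.2.0/24,sftp,Backup replication,infra,2023-06-30
FW-005,203.0.113.77/32,ssh,Vendor support tunnel,it,
"""

# Constructed list of destinations the organization has vetted for encrypted traffic.
VETTED = ["198.51.100.10/32", "192.0.2.0/24"]
AUDIT_DATE = date(2024, 4, 1)  # fixed so the result is reproducible


def is_vetted(dest, vetted_nets):
    """True if dest lies entirely inside one of the vetted networks."""
    return any(dest.version == v.version and dest.subnet_of(v) for v in vetted_nets)


def audit_rules(csv_text, vetted_destinations, today):
    """Return {rule_id: [issue, ...]} for every rule that fails a check."""
    vetted_nets = [ipaddress.ip_network(n) for n in vetted_destinations]
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        proto = row["protocol"].strip().lower()

        # Question 1: documented, with a business justification and an owner.
        if not row["justification"].strip() or not row["owner"].strip():
            issues.append("undocumented")

        # Question 2: reviewed at least every six months.
        reviewed = row["last_reviewed"].strip()
        if not reviewed:
            issues.append("never-reviewed")
        elif today - date.fromisoformat(reviewed) > REVIEW_INTERVAL:
            issues.append("review-overdue")

        # Review criteria: secure protocol, correct (specific) destination.
        if proto in CLEARTEXT:
            issues.append("insecure-protocol")
        try:
            dest = ipaddress.ip_network(row["destination"].strip())
        except ValueError:
            dest = None
            issues.append("bad-destination")
        if dest is not None:
            if dest.prefixlen == 0:
                issues.append("any-destination")
            # Question 5: encrypted traffic only to vetted, specific addresses.
            if proto in ENCRYPTED and not is_vetted(dest, vetted_nets):
                issues.append("encrypted-to-unvetted")

        if issues:
            findings[row["rule_id"]] = issues
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit_rules(SAMPLE_RULES, VETTED, AUDIT_DATE).items():
        print(f"{rule_id}: {', '.join(issues)}")
```

The script covers only the inventory questions; monitoring outbound traffic and detecting sensitive data leaving the network need the tooling the table's Next Step column points to.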

If no one can answer these questions or you are not happy with the answers, take a deep breath and start a new conversation. No finger pointing and no yelling, but an open and honest conversation with your staff about why this is important and how things are going to have to change in order to keep the data secure.

Lastly remember that tools do not solve all problems and only work when implemented correctly. There is no silver bullet no matter what a vendor tells you. Ensure you have the right people asking the right questions of the vendors if you are bringing in a tool or managed service offering to monitor your network.

This is of course just the start of the conversation and the beginning of what needs to be done. If this is overwhelming and you don’t know where to start or what to do next, I can answer your questions. Email sharon@c-suiteresults.com to discuss your questions or concerns on this topic. I am a 12-year security veteran and have seen 100s of different networks and situations and I am happy to discuss your situation with you.

Categories
Best Practices Growth Management Personal Development Technology

Belle’s World – Security

Has your personal information ever been hacked?

There are towns across the world, where people still leave their keys in their car and keep their houses unlocked. However, for many of us in urban or suburban areas that would be unheard of. If we were to do that the likelihood of having our car or having items from our house stolen would increase or has happened. Until people felt the effects of these robberies they continued to leave things unlocked and didn’t prepare with cameras and security systems which became the norm after these types of attacks happened. It wasn’t until individuals experienced it that they felt they should do something about it.

In today’s world we have another growing issue that is similar to the past but different in how its done – cyber security. Many of us have received phishing emails and the stats say that almost 30% of them get opened1. These phishing emails can come in both personal and professional emails. Therefore, as a company the risk is increased because the data is expansive and includes more

than just an individuals information. Why does it take an attack for a leader to realize they need to spend the money before to prevent these attacks versus after. Mostly, it about the human element of feeling too powerful and big that anything would happen to their company. Secondly, they are not truly understanding the power of cyber security to actually keep their companies safe.

One of the stories I heard recently was how the Boomer generation is still all about interacting with humans and the millennials are about interacting with technology. There is a little truth in this statement but it is after all a generalization. As I work with folks who have experience and have been very successful, it is hard for them to wrap their head around how far technology has come and the fact that people who be stealing data. They get the concept but not the enormity of the issue. Unless they get hacked personally they really don’t understand the need for their companies. Large companies are still getting hacked and many times its because the leadership has decided that it won’t happen to them and the financials at the moment are more important than a potential risk. However, the potential risk is much larger than what they can truly understand. The younger folks on the other hard are unable to influence their leaders to make the change and connect with them from the human element and therein sometimes lies the issue.

Even when it comes to cybersecurity, it is all about people. The hackers are people who are preying on companies and individuals. They put phishing emails or hack into systems through individuals. Individuals who are part of companies that house lots of personally identifiable information for employees and customers. Each of our devices are becoming smarter and connect to each other in many ways that we may not even comprehend. These devices are going from our homes to work to public areas. In our home, each person that has a different device is being connected and will be able to “talk” even more. There are so many channels from which a hacker can now infiltrate and do what they need to do. It is a real problem and the leaders who think it won’t happen to them need to spend some time truly understanding what cybersecurity is all about and get the right products and safeguards in place for the benefit of their own career and their companies.

There are too many leaders sitting on their previous knowledge and not moving with the times. In our lifetimes, technology is changing at an exponential pace. If we want to be successful for 50, 60, 70 years (due to us living longer) we will have multiple lifetimes and will have to continue to learn and grow at each step. It’s not easy when you have been the best at what you do for years and now the world is changing around us. It takes time, motivation and the right guidance to change your mindset to be able to handle the new things happening in the world.

How are you protecting your personal and company security information?

Welcome to Belle’s world. Everything in this world is based on a bell curve. Our media concentrates on giving advice to make everyone be a part of the masses.

This is a weekly series of Urvi’s insights on her perception of the world. They say perception is reality and she lives in her own fantasy world. This allows her to delve into the human element of our lives, helping individuals decipher their own souls, to understand who they are and what they want in the journey of life.

Belle’s world explores the extremes and goes beyond the surface. Ready to read about some of the “elephants in the room?”

Contact Urvi to discover your self-awareness that will unleash the innovation mindset within you and help you become both emotionally and financially wealthy. https://www.radicalroamer.com/ belle-s-world #thehumanelement


Are You Using the Right Content Marketing Metrics?

Years ago, I took my three-year-old to her second dentist appointment. I wasn’t expecting any problems because she had dealt with her first appointment like a champ and I had assumed that the first one would be scarier than the second one. And the second appointment went swimmingly–in fact, she seemed uncommonly cheerful when I told her where we were going. Then, when we got home, she asked, “When do we go to the party?”

She hadn’t been invited to any party, so I had no idea why she was asking that. After some back and forth and some head-scratching conversation with her mom, we realized that she had indeed attended a friend’s birthday party following her first dental appointment, so she had put those events together into one firm (and happy) memory and now was expecting the other shoe to drop after seeing the tooth doctor again.

We were able to explain to her that there was no party for her today, and she understood, but it caused me to recognize something all of us human beings do–and not just when we are three years old. We tend to impute meaning to coincidences. This is deadly when making data-driven marketing decisions.

I heard a story–don’t know if it is true–that back in the summer of 2012, the Sprint social media team was happy when their positive mentions started increasing dramatically. At least at first. A little digging showed them that the mentions were about the Olympics and that the happy conversations around the word “sprint” in that context were not something they should take personally.

Another time, I showed a set of results to a client and told them we had tested them and that they were 90% accurate. The client took a quick look at the first 10 results on the screen and insisted, “That can’t be true–look, the first one is wrong!” The other nine were correct, which is what 90% means, but he distrusted the system anyway.

These examples probably seem silly to you–because they are mistakes you didn’t make. But I see clients performing unnatural acts with numbers all the time just because no one is really thinking about what they mean.

One former client told me that they use their web analytics to see the conversions related to every piece of content in their system so they know what the best content is. Unfailingly, the “best” content was for their best-selling products. Maybe you think that products are best sellers due to marketing content alone, but I have my doubts.

Instead of using simple correlations of which pages lead to conversions, perhaps they need to dig deeper, as the Sprint team did, to really understand their numbers. If you are ready to dig deeper–to think in a new way–you can use AI analysis to remove a lot of spurious correlations to get to the underlying causes of what is going on. Once you do that, you can really work on improving the right things.

But if you keep thinking the same old way, someone might have to tell you that there is no party for you today.



Security is Not Insurance – Debunking the Myth

Since 2005 I have been an information security consultant, and today I consult and coach security executives on strategy, compliance, messaging, and teams, so today I am going to talk about something that is critical to any organizational leader: information security. More specifically, the myth that security equates to insurance.

Many people in the security industry have used the insurance analogy for a very long time to explain the importance of security to an executive or client who has said, “Why do I need security? It’s expensive and nothing has happened to my network; my company’s data is fine.”

The response often provided has been “for the same reason you need car insurance or medical insurance, you never know when there will be a problem.” Using a real-world situation to help explain something that is not always clear makes sense, but this analogy is not correct.

The reason it’s not a good analogy is that security is not insurance. Insurance attempts to make you whole again. It is there to replace your car, rebuild your house, allow you to replace lost or stolen items, or help you regain your health. Security, on the other hand, does not make you whole; once your data is stolen, your network breached, or your systems locked up with ransomware, it is not security that will make you whole again. There is insurance you can purchase to use when the hacker on the other end of the phone says we want 20 Million Dollars to unlock your systems, but that really is insurance.

If we are going to use analogies, then security is your force protection; it is proactive. You know, the guys (or gals) at the perimeter with the big guns that are going to keep the bad guys (or gals) out in the first place. When I used to work at the Pentagon, there were armed guards with very big guns making sure only the people with the proper access could enter the building. Then there were locked doors within the building that could only be accessed by another select group of people. That is security! We don’t call them insurance guards; we call them security guards (or in this case military police).

The same is true for access to your computer systems, network, and data. Your Information Security or Cyber Security (if you are using that term) team is the armed guards; it is their responsibility to keep the bad people out, to monitor for intrusions, and to react if or when a breach is observed. If you are treating this group as insurance you are not giving them the level of importance they deserve, the funding they need, or the authority they require.

For small organizations, you might think, “Who wants my data? I’m good till we get bigger; the hackers are out there looking for the big guys to steal from.” But that is not true at all. It’s like the burglar who will just move on to the next house when they see the ADT sign in your neighbor’s yard. If your neighbors are the bigger companies with the fancy security and armed guards, it is your network the hackers are after because they know it will be easier.

But you want to say “I don’t have anything worth taking” and that might be true at the data level, but you do have something worth taking. It is your resources, your connection to other networks, and it is the fertile playground you are giving them to practice their craft. By allowing your network to go unprotected, you are allowing hackers to practice, to find vulnerabilities they can use against other networks, and to potentially use your network to launch an attack on another organization.

I am writing this so that we can stop equating security with insurance. Stop looking at this as a cost and start looking at it as a responsibility. You are not only protecting your data, your employees, and your customers; you are also protecting other organizations by putting the guards up around yours.

If you do not have a security team or strategy, don’t worry. It’s not too late and it does not have to be scary. There are lots of great consultants out there who can help. As a 12-year veteran of the information security and compliance space, I invite you to send me an email at sharon@c-suiteresults.com or reach out via LinkedIn https://www.linkedin.com/in/smithsharonj/ to ask any questions you might have on this topic.



Is Your Marketing a Business or a Religion?

That might seem like an odd question to pose, but I have run into one too many B2B clients lately who have convinced themselves over the years that marketing is just a waste of money. Often, these executives cut their teeth in the 1980s and 1990s when B2B Marketing was truly not terribly important. No B2B companies had CMOs back then because there was nothing C-level about the job. It doesn’t take a high executive to decide what the brochure should say that we bring to our booth at the trade show. And that’s all that B2B marketing was.

Fast forward to today. Those same executives that grew up in the era of unimportant B2B marketing have not realized that times have changed. Digital marketing has made B2B marketing expenditures hugely important. Prospects don’t even have you on the list if they can’t find you. And even if you were referred to them, they check out your website before they even call.

But I have run into a spate of B2B execs over the last few weeks that look me in the eye and say, “Yeah, well. I just don’t believe that more marketing will bring us any more sales.” Folks, that is a religious statement. Nobody is asking you to believe. We’re asking you to experiment. We’re asking you to give it a try. Make a bet. See what happens. We’re asking you to treat marketing the same way you treat every other decision. You don’t invest in new products because you believe in them. You know that most of them will fail. You invest in them because you know you have no choice because you won’t find the ones that work if you don’t invest in all of them. That’s business, not religion.

The problem is that you can’t teach anyone something that they think they already know. And if you take the attitude that you already know that marketing is a waste of money, then you can’t learn how digital marketing is a new way to play. So, you can stick to your religion and operate like it’s still the 1980s. Or you can recognize that the browser on your computer and the phone in your pocket and the iPad by your bed are the new way to reach your audience in an efficient and effective way, and if you are missing in action, they will just find your competitors.

You don’t need to believe in it. You just have to give it a chance to prove it to you. Just like you do with the rest of your business.