Evolved Thinking

Friends, reader(s) and people who tolerate my rantings from time to time …

If you know anything about me, you’ll know that for better or worse, I’ve had my fair share of jobs. Trust me, it’s nothing I’ve ever wanted to be known for, but it’s an unfortunate truth borne out of a bad economy, bad choices or the dreaded “bad fit.”

So what the hell does all of this have to do with my headline?

My ability to feed my family and/or avoid crashing on one of your couches for any extended period of time is almost entirely due to social media engagement and networking … with a dash of reasonable skill in the areas of marketing strategy, social media engagement & content creation. And thus … the tie in to my headline.

Social Media Club PDX is bringing Social Stallion Joshua Waldman to town to show you how to discover those hidden job nuggets using social media tools and ways to pay it forward in true “You-Tweet-my-Back, I’ll-Tweet-Yours” fashion. Here’s the title and some eloquent prose from my social chum @unclenate, Prez of @SocialMediaPDX:

“Job Searching With Social Media For Dummies” author Joshua Waldman

“For anyone looking for a first job, exploring a career change, or just setting up for future success, social media is a proven platform for facilitating connections, demonstrating passions and interests, and ultimately landing the job. Joshua Waldman, author of “Job Searching with Social Media For Dummies” enables you to harness the power of the Internet to research and identify job opportunities, and create a strategy for securing a position.”

Other nuggets include:

• creating effective online profiles and resumes to sell your strengths
• maintaining your online reputation (and ensuring that employers who Google you like what they find)
• understanding electronic etiquette
• using the power of personal branding
• building your brand online
• avoiding common pitfalls, such as jumping into filling out a social media profile without a strategy
• getting to know Twitter, the only real-time job board with literally thousands of jobs posted daily
• using social media sites to uncover opportunities in the “hidden job market” ahead of the competition

This is your chance to meet some really cool and connected people as well as escape the job or the people you hate — for three whole hours! Just sign up already!

DETAILS
January 18, 2012 at 6:00 PM | $25 Online, $45 @Door | Limit: 100

Collective Agency
322 NW 6th Ave
#200
Portland, OR 97209

The Year of our Lord 2011 is a tough one to box in.

Is it the death or birth of innovation (Steve Jobs and the vision he left behind vs. the birth of Amazon’s Jeff Bezos as Steve Jobs Jr.)? Or, the year that the world woke up by laying down in parks across our great land, taking the occasional walk around to find a TV camera — that is until Christmas and the cold weather rolled in? OR … just more of the same good, bad and ugly. The words Sandusky, Casey Anthony, and  Republican Idiot Droids like Bachmann, Perry Overdrive and painfully vocal news readers who should find a new script like Megyn Kelly left a dent in my brain that will be hard to hammer out in the coming year.

Only the Lord himself knows for sure, but one thing I do know, 2011 did a lot to activate my senses in a good way. I’ll boil it down to my Top 5 — one for each of my senses collectively and individually overloaded.

Enjoy! Numbers 2 through 5 are actually safe to do yourself. #1, well, take a look. Happy New Year! I hope we actually connect in human form in 2012!
Cheers.

1. Sight. “I couldn’t believe my eyes.”
Garrett McNamara’s Monster Ride

2. Sound. “Pure Ear Candy.”
Blitzen Trapper — American Goldwing + Furr (yeah, I know only AG came out this year, but both were good to me in 2011)

Singles:

Lonely Boy – The Black Keys

Ain’t Fit to Live Here — Graveyard

Face to the Floor — Chevelle

The Ruminent Band — Fruit Bats

If I Had a Gun … Noel Gallagher’s High Flying Birds

Holocene – Bon Iver

Head is a Flame (Cool With It) — Portugal, The Man

The Suburbs — Arcade Fire

Get it Daddy — Sleeper Agent

Is And Is And Is — White Denim

Pumped Up Kicks — Foster the People

The Kooks — F*** the World off

Moves Like Jaggar — Maroon 5 (Admit it … this song is like crack on ecstasy!)

And … the Welcome back Award goes to Brian Jonestown Massacre after I finally heard them this year in the Boardwalk Empire intro with “Straight Up and Down.” Yes!

3. Smell. A Tie: Paul Mitchell Awapuhi Shampoo & Jonathan Antin’s Silky Dirt (R) hair product. These provide a complete Jedi Nose Trick at the start of every day that fools my brain momentarily into thinking I live somewhere warm and tropical.

4. Touch. The Kindle Fire — Finally! Something that responds well when I poke or swipe at it — and keeps coming back for more! It is worth every damn penny for that reason alone.

5. Taste: The Beef Brisket Flatbread w/ Onion Rings Tongue-gasm from Eat This! in Portland, Oregon 

EAT THIS! Even better now that it's loaded it with Onion Rings!

Seriously … no, SERIOUSLY … so good you make happy noises with every bite.

To an equally activating 2012.

Happy New Year!

Mark

For the last three years, our friends at Basex have marked October 20 on the calendar “Information Overload Awareness Day,” a day to draw attention to the the consequences — both financial and personal — of living in a world with more information than we can consume, assess and put into action.

I hazard to guess that you are all too aware of information overload in your personal and professional lives. What you may not be aware of, however, are the exorbitant business costs in time and money of information overload and the wasted efforts of the information workers who arm people with the most recent and relevant information to drive business results. What’s more, you should know that we now have the technology and proven processes to deal with this problem better than we ever have before. But first, let’s dive into the financial impact of accepting the status quo and resigning ourselves to live uncomfortably in a digital landfill.

In Overload! How Too Much Information Is Hazardous to Your Organization, Jonathan Spira, CEO and chief analyst at Basex, offers these staggering stats to illustrate the impact of what boils down to, in my humble opinion, inefficient communication practices and tools.

Fast Stats from Overload!

• A minimum of 28 billion hours is lost each year to Information Overload in the United States.
• Reading and processing just 100 e-mail messages can occupy over half of a worker’s day.
• It takes five minutes to get back on track after a 30-second interruption.
• For every 100 people who are unnecessarily copied on an e-mail, eight hours are lost.
• 58 percent of government workers spend half the workday filing, deleting, or sorting information, at an annual cost of almost $31 billion dollars.
• 66 percent of knowledge workers feel they don’t have enough time to get all of their work done.
• 94 percent of those surveyed have felt overwhelmed by information at some point to the point of incapacitation.

As you digest these data points, remember, there is actually something you can  do to reduce the personal and business impact of information overload. And it starts with giving yourself a moment to think before you act.

In addition to the Basex challenge to think before you send in an effort to get people to send 10% fewer e-mail messages, starting October 20th (or sooner!), I would also suggest taking a broader look at the problem beyond email to assess your ability to have an even greater impact.

In addition to the use, and some say overuse, of existing communication tools such as email, information overload also reflects a missing set of technology-enabled processes to organize, filter, and intelligently deliver relevant information and knowledge to the individuals who need it.

You can get greater context from Attensa here, and in the Attensa White paper Reducing Information Overload in the Enterprise, but the bottom line is: You can lessen the impact of information overload and at the same time take advantage of the plethora of information available on the topics you need to follow by using the right tools.

This week and in the weeks to follow, decide that information overload is a problem that you can no longer accept and seek out the people, processes and technologies that can help you do something about it.

Here’s what we are doing at Attensa. If you like what you see and want to learn more,  let me know.

Terry “Starbucker” St. Marie has been one of my favorite online socialites for the better part of 4 years now. The guy is a master motivator, perpetual optimist, a willing sounding board for anybody trying to solve a problem — no matter what it is, and an unabashed Music-aholic, just like me.

REGISTER FOR SOBCon Now!

Marketers! You are me. And I am you.

We fight the same fight for relevance and acceptance in a corporate setting by trying to blend the right message or narrative with the right piece of “engaging” content, wrapping it in a creative execution that entices people to act. An overly complex (by design?) cadre of strategies powered by tactics, bolstered by words and images and measured — for better or worse — by how our actions correlate to revenue.

At the end of the day, we will succeed or fail based on our answers to two simple questions: “Does what you do every day help sales teams close deals?” and  “Can you prove it?”

AN ENABLER BY ANY OTHER NAME
Perhaps, in an effort to not be judged so harshly or more directly tie our roles to $, someone, presumably in marketing, coined the term “sales enablement.” This term, by the way, used to make me feel a little like a bespeckled dweeb (see inset photo) who writes the quarterback’s term paper to avoid getting beat up.

I come from a land and time that was no friend to enablers. They were the parents who replaced discipline with a candy bar to avoid the meltdown in a supermarket. They were the boss who kept  his under-performing nephew on board as a favor to his single-parent sister. They were the spouse who didn’t put his or her foot down after the other spent one too many nights out on the town.

The enablers I know rewarded laziness or just plain bad behavior. This may come across like I’m picking a fight over a word. Maybe I am. But from where I sit as a marketer, words are everything.

Maybe Geoffrey Moore’s power words like Engagement and/or Empowerment are more palatable to me personally, but regardless of the sheen we put on it as marketers, we all need to deliver something that can be directly tied to someone else’s ability to sell something. Or else.

SALES ENABLEMENT/EMPOWERMENT/ENGAGEMENT =  PEOPLE HELPING PEOPLE
In the digital age of ubiquitous personal publishing and sharing — as well as the rapid proliferation of devices to consume and distribute this fire hose of knowledge that is always on — my view on enabling, or more specifically, sales enablement has softened a bit. Now it’s less an indictment of a person’s bad habits and more of a realization that helping people find what they need, streamlined by proven processes and fine-tuned by purpose-led technology may be our saving grace.

Whether you are in competitive intelligence, marketing communications, public relations, product or solution marketing or are responsible for driving the global marketing strategy for your company, you need to be a curator and distributor of actionable knowledge. Those who take the role lightly by sending sales reps one-size-fits-all newsletters or alerts, and content not aligned with the buyer’s journey are at risk of being viewed as expendable instead of indispensable.

With modern software applications it is now possible to arm sales and account people with the critical information they need at the point of prospect or customer engagement. Regardless of the type of information or where it lives, be it product information, hyper-relevant web news, customer order details, help desk activity and more can personalized and delivered in the the context of a prospect or customer record. Welcome to the age of automating the Troglodytic manual tasks of hunter, gather and filterer to simply deliver personally relevant knowledge that contributes to revenue.

HOW ATTENSA CAN HELP
A brief commercial, yet completely factual, interlude: For me personally, the Attensa StreamServer simplifies and speeds up my most time-consuming tasks by finding, filtering and delivering immediately valuable information to me that gets more targeted to my preferences, and therefore more immediately actionable, with every use.

For you, the sales enabling marketer, the Attensa StreamServer can do the same by making your marketing department the knowledge epicenter for your organization responsible for connecting people in your own department, in sales and throughout the company with the knowledge that drives business results and better relationships. What’s more, you’ll have the data to prove it.

To see how all of this works, take a look at the Attensa Solution Overview, or download our latest white paper A Framework for Reducing Information Overload in the Enterprise. Reach out to me directly if you want to learn more.

Until I interrupt you again, Viva La Enablement!

Mark

@MarkAEvertz

This post was enhanced from a previous Attensa post on May 23, 2011 ^ME

Looking for a job? Stop! That’s your first mistake.

Those who know me or follow my social media escapades are all too familiar with my recent prowess for landing coveted marketing positions in what I’m told is a bad job market in a state with one of the worst unemployment rates in the country.

What’s my secret? I stopped looking for a job. I look for people who work where I want to work.

How’s that workin’ out for ya?
Trust me, this isn’t something I wanted to be known for in the marketing world or among my friends and family. In fact, the joke has become, “Yeah, we know you can get a job. Now, let’s work on keeping one.” No office pools or stop watches, please.

Truth is (and this has been true for every job I’ve ever had), I hope my  most recent position — as the Director of Marketing and Engagement at Attensa -- will be the last job I will ever need.

Now that I am, at least for the moment, gainfully employed, I feel like it’s my duty to share with you some of the things I’ve done over the last two years to survive two gut-wrenching layoffs and a “thank you for playing” pat-on-the-back/kick-to-the-curb after a predecessor came back to grab his old job.

But let’s take a moment to grieve
Getting cut loose sucks. If you’re like me, you take it personally. As a sign of failure. You wallow. You plot against perceived enemies. You become a complete idiot who loses focus on the real problem at hand. Um, Mr. Bitterman/woman..You need to pay for stuff.

Even so, getting downsized, made me question everything about myself and my chosen profession. It led to a momentary lapse of reason where I was going sell scintillating haiku on a warm beach somewhere.

And then I just got pissed.

Mostly at myself for my pity party. Anger begat focus, which quickly led me to the people I trust. Today, more than any other time in my lifetime the trite“It’s not just what you know, it’s who you know” is an absolute truth.

No employer wants to sift through 800 resumes only to come up with a candidate that can sell himself or herself well in an interview. They want proof that you can do the job. And, in the age of social media, online recommendations and online fact checking to ferret out B.S., this is where you can and should plug in to not only serve your own interests but help others serve theirs. So, if I were in your shoes right now, or if I am ever again, here’s what I would do:

5 Tips for Landing the right Job in a Bad Economy

Tip 1: Be  good to people in good times and bad — Got a job? Help others find one. Got a skill, but out of work? Help someone in your network in need — even for free if asked. You will be seen as someone who is genuine, hardworking and willing to do whatever it takes. It gets remembered and reciprocated.

Tip 2: Search for a Company. Not a Job — Pretty basic advice. You know people who have jobs. Some of them want to see you succeed in life. Find them online, offline and in person to discuss how your skills could be of use to their company — if in fact you think you actually want to work there.

Tip 3: Look for people and organizations in your community (online or offline) that need your help – Let’s face it. You need some good juju. I’ve also found it reaffirming to have someone tell me they appreciate me and think I’m awesome after a recent career disembowelment.

Tip 4: Beat LinkedIn like a Rented Mule — If you are not on it, get on it. Fill out a profile right now. If you are on it, learn to use it. Check for updates, high-five people who announce new gigs and search for places you want to work and the people you know who work there.

Tip 5: Know your strengths and expose your weaknesses -- This is key to finding yourself a good professional home. Fudging your ability to meet expectations to land a job will get you back to the breadline in a hurry. I’ve gone so far as to ask people to rip me in recommendations to give future employers so they know exactly what they will be getting. Trust me. I don’t want a bad job anymore than the employer wants a bad hire.

For what it’s worth…the position you are in is brutal, but survivable. If I can help you, I will. Feel free to reach out to me on LinkedIn or Twitter to talk about it.

Keep your head up.
Mark

Here’s a “Director’s Cut” for a post of mine born on Feb. 16, 2011 at nonboxpdx. Viva la verbosity! -ME

Want to know what your company has in common with cultural powerhouses with iconic products  like Nike, Apple, Virgin Atlantic, Legos and Porsche?

As it turns out, not much.

That was my key takeaway from the latest book trumpeting design and deep customer analysis as the way to the promiseland of sustained revenue and consistently unleashing products that people crave.

Thankfully, former Business Week Seattle bureau chief Jay Greene uses Design is How it Works, as a platform for showing the uninspired that creating a product or a company that taps into the Id of people is as simple as embracing failure and financial losses, changing organizational processes to bring Design Thinking into every discipline in a company from the C-suite through R&D and on down through the ranks,  and doing deep ethnographic and psychographic research on probable users of your product before embarking on your next build.

Sound a bit daunting?

It is. which is why IDEO’s Tim Brown notes in the book, that when people tell him of their aspirations to be like Nike or Apple, he counters “You don’t have the nerve.” That is the greatest part of Greene’s book for me. The corporate moguls and design luminaries he interviews call a spade a spade. You can’t be Nike. You aren’t Steve Jobs or Jonathan Ive. You haven’t got the discipline, the reputation or, frankly, the balls.

The headline of this post is inspired by every client or boss who has uttered phrases like “We want to be known as the Apple of the (insert industry segment here).” Or…”Our products are best-of-breed innovations and we need to create the same experience and culture Nike does to drive demand and loyalty to their products”

Never mind that the industry segment is sewage treatment technology or the product is road salt. Make it pop, sucka! How many of you design professionals can relate to John Barratt, president and CEO of Teague in Seattle:

“I can’t tell you how many how many product briefs we get saying we want a product that’s as good or better than the iPhone,” he says. “That’s a five-alarm brief for me..those folks just don’t get it. An iPhone is not a product. It’s a manifestation of a culture.”

It’s that kind of no-bullshit take on the power of design to transform a company and an economy that makes Greene’s book so endearing, refreshing, and such a swift read.
For those of you who still think you’ve got what it takes to check your egos at the door, throw caution to the wind in the face of financial pressure, and actually find out what your customers want instead of what you can give them, here’s something you should know. Good design isn’t what you think it is.

• It’s not an emotive image with pithy text and a dope beat from a band named Mooseknuckle.
• It’s not a box made of hemp fiber in the shape of condor’s nest that was — be honest – an afterthought to hold your clever “Must-have” eco product.
• It’s not even the promise of a new piece of software that reports it will solve world hunger with a user interface you’re sure is so easy even a chimp can use it.

It’s how a product works in the hands of your customers. It may be easy to use or pleasing to look at, but if it doesn’t solve a pain it’s a waste of time and money. “If there’s no pet peeve, there’s no product,” says Alex Lee, president of OXO.

Thus, the title of the book absconds with the Steve Jobs quote: “It’s not just what it looks like and feels like. Design is how it works.”

Whether that’s the tried-(or trite?)and-true of form following function, an evolution of tired phrases like “out of the box thinking”or new fangled concepts like Design Thinking permeating all disciplines to foster organizational creativity — the bottom line is you need to know your customers better than they know themselves. The only way to do that is to get your hands dirty and actually engage with them where they will put your product to use. The book gives some great examples of how and where to do that in the profiles on OXO, REI, Nike and Lego.

So, for me, the book is a call to get your head out of the freaking clouds or at least out of your own building.  It’s time to stop aspiring and start perspiring. There’s plenty of work to be done learning about what your customers need to cure their pet peeves. Build those products and they will come.

And, instead of leaving you with a cheesy movie line platitude, here’s a more actionable treat from Jay  Greene himself when I swapped a note asking for him to clarify design thinking and discuss ways all companies can infuse their operations with the principles of design thinking:

“Like industrial designers, design thinkers use creativity and empathy to help them craft something that has an emotional connection with customers. They prototype concepts and collaborate with colleagues to test theories and come up with novel approaches to new products. The difference is that design thinkers apply those concepts to businesses, such as software-as-a-service, that people don’t typically think of as being design-focused. They use anthropology, sociology and psychology to study customers in order to understand their unstated and unmet needs. They prototype strategies and experiences much the same way that companies model early versions of physical products. So if you’re looking for strategies for companies to implement to create iconic products, design thinking would be a great place to start.”

Here, here!

This post is inspired by the word “Flow” — in all of its glory. Get your flow on with Queens of the Stone Age’s Go With the Flow while you meet your new marketing savant — ConBroChill.

Every five years or so, marketing gurus repackage the discipline of garnering influence, attention and brand loyalty into something that drives new ways to engage people to take action. Look no further than the growing allegiance to social media tools like Twitter, LinkedIn, Facebook, YouTube and Foursquare as a sign that Big Idea marketing from the mountaintop is giving way to crowdsourcing your way to a Compelling Idea.

My friends, we are on the cusp of another such evolution in marketing. For lack of a better term, I’ll float one for consideration – Bro-cial Media. The pillars of Bro-cial Media are simple:

• Don’t just know your audience. Be your audience.
• Feed your audience with content that makes them hungry for more
• Deliver content in a medium your audience likes to consume

The big brains at Nonbox, an integrated marketing firm in Portland, Ore., recently introduced me to a sports marketing client of theirs that is letting it flow in more ways than one: Connor Martin and his alter ego ConBroChill. Nonbox partners were quick to point out that Martin is responsible for creating a  strong  reverse-mentoring relationship with the agency on bootstrap digital marketing efforts that attract active followers.  Nonbox, in turn, is delivering its deep reservoir of sports marketing connections to Martin as they advise him on the opportunities his gregarious personality and sun-drenched good looks are bringing to the surface.

This former pro lacrosse star born and raised in the Northwest is more than a flowing mane (aka The Flow), with a penchant for the bombastic and a persona that’s part MTV’s Puck Rainey and part Jason Mewes of Jay and Silent Bob fame. This wholesome kid next door is a bonafide digital media sensation.

With YouTube creations constructed using his dad’s video camera, Connor Martin/ConBroChill brings as many as 500,000 like-minded sports enthusiasts to him with every  three- to five-minute dispatch. This popularity has created a product-pitching hotbed for CBro and his sponsors, as well as opened the door to him as an arena anthem creator…
and a current spate of possible television projects that could propel him into being a household name.

So what does this Bro-make-good story have to do with you, Mr./Mrs. CMO?

It’s time to quit looking for ways to make a Facebook profile relevant for your company or clients. It’s time to quit pushing Twitter messages out that trumpet how cool you are. Retire big idea thinking for a moment and go Bro-cial.

Here are five tips for integrating Bro-cial Media into your marketing mix as a company or for your clients:

1. Develop a persona for your brand. You may not be ConBroChill, but you are somebody. If you don’t know who you are — Ask your coveted audience.
2. Live where your prospects, fans, and competitors live. Is it YouTube? Is it LinkedIn? Is it in technology or industry forums or trade pubs? Don’t waste time building communities from scratch. Find out where your Bros are already hanging out.
3. Don’t be a witness. Be an activist! Participate. Engage with your bros and give them reasons to want to hang with you.
4. Be fresh – in attitude and in your content. Have an edge that reflects your persona  in everything you deliver and bring things to your bros that elicit action. Don’t just create for the sake of freshness.
5. Encourage frequent  interaction with your bros to stay current. Don’t pontificate in a vacuum. Unvalidated clever ideas from you or your marketing cohorts may make you laugh or feel empowered, but if they miss the mark you could end up with something like this flop:  Motrin Moms Mishap from Johnson & Johnson.

It’s time to welcome your new marketing muse to the table. His name is Connor Martin.

This post repurposed and amended from a recent dispatch on Infosec Island.

Coming soon, either “Social Media is my Job Pimp” or “The Mobile Security Arms Race” Feel free to vote in the comments below. And now, without further ado…More than 88 Lines:

For those of you without an insatiable addiction to 80s punk, goth and new wave, the title of this post is inspired by the ’80s classic by The Nails — 88 Lines about 44 Women.  This song was the first thing that came to mind when the folks at Infosec Island asked me to join their band of security crazies as a regular contributor.

Flattered to be sure, given that I’ve only begun to cut my baby teeth in this space as a former vendor marketing hack.

Now, before you stop reading, one thing you should know is that my background (visit me on LinkedIn) has trained me all too well to take the tangled mess of Cyber, rootkit detection and eradication, Application (In)Security, common exploits, etc. and turn it into something that end-users actually understand and want to avoid.

With that in mind…and with your indulgence…here are my observations after nine whole months in the IT security sector–  88 lines about less than 44 weeks in Infosec. Let’s start with my Top 5, which, given my tendency to drone on, may end up being 88 lines.

1. From Week 1 to present, you have all sufficiently scared the holy hell out of me with how real, lucrative and mostly unavoidable cybercrime/cyberwar/cyber espionage is for targeted companies and people. Good show!

Any thoughts on taking your act on the road to senior citizen homes, community-sponsored events on online safety, schools, etc? Layer 8 (aka people for the uninitiated) needs you! It’s time to take what you know to the street and quit telling each other what you already know.

I’ll offer myself up as your first community leader in my hometown of Portland, Oregon… I’ll just need your brains and a help with a curriculum that makes sense. Help me help you!

I know millions of people even more ignorant than I on the perils of Internet stupidity. And they need to be reminded daily, not once a year in a thin public service announcement or press release by DHS during Cyber Security Awareness Week.

2. Information security isn’t about you. It’s about protecting the weak from the valley of darkness. Be the Shepherd, not the self-congratulating rancher. You can be smart, revered and successful without being a prick.

Call up your alma mater and offer your skills or consulting advice for free. Help a newbie gain his stripes in the industry (thanks @falconsview @jackdaniel @BrianHonan @DeathwishDuck @Wh1t3Rabbit @TripwireInc @andrewsmhay @briankrebs and so many others!).

Celebrate the fact that somebody actually respects you enough to ask for your guidance. And then give it away…freely.

3. I love that people in the IT security community are so far out in front on the usage of social media tools like Twitter to not only engage with each other, but use it as a means of revealing new threats, testing theories and furthering the global #infosec community.

I know the medium is also used for evil on the social engineering front, but those leveraging it for good will prevail. Expose the shitheels at the speed of “Send.”

4. Cloud computing has got to be the dumbest, most innocuous name for something so vital and potentially dangerous.

Can we please call it what it is: A Digital Data Trailer Park susceptible to methed-out dudes breaking in to steal your valuables, with more-than-occasional, seemingly targeted, natural disasters that may put you in the bread line and delivering a nagging, persistent gut ache and brain traffic  that circles the unanswerable question “Is my valuable data secure?”

C’mon you’re doing this to save $. Is it worth it? Are you sure?

5. And this is probably the most crystal clear and personal observation over the last 40+ weeks in infosec.

Like security itself …it’s a never-ending journey that unearths painful truths, nerve-wracking challenges to your beliefs and confidence, and it keeps its clutches in you with the lure of fighting the good fight or making an obscene amount of money and wreaking a new kind of havoc on the world if you’re donning the black hat.

Damn you, Infosec. I’m hooked. A reluctant data security junky with a dangerous amount of semi-informed knowledge, eager to fight alongside you. I’m not going anywhere.

For better or worse. I’ll be taking what you know and sharing it with the computer users getting pummeled by their own laziness or uninformed mistakes… until further notice.

Until next time.

@MarkAEvertz

This blog post inspired by Welcome to the Machine by Pink Floyd. Refurbished from Dec. 21, 2010 post for @TripwireInc

Someone recently posed this question to me and a few cohorts here at Tripwire, the IT security company where I work:

What are your Top 5 IT Security Events for 2010?
At first, I responded with RSA, Blackhat, Infosecurity Europe,  B-Sides, etc., then realized the question attempted to get at incidents or interesting developments in the last year. That task proved to be much harder.

Any time I’ve been asked to cobble together a list of “Top anythings”,  it has always been  akin to “What are your Top 5 bands or movies?” By that, I mean,  they usually change George Costanza-style  on the drive home (video) (ohhhhh, I should’ve said < Insert obscure, uber-hip band name here>).

With that in mind, here are my Top 5 IT Security Stories/Incidents worthy of consideration in no particular order, with a detailed rationale for each of my choices. Agree? Disagree? Think of one on the drive home? Fire away in the comment section.-ME

The “Stuxnet Effect” on Cyber Security
In 2010, “Stuxnet”

1. Captured media and global governmental attention because it was the first high-profile case of a dramatic shifting of war from on-the-ground to the cyber world. While the republics of  Georgia and Estonia had illustrated this shift first in 2007, the Stuxnet attack in the Spring/Summer of 2010 brought the new battlefield home to the U.S. Government because it attacked Command and Control (SCADA) systems responsible for regulating the energy grid.
2. Showed, through its combination of four  Zero-day attacks  that very talented, coordinated and probably state-financed groups can wreak global havoc on really old equipment. Some energy grid systems are 50-80 years old and rife with vulnerabilities that are ripe for  current attack methods or modern advancements in  malware development.
3. Taught an important lesson: If you are a target of  this type of attack, it will happen and it is next to impossible to prevent.
4. The countermeasure for high profile targeted attacks such as these is to return to the basics of info and system security:
   1. Protect (monitor all systems around the clock for up-to-date patches and configurations across the entire IT infrastructure)
   2. Detect patterns of behavior that are suspicious using a correlation of suspect log events, system changes and near real-time alerting of configuration errors that attackers exploit
   3. Resolve compromises as fast as possible with the ability to find the breach and return systems to a secure state by combining a pre- and post-breach cyber forensics program and automating the system baselining process.
5. Another key lesson with Stuxnet that will hopefully have a lasting impact was the realization that an attack of this kind in one place is a global event that will require a global response and the cooperation of governments and businesses around the world.

Security & Compliance in The Cloud
Much like the concept of cyberwar in the Stuxnet example, “The Cloud” is here to stay. Your first clue is “The” in “The Cloud.” It’s kinda like Madonna, Cher, Prince or The Hoff. (No, not that “Hoff” ). Love ‘em or hate ‘em, once they’ve attained “The” status,  they’re not going anywhere. Why?

1. The Cloud  is largely perceived by business users as a lower cost, environmentally responsible alternative to cash- and energy-sucking server farms that are holding an exponentially growing deluge of data that exceeded the storage available in 2007 (See image).
2. Large cloud providers like Amazon have rushed to become PCI compliant in an effort to protect sensitive data, namely cardholder data, but the cautionary tale here is that providers, particularly small and medium businesses using The Cloud to cut corners and save money have to realize that they have a responsibility to secure their own systems and sensitive data as well or it can be compromised where it lives in their environment and on user systems
3. One other critical issue that security experts point to is that by storing sensitive data in one place, and sometimes in a shared environment with other companies, they have unintentionally created a very rich singular target for a patient, deliberate and well financed cyber crime organizations.
   
4. The key, and this is certainly true of where Tripwire is working to address security in the cloud, is to monitor the critical systems, infrastructure and sensitive data stored with cloud service providers, alert on high-risk behaviors in the public, private and hybrid cloud environments and resolve anomalies on demand to guard against cyber attacks of this kind.

Cyber forensics as an emerging industry

OK…I have to admit, I see a David Caruso spin-off here in our future, complete with aviator shades, IT-flavored one liners (“His Java Script didn’t have a happy ending”) and a screaming Who song (in my Top 5, btw).  Not sure if that’s a good thing or a bad thing,  but that digression aside, for me, the driving factors behind cyber forensics are:

1.    Rapid evolution of attack methods and malware have created the need to approach threat detection beyond the old signature-based model of known vulnerabilities to real-time behavioral analysis of anomalies  in an IT environment across systems, files and security controls already in place (firewalls, anti-virus, security policy frameworks like CIS, etc.).

2.    A desire to be proactive on IT security rather than reactive to breaches. Cyber forensics enables pre-breach analysis that can identify risks  and in most cases guard against a breach.  In addition, it improves incident response by delivering post-breach analysis for reporting purposes and identifies how sensitive data or systems were compromised to harden the environment against future attacks.

3.    Technology advancements that enable real-time, continuous monitoring, alerts based on suspicious occurrences and automated, intelligent resolution: Tripwire’s behavioral approach to detecting threats includes monitoring the IT ecosystem around the clock for incidents that weaken a company’s security posture, correlating suspicious log events and suspicious file changes in near real time to identify threats faster and on-demand remediation of any configuration errors in the environment that contributed to the breach.

SMBs taking a big-boy beating on the cyber attack front

1. Recent reports are pointing to a growing trend that cyber attackers are seeing the complex traps being set for them in the enterprise space with seven layers of security defense, complete with firewalls, IDS, IPS, Access management, threat behavior analysis via the correlation of file changes and suspicious log events, etc., and opting  to go for the easy pickings in the education, nonprofit and SMB sectors.
2. In complex DDoS attacks or  sophisticated botnets, these easier-to-access servers and machines are being used to attack larger targets en masse or providing simple, unfettered access to the sensitive data available and letting attackers collect data from a multitude of weakly guarded targets Examples include Zeus and its financial account access-stealing malware that continues to plague non-enterprise organizations.
3. While an IT budget vs. mission or security budget vs. headcount seesaw will always be at play in these cash-strapped and often technically challenged environments, it’s important to keep hammering on the fact that attackers see them as the path of least resistance for obtaining social security numbers, health records, financial accounts and/or an entire zombie army of machines poised to do their dirty work because  they are mostly likely  misconfigured  or poorly managed. All security do-gooders need to band together in the years to come to stem this rising tide.

Recent news feeding my fire on this trend:

Education sector most affected by malware

AmeriCorps Security Breach

SMB Cloud Is A Hacker’s Paradise

Cyber Criminals Now Target SMB Bank Accounts

Security industry consolidation
Point solutions like Arcsight (now a part of HP) and even larger security luminaries like McAfee (now a part of Intel) got gobbled up by larger mega corps to build out their portfolio in the white-hot security space.  In fact, according to my fingers and toes, in the last 5 years alone, 26 smaller companies Tripwire used to compete with head-t0-head are now part of the machine. In my view, this changes the landscape in two ways:

1. Security solution buyers will be tentative in buying yet another technology to throw into their security mix and seek out comprehensive security suites to address a multitude of their security and compliance challenges related to protecting sensitive data and critical systems.
2. Security solution providers, in their efforts to meet this buyer desire and address a complex threat landscape, will find themselves partnering with former adversaries to create super solutions in the security space built on providing better visibility into true threats, real-time detection and rapid resolution to avoid cataclysmic breaches with massive data losses.

I can hear you all now. What about Aurora? (Ohhhhh! Jerk Store!) What about WikiLeaks? What about…? Share your wisdom and defend it in the comments section below.

I hope you had an incident-free holiday. Welcome to 2011.