Success: Independence key to IT fix-it firm

Industry veterans rely on selling their expertise, not hardware or software.

The stunning view from Clayton Wakefield's lower Queen St office takes in the high-rises that house Auckland's "big end of town". It's these tower dwellers - the likes of ANZ, Fonterra, Vodafone and the IRD - that are the core clients of the boutique IT consultancy Wakefield created five years ago with fellow technology veteran Mike Prebble.

Both left senior corporate IT jobs - Wakefield was head of technology, operations and cards at ASB and Prebble was at IBM - to form independent IT advisory firm Techspace.

The business was born out of a gap Wakefield and Prebble could see in providing impartial technology advice.

Techspace sells nothing other than its expertise, says Wakefield.

"If you contract a large IT vendor, then they have relationships around hardware and networks and software that actually, one could argue, they [have an incentive] to sell," he says.

"This is where we saw a great opportunity in the market and that's proved to be true over the five years.

"In fact it's going from strength to strength around that ability to have an organisation you can rely on for advice."

Within six weeks of kick-starting Techspace in November 2007, the pair, who were at that point running the business from the tables of Sheinkin Cafe on Lorne St, had landed their first contract.

The $90 million IT project for a financial services client saw them roll up their sleeves and get back out on the open-plan office floor.

"It was quite refreshing being on the other side of the desk from where we had both been.

"You can empathise with and understand the other guys, the people you are dealing with, the boards, the executive teams, so you can get to conclusions very quickly and help out very quickly."

He describes the firm as "advisers and doers".

"We love doing things but that always comes with advice."

Techspace was on hand to advise Air New Zealand and IBM when a massive IT meltdown in 2009 resulted in 10,000 passengers being stranded on the last day of the school holidays, prompting Air NZ chief executive Rob Fyfe to deliver a very public dressing down to the IT supplier.

Yes, Wakefield admits, he does know all the dirty IT secrets around town but he's too discreet to reveal more than that.

He says the business Techspace has created is built on trust and the independence that gives them the ability to call it like it is. "Sometimes it is hard delivering tough news to clients who have one perception when the reality is quite different from that," he says.

"I'm on a number of boards and I continue to be concerned by the lack of understanding of IT around the board table and at executive team level and it tends to fall to the CIO (chief information officer), so you have to have pretty broad shoulders in that regard.

"But it's fundamental to everyone's business these days. It's either a competitive advantage or it's a big millstone around your neck and the time has come for people to get more educated around information technology - or use a Techspace."

Wakefield says they don't write reports (although they are sometimes called on to interpret lengthy IT reports written for a chief executive), preferring instead to provide a roadmap to get results.

The practice has grown to between 30 and 40 people - the staff tally fluctuates as many contract to Techspace - but its low-key approach has seen it fly under the radar despite being a sizeable company in New Zealand terms.

David Graham, who came on board as the Auckland general manager early last year, says the majority of work comes from referrals, as do new staff.

"In the year and a half I've been here I don't go looking for people; the phone quite often rings."

Graham says he'd like to see Techspace grow to a much bigger version of what it now is.

"We've got some targets and how we might achieve that. We're looking at opportunities as and when they arise, which is a nice place to be in," he says.

Even though Techspace can count some multinationals as clients, doing work as far afield as Asia and Britain, expanding overseas isn't on the radar at the moment.

"I think there is a lot more value to be added in New Zealand first and I think that will happen by natural evolution.

"So no, we're probably not going to dash across to Sydney and start in a coffee bar in George St like we did in Auckland. I think that's highly unlikely."

By Helen Twose

Ways to Reduce Your Sales Stress 

Every customer hates the feeling of being pressured into buying something; you can hear the urgent neediness in a sales person's voice when they're desperately trying to close a deal, whether or not you're receptive to the offer. Sales neediness comes from a place of stress. When a sales person feels like every customer is a make-or-break moment, they're going to act accordingly.

Your challenge as a sales leader is to help your sales team avoid driving away customers with this kind of neediness by reducing their sales stress.


To reduce your sales stress, you need to focus on all the activities that lead up to closing a deal, and build a strong pipeline that protects you against the loss of a big account or the last-minute collapse of a promising deal.

Here are 5 ways to reduce sales stress for you and your sales team:

Maintain A Full Calendar of New Business Development

If your sales team is busy managing existing accounts and closing deals with repeat customers, it can be hard to persuade them to spend more time on prospecting. But the truth is, unless your sales people are regularly meeting with new business prospects, they are vulnerable to suddenly having the rug pulled out from under them when their "busy" times come to a stop.

Being a sales person is like being a juggler: you have to keep multiple balls in the air at the same time, keeping your existing clients happy while also introducing a steady stream of new business prospects into your daily mix of activities. By always maintaining a pipeline of new sales opportunities on the horizon, your sales team can stay busier, happier and more profitable.

How does this reduce your sales stress? If you know that you always have multiple opportunities on the horizon, you'll be less likely to “overdo it” in pursuing any of your current prospects. It takes the pressure off to know that even if one promising prospect doesn't pan out, you still have many other people waiting to hear from you.

Take It One Day At A Time

Make prospecting into a daily habit. Do a little bit of prospecting work every single day you are at your desk. Even if you only have time for 30 minutes of calls, make sure you dial them. Depending on your sales conversion rates, a certain number of dials will lead to a certain number of appointments, which leads to a certain number of sales, but you can't get the sales without making the dials.

Breaking up your prospecting into a daily repeatable routine helps reduce sales stress by lowering the stakes for every prospecting call. If prospecting is something you do every day, automatically, it becomes a low-stress, low-pressure activity: just part of your regular routine, nothing to get worked up about.

Instead of procrastinating and suddenly having to make a long list of high-stakes prospecting calls, daily prospecting helps you build a better pipeline that lowers the pressure for any individual sales call.

Be Prepared

Every sales call requires you to do your homework. Have a plan for the call. Know why you are calling, know who you will be talking to, and know what you want to say to them. More importantly, be prepared to listen attentively to the prospect and uncover additional needs based on what the prospect is saying.

Understand what you are hoping to accomplish with each call, whether it's getting a sales appointment, offering a sales proposal, or finalizing a time to meet to discuss closing the deal. Being prepared will reduce your sales stress because you will feel more in control of the situation, ready for any questions or objections that the prospect might raise.

It's the difference between being a kid in school who didn't do his homework and is trying to fake his way through the final exam, and a kid who came prepared and aces the exam with confidence. Who would you rather be?

Don't Assume Too Much

Many sales people make the mistake of assuming that every so-called “qualified” sales lead is completely ready to buy. Unfortunately, different sales prospects have different standards of “ready to buy.” Some prospects might have indicated an interest in your solution just as a way of getting off the phone with whoever was making the lead generation calls. Other prospects might be interested in getting more information from you, but are not yet actively in the market for your solution.

Approach your list of “qualified” sales prospects with the expectation that you're still going to have to do some work to build relationships, uncover customer needs, and align your solution with those specific needs. Managing your assumptions helps reduce your sales stress because it makes it easier to go with the flow.

If you go into a conversation expecting to have to build relationships, you'll be better able to handle questions and objections along the way.

Keep Following Up

Many sales people make the mistake of only focusing on the highest-potential short-term sales leads because these are often more likely to buy now. But as part of building a strong sales pipeline, you also need to nurture your long-term sales leads.

Keep following up every few months with sales leads that had expressed an interest, or even the ones that initially said they were “not interested.” Circumstances can change at every company, and even a “not interested” prospect can become interested as their business needs evolve. Keeping up the daily, weekly and monthly routines of following up with sales leads can reduce your sales stress by uncovering unexpected opportunities, even from sales leads that your competitors might have overlooked.

Regular sales lead nurturing also helps reduce sales stress by making these activities part of the standard sales routine. Instead of a high-stakes, high-pressure, do-or-die sales pitch, your conversations can take on more of a friendly air of a trusted industry peer and colleague just checking in. Which conversation would you most like to be part of?

Sales can be a stressful job, but true sales professionals find a way to take control of the situation and reduce their stress levels by doing the incremental work every day of setting appointments, following up with sales leads, and dialing the phone.

If you approach the sales process as a long-term endeavor instead of a high-stakes last-minute do-or-die conversation, you can significantly reduce your sales stress and increase your sales conversion rate.





Security 7 Award 2012: Seven Outstanding Information Security Pros

Information security pros arguably have the hardest job in IT. Not only do they have to keep up with rapidly changing technology trends, but also the relentless pace of new threats. They defend their organizations against adversaries that are often organized with more funds and resources at their disposal.

In many organizations, security pros have to fight hard to be heard by the C-suite and win funding for security projects. When they get the spotlight, it's usually because something bad has happened: the company's network has been hacked or it suffered some type of data loss. Good grief, who would want this job?

Fortunately, the information security field is filled with strong, talented and dedicated people who are up to the challenge. Each year, we honor seven of them with our Security 7 Award. This is the eighth year we've handed out the award, which recognizes outstanding information security professionals in seven vertical markets. Some of the industry leaders and luminaries we've honored include Gene Spafford, Dorothy Denning, Dave Dittrich, Mark Weatherford, Melissa Hathaway and Chris Hoff.

This year, we're pleased to add to our Security 7 honor roll Wade Baker of Verizon, Krishnan Chellakarai of Genentech/Roche Pharma, Doug Powell of British Columbia Hydro & Power Authority, David Seidl of Notre Dame, John Streufert of the Department of Homeland Security's National Cyber Security Division and Preston Wood of Zions Bancorporation.

These winners represent diverse interests, from emerging critical infrastructure protection issues and protecting federal networks, to information sharing and big data security analytics. While they have different focuses, all share a tireless devotion to cybersecurity.

We're continuing our five-year tradition of having our Security 7 winners write an essay on an information security topic they feel deeply about. The idea is you get to hear from security leaders in their own words, unfiltered. Each year, we learn a lot from what the winners have to say, and I think you'll find their essays valuable too.

Our seventh award goes to Ron Knode of CSC, who sadly passed away in May. If you didn't know Ron Knode, you should read Jim Reavis' essay on the man, his achievements and his character. As Reavis, executive director of the Cloud Security Alliance, describes him, Ron was a true security warrior. He was multi-talented with an indefatigable dedication to advancing cybersecurity. Ron's most recent contributions were in the area of cloud security; he led the charge in demanding transparency around cloud provider security controls. His passing is a tremendous loss to the industry. Ron's passion and energy, like that of our other Security 7 winners, is truly inspiring.

I've covered the security industry for the past 12 years, and have been impressed by all the super smart and enthusiastic people I've met. Information security pros have a job that is oftentimes thankless, but they are driven regardless. I'm moving on from Information Security magazine and TechTarget but am grateful for the experience of reporting about such a dynamic industry filled with so many incredible people.

Marcia Savage is editor of Information Security. Send comments on this column to feedback@infosecuritymag.com.

This was first published in October 2012



Security Warrior for Cloud Transparency

The information security industry has always attracted unique personalities with eclectic skill sets. Information security is not simply about solving mathematical problems, focusing on bandwidth, maximizing storage capacity or answering other questions with objective certainties. Information security is art and science, technology and strategy, thoughtful design, quick reflexes, and matching wits with a skilled adversary. From software programming and finance to marketing and heavy doses of the Art of War, the typical information security skill sets are in fact atypical in the IT industry.

Ron Knode represented the prototypical information security professional of the future: He accomplished much in his career to advance the cause of the industry while relying upon a diverse skill set. Ron's background as a military officer, scientist and professor allowed him to design sophisticated security systems, advocate for key structural changes in IT, and mentor many experts. Ron conducted himself with great energy and an even greater sense of humor.

A graduate of the U.S. Naval Academy, Ron developed security systems for the U.S. Department of Defense and the intelligence agencies, many of which are still in use today. Ron variously held roles as a chief scientist and systems architect before capping his career as consulting director for security and trust architectures and service for Computer Sciences Corporation (CSC). Ron was most passionate about his role as an educator as an associate professor at Towson University.

Ron's impact upon the Cloud Security Alliance was significant. While at CSC, Ron invented a technical specification called Cloud Trust Protocol (CTP) for cloud transparency. CTP is a specification to automate the capability to query any type of cloud provider in order to understand the provider's ability to meet customer requirements, including but not limited to security, governance, risk and compliance. The requirements to be evaluated are based on a concept of elements of transparency.

CSA discovered Ron and his CTP project and prevailed upon him and his employer to let CSA take over the development of CTP and incorporate it into the CSA Governance, Risk and Compliance (GRC) Stack. Ron joined CSA as part of the GRC leadership team and took an active role in the development of our research roadmap and GRC training. Ron's fervent evangelism around the necessity of transparency on the part of providers was ahead of its time and quite influential in CSA's strategy around GRC, including the development of the CSA Security, Trust and Assurance Registry (STAR). CSA volunteers will be working over the course of the next two years to fulfill Ron's vision of robust security requirements, continuous monitoring and accountability on the part of cloud providers via transparency.

Beyond Ron's tremendous technical prowess and business savvy, he was one of the most genuine and likeable people in our industry. Quick with a joke, caring about his co-workers, and dedicated to his family, Ron Knode was a one-of-a-kind security warrior who influenced many and left the world a better place.

Jim Reavis is co-founder and executive director of the Cloud Security Alliance.


This was first published in October 2012



Gary McGraw: Proactive defense prudent alternative to cyberwarfare

In cyberwar, having a good offense is not the same as having a good defense. It is much more dangerous. The current call to cyber-arms permeating Washington is a serious problem. The purveyors of cyber-offense and "active defense" seem to not understand the role that proactive defense through security engineering can play in averting cyberwar.

Cyber-information systems control many important aspects of modern society, from power grids, to transportation systems, to essential financial services. They sample air quality, spy on people, track movement of fissile materials, enable remote-controlled bombing, manage hardware and software supply chains, facilitate billions of dollars in fraud each year, form the core of massive botnets that can take giant corporations offline, predict weather events, and allow split-second financial trades that move world markets. Our dependence on these systems and their inherent complexity and interrelated nature is not well-understood by the "non-geeks" who make both policy and business decisions. This makes for a real and present danger of cyber-exploit. That's because a majority of these essential systems are riddled with security vulnerabilities.

As such, our reliance on these vulnerable systems is a major factor making cyberwar inevitable. The cyber-environment is target-rich and easy to attack, and even weak actors can have a major asymmetric impact. Billions invested in detective and reactive controls do not seem to have measurably improved our national application portfolio or hardened our national attack surface. The only viable solution to this problem is to improve our cyber-defenses proactively by greatly increasing our appetite for, and our ability to design and implement, secure software.

Offense masquerading as 'active defense'

When the Washington Post publishes a story hyping an ill-considered notion of cyber-retaliation misleadingly called "active defense" as a rational idea, we should all worry.

Active defense is normally a fairly innocuous and well-understood military term that refers to efforts to thwart an attack by attacking the attackers. In this nomenclature, "passive defense" would be protection through proactive security engineering. Strangely, this notion of passive defense (or protection) is completely ignored in the cyberwar debate. This is surprising, because proactive defense can serve as a differentiator and a serious deterrent to war.

Protection can make you stronger. In some sense, U.S. cyber-strategists are like the ancient Greeks who went into battles without any protective shields. Why would anybody do that when from a survivability point of view it seems so absurd?

National security reporter Ellen Nakashima's story on Sept. 16 described recently retired FBI cyber-lawyer Steven Chabinsky's frustration with the government's overly bureaucratic approach to cybersecurity through checklists (think FISMA). Unfortunately, Chabinsky's misguided answer is to "enable companies whose computer networks are targeted by criminals and foreign intelligence services to detect who's penetrating their systems and to take more aggressive action to defend themselves." Worse yet, Nakashima reported that former CIA director Michael Hayden "has said that given the limits of the government in protecting companies in cyberspace, he expects to see the emergence of a 'digital Blackwater,' or firms that hire themselves out to strike back at online intruders." For the record, firms like this already exist and are active.

Secretary of Defense Leon Panetta's recent October 2012 speech about cyberwar added a new and even more dangerous twist to the notion of active defense. Panetta specifically extended the notion of offensive action to include preemptive attacks (though he did not specify whether such attacks would be exclusively cyber) when he said, "We need to have the option to take action against those who would attack us."

The implications of Panetta's thinking are even more dangerous than the original active defense concept floated by Chabinsky in Nakashima's article. Knowing where this thinking is all coming from is entirely relevant. Chabinsky works for a new "cybersecurity" company called CrowdStrike, founded by former McAfee CTO George Kurtz. They describe themselves as a "team of visionaries, rebels who believe the current state of security is fundamentally broken and want to do something about it. More importantly, these are the patriots who are tired of seeing our intellectual property and competitive advantage wiped away under the thinly veiled cover of an Internet address."

The hairy, unsolved problem in the room here is attribution. Simply put, it's difficult to know with any certainty where a cyberattack may have originated.

Bilbo Baggins, attribution and cyber-escalation

In a famous scene from Tolkien's book The Hobbit, the protagonist Bilbo Baggins, his dwarf travelling companions, and Gandalf the wizard are confronted by three trolls. The scene unfolds as follows:

Bilbo, in an ill-fated robbery attempt (his first act as "burglar"), is captured by three trolls. The dwarves are attracted to the same clearing by the noise of a fight between the trolls over what to do about Bilbo. The trolls stop fighting long enough to capture the dwarves in sacks as they approach. The trolls plan to cook the dwarves immediately, but a voice -- which sounds exactly like one of the trolls -- starts an argument and the trolls begin fighting again. The trolls fight long enough that the sun rises and the trolls immediately turn to stone. Gandalf had been throwing his voice to keep the fighting and arguing among the trolls going until the sun came up.

The question at hand is how the trolls might have determined that it was Gandalf and not each other (and the dwarves) that was causing and then prolonging their fight? The answer, of course, is that the trolls had no way of figuring that out.

We have exactly the same problem on the Internet today. The source of an attack is often very difficult to determine. This is called the problem of attribution, and it has been carefully studied.

Given an active defense position such as the one championed by Steven Chabinsky, it is easy to see how a "Gandalf" could cause no end of trouble by keeping the trolls (nation states) engaged in a fight.

Kurtz and company think about solving the attribution problem in this way: "By identifying the adversary and revealing their unique TTPs (i.e., modus operandi), we can hit them where it counts -- at the human-dependent and not easily scalable parts of their operations." Are we witnessing the emergence of a cyber-Oliver North?

Cyber-offense technically easy (and environment target-rich)

Perhaps the real purpose behind active defense is to act as deterrence. But is a strong offense a real deterrent? What is critical to understand is that developing offensive capabilities does nothing to prevent others from doing so. Empowering the military to launch a cyberattack (either reactive or preemptive) doesn't prevent cyberwar nor does it disincentivize other countries from being first movers in a cyberwar. Even in the case of verifiable attribution and controlled proliferation, it is not clear how a purely cyber preemptive or retaliatory strike would incapacitate the target's offensive cyber-capabilities.

In the United States, our cyber-weapons are just as advanced as our war-fighting drones. Operation Olympic Games, which deployed Stuxnet against the Iranian nuclear refinement program, showed just how far cyber-offense capability has come. The real question is, "Who else can develop this kind of capability?"

From a technical perspective, Stuxnet provides a prime example of a cyberweapon and is interesting not only because of its impact, but because of the relative simplicity of its attack payload. The problem is that Stuxnet hype oversold the capabilities required to create an effective cyberweapon. Hyperbole about Stuxnet may lead non-technical policy makers to assume that relatively weak actors will not be able to participate in offensive cyberwar. That is wrong.

Unfortunately, modern systems are so riddled with security vulnerabilities that carrying out a spectacular attack is relatively easy. Studies show that on average every day there are thousands of exploitable vulnerabilities not yet made public or patched. These so-called zero-day vulnerabilities are actively exploited every day by attackers around the world.

Some technical background information about Stuxnet can help make this clear. Stuxnet is in essence a stealthy control system that can be used to disrupt a physical process under the control of a particular Siemens process-control system. Stuxnet does most of its real dirty work (after installing itself and hiding itself from detection) by injecting some code into the running system (a DLL called s7otbxdx.dll). This classic "DLL injection/interposition attack" is used to manipulate data flow between the programmable logic controller (PLC) and the SIMATIC control systems. Think of this as an "attacker in the middle" scenario where the injected code sees and can manipulate all traffic passed between the PLC and the control systems. German analyst Ralph Langner explained what the rogue DLL does by referencing its decompiled code. See Langner's book Robust Control Systems Networks. Basically, the code ensures it is running on a valid PLC target (making various probes of specific words in memory, checking CPU type and control process type, and identifying individual targeted controllers). If it has acquired a target, it injects code directly into the PLC's Ladder Logic (LL). This is the code that directly impacts a physical process. In a personal communication, Langner said, "There are actually two distinct payloads, and only the smaller, less-complex one manipulates the centrifuge drive speed and uses OB35 (it also uses OB1). The code injection in OB35 simply was the first hard forensic evidence we gathered in decompiling wire traffic sent from the dropper to the controller."

In essence, the LL code can be used to disrupt a physical process. In another personal communication, Langner said: "In a nutshell, the attackers manipulate the centrifuge drive system and the cascade protection system in ways that cause rotor trouble, which the Iranian operators then attribute to mechanical failure or incompetence. In order to do that, the attackers used in-depth knowledge about those IR-1 gas centrifuges and a complete mockup for destructive testing. According to our recent analysis, they most likely even had their mockup filled with real uranium hexafluoride because two of the three distinct attacks involved process gas. The big thing that most people don't understand is that all this sophistication is not required for copycat attacks because it was only used to disguise the cyberattack [emphasis mine]. When an attacker is not interested in disguise, they don't need to put in all that sophistication. Now imagine you're a terrorist or a criminal who intends to extort a power utility; disguise would actually be counterproductive in such scenarios. They want the target to know they are under cyberattack, and they don't even intend to hide the origin of the attack."

To bring this all home, imagine the timer controlling the spin velocity of a centrifuge working incorrectly. Centrifuge systems require careful balance and exacting technical control when used to enrich uranium. Stuxnet intentionally sabotaged this control, resulting in the destruction or disabling of thousands of centrifuge units. Though the delivery mechanism for Stuxnet involved a number of previously unknown zero-day vulnerabilities, stolen crypto credentials, and other arcana, the action part of the payload itself was not very technically sophisticated. DLL interposition of the type explained above was well known in 1997, is easy to carry out, and is so elementary that it does not even work as an attack against today's online gaming systems.

Put another way, most modern control systems are so poorly designed from a security perspective that they are vulnerable to attacks devised over fifteen years ago. Creating a cyber-payload is not rocket science. Unfortunately, neither is getting that payload to an intended target as evidenced by the myriad reports of USB stick misuse, connecting personal devices to corporate and even classified networks, and so on.

Cyber-rocks are cheap and everyone can buy them

Compounding the "ease of exploit" problem is the fact that developing a cyber-offense capability is fairly cheap. Listing some relative costs can help make this clear. (All of these estimates are provided by Ralph Langner in his talk, Cyber Warfare: Preparing for the Inevitable.) A nuclear sub fleet costs on the order of $90 billion to develop. A stealth fighter program costs $40 billion. The Eurojet fighter and the Leopard II tank fleet run $10 billion. Contrast these price tags with the costs associated with cyberwarfare systems. A cyberweapons program aimed at hardened military targets may cost $1 billion (an order of magnitude less than the weapons systems listed above). But more telling is the relatively tiny $100 million price tag for a cyberweapons program targeting essential civilian systems. Even more worrisome is the estimated $5 million it might cost to craft a single-use attack against critical infrastructure to use in terrorism.

Put simply, the relatively small cost of cyberweaponry puts it well within reach of the 70 countries with defense budgets over $1 billion, not to mention the 20 countries that spend over $10 billion. Even loosely affiliated terrorist groups can raise $5 million.

Creating a cyber-rock is cheap. Buying a cyber-rock is even cheaper since zero-day attacks exist on the open market for sale to the highest bidder. In fact, if the bad guy is willing to invest time rather than dollars and become an insider, cyber-rocks may in fact be free of charge, but that is a topic for another time.

Given these price tags, it is safe to assume that some nations have already developed a collection of cyber-rocks, and that many other nations will develop a handful of specialized cyber-rocks (e.g., as an extension of many-year-old regional conflicts). If we follow the advice of Hayden and Chabinsky, we may even distribute cyber-rocks to private corporations.

Obviously, active defense is folly if all it means is unleashing the cyber-rocks from inside of our glass houses since everyone can or will have cyber-rocks. Even worse, unlike very high explosives, or nuclear materials, or other easily trackable munitions (part of whose deterrence value lies in others knowing about them), no one will ever know just how many or what kind of cyber-rocks a particular group actually has.

Offense is sexier than defense

Now that we have established that cyber-offense is relatively easy and can be accomplished on the cheap, we can see why reliance on offense alone is inadvisable. What are we going to do to stop cyberwar from starting in the first place? The good news is that war has both defensive and offensive aspects, and understanding this fundamental dynamic is central to understanding cyberwar and deterrence.

The kind of defense I advocate (called "passive defense" or "protection" above) involves security engineering -- building security in as we create our systems, knowing full well that they will be attacked in the future. One of the problems to overcome is that exploits are sexy and engineering is, well, not so sexy.

I've experienced this first hand with my own books. The black hat "bad guy" books, such as Exploiting Software, outsell the white hat "good guy" books like Software Security by a ratio of 3:1. I attribute this to the NASCAR effect. The NASCAR effect causes shortsighted pundits to focus on offense, which is sexy, to the detriment of defense, which is engineering. Nobody watches NASCAR racing to see cars driving around in circles. The people in the stands (as opposed to drivers, owners and insurance companies) watch for the crashes. People prefer to see, film, and talk about crashes more than to learn about building safer cars. There is a reason why there is no Volvo car safety channel on television, even when there are so many NASCAR-like channels.

This same phenomenon happens in cybersecurity. In my experience, people would rather talk about cyberwar, software exploit, digital catastrophe and shadowy cyber-warriors than talk about security engineering, proper coding, protecting supply chains and building security in. It's much sexier to talk about cyber-offense and its impacts than to focus on defense and building things right in the first place.

To be fair, it takes real engineering to build good, robust, targeted, reliable offensive cyberweapons. Part of my point is that no such rocket science is required given the state of software security today.

Proactive defense versus reactive defense

We've established that offense, even in the guise of active defense, is a poor deterrent. If everyone has cyber-rocks and attribution is difficult, a cyber-troublemaker can start a real war using Gandalf's trick. What are we to turn to as a deterrent or a power differentiator?

The answer is clear: cyber-defense.

Sadly, not all cyber-defense is created equal. A misunderstanding about different kinds of defense can lead to an incorrect approach and a false sense of security. As I established above, the U.S. has developed formidable cyber-offenses. Yet its cyber-defenses remain weak. What passes for cyber-defense today -- actively watching for intrusions, blocking attacks with network technologies such as firewalls, law enforcement activities, and protecting against malicious software with antivirus technology -- is little more than a cardboard shield. This reactive defense relies on monitoring our broken systems and keeping an eagle eye out for attacks to respond to. When Defense Secretary Leon Panetta said: "Through the innovative efforts of our cyber-operators, we are enhancing the department's cyber-defense programs. These systems rely on sensors and software to hunt down malicious code before it harms our systems. We actively share our own experience defending our systems with those running the nation's critical private-sector networks," he was talking about the wrong kind of defense.

Simply put, the U.S. has neglected its proactive cyber-defenses because strengthening them is a painstaking and unglamorous task. Because of the NASCAR effect, emphasizing cyber-offense and reactive defense attracts more attention and funding than a more prosaic focus on proactive defense and building security into software at the outset. Ultimately, a balanced approach to cybersecurity requires offense, reactive defense, and proactive defense in more equal measures.

Software security is a relatively new discipline that takes on the challenge of building security in, and has seen real success among actively engaged and forward thinking corporations. In general, software security progress is more advanced among private corporations (including multi-national banks and independent software vendors) than in the public sector, which lags years behind. For real data, see the BSIMM.

The only way to address the cybersecurity problem and slow the accelerating slide into cyberwar is to build security into our modern systems when they are created.

Proactive defense as a differentiator

Assuming that cyberwar is inevitable, or even desirable, the case for building security in can also be presented as a means to achieving "superiority" in cyberspace. This is relevant because in the cyber-domain, the advantage of striking first is not exactly clear. It is evident that whoever strikes first can expect retaliation, since it is exceptionally difficult to incapacitate another country's offensive cyber-capabilities permanently (and it is neither difficult nor expensive to conduct a retaliatory strike, even if it is only symbolic, and even if it must be done from some other country's networks). Therefore, no matter how much is spent on cyber-offense, cyber-defense must be addressed anyway. The conclusion to this line of thinking also leads directly to building security in.

Interestingly, the U.S. is in a good position to outspend its adversaries on proactive defense. Proactive defense can be our differentiator and a serious deterrent to war.

Cybersecurity policy must focus on solving the software security problem -- fixing our broken systems first. We must refocus our energy on addressing the glass house problem instead of focusing on building faster, more accurate rocks to throw. We must identify, understand and mitigate computer-related risks. We must begin to solve the software security problem.

Acknowledgements

Thanks to Sammy Migues (Cigital), Ralph Langner (Langner Communications), Ivan Arce (Fundacion Sadosky) and Thomas Rid (King's College London) for insightful comments on an early draft.

About the author
Gary McGraw, Ph.D., is CTO of Cigital Inc., a software security consulting firm. He is a globally recognized authority on software security and the author of eight bestselling books on this topic. Send feedback on this column to editor@searchsecurity.com.




Cloud adoption prompts secure data management, access control issues

Cloud computing options offer companies the advantage of significant savings by eliminating the need for expensive hardware purchases and the additional staff required to maintain in-house data centers, but the benefits realized are tempered by logistical nightmares regarding keeping track of sensitive information, ensuring secure access control, and dealing with data destruction.

A study released back in June by data management provider Varonis Systems revealed that 67% of senior management have little or no idea where their company's data actually resides, and few have procedures in place to keep track of it once it is placed in the cloud. The New York-based firm distributed the survey to attendees at EMC World in 2012 and received responses from individuals from more than 400 companies.

The survey results supported a common theme: Many firms fail to undertake a comprehensive data assessment to know where data resides, said Alan Shimel, managing partner at The CISO Group. “Except in the case of those with strategic considerations, most companies don't pay much attention to where their data is stored,” Shimel said.

In addition, company policies concerning which file sharing services are allowed and what is permissible to be placed in them are still coalescing, Shimel said.

"One shudders to think what is stored on services like Dropbox or Box. In the end though, these are just cloud growing pains," Shimel said. "Data ingress and egress, as well as data storage, are going to have to be better managed in a cloud world."

Ben Rothke, an information security manager for a worldwide hospitality firm, agrees with Shimel in noting that one of the major hurdles to managing data in the cloud is that many firms do not have up-to-date network diagrams and lack mapping of their data stores.

Previously, when Rothke was working as a Payment Card Industry Qualified Security Assessor at BT Global Services, he observed that most firms could more readily tell you how many laser toner cartridges they had locked in the storeroom than account for where their merchant data resided, creating the potential for compliance liabilities.

“Moving data to the cloud is like looking for a ninja, you know it is there but you can't find it. The good news is that quality cloud providers have management tools that can be used to track data and files. But if a firm does not have a technical staff in place that is doing this already, it is unlikely they will magically be able to do it with an outsourced cloud solution,” Rothke said.

Secure access control and BYOD

The Varonis study also revealed that less than 10% of the companies surveyed currently have procedures in place to control access to data stored in the cloud, and only 23% acknowledged that they were in the process of developing access control policies.

Complicating secure access issues is the increasing popularity of Bring Your Own Device (BYOD) options, another strategy that offers an alternative to costly hardware outlays for companies that allow employees to use personal devices like smartphones and tablets for business activities. Over half of the respondents in the study said they would allow BYOD if secure access to the cloud did not inhibit employee collaboration and productivity.

“Adding BYOD to this mix makes it exponentially harder for IT management. Employees using their own devices, which have even less visibility for the IT department, creates more ways that confidential data can make its way out of the control of the organization,” Shimel said.

Data destruction in the cloud

Another important cloud computing issue which was not addressed in the Varonis study is the complicated nature of effective data destruction measures, especially when the information is of a particularly sensitive nature or governed by regulatory compliance mandates.

“As for data destruction in the cloud, there are no easy answers. The best thing to do is ensure that all data is encrypted. But for organizations that won't do that, data destruction is not an easy endeavor in the cloud,” Rothke said.

Rothke noted that security guidance from the Cloud Security Alliance (CSA) indicates that data destruction is extremely difficult in a multi-tenant environment, and the cloud provider should be using strong storage encryption that renders data unreadable when the storage is recycled, data is disposed of, or when accessed by any means outside of an authorized application, process, or entity.

Further guidance for the secure disposal of data in the cloud was provided by David Navetta, one of the partners at the Information Law Group, when he drafted the Cloud Customers' Bill of Rights (.pdf). “Article VII states that cloud service providers shall reveal their data destruction practices and develop destruction capabilities in order to allow their customers to implement their own programs,” Rothke said.

“Also, if the cloud provider touts their ability to destroy your data, require them to prove it. The challenge is that cloud data is often copied and replicated, so it is hard to know where it is and you must work very closely with the cloud provider to ensure that data destruction is complete,” advises Rothke.

In the end, the adoption of cloud computing does not simply absolve an organization of its responsibilities by making due diligence the sole task of the service provider, and careful attention to the design of Service Level Agreements (SLAs) can lessen the potential impact on an enterprise arising from these issues.

“The cold reality of outsourcing anything and especially the cloud is that if a firm does something poorly and hands it off to an outsourcer, odds are the outsourcing provider will inherit a bad process. If a firm has good processes in place and makes a business decision to move to the cloud, and creates SLAs and processes for the cloud provider to follow, then the move to the cloud will likely be successful,” Rothke said.




CrowdStrike advocates offensive security, proactive defense approach

A noted security expert is advocating the need for the federal government and some private-sector firms to go on the offensive against sophisticated cybercriminals, hunting down and disabling their systems in an attempt to make their activities cost-prohibitive.

Going on the offensive could deter nation states from conducting offensive cyberstrikes against critical infrastructure, and discourage financially motivated cybercriminals from targeting certain private-sector companies, said Dmitri Alperovitch, co-founder and CTO of security firm CrowdStrike. Alperovitch spoke to reporters during a conference call about proactive defense on Wednesday. The event was coordinated by organizers of the RSA Conference, one of the security industry's largest annual events.

"Active defense is a euphemism for going outside of your network and taking some action to disrupt, degrade or take down your adversary's infrastructure," Alperovitch said. "It's about taking actions to disrupt them in a business sense as well."

Taking an offensive security approach is emerging as a controversial issue, with some experts calling it potentially dangerous, fanning the flames on terrorist groups, nation-states and other organizations that have the resources to invest in attack tools, new malware and skilled hackers. Experts say it is costly and potentially illegal to go on the offensive because in most cases it is difficult to pinpoint the location and source of many cyberattacks.

"There's a huge difference between striking back through the net and striking back through the courts," said Pete Lindstrom, research director at security research firm Spire Security. "It's intriguing but very dangerous. It's one thing to probe someone and another thing to somehow disable someone or develop a presence on their systems."

CrowdStrike hopes to assist organizations in tracing, disrupting and unveiling cybercriminal operations. The organization is being led by George Kurtz, the former CEO of Foundstone and CTO of McAfee, and has built up a cadre of high-profile names, including Shawn Henry, who spent 24 years with the FBI, and most recently Steven Chabinsky, a 17-year FBI veteran who served as the FBI's top cyber-lawyer.

"We want to get adversary to think that if [we] launch [an] attack against a victim, there will be costs to pay," said Alperovitch, who admitted that a fully offensive approach hasn't been broadly tested. He said organizations like Microsoft have found some success with the legal system in getting spam botnets shut down. But many cybercriminals keep returning to their nefarious activities, despite having their operations repeatedly disrupted.

An offensive tactic was put to use more recently by the Georgian Computer Emergency Response Team (CERT). In a report (.pdf) issued by that country, the computer forensics teams pinpointed the location of an attacker based on his ISP by luring him with a fictitious document titled "Georgian-Nato Agreement," which contained malware. Georgian officials indicated that the malware enabled them to capture video of a Russian hacker.

"A determined adversary will always get in," Alperovitch admitted, adding that today most offensive security tactics are illegal. "It's conceivable that they will spend $100,000 -- or even a million dollars -- because there is nothing that compares to the return that you will get."

For example, Alperovitch said the private sector has the authority under limited circumstances to go into a server being used for stolen data storage and get the data back. Security teams can use the exact same credentials used by the attacker, taken from network captures, and only access and remove the stolen data. "There are constraints on that," Alperovitch said. "If you can call the FBI or police to take that action, then you do not have authority to take law into your own hands and should follow the normal process."

Spire Security's Lindstrom doesn't completely dismiss a more active approach to cybersecurity. Enterprises could seek court approval to shut down malicious command-and-control servers, as Microsoft has done. Taking out malicious servers is somewhat of a game of "Whac-A-Mole," but over time, it can have a desirable impact, he said.

"We're trained now as security professionals to always say we can't stop someone who has a million dollars to spend on resources," Lindstrom said. "It's prudent to believe that, but not everyone is going to have a million dollars. If you can invade their territory, what would it do to their morale and confidence?"




Hurricane Sandy tests business continuity, disaster recovery

In the aftermath of Hurricane Sandy, which disrupted power, internet, phone and numerous other technical services for millions along the east coast of the US, organisations are in an ideal position to check the efficiency or shortcomings of their 'in-case-of-disaster' plans.

One factor companies should consider for their business continuity (BC) plans is additional measures to keep their web presence alive during a natural disaster.

On Monday, New York-based internet service provider Datagram lost power due to the storm, effectively knocking out several high-traffic websites hosted by its data centre, including The Huffington Post, Buzzfeed and Gawker.

Doug Madory, a senior research engineer at Renesys, which provides resources for organisations to manage internet-based critical processes, told SCMagazine.com that companies should always have a back-up option for their websites.

“We would advise a business to have redundancy in how they reach the internet,” Madory said. “They should have multiple physical paths to the internet, in case one internet service provider drops out.”

Organisations can also consider using a content delivery network (CDN) to ensure their website is hosted in numerous locations.

“[CDNs] have data centres all around the world, and they make sure that if any centre goes down, your users won't be affected,” Madory said.

In addition to preparing for the actual disaster, management should also train employees to fend off disruptive occurrences that could appear after the fact. Scammers looking to take advantage of crisis response efforts, for instance, are another likely threat.

The Federal Trade Commission posted a warning on Wednesday about scammers, who could email individuals at work or at home to encourage them to donate to disaster relief groups.

Identity Theft 911 published a blog post on Tuesday on additional scams to watch out for, including Hurricane Sandy-related photos or videos on social networking sites, which actually download malware when clicked. Users should also be wary of phishing attempts that guide victims to illegitimate sites designed to look like charities.

“Double check the legitimacy of the site you're clicking to from your email, Facebook or elsewhere,” said the post. “When in doubt, check your local American Red Cross or the national [Federal Emergency Management Agency] FEMA site to find local help.”



Communications data will be 'honeypot for hackers' says peer

Serious criminals and nation states will increase attacks on communications providers with UK customers if a controversial draft communications law is enacted, according to a Liberal Democrat peer.

The draft law, styled by critics as the 'Snooper's Charter', seeks to force communications service providers (CSPs) to retain valuable personal data for scrutiny by law enforcement.

Lord Strasburger, who sits on a joint parliamentary committee that is scrutinising the bill, said in a committee meeting with home secretary Theresa May on Wednesday that the data would be "a honeypot for hackers".

"If this bill were enacted, there would be a massive increase in the data being held about every citizen who uses the internet," said Lord Strasburger. "This data would be a honeypot for casual hackers, blackmailers, criminals large and small all over the world, and foreign states."

Under the draft Communications Data Bill, CSPs will be required to hold metadata on all UK citizens' web communications, including social media and instant messaging. Data such as who is speaking to whom, when and where will be collected. This data will be valuable, and will provide more of a motive for hackers to attack CSPs, said the peer.

Public and private sector organisations have a "woeful record" in protecting data they hold from loss or theft, Strasburger said.

"Why should the public have any confidence that their private and financially valuable data will remain secure?" said Strasburger.

Organisations including Nasa, Microsoft, Yahoo, Bank of America, CitiGroup and Apple have all suffered data breaches, the peer added, and LinkedIn recently had 6.5 million passwords stolen.

Not only will attacks be more serious, but they will be more likely to succeed, said Strasburger.

"We've heard from experts, including some of the CSPs, that they actually have concerns about their ability to withstand attacks given the increased amount of data and the increased attractiveness of this data," said Strasburger. "They are all vulnerable. Some of the experts have told us: this data will get out."

The government's position is that the mass of data will not be held by the public sector, and private sector organisations will face legal penalties for communications data breaches, said May.

"This is data that will be held by the private sector, by the CSPs," said May. "Obviously we've been talking to them about the security of that data, there will be, as you know, some sanctions in the bill in terms of any breaches in relation to the security of that data."

May said that CSPs are already holding significant amounts of data about people's communications, and that holding different types of data did not alter their security position or risk of attack.

"They will be holding more data, they will be retaining it for 12 months," said May. "That's what they do on some of the data anyway today, so the concept of the private sector holding data, and whether or not that is secure for individuals, is not changed by the nature of this bill."

May added that the government has to decide whether law enforcement agencies should be able to "carry on bringing people to justice and saving lives" by enacting the bill.

The joint committee has taken evidence on the Communications Data Bill from a number of organisations, including the police and CSPs.



Data law update 'could cause confusion' say MPs

The European Commission needs to go 'back to the drawing board' over proposals to amend European data law, according to a UK parliamentary committee.

The proposals risk dividing UK data laws in two, leading to confusion for organisations that must comply with those laws, the Commons Justice Committee said on Thursday.

The Commission has proposed the introduction of two legal instruments - a regulation and a directive, each of which would need to be transposed into UK law. The committee said that this approach risks causing confusion for organisations.

In addition, the proposals are rigid and do not give enough autonomy to data regulators in individual member states, the committee said.

"We believe that the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive," said committee chairman Sir Alan Beith.

Data protection authorities should be free to handle factors associated with compliance, such as the level of fees or when the authority should be informed about a data protection impact assessment, said the committee.

The committee found some positives in the proposed legislation, saying that data protection needed to be harmonised across European member states.

The Commission rejected the committee's criticism about having two legal instruments. Justice spokeswoman Mina Andreeva told SC Magazine UK on Thursday that the legislation "strikes the right balance".

"The regulation, for the private sector, gives companies much needed legal certainty, and saves costs (up to €2.3 billion per year)," said Andreeva. "The directive gives law enforcement authorities the needed flexibility, as we are talking about internal security. The regulation does not need implementation, but will be directly applicable, and therefore it is hard to see where confusion could arise."

Data protection authority (DPA) powers will be harmonised by the legislation, and regulators will have discretion to set the level of fines, said Andreeva.

"The data protection reform gives all national data protection authorities the same tools so that they can enforce the rules properly in their country," said Andreeva. "Currently powers vary very much and some DPAs cannot even levy fines. Our reform will equip them with the necessary 'teeth', including the possibility to levy fines.

"Nevertheless DPAs will still have the necessary discretion in their choice of sanctions and regarding the level of fines - depending on the circumstances of each individual case. Therefore also on this point we believe that the proposal strikes a good balance."

The European Commission wants to reach political agreement on the incoming data rules by July 2013, Andreeva added.

"The UK recognises that companies and citizens will best benefit from uniform and strong data protection rules which apply equally throughout the entire EU," said Andreeva. "The Commission will continue working closely with the European Parliament and member states to meet the objective of the incoming Irish EU presidency of reaching political agreement of the reform by July 2013."



Vupen offers Windows 8 zero-day for sale

French security company Vupen claims to have defeated Windows 8 security just days after the official launch of the operating system, and has offered a zero-day exploit for Windows 8 and Internet Explorer 10 (IE10) for sale.

Vupen offers a number of services, including government-grade exploits for intelligence-service hackers and law enforcement.

The zero-day overcomes security measures such as address space layout randomisation (ASLR) and data execution prevention (DEP), Vupen said in a Tweet on Wednesday.

"Our first zero-day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8", said the Twitter message.

Address space layout randomisation helps curb memory-based attacks, and DEP can mitigate applications executing data in certain memory locations, security vendor Kaspersky Lab said in a blog post on Thursday. Return-oriented programming (ROP) techniques help attackers bypass ASLR and DEP, said Kaspersky Lab, in reference to Vupen's anti-ROP bypass claim.

Vupen used a number of zero-days to bypass the Windows 8 and Internet Explorer 10 threat mitigations, Vupen chief executive Chaouki Bekrar said in a Tweet on Wednesday.

"We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations. Congrats to our mitigation mitigator @n_joly", said Bekrar.

Windows 8 launched on Thursday 25 October with a number of low-level security features. For example, Secure Boot uses unified extensible firmware interface (UEFI) instead of BIOS, and early launch anti-malware (ELAM) is a driver that examines other drivers for infection. Kaspersky Lab said that by claiming a successful zero-day, Vupen also claimed to have cracked these security features.

Microsoft had not responded to a request for comment at the time of writing.



DigiNotar hack details revealed by Dutch government

Details of the hack that led to man-in-the-middle attacks on hundreds of thousands of Iranians' Google accounts and ultimately the liquidation of certificate authority DigiNotar have been released by the Dutch government.

The 'Black Tulip' report by security company Fox-IT charts how a hacker, believed to have been based in Iran, gained access to internal DigiNotar systems. The hacker, who claimed responsibility for a hack on certificate authority Comodo, first gained access to web servers in DigiNotar's external Demilitarised Zone (DMZ-ext-net) on 17 June 2011.

From the DMZ, the hacker traversed office systems, and managed to tunnel into DigiNotar's Secure-net on 1 July 2011. The Secure-net contained the company's eight certificate authority servers. Specialised tools were used to create tunnels that gave the hacker an indirect connection to the internet for remote access to the servers.

The hacker successfully issued the first rogue certificate on 10 July 2011. All of DigiNotar's certificate servers were compromised, including a server used to generate certificates for Dutch e-government services. In all, 531 rogue certificates were detected as having been created.

One rogue certificate for Google.com was used to perform a massive man-in-the-middle (MITM) attack on Iranian Google users. Users who tried to reach legitimate Google sites were redirected to fake versions of those sites. A total of 298,140 unique IP addresses were victimised during the MITM attack.

After an investigation into the DigiNotar hack, the Dutch government completely revoked trust in DigiNotar-issued certificates, forcing the company's bankruptcy in September 2011.

The 'Black Tulip' final report was published on 13 August 2012, and made public by the Dutch Ministry of the Interior on Monday. An interim report was published on 5 September 2011.



RBS faces £175 million bill for IT meltdown

RBS has said it could cost up to £175 million for it to redress the effects of an IT failure that hit balance updates at RBS, NatWest and Ulster Bank this summer.

The £175 million charge, detailed in RBS' Q3 results, has been set aside to include compensation for the incident.

RBS has revised the figure up by £50 million from a Q2 estimate due to the length of time Ulster Bank customers suffered problems, RBS said on Friday.

In June a maintenance error traced to one of the banking group's Edinburgh data centres caused a batch-processing glitch.

Customer balances could not be updated, creating a backlog of work at the banking group. The huge backlog itself then added to the confusion.



The media is your message

Should you use social marketing for your business - and when is it time to call in the experts? Business owners and advisers share their experiences with Diana Clement

Business owners face pressure to master social media. They hear that XYZ Ltd has boosted traffic to its website thanks to its social media strategy. And ABC Co has become a household name.

For businesses that haven't caught the bug yet, it is easy to dismiss social media as a fad. Yet a website isn't enough these days. It's flat and little more than a brochure. Social media pages can be like having websites on steroids.

The number of potential customers a business can reach through Facebook and other social media sites such as Twitter and Google+ is huge.

Lara Bancroft, head of interactive marketing at Yellow, says some businesses have made a real success of their social media strategy.

She cites Auckland restaurant Mexicali Fresh, which has 5454 "likes" on its Facebook page. Every time the restaurant posts an offer it shows in the newsfeed of those 5454 people. If they like or share the posting, it could reach 100,000 people.

While small and large businesses are doing social media well, medium-sized enterprises have struggled with their social media marketing. There are success stories such as Whittaker's chocolates and Rialto cinemas.

However, many medium-sized companies dismiss social media as a marketing platform and put a blanket ban on it, says Craig Garner, portfolio manager at the Employers & Manufacturers Association Northern. "Yet (businesses) are all about communication," he says.

Businesses in this category should maintain their website and blog, and be present on a range of social media sites, says Garner. The exact choice of sites depends on the type of business. "If you are a cake shop, for example, Pinterest might be a very powerful tool," he says.

Social media marketing is about making your business three-dimensional, says Alex Radford, interactive and digital media director at Starcom. Instead of seeing a brochure of what a restaurant offers, for example, customers see pictures of what's happening, the chef and other diners, and receive offers.

It's not just Facebook that matters. Businesses can reach and engage with customers on Twitter, Pinterest, Instagram, Foursquare, and many other social media marketing sites.

Foursquare is particularly useful for some businesses, says Bancroft. Users "check in" at the business on Foursquare with their smartphones. Or, if they're looking for a certain type of business in a locality, they can search to find the ones most checked into.

Pinterest is a site where users pin and re-pin images to their online "board". Businesses such as clothes designer Annah Stretton can use Pinterest to market their latest catalogue.

TripAdvisor, Menus.co.nz and many other websites where members can post reviews are also social media sites.

Whatever your business, says Radford, there is an awful lot of competition out there. A good social media strategy can push your business ahead of the competitors - even if you're a plumber - thanks to the power of recommendation.

As well as engaging with existing and potential customers, businesses can be very astute about how they use social media. For example, a business listed on TripAdvisor might give customers a flier as they leave, asking them to post a review. Or a video store might offer a two-for-one deal to customers who check in on Foursquare while in the shop.

Radford cites the example of Bethells Farmstay for Dogs as a business that has harnessed social media in a clever way.

Owner Sandra Darcy uploads pictures of dogs in her care to Facebook every couple of days. The dogs' owners can then see their canine friends having fun on holiday and "like" the page so that friends and family can take a look too. "Facebook is a huge selling point for us," says Darcy.

Being a success at social media is an art. Radford recommends that businesses "test and learn" rather than ignoring it.

Bancroft adds that businesses should monitor their social media activity to see how beneficial it is. The international trend, she says, is to use monitoring software that records whenever your business has been viewed, liked, rated or checked into, along with any other relevant metrics.

It's too easy, otherwise, to spend hours and hours on something with no return on investment.

Tips for socialising
- Have a purpose and goals
- Know your audience
- Put time aside for social media marketing
- Be knowledgeable about your subject
- Follow others
- Measure your success
- Respond to posts in a timely manner
- Don't over-promote your business. Engage in a conversation

By Diana Clement

Independence key to IT fix-it firm

Industry veterans rely on selling their expertise, not hardware or software

The stunning view from Clayton Wakefield's lower Queen St office takes in the high-rises that house Auckland's "big end of town". It's these tower dwellers - the likes of ANZ, Fonterra, Vodafone and the IRD - that are the core clients of the boutique IT consultancy Wakefield created five years ago with fellow technology veteran Mike Prebble.

Both left senior corporate IT jobs - Wakefield was head of technology, operations and cards at ASB and Prebble was at IBM - to form independent IT advisory firm Techspace.

The business was born out of a gap Wakefield and Prebble could see in providing impartial technology advice.

Techspace sells nothing other than its expertise, says Wakefield.

"If you contract a large IT vendor, then they have relationships around hardware and networks and software that actually, one could argue, they [have an incentive] to sell," he says.

"This is where we saw a great opportunity in the market and that's proved to be true over the five years.

"In fact it's going from strength to strength around that ability to have an organisation you can rely on for advice."

Within six weeks of kick-starting Techspace in November 2007, the pair, who were at that point running the business from the tables of Sheinkin Cafe on Lorne St, had landed their first contract.

The $90 million IT project for a financial services client saw them roll up their sleeves and get back out on the open-plan office floor.

"It was quite refreshing being on the other side of the desk from where we had both been.

"You can empathise with and understand the other guys, the people you are dealing with, the boards, the executive teams, so you can get to conclusions very quickly and help out very quickly."

He describes the firm as "advisers and doers".

"We love doing things but that always comes with advice."

Techspace was on hand to advise Air New Zealand and IBM when a massive IT meltdown in 2009 resulted in 10,000 passengers being stranded on the last day of the school holidays, prompting Air NZ chief executive Rob Fyfe to deliver a very public dressing down to the IT supplier.

Yes, Wakefield admits, he does know all the dirty IT secrets around town but he's too discreet to reveal more than that.

He says the business Techspace has created is built on trust and the independence that gives them the ability to call it like it is. "Sometimes it is hard delivering tough news to clients who have one perception when the reality is quite different from that," he says.

"I'm on a number of boards and I continue to be concerned by the lack of understanding of IT around the board table and at executive team level and it tends to fall to the CIO (chief information officer), so you have to have pretty broad shoulders in that regard.

"But it's fundamental to everyone's business these days. It's either a competitive advantage or it's a big millstone around your neck and the time has come for people to get more educated around information technology - or use a Techspace."

Wakefield says they don't write reports (although they are sometimes called on to interpret lengthy IT reports written for a chief executive), preferring instead to provide a roadmap to get results.

The practice has grown to between 30 and 40 people - the staff tally fluctuates as many contract to Techspace - but its low-key approach has seen it fly under the radar despite being a sizeable company in New Zealand terms.

David Graham, who came on board as the Auckland general manager early last year, says the majority of work comes from referrals, as do new staff.

"In the year and a half I've been here I don't go looking for people; the phone quite often rings."

Graham says he'd like to see Techspace grow to a much bigger version of what it now is.

"We've got some targets and how we might achieve that. We're looking at opportunities as and when they arise, which is a nice place to be in," he says.

Even though Techspace can count some multinationals as clients, doing work as far afield as Asia and Britain, expanding overseas isn't on the radar at the moment.

"I think there is a lot more value to be added in New Zealand first and I think that will happen by natural evolution.

"So no, we're probably not going to dash across to Sydney and start in a coffee bar in George St like we did in Auckland. I think that's highly unlikely."

By Helen Twose

Invisible Capital Reveals The Resources That Build Success

Appropriate can be a funny word. It suggests knowing something before taking action. And in business, appropriate decisions are needed to be successful.

If you're in business and seeking perspective on how to build a business properly, reading the book Invisible Capital: How Unseen Forces Shape Entrepreneurial Opportunity by Chris Rabb is very appropriate.

Even Rabb's background is appropriate for this book's theme. Currently on assignment at Temple University, Rabb is a writer, consultant, and speaker on numerous topics related to entrepreneurship, media, civic engagement, and social identity. He has been featured on programs such as MSNBC's Up with Chris Hayes. Note: You can watch the program featuring Rabb alongside JJ Ramberg at the end of this review (also read Ivana Taylor's great review of JJ's book It's Your Business).

Rabb's management of entrepreneurial programs for a business assistance program in an underserved neighborhood, along with research from sources such as the Kauffman Firm Survey and the Panel on the Study of Entrepreneurial Development (PSED), forged his examination of the resources that make or break business success.

I spoke with the author via phone after a friend's Facebook connection, and I connected with the values he presents whether on news programs or in print: Entrepreneurs must constantly assess their regular connections and how those connections are deployed as capital necessary to success.

Why Knowing “Who Did It” Is Important

If you followed the controversy about President Barack Obama's "You Didn't Do It" comment regarding business owners, you'll appreciate what this book sets out to explain. Written well before that debate, the book notes that many concepts of entrepreneurship are overemphasized.

Rabb feels that the U.S. is facing "entrepreneurial illiteracy" - a lack of meaningful insight among ordinary people becoming entrepreneurs as well as the leaders who promote entrepreneurship.

"Too many think tanks and business books act as if all it takes to achieve entrepreneurial success is to follow the Yellow Brick Road of hard work. Make it to Oz and, like Dorothy, you will get what you want.... It's time to pull the curtain aside and see how invisible capital really works. Entrepreneurs need this knowledge to build their own success. Moreover, our communities need this knowledge to understand how our fragile economy actually works - and what can help where we need help the most..."

Invisible capital is defined as a set of tactical assets that works for a given organization. The book describes that set of assets as what:

". . . influences the quality of entrepreneurship experienced by new and prospective practitioners who may have the necessary passion and perseverance, but lack the insight and perspective to adequately gauge the terrain they must navigate as entrepreneurs and business owners."

Rabb reviews these influences, highlighted by data and studies.

Chapter 2 gives a brief overview of the composition and performance of U.S. businesses. Chapters 3 and 4 connect and contrast how invisible capital operates with American society's appreciation for "striking out on our own in search of greater independence and good fortune."

For example, the way minority and women owned businesses are defined by federal programs can blur how invisible capital access remains lopsided for many of these businesses.

Develop An Economy That Creates True Strategy For Entrepreneurial Growth

Rabb's belief in the need "to inventory what you already have, and to learn what you need" shapes the solutions and support suggested in Chapters 5 and 6. Rabb makes clear that policy should distinguish genuine economic development from the mere promotion of individual beliefs that fail to leverage resources and that reinforce entrepreneurial illiteracy about developing them.

Rabb adopts Drucker's distinction between an entrepreneur and a small business, and from there the text expands its thesis. For example, Rabb presents a figure showing the diminishing odds of a U.S. start-up surviving 10 years and achieving more than $100,000 net per year:

"But the statistics tell a more sobering story, which means that some large percentage of new entrepreneurs are not just overly optimistic, they're absolutely clueless, and thus inordinately ill-prepared for their journey. They literally don't have a clue because few people in the average entrepreneur's sphere are in a position to alert them to the unseen forces that shape entrepreneurial opportunity - in particular, those things that will significantly boost their chances of achieving even modest success in business."

This may sound like a fall-of-the-American-way-of-life lament, but Rabb's genuine belief in an individual's capacity to acquire invisible capital balances that tone. Collectively making better choices about our capital is achievable, and Rabb speaks loud and clear to that objective:

"First, we can help prospective and nascent entrepreneurs build invisible capital - particularly those who are drawn to commonwealth entrepreneurship. Second, we can shed light on those aspects of invisible capital that promote enduring inequities that are not born of anything within any individual entrepreneur's control."

Answers for each economic segment are not detailed, but Invisible Capital does illuminate books in which detailed solutions are presented, such as David Gladstone's Venture Capital Investing. Its ideas about capital, combined with the historical perspective, make the investment questions raised in Gladstone's book more poignant.

Reading Invisible Capital will challenge you to examine your own resources more critically and appreciate the appropriate steps to build resources for success.

Bonus: Below is an MSNBC segment of the show “Up” with Chris Hayes which features JJ Ramberg and Chris Rabb. Check it out: