The same with sharing data between your local applications. Moving one of your most important applications to the cloud may eliminate the ability to share data with your other applications.

It may be expensive to convert your systems to run in the cloud.

Using a cloud service just adds one more entity to the finger pointing game of “the hardware guy blames the software guy, who blames the cloud provider, who blames the Internet Service Provider” etc.

In the past, it was easy to define the perimeter of your network as existing at your firewall. Everything outside your firewall is “out there” and everything inside your firewall is “in here.” Utilizing cloud services for your private data blurs the delineation.

In the next blog post I’ll focus on the dangers of the cloud.

Please post your comments on this blog.

Sometimes it is even better to have a buffer zone in-between your local network and the DMZ. In other words, for traffic to get into your network, the traffic will have to get past at least three firewalls.

Since this blog post is directed towards an executive level audience, I’ll invite IT professionals to contact me for more details. And, for any of you who are interested, click here to download a diagram that provides both a clear visual and also the details you will find helpful.

Please post your comments on this blog.

• Live “in person” presentations by a qualified presenter capture attendees’ attention and will improve their security awareness dramatically more than attending a web meeting.
• It is easy for a qualified presenter to keep attendees’ undivided attention for 90 minutes and increase their security awareness significantly.
• Qualified presenters know how to “read” the audience to know when to speed up or slow down, to use specific people’s names if that person starts to doze off since they were up all night with their newborn baby, etc.
• Require your qualified presenter to use live demonstrations. Nothing can replace “seeing the process in action.”
• Live presentations provide a unique opportunity for attendees to experience the reactions of their peers—and especially the reactions of the mangers they report to.
• Live presentations make it easier for attendees to ask questions and have them answered immediately. Usually when one person asks a question, several other people had the question too, so they benefit from the answer as well.

I’ve presented both online and in person many times. Experience has shown that in almost every case you will have a higher ROI with live training. ROI is measured based on feedback from my clients who say the live presentations dramatically increase user retention and they feel that retention provides the organization with increased protection against social engineering attacks.

Please post your comments on this blog.

• Provide 60 minutes maximum to help avoid losing attention.
• You can lose attendees’ attention before the meeting even starts.
• Attendees may choose to multi-task during the presentation anyway.
• If you have a qualified presenter, then videotaping a live presentation is generally better than recording a web meeting. Viewers often feel the presenter’s recorded presentation is more interesting than a web meeting.
• Experience with other organizations strongly suggests that your ROI will be better via a live presentation. Users “get it.”
• If you do choose to present a web meeting and/or video recorded live presentation, I suggest you notify the remote attendees ahead of time that they will be required to fill out an answer form (basically a test) afterwards. This may encourage them to pay even more attention during the presentation.

Next time I will focus on using a live presenter as the delivery method.

Please post your comments on this blog.

1. Insecure providing wide open access to whoever wanted to attach and
2. unknown to the IT professionals at the facility.

There are many problems with WiFi security.

I’ve discovered access points that were set up by a previous IT professional that new IT professionals had no idea existed. Sometimes, when large new equipment is purchased, the installers set up WiFi access points without notifying your IT professionals. Once I even encountered a WiFi access point that an employee set up under their desk so they didn’t have to look at “that ugly blue Ethernet cable!”

Beware of unknown data leaks to the outside world.

Please post your comments on this blog.

• Use bulleted lists instead of paragraphs
• Do not tell the story, just the ending
• Keep messages to 4 lines or less

Please post your comments on this blog.

For example, an IT professional called me recently about the senior managers choosing to allow their users to plug into customer networks. This practice is an IT security risk for a number of reasons. Still, if the executives understand the risks and say to do it anyway, then IT needs to follow their direction.

As mentioned last week, the process works like this:

1. IT makes suggestions to senior executives, making sure the executives understand the benefits, drawbacks, risks, likelihood, and the extent of possible damages.
2. Then, the executives reflect a summary back to IT so the executives are certain they completely understand.
3. The executives make a decision and written policies are produced or adjusted as required.
4. IT will enforce the policies and act on them accordingly.

The key is that the senior executives make an informed decision and truly understand the risk.

And yes, in case you are wondering, it is often the CEO’s computer that is the biggest security risk in most organizations because of all the “special treatment” and “exceptions to the rule” that CEO’s demand from IT.

Please post your comments on this blog.

When asked, it turns out that IT professionals have the attitude, “Well, they asked me to do it, so I did it. Why should I have to tell them it is done? Why can’t they just trust me?”

This is indeed a trust issue. IT expects the user or executive to trust that it is done, and the executive or user trusts IT to tell them when it is done. For an IT professional not to report back reduces or even destroys the trust the executives have in them.

When the user or executive has to ask if the task was complete, the IT professional feels untrusted.

I hope you have the IT professionals who always report back that a task is complete. If so, then they clearly understand trust is something you earn. If they have a habit of not getting back to people to tell them a task is completed, instruct them to do everyone a favor and start saying when they finish! You will break the cycle and start increasing trust right away. This will help you and your organization as much as it helps them!

Please post your comments on this blog.

This company, like many, had separate networks for e-commerce and for administration. The IT professional had been telling his CEO that the organization was “compliant” based on the security of the office administration network—not the IT systems that actually process, store, and transmit credit card information.  He pretended to be shocked that he needed to secure the computers and network that actually handle the credit card data.

As IT professionals, it is important to know what we are talking about when we answer a CEO’s question. Especially if a wrong answer could lead to the CEO facing fines, lawsuits, and even the failure of a business. If we don’t know, the proper response is, “I do not know but I will find out.”

As a C-level executive, business owner, and as a manager, it is important to understand that, unfortunately, some IT professionals will tell you that you are compliant with specific regulations when they really don’t know.

I want to extend my gratitude to the IT professionals who do act responsibly!

Please post your comments on this blog.

Fortunately for the CEO, after our conversation, he decided not to terminate the IT professional and keep him on board. The CEO will arrange management training for the IT professional.

In my experience, not all of the very best IT professionals are also excellent leaders and managers. Expecting all IT professionals to also be good at management reminds me a little bit of the flying cars, or amphibious vehicles. Those vehicles are pretty good at both, but not excellent at either.

Although I have met a few, should we expect IT professionals to be good managers? Many of the C-level executives I speak to feel this is a reasonable expectation. Please post your comments on this blog.