Art of Information Security

Random Insights on Protecting Data, Privacy, and Digital Infrastructure

AoIS Interviews Heather Deem, Part 1

May 5, 2009

The Art of Information Security has the great pleasure of interviewing Heather Deem. Heather is the driving force behind Candesco Marketing, and has extensive experience developing and executing marketing programs for Information Security firms. Given the current economy, Art of Information Security felt that there might be broad interest in Heather’s ideas and insights on marketing Information Security products and services.

For more than ten years, Heather has supported marketing efforts, from framing the strategy to executing on the fine details, for a wide range of technology companies including Websense, Finjan, MarkMonitor, F-Secure, and others. I met her at last year’s RSA conference at one of the networking events, and really appreciate her taking the time for the interview. Let’s jump right in…

Erik: How much of a corporation’s resources and energy (capital, time, etc.) should be reserved for marketing?

Heather:  Many companies underestimate the hours and timelines required for campaigns and programs.  Timelines of course vary depending on a company’s goals, budget, the team’s availability, and turn-around times, but in general, it is advisable to allow the following timelines:

Collateral Development: 3-4 weeks to develop a new datasheet, 1-2 weeks for datasheet revision, 4 weeks to develop a new presentation, and 2-3 months to gain customer approval and develop a case study.

Tradeshows: Reserve booth space about a year in advance in order to acquire the best booth location.  Begin planning 4-6 months prior to the event date.  Start development of booth messaging, collateral, and demonstrations at least 3-4 months prior to the show.  Direct mail campaigns, exhibitor service orders, logo’d giveaways, and advanced shipments should be completed about one month prior to the event.

Online Demand Generation Programs: The first step in planning your demand generation program is to define the target market and the offer.  Is the call to action going to be a whitepaper, webinar, podcast or other?  Creation of a new whitepaper can take 2-4 months; 2 months if outsourcing, 4 or more if using internal sources to develop.  For a webinar, you need lead time to engage and schedule your guest speaker, usually an analyst or customer.  Once the target market has been determined and the development of the offer has started, you need to identify the right media company for promotions. Most media sites typically require insertion orders to be placed 2-3 months out.  While some advertising sites have availability 1-3 weeks out, sites with reputable performance typically sell out key promotional categories or banner spots several months out.

Direct Mail Campaigns: Similar to the online programs above, you need to identify your target audience and offer, but will also need to determine the direct mail list for your campaign.  You may have a solid customer and prospect database for your targeted mailing or you may opt to rent or purchase a 3rd party mailing list.  In both cases, you should take the time to segment the list to the specific contact titles, verticals, or geographic areas which are most relevant to your targeted audience.  It is also worthwhile, especially if utilizing a 3rd party list, to confirm the contact information and the mailing address of each recipient.  Depending on the size and quality of your list, the process of scrubbing the list may take days or several weeks. This step is less necessary if you are mailing an inexpensive post-card, but quite necessary if you have developed a higher quality mail piece or offer.

Depending on your offer and the complexity of your direct mail piece, it may take 2 weeks to 1 month to develop content, design the graphical layout, and print the direct mail piece. You will need to allocate another 2-3 weeks for mailing house services and delivery.

The above examples illustrate very rough timelines, but hopefully provide a baseline for planning typical marketing projects. While I’ve worked on and successfully delivered similar projects within shorter timeframes, it is advisable to integrate ample timelines into your project planning to avoid rush fees, team pressure, and depletion of resources which may be needed for other team projects/goals.

Erik: What are the top marketing activities that every organization should make happen?

Heather:  Development of a Marketing Strategy & Plan, and Development of Marketing Materials & Tools.

While this advice sounds almost too simplistic to relay, I cannot tell you how many companies tend to overlook or half-bake their marketing strategy or plan, yet have high expectations of marketing activities which have been based on undefined goals and limited budgets.

Strategy: Identify your target market and develop your positioning, messaging, go-to-market plan, and marketing goals as these elements will serve as a tool for making informed decisions and will be the foundation for your marketing plan and materials.  Ensure that key decision-makers from executives to sales are aligned on these areas.  For example, based on the revenue goals, how many raw leads does marketing need to produce each quarter to support sales, and conversely, does sales have enough resources to appropriately handle follow-up for this volume of leads?

Plan: Based off the marketing strategy and goals, develop the tactical plan to meet the marketing objectives. This plan should include an estimated timeline and campaign results.  Identify if the allocated budget and resources will sufficiently meet the marketing goals.  If not, additional investments in marketing may be required, or the marketing goals may need to be readjusted.

Some companies may feel overwhelmed, not know where to start, or feel that their limited marketing funds don’t justify a full-blown marketing strategy or plan; however, in start-ups, where every dollar and hour counts, planning is even more crucial as there is less margin for error or waste. Advance planning will strengthen the management of marketing by helping you stay goal-focused, adequately allocate resources, avoid spikes and dips in lead generation, and reduce gaps in your marketing materials.

Marketing Materials: This is one area that deserves more scrutiny. Organizations tend to focus more on lead generation and creating awareness, overlooking or undervaluing the necessity of creating and maintaining a proper marketing library of collateral and tools.  Frequent development and updating of marketing materials is vital to supporting the sales team and channel partners, and for propelling your prospects and customers through the sales cycle.

Almost every company has a datasheet, sales presentation, and whitepaper, but many overlook other essential marketing materials like positioning briefs for the sales and channel team, ROI calculators, customer case studies, flash demos, and frequent development of new industry whitepapers or webcasts. These tools are like the oil that keeps the sales and marketing engines running smoothly and helps transport prospects through the sales cycle.

Look for Part 2

The second part of this interview with Heather will be posted in a few days. Stay tuned…

Cheers, Erik

 


Categories
AoIS Interviews Series, Professional Development
Tags
AoIS Interviews Heather Deem, Marketing

Crypto: Kerckhoffs’ Principle

April 27, 2009

Kerckhoffs’ Principle is one of the keys to solid cryptographic security. Here is the definition I found on Wikipedia:

“A Cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”

Kerckhoffs’ Principle does not require that we publish or disclose how things work. It does require that the security of the system must not be negatively impacted by such a disclosure: everything except the key may be assumed known to the attacker, and the key alone must carry the secrecy. A sub-theme of this principle is that if the system is not negatively impacted by disclosure, it may well be enhanced by it.

In the history of cryptographic systems, peer-reviewed systems, algorithms, and techniques have outperformed closed, proprietary ones. This has its roots in basic human nature (we do not see our own blind spots) and is demonstrated every day in the basic quality controls used for software in general, such as code review and independent testing.

A coworker once pointed out, “I am very confident that I can build a system that I cannot break. I am not so confident that I can build a system that no one else can break.” Getting many “someone else” resources to look at things is the core of Kerckhoffs’ Principle in practice, even if not in its original intent. An example of applying Kerckhoffs’ Principle is the current effort by NIST to sponsor the development and adoption of the next generation of hash algorithms through their public hash competition, the SHA-3 competition (wiki, NIST), in which every candidate’s design is published for anyone to attack.

If You Need to Keep the “How” Secret…

If you need to keep the “how” secret, then odds are it isn’t a very good approach to the problem (and you may know that). I am often shocked, when probing people on password protection, at how often their unwillingness to disclose this information (because it is a “secret” itself) correlates with a very poor practice.

BTW: the most frequent bad practice that I encounter over and over again is that “Base64 Encoding” is being used to “protect” the password. Base64 is an encoding, not encryption: there is no key at all, so the moment the “how” is known, every stored password is readable by anyone with a one-line decoder. If I built a system that did that, I too would want to keep it a secret… ;-)

(In this case, I think the reluctance to disclose the information aligns more with “cover up” than “system design secret”.)

Kerckhoffs’ First Benefit: Peer Review and Collective Experience
(aka Not Being Dependent on Cleverness over Knowledge…)

It often seems odd to people that there are no secrets about how modern cryptographic algorithms are designed, operate, and are selected for broad usage.  Of course, I think many of these people don’t understand that this is no different from most security controls. Anyone can purchase a high-security lock, and then reverse engineer the lock. Take it apart, put it back together again, take it apart and examine (or replicate) each part, and so on. People’s trust in locks often greatly exceeds the actual “security” provided by the lock, but that has nothing to do with the fact that people have examined them. Most frequently it has more to do with people just purchasing cheap locks. 

Kerckhoffs’ Second Benefit: You Can Stand on The Shoulders of Giants

Back to passwords… Let’s say you are writing an application, and you need to store user account passwords. You are in luck – you can examine a broad body of work documenting the failures and redesigns of a number of password systems – and you can emulate what is working today without repeating old mistakes. The same can be said for a great number of security functions. 

It often amazes me how often people start with the blank page and reinvent the wheel. Personally, I don’t ever want to re-invent the wheel. If I do that, I will be lucky if I develop the wheel for a Roman ox cart, or bicycle. I would rather take what I can find out about the wheel and take it to the next level (maybe Formula 1 Ferrari Team Wheels…), or be done with that part of the system design quickly and focus on something more challenging. 
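To make the contrast between the Base64 “protection” above and a Kerckhoffs-compliant password store concrete, here is an added example (my own illustration, not code from the original post). It uses only the Python standard library: PBKDF2-HMAC-SHA256 with a random per-user salt, a record format that states the algorithm, salt, and iteration count in the clear, and a constant-time comparison. The iteration count, record layout, and function names are my assumptions for the example; the point is that an attacker who knows every detail of the scheme is still left with nothing better than guessing the password.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# --- The anti-pattern from the post: Base64 "protection" -------------------
# Base64 is an encoding with no key. Disclosing the method discloses the secret.

def base64_protect(password: str) -> str:
    return base64.b64encode(password.encode("utf-8")).decode("ascii")

def base64_recover(stored: str) -> str:
    # Anyone who learns the "how" recovers every password directly.
    return base64.b64decode(stored).decode("utf-8")

# --- A store that satisfies Kerckhoffs' Principle ---------------------------
# Algorithm, salt and work factor are written into the record in plain sight.
# Only the password stays secret; security rests on its entropy plus the
# per-guess cost that the iteration count imposes on an attacker.

ITERATIONS = 200_000  # assumption for this example; tune to your hardware budget

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)  # fresh salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(record: str, candidate: str) -> bool:
    """Recompute from the public parameters in the record; compare in constant time."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown scheme: " + scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, int(iterations))
    # hmac.compare_digest avoids leaking where the mismatch occurs via timing.
    return hmac.compare_digest(actual, expected)

def dictionary_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """With the scheme fully public, the attacker's only move is to guess.

    Each guess costs one full PBKDF2 evaluation, and the per-user salt means
    the work cannot be shared across accounts or precomputed.
    """
    for guess in wordlist:
        if verify_password(record, guess):
            return guess
    return None

if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    stored_badly = base64_protect("hunter2")
    print("Base64 'protected':", stored_badly, "-> recovered:", base64_recover(stored_badly))

    record = hash_password("correct horse battery staple")
    print("Published record:", record)
    print("Correct password verifies:", verify_password(record, "correct horse battery staple"))
    print("Wrong password verifies:", verify_password(record, "correct horse battery stapler"))
    print("Guess from small wordlist:", dictionary_attack(record, ["password", "123456", "letmein"]))
```

Note that the record reveals the scheme, the salt, and the iteration count; that is deliberate. A reviewer can check the design without being handed any secret, and the attacker gains nothing from it that they could not have assumed anyway. If a third-party library is available, a memory-hard function such as scrypt or Argon2 is a stronger choice than PBKDF2 for the same reason: it raises the per-guess cost further without relying on any hidden detail.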

Kerckhoffs’ Third Benefit: Standards

Any time you are developing a solution to a problem and you can leverage a standards-based approach, you gain numerous benefits. First, you are leveraging the “Standing on the Shoulders of Giants” concept by inheriting a body of work that has been tested, reviewed, and attacked in public. Second, it is easier to communicate your design to others, because the reviewer, the auditor, and the interoperating party can all read the same published specification.

In the cryptographic world, there are a number of very helpful standards bodies and published algorithm suites. These include:

  • NIST Computer Security Division 
  • NSA Suite B
  • OASIS
  • ANSI and ISO

More soon…

Cheers, Erik

Categories
Cryptography
Tags
Cryptography 101 Series, Kerckhoffs' Principle

Optimize Your RSA, Part 3 – Network, Network, Network…

April 20, 2009

Probably the single most significant advantage of attending a conference is that it pulls so many people with a common interest into one place at one time. If the interaction amongst participants weren’t important, it would be very difficult to make a compelling argument for in-person attendance.

Talk to People – Join in the Conversation

In the last year, I can think of 10 times where I was able to call (or was called by) a colleague whom I met at a past RSA. In the professional development series with Lee Kushner (link), ideas about developing, having, and being able to utilize your professional network are going to be a recurring theme. If you are attending RSA (or any large event), don’t pass on the opportunity to meet and connect with new people.

It can be Easy…

Don’t be misled into thinking you need to “work the room” to meet people at RSA. 90% of the people who will be in the Moscone Center are there because Information Security is important to them, either as a practitioner or as a provider. (The other 10% are there to make sure everything runs smoothly.)

So, you will be surrounded by people who at least share that one item in common with you. Reaching out can be very easy. The people you are in line with, or waiting for a session to start with, almost all do something connected to what you do. Just saying hello is all it takes.

Leverage Events

There are a number of events that can make networking even more effective. The conference itself has roundtable sessions that are 100% focused on establishing peer-to-peer communication on targeted topics. Any vendor-sponsored dinner or event also creates easy opportunities.

New to Networking? 

The RSA conference understands the value of the networking opportunity it is creating. As a result, there is a “Networking 101” session on Monday evening at 5:15, immediately following the First-Time Delegate Orientation. Each year the conference brings in someone who has professional training and experience in helping people network, in helping people connect. This is always a great session to attend if you have the time and are around the conference center on Monday evening.

Cheers, Erik

Categories
Analysis and Insight
Tags
Optimize Your RSA 2009, RSA 2009

AoIS Interviews Lee Kushner, Part 1

April 17, 2009

Given the current economic situation, professional development and job searching are on many people’s minds. As a result, I saw no better time to get perspective on these topics from a true industry insider.

Lee Kushner is the President of LJ Kushner and Associates, LLC, an executive search firm dedicated exclusively to the Information Security industry and its professionals.  For the past thirteen years, Lee has successfully represented Fortune 2000 companies, information security software companies, information security services organizations, and large technology firms in enabling them to locate, attract, hire, and retain top level information security talent.  Throughout his career, he has provided career management and career coaching to information security professionals at various stages of their professional development.  He is a regular speaker and industry contributor on topics that include career planning, interview preparation, and employee recruitment and retention.

Erik: With 13 years of recruiting Information Security professionals, how has your position as a recruiter changed and evolved?

Lee: When I began recruiting 13 years ago, not many people had ever heard of a recruiter who specialized in Information Security – so there was a great burden of proof on my part to demonstrate that I understood both the technology and the industry to candidates.  Information Security professionals are a skeptical bunch.  It was very important to establish credibility and earn trust, by only promising what I was able to deliver.

I believe that after 13 years, both my firm and I have established a solid reputation and credibility within the industry and among the professionals.   Most of the people that we have worked with, we have done so for quite a while, throughout their career development.    Many of those professionals have passed on their positive experiences to their peers – and our reach has expanded.

It is my hope that through the years of working in the industry we have been able to help elevate the recruitment profession and inspire a different response when people hear the terms “recruiter” or “head-hunter”.

Erik: I understand that Mike Murray and you are working on a podcasting series called “Career Incident Response”? What is that about?

Lee: Mike and I have been speaking on the topic of Career Management for quite some time at RSA Conferences, DefCon, and The Source Conference.  We came up with the idea for a “Career Incident Response” podcast series due to the fact that so many people were coming to us either because they were a victim of a layoff, felt that a layoff was imminent, or had witnessed bad things happening to their industry peers.

The Career Incident Response podcast series will be outlined like a training course.  It will provide a guideline to what people can expect – from items that include evaluating your work situation,  the personal and emotional impact of job loss, how to effectively search for a position,  how to prepare your resume, and some basic ways to address difficult interview questions.

Note: The Podcast Series is scheduled for release on or about May 15th, 2009 on  www.infosecleaders.com.  Art of Information Security will post an announcement when the release happens.

Erik: If someone is working with a recruiter, what should they be doing to get the most value out of that relationship?

Lee: I believe that the most important item is honesty, which is driven by trust.  People generally like to keep things close to the vest when they are engaged in a job search and become cryptic about things such as timetable, other opportunities, their current work situation, and compensation.  The more accurate information that a recruiter has, the better that they can help assist you.

The other thing is that people should work with recruiters that understand their profession and can provide them with something more than a job description.  It should be imperative that the recruiter has industry experience, no matter which industry you are in.

For example,  if I was a real estate attorney, I would want to work with recruiters that either placed attorneys, or ones that worked with real estate clients.

Erik: What are some signs that people are working with the wrong recruiter for them?

Lee: The biggest sign is when they do not add any value to your search process that goes beyond the current opportunity that they are working on.  Many recruiters comb job boards and social networking sites, looking for key words, without understanding how they fit in.

Information Security is not a “key word” business.  There are many different segments of our industry and it is comprised of many different skill sets.   If a recruiter cannot differentiate between these skills and how you fit, then you are probably working with the wrong one.

Erik: If you could communicate one thing to someone who is trying to manage their career, what would that be?

Lee: The one thing that I would stress would be to strive to differentiate from your peers. The industry is going to become more and more competitive, and competition for the best positions is going to increase; being able to tell that story is going to be critical to achieving your long term career goals.

Erik: In your practice, what are some of the key differentiators that you are encouraging people to pursue?

Lee: I hate to be vague, but the best thing that I can tell anyone is to make consistent investments in their career and career development.  This can include certifications, training, personal development, career coaching, etc – but investing in yourself and your career is going to be critical to differentiating from your peers and competition.

I have three rules when addressing self investment:  

  1. Any investment in your career is a good one
  2. You get what you pay for
  3. If you do not invest in yourself, do not expect anyone else to

Erik: You in fact have been working on a Career Investment and Differentiation presentation. What are some of the key points you are trying to communicate?

Lee: The key point of this concept is that it is up to you – the individual – to manage your career.  You are the one that has to seek out guidance, and plan for your future.   Do not expect your company to do it for you – you will reap the ultimate reward – so you should plan on making consistent sacrifices to attain these goals.

Erik: So, how much overlap should someone expect between their employer-driven professional development and their personal professional development?

Lee: Whatever you can gain from your employer’s personal development plan – by all means get.  However, you should understand why the employer is providing you with that stipend – it is so that it benefits them – not you.   If there is overlap – consider yourself fortunate.

Do not be tied to your employer’s career development plans – because you most likely have different plans for your career than your employer. Develop your own career plan – and understand your skill deficiencies and try to find ways to eliminate them.

Erik: So, you are really proposing that people treat their career as an asset that requires ongoing maintenance, just like their 401 (k) or home?

Lee: I believe that it is not only important to work “in” your career, but to work “on” your career.

Investing in your career and your personal development is the most important investment that you can make – because it is the one that you have the most control over.  In addition, once you learn something and develop a skill, it cannot be taken away from you (unless you decide to neglect it).

You can make very effective arguments that career acceleration produces the most effective long term financial rewards and improves the quality of your life.

Stay Tuned for Part 2 (link)

In the second part of our interview with Lee, he will discuss his recent presentation entitled “The 7 Habits of Highly Effective Career Managers”.

Cheers, Erik

Categories
AoIS Interviews Series, Professional Development
Tags
AoIS Interviews Lee Kushner

Optimize Your RSA, Part 2 – Session Tips…

April 16, 2009

There is a TON of stuff to do at RSA if you are going, and managing all of that can be quite difficult. One of the things that I find difficult to do every year is select the sessions that I am going to. There are a few tools that the conference provides to make this easier.

Let’s take a look at the Session Catalog.

See Who’s Speaking

I have my own personal list of folks who always have great presentations and really pack a lot of punch for me. But the attendance at the conference is so diverse that my list would certainly not work for everyone. The conference itself measures speaker performance. You know those forms they hand you as you walk into the session? Turns out they use that data, and they even share it with you. When using the Session Catalog and the printed materials, you may notice a star next to some of the names. These are the folks who have had the strongest feedback during past conferences.

If this is your first RSA, it may be worth your while to ask folks who have attended in the past, and who have similar interests, which speakers stood out to them. If you are a member of the RSA Conference group on LinkedIn (link), you could even post a question about “Best Session for X”. (Which I have done…)

Preview The Slides

RSA has always made the slides available in advance. Usually this was on media (CD/USB) handed out at the conference. (So, “in advance” was day-before…) But now they are available for most sessions right in the Session Catalog. (Note, you need to be logged in to the site before you visit the page to see these.)

Post Session…

There is a lot of time and energy that goes into being a speaker. Please, help your speaker and the conference, and complete the evaluation forms. And, if a session clicks for you – don’t be shy – meet the speaker. Most of the speakers are presenting because they are committed to the mission and the profession. Participation and feedback are the biggest rewards any speaker can ask for from the audience – don’t hold back.

Hope this is helpful – see you in SFO.

Cheers, Erik

Categories
Analysis and Insight
Tags
Optimize Your RSA 2009, RSA 2009
