The latest in Dark Rhino Security news

What Is The Difference Between A Blue Ocean And A Red Ocean Company?

When it comes to competition, not every company has the same amount. Some companies compete in what are called red ocean spaces — so called because the oceans are red with blood. Competitors attack each other in order to feed on a limited number of customers.

On the other hand, there are companies who compete in blue ocean spaces. A company that operates in a blue ocean space is a company that has plenty of customers to sell to and little competition which they must beat to do so.

Obviously, everyone wants to compete in a blue ocean space. The reason most companies don’t do so, however, is that moving to a blue ocean requires a whole new way of thinking about your business. Most businesses think in terms of incremental value addition — shaving a few bucks off the price here, adding a feature there, redesigning their product every few years. This kind of thinking keeps businesses in red oceans. Blue oceans require a whole new way of thinking about your product; they require a business to think outside the box, creating products to fill needs customers are not even aware they have.

“Value innovation is the cornerstone of blue ocean strategy. We call it value innovation because instead of focusing on beating the competition, you focus on making the competition irrelevant by creating a leap in value for buyers and your company, thereby opening up new and uncontested market space.”
―W. Chan Kim, Blue Ocean Strategy, Expanded Edition: How to Create Uncontested Market Space and Make the Competition Irrelevant

When talking about blue ocean strategy, it’s best not to think in terms of companies, but in terms of products. And the best example of a blue ocean product is Apple’s iPhone.

At the time, most of Apple’s products were red ocean products. They sold desktops, laptops and computer accessories that competed with major companies like HP, Dell, and Lenovo. While they were doing well in these markets, they were fighting viciously for each percentage point of dominance in the market.

The iPhone, however, was blue ocean. When the iPhone was released, it had no competitors. Anyone who wanted one of the new “smartphones” had to buy an iPhone. The newly created “smartphone” market exploded to a billion-dollar-plus market within just a few years, with the iPhone capturing the lion’s share of it.

Another great example of a blue ocean product is the Cirque du Soleil, highlighted in the book Blue Ocean Strategy.

Cirque du Soleil took the world by storm. It created a blue ocean of new market space. Its blue ocean strategic move challenged the conventions of the circus industry. Cirque’s productions have been seen by more than 150 million spectators in more than 300 cities around the world. In less than twenty years since its creation, Cirque du Soleil achieved a level of revenues that took Ringling Bros. and Barnum & Bailey — the once global champion of the circus industry — more than one hundred years to attain.

What makes this rapid growth all the more remarkable is that it was not achieved in a declining industry in which traditional strategic analysis pointed to limited potential for growth. Supplier power on the part of star performers was strong. So was buyer power. Alternative forms of entertainment — ranging from various kinds of urban live entertainment to sporting events to home entertainment — cast an increasingly long shadow. Children cried out for video games rather than a visit to the travelling circus. Partially as a result, the industry was suffering from steadily decreasing audiences and, in turn, declining revenue and profits. There was also increasing sentiment against the use of animals in circuses by animal rights groups. Ringling Bros. and Barnum & Bailey set the standard, and competing smaller circuses essentially followed with scaled-down versions. From the perspective of competition-based strategy, the circus industry appeared unattractive.

Another compelling aspect of Cirque du Soleil’s success is that it did not win by taking customers from the already shrinking circus industry, which historically catered to children. Instead it created uncontested market space that made the competition irrelevant. It appealed to a whole new group of customers: adults and corporate clients prepared to pay a price several times as great as traditional circuses for an unprecedented entertainment experience. Significantly, one of the first Cirque productions was titled “We Reinvent the Circus.”

Cirque du Soleil succeeded because it realized that to win in the future, companies must stop competing in red oceans. Instead they should create blue oceans of uncontested market space and make the competition irrelevant.

— Blue Ocean Strategy Cirque du Soleil Case Study

If you run a company that is struggling and want to leap forward in your performance, research what it would take to pivot your products to a blue ocean strategy.

From the book Blue Ocean Strategy by W. Chan Kim and Renée Mauborgne

3 Ways To Keep Your Data Secure

Avoid using social media messaging services

When you’re using a messaging service provided by a social media company, there is no such thing as privacy. That social media company can see everything you message. So, if you’re using Facebook Messenger, or WhatsApp, or Instagram, Facebook can see everything you message. If you’re using DMs on Twitter, Twitter can see everything you say.

Emails and regular texts, on the other hand, are protected by privacy laws, meaning that a private company can’t root around them at will. If you’ve got something to say to someone, you’re better off emailing or texting.

Generate & store your passwords securely

Good password security has two components:

  1. Generating unique passwords for every login you have
  2. Storing those passwords somewhere they won’t get stolen

The first part, generating unique passwords for every login, is critical. The websites you log in to sometimes get hacked, and those stolen passwords are sold on the black market and used to break into your other accounts. If you have the same password for every internet account, you are just one hack away from being completely vulnerable.

Want to know if your passwords have already been hacked? Check for free on

The second part, storing those passwords, is equally important. It doesn’t matter how unique and secure your passwords are if your list of passwords can be easily stolen. And unfortunately the ways most people store their passwords, such as making a list in their notes app or writing them down in a notebook, are notoriously insecure.

In order to store your passwords properly, you want to use a password vault. Most major browsers come with their own password vault, but we recommend LastPass or 1Password.

Store your data on the cloud

Data loss doesn’t just come from hackers; data loss can come from natural disasters. If your data is stored locally on your laptop or on an external drive, flooding or a fire can wipe out your personal data just as quickly as a hacker can. Data that’s stored on the cloud, on the other hand, is impervious to these natural disasters.

Most major hardware providers have their own cloud storage solution. Google offers Google Drive, Apple offers iCloud Drive, and Microsoft offers OneDrive. There are also third-party solutions available, such as Dropbox or the encrypted alternative The best part is that most of these solutions are free — meaning there’s no excuse for you not to use them.

4 Common Misconceptions About CCPA Compliance

Correcting these misconceptions could save you thousands in fees

1. “We will be compliant once we update our privacy policies.”

A published privacy policy is great marketing for a company. It communicates to customers that you care about their privacy and security.

That being said, merely having a privacy policy is not enough. For a privacy policy to matter, you need to ensure that…

  1. The company privacy policy is up to date with what leadership wants. Many companies take a “set it and forget it” approach to their privacy policy. Having an out-of-date privacy policy published means customers are being scared away by privacy policies that do not take the current security climate into account. Having an out-of-date privacy policy published also means employees are not clear on the privacy target at which they should be aiming.
  2. The company privacy policy is actually being followed. In many companies, privacy policies are often ignored in favor of convenient employee workarounds (e.g. carrying flash drives of customer information around the office). These workarounds may be convenient for employees, but they expose customer information to a lot of abuse, and the CCPA was written with this in mind.

2. “CCPA is IT’s problem.”

While technology is vital to CCPA compliance, it is not the only component of CCPA compliance. As mentioned above, many employees create workarounds for their personal workflows that compromise customer information. These workflows are not an IT problem; they are an Operations problem, and so plugging these holes requires participation from Operations. Many customers also contact companies through their helpdesk and social media and provide personal information through these channels; CCPA requires that companies have the processes in place to delete these sources of customer information as well. All of the holes in your company must be plugged in order to be CCPA compliant.

3. “We are already adding an Opt Out button on our privacy page.”

There are two misconceptions at play here. The first is that an opt-out button on the privacy page is adequate. It is not. The opt-out button must be on the home page for CCPA compliance. The second is the efficacy of the opt-out button:

  • Does the act of “opting out” trigger information removal from multiple systems?
  • Does it communicate this request to 3rd party affiliates?
  • Does this produce a report about what steps were taken to remove the information & send it back to the requesting party?

To be compliant with CCPA, the opt-out button on your home page must do all these things.

4. “We did this all for GDPR two years ago, so we are good!”

While GDPR and CCPA were both passed for similar political reasons and have many similar requirements, they are not the same. Relying on your GDPR compliance for your CCPA compliance will most likely result in your company not being CCPA compliant at all.

DLA Piper deep dives into the differences:

In some respects, however, the CCPA does not go as far as GDPR. Most crucially, the CCPA does not require businesses to have a “legal basis” (a justification set forth in GDPR) for collection and use of personal information. The CCPA also does not restrict the transfer of personal information outside the US, or require that businesses appoint a data protection officer and conduct impact assessments. In addition, California residents’ right to access personal information is limited to data collected in the past 12 months. CCPA also places fewer obligations on service providers.

In other respects, the CCPA differs or goes beyond the scope of GDPR:

  • The CCPA’s definition of personal information specifically includes household information.
  • While both the CCPA and GDPR require detailed privacy notices, the required content of those notices differs. A privacy policy that meets the requirements of the GDPR will likely not satisfy the CCPA’s requirements.
  • Under GDPR, a business does not necessarily need the individual’s consent to collect and use data, in which case the individual does not have a general opt-out right. But CCPA grants individuals an absolute right to opt out of the sale of their personal information and obligates businesses to add a “Do Not Sell My Personal Information” link on websites and mobile apps.
  • Although both the CCPA and GDPR prescribe provisions that must be included in contracts with service providers, the requirements differ, and GDPR data processing agreements will likely not meet CCPA requirements.
  • Finally, the GDPR and CCPA take different approaches to children’s privacy rights. GDPR requires that parents provide consent for the processing of their children’s personal information in an online environment — but only where the legal basis for processing is consent. Children are defined as under 16, although member states can lower the age to 13. The CCPA, in contrast, addresses the sale of children’s information — not all processing — and requires that businesses first obtain opt-in consent. Parents must provide consent for kids under 13; teens 13–15 can provide their own consent.

How To Configure Okta’s Flexible Security Policies For Your Environment

One of the nice things about working with Okta’s SSO platform is that even though they aren’t a tried and true security company, they have built a lot of security tools into their product. When leveraged correctly, these tools really help lock down employee access to enterprise applications and give the security folks at your company helpful insight into how employees access governed cloud services.

No matter how powerful the software, though, if it is configured incorrectly, it poses a security risk. The most secure system is one implemented by a competent system administrator.

This guide will explain the different security policies in Okta — and, hopefully, help you become competent with Okta yourself.

Sign On Policies

Okta allows admins to configure sign-on policies at two different points during the user experience. The first is initial sign-on to Okta, when a user tries to log in to Okta directly from the Okta URL, and the second is when they try to access an SSO application from their Okta end-user dashboard.

This means you have two places you could configure your MFA policies: at the front door, or prior to accessing specific applications. (I don’t recommend configuring your policies in both places, or doubling up, because there is nothing end users hate more.)

Let’s look at two scenarios and investigate how these different approaches might fit into your environment.

Scenario 1:

Company A

  • 500 Users
  • 2 Office locations with 200 employees apiece
  • 100 remote users (contractors & sales)
  • 5 mission critical applications in Okta, nothing else.

Company A has been configured by admins to only allow SSO into 5 big-ticket applications: O365, Salesforce, Box, Tableau & AWS. All of these applications contain very sensitive information pertinent to the day-to-day operations of Company A, as well as a lot of valuable IP.

How would you configure security policies for Company A?
There are a few ways you could approach this, but I’ll explain the approach that is the simplest while still being secure.

First, I would whitelist the external IPs that users inside Company A’s offices use to reach Okta. This lets sign-ins from those IPs skip the Okta challenge when users are operating from inside the office. Some people would contest that this is not secure, but unless the company has compliance requirements it needs to meet (like MFA for all content-sharing apps), I generally try to leave the Okta user experience as simple and straightforward as possible.

This is especially helpful when introducing Okta to users for the first time. If users see Okta as a convenience rather than a hindrance, Okta projects run much more smoothly.

The only other policy you would need to configure is the front-door policy for remote users. You can configure this under the “Security” > “Authentication” tab, and then under the “Sign-on” sub-tab. A front-door policy is the best policy here because configuring 5 separate policies for each app creates unnecessary overhead on the part of the user.

Lastly, I would configure a session timeout. This means that if someone’s laptop were to get stolen, company information would still be secure.
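To make the three steps above checkable, here is an added example of my own (not Okta tooling and not code from the original post) that audits sign-on policy rules against them. It assumes the rule objects are shaped like the Okta API’s sign-on policy rule JSON; the zone id and the sample rules are constructed.

```python
import copy

# Assumption (not from the page): rule objects follow the shape of the Okta
# API's sign-on policy rules (GET /api/v1/policies/{policyId}/rules):
# conditions.network.connection is "ZONE" or "ANYWHERE", conditions.network
# .include lists network-zone ids, and actions.signon carries requireFactor
# plus session.maxSessionIdleMinutes / session.usePersistentCookie.

OFFICE_ZONE_ID = "nzo_office_constructed"  # constructed placeholder zone id

SAMPLE_RULES = [  # constructed sample policy, not a real tenant
    {   # office users: whitelisted network zone, no factor challenge
        "name": "Office networks", "status": "ACTIVE", "priority": 1,
        "conditions": {"network": {"connection": "ZONE",
                                   "include": [OFFICE_ZONE_ID]}},
        "actions": {"signon": {"access": "ALLOW", "requireFactor": False,
                               "session": {"maxSessionIdleMinutes": 120,
                                           "usePersistentCookie": False}}}},
    {   # everyone else: weak - no MFA, no idle timeout, persistent cookie
        "name": "Default Rule", "status": "ACTIVE", "priority": 2,
        "conditions": {"network": {"connection": "ANYWHERE"}},
        "actions": {"signon": {"access": "ALLOW", "requireFactor": False,
                               "session": {"maxSessionIdleMinutes": 0,
                                           "usePersistentCookie": True}}}},
]


def _is_office_only(network, office_zones):
    """True when the rule matches only traffic from the whitelisted office zones."""
    include = network.get("include", [])
    return (network.get("connection") == "ZONE"
            and bool(include)
            and set(include) <= set(office_zones))


def audit_rule(rule, office_zones, max_idle=120):
    """Return the guide's findings for one ALLOW rule (empty list means it passes)."""
    findings = []
    signon = rule.get("actions", {}).get("signon", {})
    if rule.get("status") != "ACTIVE" or signon.get("access") != "ALLOW":
        return findings  # inactive or DENY rules grant nothing worth checking
    network = rule.get("conditions", {}).get("network", {})
    session = signon.get("session", {})
    # Steps 1-2: office IPs may skip the challenge; everyone else gets front-door MFA
    if not _is_office_only(network, office_zones) and not signon.get("requireFactor", False):
        findings.append("MFA not required for sign-ins from outside the office zones")
    # Step 3: a session timeout limits what a stolen, still-logged-in laptop can reach
    idle = session.get("maxSessionIdleMinutes", 0)
    if idle <= 0 or idle > max_idle:
        findings.append(f"session idle timeout missing or longer than {max_idle} minutes")
    if session.get("usePersistentCookie", False):
        findings.append("persistent session cookie survives a browser restart")
    return findings


def audit_policy(rules, office_zones, max_idle=120):
    """Map each rule name to its findings, in the priority order Okta evaluates them."""
    ordered = sorted(rules, key=lambda r: r.get("priority", 0))
    return {r["name"]: audit_rule(r, office_zones, max_idle) for r in ordered}


def harden_remote_rule(rule, max_idle=120):
    """Return a copy of a catch-all rule with the guide's front-door settings applied."""
    fixed = copy.deepcopy(rule)
    signon = fixed.setdefault("actions", {}).setdefault("signon", {})
    signon["requireFactor"] = True
    session = signon.setdefault("session", {})
    session["maxSessionIdleMinutes"] = max_idle
    session["usePersistentCookie"] = False
    return fixed


if __name__ == "__main__":
    for name, findings in audit_policy(SAMPLE_RULES, [OFFICE_ZONE_ID]).items():
        print(name, "->", findings or "OK")
    print("hardened default rule ->",
          audit_rule(harden_remote_rule(SAMPLE_RULES[1]), [OFFICE_ZONE_ID]) or "OK")
```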

Scenario 2:

Company B

  • 50 Users, 1 office
  • Startup company with a highly mobile workforce. Over half of the employees are remote
  • 2 Apps, Github & Dropbox
  • User self-service is active

Company B has been using Okta since its inception. Its employees use Okta to access Company B’s Github and Dropbox environments via SAML, but they also use Okta as a store for whichever apps they see fit thanks to user self-service. In addition to Github and Dropbox, they have added personal accounts on various websites and disparate email services to their end-user dashboards as well.

How would you configure security policies for Company B?
Since Company B is a startup and has yet to lock down which applications its employees use for official business purposes (outside of Github and Dropbox), I would recommend configuring MFA only for Dropbox and Github. These are the only applications that need to be secured from a company perspective, so it is more convenient to leave the sign-in to Okta free from MFA.

The central issue in this scenario is not really Okta security policies, but company policies themselves. Startups often use many different applications, most of which do not support sophisticated integration with Okta. Until Company B decides which services to officially support, they should just focus on putting MFA on their business critical applications and leave the rest untouched.

If you as an admin are concerned about whether users are adding MFA to their personal accounts, a better way of enforcing it is setting it up app-side. Applications like Twitter and Facebook have their own MFA. If you know your users heavily use the self-service features of Okta, a company-wide email about setting up MFA individually in these applications is a smarter move, because I know from experience that if you don’t have these applications configured with SAML and you put an MFA policy on them, end users will just navigate to the site’s regular login in order to bypass MFA.

In Conclusion

That’s it for now; configuring security policies in Okta can only hold my attention for so long, and I’m sure any readers feel similarly. Thanks and stay tuned for more.

What You Need To Know About CCPA Compliance

In June 2018, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law as a means to protect the data rights of California residents. While this act is monumental, most individuals are still unaware of the law and the impact it carries across the globe.

With the law going into effect on January 1st, 2020, businesses need to immediately understand the broad scope of the CCPA compliance umbrella, the risk of not being CCPA compliant, and the long-term effects of this law.

CCPA Compliance Qualifications:

You must be CCPA compliant if your business conducts operations involving the collection of data of California residents and meets one of the following criteria:

  • The company in question handles the data of a minimum of 50,000 clients
  • The company possesses an Annual Gross Revenue of more than $25 million
  • At least half of the company’s revenue is derived from the selling of personal information

Under these circumstances, CCPA applies not only to companies domestic to the US, but also to all other companies around the world that have operations involving California residents. It is similar to the European Union’s GDPR guidelines in this respect; neither discriminates based on a company’s physical location.

What’s the risk to my business if I’m not CCPA compliant?

CCPA penalties and fines only apply to companies if a data breach has occurred after January 1st, 2020. Non-compliant companies aren’t punished until there is a breach incident (as opposed to GDPR, under which the EU can fine a business simply for being noncompliant).

Once a breach occurs, the CCPA fines are assigned to non-compliant companies on a per violation basis. The maximum fine a business can face is $7,500.00 for a single violation. However, the State of California can fine a company for an unlimited amount of violations.

Another important aspect of the CCPA is the ability for consumers to take legal action against a non-compliant business. A California resident is lawfully allowed to collect anywhere from $100.00 to $750.00 without needing to prove he or she was directly affected by the data breach. Given the size of California’s population, a company could face shelling out an immense sum of money if it is not in CCPA compliance.

What are the long-term effects of CCPA? How will CCPA affect me in the future?

If a company is hacked and is not CCPA compliant, it could owe the state and its residents an exceedingly large amount of money. Therefore, for financial reasons, it’s important for business leadership to take the protection of data seriously.

Because of the vast sums of money which may potentially be involved, the state of California could profit greatly from the CCPA. After other states see how California is profiting, they may begin to adopt similar privacy laws. While the motivation of these laws should be privacy protection, the real motivator for many states will likely be the potential profit from violations.

Since other states are likely to adopt similar legislation, it’s important that businesses become compliant now, before they face staggering fees from a data breach.

In Conclusion

Although CCPA might not directly affect you at the moment, data privacy laws will affect the majority of companies in the future. Everyone should prepare for CCPA and any other future legislation by implementing personal data security mechanisms as soon as possible.

If you need any assistance in choosing, implementing, or managing data security solutions (or a CCPA compliance audit, for that matter) please reach out to the Dark Rhino Security team.

How Can Organizations Attract and Retain Qualified Professionals?

It is a seller’s market right now when it comes to IT employment, especially in the security and risk field. Consider this: information security has had 0% unemployment for the last three years running, and ISACA projects a shortage of 2 million security practitioners next year. Cybersecurity Ventures believes that number will reach 3.5 million by 2021. That’s a lot of unfilled jobs! Not to mention, burnout for security professionals working in an enterprise environment is common, to say the least. So, how can organizations attract and retain qualified professionals?

Having spent the last 6 years of my career in IT recruiting, I’ve seen my fair share of approaches:

  • Ping pong tables, video games, and kegs on premises for a fun and casual work environment.
  • Flexible schedules, discretionary paid time off, and remote work capabilities to help strike a strong work-life balance.
  • Clear growth paths and consistent advancement with continuing education, and so on.

These are all well and good, but in my experience, the companies that offer high salaries and stable employment win out more often than not. Another route many companies take is to train less experienced IT employees into the security field, but this too comes with its own unique set of obstacles…

First, you need to already have at least some security and risk expertise within your organization, as well as the time and the resources available for them to train someone. This is a tall order in an industry that has 1 job vacancy for every 2 employees.

Second, this doesn’t directly address the challenge of balancing employee salaries and company budgets. Sure, you could pay a lower starting salary as one develops his or her skills, but what is to stop them from leaving for greener pastures once they are up to speed?

Unfortunately for employers, this means that the cost of full-time employment is steadily rising, as is the prevalence of contracted and project-based hiring. Because of this, balancing the salaries potential employees want against the company’s budget is becoming more and more difficult.

Enter Dark Rhino Security. As a managed provider, we are separate from your organization, its people, and its politics. We leverage the best industry standards and practices to objectively assess, investigate, and manage your information’s security and risk. With a managed provider, you no longer have to concern yourself with where to find the right people or how to keep them in your organization. We have an expert team of highly dedicated security specialists, supported by strategic and emerging technology partners, who are laser focused on information security for our customers. Combine that with our focus on culture and personal growth, and you’ve found yourself a stable, go-to partner for risk and security.
