Informational Blog

Capital One Data Breach…Who’s protecting your wallet?

As I was reading my Wall Street Journal online this evening, I could see that data breach concerns are becoming louder this year than at any time in the past. In an article, “Capital One Cyber Staff Raised Concerns Before Hack” (1), the authors shared indications that before the Capital One data breach, a number of concerns had been voiced by staff and others: issues such as high staff turnover, even at the top levels of the organization, and improper or possibly negligent configurations of security-related software that were slow to be implemented. Capital One’s slogan is “What’s in your wallet?” It’s catchy! However, I think we all wish that the data in our wallets would stay in our wallets!

At Ascension, we find new clients sharing similar issues or concerns. CyberSecurity is neither easy nor sexy. However, in today’s world, CyberSecurity and Privacy are a cost of doing business for almost any endeavor. Leadership and technical staff alike need to focus reasonable and consistent energy on CyberSecurity for the security of their respective customers. Security Assessments are essential to understanding the problem.

Assessment is the first step in understanding how your company fares with regard to CyberSecurity and Privacy. Feel free to comment on whether you believe assessments are helpful.

Good Day, Paul

Citations:

(1) Andriotis, AnnaMaria, and Rachel Louise Ensign. “Capital One Cyber Staff Raised Concerns Before Hack.” Wall Street Journal, Aug. 2019, https://www.wsj.com/articles/capital-one-cyber-staff-raised-concerns-before-hack-11565906781?mod=djemalertNEWS

The plot thickens — Not just Capital One Breached, possibly 30 more companies breached.

It appears that prosecutors have stated that the data held by the Seattle employee arrested for the Capital One breach of 106 million users “include(s) not only data stolen from Capital One, but also multiple terabytes of data stolen by Thompson from more than 30 other companies, educational institutions, and other entities.”

GeekWire, which has done a stellar job of coverage, uploaded a copy of the UNITED STATES’ MEMORANDUM IN SUPPORT OF MOTION FOR DETENTION filed on the 13th of this month. See https://www.scribd.com/document/421871863/Aug-13-memorandum-for-Paige-Thompson-case

As I stated last week, “Estimating the cost to the company at, typically, at least $100 to $150 per user, it would be easy to estimate that the initial cost to Capital One will be well over $100M, and most likely upward of $200M, when you factor in all the internal remediations and legal costs that are never recovered by any company.” Now, with 30 other companies possibly breached, the businesses may be forced to pay $500 million or more.

Seattle employee at the center of major Data Breach

Copy of Complaint header filed July 27, 2019

This morning over a cup of coffee, I was gazing at the front page of my Wall Street Journal, casually scanning the stories, when something caught my eye: the Wall Street Journal stated that a Seattleite is at the center of a major data breach. Here in Seattle, a former Amazon employee has been arrested in connection with the Capital One breach affecting 106 million card applicants. Wow.

Estimating the cost to the company at, typically, at least $100 to $150 per user, it would be easy to estimate that the initial cost to Capital One will be well over $100M, and most likely upward of $200M, when you factor in all the internal remediations and legal costs that are never recovered by any company.

CyberSecurity seems like an impossible task. I will grant you that it is not an easy task; but I will say that focus and diligence are our best tactics so far. We cannot hide our faces in the sand anymore. We must confront these issues and do our best to protect both our companies’ information and our customers’ data. I believe we should all ponder how to become more secure and act accordingly in an expeditious fashion. This wordgram may help you ponder and reflect on this issue.

At Ascension, we are working to ensure that we and our clients are protecting both corporate and individual data. Again, I think we need to ask ourselves, are we doing enough to protect customer and/or business information? Ponder this question and feel free to comment. Thank you

Are you responsible…

Are we really protecting our company’s and customer data?

A movie was just released on Netflix, called “The Great Hack”, which was directed by Noujaim & Amer. This movie describes how Cambridge Analytica was able to change the outcomes of elections here and abroad. As I watched the movie, I was first taken by the right vs. left political commentary, finding myself riled up, like most of us concerned with the divisive nature of politics in America today.

However, as I listened to the journalist from the UK publication The Guardian, I began to recognize the deeper and far more insidious consequence. The real issue is protecting personal data from nefarious uses against the person themselves. What companies like Cambridge Analytica did and do is exploit users’ data against those very people. Brittany Kaiser of Cambridge Analytica spoke plainly, stating that firms like hers used people’s personal data, targeted against that person, to change their personal views without their knowledge, understanding or consent. She called it “Weapons Grade Communications.” Wow!

This movie, coupled with the recent $5 billion fine levied against Facebook, has many of us asking the important question: Am I really protecting my company’s customers’ data appropriately?

At Ascension, we are working daily to make sure that we and our clients are protecting both corporate and individual data in an appropriate manner. Lately, many of our new clients are asking themselves, “Are we really protecting our company’s and customers’ data?”

I would ask you: “Are you responsible… and if so, what are you going to do about it?”

Thank you for listening to my opinions. Paul Scott

CyberSecurity – The next 9/11?

We see many new clients that have to deal with cybersecurity breaches and/or issues of non-compliance with security standards. Today, I was reading about CEOs’ concerns that cybersecurity may be the “biggest threat to the world’s economy.” I believe they are correct. CNBC article: Cybersecurity is the biggest threat to the world economy over the next decade, CEOs say

Unfortunately, many firms still have not realized the benefits of CyberSecurity Standards. These standards are not a foolproof remedy for breaches; however, they are the best defense companies have to protect themselves. To summarize, companies need to consider standards and procedures for:

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
  • Supply Chain Risk Management
  • Identity Management, Authentication and Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology
  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes
  • Response & Analysis
  • Mitigation
  • Improvements
  • Recovery Planning
  • Improvements
  • Communications

Paul Scott, CEO Ascension

Infrastructure

Now that the 2018 elections are over (well, except Florida), leaders in both political parties are looking for legislation they can pass to show their constituents positive accomplishments.  Setting aside the rancor between Democrats and Republicans, the two topics where both sides agree something can and must be done are infrastructure and the opioid crisis.  Improving our nation’s infrastructure is sorely needed.  The American Society of Civil Engineers (ASCE) 2017 Report Card gives the United States an overall grade of D+.  Repairing transportation, water systems, and schools should be at the top of the list, but upgrading our infrastructure is also an investment in the future.  The Dwight D. Eisenhower National System of Interstate and Defense Highways (AKA the Interstate Highway System) is the most famous example of this type of infrastructure investment project.

What type of project can we invest our infrastructure dollars to improve connectivity in the United States, like the Interstate Highway System?

The program that immediately comes to mind is Connected Cities (AKA Smart Cities).  The parallels between the Interstate Highway System and Connected Cities are obvious, which makes this an ideal infrastructure project.  The Interstate Highway System brought together a disparate and inefficient road system and built an interconnected network.  This is exactly the same goal as Connected Cities, bringing together disparate and inefficient networks to function together.  The highway system also brought people together by facilitating travel across the country, which is the purpose of Connected Cities, to connect people.

How can Connected Cities infrastructure projects improve safety, commerce, and quality of life?

Another parallel between the two projects is public safety and security.  The Interstate Highway System was also designed as a Strategic Highway Network to facilitate troop mobility to air and sea ports.  Connected Cities contribute to public safety and security by providing early warning for disasters.  The California Department of Forestry and Fire Protection determined that at least 17 of the 21 recent major fires in Northern California were caused by power lines, poles and other equipment.  (CAL FIRE)  One of the features of Connected Cities is placing sensors on light fixtures to detect fires and seismic activity, which would immediately alert firefighters and enable them to suppress forest fires much more quickly and easily.

Connected Cities can also make everyday life easier by tying networks together.  Before the Interstate Highway System, navigating roads in the United States was difficult; every state had a different numbering system.  Today, navigating through the various municipal and state government networks is very difficult.  You must have different accounts and logins for the DMV, voter registration, taxes, etc.  The concept of Information City, which is part of Connected Cities, will develop technology and communications to bring together social, economic, and government networks.

We are at a precipice for emerging transportation technology, which means municipalities will soon have to develop revolutionary solutions to control traffic.  Autonomous automobiles are on the horizon and the proliferation of drones makes this a three-dimensional problem.  Connected Cities will have a great advantage by integrating sensors to control traffic and communicate with autonomous vehicles.

The United States will have to address our infrastructure challenges.  This is a great opportunity to not only repair our roads and bridges, but also make fundamental improvements on public safety, commerce, and quality of life for the future.  Ascension Technology Group is a leader in technology solutions for municipalities to help their citizens navigate through a complex network of services.  The fundamental concept of Connected Cities is knowledge-based urban development.  Now is the time to integrate infrastructure investments with the development of Smart Cities.


California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) was passed on June 28, 2018.  The CCPA grants consumers the right to request that businesses disclose the personal information they collect about consumers, the sources of that information, and the purposes for which it is collected.  It also enables consumers to learn what information is shared with and sold to third parties.  The California legislature passed the bill in a relatively short period of time, largely because of an impending resolution that would have placed the issue on the ballot in the upcoming election on November 6, 2018.  The CCPA is often compared to the European Union’s General Data Protection Regulation (GDPR), which took effect earlier this year.  One major difference between the two laws is that the GDPR has an opt-in clause, while the CCPA has an opt-out clause, which means companies doing business in the EU must give citizens the option of allowing personal information to be collected, whereas citizens in California must request that businesses delete personal information.  Regardless of the differences, these privacy laws are going to profoundly impact the way businesses handle information about consumers.

The clock is now ticking for the CCPA, as the law takes effect on January 1, 2020.  One of the lessons learned from the GDPR is that once the ball drops on New Year’s Eve 2020, there will be advocates waiting to pounce on businesses that do not comply with the CCPA.  The European Center For Digital Rights filed lawsuits against Google and Facebook (as well as Facebook subsidiaries WhatsApp & Instagram) on the first day the GDPR became law.  The potential fines could total €7 billion.  (NOYB)  Although the California law does not place a fine on businesses based on a percentage of total annual global revenue (like the GDPR), it can fine a company up to $750 per incident, so a company with millions of customers could potentially face fines in the hundreds of millions of dollars.

The CCPA requires businesses to establish at least two communication methods (most likely website and telephone) for consumers to contact the company to request what personal information the company has about them and how to opt out.  Interestingly, the law does not require a consumer to establish an account with the company before opting out.  Therefore, even if a business does not have an account with a consumer, it is still responsible for protecting the privacy of citizens who are not customers.  So, if a customer signs onto a company website to shop but never buys anything, and the company collects personal information, the company must comply with the CCPA.

The CCPA does give businesses some leeway in collecting personal information.  After all, companies must collect personal information to conduct business transactions and maintain security.  Businesses still have a need to collect consumer information for marketing and research.  The CCPA allows businesses to collect and retain consumer data by pseudonymizing or de-identifying personal information.  In other words, privacy is maintained because the consumers’ data is not identifiable to a specific person.  However, pseudonymization and de-identification must be a one-way process.  This is a very important point: companies cannot have the ability to collect information, put it into an anonymizing database, and then be able to reconstruct the personal information.
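To make the one-way requirement concrete, here is an added example (it is not code from this blog or from Ascension, and it is not legal advice on what the CCPA accepts) that contrasts the two designs the paragraph describes.  `ReversibleTokenStore` is the anti-pattern: the tokens look opaque, but the store keeps the token-to-email map, so the personal information can be reconstructed.  `OneWayPseudonymizer` replaces the identifier with an HMAC-SHA256 pseudonym under a secret key: the same e-mail address always yields the same pseudonym, so analytics can still join records, but nothing retained in the analytics rows lets the address be computed back from the pseudonym.  The record set, the key, and the helper names are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample of raw consumer records; these are not real people.
RAW_RECORDS = [
    {"email": "alice@example.com", "zip": "94103", "purchases": 3},
    {"email": "bob@example.com", "zip": "90012", "purchases": 1},
    {"email": "Alice@Example.com ", "zip": "94103", "purchases": 2},
]


class ReversibleTokenStore:
    """Anti-pattern: random tokens, but the token->email map is retained,
    so anyone holding this store can reconstruct the personal information.
    That is exactly the capability the CCPA discussion says must not exist."""

    def __init__(self):
        self.token_to_email = {}
        self.email_to_token = {}

    def tokenize(self, email):
        token = self.email_to_token.get(email)
        if token is None:
            token = secrets.token_hex(16)
            self.email_to_token[email] = token
            self.token_to_email[token] = email
        return token

    def reidentify(self, token):
        # One dictionary lookup undoes the "anonymization".
        return self.token_to_email[token]


class OneWayPseudonymizer:
    """Keyed one-way pseudonym: HMAC-SHA256 over the normalized identifier.
    The key must live outside the analytics environment; an unkeyed hash of
    a guessable identifier (e-mail, phone number) is not de-identification,
    because the small space of plausible inputs can simply be re-hashed."""

    def __init__(self, key: bytes):
        self._key = key

    def pseudonym(self, email: str) -> str:
        normalized = email.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()


def deidentify(records, pseudonymizer):
    """Return analytics rows with the direct identifier replaced by a
    pseudonym and the quasi-identifier (full ZIP) coarsened to three
    digits, so rows cannot single out a person by combination of fields."""
    rows = []
    for r in records:
        rows.append({
            "pid": pseudonymizer.pseudonym(r["email"]),
            "zip3": r["zip"][:3],
            "purchases": r["purchases"],
        })
    return rows


def purchases_per_consumer(rows):
    """The kind of marketing/research aggregate the CCPA still permits:
    it joins on the pseudonym without ever needing the e-mail address."""
    totals = {}
    for row in rows:
        totals[row["pid"]] = totals.get(row["pid"], 0) + row["purchases"]
    return totals


if __name__ == "__main__":
    bad = ReversibleTokenStore()
    token = bad.tokenize("alice@example.com")
    print("reversible store reconstructs:", bad.reidentify(token))

    good = OneWayPseudonymizer(secrets.token_bytes(32))  # constructed key
    rows = deidentify(RAW_RECORDS, good)
    print("one-way rows:", rows)
    print("totals per pseudonym:", purchases_per_consumer(rows))
```

The check to apply to a real system is the one `ReversibleTokenStore.reidentify` fails: if any component the business controls can turn a stored pseudonym back into the original record, the process is not one-way, no matter how random the tokens look.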

The CCPA presents new challenges for businesses to protect personal information.  This law of course does not stop at the California border; it impacts commerce across the United States.  Ascension Technical Group has experience in maintaining privacy and security for businesses and consumers and we would like to help your company prepare for the new privacy law standards that are long overdue.



Apple CEO declares “Our own information…is being weaponized against us with military efficiency!”

The Wall Street Journal is reporting that Apple CEO Tim Cook stated, “Our own information—from the everyday to the deeply personal—is being weaponized against us with military efficiency,” Mr. Cook said. “Today, that trade has exploded into a data-industrial complex.”*

Washington’s small to mid-size businesses are not the “data-industrial complex.”  However, we can expect strong reactions from state and federal legislators demanding that businesses, small to large, implement much stronger defenses to protect personal data.  Also, we shall see tighter prohibitions regarding the collection of personal data. I understand and agree to some extent!

More and more, we are finding leaders beginning to improve security and privacy as a matter of business cost control, not as a means of compliance.   It is better to make effective, measured improvements over time than to be forced by legislation to make significant changes driven by an arbitrary compliance date.

I was personally involved with knee-jerk legislation when the Sarbanes-Oxley Act was enacted into law.  Many of us, attorneys, auditors and business colleagues, were all looking at each other, trying desperately to interpret the law.  We were also realizing the powerful consequences if we did not meet the regulatory requirements on time.  Tough times. The company I was working with at the time spent millions over that year, just to produce a report with two signatures.  Huh!

Please feel free to comment or call me.

Paul Scott

(425) 750-0760



* https://www.wsj.com/articles/apple-ceo-tim-cook-calls-for-comprehensive-u-s-privacy-law-1540375675


"The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement."

Change Management in Rapidly Changing Business Cycles

One of the toughest jobs I had in the military was Chief of Current Intelligence Operations at U.S. Central Command (CENTCOM).  I was responsible for managing all intelligence forces in the CENTCOM area of responsibility (AOR), but specifically I orchestrated deployments of tens of thousands of intelligence personnel to Afghanistan, Iraq, and the Horn of Africa between 2006 and 2010.  This was a period of heavy insurgency and piracy activity in the AOR.  President Bush and Congress authorized surge operations in the region to defeat the Taliban, al Qaeda, and Somali pirate threats, which meant a rapid increase in requirements for intelligence forces throughout the region.  I distinctly remember the initial reaction from leaders on the ground: “give us more troops.”  However, they did not define the capabilities they needed.  There are of course a finite number of intelligence airmen, marines, sailors, and soldiers in the military, and CENTCOM already had the bulk of intelligence resources since 9/11.  Moreover, counterinsurgency operations were fluctuating in Iraq and Afghanistan, which meant commanders on the ground in Operations Iraqi Freedom (Iraq) and Enduring Freedom (Afghanistan), as well as Navy commanders in Operation Ocean Shield (Somalia), were arguing for the same resources.  The challenge was to find practical means to source requirements during a period of immense and rapid expansion, with competing internal requirements.

Perhaps the most practical solution we devised was to use unit sourcing to fill requirements.  Instead of trying to provide scores of individual teams, we could provide a battalion- or brigade-size unit to satisfy the commanders’ needs.  Even though an intelligence battalion is much larger, it was a win-win-win solution because ground commanders had a unit they could command and control, the battalion/brigade commanders could much more easily prepare their units for deployment, and the force providers could write orders for whole units instead of trying to fill hundreds of four- or five-soldier teams.

In times of rapid expansion, business leaders are faced with similar dilemmas.  They face tough decisions about where to expand their business operations while trying to balance internal competing opportunities.  One solution may be to outsource a requirement to another company that already has the full capability to get the job done. This is very similar to our methodology at CENTCOM of trying to find a unit sourcing solution.  There are several advantages to this approach, such as rapidly standing up a new capability, reducing the internal disruption, and having the ability to set limits on the time commitment to a new project.  However, the cost may of course be higher.

Another big dilemma in change management during rapidly changing business cycles is balancing competing requirements.  We all want to hire strong leaders who have a desire to succeed.  When business owners have competing, passionate leaders, each of whom believes their own project is the key to success for the company, it is very difficult to choose one course of action over another, especially when emotions run high, which invariably they will.  This may seem counterintuitive, but while we were trying to satisfy competing requirements at CENTCOM, we resisted the strong push to set priorities between the competing commands in Iraq and Afghanistan.  We did not do this for two reasons.  First, we knew that if we set priorities, the force providers would not source all our requirements and might only provide troops for 70-80% of our needs.  Second and more importantly, if we set priorities for one command over another, we would lose the neutral decision-making authority to evaluate requirements.  Leadership in business is usually all about setting priorities, but sometimes you must let the competing parties fight it out and let the team that makes the best argument win the case.  In these situations, the role of business leaders must be to ensure a level playing field.

At Ascension, we can be your trusted, independent advisors to help you make tough change management decisions.  We can help set up the ground rules to have a fair and impartial decision-making process.