I recently spent the day in Thorpe Park (a bit like a down market DisneyLand for anyone not from the UK), and we were all looking forward to a day of roller coasters, silly ride photographs, bad overpriced food and generally some good fun. We had never been before, and my kids are now old enough to be able to go on almost all of the rides now. Much excitement was expected.
Yes, we had a good day overall, but not as good as it should have been. The first two rides we tried to get on as soon as the gates swung open were closed because of technical faults; both these rides were at opposite corners of the park, so after 30 minutes not only had we not even had one ride, we hadn’t even got in the queue for one. This somewhat set the tone for the day. At the fourth closed ride my wife gave some unfortunate teenaged park assistant an earful (he was rescued by a senior colleague). At the fifth we could only laugh and accept our fate. And so it went on; the photo booth to collect photos from one ride was closed after we had staged the perfect family shot on the ride, the hand dryers in the toilets all blew cold, cold air on a cold day, vending machines were out of order, and so on. The more we looked the more we found fault.
We still had a good day, but we won’t be going back any time soon, and conceded that in the theme park area at least, the Americans have by far the best theme parks compared to Britain.
The whole experience reminded me of some security groups I have experienced. We very often promise a world of smiling, excited faces, a world made better by our presence and an experience that will surpass your expectations. The reality is often a little more drab than that.
We often see security functions that allegedly “enable your teams to work more effectively”, or “allow you to leverage your creativity while we drive your competitiveness” and so forth. In our drive to be seen to be a benefit to the business (good), we often set ourselves up for failure as we establish these grandiose statements (bad). “Leveraging security to be a differentiator in the marketplace” is great, but only if you can deliver on it. An ISO27001 certification may help your business get more work initially, but if the basic principles of good security practice in your delivery teams is not there, that work will soon be lost. Your company workforce working securely and in harmony is the best way of supporting your business, not having a “security strategy that differentiates us to our clients”.
Let’s focus on getting the rides running properly in your security programme before marketing ourselves in a way that ultimately shows even our hand dryers don’t work.
I have never liked the analogy;
Why do we put brakes on cars? So we can go faster. Therefore we put security controls in place so we can do riskier things.
I mean, I get it, the analogy makes sense, but like many analogies, if we are not careful they are likely to become a little too one dimensional. We also have brakes on cars to slow down for traffic lights, to ensure we don’t go too fast and run into the back of the car in front, and also to stop the car quickly to avoid someone crashing into us. I am sure with a squeeze and a shove we could fit these analogies into an infosec analogy, but why bother?
I was reminded of this particular analogy and why I don’t like it this morning as I read my paper. The headline really resonated with me;
‘Living rooms’ on wheels put drivers at risk
The article discusses how the increase in technology in cars has actually led to an increase accidents in recent years. The anti-lock brakes, stability control etc. is creating complacency amongst users, and putting them and others at risk.
If we are not careful we are shifting towards this in our industry. It is of course a good thing to focus on secure coding practises, OWASP, secure by design etc., because that is as important as a seat belt and an air bag in a car (oops, see how easy it is?!), but if we try and put everything into those particular controls, we are abdicating responsibility away from the user more and more. By creating an insulated and isolated environment in which they operate there is no positive/negative feedback loop, no opportunity to learn from mistakes, near misses or even dumb good luck. They quite literally are on their own being guided only by what their immediate vicinity is reporting to them. Another quote;
They are as uninvolved in the process as they can possibly be
This could be describing our users and clients who we are removing more and more responsibility from when it comes to making sensible, thought out decisions about basic security. We are removing their perceived responsibilities as they say to themselves “if the system is letting me do this, it must be alright” as they download malware specifically designed to undermine so called built in security. (Actually the quote is from Peter Rodger, chief examiner for the institute of Advanced Motorists commenting on cars being turned into living rooms.)
Let us continue to understand how mature our security development framework is, let’s observe the OWASP top ten, but let’s also continue to establish clear guidelines, education and expectations of our people at the same time. If we don’t, we may be congratulating ourselves little too early for running a good security programme.
If we do that, we risk going back over a century in time, and putting the cart before the horse, let alone putting better brakes on the car.
(If you want good analogies however, that can help your people truly understand the information security environment they are operating in, head over to the The Analogies Project.)
I will be spending the end of week with the Abertay University Ethical Hackers at their Annual Securi-Tay conference in Dundee. It’s a great conference so if you are at a loose end for Friday and in the area make sure you rock up and say hello to the lovely folks up there!
It was ten to six in the morning, and I was on the station platform waiting for my train to arrive to take me to London. As I walked past two people who were talking, one of them was earnestly telling the other about problems in his office that were caused by “them”:
they’ve changed the heating in the office to make it more consistent apparently but what they don’t realise is that it is sending us all to sleep. They just don’t get it, they’re idiots, and it’s a waste of money
It seems the faceless bureaucrats and management just don’t get it at this gentleman’s place of work and are doing everything they can to hinder the company’s ability to work effectively! But scratch a bit deeper and you may see a slightly different story of trying to deal with complaints from parts of the building that are too cold, using antiquated heating systems that don’t balance heat well the further from the heat source they are, or even just trying to make everyone feel more comfortable in the cold winter months.
The unfortunate impact of their actions though is that productivity has dropped in some areas, and the impression of the team and people behind it has dramatically reduced.
I have regularly stressed the importance of information security ultimately contributing to the success of the business, allowing it to sell more beer if you will, but that is only possible if you understand the business, collaborate with the people on the ground, and align your efforts to their goals. By treating risks in isolated parts of the business without looking at the wider impacts you run the risk of overheating other parts of the business. What initial makes sense in one place does not make sense in another, and the quick win you thought you had really turns out to require a far more nuanced approach.
If what you are doing is simply unavoidable and impacts to the other parts of the business will be felt, then collaboration and communication is vital. Explaining the complaints, challenges, risks etc. and allowing them to voice their feedback is important to ensure people remain bought into your plans. Who knows, you may actually get some better ideas from them that you hadn’t even considered. This approach requires nerves of steel and the skin of a rhino though, as many will see the opportunity to take a swipe at you, but seeing the process through is far more effective in the long term.
Asking for feedback afterwards, chatting to individuals and leadership about what they think about what you have done, and putting that feedback to work to improve your next iteration of the programme all help bring people on side and improve the effectiveness of your information security stance.
Once you are seen to be working in the long term interests of the company and the people who work there, decisions you take and implement will be seen in that wider context, and not just as the actions of someone just “doing their job” and being one of… them.
I think humour should almost always be employed when trying to put across information security awareness to people, especially as half the time they don’t even want to be there anyway.
I did a webinar with my colleagues of Host Unknown last week, hosted by Dan Raywood of IT Security Guru on just this subject. Take a look at it below (login required I am afraid):
Humour is a cross cultural phenomenon and not as exclusive as many people think. Use it to good effect to get your message across, and use the tips that we give, especially at the end of the webinar.
Embrace your inner stand up comedian!