Archive | October 2014

An open letter to Apple – a change of heart

overcome-regretDear Apple,

I wrote to you back in 2012, deriding your decision to remove the lock lead security hole on your laptops. I may even have been a little rude.

An epiphany of sorts has happened to me at some point over the last few years though, and I think it stemmed from your decision to remove the security hole. Back then, I argued that physical loss of an asset was still bad, even with encryption enabled, because of downtime, replacement costs etc.. It also, I argued, helped to instill a culture of security in people as the physical act of locking their laptop would also remind them of their other security obligations, a constant reminder pif you will.

I was wrong.

The lock lead has been seen as barrier to productivity as our workplaces have changed and our people have become more mobile. People have avoided using them, or evened cursed them because their offices didn’t take the relevant logical step of ensuring there were adequate anchor points to be used. People were moving from one room to another on a regular basis for their meetings, and locking and unlocking their laptop reminded them of how out of touch security was with the realities of daily life.

I even did a back of a napkin calculation; a company with 10,000 laptops would spend (roughly) about $500k USD every three years on lock leads. That same company may experience thefts that could have been prevented by a lock lead that would total less that $10k a year. Financially this no longer makes sense. My inner chimp was scared that laptops would simply be stolen regularly from our offices and if I didn’t do anything about it I would get fired. In fact, decisions like this are costing our companies hundreds of thousands of dollars off the bottom line. So much being a “business enabler”.

So I take it back, all of it, and I want to thank you for setting me on the right path (and saving us all lots of money).

Your sincerely,

Thom “with regret” Langford

Attitude, Knowledge, Opinion and Expertise; an information security career map?

opinionI was talking to one of my colleagues a few days ago who joined our team a little under a year ago. Althea (I promised her a name check here) actually joined the security team from the small group of personal assistants in the company. While this is perhaps not the most obvious place to recruit into a technically savvy environment from, Althea has very quickly become an excellent member of the team.

I often hear in conferences and panels about the security skills shortage we are currently suffering, and I regularly quote the story of Althea joining us as an example of how we are very often simply looking in the wrong places and should be looking to promote from within more. Althea has been with the company for six years (a long time these days) and was working for and supporting some of the most senior people in our company. She had to be organised, forthright, able to communicate succinctly and above all remain calm under pressure (you know how senior executives can be sometimes).

For me, her attitude is far more important than her technical ability. Technology and hard skills are things that can be taught in relatively short periods of time; attitude is something that takes a lot longer to learn, decades even. Althea is already well on her way to getting the requisite technical skills required of her role, but her organisational skills, contacts within the organisation, and ability to communicate to people throughout the organisation whatever their seniority is second to none.

I was talking to her about this and related the competence framework I use to try and understand both mine and others maturity in their role. When first moving into a new role you move through each of one of these phases of competence:

  • Unconsciously Incompetent
  • Consciously Incompetent
  • Consciously competent
  • Unconsciously competent

(you might want to reread those a few times, I know I did when I first came across them)

So, if you start with the right attitude, you are going to minimise the amount of time you spend being unconsciously incompetent, as the next logical step is to acquire knowledge. This allows your to bring the right skills to bear onto your role, and bring you quickly into being consciously incompetent and possibly beyond. Minimising the time you spend in the first two phases is of course very important to your career.

But knowledge really isn’t everything. Those with just the knowledge can’t see beyond their day to day tasks and roles; they are unable to see the “big picture” as everything is focussed around technical solutions and black and white answers to business problems. (Just listen to some of the “questions” asked at every security conference you go to; they are not really questions but affirmation that their knowledge is greater than the speaker. They wholly miss the point that knowledge is actually all they have.) I would suggest that forming your own opinions on subjects is a logical and vital step in anyone’s career path. Business problems are not black and white, there are a variety of approaches, solutions, outcomes and inputs that those with a purely knowledge/technical viewpoint simply won’t appreciate. Forming and gathering these opinions takes place through reading, observing, listening, writing and finally testing your opinions in the community. These experiences are not just the gathering of specific knowledge, but the nuances of what can be right in one circumstance, wrong in another and even every possibility in between.

For instance, shipping a single, failed drive that was part of a RAID 5 cluster back to the manufacturer may be the right thing to do for some organizations. From a security knowledge perspective this is anathema unless the drive has been degaussed or even fully destroyed; it completely depends on the business, circumstance and many other factors. Encrypting backup tapes? Obviously this should be done, except of course when it shouldn’t, for the same reasons as before. Security is only one opinion in a sea of opinions that matter.

Having opinions in this industry is vital to stimulate conversation and evolve our understanding and viewpoints in our own workplaces. Once this opinion is applied in a considered and effective manner, only then could one possibly consider themselves having “expertise”, and I wouldn’t label yourself that before someone else does first.

In order to allow your team to grow in this manner it is vital to encourage them to engage with both the internal company community as well as information security community as a whole. Encourage them to take part in any related event, internal and external, or even organise one. What about volunteering to help at a conference, or ultimately even apply to speak? By giving your team members the opportunity to research, write, precis, deliver, defend and receive feedback on a topic of their choice they have the best opportunity to take their knowledge beyond the day to day and into the more opinion based level of the strategic, and become better decision makers in the process.

Risk, Rubble and Investment

rubbleOriginally written and posted October 13th 2014 on the InfoSecurity 2014 Blog (and reiterating a pet core message of mine  again!).

Risk is a bad thing. Therefore risk needs to be reduced to rubble, or even better to dust and then swept away under the carpet never to be seen again.

This is the attitude that many of us have, and then pass onto our senior leadership when it comes to information security programs. “Invest £10 million and we will buy technology that will make us safe” we have often said in the past. “My blinky boxes will soon find your risks and reduce them to nothing!”. It should be no surprise for so many of our industry therefore that CISO stands for “Career Is So Over”.

What we often fail to appreciate is that the senior leadership and boards of virtually all organizations understand risk far better than us. They deal with financial, legal, HR and international risk on a regular basis, and know how to take advantage of it to their benefit. Their advisors in the various fields know how to communicate their unit risks in a way that makes sense to business, be it financial, reputational or whatever else makes sense in their industry. The leadership do not require specialist knowledge of these areas because the risk is being translated into terms they understand.

The information security industry however still often talks in terms of “APT’s”, “DLP”, “TLS” and other obscure TLA’s* while trying to explain why more money is needed to “secure all the things”. What is the benefit to the business? What is the real risk in terms everyone can understand? Translating these technical issues and risks into business risks has always been a challenge and has often resulted in information security being perceived as the “expensive part of IT” asking for more money with little positive influence to the business.

If you work in a brewery, the ultimate goal of everyone who works there should be to sell more beer. If you work for Oxfam, the ultimate goal is to get aid to those that need it as quickly, effectively and efficiently as possible. If you work in a publicly listed company, the ultimate goal is to make more money for the shareholders. The role of information security within any organization is not exempt from this; security doesn’t get a special pass because it is, well, security. The role of the information security function is to support the ultimate goal of the organization it operates in.

Understand what your ultimate goal is. Focus your strategy on ensuring you are helping meet that goal. Be willing to compromise in certain areas of security if it helps meet that goal. Ensure you senior leadership understand the risks (in their language, not yours) involved in those compromises. if you don’t get what you want then move onto the next piece of work that supports your ultimate goals (or be prepared to fight harder and more lucidly for your original cause).

If it was that easy you wouldn’t be reading this, but surely it is easier than the ongoing battle for investment that we ultimately never win anyway?

*Three Letter Acronyms (surely you know that?)


Computing SecurityNote: Many of you know I was up for the “Personal Contribution to IT Security” Award at the recent Computing Security Awards. I was (un)fortunately Runner Up in this category, but thank you again to all of you who not only may have voted for me but also nominated me in the first place. It was a wonderful evening with good friends from my work and InfoSec life, and a good excuse to dress up in my best party frock. Here’s to next year!

IMG_4119

%d bloggers like this: