Shameless Coronavirus Special Promotion – Risk Edition!

iu-18Many, many moons ago, my good friend and learned colleague Javvad Malik and I came up with a way to explain how a risk model works by using an analogy to a pub fight. I have used it in a presentation that has been given several times, and the analogy has really helped people understand risk, and especially risk appetite more clearly (or so they tell me). I wrote a brief overview of the presentation and the included risk model in this blog some years back.

And now the Coronavirus has hit humanity AND the information security industry. Everyone is losing their minds deciding if they should self isolate, quarantine or even just generally ignore advice from the World Health Organisation (like some governments have shown a propensity to do) and carry on as usual and listen to the Twitter experts. During a conversation of this nature, Javvad and I realised that the Langford/Malik model could be re-purposed to not only help those who struggle with risk generally (most humans) but those who really struggle to know what to do about it from our own industry (most humans, again).

Disclaimer: we adopted the ISO 27005:2018 approach to measuring risk as it is comprehensive enough to cover most scenarios, yet simple enough that even the most stubborn of Board members could understand it. If you happen to have a copy you can find it in section E.2.2, page 48, Table E.1.

Click the image to view in more detail and download.

The approach is that an arbitrary, yet predefined (and globally understood) value is given to the Likelihood of Occurrence – Threat, the Ease of Exploitation, and the Asset Value of the thing being “risk measured”. This generates a number from 0-8 going from little risk to high risk. The scores can then be banded together to define if they are High, Medium or low, and can be treated in accordance with your organisation’s risk appetite and risk assessment procedures.

In our model, all one would have to do is define the importance of their role from “Advocate” (low) to “Sysadmin” (high), personality type (how outgoing you are) and the Level of human Interaction your role is defined as requiring. Once ascertained, you can read off your score and see where you sit in the risk model.

In order to make things easier for you, dear reader, we then created predefined actions in the key below the model based upon that derived risk score, so you know exactly what to do. In these troubled times, you can now rest easy in the knowledge that not only do you understand risk more but also what to do in a pandemic more.

You’re welcome.

Note: Not actual medical advice. Do I really need to state this?


The Lost CISO who?

And why am I being spammed with Twitter and LinkedIn about him all the time at the moment?

I came up with the concept of The Lost CISO when I was working late in the office one night. I decided to start writing and doing something about it straight away, and even created the banner and took my own picture for it sat at my desk. I also pulled the graphics together there and then, not in Photoshop, but Apple Pages (I was an executive at the time and to my shame do not know how to use PhotoShop. It still came out alright I think, though.

youtube-banner-png.png

The idea was to create short informational videos, 2-3 minutes long, almost like a high energy presentation, in front of a green screen that I could then superimpose relevant imagery etc. It was a good concept, I thought, and within my technical skills with a camera and Final Cut Pro X. Or so I thought. I could also put all of my other InfoSec videos under the same brand, tying it up into a neat piece of branding. The films would be aimed at people simply are keen to learn, and no more. Not all of it will be groundbreaking stuff, but it will be researched, experienced or just advice that flies in the face of common knowledge. The basics, Plus, I suppose.

I created a test and shared it with some friend who gave me some honest feedback on quality, imagery etc.. I then did a first episode (bearing in mind each one took me about 7 days of intermittent working to edit), shared it again, and excitedly held my breath.

“Do not release this… it will do your personal brand more damage than good…”

Ouch.

Back to the drawing board; except I didn’t, life and work got in the way. Until twelve months went by, and I decided to just get this done properly once and for all. So I invested in some quality lighting, foley and a decent green screen, and even hired someone to do the filming and editing for me, and got to work. Of course, now I run my own business, I wasn’t able to prepare the topics as well as I wanted. To be honest, I pretty much flew through the filming so I could get onto the next job in my increasingly long To-Do list, but the quality, and to be honest, the creative talent I hired shines through far more than before.

As always, my success (such as it is) is tied to the talent of others. A lesson for everyone there, I think…

What’s the infosec lesson here? None really, although perhaps at a stretch I could say that just because my original idea failed didn’t mean it was a bad one, and I just needed the right resources. I don’t know, parallels to infosec education and awareness training maybe.

I hope you enjoy the series, and please do comment on them, let me know what you think and also if you would like a particular topic covered.

 

 

 

 


Keeping It Supremely Simple, the NASA way

Any regular reader (hello to both of you) will know that I also follow an ex NASA engineer/manager by the name of Wayne Hale. Having been in NASA for much of his adult life and being involved across the board he brings a fascinating view of the complexities of space travel, and just as interestingly, to risk.

His recent post is about damage to the Space Shuttle’s foam insulation on the external fuel tank (the big orange thing),and the steps NASA went through to return the shuttle to active service after it was found that loose foam was what had damaged the heat shield of Columbia resulting in its destruction. His insight into the machinations of NASA, the undue influence of Politics as well as politics, and that ultimately everything comes down to a risk based approach make his writing compelling and above all educational. This is writ large in the hugely complex world fo space travel, something I would hazard a guess virtually all of us are not involved in!

It was when I read the following paragraph that my jaw dropped a little as I realised  that even in NASA many decisions are based on a very simple presentation of risk, something I am a vehement supporter of:

NASA uses a matrix to plot the risks involved in any activity.  Five squares by five squares; rating risk probability from low to high and consequence from negligible to catastrophic.  The risk of foam coming off part of the External Tank and causing another catastrophe was in the top right-hand box:  5×5:  Probable and Catastrophic.  That square is colored red for a reason.

What? The hugely complex world of NASA is governed by a five by five matrix like this?

Isn’t this a hugely simplistic approach that just sweeps over the complexities and nuances of an immensely complex environment where lives are at stake and careers and reputations constantly on the line? Then the following sentence made absolute sense, and underscored the reason why risk is so often poorly understood and managed:

But the analysts did more than just present the results; they discussed the methodology used in the analysis.

It seems simple and obvious, but the infused industry very regularly talks about how simple models like a traffic light approach to risk just don’t reflect the environment we operate in, and we have to look at things in a far more complex way to ensure the nuance and complexity of our world is better understood. “Look at the actuarial sciences” they will say. I can say now i don’t subscribe to this.

The key difference with NASA though is that the decision makers understand how the scores are derived, and then discuss that methodology, then the interpretation of that traffic light colour is more greatly understood. In his blog Wayne talks of how the risk was actually talked down based upon the shared knowledge of the room and a careful consideration of the environment the risks were presented. In fact the risk as it was initially presented was actually de-escalated and a decision to go ahead was made.

Imagine if that process hadn’t happened; decisions may have been made based on poor assumptions and poor understanding of the facts, the outcome of which had the potential to be catastrophic.

The key point I am making is that a simple approach to complex problems can be taken, and that ironically it can be harder to make it happen. Everyone around the table will need to understand how the measures are derived, educated on the implications, and in a position to discuss the results in a collaborative way. Presenting an over complex, hard to read but “accurate” picture of risks will waste everyone’s time.

And if they don’t have time now, how will they be able to read Wayne’s blog?

 

 


Price versus Value; Why it is Important in Information Security

Running my own business now means I have to work out how much I am going to charge for my services, and if the market (or client) is going to be willing to pay me that price. It makes for an interesting internal dialogue, especially as I have always been told to not sell myself short or underestimate the skills I have and the value they bring to a client.

I recently lost out on some work because the client decided to go with somebody established rather than a new company like me. To be fair to them they had paid me well for five days consultancy to help them work out what they wanted, and they were very pleased with what was delivered so I honestly thought they would choose me. Hubris at its best I suppose.

I suspect that by going with a larger, established company they may well be paying less than I quoted for (it was assistance with ISO27001 certification by the way). The established company would have a larger range of resources, some certainly more junior than me and the people I was going to subcontract with, a tried and tested approach they have used hundreds of times before, and larger resources to back them up throughout the process. The client will certainly become compliant and obtain the certification.

Now, I am not going to denigrate the work this competition do, but I imagine they would be very task oriented, focussed on getting the certification for their client, and ensuring they come back year after year for more support. Then they will be onto the next job and doing the same thing again in short order. I have been a part of this process myself in my old consulting days.

So what value would someone like me bring then, especially if the end goal is the same, i.e. certification? Put simply, I strongly believe in the differing cultures of one company to the next, and the fact that what is left at the end of the certification needs to be reflective of that culture and able to be adopted for the long term. That means policies, procedures, communications and the overarching ethos of the programme must be in harmony with the clients vision and goals. That is very hard to do with a boilerplate approach. I guess it comes down to “the personal touch” as well as a somewhat selfless approach in ensuring the client is educated in the process enough along the way that they could actually go through the process again with significantly less of your support.

Is it the most immediately profitable approach? Of course not, but it is how you build “sticky” relationships with potential clients by ensuring they see you are there for their benefit and not yours. With a bit of luck this will mean more opportunities with them in the future or recommendations to other potential clients.

There are certainly no hard feelings between me and the client I mentioned at the beginning, they are lovely, honest and transparent people who I enjoyed working with and who paid me a fair price for my time in the analysis phase, and I really do wish them the best of luck in their certification with their new vendor.

I just hope they call me when they realise what they could have had. <Disengage hubris mode>


Waving, Not Drowning

I have just stepped off the stage at the Pulse Conferences CISO 360 Congress in Rome having presented on “The True Cost of Security, A Personal Story”, recounting my experience of poor mental health. I published my life threatening experiences in my Blog, Drowning not Waving, published a few months ago, and those of you with good memories will recall those events also took place in Rome in September 2017.

I haven’t been back to Rome since then until now to do this talk, and so I am doing so with significant apprehension and unease. It’s an odd feeling, and one I haven’t experienced since my breakdown, but it is one that I will work through and will ultimately do me good. I also have to thank the incorrigible Clive Room of Pulse Conferences for giving me the opportunity to do this talk to a significant audience, and in Rome also. Personal stories are always so much more powerful, and if people in the audience either get the help they need, recognise others in their lives who need the help they need or even just understand that it is a perfectly normal thing to go through, then it will be worth it.

It is also the last time I will be publicly talking about this topic.

I have been approached many times since my original post by people thanking me, empathising with me or generally being extremely supportive as my post had a personal impact on them in some way. In short, the response has astounded me. However, I don’t want to be known as “the mental health guy”; the point of my story is that I recovered, got better, moved on and actually came out a better person. The point of my story was that it was a transitory period of my life and not one (for me) that I have to keep going back to in order to maintain my recovery. The point of my story was to let others know that they are not alone.

Does this mean that I don’t care about this topic any more? Obviously not, and I will always be happy to engage with people about it, help and support them if needed. I am always going to “available” if that is the word, to anyone that feels I may be able to help them.

It does mean that this will be the last time I blog about it, present or appear on a panel on the subject or make any kind of public appearances or endorsements on the topic. Some of you may think this is a bit odd, or maybe even callous and cold, and I understand that. However, this is what is the right thing to do for me in my pursuit of happiness, continued engagement with the InfoSec community and growth of my own business.

To be absolutely clear though, if you want to talk/DM/email with me about this topic then please do. If you feel the need to talk about your own struggles, or think I can help, then reach out, and I will make myself available to you as best I can. Depression and alcohol dependence is a an empty and lonely place to be, and if a kind word and a smile from me will help you then then don’t hesitate. You should also speak to a mental health professional as well of course, as you would have to be very unwell to think I am your best route to happiness!

Thank you to everyone who has shown support, love, compassion, empathy and friendship since reading my story, you know who you are, and I send it all back times three thousand