Shameless Coronavirus Special Promotion – Risk Edition!

iu-18Many, many moons ago, my good friend and learned colleague Javvad Malik and I came up with a way to explain how a risk model works by using an analogy to a pub fight. I have used it in a presentation that has been given several times, and the analogy has really helped people understand risk, and especially risk appetite more clearly (or so they tell me). I wrote a brief overview of the presentation and the included risk model in this blog some years back.

And now the Coronavirus has hit humanity AND the information security industry. Everyone is losing their minds deciding if they should self isolate, quarantine or even just generally ignore advice from the World Health Organisation (like some governments have shown a propensity to do) and carry on as usual and listen to the Twitter experts. During a conversation of this nature, Javvad and I realised that the Langford/Malik model could be re-purposed to not only help those who struggle with risk generally (most humans) but those who really struggle to know what to do about it from our own industry (most humans, again).

Disclaimer: we adopted the ISO 27005:2018 approach to measuring risk as it is comprehensive enough to cover most scenarios, yet simple enough that even the most stubborn of Board members could understand it. If you happen to have a copy you can find it in section E.2.2, page 48, Table E.1.

Click the image to view in more detail and download.

The approach is that an arbitrary, yet predefined (and globally understood) value is given to the Likelihood of Occurrence – Threat, the Ease of Exploitation, and the Asset Value of the thing being “risk measured”. This generates a number from 0-8 going from little risk to high risk. The scores can then be banded together to define if they are High, Medium or low, and can be treated in accordance with your organisation’s risk appetite and risk assessment procedures.

In our model, all one would have to do is define the importance of their role from “Advocate” (low) to “Sysadmin” (high), personality type (how outgoing you are) and the Level of human Interaction your role is defined as requiring. Once ascertained, you can read off your score and see where you sit in the risk model.

In order to make things easier for you, dear reader, we then created predefined actions in the key below the model based upon that derived risk score, so you know exactly what to do. In these troubled times, you can now rest easy in the knowledge that not only do you understand risk more but also what to do in a pandemic more.

You’re welcome.

Note: Not actual medical advice. Do I really need to state this?


Drowning, Not Waving…

Last week I attended The European Information Security Summit 2019 and spoke on the closing keynote panel at the end of the second day. The topic was “Unacceptable personal pressure: How senior Cyber Security Executives safeguard their own mental health, and those of their teams”, and as a panel we were surprisingly open about our experiences. Afterwards a number of people spoke to us about how pleased they were that we had been open and honest about a subject that is so often swept under the carpet as too difficult to deal with or just plain embarrassing. I have also seen the LinkedIn articles written since get a huge amount of traction with every comment a positive and supportive one.

I briefly told my story last week, and so have decided to elaborate a little more to a larger audience here. This is not meant to be virtue signalling, or jumping on the bandwagon, but rather a message to everyone out there who has suffered in silence and felt they were the only one with these feelings. These are the “highlights”, and some parts of the story are just between me and, well me, but I am sure this will paint the correct picture.

My last role was challenging to say the least; as a  newly minted CISO I was tasked with building a security team from the ground up (again) in a large global organisation that was as politically charged as it was not interested in security. We did well, growing to over 60 people at last count before I left, and were considered a high performing team who collaborated and never said no. People enjoyed working with us and we took on more and more work and constantly delivered.

The cost though was an intense environment where my main role was PowerPoint and politics, and constant air support for the team. Combine a tough travel schedule and the global, always on element, I never truly switched off. That said, one of my mottos was “Work Hard, Play Hard” so evenings with teams, internal clients and their customers in different countries were long, hilarious and helped us bond even closer to perform even better. Frankly it was exhausting and my sleep suffered.

So I did what every self respecting professional does, and started to self medicate with alcohol. It was, for the most part free from British Airways and Hilton, or on expenses (see above). It wasn’t a problem as I had a good tolerance, was a happy (maybe even hilarious) drunk, and while stupid things were done, it only bought us closer and more effective as a team.

And it wasn’t a problem for a number of years… until it suddenly was.

2017 was a very difficult year for me. In that year I drank almost every single day to excess as a result. I would get up in the morning and carry on working until the end of the day and I would start again. I wasn’t an alcoholic as I didn’t need to drink 24 x 7, so that was OK. I also managed to spend thousands of my own money on nights out with friends and team mates, pushing myself seriously into debt. My anxiety, stress and depression were getting worse, but I was able to medicate for that myself, so no problem.

Then came Rome. I will save you, dear reader, from the gory details, suffice to say that at 5am on a Monday morning at the end of September I found myself at the top of a building incoherent with emotion, raging at the universe, and willing myself to jump off. I had lost my third phone that year from the nights entertainment, had driven myself further into debt and I just couldn’t do it anymore.

Thankfully, an ambulance turned up, I was talked down, hospitalised for a few hours and then discharged. With no phone, in a foreign country, no idea of where my hotel was or where I even was, I managed (in a complete blur) to get back to the hotel, call my wife, get to the airport and get home only to spend the next four weeks in the care of the NHS and my family, and off work.

The irony of my situation wasn’t lost on me; here I was, a successful, well paid, C-Level Executive, ostensibly well known and regarded in the industry, and I am clinically depressed and suicidal. Therefore to say I was scared, lonely and emotional would be an understatement, and I decided to make some changes in my life.

Two of those changes are of direct relevance here;

  1. I stopped drinking alcohol. I was classed as a Non-Dependent Alcoholic and as a result was tasked with cutting down my intake dramatically. I decided to stop entirely, a choice I would have considered unthinkable, even laughable, just a few months before. I haven’t drunk alcohol since, not because I can’t allow myself to, but because it simply isn’t an important part of my life now.
  2. I decided to be more open about my mental health issues with not only my family, but my friends and work colleagues, and address them proactively.  I was not going to be defined by this event and lifestyle change, and I also wasn’t going to be held to ransom, mistakenly or maliciously, by the events I have just disclosed above. I have yet to discover anyone who I confided in who was at the very least supportive, if not understanding, be they family, friends and especially my team.

There is of course a damn good reason why I am sharing this with you. What follows is my takeaways for everyone who read the above and felt it resonated with them even just a little.

  1. Alcohol is a bad way to treat yourself for anything longer than a few days. Talk to a doctor or therapist sooner rather than later and save yourself a life threatening event to wake you up.
  2. There is no stigma in sharing your mental health struggles. I am constantly amazed at the overwhelmingly positive response from everyone I talk to about my personal experiences. If your friends and colleagues are not supportive of you, perhaps you should question why you are in the state of mental decline in the first place.
  3. If you work for a good company, and/or have a good team, your time out of the office will be dealt with and accommodated for allowing you to recover. When you come back, you will do so with more energy and vigour than most other members of the team. If you are not being supported, see point 2.
  4. If a member of your team is struggling, you don’t actually have to do much to help. Communicating to them that they should take whatever time they need to address their issues, and not asking questions is all that is needed. If your team can’t take up the slack, then how are they going to cope during an incident anyway?
  5. Be supportive if you can; it is difficult, but even small gestures like gifts of tea and chocolate (you know who you are…) or staying in touch over instant messenger to make sure someone is OK is also a great way to show your support. Humour helps too.

I’m going to close this with a call to action. This isn’t some virtue signalling programme that I will front up on Twitter and Facebook, but rather a call for everyone to include mental health topics in their team meetings, their management reports and metrics, as well as face to face meetings. The financial losses to our industry are probably staggering because of mental health issues, so we should be tracking and probing on it in our organisations as much as gender or racial diversity.

I want to reiterate, again, that if you are feeling it, someone else is feeling it too. Now you know what I have been through, I hope it means you now you have someone you can reach out to as well, or have to courage to seek help and support when before you didn’t.

As for me, I have never been better these last 18 months or so. I sleep better, I work better, I manage stress better, and I am pretty sure my jokes are better too. Therefore, I leave you with this unattributed quote:

I wouldn’t recommend suicide, it’s bloody dangerous. I nearly killed myself…

 

Note: I am going to be at the RSA conference in San Francisco in a 
couple of weeks time, as well as at a variety of other conferences 
over the coming months. Please do say hello and let me know your 
thoughts on this topic. Should it be as mainstream as I suggest, 
or should we just stick with the stiff upper lip approach?
Can and should we be doing something else?

What, No Expense Account? My RSA 2019 Itinerary

Yes, you read it here first, I will not be jetting into San Francisco on my private jet and staying at a hotel I wouldn”t tell you plebs about anyway.

RSA 2019 will be a first for me in that I am representing myself and not expensing my trip on the company dime. I am attending in part, to the generosity of ITSP Magazine, (cheers, Sean and Marco!) and all I have to do in return is type a few words out for them. They may already be regretting that decision after seeing me insulting you, dear reader, in my first sentence of this blog.

I often attend RSA without a solid itinerary, getting a lot of value of the “hallway track” and the multitude of events that are thrown in and around the city during the conference proper. However, since I now have some of my personal cash invested in this trip (I am staying in an AirBnB with a shared bathroom for goodness sake), it is probably wise to get at least some kind of structure together. To wit:

dirty-bathroom

Oh, the inhumanity…

The Sessions

  • HUM-T06: Humans Are Awesome at Risk Management
  • DevOps Wine0ing (Not Whining) Cocktail Party
  • ID-T07: Studies of 2FA, Why Johnny Can’t Use 2FA and How We Can Change That
  • CXO-T09: How to Manage and Understand Your Human Risk
  • InfoSecurity Magazine Breakfast Briefing
  • Threat Modelling Brunch with IriusRisk
  • Security Blogger Awards (is it still on this year?)
  • KEY-R02S: Burnout and You: Fireside Chat with Dr. Christina Maslach
  • CXO-R11: The Fine Art of Creating a Transformational Cybersecurity Strategy
  • PROF-F01: Five Secrets to Attract and Retain Top Tech Talent in Your Future Workplace
  • PROF-F02: Why the Role of the CISO Sucks and What We Should Do to Fix It!

In summary then, risk, stress, strategy and human beings; all the key ingredients of any information security function.

This is my first cut of the agenda, and I reserve the right to not attend these and attend others, especially if some of my friends, colleagues, old drinking buddies and interesting random strangers turn up. Because that is what RSA is really about; meeting, networking and swapping ideas and opinions in real time.

The educational element is excellent of cours,, but it is rare that they will address exactly the problems you are facing day to day. You will learn something, you will expand your knowledge and you will take fantastic advice away with you, but it is rare you will get an hour face to face with he speaker. Taking the opportunity to really network and chew the fat with your old chums, as well as new o9nes is an invaluable way of really focusing your efforts.

Of course I have some specific goals (remember my reason for staying in the AirBnB?); I will be networking to find potential consulting work in the future, looking for NED or advisory positions, and seeing what is coming on the horizon from the many vendors. I am also interested to see if Artificial Intelligence code has actually been written in anything other than PowerPoint, although I suspect I will be disappointed again on that front.. Meeting my old boss and mentor, my old Deputy,  a multitude of other pals, even the guy who reckons he is the sole founder of Host Unknown (when everyone knows that is me), is just icing on the cake. I am definitely looking forward to catching up with the person who said I could use their hotel room bathroom too.

There will also be a Host Unknown party, bought to you by the kind sponsorship of anyone who turns up, just like last year in Las Vegas during Black Hat and DefCon. I have heard at least two of the sole founders will be there to welcome the dollar bills of sponsorship from the attendees.

It’s going to be a long, endless week, but I do know that I will come back with more knowledge, more passion, more energy and more excitement for our industry than ever before.

And a whole lot less cash in the bank, so if you see me, don’t forget to offer food and drink.


Consistency, consiztency, consistancy…

It will come as no surprise to most of you that I travel a lot to other countries, and as such I am a frequent visitor of airports and more memorably, the security procedures of those airports.

Every country has their own agency that manages this process, either outsourced or kept within government. Given the complexities of international and aviation law, I can well imagine the difficulties of staying abreast of the latest advice from a variety of different sources and applying it in a globally consistent way. But surely it can’t be that difficult, especially when it comes to the basics?

Here are just some of the more egregious examples of inconstancy that I have encountered around the world:

  • One airport that confiscated my nail scissors, despite the fact I had been carrying them (and had the case searched) through numerous security checkpoints before. The blade size was within accepted norms, except at this airport.
  • The security official that made me take my 100ml or less liquids out of the clear plastic case/bag I was using and put them into a clear plastic ziplock bag for scanning. I had been using that case for months, and continue to use it without issue to this day.
  • The security line where I din’t have to take off my shoes or belt, nor remove laptops or liquids from my bag because “we have a sniffer dog”. In fairness they did have a dog running up and down the line, but I started to doubt it’s ability to smell knives or similar in my case.
  • Having travelled through five airports in four days, the final airport insisted that I take the camera out of my bag, as it is “standard practise in our country to do this”. Not before or since has it been a practise I have experienced, let alone a standard one.
  • Finally, the multiple security personnel who tell me to leave my shoes on, only to be told as I go through the scanner to take my shoes off and put them on the belt to be x-ray’ed.

It goes without saying that I approach every security checkpoint with a mixture of hope, despair and disdain, and always leave with one of those feelings prevalent. Obviously this is an analogy to our world of infosec, perhaps even a tenuous one, but I do feel it is one worth expressing.

How we guide our organisations to interpret and carry out the policies and regulatory requirements they are beholden to is vital to the attitude and approach the employees will take. Uncertainty breeds many things, in this case doubt and anxiety about how to behave. If a policy is not implemented consistently then how can it be observed consistently? If we are constantly surprising our users then we can’t blame them for feeling jumpy, anxious or unsure, and therefore critical of the service being provided.

Cat-Cucumber-Gif-Gifs-Youtube-Video

Consistency is a very powerful tool to ensure people understand the policies, the purpose and the even the vision of an security organisation. As soon as there is doubt the very purpose of your security organisation is thrown into doubt. For example, why is BYOD allowed for senior execs and not for the rest of the organisation? Or why is a Mobile Device Management solution enforced on some parts of the business and not the other? In both these cases it only encourages the working around of the restrictions that subsequently weaken your security posture.

That is not to say exceptions cannot be made, that is why every policy etc. should have an exceptions statement. After all, expecting a policy to cover all eventualities is simply wishful thinking.

I dare say we all have inconstancies, but it is in all of our interests to drive them out of our organisation wherever possible. Otherwise, you will have people like me wondering what kind of ordeal I am going to have to endure just to get my day job done, and that doesn’t help anyone.

 


The Consistency of Plastique

51lIxdlS2nL._SX300_As I said in my last post I have been travelling quite extensively recently, but this weekend I was able to take a long weekend in Oslo with my wife just before the Nordic CSA Summit where I was invited to speak on “the CISO Perspective”. As a gift for speaking, each of us was given a block of Norwgian cheese, in a roughly square shape, that really did seem to have the consistancy, weight and look of a lump of plastique (I imagine…). It did occur to me that in the spirit of all good 44CON prizes, it was intended to get you stopped at the airport.

On my return home yesterday, I was pret sure my bag would be picked up for secondary screening given the presence of this lump of cheesy explosive in my bag (although apparently @digininja tells me a malt loaf has the same effect as well). Sure enough, my bag was selected, I presented to the good natured security folks the block of cheese, and with a wry smile they let my bag through. The same could not be said of my carry on bag though.

5piecelockpicktoolI was asked quite curtly if I had a penknife or similar in this bag; now I am getting more forgetful, but I was pretty sure I hadn’t. The security guy really did not look like he believed me, so we started to empty my bag. Then I remembered, I had a pick lock set that I had put into  zipped pocket in my bag about nine months ago, intending to give it to my good friend Akash in Boston who had expressed an interest in that particular art. Remember I just said I am getting forgetful? That’s why it has been in my bag for so long having seen Akash many times this last nine months. Oh well.

But it also occurred to me that I had been through about ten different airports in that time, and this was the first time it had been picked up, let alone even identified as a possible penknife (understandable as the picks fold into the main body).

This underscores to me the inconsistency of the security scanning at virtually every airport. Shoes on or off? Belts on or off? IPads as well as laptops taken out? Kindles, in the bag or out? My bag of cables that you tell me to keep in my bag at one airport, and then getting admonished for not pulling it out of the bag at the next? As an end user of these services (and I am fully supportive of them despite this I must say) it is extremely frustrating. There seem to be too many exceptions in place without clear reason, and without tying back to a singular way of doing things. The shoe bomber, Richard Reid, saw to it we have to take our shoes off going through security… except of course when you don’t.

Consistency in an information security programme is obviously key. But sometimes the pendulum swings too far the other way. Any policy that ends with “There are no exceptions to this policy” is asinine at best,  and crippling to the business at worst. There will always be a need for an exception in order to ensure business can be carried out effectively. As long as the risks are understood and communicated effectively, then move on and do it.

It certainly doesn’t mean that the exception can be used as an excuse to carry on working like that. There is no concept of precedence in this case. If there was the natural end state would be complete mayhem as every exception is used to the point where there is no policy left. An exception is just what it says on the tin, a one off easing off the rules for business to to operate effectively and efficiently. It should be time based, must be reviewed regularly, and where possible repealed if alternative approaches have come to light.

Consistency is important when applying policies, especially across a large organisation, but for goodness sake, don’t forget that change is an important part of business and needs to be embraced. But please do a better job of managing that change, and the subsequent exceptions, than airport security does.

Conferences and Presentations

What with InfoSec Europe, BSides, RSA Unplugged and the just attended Nordic CSA Summer conference it has been busy on the presentation front again. I have a few more presentation to upload to this site as well as some footage. I am hoping to make it to Blackhat in Vegas for the first time this year, and speak on behalf of friendly vendor who I have always enjoyed working with.

IMG_5656

Diligently preparing for the conference

As I also mentioned in my last post, my employer became a sponsor of the European Security Blogger Awards, something I hope we will be for future events as well. Unfortunately I lost my best personal blogger award crown this year to Lee Munson of Security faq’s. I can’t help but feel that if I have to lose to someone, Lee would be top of my list as he consistently outshines me in both quality and volume of blogging. As a community we are lucky to have someone like Lee and if you haven’t already done so please do reach out to him and congratulate him.

IMG_5513