Busy Doing Nothing?

When you are faced with managing third-party risks, it can feel like a Sisyphean task at best. Even a small organisation is going to have  20+ third parties and vendors to deal with, and by the nature of a small business, absolutely not a full-time person to carry them out. As an organisation grows, at the other end of the extreme there will be many thousands of vendors and third parties in different countries and jurisdictions; even a large team is going to struggle to deal with that volume of work.

In The Lost CISO this week I talk about how to manage a third-party risk management programme from the perspective its sheer volume of work.

The key to dealing with this volume is, of course, to take a risk-based approach, and consciously decide to do nothing about a large proportion of them. It sounds counter-intuitive, but then a risk-based approach to anything can seem counter-intuitive. (Why would you “accept” a high-level risk for goodness sake?!) In this case, you would quite literally be putting some effort into deciding what not to do:

We’re busy doing nothing.

Working the whole day through.

Trying to find lots of things not to do.

Busy Doing Nothing, written by Jimmy Heausen-Van & Johnny Burke

This means your best approach is to filter who you absolutely must assess, who you should assess, and who can be reasonably ignored. In theory, the last group will be the majority of your third parties. How you filter is of course down to what is important to your organisation, industry, clients, the data you hold, the physical location of your environment (office or hosted) and any other criteria you can consider. Ultimately, it is what is important to your organisation, not what is important to you as a security person. Why? Because if security has the final say, there is a potential for a conflict of interest and the limiting of the organisation to operate effectively and efficiently. Here is a sample list of criteria you can sort your third parties by:

  1. Do they have access to our client’s (or our client’s customers) confidential/sensitive data?
  2. Do they have access to our confidential/sensitive data?
  3. Do they have data access to our IT infrastructure?
  4. Do they have physical access to our premises?
  5. Is our organisation reliant on their services being available at all times?

Inside each of these selected criteria, you may wish to refine further; in answer to the question, think “yes, but…” and you may find a particular vendor does not make your list as a result.

Congratulations! You have now hopefully reduced your third-parties needing to be assessed by hopefully about 80%. If that is not the case, go back to the beginning and validate your criteria, perhaps with business leadership themselves, or (ironically) a trusted third-party.

This may well still leave a formidable list to get through, so there are some more tricks you can use.

When assessing some of the larger third-parties (think Apple, Google, Microsoft etc.), you may wish to accept their certifications on face value. The chances of getting a face to face meeting and tour of the facility, whilst not impossible, are remote, and very much dependent upon how much you spend with them. The more reputable vendors will be transparent with their certifications, findings and general security programmes anyway.

You can then use this filter again with the slightly less well-known vendors but include a handful of questions (no more than fifteen) that you would like answered outside of certifications.

The smallest vendors with the least formal certification and publicly available can be presented with a more detailed set of “traditional” third-party risk questions. Make sure they are relevant, and certainly no more than 100 in total. You are better off getting a good idea of most of the vendor environments from a returned questionnaire than you are a perfect idea of a handful of environments from a barely returned questionnaire. The idea here is to get a consistent, medium level view across the board in order to spot trends and allocate your resources effectively.

Still overwhelmed with sheer volume? If this is the case, look to a three-year cycle rather than an annual cycle. You can reduce the workload by up to two-thirds this way, but you may wish to consider that some vendors are simply too crucial to have on this kind of cycle.

So all that is left is to ensure all of this is carefully monitored, tracked and managed. For instance, what are you going to do with a vendor that doesn’t meet your standards?

And that, my friends, is for another blog.

(You can download a sample third-party security questionnaire from the (TL)2 security Downloads area. There will be more templates arriving soon that you can download and use for yourself, or you may wish to contact (TL)2 if you would like some help and support in creating a third-party risk programme.)

 

 


The Runners and Riders of Lockdown

After over six weeks of some kind of lockdown here in the UK, and similar amounts of time elsewhere in the world, it has become very obvious to me that many companies out there are simply ill-equipped to deal with the change in lifestyle the lockdown demands.

By ill-equipped, I don’t just mean from a technology perspective, although we see some of that as companies reduce security requirements to get users online from home. What I mean is that culturally they are not equipped to deal not only with a workforce that needs to work remotely but also a market that is doing the same. Put simply; companies are struggling to re-gear their sales and marketing departments to this brave new world we find ourselves.

I say this because as an industry we are used to a plethora of in-person events happening where vendors can either have stalls displaying their latest products, or stages where carefully polished presentations and panels are put on for us to watch, learn and hopefully decide to buy their product from. Webinars and online events were there but were the distant, impoverished, uglier cousin of something live, in-person and your face. Indeed, just a few weeks before the lockdown I was at RSA Conference in San Francisco, where the very epitome of what I describe was played out for the world to see.*

Then suddenly, it all stopped. Conferences and shows were cancelled, events postponed indefinitely, and in many cases, the security product landscape just stopped. I understand why, in many cases, cash flow needed to be conserved in these unprecedented times. However, it very quickly became apparent that this was the new normal, and that the companies that didn’t embrace it would quickly become irrelevant. after all, if you can’t adapt to a few weeks of disruption, what kind of company are you, delivering products to an industry that needs to plan for disruption?

I watched “Have I Got News For you” in those first few weeks on the BBC, a topical panel show comprised of 5 people, and they did it by having the guests record from their homes.

Have I Got News For You, March 2020

It was different, the dynamic was… a little off… but the show went ahead, the jokes landed, and each subsequent show got better. In other words, the BBC just got on with it, embraced the change, and made it work.

The same needs to happen to many of the security vendors, as unfortunately, it is a case of remaining relevant throughout the lockdown, in the front of people’s minds, and showing that they can overcome adversity by delivering knowledge and information. Those that don’t do it, retract into their proverbial shells and wait for “normality” to return will suffer.

Also, let us assume that normality does return, whatever form that might take. Those that have embraced these alternative Zoom/Skype/Teams/Hangouts/whatever approaches may find they are just as valuable as in-person events and can operate both, side by side, now unconstrained by the lockdown and able to use film and audio in even more creative ways. Which company would you choose to work with in the future, the one who sat tight, and did little market outreach during the lockdown, or the company that continued to communicate with their clients and potential clients through different mediums, sometimes getting it wrong but continually innovating and improving. Which company has the better culture?

It isn’t even a matter of cost. The LinkedIn Live, Zoom, Webinar etc. technologies already existed and were invested in, just woefully underutilised.

The same argument also applies to work from home, as many organisations now realise that productivity isn’t hours sat at the office desk, but rather results.  Which organisation/manager would you want to work for? The one that never changes or the culturally adaptive one that is based on results and trust?

These are challenging times, but these are the times that are going to show many companies in their true light, and you can use this time to differentiate between them.

 

*I do love a good conference, and the benefits they bring to my peers and me are fabulous, in case you think I am biased against them.


Price versus Value; Why it is Important in Information Security

Running my own business now means I have to work out how much I am going to charge for my services, and if the market (or client) is going to be willing to pay me that price. It makes for an interesting internal dialogue, especially as I have always been told to not sell myself short or underestimate the skills I have and the value they bring to a client.

I recently lost out on some work because the client decided to go with somebody established rather than a new company like me. To be fair to them they had paid me well for five days consultancy to help them work out what they wanted, and they were very pleased with what was delivered so I honestly thought they would choose me. Hubris at its best I suppose.

I suspect that by going with a larger, established company they may well be paying less than I quoted for (it was assistance with ISO27001 certification by the way). The established company would have a larger range of resources, some certainly more junior than me and the people I was going to subcontract with, a tried and tested approach they have used hundreds of times before, and larger resources to back them up throughout the process. The client will certainly become compliant and obtain the certification.

Now, I am not going to denigrate the work this competition do, but I imagine they would be very task oriented, focussed on getting the certification for their client, and ensuring they come back year after year for more support. Then they will be onto the next job and doing the same thing again in short order. I have been a part of this process myself in my old consulting days.

So what value would someone like me bring then, especially if the end goal is the same, i.e. certification? Put simply, I strongly believe in the differing cultures of one company to the next, and the fact that what is left at the end of the certification needs to be reflective of that culture and able to be adopted for the long term. That means policies, procedures, communications and the overarching ethos of the programme must be in harmony with the clients vision and goals. That is very hard to do with a boilerplate approach. I guess it comes down to “the personal touch” as well as a somewhat selfless approach in ensuring the client is educated in the process enough along the way that they could actually go through the process again with significantly less of your support.

Is it the most immediately profitable approach? Of course not, but it is how you build “sticky” relationships with potential clients by ensuring they see you are there for their benefit and not yours. With a bit of luck this will mean more opportunities with them in the future or recommendations to other potential clients.

There are certainly no hard feelings between me and the client I mentioned at the beginning, they are lovely, honest and transparent people who I enjoyed working with and who paid me a fair price for my time in the analysis phase, and I really do wish them the best of luck in their certification with their new vendor.

I just hope they call me when they realise what they could have had. <Disengage hubris mode>


Consistency, consiztency, consistancy…

It will come as no surprise to most of you that I travel a lot to other countries, and as such I am a frequent visitor of airports and more memorably, the security procedures of those airports.

Every country has their own agency that manages this process, either outsourced or kept within government. Given the complexities of international and aviation law, I can well imagine the difficulties of staying abreast of the latest advice from a variety of different sources and applying it in a globally consistent way. But surely it can’t be that difficult, especially when it comes to the basics?

Here are just some of the more egregious examples of inconstancy that I have encountered around the world:

  • One airport that confiscated my nail scissors, despite the fact I had been carrying them (and had the case searched) through numerous security checkpoints before. The blade size was within accepted norms, except at this airport.
  • The security official that made me take my 100ml or less liquids out of the clear plastic case/bag I was using and put them into a clear plastic ziplock bag for scanning. I had been using that case for months, and continue to use it without issue to this day.
  • The security line where I din’t have to take off my shoes or belt, nor remove laptops or liquids from my bag because “we have a sniffer dog”. In fairness they did have a dog running up and down the line, but I started to doubt it’s ability to smell knives or similar in my case.
  • Having travelled through five airports in four days, the final airport insisted that I take the camera out of my bag, as it is “standard practise in our country to do this”. Not before or since has it been a practise I have experienced, let alone a standard one.
  • Finally, the multiple security personnel who tell me to leave my shoes on, only to be told as I go through the scanner to take my shoes off and put them on the belt to be x-ray’ed.

It goes without saying that I approach every security checkpoint with a mixture of hope, despair and disdain, and always leave with one of those feelings prevalent. Obviously this is an analogy to our world of infosec, perhaps even a tenuous one, but I do feel it is one worth expressing.

How we guide our organisations to interpret and carry out the policies and regulatory requirements they are beholden to is vital to the attitude and approach the employees will take. Uncertainty breeds many things, in this case doubt and anxiety about how to behave. If a policy is not implemented consistently then how can it be observed consistently? If we are constantly surprising our users then we can’t blame them for feeling jumpy, anxious or unsure, and therefore critical of the service being provided.

Cat-Cucumber-Gif-Gifs-Youtube-Video

Consistency is a very powerful tool to ensure people understand the policies, the purpose and the even the vision of an security organisation. As soon as there is doubt the very purpose of your security organisation is thrown into doubt. For example, why is BYOD allowed for senior execs and not for the rest of the organisation? Or why is a Mobile Device Management solution enforced on some parts of the business and not the other? In both these cases it only encourages the working around of the restrictions that subsequently weaken your security posture.

That is not to say exceptions cannot be made, that is why every policy etc. should have an exceptions statement. After all, expecting a policy to cover all eventualities is simply wishful thinking.

I dare say we all have inconstancies, but it is in all of our interests to drive them out of our organisation wherever possible. Otherwise, you will have people like me wondering what kind of ordeal I am going to have to endure just to get my day job done, and that doesn’t help anyone.

 


What does a CISO actually do?

I read this wonderful article by Helen Patton  a CISO and contributor to Medium, and in it she describes the seven main areas she spends her time as a CISO; Technology, Data, Business, All The Other Internal Stuff, Vendors and Partners, Law Enforcement and Customers. (She also adds an eighth area, her Security Team of course!).

It is a fascinating read and one that tells a lot about the type of work a CISO will find themselves doing, and much of it resonated with me. I do believe however that the viewpoint is constrained by one aspect of her role, and one Helen states upfront:

Given that Cyber Security is about, well, cyber, and given that in my organization my administrative reporting line goes through the CIO, I spend a fair amount of time working on technology strategy.

It prompted me to write this post because I feel a CISO can do so much more once the role is removed from the auspices of IT. This has been a pet topic of mine for a number of years now, and it is a similar challenge CIO’s once faced, i.e. not reporting into the highest level of management possible. even spoke back in 2013 at RSA on just this topic.

This is a very common reporting line of course, largely because information security responsibilities often come out of IT, or the focus is purely on IT security and therefore fits into that service. It does however create potential issues:

  • The infosec message is filtered through the IT lens, and security issues become a smaller part of the overall IT programme.
  • The role is focussed significantly more on technology (the first item on Helen’s list above) and doesn’t take into account other factors, such as physical, people, or even awareness.
  • If the security function is dictating or heavily influencing technology and architecture, a conflict of intents can arise if there are security deficiencies in those aspects. There is no independent perspective on testing the environments, and a conflict of interest in highlighting deficiencies therein.

In these circumstances the role has a tighter focus, is more hands on, and may potentially not bring the benefits to an organisation that it could.

So what should CISO be doing then?

The CISO primarily needs to be a representative of the business, and not of a department. By that I mean that the CISO is not always going to be the best information Security professional in the same way that the CFO is not always the best accountant. They are however the best person to make decisions that span their area of responsibility AND the business, and actually focus on the bigger picture.

My role as a CISO therefore is not to make the company the most secure company in the world. If I did that, it would be out of business in a matter of months; loss of agility, inability to invest, reluctance to accept certain projects etc etc would make the company wholly unprofitable. My role is to help the company sell more, do more, innovate more and earn more… through the judicious application of security as a competitive advantage.

Put simply, a CISO needs to stop saying “No” to projects or requests that on the face of it are high risk, and stop expecting 100% security on rollouts prior to launch. That doesn’t mean we can’t aspire to perfection, or aim to build the very best environment we can, we just have to accept that something that is a high risk to us, may be a low risk to the business overall. Of course the business needs to understand what the security risks are and be cognisant of the risk when taking decisions, but security is not the single most important input here, it is one of many. We are advisors, not dictators.

The CISO therefore not only does many of the things Helen points out in her article, but it goes beyond that; above everything else in my opinion is being able to truly understand the business, it’s challenges, goals and vision, provide performance information, read the company reports and educate the senior leadership on what risks there are without sowing F(ear), U(ncertainty) and D(oubt). In other words then, what does a CISO do…?

Powerpoint and politics.

Everything else is just details.