Your InfoSec premiums have increased by 20% this year. Are we worth it?

High-insurance-PremiumsMy annual home insurance quote came through this morning, with the usual 10-20% uplift that I know I can remove again through simply phoning the provider and threatening to leave. It is a pretty standard technique in the industry that has been going on for years, and that preys upon the lazy people in the world who can’t be bothered to look for a better deal.

Rewind a few months when I spoke with a very senior executive who admitted that he saw information security as a form of insurance.

“I don’t want to have to pay for it, but I do because I know that when I need it you guys come and fix the problems we are in”

This is a somewhat common and fair attitude to information security given our background as an industry and how we often interact with the business (a particularly large topic that this entire blog is really about). yet what was so interesting was his follow on comment:

“the things is, I am sure there is so much more information security can do for us, I just don’t know what it is”

When I first took out home insurance, I was most concerned about getting the cheapest quote. I was young, free and almost single, but all of the extras that the larger insurance companies were offering (and charging for) did not concern me. If my house burnt down I would find somewhere else to live while the insurance company sorted everything out, what do I need a hotel for?  Lost my house keys? I will change the crappy lock on the front door myself when I get round to it, I don’t need a locksmith from the insurance company to do it for me.

Fast forward to today, and I live a far more complex busy life, cash rich (relatively speaking), time poor, with responsibilities to my children and wife, and a lifetime of memories in my house that are virtually irreplaceable. if things go wrong, I need it fixed quickly and easily and with the minimum of impact to me and my family. I even have proactive services, such as boiler cover and servicing to reduce the likelihood of things going wrong in the first place. Therefore I am leveraging every aspect of what the insurance company can give me even before something goes wrong, and the peace of mind that I get knowing they are looking out for me even prior to disaster striking is worth (almost!) every penny.

An information security programme must be able to sell every aspect of its services to the business, and not just be seen as a reactionary force. if it does that, every time something goes wrong, both the financial and emotional premiums of paying for your services will increase time over time until the point the programme is seen as imply an overhead like paying the rent and keeping the plant watered, i.e. when the time comes, costs to be reduced.

Look at how you provide service before the fact; risk assessments, security testing, awareness and education can all be seen as services that prevent and/or add value to the business. What about the day to day? Consultancy to the business to do things securely without them even thinking about it; it doesn’t have to have “security” written on it to be a win for you and the business. And of course don’t forget after the event; incident management, business continuity, or even helping in the quality acceptance environments after something has been developed.

The key is to be involved in the full lifecycle of your business, whatever they are. They will be different from business to business and industry to industry, so it may not always be easy to identify, but it is extremely valuable.

And the prices we quote every year? Unlike insurance premiums, we are worth every penny.

Note: I don’t actually like the analogy of infosec and insurance, but it is one I regularly hear, so I decided to try and embrace it in this blog. I still don’t like it, but I can see how it could be useful for a simple elevator pitch or short conversation. There are plenty of analogies out there, and the best place for them in my humble opinion is at The Analogies Project. Check them out, and use them wherever possible. Even better, think about becoming a contributor.

TAP-Contributor-Dark-250x160


The Consistency of Plastique

51lIxdlS2nL._SX300_As I said in my last post I have been travelling quite extensively recently, but this weekend I was able to take a long weekend in Oslo with my wife just before the Nordic CSA Summit where I was invited to speak on “the CISO Perspective”. As a gift for speaking, each of us was given a block of Norwgian cheese, in a roughly square shape, that really did seem to have the consistancy, weight and look of a lump of plastique (I imagine…). It did occur to me that in the spirit of all good 44CON prizes, it was intended to get you stopped at the airport.

On my return home yesterday, I was pret sure my bag would be picked up for secondary screening given the presence of this lump of cheesy explosive in my bag (although apparently @digininja tells me a malt loaf has the same effect as well). Sure enough, my bag was selected, I presented to the good natured security folks the block of cheese, and with a wry smile they let my bag through. The same could not be said of my carry on bag though.

5piecelockpicktoolI was asked quite curtly if I had a penknife or similar in this bag; now I am getting more forgetful, but I was pretty sure I hadn’t. The security guy really did not look like he believed me, so we started to empty my bag. Then I remembered, I had a pick lock set that I had put into  zipped pocket in my bag about nine months ago, intending to give it to my good friend Akash in Boston who had expressed an interest in that particular art. Remember I just said I am getting forgetful? That’s why it has been in my bag for so long having seen Akash many times this last nine months. Oh well.

But it also occurred to me that I had been through about ten different airports in that time, and this was the first time it had been picked up, let alone even identified as a possible penknife (understandable as the picks fold into the main body).

This underscores to me the inconsistency of the security scanning at virtually every airport. Shoes on or off? Belts on or off? IPads as well as laptops taken out? Kindles, in the bag or out? My bag of cables that you tell me to keep in my bag at one airport, and then getting admonished for not pulling it out of the bag at the next? As an end user of these services (and I am fully supportive of them despite this I must say) it is extremely frustrating. There seem to be too many exceptions in place without clear reason, and without tying back to a singular way of doing things. The shoe bomber, Richard Reid, saw to it we have to take our shoes off going through security… except of course when you don’t.

Consistency in an information security programme is obviously key. But sometimes the pendulum swings too far the other way. Any policy that ends with “There are no exceptions to this policy” is asinine at best,  and crippling to the business at worst. There will always be a need for an exception in order to ensure business can be carried out effectively. As long as the risks are understood and communicated effectively, then move on and do it.

It certainly doesn’t mean that the exception can be used as an excuse to carry on working like that. There is no concept of precedence in this case. If there was the natural end state would be complete mayhem as every exception is used to the point where there is no policy left. An exception is just what it says on the tin, a one off easing off the rules for business to to operate effectively and efficiently. It should be time based, must be reviewed regularly, and where possible repealed if alternative approaches have come to light.

Consistency is important when applying policies, especially across a large organisation, but for goodness sake, don’t forget that change is an important part of business and needs to be embraced. But please do a better job of managing that change, and the subsequent exceptions, than airport security does.

Conferences and Presentations

What with InfoSec Europe, BSides, RSA Unplugged and the just attended Nordic CSA Summer conference it has been busy on the presentation front again. I have a few more presentation to upload to this site as well as some footage. I am hoping to make it to Blackhat in Vegas for the first time this year, and speak on behalf of friendly vendor who I have always enjoyed working with.

IMG_5656

Diligently preparing for the conference

As I also mentioned in my last post, my employer became a sponsor of the European Security Blogger Awards, something I hope we will be for future events as well. Unfortunately I lost my best personal blogger award crown this year to Lee Munson of Security faq’s. I can’t help but feel that if I have to lose to someone, Lee would be top of my list as he consistently outshines me in both quality and volume of blogging. As a community we are lucky to have someone like Lee and if you haven’t already done so please do reach out to him and congratulate him.

IMG_5513

 


Are you the most thrilling ride at the theme park?

emotional-rollercoaster-53445I recently spent the day in Thorpe Park (a bit like a down market DisneyLand for anyone not from the UK), and we were all looking forward to a day of roller coasters, silly ride photographs, bad overpriced food and generally some good fun. We had never been before, and my kids are now old enough to be able to go on almost all of the rides now. Much excitement was expected.

Yes, we had a good day overall, but not as good as it should have been. The first two rides we tried to get on as soon as the gates swung open were closed because of technical faults; both these rides were at opposite corners of the park, so after 30 minutes not only had we not even had one ride, we hadn’t even got in the queue for one. This somewhat set the tone for the day. At the fourth closed ride my wife gave some unfortunate teenaged park assistant an earful (he was rescued by a senior colleague). At the fifth we could only laugh and accept our fate. And so it went on; the photo booth to collect photos from one ride was closed after we had staged the perfect family shot on the ride, the hand dryers in the toilets all blew cold, cold air on a cold day, vending machines were out of order, and so on. The more we looked the more we found fault.

We still had a good day, but we won’t be going back any time soon, and conceded that in the theme park area at least, the Americans have by far the best theme parks compared to Britain.

The whole experience reminded me of some security groups I have experienced. We very often promise a world of smiling, excited faces, a world made better by our presence and an experience that will surpass your expectations. The reality is often a little more drab than that.

We often see security functions that allegedly “enable your teams to work more effectively”, or “allow you to leverage your creativity while we drive your competitiveness” and so forth. In our drive to be seen to be a benefit to the business (good), we often set ourselves up for failure as we establish these grandiose statements (bad). “Leveraging security to be a differentiator in the marketplace” is great, but only if you can deliver on it. An ISO27001 certification may help your business get more work initially, but if the basic principles of good security practice in your delivery teams is not there, that work will soon be lost. Your company workforce working securely and in harmony is the best way of supporting your business, not having a “security strategy that differentiates us to our clients”.

Let’s focus on getting the rides running properly in your security programme before marketing ourselves in a way that ultimately shows even our hand dryers don’t work.


Less is sometimes more; InfoSec’s role in the business

Funny-and-Lazy-Animals-7-300x229I read an excellent article the other day from a LinkedIn reference talking about how laziness can be an effective approach to productivity. It dispelled the myth that “leaning in” when applying yourself to your job isn’t always required to do a good job. There is no need to get up at 04:30hrs to get your morning yoga done before getting to the office at 06:00 and working through the next fourteen hours. it even makes mention of an old Prussian army management matrix that made use of this concept. It reminds me of a Bill Gate’s quote (although it sounds like Steve Jobs!):

I will always choose a lazy person to do a difficult job, because a lazy person will find an easy way to do it

When put like that it sounds right, and yet the concept of using a lazy person seems counterintuitive. Perhaps we should replace lazy with “busy”, or “time poor”, but I think the point is well made nonetheless.

It reminded me of when I wast first put in charge of an information security project to ascertain the organizations level of exposure to personally Identifiable Information (PII). There had been a number of high profile breaches in the media, and the leadership was concerned about how many records we had access to and what we were doing about it. My approach was to work with a very talented team of junior infosec professionals, and we came up with an amazing spreadsheet that tracked every facet of what we thought we might need with, with macros and reporting buttons, lovely color scheme etc. We even tried to make it as friendly as possible as the trick up our sleeve was that we would be asking 95% of the organisation to fill this in themselves (and therefore saving on high labour costs to get this done). The other 5% were the very risky ones we already knew, so they got a personal visit from us to make them feel really special!

After a month of pushing, chasing and cajoling, our completion rate was something like 13%, and we were just a few days away from our deadline. Senior management were not happy, and demanded a full review. The career dissipation light started blinking in my peripheral vision.

We were trying to be far too clever for our own good, far too detailed, we wanted to cross EVERY i and dot EVERY t, whatever the cost to the project and the business. We were detail oriented and were going to get the most accurate report this company had ever seen. Except we didn’t. I was clearly told in no uncertain terms that I had completely misunderstood the business, how busy they were, how finite detail wasn’t what was at stake but getting a good idea of the scale of the problem was, and also to understand that people are generally doing their best to protect the company and were not in the habit of hiding the sort of activities we were doing our best to uncover.

We reduced the 154 question spreadsheet to 10 questions, some of which were voluntary. They were the the most important questions we had to ask, and we subsequently got the data we needed in a little over three weeks for roughly 97% of the organisation (you can’t help some people unfortunately). I managed to keep my job.

Perhaps it is our backgrounds in audit and compliance, but we infosec professionals love our checklists, our questions, our matrices and black and white answers to really drill down to the finite detail. That is not to say that at times they are not important – a good penetration test does need to be detailed and very complete, but that is mainly because the expectation of it being so. It wouldn’t surprise me though if 20% of a pen test uncovers 80% of the vulnerabilities. Vendor security questionnaires, risk assessments, audits, project or team reviews etc., can all potentially be done just as effectively with an element of brevity. Understanding what is important to the business and not to the security function is key here. If infinitesimal detail is important to the business then by all means go for, just ensure that is what the business really is after. most of the time they just need a reasonable picture.

Creating barriers to the successful adoption of security practices by using fifty page reference documents, or encouraging people to work around a security risk because doing the right thing involves sign off from six different gatekeepers is not a recipe for success as it puts the organization in direct opposition to the security function. By making sure that checklists and questionnaires are focussed, relevant and to the point will only encourage people to adopt the security measure that matter because there is clear benefit for a small amount of input.

We have all got better things to do with our time than collate thousands of questions that we have insisted are answered in order to ensure that the ultimate security objectives have been met. In some instances there may be value in that, but in the majority of cases I would wager there is none.

And besides, the rugby/cricket/baseball* match is on this afternoon, so we need to leave early to catch the game.

*Delete as appropriate. Just don’t add football.

 


Three Envelopes, One CISO

three-envelopes
The outgoing CISO of a company meets his replacements for lunch the day before he starts. He hands the newcomer three envelopes, labelled 1, 2, & 3.
I have one piece of advice for you. Whenever you have a breach, open each envelope in turn.
The job continues as expected over the months, when the fateful day come and the company suffers a security breach. Just before he is called into the boardroom to represent himself, he remember the envelopes and opens the first one. Inside, the card reads:
Blame your predecessor.
This he does and moves on.
A few months later another security breach occurs. Standing outside the boardroom, he opens the second envelope”
Blame your team.
A few months later, a third breach occurs. With a smile on his a face and spring in his step he approaches the boardroom confident he is going to get away with it again. As he is called in, he opens the envelope, mentally preparing to talk his way out of trouble. His eyes widen as he reads the card:
Prepare three envelopes.

 

512px-Sony_logo.svg
Last week saw the rather shocking news of the Sony security breach that suffered a very overt attack on Sony and multiple days of downtime. Rumours abound around if it was an insider job, the extent of the damage, the rebuilding of the entire Sony Active Directory structure and wiping of all workstations and reinstallation of operating systems. The exact details will no doubt take many months to surface, but one thing seems to be clear; the blame of the breach is being squarely laid at the CISO’s (and sometimes the CIO’s) feet.
One article from IT Security Guru supported this with a quote from Phil Lieberman, CEO of Lieberman Software:
This was a perfect example of sloppy IT security and a CISO that did not implement proper privileged identity management, or a disaster recovery backup plan for continuity of business. The consequences were a loss of control over his environment caused by a focus on convenience of IT rather than the security of the enterprise.

This may well be true of course, and the Sony CISO may well have been incompetent in this instance. There is however a very real alternative possibility. What if the CISO had been very clear in the dangers in this case of convenience over security? And what if the board, or other senior leadership simply felt it was too “expensive” culturally and from the perspective of impact to the current productivity of the company. Sony is a strongly creative focussed business; it is not a bank, an energy company or in a regulated environment, so they are not forced to carry out particular security activities. The ability of their employees to not work as flexibly and without restriction could well be seen as a higher risk than that of a breach (even after the 2011 breaches).

Perhaps the cost of this breach will simply be a blip in the years to come.

The key thing though is that the business may well have accepted this risk and simply moved on, much as they would have accepted a financial risk and moved on. Sometimes financial risks results in massive downturns in business, and I don’t always see the CFO being pilloried on the first day without evidence – that is normally reserved for the CEO or Chair of the Board.

We seem to want to chop down the CISO as soon as something goes wrong, rather than seeing it in the context of the business overall.

Let’s wait and see what actually happened before declaring his Career Is So Over, and also appreciate that security breaches are not always the result of poor information security, but often simply a risk taken by the business that didn’t pay off.

I’m off now to get my PS4 in a fire sale.