Wash Out Your Ears – The importance of listening during risk assessments

I can’t tell you the number of times I have sat on the other side of the table during a risk assessment or audit and not only been talked at by the auditor but also not even listened to. Unless what I or my colleagues are saying is part of the accepted script the auditor expects to hear, it can often fall on deaf ears.

It doesn’t matter if what I am saying is germane to the topic in hand, explains it in more technical detail, or even if it addresses a number of questions, old or yet unasked: the auditor blindly continues, or even just appears to switch off. How can this lead to a successful audit or assessment? To some, an audit or assessment is a sequence of activities to be completed in a set order and at a set pace, and that will never result in quality findings. Approaching an audit or risk assessment from a less mechanical perspective will often yield results in unexpected ways.

Simply listening will give you at least two things:

  1. More information. It may not always be immediately relevant, but at some point in the day it will help you form a larger and more complete picture.
  2. Unprepared auditees will sometimes talk themselves into trouble! Nerves can make people do very silly things, and letting people engage their mouths before their brains can lead to some startling insights.

When you combine the above points you will often find what I call the “over-specific response”. People will sometimes be very specific in their responses. For instance, when asked if a particular procedure has been tested, the response “Yes, this procedure has been tested” gives rise to so many other questions, such as “when, where, and by whom?”, and yet on a casual listening it is a very positive response. Listening to the exact response and unpicking the precise verbiage is vital.

Additionally, there is one other aspect of listening that should be observed; that is, carrying on listening even when the other person has stopped talking. Just as nature abhors a vacuum, human beings as social animals abhor a silence. Staying silent for longer than is comfortable (at least to them) very often produces more talking and more information than they originally intended. When I first presented this thought just over a year ago in a risk forum a member of the Metropolitan Police in the audience later asked me if I had ever had interrogation training, as this was exactly one of the approaches they used! I would certainly never suggest that an audit or assessment is an interrogation, but there is very much an art to getting the maximum amount of information out of someone trying to give you the absolute minimum.

One rule of thumb to take away in this instance is a quote I first read in The Leaders Workbook by Kai Roer (@kairoer):

Try to keep in mind that you have twice as many ears as you have mouth, implying you should spend more time listening than talking.

That’s a pretty good ratio for any risk assessment or audit I think.


Certified Information Security [Insert Qualification Here] Post Nominals

The good news for me this last week was that I eventually took the CISSP exam and passed. I was obviously pleased and relieved, and I am currently going through the endorsement process. Despite the drubbing that the CISSP has taken as a certification over the last year or so, I have to admit that on the whole I was impressed with the depth and breadth of the subjects covered.

Of course the caveat to this is that I think this on the basis that the CISSP is an information security certification, not an IT security certification. There is plenty of content about fire extinguishers, foot candle illuminations of parking areas or even the legal constraints of transferring information outside of the EEA, all of which are important to my mind when taking into account the broader concepts of information security (especially when considering the Confidentiality, Integrity & Availability triangle). Much of the criticism I observed was around the relevance of topics like my previous three examples to IT security, to which I reply “It’s not”. There are sections that focus on these areas, but they quite rightfully don’t dominate the subject matter.

That said, there were areas that I thought were woefully under-represented in the reference material that I used. For instance, I disagreed with the definition of ISO 27001 versus ISO 27002, their definition of an adequate security measure for WEP (hiding the SSID… really?) and other small points. I was however revising against the 2nd edition CBK, which has now been updated to the third edition, so perhaps there have been updates in some of these areas.

The other area I struggled with was the relevance of some of the information required for the exam: the level of detail required in areas like security architecture for models that actually aren’t in use any more, or encryption techniques, or even the finalists in the competition to decide what encryption method to use in what ultimately became AES… over twenty years ago! None of this is going to be useful to me in my day-to-day job at all.

But again, overall it really made me think about my “craft” and I have found it beneficial. There was an element of me taking this exam as a box ticking exercise given my current role, but this was mainly because I came to infosec quite late in my career and there were questions being asked as to why I didn’t have this qualification. It made sense to get it done now and out of the way as it were, and add to my CISM and CGEIT (and MBCS CITP… at this rate my business cards are going to have to be very wide.)

The big question for me now though is what’s next? CRISC or the CIPP/E? Risk or Privacy?


Don’t Put Baby in the Corner

Last week I had the opportunity to do both a presentation at the BCS IRMA Specialist Group as well as take part in a drastically reduced panel with Javvad Malik (and only Javvad!) at the InfoSec Europe 2013 Press conference.

Firstly I want to recount the panel for the press conference. After some last minute drop-outs (one of which I was replacing anyway!) there was just Javvad and me available to do it, less than 24 hours before we were due to start. In his own inimitable style he proposed a double act, Parkinson style, to talk about the challenges faced by a CISO in the Enterprise. I was somewhat unconvinced by this but, true to his word, the whole session went extremely well and was thoroughly enjoyable. Afterwards Javvad was told by some of the journalists that the session was a great way to end the two days, with the non-vendor focus of the session and the humour that Javvad and I of course used!

One of the main topics we discussed was that of the position of the CISO within the organisation and the influence that this subsequently brings. Ultimately my position is clear on this, that the CISO needs to be as high in the organisation, and as independent of vertical alignment as possible. What I mean by this is that if the CISO is on the board (or executive leadership team as appropriate) and does not report into the CFO, COO, CIO or any other C level executive there is a dramatically increased chance of security being a successfully managed activity in the enterprise. It ensures full representation of the security function at the most senior levels, free of conflicts of interest and able to vie for budget and attention on an equal footing with the rest of the business units.

I will caveat this however. If there is no security function in place or it is in its nascent stages, or the business itself is smaller, it makes absolute sense to have the security function perhaps initially reporting into the CIO; in all likelihood the staff building the team will come from IT anyway. However, as the team grows it needs to evolve its leadership and position in the organisation, perhaps moving away from the IT function, to the COO and then ultimately to the board.

This transition is something that I have never seen planned in advance, and this is probably one of the fundamental reasons why the CISO and security function is constantly under-represented in the modern enterprise as it struggles to gain independence. This will always result in poor awareness and training, lack of budget and lack of true top-down security adoption as they compete for ever diminishing resources from lower down in the organisation.

One fairly unique place I have seen the security function is reporting into the General Counsel/Legal function. This I have seen work well, as it is the GC that is traditionally responsible for the tracking and management of risks for the enterprise, and who frequently has the ear of the CEO. I rarely see a conflict of interest with the security function either. This is not common though, and is only likely in the larger organisations that have a formal role of GC.

Bottom line, if the newly appointed CISO (i.e. a senior level position for a mature security team) reports into the CIO, then in reality, security is not going to function effectively in that organisation.

And finally (although not in chronological order), the BCS. It was the final presentation of “An Anatomy of a Risk Assessment” and it was (as far as I can tell) well received. Unfortunately the weather and lack of sandwiches after the event meant there was little time to mingle afterwards, but I have since received a number of favourable comments and of course connection requests on LinkedIn, which is always heartening. I did however feel I didn’t answer one of the questions at the end, about India, particularly well, and may have come across as a little disingenuous when nothing could be further from the truth. I hope my friends and colleagues from India will forgive me if they make it to the end of the video when I get hold of a copy (and post it here). As an aside I found an extremely flattering write up of the very first time I presented this in January last year. To the author at Acumin, thank you! http://acumin.wordpress.com/2012/02/

All in all, a very enjoyable and engaging kick off to 2013.



2012 in review

Blogging can be seen as a very inwardly focussed activity; it is all about me, me, me. I have always tried to maintain a fairly balanced online presence, keeping it professional if a little informal, striving to only blog or tweet quality rather than quantity. On the whole this has worked for me. The downside to this though has been a slow increase in my online presence (or brand, whatever term works for you) and therefore Twitter followers and blog visits. For example, one of the primary reasons for blogging this year has been to “practise” writing about my profession in a way that I don’t get in my place of work, and not to gain fans and followers (although that would be a nice by-product!).

That said, the automated report that WordPress sends out prompted me to consider what I have achieved over the last year and realise how positive I feel about my online presence. To put it into context here are some very quick (and totally unscientific) stats: In 2011 (when I joined Twitter) I had four blog posts in a self managed blog page, attended one conference (RSA), had less than ten followers and tweeted maybe ten times. I had publicly spoken once, for two minutes, at the Christmas RANT forum. In short, I had no idea what the community had to offer or indeed how to engage with it.

It was at the aforementioned RSA conference that two things happened; firstly I realised that 80% of the presentations I watched were of a quality that I felt I could reproduce. Secondly I met a few folks on the last night that in all honesty changed my perception of the industry and how I could participate in it, namely Brian Honan (@BrianHonan), Kai Roer (@kairoer), Alex Hutton (@alexhutton) and Aaron Barr (@aaronbarr) amongst others. They showed me (unknowingly) how they worked with the community, staying in touch through Twitter, communicating through blogs, articles, podcasts etc. I have since stayed in touch with Brian and Kai, both of whom I respect greatly and would like to thank for their openness and friendliness to me back in October 2011!

Fast forward to today and my stats are a little better: 26 blog posts, nearly 500 tweets (not all of them are rubbish either!), 111 followers, six public speaking engagements including one panel and the RSA conference itself, a video blog with the almighty Javvad Malik (@j4vv4d), and contributions to two articles (for Tripwire and (In)Secure magazine). I attended, in one capacity or another, nearly twenty events/conferences/forums. The best part is that these stats don’t do the experience itself any justice. I have made friends and met many people for whom I have the deepest respect and whom I genuinely like and whose company I enjoy. I have submitted a joint CFP for a conference with one of them, and hope to continue my relationship with Acumin and the RANT forum (@Acumin & @GemmaPats) who gave me my first big break in public speaking (thank you!). In short, 2012 has been awesome as both a learning experience and a source of fun and enjoyment as regards my chosen profession. The blog stats below are of course modest by most people’s standards, but they are interesting and encouraging to me nonetheless in the context of the above.

I tweeted over the Christmas holidays that my word for 2013 is “growth” both professionally and personally; while I hope that my 2013 “stats” will continue to “grow” more importantly I hope that my new friendships and opportunities to learn in this odd, frustrating, challenging yet ultimately rewarding industry and community continue.

And before you ask, yes, New Year, New Theme for the blog; I’ve grown out of my dark goth and emo phase and now it is time for some colour and class!

Here’s an excerpt:

The new Boeing 787 Dreamliner can carry about 250 passengers. This blog was viewed about 1,200 times in 2012. If it were a Dreamliner, it would take about 5 trips to carry that many people.



Presentation Style IS Important

Just before Christmas I had an excellent opportunity to co-present one of Javvad’s (@j4vv4d) eponymous InfoSec video blogs. In it we took a tongue-in-cheek look at the variety of styles of bad presentation that we have observed at various conferences and forums. I should of course stress that neither one of us claims to be keynote material with regards to our own presentation style, but we are constantly struck by how many presentations are unintelligible, difficult to follow, underprepared, or suffer from a myriad of other things that dramatically reduce the impact and message a presentation is supposed to give.

The video blog (here) looks at ten different styles that we felt were the most heinous; there were a further ten left on the cutting room floor! Obviously it was a humorous view in order to best get the point across, but it does underscore a serious point, namely that it is astonishing that for a so-called professional industry the quality of presentations is often so low, even at events that you have to pay for. I for one expect more.

What I want to look at now though is not “what” we should be doing to improve these presentations because that has been done elsewhere (here and here); rather I will focus on the “why” because it is important to understand the reasons for improving our presentations and the positive outcomes it will have to our community.

In my opinion, it comes down to three points:

Firstly (and in reference back to the video blog), I see so many people in the audience quite simply just turning off in the face of poor presentation style (be it the slides, the verbal delivery etc.). All of us attend these forums and conferences to learn from other people, observe their real world experiences and look to see how we can apply the learning in our own professional lives. And yet the first message we get is that the topic in hand is dull, or inaudible, or illegible. In any kind of information security conference all topics should be interesting to one extent or another to all attendees. It is the presenter’s primary responsibility to make the topic interesting, grab the audience’s attention and maintain it throughout.

Secondly, it is a question of value for money. This is very apparent in the situations where an event costs money to attend; I expect a certain level of professionalism, content and delivery, and in too many cases it is simply not apparent. In free events, this is less obvious for the audience (who are often getting free beer and food at the same time), but the poor presenter is letting down the sponsor and perhaps sullying their name and reputation. Of course there is also the reputational damage to the individual giving the poor presentation!

Finally, it is a matter of professionalism for the industry and community. Not only do we need to be taken seriously amongst ourselves but we must ensure we can speak convincingly within our own organisations. If we cannot put across our thoughts, analysis, reasoning, proposals and perhaps most importantly our requests for budget in a convincing and professional manner the infosec industry (and your department) will never be taken seriously.

None of us are perfect, especially when it comes to standing up in front of a demanding audience, but I strongly believe we should be asking our trusted colleagues, peers and acquaintances for feedback each and every time we present. What we get back from them may make for uncomfortable listening, but as long as the feedback is given constructively, openly, without fear of reprisal and with good intentions we will all benefit, as individuals, as organisations and as an industry.