Busy Doing Nothing?

When you are faced with managing third-party risks, it can feel like a Sisyphean task at best. Even a small organisation is going to have  20+ third parties and vendors to deal with, and by the nature of a small business, absolutely not a full-time person to carry them out. As an organisation grows, at the other end of the extreme there will be many thousands of vendors and third parties in different countries and jurisdictions; even a large team is going to struggle to deal with that volume of work.

In The Lost CISO this week I talk about how to manage a third-party risk management programme from the perspective its sheer volume of work.

The key to dealing with this volume is, of course, to take a risk-based approach, and consciously decide to do nothing about a large proportion of them. It sounds counter-intuitive, but then a risk-based approach to anything can seem counter-intuitive. (Why would you “accept” a high-level risk for goodness sake?!) In this case, you would quite literally be putting some effort into deciding what not to do:

We’re busy doing nothing.

Working the whole day through.

Trying to find lots of things not to do.

Busy Doing Nothing, written by Jimmy Heausen-Van & Johnny Burke

This means your best approach is to filter who you absolutely must assess, who you should assess, and who can be reasonably ignored. In theory, the last group will be the majority of your third parties. How you filter is of course down to what is important to your organisation, industry, clients, the data you hold, the physical location of your environment (office or hosted) and any other criteria you can consider. Ultimately, it is what is important to your organisation, not what is important to you as a security person. Why? Because if security has the final say, there is a potential for a conflict of interest and the limiting of the organisation to operate effectively and efficiently. Here is a sample list of criteria you can sort your third parties by:

  1. Do they have access to our client’s (or our client’s customers) confidential/sensitive data?
  2. Do they have access to our confidential/sensitive data?
  3. Do they have data access to our IT infrastructure?
  4. Do they have physical access to our premises?
  5. Is our organisation reliant on their services being available at all times?

Inside each of these selected criteria, you may wish to refine further; in answer to the question, think “yes, but…” and you may find a particular vendor does not make your list as a result.

Congratulations! You have now hopefully reduced your third-parties needing to be assessed by hopefully about 80%. If that is not the case, go back to the beginning and validate your criteria, perhaps with business leadership themselves, or (ironically) a trusted third-party.

This may well still leave a formidable list to get through, so there are some more tricks you can use.

When assessing some of the larger third-parties (think Apple, Google, Microsoft etc.), you may wish to accept their certifications on face value. The chances of getting a face to face meeting and tour of the facility, whilst not impossible, are remote, and very much dependent upon how much you spend with them. The more reputable vendors will be transparent with their certifications, findings and general security programmes anyway.

You can then use this filter again with the slightly less well-known vendors but include a handful of questions (no more than fifteen) that you would like answered outside of certifications.

The smallest vendors with the least formal certification and publicly available can be presented with a more detailed set of “traditional” third-party risk questions. Make sure they are relevant, and certainly no more than 100 in total. You are better off getting a good idea of most of the vendor environments from a returned questionnaire than you are a perfect idea of a handful of environments from a barely returned questionnaire. The idea here is to get a consistent, medium level view across the board in order to spot trends and allocate your resources effectively.

Still overwhelmed with sheer volume? If this is the case, look to a three-year cycle rather than an annual cycle. You can reduce the workload by up to two-thirds this way, but you may wish to consider that some vendors are simply too crucial to have on this kind of cycle.

So all that is left is to ensure all of this is carefully monitored, tracked and managed. For instance, what are you going to do with a vendor that doesn’t meet your standards?

And that, my friends, is for another blog.

(You can download a sample third-party security questionnaire from the (TL)2 security Downloads area. There will be more templates arriving soon that you can download and use for yourself, or you may wish to contact (TL)2 if you would like some help and support in creating a third-party risk programme.)

 

 


Consistency, consiztency, consistancy…

It will come as no surprise to most of you that I travel a lot to other countries, and as such I am a frequent visitor of airports and more memorably, the security procedures of those airports.

Every country has their own agency that manages this process, either outsourced or kept within government. Given the complexities of international and aviation law, I can well imagine the difficulties of staying abreast of the latest advice from a variety of different sources and applying it in a globally consistent way. But surely it can’t be that difficult, especially when it comes to the basics?

Here are just some of the more egregious examples of inconstancy that I have encountered around the world:

  • One airport that confiscated my nail scissors, despite the fact I had been carrying them (and had the case searched) through numerous security checkpoints before. The blade size was within accepted norms, except at this airport.
  • The security official that made me take my 100ml or less liquids out of the clear plastic case/bag I was using and put them into a clear plastic ziplock bag for scanning. I had been using that case for months, and continue to use it without issue to this day.
  • The security line where I din’t have to take off my shoes or belt, nor remove laptops or liquids from my bag because “we have a sniffer dog”. In fairness they did have a dog running up and down the line, but I started to doubt it’s ability to smell knives or similar in my case.
  • Having travelled through five airports in four days, the final airport insisted that I take the camera out of my bag, as it is “standard practise in our country to do this”. Not before or since has it been a practise I have experienced, let alone a standard one.
  • Finally, the multiple security personnel who tell me to leave my shoes on, only to be told as I go through the scanner to take my shoes off and put them on the belt to be x-ray’ed.

It goes without saying that I approach every security checkpoint with a mixture of hope, despair and disdain, and always leave with one of those feelings prevalent. Obviously this is an analogy to our world of infosec, perhaps even a tenuous one, but I do feel it is one worth expressing.

How we guide our organisations to interpret and carry out the policies and regulatory requirements they are beholden to is vital to the attitude and approach the employees will take. Uncertainty breeds many things, in this case doubt and anxiety about how to behave. If a policy is not implemented consistently then how can it be observed consistently? If we are constantly surprising our users then we can’t blame them for feeling jumpy, anxious or unsure, and therefore critical of the service being provided.

Cat-Cucumber-Gif-Gifs-Youtube-Video

Consistency is a very powerful tool to ensure people understand the policies, the purpose and the even the vision of an security organisation. As soon as there is doubt the very purpose of your security organisation is thrown into doubt. For example, why is BYOD allowed for senior execs and not for the rest of the organisation? Or why is a Mobile Device Management solution enforced on some parts of the business and not the other? In both these cases it only encourages the working around of the restrictions that subsequently weaken your security posture.

That is not to say exceptions cannot be made, that is why every policy etc. should have an exceptions statement. After all, expecting a policy to cover all eventualities is simply wishful thinking.

I dare say we all have inconstancies, but it is in all of our interests to drive them out of our organisation wherever possible. Otherwise, you will have people like me wondering what kind of ordeal I am going to have to endure just to get my day job done, and that doesn’t help anyone.

 


Safe Harbor R.I.P.

Open photo-for size2

Safe Harbor has officially fallen from grace, here is a link to the actual ruling:

http://datenschutzpolitik.de/dokumente/ecj-c-362-14.pdf

What this actually means is still not fully clear, but what is clear is that it affects thousands of companies who now find themselves without the added “protection” of its (self certified) legal framework. Thousands of contracts will be invalidated and thousands of companies will be deemed to not have met minimum standards of protection of EU data in the USA.

There is one thing for certain though; with the speed required to address this, there will be one group of people set to profit from this to get the next best thing into place as quickly as possible…

quentynblog_2015-Oct-06

Picture credit – Quentyn Taylor (@quentynblog)


Less is sometimes more; InfoSec’s role in the business

Funny-and-Lazy-Animals-7-300x229I read an excellent article the other day from a LinkedIn reference talking about how laziness can be an effective approach to productivity. It dispelled the myth that “leaning in” when applying yourself to your job isn’t always required to do a good job. There is no need to get up at 04:30hrs to get your morning yoga done before getting to the office at 06:00 and working through the next fourteen hours. it even makes mention of an old Prussian army management matrix that made use of this concept. It reminds me of a Bill Gate’s quote (although it sounds like Steve Jobs!):

I will always choose a lazy person to do a difficult job, because a lazy person will find an easy way to do it

When put like that it sounds right, and yet the concept of using a lazy person seems counterintuitive. Perhaps we should replace lazy with “busy”, or “time poor”, but I think the point is well made nonetheless.

It reminded me of when I wast first put in charge of an information security project to ascertain the organizations level of exposure to personally Identifiable Information (PII). There had been a number of high profile breaches in the media, and the leadership was concerned about how many records we had access to and what we were doing about it. My approach was to work with a very talented team of junior infosec professionals, and we came up with an amazing spreadsheet that tracked every facet of what we thought we might need with, with macros and reporting buttons, lovely color scheme etc. We even tried to make it as friendly as possible as the trick up our sleeve was that we would be asking 95% of the organisation to fill this in themselves (and therefore saving on high labour costs to get this done). The other 5% were the very risky ones we already knew, so they got a personal visit from us to make them feel really special!

After a month of pushing, chasing and cajoling, our completion rate was something like 13%, and we were just a few days away from our deadline. Senior management were not happy, and demanded a full review. The career dissipation light started blinking in my peripheral vision.

We were trying to be far too clever for our own good, far too detailed, we wanted to cross EVERY i and dot EVERY t, whatever the cost to the project and the business. We were detail oriented and were going to get the most accurate report this company had ever seen. Except we didn’t. I was clearly told in no uncertain terms that I had completely misunderstood the business, how busy they were, how finite detail wasn’t what was at stake but getting a good idea of the scale of the problem was, and also to understand that people are generally doing their best to protect the company and were not in the habit of hiding the sort of activities we were doing our best to uncover.

We reduced the 154 question spreadsheet to 10 questions, some of which were voluntary. They were the the most important questions we had to ask, and we subsequently got the data we needed in a little over three weeks for roughly 97% of the organisation (you can’t help some people unfortunately). I managed to keep my job.

Perhaps it is our backgrounds in audit and compliance, but we infosec professionals love our checklists, our questions, our matrices and black and white answers to really drill down to the finite detail. That is not to say that at times they are not important – a good penetration test does need to be detailed and very complete, but that is mainly because the expectation of it being so. It wouldn’t surprise me though if 20% of a pen test uncovers 80% of the vulnerabilities. Vendor security questionnaires, risk assessments, audits, project or team reviews etc., can all potentially be done just as effectively with an element of brevity. Understanding what is important to the business and not to the security function is key here. If infinitesimal detail is important to the business then by all means go for, just ensure that is what the business really is after. most of the time they just need a reasonable picture.

Creating barriers to the successful adoption of security practices by using fifty page reference documents, or encouraging people to work around a security risk because doing the right thing involves sign off from six different gatekeepers is not a recipe for success as it puts the organization in direct opposition to the security function. By making sure that checklists and questionnaires are focussed, relevant and to the point will only encourage people to adopt the security measure that matter because there is clear benefit for a small amount of input.

We have all got better things to do with our time than collate thousands of questions that we have insisted are answered in order to ensure that the ultimate security objectives have been met. In some instances there may be value in that, but in the majority of cases I would wager there is none.

And besides, the rugby/cricket/baseball* match is on this afternoon, so we need to leave early to catch the game.

*Delete as appropriate. Just don’t add football.

 


An open letter to Apple – a change of heart

overcome-regretDear Apple,

I wrote to you back in 2012, deriding your decision to remove the lock lead security hole on your laptops. I may even have been a little rude.

An epiphany of sorts has happened to me at some point over the last few years though, and I think it stemmed from your decision to remove the security hole. Back then, I argued that physical loss of an asset was still bad, even with encryption enabled, because of downtime, replacement costs etc.. It also, I argued, helped to instill a culture of security in people as the physical act of locking their laptop would also remind them of their other security obligations, a constant reminder pif you will.

I was wrong.

The lock lead has been seen as barrier to productivity as our workplaces have changed and our people have become more mobile. People have avoided using them, or evened cursed them because their offices didn’t take the relevant logical step of ensuring there were adequate anchor points to be used. People were moving from one room to another on a regular basis for their meetings, and locking and unlocking their laptop reminded them of how out of touch security was with the realities of daily life.

I even did a back of a napkin calculation; a company with 10,000 laptops would spend (roughly) about $500k USD every three years on lock leads. That same company may experience thefts that could have been prevented by a lock lead that would total less that $10k a year. Financially this no longer makes sense. My inner chimp was scared that laptops would simply be stolen regularly from our offices and if I didn’t do anything about it I would get fired. In fact, decisions like this are costing our companies hundreds of thousands of dollars off the bottom line. So much being a “business enabler”.

So I take it back, all of it, and I want to thank you for setting me on the right path (and saving us all lots of money).

Your sincerely,

Thom “with regret” Langford