Too Much of a Good Thing

The one thing the current lockdown has taught me is that you really can eat too much chocolate… who knew?

Left to my own devices and without the distraction of a routine, regular work and people observing my unhealthy eating habits, my faulty brain tells me that more chocolate can only be a good thing and that I should continue to eat it until physical discomfort forces me to stop (in spite of my brain’s protestations.). It is an obsessive and compulsive behaviour that I recognise in myself, and do my best to contain, but it is a constant struggle arguing with myself that chocolate is not the most important thing in my life.

The same could be said to be true of many security professionals and their desire to roll out security practises to their organisations, implementing new procedures, standards, policies and ways of working that are designed to make the organisation very secure. They do this despite the protestations of the organisation itself telling them they have had enough, the new ways of working are too restrictive, difficult to follow and ultimately leave them with a security stomach ache.

This weeks Lost CISO episode talks about when too much security, like chocolate, is a bad thing.

This compulsion to think that security is the most important part of a business’ life is one that leads to users having security headaches all day and the business itself feeling slovenly, bloated and sluggish. (OK, that’s enough of the analogies.)

It is ultimately self-defeating, as users will do their best to work around draconian working practices, and the perception of a security organisation will be one of business prevention than vital service. I, and many others, have spoken about not being the department of “no”, but it goes well beyond just saying “yes”.

Agreeing to everything without thought of the consequences is potentially even more dangerous than saying no, especially in the short term. The vital distinction that needs to be made is that of a two way conversation between security and the end users and business. Finding out what is trying to be achieved is far more valuable than just focusing on what is being asked. Requests can be addressed in many different ways, not just by punching a whole in the firewall or switching off 2FA on the VPN, for instance.

In fact, this very conversation helps create even stronger relationships as it highlights two things:

  1. How seriously you take their request.
  2. How much you care about the organisation you both work for.

A great example of this in the above video is that of companies relaxing their security stance during the remote working ramp up of the lockdown. If the response was simply “no”, or even a straight “yes” with no consequences there would have been issues sooner or later. Working with the business, relaxing the standards for the initial growth and then methodically scaling and tightening the security once the initial growth is over is absolutely the right way to go.

So next time you feel yourself reaching for the chocolate wanting to say “no”, think beyond the the immediate consequences and how you can use security for the long term betterment of your organisation rather than your simple security stats.

And one bar of chocolate/security is always enough for everyone, right?

Do you need two re-align your security team to your business and don’t know where to start? (TL)2 Security has a proven track record helping security leaders and teams creat strtaegies and business plans that make real, competitive, differences to organisations. Contact (TL)2 to find out more.


Busy Doing Nothing?

When you are faced with managing third-party risks, it can feel like a Sisyphean task at best. Even a small organisation is going to have  20+ third parties and vendors to deal with, and by the nature of a small business, absolutely not a full-time person to carry them out. As an organisation grows, at the other end of the extreme there will be many thousands of vendors and third parties in different countries and jurisdictions; even a large team is going to struggle to deal with that volume of work.

In The Lost CISO this week I talk about how to manage a third-party risk management programme from the perspective its sheer volume of work.

The key to dealing with this volume is, of course, to take a risk-based approach, and consciously decide to do nothing about a large proportion of them. It sounds counter-intuitive, but then a risk-based approach to anything can seem counter-intuitive. (Why would you “accept” a high-level risk for goodness sake?!) In this case, you would quite literally be putting some effort into deciding what not to do:

We’re busy doing nothing.

Working the whole day through.

Trying to find lots of things not to do.

Busy Doing Nothing, written by Jimmy Heausen-Van & Johnny Burke

This means your best approach is to filter who you absolutely must assess, who you should assess, and who can be reasonably ignored. In theory, the last group will be the majority of your third parties. How you filter is of course down to what is important to your organisation, industry, clients, the data you hold, the physical location of your environment (office or hosted) and any other criteria you can consider. Ultimately, it is what is important to your organisation, not what is important to you as a security person. Why? Because if security has the final say, there is a potential for a conflict of interest and the limiting of the organisation to operate effectively and efficiently. Here is a sample list of criteria you can sort your third parties by:

  1. Do they have access to our client’s (or our client’s customers) confidential/sensitive data?
  2. Do they have access to our confidential/sensitive data?
  3. Do they have data access to our IT infrastructure?
  4. Do they have physical access to our premises?
  5. Is our organisation reliant on their services being available at all times?

Inside each of these selected criteria, you may wish to refine further; in answer to the question, think “yes, but…” and you may find a particular vendor does not make your list as a result.

Congratulations! You have now hopefully reduced your third-parties needing to be assessed by hopefully about 80%. If that is not the case, go back to the beginning and validate your criteria, perhaps with business leadership themselves, or (ironically) a trusted third-party.

This may well still leave a formidable list to get through, so there are some more tricks you can use.

When assessing some of the larger third-parties (think Apple, Google, Microsoft etc.), you may wish to accept their certifications on face value. The chances of getting a face to face meeting and tour of the facility, whilst not impossible, are remote, and very much dependent upon how much you spend with them. The more reputable vendors will be transparent with their certifications, findings and general security programmes anyway.

You can then use this filter again with the slightly less well-known vendors but include a handful of questions (no more than fifteen) that you would like answered outside of certifications.

The smallest vendors with the least formal certification and publicly available can be presented with a more detailed set of “traditional” third-party risk questions. Make sure they are relevant, and certainly no more than 100 in total. You are better off getting a good idea of most of the vendor environments from a returned questionnaire than you are a perfect idea of a handful of environments from a barely returned questionnaire. The idea here is to get a consistent, medium level view across the board in order to spot trends and allocate your resources effectively.

Still overwhelmed with sheer volume? If this is the case, look to a three-year cycle rather than an annual cycle. You can reduce the workload by up to two-thirds this way, but you may wish to consider that some vendors are simply too crucial to have on this kind of cycle.

So all that is left is to ensure all of this is carefully monitored, tracked and managed. For instance, what are you going to do with a vendor that doesn’t meet your standards?

And that, my friends, is for another blog.

(You can download a sample third-party security questionnaire from the (TL)2 security Downloads area. There will be more templates arriving soon that you can download and use for yourself, or you may wish to contact (TL)2 if you would like some help and support in creating a third-party risk programme.)

 

 


A Lot of Talking…

One month in and (TL)2 Security seems to be attracting a fair amount of interest which is very heartening. What I am not used to however is projects just disappearing. In my old day job, if i decided to pursue a project we got onto it and did it until it was finished or I decided to abandon it. In my new world that decision is not up to me and so a number of leads have, as is the normal course of things, just gone cold on me.

It is, to say the least, very disconcerting, and I have a new found respect for salespeople as a result. Who knew I would be uttering those words today?

That said, I am also keeping busy preparing for two big speaking engagements coming up:

One Identity UNITE Conference, April 1 – 4 2019

This is a new conference for me, and one where I am doing the closing Keynote of the main conference on Wednesday 3rd April.

A closing keynote is an interesting one to do, and I discussed this with the organisers in a preparation call; the delegates will be tired and need buoying up , the message needs too be uplifting and inspiring, and does not need to be technical or even a core message from the conference.

To that end I will be talking about trust, why it is important, how we lose it and what to do when that happens. Trust is key in IAM, not least because it is a fundamental tenet of uniquely identifying someone under the auspices of the authorising them to a system. But it also matters as we continue to gather more and more details about people in order too ascertain their identity in the first place. I opened a business bank account recently and had to take a photo of my passport to be uploaded in order to be correctly identified. I have to trust that that bank will not lose my passport details or sell them on, and if they do, what are they going to do about it?

Wednesday 3rd April: Won’t Somebody Think of the Users? – Auditorium

I am looking forward to the conference, and while it is driven by a vendor for its users the agenda looks to be very engaging across the board. Any vendor that avoids selling directly during events like this is always OK in my books!

card_57bae26a3ac5378b4433ffaf300bdf12

European identity & Cloud Conference, May 14 – 17 2019

I have worked with Kuppinger Cole at this conference (and a couple of their other ones) since 2014; they put on a fantastic show with great talks, and a wide range of workshops and topics. The setup is very professional, and the staging and production vales are very high. As a speaker it is an absolute pleasure as everything is taken care of, your requests are taken seriously and they do their best to make the environment as easy as possible to work in.

In my experience, most conference organisers will focus mostly on the attendees; after all they are the ones that are playing to attend. Speakers are often bundled around, ignored until five minutes before we are required, told we have to use their Windows XP laptop with Powerpoint 2011 on it, and then quickly forgotten about.

Not so Kuppinger Cole. Given I have spoken at their conferences some five times, and enjoyed every part of it means not only do they like what I do, but I also like what they do. To be fair, they also like to get the value for money out of me so I am going to be presenting one keynote and then involved in two other talks:

Tuesday 1§4th May: Facing the Post-GDPR Reality – Auditorium

Wednesday 15th May: How Traditional IAM Will Change Within the next 5 Years – ALPSEE

Wednesday 15th May: Panel: Anonymisation and Pseudonymisation – What Is It and Why Does It Matter? – AMMERSEE I

What I also like about working with Kuppinger Cole is that these are the titles they gave me. I could change them if I really wanted, but as they stand they challenge me to create interesting content and take it in a direction i may not have originally though of.

Ultimately, what I am saying is come and see my talks as i will be delivering with a smile and from a good place (not just the stage), and in fact every speaker will be doing the same. Come and see the difference a happy speaker makes at a fabulous conference!

 

 


Ground Control to Major Thom

I recently finished a book called “Into the Black” by Roland White, charting the birth of the space shuttle from the beginnings of the space race through to it’s untimely retirement. It is a fascinating account of why “space is hard” and exemplifies the need for compromise and balance of risks in even the harshest of environments.

Having seen two shuttles first hand in the last nine months (the Enterprise on USS Intrepid in New York and the Atlanta at Kennedy Space Centre), it boggles my mind that something so big could get into space and back again, to be reused. Facts like the exhaust from each of the three main engines on the shuttle burn hotter than the melting temperature of the metal the engine ‘bells’ are made of (they ingeniously pipe supercooled fuel down the outside of the bells to not only act as an afterburner of sorts but also cool the bells themselves) go to show the kind of engineering challenges that needed to be overcome.

There was one incident however that really struck me regarding the relationship between the crew onboard and the crew on the ground. On the Shuttle’s maiden flight into space, STS-1 also known as Columbia carried out 37 orbits of the earth with two crew on board, mission commander John W. Young and pilot Robert L. Crippen. Once orbit was achieved an inspection of the critical heat tiles on the underside of the shuttle showed some potential damage. If the damage was too extensive the return to earth would (as later events in the Shuttle’s history proved) be fatal.

The crew however were tasked with a variety of other activities, including fixing problems onboard they could address. They left the task of assessing and calculating the damage to those on the ground who were better equipped and experienced to deal with the situation. This they duly did and as we know Columbia landed safely just over two days later.

It struck me that this reflects well the way information Security professionals should treat the individuals we are tasked with supporting. There is much that individuals can do to help of course, and that is why training and awareness efforts are so important, but too often it is the case that “we would be secure if it wasn’t for the dumb users”. The sole purpose of the Columbia ground crew was to support and ensure the safe return of those on board STS-1 so that they could get on with their jobs in space. Ours is the same.

Just because te crew had extensive training to deal with issues as they arose, the best use of their time was to focus on the job in hand and let ground crew worry about other problems. The people we support should also be trained to deal with security issues, but sometimes they really need to just get on with the deliverables at hand and let us deal with the security issue. They might be trained and capable, but we need to identify when the best course of action is to deal with their security issues for them, freeing them to do their work.

Never forget that we support our organisations/businesses to do their jobs. We provide tools to allow them to be more effective in their end goals but it is still our responsibility to do the heavy lifting when the time comes. Except in very rare cases we are there because of them, not in spite of them.

(Photo courtesy of William Lau @lausecurity)


Security is Not, and Should not be Treated as, a Special Flower

My normal Wednesday lunch yesterday was rudely interrupted by my adequate friend and reasonable security advocate Javvad calling me to ask my opinion on something. This in itself was surprising enough, but the fact that I immediately gave a strong and impassioned response told me this might be something I needed to explore further…

The UK Parliament in this report have recommended that CEO salaries should be defined by their attitude and effectiveness of their cybersecurity. I am not one normally for histrionics when it comes to government reports, partly because they are often impenetrable and not directed at me or my lifestyle, but I will make an exception in this case. I think this attitude is quite simply short sighted and a knee jerk reaction to a very public breach that was admittedly caused by a lackadaisical attitude to security.

I have argued for a long time that the security function is not a “special flower” in the business, and that by supporting that case security becomes an inhibitor of the business, restricting it from taking the kind of risks that are vital to a growing and agile business. The only way I would agree to this demand would be if the CEO’s compensation was directly related to financial performance, staff attrition, number of court cases levelled and number of fires or false alarms in its premises, and have that all supported by a change in the law. If that happened, there would suddenly be a dearth of well paid, well motivated CEO’s in the country.

By calling security out individually means the security function will all to easily slip back into old behaviours of saying NO! to every request, only this time the reason given is not just “it’s not secure”, but also “Bob’s pay depends on it”.

This can only work if every other function of the CEO was also covered by similar laws as I said above. Sure, there are basic behaviour laws around financial, people, legal, facilities etc. such that a company can’t be embezzled, people can’t be exploited or put into danger etc.. But this recommendations makes security far to primary a concern. It also doesn’t even take into account the fact that determined hackers will get in anyway in many cases, or that data can easily be stolen through softer, social engineering techniques. Zero day exploit, never before seen? Sorry Mr CEO, you need to take a pay cut for not having a cyber crystal ball and defending against it. Determined nation state attacks? Tough luck you only have a cyber budget a fraction the size of the attackers, back to reduced pay.

I get that many folks are angry with the level of CEO pay and reward in the workplace these days. In the case of Talk Talk I find it astounding that Dame Dido Harding has been awarded £2.8 million GBP in pay and shares after what has to be an absolutely disastrous year fro Talk Talk. That said, I also don’t know the details of her contract and the performance related aspects of it; maybe she hit all of her targets, and cyber risk was not one of them.

This is where we need to address this; not in law and regulation, but in cyber savvy contracts and performance metrics within the workplace and enforced by the Board. No emphasis on cybersecurity, but a balanced view across the entire business.

No single part of a business is the special flower, we all have an equal and unique beauty and contribution to make.