Risk Appetite – managing feast and famine

I was able to attend the RANT forum a few nights ago, and watch an excellent presentation by Sarb Sembhi. However, and this is no insult to the speakers at the RANT forums (being one myself), the most valuable part of the evening is the socialising with colleagues and peers before and after.

I was talking to a couple of people who were recounting the challenges they face with their leadership regarding their risk management activities. I paraphrase greatly, but the gist of the issue was:

Highlighting risks to them is all well and good, but then suddenly they tell us that another activity needs to be escalated up the risk matrix, or that there is a hot topic that they want pushed to the top of the risks list so it gets more attention. How are we supposed to manage a risk programme with any credibility when risks get artificially prioritised or de-prioritised according to the mood of management?

We came to the conclusion that the risk appetite of the management team in question was a very flexible and fluid thing that changed quite frequently, and seemed entirely disconnected from the risk management activities being carried out.

This is a complex issue, and not one that can be solved in a single blog post, but there are a few guidelines and concepts that may be pertinent to heading off this kind of behaviour.

  1. Listen to them. On the whole an organisation's management knows better than you which activities and changes will affect the business. If they are highlighting something it is not to mess you around but because they are genuinely concerned about it. Look at your risk programme; does it squarely address the risks they are highlighting? Are they new risks, old risks, or poorly understood risks? Perhaps you have already found them and they need to be reviewed under the new light cast on them by management.
  2. Educate them. How much does your management team actually understand about the risk work you are doing? Do they really know what the scope of your remit is, how you go about finding risks, and more importantly how you measure them? ISO 27005 is often described as an arbitrary way of measuring risk, but it does a good job of explaining how you can approach and understand it. If you use that standard in your programme, make sure they understand how you measure risks, and get their buy-in to the approach. This way, when you disagree with their analysis of a “new” risk you can explain in agreed terms why.
  3. Use your governance structure. Your management team should only be looking at risks that are escalated to them, that is to say residual risks that are still considered as “high” (or whatever parlance you use). Every other risk below that should be managed and dealt with by the governance structure in place. Certain lower risks can be mitigated (managed, avoided or transferred) by people closer to that risk; a developer could change a portion of code, a project manager could remove or add contractors or a team member could go through more awareness training. Changing the course of a project or increasing the staffing costs by 50% is beyond their remit and they are therefore not able (or authorised) to treat those risks effectively; these risks get passed up your governance chain until they reach a point at which they can be dealt with. At the very top I would estimate they should be seeing no more than 0.1% of total risks escalated to them. Any more and it may be that the structure underneath is not doing its job.
  4. Understand their appetite. One of the standard ISO 27005 risk acceptance approaches provides a matrix for what is acceptable and what isn’t. It is provided as an example only, and should not be used out of the box without considering the risk appetite of your organisation. If you are a risk averse organisation, the yellow and red bands move down to the lower left, meaning more “red” risks will need to be addressed. A risk taking organisation will move the green and yellow bands up, ensuring fewer “red” risks will need to be addressed. The risk profile of an organisation is something that is rarely understood by those that measure risk, and therein lies the problem. Only if the risk profile is drawn up, understood (including the approach to measuring the risks in the first place) and signed off can risks be identified, “measured” and addressed in a way that meets the organisation's business objectives.
  5. Accept that the appetite changes. If you review your risks annually (as a bare minimum) that is also a cue to review the risk appetite. If incidents throughout the year affect the business for good or bad, that is a cue to review the risk appetite. If the organisation's management suddenly think something is a big risk and needs to be addressed, that is a cue to review the risk appetite. And when I say review, I mean with the management, and not just in isolation.
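To make points 3 and 4 concrete, here is an added illustration (not from the original post, and not ISO 27005's own example matrix): the same residual-risk register banded under three assumed appetites, where the appetite is simply the pair of thresholds that separate green, yellow and red on a 5x5 likelihood/impact grid, and only the red residual risks are escalated up the governance chain.

```python
# Illustrative likelihood x impact banding with an adjustable risk appetite.
# Assumed scoring model (an assumption for this example, not ISO 27005's
# matrix): score = likelihood * impact, each on a 1..5 scale.
from dataclasses import dataclass


@dataclass(frozen=True)
class Appetite:
    name: str
    yellow_from: int  # lowest score that is no longer green
    red_from: int     # lowest score that is red (must be escalated)


# Moving the bands toward the lower left (risk averse) lowers both
# thresholds; moving them up (risk taking) raises them. Values are assumed.
RISK_AVERSE = Appetite("averse", yellow_from=4, red_from=9)
BALANCED = Appetite("balanced", yellow_from=6, red_from=15)
RISK_TAKING = Appetite("taking", yellow_from=10, red_from=20)


def band(likelihood: int, impact: int, appetite: Appetite) -> str:
    """Return 'green', 'yellow' or 'red' for a 1..5 likelihood and impact."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    score = likelihood * impact
    if score >= appetite.red_from:
        return "red"
    if score >= appetite.yellow_from:
        return "yellow"
    return "green"


# Constructed residual-risk register: (id, likelihood, impact) after treatment.
REGISTER = [
    ("R1 unpatched web server", 4, 4),
    ("R2 contractor laptop left unattended", 3, 3),
    ("R3 shared admin account", 2, 5),
    ("R4 stale DNS record", 1, 2),
]


def escalated(register, appetite: Appetite) -> list:
    """Only residual risks banded red are passed up to the management team."""
    return [rid for rid, lik, imp in register if band(lik, imp, appetite) == "red"]


def band_counts(register, appetite: Appetite) -> dict:
    """How the whole register falls into the bands under a given appetite."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for _, lik, imp in register:
        counts[band(lik, imp, appetite)] += 1
    return counts
```

Under the averse appetite three of the four constructed risks reach the management team; under the risk taking appetite none do, which is exactly why the thresholds have to be agreed with management before the register is measured.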


There… simple! Well, not at all when you face these challenges every day, but if you can start that dialogue with your management and start to understand the business as they understand it you will be a long way towards heading off the “the sky is falling, fix it now!” response to risks.


Why I am an Analogies Project contributor

That devilishly handsome bloke you see to the right is Bruce Hallas. I went to school with him nearly 25 years ago, and then last summer, at the first old boys' school reunion that our year had organised since leaving, I met him again, and it turns out we are in the same infosec business. I spoke to him about all of the good work I am doing, the company I work for, the many countries I have visited and generally tried to make myself feel more important than the skinny eighteen year old I was when I last saw him. He told me that he runs his own infosec consultancy, his own blog, works with the UK government, and was in the process of setting up “a project” as a freely available, self-funding resource of analogies/stories to help people better understand information security. (Bruce immediately won the “my life is awesome since leaving school” competition of course.)

Since that time, The Analogies Project has grown from one man, an idea and a website to something producing real, quality content, and with a very promising and bright future.

In the words of the Project itself:

The Analogies Project has a clear mission. To tackle the unintelligibility of information security head on and secure the engagement of a much broader audience. Its aim is to bridge the chasm between the users, stakeholders and beneficiaries of information security and those responsible for delivering it.

Through a series of innovative initiatives the Analogies Project will enable information security professionals to effectively communicate with their chosen audiences. The content will be delivered through a variety of alternative communication techniques, media and partners.

The part of this project that I like the most is that it is essentially a community project. Bruce isn’t charging money for membership to the analogies as they are written (and they are coming thick and fast now!), and none of the contributors are charging for their work either. There are not only the web contributions in the form of a library, but a book planned, a conference, and even an opera! With the momentum currently behind the project there is every reason to believe in its future success.

So why am I contributing? Honestly, I have selfish and philanthropic reasons to do so. Obviously it gets my name out there, allows me to practise my writing, test some ideas and also say “I was there from the start”. All that aside though, I have frequently struggled in my day job to get infosec concepts across to people, either directly, in meetings or even in awareness training. To have had a resource like this available to me five years ago would have made my life so much easier, allowed me to advance the infosec “cause” more effectively and given me a set of tools I knew were consistent with the prevailing thoughts of industry commentators. Having a centralised, peer validated toolkit available is fundamental to us as professionals when it comes to the messaging we give to our users, clients, bosses, teams and even the infosec community as a whole.

It’s still early days, but I submitted my first contribution just last week (soon to be published I hope) and I am already inspired enough to be working on my second and third. There are a number of analogies already in place, and I would urge you to read them and consider them in the context of your current communications to your audiences, whomever they may be. The book will be another important milestone and one I hope to play a part in; indeed I hope to be able to play a part in the project for the foreseeable future, which is why I am happy and proud to display my “contributor” badge up on the top right of this site.


If you feel you have something to contribute, then head over to The Analogies Project and let Bruce and the organisers know. If you don’t feel ready to, then certainly check it out anyway. You won’t regret it.


Why the Feds will still be attending DefCon

This is not the type of post you normally get from me but I felt compelled to jump out of my comfort zone given the amount of coverage that DefCon is getting as a result of banning “Feds” from attending DefCon 21 this year.

My personal opinion on this is somewhat irrelevant given DefCon is not the type of conference I attend given the core topics covered are not my day job. For what it is worth however I am a staunch believer in having as open and transparent a dialogue between two opposing viewpoints as possible, and therefore feel this is an odd and somewhat self defeating decision.

But perhaps more importantly I feel there is something of a naiveté surrounding the fact that 1) people think the message will be taken seriously by the Feds, and 2) that the Feds have not successfully been undercover there anyway.

I know that the “Spot the Fed” fun that occurs every year is seen as proof that the general community of attendees is able to spot the government moles that attend. I find this preposterous though! Whatever department of “Fed” it is that attends, be it the NSA, FBI, CIA or other TLA agency, I think it is germane to appreciate that these are a group of people who successfully infiltrate organisations far more dangerous than DefCon, and for far longer periods. Undercover operations are taken extremely seriously, require extraordinary amounts of character and commitment, and are not easily undermined. I am sure someone with the power of Google will be able to find the odd example of undercover operations that have gone awry, but to my mind, there are likely to be more Feds at DefCon than anyone would think, and there have been for years.

I am not going to go into what the motives for doing this are; that is for people far more politically minded than me. I would however suggest that this year's Spot the Fed competition will be a dud, not because they aren’t there, but because the Feds who attend in plain sight won’t be attending. Who will you be sitting next to at DefCon this year, and how much about them do you really know?


And they say security awareness training is working?

Having been involved in the security awareness debate quite a lot recently I have no desire to bang this drum even further, especially as on the whole I support the concept of security awareness training. However I am constantly having my faith in the training rocked just from observing people’s day to day activities.

I found myself in one of the lounges in Delhi airport at around midnight last night. In a period of less than thirty minutes I found two laptops and an iPad logged in and unattended in plain view. Now, I really do understand that people may consider these kinds of environments as ‘safe’ and will therefore let their guard down. What I fear however is that they have blatantly disregarded their security awareness training and policies, which will no doubt explicitly state that it is unacceptable to leave mobile devices unattended and unsecured in any environment, possibly including the workplace. Without wishing to become an amateur sociologist I would imagine these are educated, intelligent people because:

  1. They are able to afford expensive looking laptops or have been issued an expensive looking laptop
  2. They are flying business class (or similar) and are therefore likely to be working for a company that can afford to pay for this level of comfort (a decreasing number in my experience)

If they are so intelligent and educated, why are they ignoring their training? Why are they putting their company and client data at risk in such a blatant way? It is my belief that the training provided has not effectively put across the reasons and incentives for securing mobile devices in the outside world.

Now you see it…

Can you see it?

The third offending item was another laptop, but as I was furtively aligning myself to take a picture the owner returned from the toilet. It was left in very similar circumstances in a high traffic area.

Given the number of laptops I have seen left in Starbucks and other cafes (and indeed have blogged about elsewhere here) I am seriously considering starting a gallery to showcase these examples and perhaps start using them as a litmus test of the effectiveness of any company’s security awareness programme. Until these cases become exceedingly rare, to my mind the existing programmes are simply not working as they were intended, and until they do, behaviour such as this which smacks of convenience and possibly a little laziness will continue to put data at risk.


The ISSA-UK and why I like them

I have always had a soft spot for the ISSA-UK; ISACA and (ISC)2 are all very well (and have a slightly different value offering what with their examinations and credentials), so the ISSA have sometimes in my opinion been compared alongside them somewhat unfairly. I like them for a number of reasons:

  1. Great value for money – at less than £100 per year and with a considerably higher number of events per year (at least in London) than (ISC)2 and ISACA, that’s a lot of potential CPEs.
  2. Quality of speakers; I am biased (having now become an ISSA-UK speaker), but I have always been impressed with the quality of speakers. The highlight for me of the last 12 months for instance was Bill Hagestad when he spoke about the Chinese cyber threat.
  3. Awesome people and networking; I am constantly meeting great people and having great conversations with them, infosec related and otherwise. Just tonight I made tentative arrangements to do a talk alongside someone else, discussed a high profile speaker's apparent downfall (always useful for the future when the inevitable happens to oneself) and “connected” with a number of highly intelligent and rightly opinionated people.

Overall I think of them as having the least of an agenda, with no exams to sell or certification fees to maintain, and this is what puts them at the top of my list.

Telling it like it is apparently

Last night's talks were very similar to the Bristol one of a few weeks ago in that Richard Hollis presented on Deep Threat – Top 10 Lessons to Learn from the Online Adult Entertainment Industry, and I did my UFO’s, Dirty Dancing and Exploding Helicopters, a Hollywood guide to risk management presentation again. The final presentation was by Adrian Wright, ISSA-UK VP of Projects, on Securing The ‘Internet of Things’ – Implications and Key Questions.

I have to apologise to Adrian as I overran on my presentation, putting the pressure on him to be as succinct as possible. Running over time is rightfully seen as something of a cardinal sin for a presenter, but in my mitigation it was because the level of interaction from the audience was just brilliant, and we got a good number of opinions across all of the topics put forward.

I have commented on Richard’s excellent presentation from when he gave it in Bristol, but Adrian’s I had not seen before. It was utterly fascinating and presented (as expected) very well by Adrian. What struck me the most was that the adoption of new technology is just increasing in speed over time almost exponentially. What this means for the internet of things is that before we know it, literally in the next few years, we will see a massive shift in how we consume food, control our homes and even park our cars. Only time will tell, but in this case, not a lot of time.

A great evening as usual and my thanks go to Gabe Chomic (@infoseccrow) for the invitation.

The presentation from the night is here in PDF and native Keynote, and as always if anyone would like to continue the conversation with me you know the usual channels!