An open letter to Apple – a change of heart

1 Comment October 30, 2014 Thom Langford

Dear Apple,

I wrote to you back in 2012, deriding your decision to remove the lock lead security hole on your laptops. I may even have been a little rude.

An epiphany of sorts has happened to me at some point over the last few years though, and I think it stemmed from your decision to remove the security hole. Back then, I argued that physical loss of an asset was still bad, even with encryption enabled, because of downtime, replacement costs etc.. It also, I argued, helped to instill a culture of security in people as the physical act of locking their laptop would also remind them of their other security obligations, a constant reminder pif you will.

I was wrong.

The lock lead has been seen as barrier to productivity as our workplaces have changed and our people have become more mobile. People have avoided using them, or evened cursed them because their offices didn’t take the relevant logical step of ensuring there were adequate anchor points to be used. People were moving from one room to another on a regular basis for their meetings, and locking and unlocking their laptop reminded them of how out of touch security was with the realities of daily life.

I even did a back of a napkin calculation; a company with 10,000 laptops would spend (roughly) about $500k USD every three years on lock leads. That same company may experience thefts that could have been prevented by a lock lead that would total less that $10k a year. Financially this no longer makes sense. My inner chimp was scared that laptops would simply be stolen regularly from our offices and if I didn’t do anything about it I would get fired. In fact, decisions like this are costing our companies hundreds of thousands of dollars off the bottom line. So much being a “business enabler”.

So I take it back, all of it, and I want to thank you for setting me on the right path (and saving us all lots of money).

Your sincerely,

Thom “with regret” Langford

Risk, Rubble and Investment

Leave a comment October 16, 2014 Thom Langford

Originally written and posted October 13th 2014 on the InfoSecurity 2014 Blog (and reiterating a pet core message of mine again!).

Risk is a bad thing. Therefore risk needs to be reduced to rubble, or even better to dust and then swept away under the carpet never to be seen again.

This is the attitude that many of us have, and then pass onto our senior leadership when it comes to information security programs. “Invest £10 million and we will buy technology that will make us safe” we have often said in the past. “My blinky boxes will soon find your risks and reduce them to nothing!”. It should be no surprise for so many of our industry therefore that CISO stands for “Career Is So Over”.

What we often fail to appreciate is that the senior leadership and boards of virtually all organizations understand risk far better than us. They deal with financial, legal, HR and international risk on a regular basis, and know how to take advantage of it to their benefit. Their advisors in the various fields know how to communicate their unit risks in a way that makes sense to business, be it financial, reputational or whatever else makes sense in their industry. The leadership do not require specialist knowledge of these areas because the risk is being translated into terms they understand.

The information security industry however still often talks in terms of “APT’s”, “DLP”, “TLS” and other obscure TLA’s* while trying to explain why more money is needed to “secure all the things”. What is the benefit to the business? What is the real risk in terms everyone can understand? Translating these technical issues and risks into business risks has always been a challenge and has often resulted in information security being perceived as the “expensive part of IT” asking for more money with little positive influence to the business.

If you work in a brewery, the ultimate goal of everyone who works there should be to sell more beer. If you work for Oxfam, the ultimate goal is to get aid to those that need it as quickly, effectively and efficiently as possible. If you work in a publicly listed company, the ultimate goal is to make more money for the shareholders. The role of information security within any organization is not exempt from this; security doesn’t get a special pass because it is, well, security. The role of the information security function is to support the ultimate goal of the organization it operates in.

Understand what your ultimate goal is. Focus your strategy on ensuring you are helping meet that goal. Be willing to compromise in certain areas of security if it helps meet that goal. Ensure you senior leadership understand the risks (in their language, not yours) involved in those compromises. if you don’t get what you want then move onto the next piece of work that supports your ultimate goals (or be prepared to fight harder and more lucidly for your original cause).

If it was that easy you wouldn’t be reading this, but surely it is easier than the ongoing battle for investment that we ultimately never win anyway?

*Three Letter Acronyms (surely you know that?)

Note: Many of you know I was up for the “Personal Contribution to IT Security” Award at the recent Computing Security Awards. I was (un)fortunately Runner Up in this category, but thank you again to all of you who not only may have voted for me but also nominated me in the first place. It was a wonderful evening with good friends from my work and InfoSec life, and a good excuse to dress up in my best party frock. Here’s to next year!

Flushing Risk at 44CON

3 Comments September 15, 2014 Thom Langford

I have just returned from two long days and two long nights of 44CON, the premier conference in London for technical InfoSec professionals (and even a few of us management types). It saw the debut of by “Flushing Away Preconceptions of Risk” presentation, an expansion of the my recent post for the Analogies Project.

The core messages of the presentation are not necessarily pleasant ones; the correct use of risk in any organisation is one of the most powerful tools in an information security programme, and yet it seems to me that very few of us understand it fully. Many of us struggle with not only identifying what the real risks are in the first place, but also how to measure them and even how to properly treat them.

Doing my bit to advertise 44CON

Identifying risks at first seems like an easy think – identify assets, and then identify what could go wrong. I won’t elaborate the analogy much here (read it at the Analogies Project), but given how we regularly fail to identify risky behaviours correctly in our daily lives it should be no surprise we fail to do so professionally. The same bias applies to when we subsequently try and measure the risks; every mechanism we use introduces potential errors and even vagueness. I was quite proud to introduce the Langford/Malik Risk Model (ver 1.0), an approach that I evolved from one that Javvad Malik introduced in his book. Again, it uses an analogy although this time of a pub fight to not only describe levels of risk but also risk appetite. I do hope that not too many of you will find it useful next Friday and Saturday night.

The Langford/Malik Risk Model ver 1.0

Finally the effective treatment of risk was covered, and how we so often simply do what has been done before, not what is going to be effective now. Just because a risk hasn’t been realised doesn’t mean you have treated it effectively, it just means that an incident hasn’t happened (that you know of).

The slides are below, but since my presentation style has evolved more into storytelling rather than bullet point reading, by themselves they may say little to you, but the session was recorded and when it is released I will make it available here. Like any presentation it barely touches the surface of risk management and its issues, but it was intended to be thought provoking and prompt people to not assume that just because they have always done things in a certain way that it is the best or even correct way.

This slideshow requires JavaScript.

As for 44CON itself, well, any conference that has a “gin o’clock” on each day has to be pretty good in my books! It was a very well organised conference, with an excellent and highly motivated Crew to help support it. SpeakerOps were particularly good providing a personal touch I have not seen at any other conference. The quality of the talks and the speakers was also excellent, but as I alluded to in my introduction, many of them were technically beyond me!

The highlight for me however was a workshop I attended demonstrating the beta version of the Cyber CPR product. This is a virtual machine (that can also be deployed on ultra portable hardware if need be) that builds and entire incident management environment allowing for the discovery, gathering and analysis of evidence during an incident. It build a virtual “war room” environment, where multiple incidents can be tracked at once, in a secure and separate environment from the one that has actually just been breached. With tools built into the backend and access via a browser it even does away to have many of the tools on your own environment, making it great for remote and ad hoc use alike.

The product is in Beta at the moment, and does lack a few features, (they described it as not ready for active duty), but what i saw was very polished and useful even in it’s beta configuration. Commercially it will be available for free with up to three users, and only $5k GBP for up to twenty (please don’t quote me on these figures though). I would strongly recommend you take a look at this excellent environment that for very little outlay will significantly improve many current incident response teams, and their over use of Excel. The team expects it to be commercially ready by Spring next year.

Obligatory selfie with Jonathon Schiefer

The final highlight was to be able to meet Jonathon Schiefer the director of the film Algorithm which had its European debut at 44CON on Wednesday night. It was fascinating to hear about the backstory of the film, his challenges and even how he made the film financially and technically. He was an absolute pleasure to chat with, and I thoroughly regretted my decision to have a curry instead of watching the film. At a stretch you could say we are kindred spirits when it comes to our film making, but he is without a doubt in an entirely different league to me!

44CON will be back next year, but we were also enticed with the news of another 44CON spring conference being planned as well. I would strongly recommend anyone who can get to London to attend both of these conferences. Congratulations to Adrian and Steve and the many people in the crew for putting on a fabulous conference.

Woof Woof, Bark Bark (or how to not support security in your organization).

1 Comment August 18, 2014 Thom Langford

I recieved the email below from a colleague at work. At first glance it is funny, the chief security officer being represented by a dog… Hilarious! Of course security is just about being able to bark at people and occasionally bite them. This role isn’t about corporate responsibility or even enterprise risk management, it is about wagging your tail and barking at people and getting them to do things because you have barked it so.

I’m having second thoughts about my growth plan if this is where it leads to.

If I am honest, I am guilty of this too. I have often described myself as an “overpaid security guard” to people who haven’t a clue about information security, and they nod knowingly at me, thinking they understand InfoSec policy, enterprise risk and even DLP.

The above example of belittling the security function of an organisation has steeled me into action; if I can’t explain the role of a CISO/CSO to my Mother, then I need to re-evaluate what it is I am doing and the impact it has on the business. It also annoys me that the role of CISO is so easily belittled. I don’t think I have ever seen a CFO role boiled down to an image of a coffee bean, or even the CIO image reduced to a mouse or keyboard. What makes this worse is that this product offers “the highest security for your files in the cloud” and yet this is how seriously they take security.

A fundamental part of this is down to us as CISO’s and security people to ensure we don’t belittle ourselves to ingratiate ourselves. It is extremely difficult for us to ensure we are valued and respected in our organisations as it is, and sometimes the somewhat subservient/comedic route feels easiest. This is not the best way; it is the longest and hardest route to acceptance and understanding because the role is by it’s nature seen as a frivolity and a hilarious side act.

(We should note however that there is a place for humour in security, and if used correctly it is extremely effective. The point I am making above is that security as a serious subject should not be presented as a humourous aside.)

I recall a situation where I noticed someone working at a hot desk who had no visible identification. I asked around if anyone knew who the individual was, and nobody did. As I approached the individual I was met with a chorus of “get him Thom” and “tackle him mate!” etc. with much hilarity ensuing. None of it was meant meanly of course, but it was synonymous with the simplistic attitude of security. If any of the people who had spoken those words had any real idea of the security implications of having someone in their office without any idea of who they are, then their response may have been a bit more serious. The best part is of course that I had plainly failed in my security education and awareness with this group of people.

We are not guard dogs. We are not security guards (although they are an important part of the security function). We are not bouncers. We are not doing security for theatrical effect.

We are here to protect your revenue, your reputation and your bonus payouts. We are here to ensure we maintain good relationships with our clients, and allow our organisations to take on greater risk and therefore reap greater reward. We are here to help inform the business of security risk and advise as required.

What’s so funny in that?

Note: I have been extremely quiet on here these last few months; my role has changed dramatically at work requiring more travel and less time for the frivolous acts of blogging. Combine that with a busy schedule with Host Unknown and my other info sec commitments I have neglected this blog site somewhat. Hopefully this post sees me back in the saddle again, and you can always catch up with me on Twitter. Oh, and the holiday was good too!

Not All Risks Are Bad (even the bad ones…)

1 Comment April 9, 2014 Thom Langford

The very term ‘risk” often makes people feel uncomfortable, with connotations of bad things happening and that if risk is not minimized or removed then life (or business) becomes too dangerous to continue.

Crossing the road is risky, especially if you live in a busy city, and yet people, young and old alike, do it every day. In fact it is riskier than flying and yet I would argue that there are more people afraid of flying that of crossing the road. Hugh Thompson of RSA put it very well in his 2011 RSA Conference Europe presentation when he raised the issue of “Sharkmageddon”; more people are killed every year sitting on the beach by falling coconuts than those by sharks, but there is an almost universal fear of sharks. We irrationally consider swimming in the sea safer (less risky?) than sitting under a coconut tree.

Risk is an inherent part of our lives, and if we let the realities of risk take control of our business decisions we become the corporate version of an agoraphobic; staying in the safe confines of the environment we know and not ever venturing out to be active in the outside world; ultimately we wither and fail be it as individuals or as a business.
In my experience, one of the most misunderstood approaches to treating a risk is to accept or manage it. Most people are comfortable with mitigating, transferring or avoiding a risk as they involve some kind of act to deal with them, something we are all familiar with. We fix a problem, give the problem to someone else or stop doing the thing that causes us the problem in the first place. However, it often feels wrong to simply accept a risk, in essence to do nothing. Although this is not strictly the case, it is essentially how we feel we are dealing with it. You are accepting that there is either nothing you can do, or nothing you are willing to do to reduce the risk. However, you are not blindly accepting it at face value; rather you are being cognisant of the risk as you continue your operational activities. You know it is there as you carry on your day job. These activities and the very environment you are operating in can change without notice, and make the decision to accept a risk now the wrong course of action.

For instance, it may now be cheaper to fix the risk than it was going to cost you, or the highly lucrative contract that made the risk acceptable is now over and there is a greater risk of financial lost that costs more than the revenue you are bringing in. The reasons for change are often financial, although not always. Your risk appetite may also have reduced or the industry you are operating in becomes more regulated; all of these example mean your decision to accept needs to be reviewed.

All risk decisions need to be reviewed regularly, for exactly the reasons given above, but in my opinion it is risk acceptance decisions that should be reviewed more often, as they are the ones that are made as a result of more transient and changing factors, and are the ones that will potentially harm the organisation the greatest.

It’s a bit like keeping a tiger as a pet – it looks awesome and maybe even draws admiring glances from many, but if you forget you locked it into your bathroom overnight you are going to have a very big surprise when you get up to go to the toilet in the middle of the night. You can’t accept risks without truly understanding them in the first place.