Price versus Value; Why it is Important in Information Security

Running my own business now means I have to work out how much I am going to charge for my services, and if the market (or client) is going to be willing to pay me that price. It makes for an interesting internal dialogue, especially as I have always been told to not sell myself short or underestimate the skills I have and the value they bring to a client.

I recently lost out on some work because the client decided to go with somebody established rather than a new company like me. To be fair to them they had paid me well for five days’ consultancy to help them work out what they wanted, and they were very pleased with what was delivered so I honestly thought they would choose me. Hubris at its best I suppose.

I suspect that by going with a larger, established company they may well be paying less than I quoted for (it was assistance with ISO27001 certification by the way). The established company would have a larger range of resources, some certainly more junior than me and the people I was going to subcontract with, a tried and tested approach they have used hundreds of times before, and larger resources to back them up throughout the process. The client will certainly become compliant and obtain the certification.

Now, I am not going to denigrate the work this competition do, but I imagine they would be very task oriented, focussed on getting the certification for their client, and ensuring they come back year after year for more support. Then they will be onto the next job and doing the same thing again in short order. I have been a part of this process myself in my old consulting days.

So what value would someone like me bring then, especially if the end goal is the same, i.e. certification? Put simply, I strongly believe in the differing cultures of one company to the next, and the fact that what is left at the end of the certification needs to be reflective of that culture and able to be adopted for the long term. That means policies, procedures, communications and the overarching ethos of the programme must be in harmony with the client’s vision and goals. That is very hard to do with a boilerplate approach. I guess it comes down to “the personal touch” as well as a somewhat selfless approach in ensuring the client is educated in the process enough along the way that they could actually go through the process again with significantly less of your support.

Is it the most immediately profitable approach? Of course not, but it is how you build “sticky” relationships with potential clients by ensuring they see you are there for their benefit and not yours. With a bit of luck this will mean more opportunities with them in the future or recommendations to other potential clients.

There are certainly no hard feelings between me and the client I mentioned at the beginning, they are lovely, honest and transparent people who I enjoyed working with and who paid me a fair price for my time in the analysis phase, and I really do wish them the best of luck in their certification with their new vendor.

I just hope they call me when they realise what they could have had. <Disengage hubris mode>


Opening a New Door of Opportunity

As many of you have worked out by now I am no longer in full time employment and have decided to open the doors on my own business; I give you (TL)2 Security Ltd:

Originally intended to fill a gap on my CV while I find a full time job, and allow me to take on work in the interim, I have been blown away by the interest in the services (TL)2 Security offers and the immense goodwill from so many people. As I was building the website I decided to go beyond a simple one page brochure and expand it a little, resulting in a genuine sense of excitement that I really could make a go of this little enterprise!

As a result I am sat in an office in Paris having just signed my first contract for a couple of months of work. This isn’t just any work, this is an international contract no less! I am also pleased to say I also have other work lined up and getting ready for the contract stage and all in all I am feeling a little pleased with myself.

You can visit the official site at (TL)2 Security, and see the consultancy services on offer, but they broadly fall into two camps, namely strategic (vCISO, strategic advice & support) and Speaking (conferences, keynotes, brand advocacy). It is deliberately very broad at this point and plenty of grey area in between where I will no doubt take on work that is neither one camp nor the other; I do have a mortgage to pay after all.

So please welcome (TL)2 Security to the world, incorporated on 25th January 2019, and the first contract signed exactly a month later. It was a difficult labour, and I am still finding my feet, but I am so very, very excited to help it grow up and become a force to be reckoned with.

As the well known philosopher and entrepreneur, Derek Trotter, once said;

“This time next year, we could be millionaires”


What, No Expense Account? My RSA 2019 Itinerary

Yes, you read it here first, I will not be jetting into San Francisco on my private jet and staying at a hotel I wouldn’t tell you plebs about anyway.

RSA 2019 will be a first for me in that I am representing myself and not expensing my trip on the company dime. I am attending, in part, thanks to the generosity of ITSP Magazine (cheers, Sean and Marco!) and all I have to do in return is type a few words out for them. They may already be regretting that decision after seeing me insulting you, dear reader, in my first sentence of this blog.

I often attend RSA without a solid itinerary, getting a lot of value out of the “hallway track” and the multitude of events that are thrown in and around the city during the conference proper. However, since I now have some of my personal cash invested in this trip (I am staying in an AirBnB with a shared bathroom for goodness sake), it is probably wise to get at least some kind of structure together. To wit:

Oh, the inhumanity…

The Sessions

  • HUM-T06: Humans Are Awesome at Risk Management
  • DevOps Wine-ing (Not Whining) Cocktail Party
  • ID-T07: Studies of 2FA, Why Johnny Can’t Use 2FA and How We Can Change That
  • CXO-T09: How to Manage and Understand Your Human Risk
  • InfoSecurity Magazine Breakfast Briefing
  • Threat Modelling Brunch with IriusRisk
  • Security Blogger Awards (is it still on this year?)
  • KEY-R02S: Burnout and You: Fireside Chat with Dr. Christina Maslach
  • CXO-R11: The Fine Art of Creating a Transformational Cybersecurity Strategy
  • PROF-F01: Five Secrets to Attract and Retain Top Tech Talent in Your Future Workplace
  • PROF-F02: Why the Role of the CISO Sucks and What We Should Do to Fix It!

In summary then, risk, stress, strategy and human beings; all the key ingredients of any information security function.

This is my first cut of the agenda, and I reserve the right to not attend these and attend others, especially if some of my friends, colleagues, old drinking buddies and interesting random strangers turn up. Because that is what RSA is really about; meeting, networking and swapping ideas and opinions in real time.

The educational element is excellent of course, but it is rare that they will address exactly the problems you are facing day to day. You will learn something, you will expand your knowledge and you will take fantastic advice away with you, but it is rare you will get an hour face to face with the speaker. Taking the opportunity to really network and chew the fat with your old chums, as well as new ones, is an invaluable way of really focusing your efforts.

Of course I have some specific goals (remember my reason for staying in the AirBnB?); I will be networking to find potential consulting work in the future, looking for NED or advisory positions, and seeing what is coming on the horizon from the many vendors. I am also interested to see if Artificial Intelligence code has actually been written in anything other than PowerPoint, although I suspect I will be disappointed again on that front. Meeting my old boss and mentor, my old Deputy, a multitude of other pals, even the guy who reckons he is the sole founder of Host Unknown (when everyone knows that is me), is just icing on the cake. I am definitely looking forward to catching up with the person who said I could use their hotel room bathroom too.

There will also be a Host Unknown party, brought to you by the kind sponsorship of anyone who turns up, just like last year in Las Vegas during Black Hat and DefCon. I have heard at least two of the sole founders will be there to welcome the dollar bills of sponsorship from the attendees.

It’s going to be a long, endless week, but I do know that I will come back with more knowledge, more passion, more energy and more excitement for our industry than ever before.

And a whole lot less cash in the bank, so if you see me, don’t forget to offer food and drink.


What does a CISO actually do?

I read this wonderful article by Helen Patton, a CISO and contributor to Medium, and in it she describes the seven main areas she spends her time as a CISO; Technology, Data, Business, All The Other Internal Stuff, Vendors and Partners, Law Enforcement and Customers. (She also adds an eighth area, her Security Team of course!).

It is a fascinating read and one that tells a lot about the type of work a CISO will find themselves doing, and much of it resonated with me. I do believe however that the viewpoint is constrained by one aspect of her role, and one Helen states upfront:

Given that Cyber Security is about, well, cyber, and given that in my organization my administrative reporting line goes through the CIO, I spend a fair amount of time working on technology strategy.

It prompted me to write this post because I feel a CISO can do so much more once the role is removed from the auspices of IT. This has been a pet topic of mine for a number of years now, and it is a similar challenge CIOs once faced, i.e. not reporting into the highest level of management possible. I even spoke back in 2013 at RSA on just this topic.

This is a very common reporting line of course, largely because information security responsibilities often come out of IT, or the focus is purely on IT security and therefore fits into that service. It does however create potential issues:

  • The infosec message is filtered through the IT lens, and security issues become a smaller part of the overall IT programme.
  • The role is focussed significantly more on technology (the first item on Helen’s list above) and doesn’t take into account other factors, such as physical, people, or even awareness.
  • If the security function is dictating or heavily influencing technology and architecture, a conflict of intents can arise if there are security deficiencies in those aspects. There is no independent perspective on testing the environments, and a conflict of interest in highlighting deficiencies therein.

In these circumstances the role has a tighter focus, is more hands on, and may potentially not bring the benefits to an organisation that it could.

So what should a CISO be doing then?

The CISO primarily needs to be a representative of the business, and not of a department. By that I mean that the CISO is not always going to be the best information security professional in the same way that the CFO is not always the best accountant. They are however the best person to make decisions that span their area of responsibility AND the business, and actually focus on the bigger picture.

My role as a CISO therefore is not to make the company the most secure company in the world. If I did that, it would be out of business in a matter of months; loss of agility, inability to invest, reluctance to accept certain projects etc etc would make the company wholly unprofitable. My role is to help the company sell more, do more, innovate more and earn more… through the judicious application of security as a competitive advantage.

Put simply, a CISO needs to stop saying “No” to projects or requests that on the face of it are high risk, and stop expecting 100% security on rollouts prior to launch. That doesn’t mean we can’t aspire to perfection, or aim to build the very best environment we can, we just have to accept that something that is a high risk to us, may be a low risk to the business overall. Of course the business needs to understand what the security risks are and be cognisant of the risk when taking decisions, but security is not the single most important input here, it is one of many. We are advisors, not dictators.

The CISO therefore not only does many of the things Helen points out in her article, but it goes beyond that; above everything else in my opinion is being able to truly understand the business, its challenges, goals and vision, provide performance information, read the company reports and educate the senior leadership on what risks there are without sowing F(ear), U(ncertainty) and D(oubt). In other words then, what does a CISO do…?

Powerpoint and politics.

Everything else is just details.


The different view of risk modelling

As someone whose primary function at work is the ‘management’ of risk in all of its glorious forms, I have over the years become very comfortable with its accepted definition and how to measure it. ISO 27005:2008 was my bible, giving me the flexibility to choose a schema that worked for my particular environment as well as the credence that I was doing it right. I always knew that assigning arbitrary numbers to things wasn’t exactly the most scientific way of actually measuring something, but I could deal with that by simply talking about “indicative values” and “helps with prioritisation”.

It was a little under two years ago at the RSA conference that I attended a talk entitled “Pimp My Risk Model: Getting Resilient in a Complex World” by David Porter, and he spoke about a new approach to risk modelling. Rather than focussing on what could happen, and then play that through to the conclusion of an impact that is then measured, it instead focussed on what the desirable outcomes were in the first place and then worked backwards establishing what was required to achieve them, basically dependency modelling. Not only was this more efficient and scalable as not all permutations of threat/vulnerability/asset (for instance) are required to be worked out, it provides better information for early decision making.

The concept is not new, and has its roots in the late last century in the financial markets/actuaries who were looking at better ways to model and manage risk.

There are a number of proponents to this approach, all of whom have a far better understanding than me of this approach, but despite this in the last two years I have simply not seen it in a practical form that can be used every day. Unfortunately, and I am sure I am not alone here, if I can’t implement it quickly it gets passed over for the next best thing that can be. In fact, and perhaps in my own blinkered universe, the approach itself barely raised a murmur since. And yet the concept had stuck with me especially on the few occasions when I had heard it talked about.

It was on Russell Thomas’s blog, exploringpossibilityspace, that I saw just the other day this very approach being touted again. What I enjoyed about this post was the balanced and educational view of the traditional approach (little “r” approach in Russell’s parlance) versus the new dependency modeling approach (big “R”). I think the criticism of ‘r’ methods is well founded, although it is widely understood in business and when used properly can help produce at the very least tactical indicators of risk to the business.

My challenge with the ‘R’ approach is that I have yet to see it applied in practical terms and in a way that is easy to digest and understand (I think I hurt myself about two thirds of the way down the article trying to get to grips with the concepts!). As a result therefore, getting business buy in is going to be extremely challenging. Partial information from an ‘r’ approach reaching the business successfully is going to be better than no information from an ‘R’ approach (however better the data is) reaching the business.

I would strongly recommend everyone to read Russell’s writings on this risk model, which also contains links to other resources as well.

There is more work to be done, but I hope it focuses on making it possible to use the approach in a day to day environment; they say there is nothing new in the world of information security, but I have high hopes for an approach to risk modeling that will allow me to do so much more for the business in terms of long term, strategic guidance and support.

And when I can use this model in Excel, count me in!

<Some of you have commented on my extended absence, but a busy few weeks followed by a lovely holiday camping in France took priority. Back in the saddle now and very much looking forward to your comments and feedback!>
