The Consistency of Plastique

51lIxdlS2nL._SX300_As I said in my last post I have been travelling quite extensively recently, but this weekend I was able to take a long weekend in Oslo with my wife just before the Nordic CSA Summit where I was invited to speak on “the CISO Perspective”. As a gift for speaking, each of us was given a block of Norwgian cheese, in a roughly square shape, that really did seem to have the consistancy, weight and look of a lump of plastique (I imagine…). It did occur to me that in the spirit of all good 44CON prizes, it was intended to get you stopped at the airport.

On my return home yesterday, I was pret sure my bag would be picked up for secondary screening given the presence of this lump of cheesy explosive in my bag (although apparently @digininja tells me a malt loaf has the same effect as well). Sure enough, my bag was selected, I presented to the good natured security folks the block of cheese, and with a wry smile they let my bag through. The same could not be said of my carry on bag though.

5piecelockpicktoolI was asked quite curtly if I had a penknife or similar in this bag; now I am getting more forgetful, but I was pretty sure I hadn’t. The security guy really did not look like he believed me, so we started to empty my bag. Then I remembered, I had a pick lock set that I had put into  zipped pocket in my bag about nine months ago, intending to give it to my good friend Akash in Boston who had expressed an interest in that particular art. Remember I just said I am getting forgetful? That’s why it has been in my bag for so long having seen Akash many times this last nine months. Oh well.

But it also occurred to me that I had been through about ten different airports in that time, and this was the first time it had been picked up, let alone even identified as a possible penknife (understandable as the picks fold into the main body).

This underscores to me the inconsistency of the security scanning at virtually every airport. Shoes on or off? Belts on or off? IPads as well as laptops taken out? Kindles, in the bag or out? My bag of cables that you tell me to keep in my bag at one airport, and then getting admonished for not pulling it out of the bag at the next? As an end user of these services (and I am fully supportive of them despite this I must say) it is extremely frustrating. There seem to be too many exceptions in place without clear reason, and without tying back to a singular way of doing things. The shoe bomber, Richard Reid, saw to it we have to take our shoes off going through security… except of course when you don’t.

Consistency in an information security programme is obviously key. But sometimes the pendulum swings too far the other way. Any policy that ends with “There are no exceptions to this policy” is asinine at best,  and crippling to the business at worst. There will always be a need for an exception in order to ensure business can be carried out effectively. As long as the risks are understood and communicated effectively, then move on and do it.

It certainly doesn’t mean that the exception can be used as an excuse to carry on working like that. There is no concept of precedence in this case. If there was the natural end state would be complete mayhem as every exception is used to the point where there is no policy left. An exception is just what it says on the tin, a one off easing off the rules for business to to operate effectively and efficiently. It should be time based, must be reviewed regularly, and where possible repealed if alternative approaches have come to light.

Consistency is important when applying policies, especially across a large organisation, but for goodness sake, don’t forget that change is an important part of business and needs to be embraced. But please do a better job of managing that change, and the subsequent exceptions, than airport security does.

Conferences and Presentations

What with InfoSec Europe, BSides, RSA Unplugged and the just attended Nordic CSA Summer conference it has been busy on the presentation front again. I have a few more presentation to upload to this site as well as some footage. I am hoping to make it to Blackhat in Vegas for the first time this year, and speak on behalf of friendly vendor who I have always enjoyed working with.

IMG_5656

Diligently preparing for the conference

As I also mentioned in my last post, my employer became a sponsor of the European Security Blogger Awards, something I hope we will be for future events as well. Unfortunately I lost my best personal blogger award crown this year to Lee Munson of Security faq’s. I can’t help but feel that if I have to lose to someone, Lee would be top of my list as he consistently outshines me in both quality and volume of blogging. As a community we are lucky to have someone like Lee and if you haven’t already done so please do reach out to him and congratulate him.

IMG_5513

 


Why >WE< must meet the demands of the business

At the recent RSA conference in San Francisco, David Spark asked the question “Why doesn’t the business align better with security?” and there were some interesting responses:

I actually only agreed with the last comment from Michael Farnum (whom I have followed on Twitter and finally got to meet for the first time at RSA… see “bald men of security” in my RSA roundup). He rightly says that that the business should not align with security, as it is the role of security to align with the business. Compare this to the question “Why doesn’t the business align better with IT?” or “Why doesn’t the business align better with HR?” and the question immediately becomes moot.

levelI think David was right to ask the question because it has uncovered with greater clarity something that I and many other have been talking about for some time now, namely that security for too long has been carying out secrurity for its own sake rather than supporting the business achieve its goals. In my own paraphrased words “this is what I need security to do to help me sell more beer“.

This was reiterated by Andy Ellis at a session at RSA where he said precisely this;

are you the conscience of the business or an enabler to the business?

Finance is there to provide money, make that money work more effectively and ensure the money is providing the best value for the good of the business. IT is there to provide technology services at the best possible value for the good of the business. HR is there to provide people, support them, nurture them and align them (or move them  out), for the good of the business.

What is your security programme doing for the good of the business, rather than the good of security? Asking this question alone will help you along to your business goals and actually help them achieve their goals, not yours.


An Approach to Risk Decision Making – a Review

Public expenditure

I decided to write a review of a paper submitted to wired.com on the subject of “An Approach to Risk Decision Making” by Curt Dalton. I must however declare an interest in this, in that I happen to report to Curt in my day job (he is global CISO), and that he was kind enough to share drafts with me as he wrote it for feedback. This will of course therefore be a somewhat biased review, although not too much, but I do hope if nothing else it generates conversation around topics and approaches like this. I have a huge respect for Curt, have learnt much from him over the last few years and hope to get a good score in the next performance review!

In essence, this model is designed to help an orgnaisation decide if it is financially viable to invest in security technology/controls/procedures in order to address a given risk. It is not designed to be used across an organisations risk management porogramme, but rather with those handful of risks that can’t be addressed in day to day operations and have to be escalated to senior management to be effectively resolved.  With limited budget and access to that senior leadership, this approach provides support and guidance on what to ‘fix’ and what not to fix.

This scope is a key element of the model; it uses very traditional approaches to monetizing risk versus the more in vogue approach I have reviewed elsewhere in this blog. To that end it uses assigned numerical values to elements of its calculations; this is of course where ‘errors’ may creep in, but in theory an experienced risk manager familiar with their environment should be able to assess this reasonably well.

In summary, the model is as follows:

Figure1_660

Figure 2 in the model requires an analysis of controls required to address a risk.

Figure2_660

This does of course beg the question, how do you know you have all of the controls required and how do you know you have selected the correct numerical value? Again, the pragmatist in me suggests this is entirely possible with someone who is familiar with the environment and the organisation, but this may of course be more difficult in other situations.

Figure 3 does a similar thing with a similar level of granularity, i.e. defining in nine increments the ease of exploitation of a given risk; where I think there is potentially something missing is that this value applies to ALL of the risks listed in figure 2 rather than individually.

Figure3_660

Obviously this would massively increase the complexity of the solution but this is a deliberate approach to ensure simplicity across the model.

These two numbers are then combined with a simple calculation of impact to etsablish a level of monetized risk. Finally, the 80/20 rule (or Pareto’s Principal) is used as a rule of thunmb to define the actual budget that should be spent to mitigate a risk. In the example given therefore a monetized risk of roughly $1.5m USD should be mitigated by spending up to $380k USD and no more. The Pareto Principal can of course be adjusted accoring to your organisations risk appetite, that is, the more risk averse the organisation the more the rule would move from 80/20 to 70/30 or 60/40 etc..

There are a lot of assumptions used in this model, not least the numerical values that may seem to be arbitrarily assigned. However, I believe this can be forgiven for the very simple reason that this is a pragmatic, transparent and easily understood approach; it can be easily transferred into an Excel spreadsheet meaning that some simple modelling can be carried out. I have said before that until the newer approach to risk management has a more easily understood and implentable approach it will not be adopted. This model does.

The other part to this model that I like is that it is not designed to be a cure all, but rather a tool to help organisations decide where to spend money. If the approach is understood then an informed decision can be made within the constraints of that model (or indeed any other model). I believe it is influenced by the ISO27005 approach to risk management which means many risk management folks will be able to grasp and adopt it more easily.

Overall, this is a model that can be adopted quickly and easily by many organisations, and implemented successfully, as long as its basis in assigning numerical values is understood, and calculations are carried out by those in a position to understand their risk profile well. I would strongly recommend you tai a look at the model yourself over at Wired Innovation Insights.

Pros – easily understand, pragmatic, focussed on one business issue, easily implemented.

Cons – relies on assigning ‘arbitrary’ numerical values, doesn’t address granularity of risk and ease of exploiutation.


Risk Appetite – managing feast and famine

images-1I was able to attend the RANT forum a few nights ago, and watch an excellent presentation by Sarb Sembhi. However, and this is no insult to the speakers at the RANT forums (being one myself) the most valuable part of the evening is the socialising with colleagues and peers before and after.

I was talking to a couple of people who were recounting the challenges they face with their leadership regarding their risk management activities. I paraphrase greatly, but the gist of the issue was

Highlighting risks to them is all well and good, but then suddenly they tell us that another activity needs to be escalated up the risk matrix, or that there is a hot topic that they want pushed to the top of the risks list so it gets more attention. How are we supposed to manage a risk programme with any credibility when risks get artificially prioritised or de prioritised according to the mood of management?

We came to the conclusion that the risk appetite of the management team in question was a very flexible and fluid thing that changed quite frequently, and seemed entirely disconnected from the risk management activities being carried out.

This is a complex issue, and not one that can be solved in a single blog post, but there are a few guidelines and concepts that may be pertinent to heading off this kind of behaviour.

  1. Listen to them. On the whole an organisations management know what activities and changes will affect the business more than you. If they are highlighting something it is not to mess you around but because they are genuinely concerned about it. Look at your risk programme; does it squarely address the risks they are highlighting? Are they new risks, old risks, or poorly understood risks? Perhaps you have already found them and they need to be reviewed under the new light cast on it by management.
  2. Educate them. How much does your management team actually understand about the risk work you are doing? Do they really know what the scope of your remit is, how you go about finding risks, and more importantly how you measure them? ISO27005 is often described as an arbitary way of measuring risk, but it does a good job of explaining how you can approach and understand it. If you use that standard in your programme, make sure they understand how you measure them, and get their buy in to the approach. This way, when you disagree with their analysis of a “new” risk you can explain in agreed terms why.
  3. Use your governance structure. Your management team should only be looking at risks that are escalated to them, that is to say residual risks that are still considered as “high” (or whatever parlance you use). Every other risk below that should be managed and dealt with by the governance structure in place. Certain lower risks can be mitigated (managed, avoided or transferred) by people closer to that risk; a developer could change a portion of code, a project manager could remove or add contractors or a team member could go through more awareness training. Changing the course of a project or increasing the staffing costs by 50% is beyond their remit and they are therefore not able (or authorised) to treat them effectively; these risks get passed up your governance chain until they reach a point at which they can be dealt with. At the very top I would estimate they should be seeing no more than 0.1% of total risks escalated to them. Any more and it may be that the structure underneath is not doing their job.
  4. images-2Understand their appetite. One of the standard ISO 27005 risk acceptance approaches provides a matrices for what is acceptable and what isn’t. It is provided as an example only, and should not be used out of the box without considering the risk appetite of your organisation. If you are a risk averse organisation, the yellow and red band move down to the lower left, thereby meaning more “red” risks will need to be addressed. A risk taking organisation will move the green and yellow band up, thereby ensuring fewer “red” risks will need to be addressed. The risk profile of an organisation is something that is rarely understood by those that measure risk, and therein lies the problem. Only if the risk profile is drawn up, understood (including the approach to measure the risks in the first place) and signed off can risks be identified, “measured” and addressed in a way that meets the organisations business objectives.
  5. Accept that the appetite changes. if you review your risks annually (as a bare minimum) that is also a cue to review the risk appetite. If incidents throughout the year affect the business for the good or bad, that is a cue to review the risk appetite. If the organisation management suddenly think something is a big risk and needs to be addressed, that is a cue to review the risk appetite. And when I say review, I mean with the management, and not just in isolation.

images

There… simple! Well, not at all when you face these challenges every day, but if you can start that dialogue with your management and start to understand the business as they understand it you will be a long way towards heading off the “the sky is falling, fix it now!” response to risks.


Don’t Put Baby in the Corner

5670_fullLast week I had the opportunity to do both a presentation at the BCS IRMA Specialist Group as well as take part in a drastically reduced panel with Javvad Malik (and only Javvad!) at the InfoSec Europe 2013 Press conference.

Firstly I want to recount the panel for the press conference. After some last minute drop outs (one of which I was replacing anyway!) there was just Javvad and me available to do it less than 24 hours before we were due to start. In his own inimitable style he proposed a double act Parkinson style to talk about the challenges faced by a CISO in the Enterprise. I was somewhat unconvinced by this but true to his word, the whole session went extremely well and was thoroughly enjoyable. Afterwards Javvad was told  by some of the journalists that the session was a great way to end the two days with the non vendor focus of the session, and the humour that Javvad and I of course used!

One of the main topics we discussed was that of the position of the CISO within the organisation and the influence that this subsequently brings. Ultimately my position is clear on this, that the CISO needs to be as high in the organisation, and as independent of vertical alignment as possible. What I mean by this is that if the CISO is on the board (or executive leadership team as appropriate) and does not report into the CFO, COO, CIO or any other C level executive there is a dramatically increased chance of security being a successfully managed activity in the enterprise. It ensures full representation of the security function at the most senior levels, free of conflicts of interest and able to vie for budget and attention on an equal footing with the rest of the business units.

I will caveat this however. If there is no security function in place or it is in its nascent stages, or the business itself is smaller, it makes absolute sense to have the security function perhaps initially reporting into the CIO; in all likelihood the staff building the team will come from IT anyway. However, as the team grows it needs to evolve its leadership and position in the organisation, perhaps moving away from the IT function, to the COO and then ultimately to the board.

This transition is something that I have never seen planned in advance, and this is probably one of the fundamental reasons why the CISO and security function is constantly under represented in the modern enterprise as it struggles to gain independence. This will always result in poor awareness and training, lack of budget and lack of true top down security adoption as they compete for ever diminishing resources from lower down in the organisation.

One fairly unique place I have seen the security function is reporting into the General Counsel/Legal function. This I have seen work well as it is the GC that is traditionally responsible for the tracking and management of risks for the enterprise, and frequently has the ear of the CEO. I rarely see a conflict of interest with the security function either. This is not common though, and is likely to only be likely in the larger organisations that have a formal role of GC.

Bottom line, if the newly appointed CISO (i.e. a senior level position for a mature security team) reports into the CIO, then in reality, security is not going to function effectively in that organisation.

And finally (although not in chronological order), the BCS. It was the final presentation of “An Anatomy of a Risk Assessment” and it was (as far as I can tell) well received. Unfortunately the weather and lack of sandwiches post the even meant there was little time to mingle afterwards, but I have since received a number of favourable comments and of course connection requests on LinkedIn which is always heartening. I did however  feel I didn’t answer one of the questions at the end, about India, particularly well, and may have come across as a little disingenuous when nothing could be further from the truth. I hope my friends and colleagues from india will forgive me if they make it to the end of the video when I get hold of a copy (and post it here). As an aside I found an extremely flattering write up of the very first time I presented this in January last year. To the author at Acumin, thank you! http://acumin.wordpress.com/2012/02/

All in all, a very enjoyable and engaging kick off to 2013.