Are you one of “them”? Damaging your information security efforts without even knowing it

Leave a comment

90ee2b65615c3fda2b2c4190697c34d4It was ten to six in the morning, and I was on the  station platform waiting for my train to arrive to take me to London. As I walked past two people who were talking, one of them was earnestly telling the other about problems in his office that were caused by “them”:

they’ve changed the heating in the office to make it more consistent apparently but what they don’t realise is that it is sending us all to sleep. They just don’t get it, they’re idiots, and it’s a waste of money

It seems the faceless bureaucrats and management just don’t get it at this gentleman’s place of work and are doing everything they can to hinder the company’s ability to work effectively! But scratch a bit deeper and you may see a slightly different story of trying to deal with complaints from parts of the building that are too cold, using antiquated heating systems that don’t balance heat well the further from the heat source they are, or even just trying to make everyone feel more comfortable in the cold winter months.

The unfortunate impact of their actions though is that productivity has dropped in some areas, and the impression of the team and people behind it has dramatically reduced.

I have regularly stressed the importance of information security ultimately contributing to the success of the business, allowing it to sell more beer if you will, but that is only possible if you understand the business, collaborate with the people on the ground, and align your efforts to their goals. By treating risks in isolated parts of the business without looking at the wider impacts you run the risk of overheating other parts of the business. What initial makes sense in one place does not make sense in another, and the quick win you thought you had really turns out to require a far more nuanced approach.

If what you are doing is simply unavoidable and impacts to the other parts of the business will be felt, then collaboration and communication is vital. Explaining the complaints, challenges, risks etc. and allowing them to voice their feedback is important to ensure people remain bought into your plans. Who knows, you may actually get some better ideas from them that you hadn’t even considered. This approach requires nerves of steel and the skin of a rhino though, as many will see the opportunity to take a swipe at you, but seeing the process through is far more effective in the long term.

Asking for feedback afterwards, chatting to individuals and leadership about what they think about what you have done, and putting that feedback to work to improve your next iteration of the programme all help bring people on side and improve the effectiveness of your information security stance.

Once you are seen to be working in the long term interests of the company and the people who work there, decisions you take and implement will be seen in that wider context, and not just as the actions of someone just “doing their job” and being one of… them.

Three Envelopes, One CISO

4 Comments
three-envelopes
The outgoing CISO of a company meets his replacements for lunch the day before he starts. He hands the newcomer three envelopes, labelled 1, 2, & 3.
I have one piece of advice for you. Whenever you have a breach, open each envelope in turn.
The job continues as expected over the months, when the fateful day come and the company suffers a security breach. Just before he is called into the boardroom to represent himself, he remember the envelopes and opens the first one. Inside, the card reads:
Blame your predecessor.
This he does and moves on.
A few months later another security breach occurs. Standing outside the boardroom, he opens the second envelope”
Blame your team.
A few months later, a third breach occurs. With a smile on his a face and spring in his step he approaches the boardroom confident he is going to get away with it again. As he is called in, he opens the envelope, mentally preparing to talk his way out of trouble. His eyes widen as he reads the card:
Prepare three envelopes.

 

512px-Sony_logo.svg
Last week saw the rather shocking news of the Sony security breach that suffered a very overt attack on Sony and multiple days of downtime. Rumours abound around if it was an insider job, the extent of the damage, the rebuilding of the entire Sony Active Directory structure and wiping of all workstations and reinstallation of operating systems. The exact details will no doubt take many months to surface, but one thing seems to be clear; the blame of the breach is being squarely laid at the CISO’s (and sometimes the CIO’s) feet.
One article from IT Security Guru supported this with a quote from Phil Lieberman, CEO of Lieberman Software:
This was a perfect example of sloppy IT security and a CISO that did not implement proper privileged identity management, or a disaster recovery backup plan for continuity of business. The consequences were a loss of control over his environment caused by a focus on convenience of IT rather than the security of the enterprise.

This may well be true of course, and the Sony CISO may well have been incompetent in this instance. There is however a very real alternative possibility. What if the CISO had been very clear in the dangers in this case of convenience over security? And what if the board, or other senior leadership simply felt it was too “expensive” culturally and from the perspective of impact to the current productivity of the company. Sony is a strongly creative focussed business; it is not a bank, an energy company or in a regulated environment, so they are not forced to carry out particular security activities. The ability of their employees to not work as flexibly and without restriction could well be seen as a higher risk than that of a breach (even after the 2011 breaches).

Perhaps the cost of this breach will simply be a blip in the years to come.

The key thing though is that the business may well have accepted this risk and simply moved on, much as they would have accepted a financial risk and moved on. Sometimes financial risks results in massive downturns in business, and I don’t always see the CFO being pilloried on the first day without evidence – that is normally reserved for the CEO or Chair of the Board.

We seem to want to chop down the CISO as soon as something goes wrong, rather than seeing it in the context of the business overall.

Let’s wait and see what actually happened before declaring his Career Is So Over, and also appreciate that security breaches are not always the result of poor information security, but often simply a risk taken by the business that didn’t pay off.

I’m off now to get my PS4 in a fire sale.

Risk, Rubble and Investment

Leave a comment

rubbleOriginally written and posted October 13th 2014 on the InfoSecurity 2014 Blog (and reiterating a pet core message of mine  again!).

Risk is a bad thing. Therefore risk needs to be reduced to rubble, or even better to dust and then swept away under the carpet never to be seen again.

This is the attitude that many of us have, and then pass onto our senior leadership when it comes to information security programs. “Invest £10 million and we will buy technology that will make us safe” we have often said in the past. “My blinky boxes will soon find your risks and reduce them to nothing!”. It should be no surprise for so many of our industry therefore that CISO stands for “Career Is So Over”.

What we often fail to appreciate is that the senior leadership and boards of virtually all organizations understand risk far better than us. They deal with financial, legal, HR and international risk on a regular basis, and know how to take advantage of it to their benefit. Their advisors in the various fields know how to communicate their unit risks in a way that makes sense to business, be it financial, reputational or whatever else makes sense in their industry. The leadership do not require specialist knowledge of these areas because the risk is being translated into terms they understand.

The information security industry however still often talks in terms of “APT’s”, “DLP”, “TLS” and other obscure TLA’s* while trying to explain why more money is needed to “secure all the things”. What is the benefit to the business? What is the real risk in terms everyone can understand? Translating these technical issues and risks into business risks has always been a challenge and has often resulted in information security being perceived as the “expensive part of IT” asking for more money with little positive influence to the business.

If you work in a brewery, the ultimate goal of everyone who works there should be to sell more beer. If you work for Oxfam, the ultimate goal is to get aid to those that need it as quickly, effectively and efficiently as possible. If you work in a publicly listed company, the ultimate goal is to make more money for the shareholders. The role of information security within any organization is not exempt from this; security doesn’t get a special pass because it is, well, security. The role of the information security function is to support the ultimate goal of the organization it operates in.

Understand what your ultimate goal is. Focus your strategy on ensuring you are helping meet that goal. Be willing to compromise in certain areas of security if it helps meet that goal. Ensure you senior leadership understand the risks (in their language, not yours) involved in those compromises. if you don’t get what you want then move onto the next piece of work that supports your ultimate goals (or be prepared to fight harder and more lucidly for your original cause).

If it was that easy you wouldn’t be reading this, but surely it is easier than the ongoing battle for investment that we ultimately never win anyway?

*Three Letter Acronyms (surely you know that?)


Computing SecurityNote: Many of you know I was up for the “Personal Contribution to IT Security” Award at the recent Computing Security Awards. I was (un)fortunately Runner Up in this category, but thank you again to all of you who not only may have voted for me but also nominated me in the first place. It was a wonderful evening with good friends from my work and InfoSec life, and a good excuse to dress up in my best party frock. Here’s to next year!

IMG_4119

Not All Risks Are Bad (even the bad ones…)

1 Comment

Keep_Calm_Big_ThinkThe very term ‘risk” often makes people feel uncomfortable, with connotations of bad things happening and that if risk is not minimized or removed then life (or business) becomes too dangerous to continue.

Crossing the road is risky, especially if you live in a busy city, and yet people, young and old alike, do it every day. In fact it is riskier than flying  and yet I would argue that there are more people afraid of flying that of crossing the road. Hugh Thompson of RSA put it very well in his 2011 RSA Conference Europe presentation when he raised the issue of “Sharkmageddon”; more people are killed every year sitting on the beach by falling coconuts than those by sharks, but there is an almost universal fear of sharks. We irrationally consider swimming in the sea safer (less risky?) than sitting under a coconut tree.

Risk is an inherent part of our lives, and if we let the realities of risk take control of our business decisions we become the corporate version of an agoraphobic; staying in the safe confines of the environment  we know and not ever venturing out to be active in the outside world; ultimately we wither and fail be it as individuals or as a business.
In my experience, one of the most misunderstood approaches to treating a risk is to accept or manage it. Most people are comfortable with mitigating, transferring or avoiding a risk as they involve some kind of act to deal with them, something we are all familiar with. We fix a problem, give the problem to someone else or stop doing the thing that causes us the problem in the first place. However, it often feels wrong to simply accept a risk, in essence to do nothing. Although this is not strictly the case, it is essentially how we feel we are dealing with it. You are accepting that there is either nothing you can do, or nothing you are willing to do to reduce the risk. However, you are not blindly accepting it at face value; rather you are being cognisant of the risk as you continue your operational activities. You know it is there as you carry on your day job. These activities and the very environment you are operating in can change without notice, and make the decision to accept a risk now the wrong course of action.

For instance, it may now be cheaper to fix the risk than it was going to cost you, or the highly lucrative contract that made the risk acceptable is now over and there is a greater risk of financial lost that costs more than the revenue you are bringing in. The reasons for change are often financial, although not always. Your risk appetite may also have reduced or the industry you are operating in becomes more regulated; all of these example mean your decision to accept needs to be reviewed.

All risk decisions need to be reviewed regularly, for exactly the reasons given above, but in my opinion it is risk acceptance decisions that should be reviewed more often, as they are the ones that are made as a result of more transient and changing factors, and are the ones that will potentially harm the organisation the greatest.

tiger__extIt’s a bit like keeping a tiger as a pet – it looks awesome and maybe even draws admiring glances from many, but if you forget you locked it into your bathroom overnight you are going to have a very big surprise when you get up to go to the toilet in the middle of the night. You can’t accept risks without truly understanding them in the first place.

Cross Post – The Human Element

Leave a comment

(Originally posted on the Iron Mountain Information Advantage Blog, November 20 2013.)

lost-keys1Leaving things on the train or in a restaurant, or in fact anywhere is an unpleasant fact of life for many of us. I would guess that almost all the readers of this blog have at some point left their keys, wallet, shopping, hat, gloves, children, scarf or phone somewhere or other. On occasion, such lapses in concentration can be upsetting, costly, or embarrassing and in some rare instances even dangerous. But in most cases what we leave behind is either easily replaceable (gloves), insured/covered (bank cards) or worth the cost to change and replace (keys). It’s very rare that we leave and lose something irreplaceable (presumably you found the kids!). This is because the items we treasure often have significant intrinsic and/or emotional value. A good example would be family heirlooms, passed down from generation to generation; we treasure them and therefore take care to protect them, storing them in a safe (or at least a safe place) to be taken out only on special occasions.

What about leaving data somewhere? It wasn’t so long ago, that civil servants and the MOD were criticised frequently in the media for leaving highly sensitive and valuable data exposed in public places. Rarely, it seemed, did a day go by without the Daily Mail bemoaning the inability of the public sector to protect our data. Headlines called for heads to roll. And yet, invariably, these were just the kind of simple, human mistakes that every one of us have made in one way or other. These days, however, the vast majority of data is (or at least should be) encrypted, both when it is on the move and when it’s at rest. Consequently, the loss or theft of encrypted data may now raise fewer eyebrows.

Printed matter, however, is another thing entirely. You can’t encrypt paper documents, and paper is very difficult to secure during transport, without somehow physically attaching it to your person. Taking sensitive documents from one location to another, so often a necessity, quickly becomes a thing of peril. Conceptual drawings, designs, technical drawings, mock ups etc. will often need to be taken to a client site or a manufacturer, and sometimes cannot be sent electronically. After a successful pitch and a few celebratory drinks afterwards those documents could all too easily be left on the night bus to Neasden, unprotected and full of intellectual property and sensitive information. A breach like that can so easily turn a night of celebration into a morning of embarrassment and apologies, followed by the inevitable search for new clients.

Protecting printed documents is difficult, probably more difficult than electronic information, and yet we seem to put all of our efforts into the very latest and best encryption, protected USB keys, and expensive data loss prevention (DLP) initiatives. It’s easier to put in place a technology, especially a “transparent” one than it is to change behaviours.

I would suggest that the information security community needs to address this disparity; the paperless office hasn’t transpired, the digital documents are secured, but paper has been left behind. How can we address this without handcuffing briefcases to people? As usual, it has to come down to awareness, we need to drive home the message that paper should be transported with the same care as electronic records, observing sensible procedures such as ensuring there are always two people present when travelling with paper (to act as more of a reminder than as a physical protection) or even only couriering them with a specially selected and reviewed vendor.

I don’t want to turn the Chief Information and Security Officer into a George Smiley type character, but I do want all of our sensitive records to be treated with the same level of protection irrespective of format.