Not All Risks Are Bad (even the bad ones…)

The very term "risk" often makes people uncomfortable; it carries connotations of bad things happening, and of life (or business) becoming too dangerous to continue unless the risk is minimised or removed.

Crossing the road is risky, especially if you live in a busy city, and yet people, young and old alike, do it every day. In fact it is riskier than flying, and yet I would argue that more people are afraid of flying than of crossing the road. Hugh Thompson of RSA put it very well in his 2011 RSA Conference Europe presentation when he raised the issue of "Sharkmageddon": more people are killed every year by falling coconuts while sitting on the beach than are killed by sharks, but there is an almost universal fear of sharks. We irrationally consider swimming in the sea safer (less risky?) than sitting under a coconut tree.

Risk is an inherent part of our lives, and if we let the realities of risk take control of our business decisions we become the corporate version of an agoraphobic: staying in the safe confines of the environment we know and never venturing out to be active in the outside world. Ultimately we wither and fail, be it as individuals or as a business.

In my experience, one of the most misunderstood approaches to treating a risk is to accept (or manage) it. Most people are comfortable with mitigating, transferring or avoiding a risk, as each involves some kind of act to deal with it, something we are all familiar with: we fix the problem, give the problem to someone else, or stop doing the thing that causes the problem in the first place. However, it often feels wrong to simply accept a risk, in essence to do nothing. Although that is not strictly what acceptance is, it is how we feel we are dealing with it. You are accepting that there is either nothing you can do, or nothing you are willing to do, to reduce the risk. But you are not blindly accepting it at face value; rather you remain cognisant of the risk as you continue your operational activities. You know it is there as you carry on your day job. Those activities, and the very environment you are operating in, can change without notice and make the decision to accept a risk the wrong course of action.

For instance, it may now be cheaper to fix the risk than it was when you accepted it, or the highly lucrative contract that made the risk acceptable is now over and the potential financial loss now outweighs the revenue you are bringing in. The reasons for change are often financial, although not always. Your risk appetite may also have reduced, or the industry you operate in may have become more regulated; all of these examples mean your decision to accept needs to be reviewed.

All risk decisions need to be reviewed regularly, for exactly the reasons given above, but in my opinion it is risk acceptance decisions that should be reviewed most often: they are the ones made on the basis of the most transient and changeable factors, and the ones that can potentially harm the organisation the most.

It's a bit like keeping a tiger as a pet: it looks awesome and may even draw admiring glances from many, but if you forget that you locked it in your bathroom overnight you are going to have a very big surprise when you get up to go to the toilet in the middle of the night. You can't accept risks without truly understanding them in the first place.


Cross Post – The Human Element

(Originally posted on the Iron Mountain Information Advantage Blog, November 20 2013.)

Leaving things on the train, in a restaurant, or in fact anywhere, is an unpleasant fact of life for many of us. I would guess that almost all the readers of this blog have at some point left their keys, wallet, shopping, hat, gloves, children, scarf or phone somewhere or other. On occasion such lapses in concentration can be upsetting, costly or embarrassing, and in some rare instances even dangerous. But in most cases what we leave behind is either easily replaceable (gloves), insured or covered (bank cards), or worth the cost to change and replace (keys). It's very rare that we leave and lose something irreplaceable (presumably you found the kids!). This is because the items we treasure often have significant intrinsic and/or emotional value. A good example would be family heirlooms, passed down from generation to generation; we treasure them and therefore take care to protect them, storing them in a safe (or at least a safe place) to be taken out only on special occasions.

What about leaving data somewhere? It wasn't so long ago that civil servants and the MOD were criticised frequently in the media for leaving highly sensitive and valuable data exposed in public places. Rarely, it seemed, did a day go by without the Daily Mail bemoaning the inability of the public sector to protect our data. Headlines called for heads to roll. And yet, invariably, these were just the kind of simple, human mistakes that every one of us has made in one way or another. These days, however, the vast majority of data is (or at least should be) encrypted, both when it is on the move and when it is at rest. Consequently, the loss or theft of encrypted data may now raise fewer eyebrows.

Printed matter, however, is another thing entirely. You can't encrypt paper documents, and paper is very difficult to secure during transport without somehow physically attaching it to your person. Taking sensitive documents from one location to another, so often a necessity, quickly becomes a thing of peril. Conceptual drawings, designs, technical drawings, mock-ups etc. will often need to be taken to a client site or a manufacturer, and sometimes cannot be sent electronically. After a successful pitch and a few celebratory drinks afterwards, those documents could all too easily be left on the night bus to Neasden, unprotected and full of intellectual property and sensitive information. A breach like that can so easily turn a night of celebration into a morning of embarrassment and apologies, followed by the inevitable search for new clients.

Protecting printed documents is difficult, probably more difficult than protecting electronic information, and yet we seem to put all of our efforts into the very latest and best encryption, protected USB keys, and expensive data loss prevention (DLP) initiatives. It's easier to put a technology in place, especially a "transparent" one, than it is to change behaviours.

I would suggest that the information security community needs to address this disparity: the paperless office hasn't transpired, the digital documents are secured, but paper has been left behind. How can we address this without handcuffing briefcases to people? As usual, it has to come down to awareness. We need to drive home the message that paper should be transported with the same care as electronic records, observing sensible procedures such as ensuring there are always two people present when travelling with paper (to act as more of a reminder than as physical protection), or even only couriering documents with a specially selected and reviewed vendor.

I don’t want to turn the Chief Information and Security Officer into a George Smiley type character, but I do want all of our sensitive records to be treated with the same level of protection irrespective of format.


Risk Appetite – managing feast and famine

I was able to attend the RANT forum a few nights ago and watch an excellent presentation by Sarb Sembhi. However, and this is no insult to the speakers at the RANT forums (being one myself), the most valuable part of the evening is the socialising with colleagues and peers before and after.

I was talking to a couple of people who were recounting the challenges they face with their leadership regarding their risk management activities. I paraphrase greatly, but the gist of the issue was:

Highlighting risks to them is all well and good, but then suddenly they tell us that another activity needs to be escalated up the risk matrix, or that there is a hot topic that they want pushed to the top of the risks list so it gets more attention. How are we supposed to manage a risk programme with any credibility when risks get artificially prioritised or de-prioritised according to the mood of management?

We came to the conclusion that the risk appetite of the management team in question was a very flexible and fluid thing that changed quite frequently, and seemed entirely disconnected from the risk management activities being carried out.

This is a complex issue, and not one that can be solved in a single blog post, but there are a few guidelines and concepts that may be pertinent to heading off this kind of behaviour.

  1. Listen to them. On the whole an organisation's management knows better than you which activities and changes will affect the business. If they are highlighting something it is not to mess you around but because they are genuinely concerned about it. Look at your risk programme: does it squarely address the risks they are highlighting? Are they new risks, old risks, or poorly understood risks? Perhaps you have already found them and they simply need to be reviewed in the new light management has cast on them.
  2. Educate them. How much does your management team actually understand about the risk work you are doing? Do they really know what the scope of your remit is, how you go about finding risks, and more importantly how you measure them? ISO 27005 is often described as an arbitrary way of measuring risk, but it does a good job of explaining how you can approach and understand it. If you use that standard in your programme, make sure they understand how you measure risks, and get their buy-in to the approach. This way, when you disagree with their analysis of a "new" risk, you can explain why in agreed terms.
  3. Use your governance structure. Your management team should only be looking at risks that are escalated to them, that is to say residual risks that are still considered "high" (or whatever parlance you use). Every other risk below that should be managed and dealt with by the governance structure in place. Certain lower risks can be mitigated (managed, avoided or transferred) by people closer to that risk: a developer could change a portion of code, a project manager could remove or add contractors, or a team member could go through more awareness training. Changing the course of a project or increasing the staffing costs by 50% is beyond their remit, so they are not able (or authorised) to treat such risks effectively; these risks get passed up your governance chain until they reach a point at which they can be dealt with. At the very top I would estimate they should be seeing no more than 0.1% of total risks escalated to them. Any more and it may be that the structure underneath is not doing its job.
  4. Understand their appetite. One of the standard ISO 27005 risk acceptance approaches provides a matrix of what is acceptable and what isn't. It is provided as an example only, and should not be used out of the box without considering the risk appetite of your organisation. If you are a risk-averse organisation, the yellow and red bands move down towards the lower left, meaning more "red" risks will need to be addressed. A risk-taking organisation will move the green and yellow bands up, ensuring fewer "red" risks need to be addressed. The risk profile of an organisation is something that is rarely understood by those who measure risk, and therein lies the problem. Only if the risk profile is drawn up, understood (including the approach used to measure the risks in the first place) and signed off can risks be identified, "measured" and addressed in a way that meets the organisation's business objectives.
  5. Accept that the appetite changes. If you review your risks annually (as a bare minimum), that is also a cue to review the risk appetite. If incidents throughout the year affect the business, for good or bad, that is a cue to review the risk appetite. If the organisation's management suddenly think something is a big risk and needs to be addressed, that is a cue to review the risk appetite. And when I say review, I mean with the management, not just in isolation.
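A small worked illustration of points 3 to 5, added here and not part of the original post: a likelihood-times-impact matrix whose green/yellow/red bands move with the stated appetite, so that only residual reds reach management and a change of appetite re-bands risks that were previously accepted. The scales, band positions and sample risks are constructed for this example and are not ISO 27005's own matrix.

```python
# Risk matrix whose acceptance bands move with risk appetite.
# Added illustration: the scales, band positions and sample risks are
# constructed for this example and are not ISO 27005's own matrix.
from dataclasses import dataclass

# Five-point scales; score = likelihood x impact, so 1..25.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Appetite -> (highest green score, highest yellow score); above that is red.
# An averse organisation pulls both bands down (more reds to treat);
# a risk-taking one pushes them up (fewer reds).
APPETITE = {"averse": (3, 6), "neutral": (6, 12), "seeking": (8, 16)}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str


def score(risk: Risk) -> int:
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def band(risk: Risk, appetite: str) -> str:
    """Place a residual risk in the green/yellow/red band for this appetite."""
    green_max, yellow_max = APPETITE[appetite]
    s = score(risk)
    if s <= green_max:
        return "green"
    return "yellow" if s <= yellow_max else "red"


def escalated(risks, appetite: str) -> list:
    """Point 3: management sees only residual reds; everything else is
    dealt with by the governance structure underneath."""
    return [r.name for r in risks if band(r, appetite) == "red"]


def escalation_share(risks, appetite: str) -> float:
    """Fraction of the register reaching the top. The post suggests about
    0.1% as the ceiling for a structure that is doing its job."""
    return len(escalated(risks, appetite)) / len(risks)


def rebanded(risks, old: str, new: str) -> dict:
    """Point 5: when the appetite moves, list the risks that change band,
    including accepted greens that are no longer acceptable."""
    changes = {}
    for r in risks:
        before, after = band(r, old), band(r, new)
        if before != after:
            changes[r.name] = (before, after)
    return changes


# Constructed sample register (scores in comments).
SAMPLE_RISKS = [
    Risk("Unpatched dev web server", "almost certain", "moderate"),  # 15
    Risk("Lost laptop, disk encrypted", "possible", "minor"),        # 6
    Risk("Printed drawings left on bus", "unlikely", "major"),       # 8
    Risk("Falling coconut at offsite", "rare", "severe"),            # 5
]
```

Running `rebanded(SAMPLE_RISKS, "neutral", "averse")` shows two previously green risks turning yellow and a yellow turning red, which is exactly the review that point 5 asks for.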


There… simple! Well, not at all when you face these challenges every day, but if you can start that dialogue with your management and begin to understand the business as they understand it, you will be a long way towards heading off the "the sky is falling, fix it now!" response to risks.


The EU, Porn, and Hollywood

And if that title doesn’t attract attention I don’t know what will…

Unfortunately (for you), while this title is accurate the rest of this post may not quite deliver what you are expecting or hoping for. Just a few days ago (Thursday 16th May) I attended for the first time an ISSA-UK chapter meeting in Bristol, where Marcus Alldrick, Richard Hollis and I were presenting (in that order) to the great and the good of the south west infosec community.

Marcus Alldrick emphasises…

Marcus' presentation of The EU's Proposed Data Protection Regulation, It's Life Jim But Not As We Know It was very well received, with a huge amount of interaction to the point of a twenty-minute overrun. I have tended to avoid expending too much energy on draft legislation like this, as it often changes dramatically the closer it gets to publication (MA201 CMR 17 is a good example of this), and so the view that Marcus presented was a welcome one. Although his deck was content rich he put it across in his own inimitable style, and I found it hugely educational. One point that came across loud and clear is that if it gets enacted in its current format, one of the most sought-after roles in any company will be that of Chief Privacy Officer, for the job security alone (the role must be filled by the same person for a minimum of two years!).

…and Richard Hollis boasts

Second up was Richard Hollis with his hotly anticipated Deep Threat – Top 10 Lessons to Learn from the Online Adult Entertainment Industry. While the expected jokes and euphemisms came thick and fast, underneath them were some startling and very interesting lessons, namely that the adult entertainment industry simply does information security far better than the rest of us: they are single-minded, have a lot to lose, and ultimately see the "battle" to maintain security as just that… a war which they are determined to win. A fascinating insight into an often overlooked industry, with some great lessons summarising its underlying security ethos.

I’m a little teapot

Finally it was my turn. To be honest I was somewhat apprehensive following these two presentations; there had been a huge amount of interaction to this point, and while my presentation somewhat relied on audience participation, the main points I was raising were quite high level and in some cases not often talked about. I shouldn't have worried. I had an absolute blast talking about different elements of risk management and getting some excellent feedback, comments, questions and of course different opinions. My case was obviously helped by the fact that I was handing out prizes for each correct answer matching a quote to a film! The presentation itself is below, along with a few snippets taken from the back of the room.

I have always been impressed with the ISSA-UK meetings, the quality of the discussion between people and, to be honest, the great value that membership of this association brings. I am very much looking forward to more of these, and to presenting again at one of their sessions if asked. My thanks to Alan and Gabe (@infoseccrow) for giving me the opportunity to present here.

UFOs Dirty Dancing and Exploding Helicopters (PDF)


Use Your Nose and Gut to See The Real Picture

After the high energy of the conferences last week it was always going to be a challenge coming back to the humdrum of day-to-day work. Reviewing someone else's audit findings was never going to be the quickest way to get those energy levels up!

This was compounded somewhat by what I found myself reading, of course: this was an audit report on an environment that had a very limited scope, i.e. the type of work being carried out, the type of data being handled, and the type of resources required to complete the task. The auditors, however, were coming in from a very strictly controlled, somewhat binary view of the world. The upshot of this was that there were a lot of findings along the lines of:

  • Workstations have access to the internet.
  • Physically secured environment within the office (of the same company) required.
  • Firewall must separate development environment from the rest of the office.

On the face of it these findings are perfectly acceptable, but what they don’t do is take into account the bigger picture.

The group that was being audited did not have access to any sensitive information, PI or even intellectual property. They required access to the internet as they were a creative group that uses multiple types of resources from the web, and they were already on a secured VLAN.

Unfortunately the auditors failed to understand what was in front of their faces throughout the entire audit and assessment process (in fact, they remind me of the type of auditor that Javvad recently showed us in his latest video). They didn't observe their surroundings fully, understand the working environment, nor comprehend the true purpose of the audit, namely to reduce risk, not to squash the life out of some very expensive resources and make it difficult for them to do their job.

They did everything by the book.

There is always a time and a place for a slightly more maverick approach in my opinion. There are times when as an auditor you need to go with what your nose tells you is bad, or your gut tells you isn’t right. No kind of by-the-book approach will let this happen. Let’s elaborate on these two approaches a little more:

Using your nose

This is quite literally "smelling" out the findings. Just because a document has been presented and all seems in order, or just because an activity is shown to be in normal use, doesn't always mean everything is in order. I have spent many enjoyable hours discussing with colleagues the tricks and traps that people use to fool auditors and assessors (some of the simpler ones are in Javvad's video!). I even heard of freshly printed documents being deliberately given coffee stains to give the impression that they had been around for some time, or of people being sent home for the day when the auditor was around. Smelling this out requires a slightly cynical nature and a "poacher-turned-gamekeeper" approach. You might see a name occur too often, or the same approval date on documents that were obviously written at different times and approved by different approvers; these are all indicators that something may be amiss.

Using your gut

A "gut feeling" is a very difficult thing to define and, to be honest, not always reliable. I often think it is because you have observed something subconsciously that it becomes a gut feeling. Using your nose is based upon an observable phenomenon, whereas using your gut is not. Gut feelings can be very good indicators that something is not quite right and deserve to be investigated further; the real skill, however, is knowing when to stop. Burning up half of your audit time because of a gut feeling is unprofessional, a waste of time, and does both you and the auditees a huge disservice. However, it can pay huge dividends in what is uncovered when you get it right.

I want to caveat the above, however; I don't want to come across as though auditing is some kind of cat-and-mouse arms race (or any other kind of mixed metaphor). Any good audit or assessment is always going to be open, collaborative and educational, and this needs to be the goal from the outset. However, many auditees are placed under huge pressure to pass an audit and sometimes will feel that a high-risk, deceptive strategy is the only way to retain their jobs. I myself was once told in no uncertain terms to "do whatever it takes to pass the audit" (and of course did).

What I really want to see in the industry is a move away from the checkbox-and-clipboard approach to auditing and assessing, as the natural conclusion of that is a deeply unpleasant homogenisation of controls and environments that stifles creativity and ultimately reduces the ability of a business to deliver to its clients and to its shareholders.