Ground Control to Major Thom

I recently finished a book called “Into the Black” by Roland White, charting the birth of the space shuttle from the beginnings of the space race through to it’s untimely retirement. It is a fascinating account of why “space is hard” and exemplifies the need for compromise and balance of risks in even the harshest of environments.

Having seen two shuttles first hand in the last nine months (the Enterprise on USS Intrepid in New York and the Atlanta at Kennedy Space Centre), it boggles my mind that something so big could get into space and back again, to be reused. Facts like the exhaust from each of the three main engines on the shuttle burn hotter than the melting temperature of the metal the engine ‘bells’ are made of (they ingeniously pipe supercooled fuel down the outside of the bells to not only act as an afterburner of sorts but also cool the bells themselves) go to show the kind of engineering challenges that needed to be overcome.

There was one incident however that really struck me regarding the relationship between the crew onboard and the crew on the ground. On the Shuttle’s maiden flight into space, STS-1 also known as Columbia carried out 37 orbits of the earth with two crew on board, mission commander John W. Young and pilot Robert L. Crippen. Once orbit was achieved an inspection of the critical heat tiles on the underside of the shuttle showed some potential damage. If the damage was too extensive the return to earth would (as later events in the Shuttle’s history proved) be fatal.

The crew however were tasked with a variety of other activities, including fixing problems onboard they could address. They left the task of assessing and calculating the damage to those on the ground who were better equipped and experienced to deal with the situation. This they duly did and as we know Columbia landed safely just over two days later.

It struck me that this reflects well the way information Security professionals should treat the individuals we are tasked with supporting. There is much that individuals can do to help of course, and that is why training and awareness efforts are so important, but too often it is the case that “we would be secure if it wasn’t for the dumb users”. The sole purpose of the Columbia ground crew was to support and ensure the safe return of those on board STS-1 so that they could get on with their jobs in space. Ours is the same.

Just because te crew had extensive training to deal with issues as they arose, the best use of their time was to focus on the job in hand and let ground crew worry about other problems. The people we support should also be trained to deal with security issues, but sometimes they really need to just get on with the deliverables at hand and let us deal with the security issue. They might be trained and capable, but we need to identify when the best course of action is to deal with their security issues for them, freeing them to do their work.

Never forget that we support our organisations/businesses to do their jobs. We provide tools to allow them to be more effective in their end goals but it is still our responsibility to do the heavy lifting when the time comes. Except in very rare cases we are there because of them, not in spite of them.

(Photo courtesy of William Lau @lausecurity)


Security is Not, and Should not be Treated as, a Special Flower

My normal Wednesday lunch yesterday was rudely interrupted by my adequate friend and reasonable security advocate Javvad calling me to ask my opinion on something. This in itself was surprising enough, but the fact that I immediately gave a strong and impassioned response told me this might be something I needed to explore further…

The UK Parliament in this report have recommended that CEO salaries should be defined by their attitude and effectiveness of their cybersecurity. I am not one normally for histrionics when it comes to government reports, partly because they are often impenetrable and not directed at me or my lifestyle, but I will make an exception in this case. I think this attitude is quite simply short sighted and a knee jerk reaction to a very public breach that was admittedly caused by a lackadaisical attitude to security.

I have argued for a long time that the security function is not a “special flower” in the business, and that by supporting that case security becomes an inhibitor of the business, restricting it from taking the kind of risks that are vital to a growing and agile business. The only way I would agree to this demand would be if the CEO’s compensation was directly related to financial performance, staff attrition, number of court cases levelled and number of fires or false alarms in its premises, and have that all supported by a change in the law. If that happened, there would suddenly be a dearth of well paid, well motivated CEO’s in the country.

By calling security out individually means the security function will all to easily slip back into old behaviours of saying NO! to every request, only this time the reason given is not just “it’s not secure”, but also “Bob’s pay depends on it”.

This can only work if every other function of the CEO was also covered by similar laws as I said above. Sure, there are basic behaviour laws around financial, people, legal, facilities etc. such that a company can’t be embezzled, people can’t be exploited or put into danger etc.. But this recommendations makes security far to primary a concern. It also doesn’t even take into account the fact that determined hackers will get in anyway in many cases, or that data can easily be stolen through softer, social engineering techniques. Zero day exploit, never before seen? Sorry Mr CEO, you need to take a pay cut for not having a cyber crystal ball and defending against it. Determined nation state attacks? Tough luck you only have a cyber budget a fraction the size of the attackers, back to reduced pay.

I get that many folks are angry with the level of CEO pay and reward in the workplace these days. In the case of Talk Talk I find it astounding that Dame Dido Harding has been awarded £2.8 million GBP in pay and shares after what has to be an absolutely disastrous year fro Talk Talk. That said, I also don’t know the details of her contract and the performance related aspects of it; maybe she hit all of her targets, and cyber risk was not one of them.

This is where we need to address this; not in law and regulation, but in cyber savvy contracts and performance metrics within the workplace and enforced by the Board. No emphasis on cybersecurity, but a balanced view across the entire business.

No single part of a business is the special flower, we all have an equal and unique beauty and contribution to make.


Making the world angrier, one process at a time

Angry Thom BlogI have recently set up Family Sharing on my iOS devices, so that I can monitor and control what apps go on my kids devices without having to be in the room with them. Previously they would ask for an app, and I would type in my AppleID password and that was  that. Unfortunately with my new role I am travelling so much now that the thought of waiting a week before they can get an apps was causing apoplectic grief with my kids. Family Sharing was the solution, and when I had finally worked it out, we were goood to go and it works well. I can now authorise a purchase from anywhere in the world. I get woken up at 3am with a request for a BFF makeover or car crash game (one girl, one boy) but my kids are happy.

One problem however was that for some reason my daughters date of birth was incorrect, therefore indicating that she was an adult, and thereby breaking the whole “app approval” process. Straightforward to fix? Not at all.

I won’t bore you with the details, but it was the most frustrating process I have encountered in a long time. I admit, I misinterpreted the instructions along the way (they were a bit asinine in my defence), but it came down to the fact that I had to have a credit card as my default payment method for my family account, not a debit card, simply to authorise the change of status of my daughter from an adult to a child. In other words, I had to jump through hoops to restrict her  account rather than give it more privilege. Not only that, but from an account that already had the privileges in the first place. There didn’t seem to be any element of trust along the way.

I am sure there is a good, formal response from Apple along the lines of “take your security seriously”, “strong financial controls” etc, but as an experience for me it sucked, and if I could have worked around it I would have. Thankfully not all of Apple’s ecosystem works like this!

This is a problem for many information security organisations when they introduce procedures to support organisational change or request mechanisms. For instance, how many times have you seen a change request process require CISO, CIO and potentially even higher approvals for even simple changes? Often this is due to a lack of enablement in the organisation, the ability to trust people at all levels, and often it is a simple lack of accountability. It seems we regularly don’t trust either our own business folks as well as our own employees to make the right decisions.

Procedures like this fail in a number of places:

  1. They place huge pressure on executives to approve requests they have little context on, and little time to review.
  2. The operational people in the process gain no experience in investigting and approving as they simply escalate upwards.
  3. The original requestors are frustrated by slow progress and no updates as the requests are stuck in senior management and above queues.
  4. The requestors often work aroun d the procedure, avoid it, or simply do the opposite of what finally comes out of the request as work pressures dictate a quicker response.
  5. The owners of the procedure respond with even tighter regulations and processes in order to reduce the ability nof the nrequestor to wotk around them.

And so the cycle continues.

The approach I have regularly used in situations like this comprises of two tenets:

  1. Consider the experience of the user first, then the desirable outcomes of the process second.
  2. Whatever process you then come up with, simplify it further. And at least once more.

Why should you consider the expoerience of the user first? Who is the process for the benfit of, you as in formation secuity, or them as the end user? If you answered the former, then go to the back of the class. We are not doing security for our benefit, it is not security for the sake of security, it is to allow the user, our customers, to do more. If we make their experience bad as they do their best to make more money, sell more beer, do more whatever, security becomes an irellevance at best and a barrier to successful business at worst.

Making the requstors exoerience as painless and as straightforward as possible (perhaps eeven throw in a bit of education in there?) they are encouraged to not only see the long term benefits of using the procedure as we defined, but also become fanatical advocates of it.

Secondly, why should we keep it simple? Well not only to support the above points, but also because guess who is going to have to support the process when it is running? Of course, you and your team. If the process itself is bulky and unmanageable then more time will be spent running the process than doing the work that the process needs to support. If that amount of time becomes too onerous over time, then the process itself breaks down, the reporting on the process becomes outdated, and ultimately the process itself becomes irrelevant and considered a waste of time by those it affects.

Putting your requestors at the centre of your simplified process universe will always make that process more robust, more understood, more beneficial and of course more relevant to the business, and who can argue with that?

InfoSecurity Europe

I spoke at this years InfoSecurity Europe in London a few months back on articulating risk to senior management. Peter Wood, the moderator, did an excellent job as moderator of the panel, and even revitalised my faith in them after too many very poor experiences earlier this year.


Are you the most thrilling ride at the theme park?

emotional-rollercoaster-53445I recently spent the day in Thorpe Park (a bit like a down market DisneyLand for anyone not from the UK), and we were all looking forward to a day of roller coasters, silly ride photographs, bad overpriced food and generally some good fun. We had never been before, and my kids are now old enough to be able to go on almost all of the rides now. Much excitement was expected.

Yes, we had a good day overall, but not as good as it should have been. The first two rides we tried to get on as soon as the gates swung open were closed because of technical faults; both these rides were at opposite corners of the park, so after 30 minutes not only had we not even had one ride, we hadn’t even got in the queue for one. This somewhat set the tone for the day. At the fourth closed ride my wife gave some unfortunate teenaged park assistant an earful (he was rescued by a senior colleague). At the fifth we could only laugh and accept our fate. And so it went on; the photo booth to collect photos from one ride was closed after we had staged the perfect family shot on the ride, the hand dryers in the toilets all blew cold, cold air on a cold day, vending machines were out of order, and so on. The more we looked the more we found fault.

We still had a good day, but we won’t be going back any time soon, and conceded that in the theme park area at least, the Americans have by far the best theme parks compared to Britain.

The whole experience reminded me of some security groups I have experienced. We very often promise a world of smiling, excited faces, a world made better by our presence and an experience that will surpass your expectations. The reality is often a little more drab than that.

We often see security functions that allegedly “enable your teams to work more effectively”, or “allow you to leverage your creativity while we drive your competitiveness” and so forth. In our drive to be seen to be a benefit to the business (good), we often set ourselves up for failure as we establish these grandiose statements (bad). “Leveraging security to be a differentiator in the marketplace” is great, but only if you can deliver on it. An ISO27001 certification may help your business get more work initially, but if the basic principles of good security practice in your delivery teams is not there, that work will soon be lost. Your company workforce working securely and in harmony is the best way of supporting your business, not having a “security strategy that differentiates us to our clients”.

Let’s focus on getting the rides running properly in your security programme before marketing ourselves in a way that ultimately shows even our hand dryers don’t work.


Less is sometimes more; InfoSec’s role in the business

Funny-and-Lazy-Animals-7-300x229I read an excellent article the other day from a LinkedIn reference talking about how laziness can be an effective approach to productivity. It dispelled the myth that “leaning in” when applying yourself to your job isn’t always required to do a good job. There is no need to get up at 04:30hrs to get your morning yoga done before getting to the office at 06:00 and working through the next fourteen hours. it even makes mention of an old Prussian army management matrix that made use of this concept. It reminds me of a Bill Gate’s quote (although it sounds like Steve Jobs!):

I will always choose a lazy person to do a difficult job, because a lazy person will find an easy way to do it

When put like that it sounds right, and yet the concept of using a lazy person seems counterintuitive. Perhaps we should replace lazy with “busy”, or “time poor”, but I think the point is well made nonetheless.

It reminded me of when I wast first put in charge of an information security project to ascertain the organizations level of exposure to personally Identifiable Information (PII). There had been a number of high profile breaches in the media, and the leadership was concerned about how many records we had access to and what we were doing about it. My approach was to work with a very talented team of junior infosec professionals, and we came up with an amazing spreadsheet that tracked every facet of what we thought we might need with, with macros and reporting buttons, lovely color scheme etc. We even tried to make it as friendly as possible as the trick up our sleeve was that we would be asking 95% of the organisation to fill this in themselves (and therefore saving on high labour costs to get this done). The other 5% were the very risky ones we already knew, so they got a personal visit from us to make them feel really special!

After a month of pushing, chasing and cajoling, our completion rate was something like 13%, and we were just a few days away from our deadline. Senior management were not happy, and demanded a full review. The career dissipation light started blinking in my peripheral vision.

We were trying to be far too clever for our own good, far too detailed, we wanted to cross EVERY i and dot EVERY t, whatever the cost to the project and the business. We were detail oriented and were going to get the most accurate report this company had ever seen. Except we didn’t. I was clearly told in no uncertain terms that I had completely misunderstood the business, how busy they were, how finite detail wasn’t what was at stake but getting a good idea of the scale of the problem was, and also to understand that people are generally doing their best to protect the company and were not in the habit of hiding the sort of activities we were doing our best to uncover.

We reduced the 154 question spreadsheet to 10 questions, some of which were voluntary. They were the the most important questions we had to ask, and we subsequently got the data we needed in a little over three weeks for roughly 97% of the organisation (you can’t help some people unfortunately). I managed to keep my job.

Perhaps it is our backgrounds in audit and compliance, but we infosec professionals love our checklists, our questions, our matrices and black and white answers to really drill down to the finite detail. That is not to say that at times they are not important – a good penetration test does need to be detailed and very complete, but that is mainly because the expectation of it being so. It wouldn’t surprise me though if 20% of a pen test uncovers 80% of the vulnerabilities. Vendor security questionnaires, risk assessments, audits, project or team reviews etc., can all potentially be done just as effectively with an element of brevity. Understanding what is important to the business and not to the security function is key here. If infinitesimal detail is important to the business then by all means go for, just ensure that is what the business really is after. most of the time they just need a reasonable picture.

Creating barriers to the successful adoption of security practices by using fifty page reference documents, or encouraging people to work around a security risk because doing the right thing involves sign off from six different gatekeepers is not a recipe for success as it puts the organization in direct opposition to the security function. By making sure that checklists and questionnaires are focussed, relevant and to the point will only encourage people to adopt the security measure that matter because there is clear benefit for a small amount of input.

We have all got better things to do with our time than collate thousands of questions that we have insisted are answered in order to ensure that the ultimate security objectives have been met. In some instances there may be value in that, but in the majority of cases I would wager there is none.

And besides, the rugby/cricket/baseball* match is on this afternoon, so we need to leave early to catch the game.

*Delete as appropriate. Just don’t add football.