Why >WE< must meet the demands of the business

At the recent RSA conference in San Francisco, David Spark asked the question “Why doesn’t the business align better with security?” and there were some interesting responses:

I actually only agreed with the last comment from Michael Farnum (whom I have followed on Twitter and finally got to meet for the first time at RSA… see “bald men of security” in my RSA roundup). He rightly says that that the business should not align with security, as it is the role of security to align with the business. Compare this to the question “Why doesn’t the business align better with IT?” or “Why doesn’t the business align better with HR?” and the question immediately becomes moot.

levelI think David was right to ask the question because it has uncovered with greater clarity something that I and many other have been talking about for some time now, namely that security for too long has been carying out secrurity for its own sake rather than supporting the business achieve its goals. In my own paraphrased words “this is what I need security to do to help me sell more beer“.

This was reiterated by Andy Ellis at a session at RSA where he said precisely this;

are you the conscience of the business or an enabler to the business?

Finance is there to provide money, make that money work more effectively and ensure the money is providing the best value for the good of the business. IT is there to provide technology services at the best possible value for the good of the business. HR is there to provide people, support them, nurture them and align them (or move them  out), for the good of the business.

What is your security programme doing for the good of the business, rather than the good of security? Asking this question alone will help you along to your business goals and actually help them achieve their goals, not yours.


Really Silly Attitude? Ropey Sales Approach?

cashRSA has had a tough few years; the subject of a high profile phishing attack in March 2011 resulting in the loss of information related to their SecureID product. They denied it was an issue until three months later when information gained from that attack was used against other companies, including Lockheed Martin, and had to subsequently replace a large number of the tokens.

In September this year they recommended that customers of their BSafe product should stop using the built in, default, encryption algorithm because it contained a weakness that the NSA could exploit using a backdoor and therefore would be vulnerable to interception and reading. How very open and forthright of RSA I thought at the time. Despite the potential damage they may be doing to their brand by giving this information freely out, they are doing so in their customers interests and at the same time offering secure alternatives. It reminded me of the early nineties and the pushback against the Clipper chip, with RSA at the forefront protecting client interests and pushing back against the spooks of the three letter agencies of the USA. Here is what D. James Bidzos said at the time:

“We have the system that they’re most afraid of,” Bidzos says. “If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically theatening to the N.S.A.’s interests that it’s driving them into a frenzy.

Powerful stuff. The newly formed Electronic Frontiers Foundation would have been proud.

 Now this is where it gets interesting and has raised the shackles of many in the Twittersphere and internet echo chambers. A few days ago it was revealed that the real reason for RSA to have used a flawed products for so many years was because the NSA paid them to. It wasn’t a huge amount of money although it possibly helped save the division that runs BSafe in RSA that was struggling at the time.

Businesses change. Leadership changes. Market forces steer a company in different direction to one a degree or another. To my mind though, to deliberately weaken your own product for financial gain is extraordinarily unwise. By taking the money, RSA have declared that profit is above patriotism, whatever your view of patriotism is. If they took no money at all, there would be a good defence that the decision was taken in the national interest and to work harmoniously with the governmental agencies that protect the USA from danger. Unfortunately organisations that have relied on RSA’s products to secure their data have been let down simply to make a fast buck,

In October this year Art Coviello spoke about “Anonymity being the enemy of Security” at his Keynote at RSA Europe. That statement takes on a very different viewpoint now.

The response has been fairly unanimous, but here is one that got me thinking about my relationship with RSA:

Mikko RSA

I personally wouldn’t go this far as I go to network with friends, peers and colleagues, as well as listen to folks from the industry talk and present; I don’t necessarily go to listen to RSA as such. However this kind of reaction is going to have an impact on RSA that is likely to be felt for a number of years to come. Most security people I know are somewhat distrusting in the first place (hence why they are in security very often!). To have these revelations is going to have an impact both in their mainstream business as well as their conference business, so often seen as the gold standard of conferences globally.

If the last few years were tough for RSA, what is the next few years going to be like for a giant in our industry?


Amsterdam has them now: RSA Europe 2013 and playing the Game of Thrones

IMG_2991As usual it was a great week at RSA Europe, as much for the hallways track as all the other tracks on offer. Whilst it may not be as large as it’s bigger brother in San Francisco the move to Amsterdam from London seems to have given the conference a new sense of purpose and scale. The potential to grow in this location is obvious. But I hope it doesn’t grow too much more; there was always a sense of knowing what was going on and when, and where you were in relation to the auditoriums and speakers. I am sure that sense of perspective is more than lost in the scale of RSA San Francisco.

It still had it’s challenges, all minor. For instance, tea and coffee points that seemed perpetually shut throughout the day, a distinct lack of activities on Wednesday even after a 17:00hrs close, and perhaps the location did not lend itself to the kind of out of hours socialising that London had to offer. For me the Novotel bar became the centre of my networking experience, no bad thing, but I would wager there were a few more hotel bars doing the same thing meaning the networking was seriously fragmented.

The usual suspects were there for me to socialise with as well as some new faces, such as Tor and Kjetil from Norway who were both intelligent and hilarious, a combination I always enjoy. I managed to meet a few more of our industry “luminaries” as well which is always interesting (never meet your heroes!), as well as catch up with others I had met previously and enjoyed their company and insights.

IMG_2998For me the whole conference was focused upon 14:40hrs on the Thursday when I presented “Playing the Game of Thrones: Ensuring the CISO’s Role at the King’s Table”. Not only was I presenting in my own right but I was also presenting content and an approach that I had synthesised from a variety of sources and my previous thoughts and theories. The session went extremely well, was watched by a number of people I know and respect, and was fully attended (with even a couple of people having to stand). Questions at the end were thin on the ground although I had noticed that throughout the conference, but the feedback has been phenomenal. I haven’t had the formal feedback from RSA yet, but their newly introduced conference app allows me to see a certain degree of feedback on both me as a speaker as well as the talk itself.

RSAC Europe 2013 GRC-R08 THOM LANGFORD.005

The slides are above in PDF format, and are also available in Keynote format here. My good friend and evil twin brother Kai Roer kindly filmed the talk as well, and as soon as that is available I will be publishing that on YouTube. One of the key reasons for doing so is to invite more comments on the material itself, as I made a few bold statements that I am sure not everyone would agree with. For instance, the less influence a CISO has, the more prescriptive (and lengthy) the policies are, in turn making them less effectives. This is based on my observations only rather than research, so getting feedback on points such as this helps inform everybody more.

All in all it was a great week, making new friends and meeting old ones and always learning new things almost every hour. Here is my honour roll of folks from the week that made it as memorable as always:

Javvad, Brian, Kai, Kjetil, Tor, David, Dave, Bruce, Tor, John, Dwayne, Quentyn, Neira, Josh, Martin, David & Olivier (my apologies to anyone I left out, it is the fault of my memory and not how memorable your were!).