Direct Hit, Near Miss or Remote Miss? Why you are more confident than you should be.

_39166788_blitz416_gettyIn the years running up to the beginning of the second world war the British government was extremely concerned that in the event of hostilities breaking out, the german Luftwaffe would launch significant attacks against Britain and especially London. With an estimated 250,000 casualties in the first week alone, the consensus was that millions of Londoners would flee, leaving the industrial war engine to grind to a halt. Several psychiatric hospitals were even set up on the outskirts of London to handle the huge numbers of casualties psychologically affected by the bombing.

History tells us this was not the case, despite horrific numbers of casualties and extensive damage to homes, property and businesses throughout London.

A Canadian psychiatrist, J. T. MacCurdy, in his book The Structure of Morale postulated this was because the effect of a bomb falling on a population splits them into three groups:

1. The people killed by the bomb. As MacCurdy puts it

the morale of the community depends on the reaction of the survivors, so from that point of view, the killed do not matter. Put this way the fact is obvious, corpses do not run about spreading panic.

Harsh, but true in this model.

2. The Near Misses, the ones that

feel the blast, … see the destruction… but they survive, deeply impressed. It may result in ‘shock’…and a preoccupation with he horrors that have been witnessed.

3. The Remote Misses. These are the people who hear the sirens, the bombs explode, watch the aircraft overhead, but the bombs explode down the street. For them the experience of the bombing is that they survived easily, unlike the Near Miss group. The emotion as a result of the attack…

is a feeling of excitement with a flavor of invulnerability.

Near miss = trauma, remote miss = invulnerability.

Diaries and recollections of the period certainly support these theories. For instance, when a laborer was asked if he wanted to be evacuated to the countryside (after being bombed out of his house twice) he replied;

What, and miss all this? Not for all the tea in China!

The reason for this attitude, the sense of invulnerability, is that they have been through the very worst of time… and survived. They had faced their fears, and realized they were not as bad as they thought they were going to be, and in fact the result of surviving had given them a sense of elation that made them feel even more alive than before.

This is a very long way of saying that we may very easily view security incidents and breaches like this. Sony (perhaps) are the ones right at the centre of the blast. they are affected directly, and don’t even run around spreading panic because they are too busy dealing with the incident itself.

The near misses, Sony’s vendors, suppliers and partners are probably reeling from the near miss and are probably doing all they can to ensure it doesn’t happen to them. in short why are traumatized.

Finally, there is the rest of us. Yeah baby! Another breach, and it wasn’t us! We are invincible! We don’t need to do anything different at all, because we are survivors!

I think I see an issue here. Every time we are not breached, we become more confidant that we will not be breached, and become over confident and convinced we are having the time of our lives doing great stuff in the infosec world and not being breached. let’s hope that bomb doesn’t drop too close to home to burst that bubble, otherwise Careers is So over ceases to be a funny industry joke and very much a reality. Take the precautions now, take the threat seriously, and do what you can now, before it is too late.

I would strongly recommend reading the Book David & Goliath by Malcolm Gladwell if you would like to read more about this concept as well as others along the same lines.

A personal note…

PubGr_logoI am now under new employment as a result of an acquisition of my previous employer, and I have been fortunate enough to be elevated to Group CISO of the acquiring company. Unsurprisingly this has resulted in a massive new workload, travel schedule and responsibilities, and hence my distinct lack of posts this last few months. Despite this I have still been nominated for European Personal Security Blog 2015 in this years Blogger Awards; thank you!

Additionally, I am so proud to say that not only is my new employer keen to promote this blog internally in the new company, but also thrilled to say we have become the newest sponsor of the European Security Blogger Network.

Finally, I have been on the road a huge amount the last few weeks, including at RSA USA where I was very happy with my presentation at the RSA Studio; I spoke about how we have changed our approach to security awareness, and the use of the Restricted Intelligence product to catalyse it.

There were also talks at Munich Identity Management Conference, although the talks are not public yet.

Next week, Bsides London, InfoSec Europe, European Blogger Awards and RSA Unplugged. I am mentoring a rookie at Bsides, Speaking at infoSec, as well as at the Tripwire booth, sponsoring (and nominated!) at the Blogger Awards, and just watching at RSA Unplugged.

It’s has been a busy few months!


Are you the most thrilling ride at the theme park?

emotional-rollercoaster-53445I recently spent the day in Thorpe Park (a bit like a down market DisneyLand for anyone not from the UK), and we were all looking forward to a day of roller coasters, silly ride photographs, bad overpriced food and generally some good fun. We had never been before, and my kids are now old enough to be able to go on almost all of the rides now. Much excitement was expected.

Yes, we had a good day overall, but not as good as it should have been. The first two rides we tried to get on as soon as the gates swung open were closed because of technical faults; both these rides were at opposite corners of the park, so after 30 minutes not only had we not even had one ride, we hadn’t even got in the queue for one. This somewhat set the tone for the day. At the fourth closed ride my wife gave some unfortunate teenaged park assistant an earful (he was rescued by a senior colleague). At the fifth we could only laugh and accept our fate. And so it went on; the photo booth to collect photos from one ride was closed after we had staged the perfect family shot on the ride, the hand dryers in the toilets all blew cold, cold air on a cold day, vending machines were out of order, and so on. The more we looked the more we found fault.

We still had a good day, but we won’t be going back any time soon, and conceded that in the theme park area at least, the Americans have by far the best theme parks compared to Britain.

The whole experience reminded me of some security groups I have experienced. We very often promise a world of smiling, excited faces, a world made better by our presence and an experience that will surpass your expectations. The reality is often a little more drab than that.

We often see security functions that allegedly “enable your teams to work more effectively”, or “allow you to leverage your creativity while we drive your competitiveness” and so forth. In our drive to be seen to be a benefit to the business (good), we often set ourselves up for failure as we establish these grandiose statements (bad). “Leveraging security to be a differentiator in the marketplace” is great, but only if you can deliver on it. An ISO27001 certification may help your business get more work initially, but if the basic principles of good security practice in your delivery teams is not there, that work will soon be lost. Your company workforce working securely and in harmony is the best way of supporting your business, not having a “security strategy that differentiates us to our clients”.

Let’s focus on getting the rides running properly in your security programme before marketing ourselves in a way that ultimately shows even our hand dryers don’t work.


Why do we put brakes on cars? Perhaps not for the reason you think.

Bosch Predictive Emergency Braking System

I have never liked the analogy;

Why do we put brakes on cars? So we can go faster. Therefore we put security controls in place so we can do riskier things.

I mean, I get it, the analogy makes sense, but like many analogies, if we are not careful they are likely to become a little too one dimensional. We also have brakes on cars to slow down for traffic lights, to ensure we don’t go too fast and run into the back of  the car in front, and also to stop the car quickly to avoid someone crashing into us. I am sure with a squeeze and a shove we could fit these analogies into an infosec analogy, but why bother?

I was reminded of this particular analogy and why I don’t like it this morning as I read my paper. The headline really resonated with me;

‘Living rooms’ on wheels put drivers at risk

The Times, Monday 23rd February 2015

The Times, Monday 23rd February 2015

The article discusses how the increase in technology in cars has actually led to an increase accidents in recent years. The anti-lock brakes, stability control etc. is creating complacency amongst users, and putting them and others at risk.

If we are not careful we are shifting towards this in our industry. It is of course a good thing to focus on secure coding practises, OWASP, secure by design etc., because that is as important as a seat belt and an air bag in a car (oops, see how easy it is?!), but if we try and put everything into those particular controls, we are abdicating responsibility away from the user more and more. By creating an insulated and isolated environment in which they operate there is no positive/negative feedback loop, no opportunity to learn from mistakes, near misses or even dumb good luck. They quite literally are on their own being guided only by what their immediate vicinity is reporting to them. Another quote;

They are as uninvolved in the process as they can possibly be

This could be describing our users and clients who we are removing more and more responsibility from when it comes to making sensible, thought out decisions about basic security. We are removing their perceived responsibilities as they say to themselves “if the system is letting me do this, it must be alright” as they download malware specifically designed to undermine so called built in security. (Actually the quote is from Peter Rodger, chief examiner for the institute of Advanced Motorists commenting on cars being turned into living rooms.)

Let us continue to understand how mature our security development framework is, let’s observe the OWASP top ten, but let’s also continue to establish clear guidelines, education and expectations of our people at the same time. If we don’t, we may be congratulating ourselves little too early for running a good security programme.

If we do that, we risk going back over a century in time, and putting the cart before the horse, let alone putting better brakes on the car.

(If you want good analogies however, that can help your people truly understand the information security environment they are operating in, head over to the The Analogies Project.)

Securi-Tay IV

TransparentLogo1-e1423236103647I will be spending the end of week with the Abertay University Ethical Hackers at their Annual Securi-Tay conference in Dundee. It’s a great conference so if you are at a loose end for Friday and in the area make sure you rock up and say hello to the lovely folks up there!


Are you one of “them”? Damaging your information security efforts without even knowing it

90ee2b65615c3fda2b2c4190697c34d4It was ten to six in the morning, and I was on the  station platform waiting for my train to arrive to take me to London. As I walked past two people who were talking, one of them was earnestly telling the other about problems in his office that were caused by “them”:

they’ve changed the heating in the office to make it more consistent apparently but what they don’t realise is that it is sending us all to sleep. They just don’t get it, they’re idiots, and it’s a waste of money

It seems the faceless bureaucrats and management just don’t get it at this gentleman’s place of work and are doing everything they can to hinder the company’s ability to work effectively! But scratch a bit deeper and you may see a slightly different story of trying to deal with complaints from parts of the building that are too cold, using antiquated heating systems that don’t balance heat well the further from the heat source they are, or even just trying to make everyone feel more comfortable in the cold winter months.

The unfortunate impact of their actions though is that productivity has dropped in some areas, and the impression of the team and people behind it has dramatically reduced.

I have regularly stressed the importance of information security ultimately contributing to the success of the business, allowing it to sell more beer if you will, but that is only possible if you understand the business, collaborate with the people on the ground, and align your efforts to their goals. By treating risks in isolated parts of the business without looking at the wider impacts you run the risk of overheating other parts of the business. What initial makes sense in one place does not make sense in another, and the quick win you thought you had really turns out to require a far more nuanced approach.

If what you are doing is simply unavoidable and impacts to the other parts of the business will be felt, then collaboration and communication is vital. Explaining the complaints, challenges, risks etc. and allowing them to voice their feedback is important to ensure people remain bought into your plans. Who knows, you may actually get some better ideas from them that you hadn’t even considered. This approach requires nerves of steel and the skin of a rhino though, as many will see the opportunity to take a swipe at you, but seeing the process through is far more effective in the long term.

Asking for feedback afterwards, chatting to individuals and leadership about what they think about what you have done, and putting that feedback to work to improve your next iteration of the programme all help bring people on side and improve the effectiveness of your information security stance.

Once you are seen to be working in the long term interests of the company and the people who work there, decisions you take and implement will be seen in that wider context, and not just as the actions of someone just “doing their job” and being one of… them.


Attitude, Knowledge, Opinion and Expertise; an information security career map?

opinionI was talking to one of my colleagues a few days ago who joined our team a little under a year ago. Althea (I promised her a name check here) actually joined the security team from the small group of personal assistants in the company. While this is perhaps not the most obvious place to recruit into a technically savvy environment from, Althea has very quickly become an excellent member of the team.

I often hear in conferences and panels about the security skills shortage we are currently suffering, and I regularly quote the story of Althea joining us as an example of how we are very often simply looking in the wrong places and should be looking to promote from within more. Althea has been with the company for six years (a long time these days) and was working for and supporting some of the most senior people in our company. She had to be organised, forthright, able to communicate succinctly and above all remain calm under pressure (you know how senior executives can be sometimes).

For me, her attitude is far more important than her technical ability. Technology and hard skills are things that can be taught in relatively short periods of time; attitude is something that takes a lot longer to learn, decades even. Althea is already well on her way to getting the requisite technical skills required of her role, but her organisational skills, contacts within the organisation, and ability to communicate to people throughout the organisation whatever their seniority is second to none.

I was talking to her about this and related the competence framework I use to try and understand both mine and others maturity in their role. When first moving into a new role you move through each of one of these phases of competence:

  • Unconsciously Incompetent
  • Consciously Incompetent
  • Consciously competent
  • Unconsciously competent

(you might want to reread those a few times, I know I did when I first came across them)

So, if you start with the right attitude, you are going to minimise the amount of time you spend being unconsciously incompetent, as the next logical step is to acquire knowledge. This allows your to bring the right skills to bear onto your role, and bring you quickly into being consciously incompetent and possibly beyond. Minimising the time you spend in the first two phases is of course very important to your career.

But knowledge really isn’t everything. Those with just the knowledge can’t see beyond their day to day tasks and roles; they are unable to see the “big picture” as everything is focussed around technical solutions and black and white answers to business problems. (Just listen to some of the “questions” asked at every security conference you go to; they are not really questions but affirmation that their knowledge is greater than the speaker. They wholly miss the point that knowledge is actually all they have.) I would suggest that forming your own opinions on subjects is a logical and vital step in anyone’s career path. Business problems are not black and white, there are a variety of approaches, solutions, outcomes and inputs that those with a purely knowledge/technical viewpoint simply won’t appreciate. Forming and gathering these opinions takes place through reading, observing, listening, writing and finally testing your opinions in the community. These experiences are not just the gathering of specific knowledge, but the nuances of what can be right in one circumstance, wrong in another and even every possibility in between.

For instance, shipping a single, failed drive that was part of a RAID 5 cluster back to the manufacturer may be the right thing to do for some organizations. From a security knowledge perspective this is anathema unless the drive has been degaussed or even fully destroyed; it completely depends on the business, circumstance and many other factors. Encrypting backup tapes? Obviously this should be done, except of course when it shouldn’t, for the same reasons as before. Security is only one opinion in a sea of opinions that matter.

Having opinions in this industry is vital to stimulate conversation and evolve our understanding and viewpoints in our own workplaces. Once this opinion is applied in a considered and effective manner, only then could one possibly consider themselves having “expertise”, and I wouldn’t label yourself that before someone else does first.

In order to allow your team to grow in this manner it is vital to encourage them to engage with both the internal company community as well as information security community as a whole. Encourage them to take part in any related event, internal and external, or even organise one. What about volunteering to help at a conference, or ultimately even apply to speak? By giving your team members the opportunity to research, write, precis, deliver, defend and receive feedback on a topic of their choice they have the best opportunity to take their knowledge beyond the day to day and into the more opinion based level of the strategic, and become better decision makers in the process.