When It All Goes Pete Tong…

Murphy’s Law states:

“If something can go wrong, it will go wrong”

Many CISOs will also state:

“it is not a case of if you have been breached, but rather that you have, you just don’t know it yet”

Depressing as both statements sound by themselves, put them together, and you enter into a worldview of doom and gloom from which it is hard to crawl. It doesn’t matter what you do; there will always be a breach and multiple mistakes in your team. These factors create a perfect storm for finding a new job relatively quickly.

But there is hope that when you start a new role or join a new company, there is one thing that needs to be in place before anything else; the Incident Management Plan*. In all but the most security mature organisations, any improvements put into place by you will take months and years to bear fruit, during which time a disaster can strike without notice (the unknown unknowns hitting at an unknown time, if you will.) So making sure you have a plan to fall back on at a moment’s notice gives you space and time to respond appropriately while still being able to focus on the more fundamental changes you have in mind for the organisation.

But what to put into these plans? There are a few key points that should always be adhered to whenever writing a response plan:

Keep it Simple

Human beings are emotional sacks of meat and adrenalin when things go wrong. They can simultaneously be forgetful, angry, scared, sad, and even stupid. Therefore your plans, and by association your writing and grammar, need to be as simple as possible. It’s not an easy task and will require many edits, reviews and rewrites, but simplicity is your friend during a confusing and rapidly changing situation.

Keep it Flexible

Extending the first point, you also cannot create a prescriptive document. If you define every action based on a specific input, your plan will fail when that particular input isn’t happening. The plan needs to work on the principles of what must occur during an incident rather than the specifics of what needs to be done. It is useful, for instance, to focus on roles and responsibilities rather than activities; in this way, someone is accountable for “public communications”; how they achieve that is up to them, but the plan does not define it.

Know What’s Important

This is another way of saying, “Understand your critical services”. These services could be technology-based, process focussed or even role/person-specific. During an incident, the immediate focus is to get the bare minimum of services/capabilities/business operating again as quickly and safely as possible. Going back to Business As Usual is for later on. You need to know what the bare minimum is to achieve it.

The ISO 22301:2019 – Security & Resilience – Business continuity management systems standard is a great place to start to understand the mechanics of this element in more detail (and great for this topic as a whole).

Collaborate While Creating

It never ceases to amaze me how often plans like this get created in isolation across companies, divisions and departments. What that means, more often than not, is a competition for resources because they all assume they will have exclusive access to the resources required to see them through a crisis just because they have a plan.

Ideally, there should be a single master plan for the organisation that allows each discrete business area to manage their plans (essential in larger organisations). Then, all of these plans and their requirements are fed back into the overarching strategy to carry out capacity planning and coordination more effectively and efficiently.

Multi-channel Sharing and Education

This is the one time I will permit using a few trees to print out your plans. Electronic documents are still valuable and should be saved in different formats and on other devices and platforms (for redundancy, obvs). Have paper copies of the entire document, in addition to aide-mémoires, laminated “cheat sheets”, credit card numbers and any other creative approaches to ensuring the needed information is always available. Remember, this is a time of crisis; your laptop may be burning down with your building, and your phone may be out of battery with nowhere to charge. Base your communication and distribution methods on the assumption of Murphy’s Law above.

Test the Plan, Learn and Review

You must test the plan as much as possible, especially when creating it. If you feel brave enough, you can have a tabletop walkthrough or pull the plug on a data centre. Some third-party services allow you to test your plan in a virtual space using specialised communications tools that are even more realistic. Whatever the case, every time you check it, review it and feed the findings back into the plan. Even a slight improvement could make all the difference.

Test the Plan Again

Did I mention testing? Even if you have a real-life crisis, use the learnings and feedback to improve the plan again. Every opportunity to stress the crisis plan, people and procedures must happen.

Test it Again

It must be tested, whatever happens, at least once a year, and reviewed yearly. You will be surprised at how much your business changes over a year; a process may be updated, people and roles change, and telephone numbers and email addresses are frequently updated. If your plan doesn’t reflect even these simple changes, it is more likely to fail.

The Holy Trinity Mantra

Finally, if in doubt, remember these three elements of your plan. I like to ensure they are seen through in this order, but you may feel differently according to your business and how it operates. (If people don’t list as number one on your list, take a long, hard look at yourself.) Nonetheless, The Trinity remains the same.

  1. Focus on People – without your people, you have no business to speak of, recovered or otherwise.
  2. Focus on Facilities – even with just a pen, paper, telephone, and somewhere to work, your people can work miracles in keeping the business afloat. Keep them safe, secure and happy.
  3. Focus on Technology – get the systems running to take the strain off the people. This may take days or weeks, depending on the incident. Ensure your critical systems are running first, and that includes payroll. Paid people pull together in a crisis. Unpaid people don’t.

Hopefully, you will never have to use the plan, but if you do, feeling prepared for anything is a powerful way to ensure your best work on everything else on your list. Knowing that you have it ready to go is like remembering to take your umbrella with you when you leave the house. Because you have it, it isn’t going to rain; mildly annoying but so much better than getting caught in a monsoon in your best work attire.

*Also known as the Crisis Management Plan, Business Continuity Plan, When It Hits The Fan Plan, or any other variable that works for you, your company, and your business culture.

Consistency, consiztency, consistancy…

It will come as no surprise to most of you that I travel a lot to other countries, and as such I am a frequent visitor of airports and more memorably, the security procedures of those airports.

Every country has its own agency that manages this process, either outsourced or kept within government. Given the complexities of international and aviation law, I can well imagine the difficulties of staying abreast of the latest advice from a variety of different sources and applying it in a globally consistent way. But surely it can’t be that difficult, especially when it comes to the basics?

Here are just some of the more egregious examples of inconsistency that I have encountered around the world:

  • One airport that confiscated my nail scissors, despite the fact I had been carrying them (and had the case searched) through numerous security checkpoints before. The blade size was within accepted norms, except at this airport.
  • The security official that made me take my 100ml or less liquids out of the clear plastic case/bag I was using and put them into a clear plastic ziplock bag for scanning. I had been using that case for months, and continue to use it without issue to this day.
  • The security line where I didn’t have to take off my shoes or belt, nor remove laptops or liquids from my bag because “we have a sniffer dog”. In fairness they did have a dog running up and down the line, but I started to doubt its ability to smell knives or similar in my case.
  • Having travelled through five airports in four days, the final airport insisted that I take the camera out of my bag, as it is “standard practice in our country to do this”. Not before or since has it been a practice I have experienced, let alone a standard one.
  • Finally, the multiple security personnel who tell me to leave my shoes on, only to be told as I go through the scanner to take my shoes off and put them on the belt to be X-rayed.

It goes without saying that I approach every security checkpoint with a mixture of hope, despair and disdain, and always leave with one of those feelings prevalent. Obviously this is an analogy to our world of infosec, perhaps even a tenuous one, but I do feel it is one worth expressing.

How we guide our organisations to interpret and carry out the policies and regulatory requirements they are beholden to is vital to the attitude and approach the employees will take. Uncertainty breeds many things, in this case doubt and anxiety about how to behave. If a policy is not implemented consistently then how can it be observed consistently? If we are constantly surprising our users then we can’t blame them for feeling jumpy, anxious or unsure, and therefore critical of the service being provided.


Consistency is a very powerful tool to ensure people understand the policies, the purpose and even the vision of a security organisation. As soon as there is doubt, the very purpose of your security organisation is thrown into doubt. For example, why is BYOD allowed for senior execs and not for the rest of the organisation? Or why is a Mobile Device Management solution enforced on some parts of the business and not the other? In both these cases it only encourages the working around of the restrictions that subsequently weakens your security posture.

That is not to say exceptions cannot be made; that is why every policy etc. should have an exceptions statement. After all, expecting a policy to cover all eventualities is simply wishful thinking.

I dare say we all have inconsistencies, but it is in all of our interests to drive them out of our organisation wherever possible. Otherwise, you will have people like me wondering what kind of ordeal I am going to have to endure just to get my day job done, and that doesn’t help anyone.



What does a CISO actually do?

I read this wonderful article by Helen Patton, a CISO and contributor to Medium, in which she describes the seven main areas she spends her time on as a CISO: Technology, Data, Business, All The Other Internal Stuff, Vendors and Partners, Law Enforcement and Customers. (She also adds an eighth area, her Security Team of course!)

It is a fascinating read and one that tells a lot about the type of work a CISO will find themselves doing, and much of it resonated with me. I do believe however that the viewpoint is constrained by one aspect of her role, and one Helen states upfront:

Given that Cyber Security is about, well, cyber, and given that in my organization my administrative reporting line goes through the CIO, I spend a fair amount of time working on technology strategy.

It prompted me to write this post because I feel a CISO can do so much more once the role is removed from the auspices of IT. This has been a pet topic of mine for a number of years now, and it is a similar challenge CIOs once faced, i.e. not reporting into the highest level of management possible. I even spoke back in 2013 at RSA on just this topic.

This is a very common reporting line of course, largely because information security responsibilities often come out of IT, or the focus is purely on IT security and therefore fits into that service. It does however create potential issues:

  • The infosec message is filtered through the IT lens, and security issues become a smaller part of the overall IT programme.
  • The role is focussed significantly more on technology (the first item on Helen’s list above) and doesn’t take into account other factors, such as physical, people, or even awareness.
  • If the security function is dictating or heavily influencing technology and architecture, a conflict of intents can arise if there are security deficiencies in those aspects. There is no independent perspective on testing the environments, and a conflict of interest in highlighting deficiencies therein.

In these circumstances the role has a tighter focus, is more hands on, and may potentially not bring the benefits to an organisation that it could.

So what should a CISO be doing then?

The CISO primarily needs to be a representative of the business, and not of a department. By that I mean that the CISO is not always going to be the best information security professional, in the same way that the CFO is not always the best accountant. They are however the best person to make decisions that span their area of responsibility AND the business, and actually focus on the bigger picture.

My role as a CISO therefore is not to make the company the most secure company in the world. If I did that, it would be out of business in a matter of months; loss of agility, inability to invest, reluctance to accept certain projects etc. would make the company wholly unprofitable. My role is to help the company sell more, do more, innovate more and earn more… through the judicious application of security as a competitive advantage.

Put simply, a CISO needs to stop saying “No” to projects or requests that on the face of it are high risk, and stop expecting 100% security on rollouts prior to launch. That doesn’t mean we can’t aspire to perfection, or aim to build the very best environment we can, we just have to accept that something that is a high risk to us, may be a low risk to the business overall. Of course the business needs to understand what the security risks are and be cognisant of the risk when taking decisions, but security is not the single most important input here, it is one of many. We are advisors, not dictators.

The CISO therefore not only does many of the things Helen points out in her article, but goes beyond that; above everything else, in my opinion, is being able to truly understand the business, its challenges, goals and vision, provide performance information, read the company reports and educate the senior leadership on what risks there are without sowing F(ear), U(ncertainty) and D(oubt). In other words then, what does a CISO do…?

PowerPoint and politics.

Everything else is just details.


Direct Hit, Near Miss or Remote Miss? Why you are more confident than you should be.

In the years running up to the beginning of the Second World War the British government was extremely concerned that, in the event of hostilities breaking out, the German Luftwaffe would launch significant attacks against Britain and especially London. With an estimated 250,000 casualties in the first week alone, the consensus was that millions of Londoners would flee, leaving the industrial war engine to grind to a halt. Several psychiatric hospitals were even set up on the outskirts of London to handle the huge numbers of casualties psychologically affected by the bombing.

History tells us this was not the case, despite horrific numbers of casualties and extensive damage to homes, property and businesses throughout London.

A Canadian psychiatrist, J. T. MacCurdy, in his book The Structure of Morale postulated this was because the effect of a bomb falling on a population splits them into three groups:

1. The people killed by the bomb. As MacCurdy puts it:

the morale of the community depends on the reaction of the survivors, so from that point of view, the killed do not matter. Put this way the fact is obvious, corpses do not run about spreading panic.

Harsh, but true in this model.

2. The Near Misses, the ones that

feel the blast, … see the destruction… but they survive, deeply impressed. It may result in ‘shock’…and a preoccupation with the horrors that have been witnessed.

3. The Remote Misses. These are the people who hear the sirens and the bombs exploding, and watch the aircraft overhead, but the bombs explode down the street. For them the experience of the bombing is that they survived easily, unlike the Near Miss group. The emotion as a result of the attack…

is a feeling of excitement with a flavor of invulnerability.

Near miss = trauma, remote miss = invulnerability.

Diaries and recollections of the period certainly support these theories. For instance, when a labourer was asked if he wanted to be evacuated to the countryside (after being bombed out of his house twice) he replied:

What, and miss all this? Not for all the tea in China!

The reason for this attitude, the sense of invulnerability, is that they have been through the very worst of times… and survived. They had faced their fears, and realised they were not as bad as they thought they were going to be, and in fact the result of surviving had given them a sense of elation that made them feel even more alive than before.

This is a very long way of saying that we may very easily view security incidents and breaches like this. Sony (perhaps) are the ones right at the centre of the blast. They are affected directly, and don’t even run around spreading panic because they are too busy dealing with the incident itself.

The near misses, Sony’s vendors, suppliers and partners, are probably reeling from the near miss and doing all they can to ensure it doesn’t happen to them. In short, they are traumatised.

Finally, there is the rest of us. Yeah baby! Another breach, and it wasn’t us! We are invincible! We don’t need to do anything different at all, because we are survivors!

I think I see an issue here. Every time we are not breached, we become more confident that we will not be breached, and become overconfident and convinced we are having the time of our lives doing great stuff in the infosec world and not being breached. Let’s hope that bomb doesn’t drop too close to home to burst that bubble, otherwise “Career Is So Over” ceases to be a funny industry joke and becomes very much a reality. Take the precautions now, take the threat seriously, and do what you can now, before it is too late.

I would strongly recommend reading the book David &amp; Goliath by Malcolm Gladwell if you would like to read more about this concept as well as others along the same lines.

A personal note…

I am now under new employment as a result of an acquisition of my previous employer, and I have been fortunate enough to be elevated to Group CISO of the acquiring company. Unsurprisingly this has resulted in a massive new workload, travel schedule and responsibilities, and hence my distinct lack of posts these last few months. Despite this I have still been nominated for European Personal Security Blog 2015 in this year’s Blogger Awards; thank you!

Additionally, I am so proud to say that not only is my new employer keen to promote this blog internally in the new company, but also thrilled to say we have become the newest sponsor of the European Security Blogger Network.

Finally, I have been on the road a huge amount the last few weeks, including at RSA USA where I was very happy with my presentation at the RSA Studio; I spoke about how we have changed our approach to security awareness, and the use of the Restricted Intelligence product to catalyse it.

There were also talks at Munich Identity Management Conference, although the talks are not public yet.

Next week: BSides London, InfoSec Europe, European Blogger Awards and RSA Unplugged. I am mentoring a rookie at BSides, speaking at InfoSec as well as at the Tripwire booth, sponsoring (and nominated!) at the Blogger Awards, and just watching at RSA Unplugged.

It has been a busy few months!


Woof Woof, Bark Bark (or how to not support security in your organization).

I received the email below from a colleague at work. At first glance it is funny, the chief security officer being represented by a dog… Hilarious! Of course security is just about being able to bark at people and occasionally bite them. This role isn’t about corporate responsibility or even enterprise risk management; it is about wagging your tail and barking at people and getting them to do things because you have barked it so.

I’m having second thoughts about my growth plan if this is where it leads to.

CSO dog

If I am honest, I am guilty of this too. I have often described myself as an “overpaid security guard” to people who haven’t a clue about information security, and they nod knowingly at me, thinking they understand InfoSec policy, enterprise risk and even DLP.

The above example of belittling the security function of an organisation has steeled me into action; if I can’t explain the role of a CISO/CSO to my mother, then I need to re-evaluate what it is I am doing and the impact it has on the business. It also annoys me that the role of CISO is so easily belittled. I don’t think I have ever seen a CFO role boiled down to an image of a coffee bean, or even the CIO image reduced to a mouse or keyboard. What makes this worse is that this product offers “the highest security for your files in the cloud” and yet this is how seriously they take security.

A fundamental part of this is down to us as CISOs and security people to ensure we don’t belittle ourselves to ingratiate ourselves. It is extremely difficult for us to ensure we are valued and respected in our organisations as it is, and sometimes the somewhat subservient/comedic route feels easiest. This is not the best way; it is the longest and hardest route to acceptance and understanding because the role is by its nature seen as a frivolity and a hilarious side act.

(We should note however that there is a place for humour in security, and if used correctly it is extremely effective. The point I am making above is that security as a serious subject should not be presented as a humorous aside.)

I recall a situation where I noticed someone working at a hot desk who had no visible identification. I asked around if anyone knew who the individual was, and nobody did. As I approached the individual I was met with a chorus of “get him Thom” and “tackle him mate!” etc. with much hilarity ensuing. None of it was meant meanly of course, but it was synonymous with the simplistic attitude to security. If any of the people who had spoken those words had any real idea of the security implications of having someone in their office without any idea of who they are, then their response may have been a bit more serious. The best part is of course that I had plainly failed in my security education and awareness with this group of people.

We are not guard dogs. We are not security guards (although they are an important part of the security function). We are not bouncers. We are not doing security for theatrical effect.

We are here to protect your revenue, your reputation and your bonus payouts. We are here to ensure we maintain good relationships with our clients, and allow our organisations to take on greater risk and therefore reap greater reward. We are here to help inform the business of security risk and advise as required.

What’s so funny in that?

Note: I have been extremely quiet on here these last few months; my role has changed dramatically at work, requiring more travel and less time for the frivolous acts of blogging. Combine that with a busy schedule with Host Unknown and my other infosec commitments and I have neglected this blog site somewhat. Hopefully this post sees me back in the saddle again, and you can always catch up with me on Twitter. Oh, and the holiday was good too!
