Interview – Page 2 – Cyber Security Leadership

Martin Ruskov: People follow examples, not advice

Interview with Martin Ruskov – Researcher in Exploratory Learning

Martin

Martin Ruskov recently completed his PhD on Educational Serious Games in the Information Security Research Group at UCL. As part of his research he developed a prototype for participatory information security, based on the Conjunction of Criminal Opportunity framework (a holistic crime prevention framework). The prototype is currently being used in graduate classes on security at UCL and Oxford University. Martin has previously worked in the broader field of interactive media and has been involved in teaching in leading organisations across Europe.

What problems do you see with human behaviour and security compliance?

People follow examples, not advice. In other words, for them it is important to see that management take security policies seriously by taking the lead in compliance, not only say so, but later circumvent them. This is a general management issue which was summarised very well by Chris Argyris for HBR in 1991 but there is growing evidence (as in the yet unpublished work at UCL’s Information Security Research Group ) that this is an important issue and subsequently awareness and behaviour of management needs to be addressed.

When management is compliant and transparent about it, the rest will follow. However, this is an expensive process, not only financially, but again in broader resources, with delayed returns.

Finally people are inclined to seek easy answers. Unfortunately reality is complex and very often a simple rule how to handle certain situations cannot be written. The challenge is to find a balance between personal responsibility and judgement on one hand, and efficiency on the other.

Can game-based learning help to resolve this issue?

I am far from convinced that game-based learning is the way to address awareness and behaviour change at the level of senior management.

However, game-based learning and captology have suggestions that show how attention can be attracted, ideas can be explored, and potential solutions can be advocated and encouraged.

How to improve security awareness trainings?

Complex issues require extensive discussion, and feedback about practice as a way to be grasped. It is my strong belief that these are activities that require a lot of effort on behalf of facilitators, trainers or lecturers.

I believe that a sensible way to try to optimise awareness training is to try to automate trivial issues when there exists the desired clear-cut yes or no answer, so that resources can be dedicated to lengthier and confusing discussions about complex topics.

How to improve usability of security controls?

This is a very difficult issue. Ease of use usually means less need for the users to deeply comprehend the underlying mechanisms. As an illustration we can use personal computers, for example usability paradigms in the OSX vs Linux operating systems . Whereas OSX has always the coolest interfaces, presets and skins, it leads people into an Instagram-like mainstream fashion where superb content can be produced with minimal effort. Linux, on the other hand gives users complete control. This leads on one hand to much higher threshold to entry, but on the other to much more experimentation and learning in the process of doing. Ideally we would want professionals (in this case CISOs, and information security officers in general) to be able to work out everything themselves, but in fact we can rarely afford the necessary resources (e.g. time and money) for that. Academia takes this approach – both in mathematics and project management many professors would ask students first to work out a method by hand before they engage with the tools that automate it, but again with academia one of the biggest challenges is that the curriculum is overloaded and not flexible enough to meet new challenges.

How companies should change their approach to information security management?

I believe a continuous iterative approach would provide valuable insights of the issues in context. Information security is an arms race between attackers and preventers. It is difficult to involve in it employees who have other primary tasks, but security managers should be ready to accommodate contributions from volunteering employees. It is much more productive and efficient to collaborate with the people willing to engage, which would hopefully lead to wider engagement from others. Hopefully such an approach would lead to broader awareness culture among employees, while yet maintaining their focus on their main professional goals.

Mo Amin: You can transform technology but how do you transform people?

Mo Amin – Information Security Professional

Can you please tell us a little bit about your background?

Long ago in a galaxy far far…oh ok…ok…Just like a lot of people in IT I got asked the same question “My PC has died, can you help me?” When you say yes to one person it’s a downward spiral…and before you know it you’re THE computer guy! Even now I (depending on my mood) will help out. So this was my first real experience in building rapport with clients, charging for my time and to a certain extent being held accountable for the service I provided.

I taught me a lot and was a catalyst in helping me to land my first role in desktop support. I was part of a small team which allowed me to get involved in some network and application support too. Whilst doing my day role I was involved in a couple of investigations, which got me interested in information security and through a few lucky breaks I slowly moved into the field. I’ve been lucky enough to have worked in a number of areas ranging from operational security through to consultancy. However, I’ve always intrinsically enjoyed the awareness and education side of things.

What is it that you are working on at the moment?

I am working with Kai Roer of The Roer Group to help develop the Security Culture Framework. Essentially, the framework aims to help organisations to build a security culture within their business, as opposed to simply relying on topic based security awareness. Making sure that organisations begin to build a security culture into their business is something I believe in strongly. So when Kai asked if I’d like to help I was more than happy.

Let’s talk for a moment about information security in general. What do you think are the biggest challenges that companies are facing at the moment?

I think that one of the biggest challenges is educating staff on the risks that the business faces and getting people to understand and relate to why it is that we are asking them to adopt secure practices. The problem revolves around changing the attitude and overall culture of an organisation. In my humble opinion, this is the biggest challenge. The difficulty lies in changing behaviour because you can change technology but how do you positively change the behaviour of people?

What is your approach or proposed solution to this challenge? What should companies do?

I’ve always learned by seeing something in action or by actually doing it. Obviously, within the context of a busy organisation this isn’t easy to do. However, as information security practitioners, professional or however we label ourselves we need to be more creative in our attempts to help those that we work with – we need to make awareness more engaging. I think it’s important to have workshops or sessions in breakout areas where staff can come along see how quickly weak passwords are cracked, what can happen if you click on that dodgy but enticing looking attachment. It’s about visualising and personalising threats for people, for example, if you plan your awareness programme carefully you could map your corporate security messages for the home environment and provide your staff with a “Top 10 of do’s and dont’s” Make it creative and engaging and the messages that you give for their home environment they will begin to bring them back to the office.

Lots companies offer security awareness training, which doesn’t seem to have much of an impact. What do you think about these trainings? Should they be changed in some way in terms of targeting, or accounting for individuals’ particular needs, or focusing on behaviour?

The problem is that most of this is simply topic based awareness, in that it’s not seeking to change behaviour. There seems be to be a lot of generic content that applies to everyone in an organisation. Sadly this is a tick-box exercise for the purposes of compliance. Awareness should be unique to your organisation where you cater for different personality types as best you can. Some people actually like reading policies where as some prefer visual aids, so the ways that individuals learn needs to be better understood. The process of educating your staff should be a sustained and measured programme; it needs to be strategic in its outlook.

What about communication?

Better engagement with the business is what we need to be doing. Our relationships with the likes of legal, HR, finance, marketing, PR should be on an everyday basis not only when we actually need their expertise. These departments usually already have the respect from the business. Information security needs to be seen in the same light.

How do you identify the relevant stakeholders and establish communication with them, and further propagate the whole process of communication within the organisation?

Grab a copy of the organisation chart and start from there. Your job is to introduce yourself to everyone. In my experience doing this over a coffee really helps and preferably not in a meeting room, because it is better to create a new business relationship in a social context, wherein the other person gets to understand you, firstly as a human being and secondly as a work colleague. Most importantly, do this at the beginning and not two months down the line. Building relationships at the very beginning increases your chances of being in the position of asking for last minute favours and paves the path for easier collaboration, as opposed to having to ask for people’s help when they don’t even know you. Usually people are open and honest. They may have a negative image of information security, not because they don’t like you, but most likely because of the interaction they’ve had in the past.

So let’s say that you have joined a new organisation that has a very negative preconception of information security because of a bad previous experience. Once you have already identified all the key people you have to work with, how do you fight this negative perception?

You need to find out what was done previously and why the outcome was negative in the first place. Once you’ve established the actual problem, you have to diffuse the situation. You need to be positive, open and even simple things like walking around and talking to people – show your face. Visit different departments and admit any failings, you need to do a PR and marketing exercise. In a previous role I’ve actually said

“I know what went wrong the last time, I know we screwed up. I want to ask you what you want to see from the information security department from now on.”

People are ready to engage if you are, be personable and be professional. It’s surprising how much positive and usable feedback you actually get.

The majority of the time, people will tell you,

“I just want to be able to do my job without security getting in the way”.

Once you have these sorts of conversations going you begin to understand how the business actually functions on a day-to-day basis. It’s at this stage where you can be influential and change perception.

Javvad Malik: One of the biggest challenges that companies are facing is securing at the same rate of innovation

Interview with Javvad Malik – Senior Analyst at 451 Research and blogger at http://www.J4vv4D.com

Javvad

Could you start by telling us about yourself?

My first proper job was during my work placement year during my degree as an IT security administrator at NatWest Bank which, to be honest, I had no idea what this job was about. Actually, very few people knew what it was. But as a student doing a degree in Business Information Systems, I needed to specialise in something and so I went and took this job to see if I could make any sense of this field. I figured that this bank was a huge company and if things didn’t work out in IT Security, I could always explore opportunities in other departments.

Back in the day, there was around seven people in the security operations team for the whole bank, and only three for the monitoring team with whom we only had an intermittent communication. NatWest was then acquired by RBS and I remained in IT security for the next five years, during which I moved more to the project-side of security, as opposed to the operations-side. I had more interactions with the internal consultancy-team and their job appealed to me, because they didn’t seem to need to keep so up-to-date with all the latest technologies from a hands-on perspective and they made more money.. I was unable to make an internal move so I decided to get into contracting and stayed within financial services, where the majority of my roles involved arguing with auditors, resolving issues through internal consulting, being the middle-man between the business and pen-testers, project reviews, and the sort.

On the side, I got very interested in blogging. Blogs were the new fantastic boom readily accessible and cheap for everybody. Suddenly everybody with a blog felt like a professional writer, which I enjoyed, but found it a difficult area in which one could differentiate or bring a unique perspective to. I then tried video blogging, which I discovered was bloody hard, because it takes a lot of skills to help you look like a professional instead of like an idiot most of the time. But because I was among the first to get into this type of delivery mode, my profile was raised quite quickly within the security community, and perhaps to an even broader one. One of the advantages to video blogging that I uncovered was that people who watch you can somehow relate to you better than if they just read your work: they can see your body language, hear your voice, your tone, everything. The result is quite funny, because it often happens to me that when I go to a conference, somebody will greet me as if I’m their best friend. Because they see me so often on YouTube, they feel like they know me. It’s very nice when people acknowledge you like that, and it goes to show that the delivery channel really has that impact.

So because of this impact, one day, Wendy, the research director at 451 Research, asked me if I would be interested in becoming an analyst. In reality I had no idea what an analyst did. She said that I would have to speak to vendors and write about them, which sounded a lot like blogging to me. She immediately said, “yes, it is pretty much like blogging,” to which I then replied, “well, I have my demands. I do video blogging, I’d like to attend and speak at conferences and I don’t want any restrictions here, because I know that many companies impose restrictions around this kind of activity.”

Currently I’ve been an analyst for the past two years, which I have enjoyed very much and has allowed me to broaden my skillset; not to mention give me the opportunity to meet a ton of extremely talented people.

Where do you predict will the security field go?

When I was starting in the field, nobody really knew what security was. Then came the perception that it was all about hackers working from their mums’ basements. Then, they were assumed to be IT specialists, and then that they were specialists who didn’t necessarily know much about IT but who knew more about the risk and/or the government background and now everyone is just confused

Security itself is very broad. It is kind of like medicine: you have GPs who know a little bit about everything, which is the base level of knowledge. For complex cases they will refer you to other doctors who specialise in, say, blood, heart, eyes, ears, and other specific body parts. The same applies to security. You will have some broad generalists and others who are technical experts or those who are more into security development and can tell you how to use code more securely. You then have non-technical security people, who know more about understanding the business, the risk, and how to implement security into it. You also get product or technology specific experts who are only there to maybe tune your SIEMs for you, forensics experts, incident-response specialists, and so on. You will find specialists with overlapping skills, just as you will find those who possess unique abilities as well. Security has exploded “sideways” like that. So you can call lots of people “security experts” but in reality they are very different from each other, which means that they are not necessarily interchangeable. You can’t, obviously, switch a non-technical person for a technical one. I believe that one of the signs of immaturity within the industry is that people still don’t recognize these differences, which often leads to lots of finger-pointing in situations like: “you don’t know how to code, how can you call yourself a security professional? You don’t understand what the business does. You’ll never be a security professional.” These kinds of things, I think, are the natural growing pains of this and any industry.

What will probably happen going forward is that as things become increasingly interconnected and peoples’ whole lives more and more online, you will have more and more of a visibility of security. Additionally, we will see the need to extend the capabilities outside of the enterprise into the consumer space. We are already seeing an overlap between personal and corporate devices. So I think that everything will kind of bleed into everything else: some areas will become operationalised, others will be commoditised, but I think that there will continuously be a need for security that will always have to be there. What that will look like will probably be different to what we see today.

What kind of challenges do you think will the companies face in the future in terms of security?

One of the biggest challenges that companies are facing is securing at the same rate of innovation. Every company wants to be the first one to develop a new way that they can hook in with their customers. Whether this is in the form of being the first in developing a new app that can enable consumers to do banking, or to do payments and inter-payments, and so on, which sometimes comes at the cost of security. Balancing this business case between the perceived benefits and the security risks of it can be very challenging. The speed at which businesses want to and need to innovate, because that’s what the market is forcing them to do, is making security cost-prohibitive.

The other challenge is that the business model for many companies lies almost exclusively in advertising revenue. Nearly every mobile app or social media site or other online service that is free is typically generating either their primary or supplementary revenue by selling user information. With so many companies trying to grab data and sell to the highest bidder – we have a big challenge in educating users in terms of what security risks lie as well as trying to enforce good security practises within the vendor space but without breaking business models.

How would you say companies should then approach this challenge in the first place?

The way that companies typically “solve” this challenge is by burying their head in the sand and outsourcing the problem. So they will go out to another company and ask them: “can you offer us a secure platform to do it?” To which they answer, “of course we can. Just give us your money.” The challenge is that companies and individuals don’t appreciate that poor security choices made today may have an impact that will not be immediately felt, but perhaps in a few months’ or years’ time. Sadly, by then, it’s usually too late. So this is what both companies and individuals need to be careful about.

Returning to the point about security professionals being very diverse, what’s the role of security professionals from the risk governance and compliance perspective? Can you elaborate more on the security culture within a company and how can it be developed?

Security culture is a very difficult thing: it is not impossible but it relies on understanding human behaviour more than technical aspects. Understanding human behaviour means understanding personality types and how they respond to different environments and stimuli, which can be more challenging that understanding technical aspects.

The general observation that I can make about human behaviour, regardless of the personality type, is that people don’t tend to be aware of what they are giving up. The best and most prevalent example would be how much in demand mobile apps are and how insecure they are, because people unknowingly give away lots of data in order to have access to them. Chris Eng from Veracode makes an excellent analogy by saying that “people usually don’t care what they are agreeing to as long as they can still fling birds against pigs.” This is the crux of it. People don’t think it makes much of a difference if they give their email address away, or if they let the app access their GPS data or their contacts, because they can’t perceive a direct impact. The problem is that this impact might not be felt until ten years’ time. So if you are giving data to Facebook, Instagram and Whatsapp, for example, you can’t really predict what will happen later on. In the last year Facebook acquired both Instagram and Whatsapp. So now you have a single company that holds all of your photo data that you maybe didn’t want on Facebook, along with all the stats on your behaviour that you’ve been feeding to Facebook, along with the people you are chatting to, and so on. So now Facebook has an incredible amount of information about you and can target and market a lot better. Someone could also use all this data for any purpose. I’m not saying that Facebook or other companies gather users personal data for malicious purposes, but it reminds me of the saying, “The path to hell is paved with good intentions.”

How can you make people change their behaviour?

You have to make it real and personal for them. You have to make that personal connection. In security we tend to say: “we have 50,000 phishing emails that come through every day, and people click on them.” But to the individual user, that doesn’t really have that much of an impact. Are we making this information personal? The communication methods and the techniques that we need to change behaviour are there, we don’t need to reinvent it with security people who don’t understand how communication necessarily works or who are not the best communicators to begin with.

We can remember how 15-20 years ago, nobody cared about recycling, because nobody really cared about the environment. It was just a few people in Greenpeace with long hair and who smelled a bit funny who were trying to stop the oil companies from drilling into the sea, for example. Now, you go into any office and you find 10 bins for every different type of recycling material, which everybody now uses. It’s been a long-term campaign which finally created that social change, and which now makes it unacceptable for people to behave in another way. As you walk on the street, you will see that very few people, if any, throw wrappers on the floor. They usually hold onto them until they get to a bin and then they dispose of them. We need to adopt the same practices to change behaviour in security and in many cases that means actually letting people who know how to market and communicate do that for us instead of trying to do it all ourselves.

Daniel Schatz: It is generally appreciated if security professionals understand that they are supposed to support the strategy of an organisation

Interview with Daniel Schatz – Director for Threat & Vulnerability Management

Daniel

Let’s first discuss how you ended up doing threat and vulnerability management. What is your story?

I actually started off as a Banker at Deutsche Bank in Germany but was looking for a more technical role so I hired on with Thomson Reuters as Senior Support Engineer. I continued on to other roles in the enterprise support and architecture space with increasing focus on information security (as that was one of my strong interests) so it was just logical for me to move into that area. I particularly liked to spend my time understanding the developing threat landscape and existing vulnerabilities with the potential to impact the organisation which naturally led me to be a part of that team.

What are you working on at the moment and what challenges are you facing?

On a day to day basis I’m busy trying to optimise the way vulnerability management is done and provide advice on current and potential threats relevant to the organisation. I think one of the challenges in my space is to find a balance between getting the attention of the right people to be able to notify them of concerning developments/situations while doing so in a non-alarmist way. It is very easy to deplete the security goodwill of people especially if they have many other things to worry about (like budgets, project deadlines, customer expectations, etc.). On the other hand they may be worried about things that they picked up on the news which they shouldn’t waste time on; so providing guidance on what they can put aside for now is also important. Other than that there are the usual issues that any security professional will face – limited resources, competing priorities with other initiatives, etc.

Can you share your opinion on the current security trends?

I think it is less valuable to look at current security trends as they tend to be defined by media/press and reinforced by vendors to suit their own strategy. If you look at e.g. Nation state cyber activities; this has been ongoing for a decade at least yet we now perceive it as a trend because we see massive reporting on it. I believe it is more sensible to spend time anticipating where the relevant threat landscape will be in a few months or years’ time and plan against that instead of trying to catch up with today’s threats by buying the latest gadget. Initiatives like the ISF Threat Horizon are good ways to start with this; or follow a DIY approach like I describe in my article

What is the role of the users in security?

I think this is the wrong approach to ask this question to be honest. Culture and mind-set are two of the most important factors when looking at security so the question should emphasise the relationship of user and security in the right way. To borrow a phrase from JFK – Do not ask what users can do for security, ask what security can do for your users.

How does the good security culture look like?

One description of culture I like defines it as ‘an emotional environment shared by members of the organisation; It reflects how staff feels about themselves, about the people for whom and with whom they work and about their jobs.’ In this context it implies that security is part of the fabric of an organisation naturally weaved in every process and interaction without being perceived to be a burden. We see this at work within the Health & Safety area, but this didn’t happen overnight either.

How one can develop it in his/her company?

There is no cookie cutter approach but talking to the Health & Safety colleagues would not be the worst idea. I also think it is generally appreciated if security professionals understand that they are supposed to support the strategy of an organisation and recognise how their piece of the puzzle fits in. Pushing for security measures that would drive the firm out of the competitive market due to increased cost or lost flexibility is not a good way to go about it.

What are the main reasons of users’ non-secure behaviour?

Inconvenience is probably the main driver for certain behaviour. Everyone is unconsciously constantly doing a cost/benefit calculation; if an users expected utility of opening the ‘Cute bunnies’ attachment exceeds the inconvenience of ignoring all those warning messages a reasonable decision was made, albeit an insecure one.

What is the solution?

Either raise the cost or lower the benefit. While it will be difficult to teach your staff to dislike cute bunnies, raising the cost may work. To stick with the previous example, this could be done by imposing draconian punishment for opening malicious attachments or deploying technology solutions to aid the user in being compliant. There is an operational and economic perspective to this of course. If employees are scared to open attachments because of the potential for punishment it will likely have a depressing consequence for your business communications.

Some will probably look for ‘security awareness training’ as answer here; while I think there is a place for such training the direct impact is low in my view. If security awareness training aims to change an organisations culture you’re on the right track but trying to train users utility decisions away will fail.

Thank you Daniel!

Konrads Smelkovs: Very few insiders develop overnight

Interview with Konrads Smelkovs – Incident Response

Konrads

Could you please tell us a little bit about your background?

I work at KPMG as a manager, and I started working with security when I was around thirteen years old. I used to go to my mother’s work, because there was nobody to look after me. There used to be an admin there who used to run early versions of Linux, which I found to be rather exciting. I begged him to give me an account on his Linux box, but I didn’t know much about that, so I started searching for information in Altavista. The only things you could find there was how to hack into Unix, and there were no books at the time I could buy. I downloaded some scripts off the internet and started running them. Some university then complained that my scripts were hacking them, though I didn’t really understand much of what I was doing. So my account got suspended for about half a year, but I got hooked and found it rather interesting and exciting, and developed an aspiration in this direction. I then did all sorts of jobs, but I wanted a job in this field. So I saw an add in the newspaper and applied for a job at KPMG back in Latvia, 6 or 7 years ago. I was asked what it is I could do, and I explained to them the sort of things I had done in terms of programming: “a little bit of this, a little bit of that…”, I did some reading about security before the interview, and they then asked me if I could do penetration testing. I had a vague idea of what it entailed, because I understood web applications quite well. So I said, “yeah, sure. I can go ahead and do that because I understand these things quite well.”

What are you working on at the moment?

In the past I used to focus mainly on break-ins. Now people resort to me for advice on how to detect on-going intrusions, which takes up a large portion of my time at the moment, but more at a senior level. I do threat modelling for a corporation. I have to know how to break-in in order to give them reasonable advice, but it’s mainly in the form of PowerPoint presentations and meetings.

When you develop threat models for corporations, how do you factor in insider threats as well as the human aspect of security?

I believe the industry oscillates from one extreme to the other. People spoke a lot about “risk” but they understood very little about what this risk entailed. They then spoke about IT risks, but it was more of a blank message. Then it all became very entangled, and there was talk about vulnerability thinking: “you have to patch everything.” But then people realised that there is no way to patch everything, and then started talking about defence strategies, which pretty much everybody misunderstands, and so they started ignoring vulnerabilities. This especially happened because we all had firewalls, but we know that those don’t help either. So what we are trying to do here is to spread common sense in one go. When we talk about threat models, we have to talk about who is attacking, what they are after, and how they will do it. So the “who” will obviously have a lot of different industry properties, why they are doing it, what their restrictions and their actions are and so on. Despite the popular belief in the press, in The Financial Times, CNN, and so on, everybody talks about the APT, these amazing hackers hacking everything. They don’t realise that the day-to-day reality is quite different. There are two main things people are concerned about. One of them is insider threats, because insiders have legitimate access, and just want to elevate that access by copying or destroying information. The second is malware, which is such a prevalent thing. Most malware is uploaded by criminals who are not specifically after you, but are after some of your resources: you are not special to them. There are very few industries where there is nation-state hacking or where competitive hacking is current. So when we talk about threat models, we mainly talk about insider threats within specific business units and how they work. This is what I think people are most afraid of: the exploitation of trust.

How do you normally advice executives in organisations about proper information security? Do you focus on building a proper security culture, on awareness training, technological/architectural means, or what do you consider is the most important thing they should keep in mind?

We need to implement lots of things. I believe that a lot of the information security awareness training is misguided. It is not about teaching people how to recognise phishing or these sort of things. It is about explaining to them why security is important and how they play a part in it.

Very few insiders develop overnight and I believe that there is a pattern, and even then, insiders are rare. Most of the time you have admins who are trying to make themselves important, or, who out of vengeance, try to destroy things. So whenever you have destruction of information, you have to look at what kind of privileged access there is. Sometimes people copy things in bulk when they leave the company, to distribute it to the company’s competitors.

So lets say you develop a threat model and present it to the company, who’s executives accepted and use to develop a policy which they then implement and enforce. Sometimes, these policies my clash with the end-users’ performance and affect the way business within the company is done. Sometimes they might resist new controls because privileges get taken away. How would you factor in this human aspect, in order to avoid this unwanted result?

Many companies impose new restrictions on their employees without analysing the unwanted result it may lead to. So for example, if companies don’t facilitate a method for sharing large files, the employees might resort to Dropbox which could represent a potential threat. Smart companies learn that it is important to offer alternatives to the privileges they remove from their employees.

How do you go by identifying what the users need?

They will often tell you what it is they need and they might even have a solution in mind. It’s really about offering their solutions securely. Rarely is the case when you have to tell them that what they want is very stupid and that they simply should not do it.

Finally, apart from sharp technical skills, what other skills would you say security professionals need in order to qualify for a job?

You have to know the difference between imposing security and learning how to make others collaborate with security. Having good interpersonal skills is very important: you need to know how to convince people to change their behaviour.

Thank you Konrads.

Jitender Arora: The key to success is to approach any change from human psychological perspective

Interview with Jitender Arora – Information Security & Risk Executive (Financial Services)

Arora

Could you please start by telling us about your background?

I am a Computer Science and Engineering graduate, with Masters Degree in Consultancy Management. I had been a very technical, hands-on person from the very beginning of my career. I spent the first two years building firewalls, proxy servers and hardening UNIX servers. After few years, I was presented with an opportunity to move into information security and risk. At the time, I was working for Wipro Technologiesand they were building a Security Consultancy Practice, which would be front-ending with their customers, and working on the projects. The organisation was recruiting for this practice from other parts of the organisation so I decided to move into this new practice which proved to be a very exciting and challenging assignment. That’s where my journey in terms of “information security and risk”started from. Later, I had leadership roles in organisations like Adobe Systems and Agilent Technologies. I moved to the UK around 8 years ago, and that’s when my journey began working in the financial services sector.

What do you do now?

Around four years ago, I decided to quit my job and start my own small consulting firm with two friends I had met at RBS. We did a good job for two years, and build a good profitable business. Unfortunately, due to some unavoidable circumstance the partnership didn’t work out and we decided to amicably part ways. After that, I didn’t want to jump into the first thing that came along, and so I focused on my independent journey as Interim Executive in leading business transformation and change programs that address governance, risk and compliance problems faced by my client organisations. My engagements are outcome oriented to deliver the specific outcome for the client organisation. Over the last 3 or 4 years, I have built a strong reputation of being an outcome-oriented management consultant.

You are a very well known speaker within the industry. What made you decide to engage in this sort of activities as well?

It was not an intentional choice. I was once having a conversation with my best mate, Javvad Malik, around the need for new speakers at conferences who are able to present a different point of view. In a way, Javvad encouraged (or should I say pushed, Thank You Jav) me to go ahead and speak at conferences. At that point, I wasn’t too keen on it because I have always felt anxious about speaking in a public forum. Additionally, English is not my first language, which represented another barrier. But I decided to face my fear, and just go along with it. When I actually started speaking, I received an encouraging response from the audience and attendees liked my take on topics which they said provided a unique perspective. Being a very pragmatic consultant, I usually have a different point of view, as opposed to being a paranoid view. I approach security & risk problems and issues as a business person which provides a different perspective, so that’s where I think I got some good recognition from the market, especially in the speaking circuit. I believe speaking engagements not only present an opportunity for building your own personal brand but also helps sharpen your selling and marketing skills. The way you approach people, build their perception of you, sell yourself and your ideas, it’s a very good skill to have which is not generally taught in school or at university. Now, I encourage my colleagues and professionals to speak at events.

Returning to what you were saying about being an outcome oriented consultant, could you please elaborate on how changes can be implemented within organisations when these changes involve people and their behaviour? How do you address the people aspect of security?

As a security professional, when you implement a new security control, you are usually changing the way people are operating. A very simple example would be when implementing a control in terms of how people access production system. So if you go into an organisation in which their practices have been acceptable for the past 10 years, and you suddenly tell them that they can no longer follow same practice, you are, in a way, taking a privilege away from them and they will react accordingly. The analogy that I usually use for this is if I suddenly tell my son, who normally watches 1 hour of T.V. a day for the past several years, that he cannot watch it without taking permission every time and not more than 30mins from now on. He will not like it and will most likely rebel and show his displeasure.

As security professionals we try to change the process, and we want to introduce a certain level of governance on top of it. It’s very important to manage the people aspect of implementing such changes for security. You need to get people on your side before you actually implement these controls. It is a lot about socialising, and communicating, which brings me back to the point on selling and marketing. You have to package, sell and market these changes by conveying the message that “even though we are taking this privilege away from you by implementing these controls, we are going to give you something in return: We will guarantee that you run your business in a compliant manner and do not get audit findings or regulatory issues in which you will have to invest to address them”. So returning to the original example, it’s about establishing a secure way of accessing production systems which, although might be different from existing methods and might involve a little extra work, will ensure that everybody can continue to do their job while being compliant. We will create a robust production access environment: “So let’s be proactive and address this situation together before someone else comes and asks us to fix it.”

There are some of security professionals who scare the clients and users as a strategy for avoiding unwanted behaviour, by telling them, for example, that they might even risk getting fired. What is your opinion on this approach?

If you scare people too much, they will be scared as long as you are in front of them, but the behaviour won’t change. The objective should be to change the behaviour, and when we say “behaviour”, we are referring to the way people operate on a day-to-day basis. Make sure that they don’t see this as a temporary situation, but as a routine. A very simple example for this would be physical security guards. We have security guards in all the office buildings who are standing on the side, observing people, looking for individuals who may seem malicious or suspicious. But they don’t intimidate people around them. You might even be able to approach them for directions and they will kindly answer if they can help. But the moment they detect somebody suspicious, they will intervene. Now let’s imagine that instead of having these friendly security personnel, we had big bouncers who are aggressive. Would you feel okay approaching them? Sometimes security in our context operates like those big nightclub bouncers, because it is intimidating. So business people stop inviting you as a security professional to their business initiatives because they see security as the big intimidating bouncer: as a problem. For them, if you bring security in, you are bringing a problem in. That needs to change, and it largely depends on relationships and how you manage those relationships, how you come across in your meetings with them, and what they main message of your proposition is: “we are not taking anything away from you, we are going to help implementing new controls that will allow you to run your business in a secure and compliant manner meeting legal and regulatory obligations.”So it’s a trade-off and it’s a lot about perception, so the scaring tactic I don’t think works for too long.

You have come up with a way of selling all of your services to the executives and they understand the value of them. What about the actual people who use the service?

I think of executives as the same as the end-users, so the methods I use to sell security doesn’t change at for different levels. It’s the way you deliver message and what message you deliver has to be adapted for different levels. Business executives will normally focus on how you are going to solve the problems that will allow the business to address the compliance issues and meet regulatory requirements. They are the ones that get chased around by the auditors and the regulators. But for the end-users, compliance is not their problem. They never get to own or see these auditing issues. From their perspective, they have a business to do, a server to manage, an infrastructure to run, they want to operate the way they have done so far. So if bringing in new security controls doesn’t mean making life difficult, they are happy to participate. As a security professional, that’s the message that you can give: “we are not here to make your life difficult, but to make sure you have the right tools to do your job effectively in a secure and compliant manner.”

As a preliminary step to implementation, would you have to first understand what it is people normally do on a day-to-day basis?

Absolutely. The very first thing I like to do is to see these users or consumers of these controls as my key stakeholders. One thing I always do in any of these change programmes is approach stakeholders including user groups in their working environment, and make them feel comfortable. Ask them, listen to them and understand what their problems are. What is it that they like that they would like to keep, and what they don’t like that they would like to have changed, and what is it that they might have seen somewhere else and might be a good thing to include as part of this change. Key benefit from being in listening mode is that people become part of the journey because they have largely contributed to the creation and design of these new controls. The key to success is to approach any change from human psychological perspective and engaging them by asking, listening and taking their feedback on board. Another thing that I always make sure to do is to fix the things they don’t like in the existing environment. Listen to people; understand what they like, what they don’t like, make sure you can fix their problems, and if they want something else, try to help them get it: get them on your side. Make them feel like they are part of this journey and also give them credit for their contribution to the success.

Let’s imagine that a security manager decides to implement a security policy in any given company. Let’s say that they take a standard framework like, say, ISO 27001, they tweak it a bit and apply it into the company’s environment. Do you see any potential problems with this?

Frameworks are a good start. But what lots of organisations do is that they lift the framework as is and if you look at the policies in most of them, there is not much difference. But if you think of different types of organisations like the financial services, investment banking, or law firms, you have many different environments: you have different drivers and they come with a very different set of challenges. A lot of professionals, who write policies, do so in isolation. They don’t spend time understanding how a specific organisation carries out its business. An interesting question would be, once a policy is written, whom do you want to be the target audience? Is the policy being written by security people, to be interpreted by security people? Or is a policy being written by security people, to be understood by security people, when in reality it is supposed to be meant for business people? In one of my previous engagements, I had security experts writing the policy, and I then hired a technical writer to review, proof-read and rewrite the policy. The end products between the policy written by the security experts and by the technical writer were completely different: the latter was much more understandable by the business community. We don’t realise that, unless an external person comes along and starts asking questions –“oh, what do you mean by this?”- that the language is not easily understandable for everyone. So I believe that every organisation should hire competent technical writers to translate their security policy, standards and guidance from specialised security jargon into a language that is understandable for business people.

So once your policy is written in understandable terms for everyone, how do you make people read it and comply?

The first thing I do in any organisation is that I visit their homepage and type in “information security”. If the policy doesn’t come up as the first search result, something is wrong. If people can’t find the security policy, how can you expect them to read it? How can you expect them to comply?

Another thing that I have done in few organisations is to conduct a simple survey, by asking three simple questions to business community:

Do you know that we have an information security department?
Do you know services this department has to offer?
Do you know how to contact them if you need it?

It’s very eye-opening and you get lots of strange responses from the business people. Many times they do not know how to contact the security department or what services they provide. If they don’t know you exist, how can they possibly approach you? We can have a fantastic policy embedded in some website, but nobody is looking at it nor reading it.

Another problem is that security policies are long documents: They are not exciting, they are not novels. So I wouldn’t expect business people to read each and every bit and understand it. The probability to succeed can increase if you can provide them a platform where they are able to search when they need to and know where to go and look for answers when they need it. And this touches the point of approachability and availability of the policy and guidance.

But lets focus on the policy itself. How many policies do we have in a typical regulated organisation that we expect employees to read and comply with? E.g. security, anti-money laundering, acceptable use, expenses, travel and anti-bribery policy etc: it’s a huge list. Think about how long it takes an individual to read those policies, understand, remember and follow them. We’re human, it’s not possible. What’s important is that on a day-to-day basis there are some aspects that you need to demonstrate and follow as a normal business user and whenever in doubt go and seek answers. I like to refer to this as “acceptable behaviour”, not only in terms of privacy and security but overall behaviour.

You can take key messages from all of your relevant policies, and communicate them in friendly, simplistic and interesting terms linking it back to acceptable behaviour. It’s not the computer-based training (CBT) that can change human behaviour, but human-to-human interaction. It’s about helping people understand how to do what they do on a day-to-day basis, how to make their daily life easier and making the information accessible if they need to know more.

To wrap it up, you have mentioned previously that it is important to build a good security culture within the organisation. How do you define a good security culture?

A good analogy for this would be our behaviour regarding airport security, what we know we can do and what not to do, as well as reporting anything that may look suspicious. We are generally aware of our surroundings, especially when we are in an unknown territory. This is very natural to us in the physical world where we can see, hear and touch things in our surroundings. The challenge now is that we are spending so much of our time in this virtual world, where our senses can’t be used in the same way. We have to ask ourselves what key risk indicators in this virtual world are. How should we conduct ourselves in this virtual world? This is the kind of awareness that needs to be built into people’s behaviour. I think this journey should start from earlier stages in life, when people are being schooled. When I was in school, when I was growing up, my parents used to tell me: don’t talk to strangers, don’t accept anything from strangers, don’t give away your personal information to people you don’t know well, and so on. It’s an advice on how to conduct yourself safely in the physical world. Now, those messages have to change. You need to build a culture into the newer generations who are now and will be spending so much of their time in the virtual world. The definition of stranger in the virtual world is different from that in the physical world. The definition of “acceptable behaviour”in this virtual world has to be different from physical world. The definition of those risk indicators haven’t changed. One cannot expect behaviour to change on the first day a person joins the workforce, because by that time, behaviours are already formed.

The moment people become security aware, they become security advocates who can help spread this awareness on behalf of the security department. The organisations have to start a chain-reaction by making a few people security-aware and sending the message across the organisation. Everybody becomes self-aware at some point and starts thinking on his/her own about what is right and wrong. But this doesn’t happen because of computer-based training or policies. It is the change in human behaviour that is required in the long-term.

Thank you Jitender

Yousef Syed: Most people understand security from the real world

Interview with Yousef Syed – Enterprise Security Architect at Bayvision Limited

Syed

Let’s start with the basics. How did you start your journey in information security?

Back in 1998 I graduated with a BSc in Computer Science and chose to focus on Object Oriented Analysis & Design and Java. In September 1999 I started contracting in the telecom industry in Netherlands. It was a unique, pre-dotcom-crash situation. A brand new multi-billion-dollar joint venture between two telecom groups – loads of money, starting from scratch with next to no infrastructure – really brilliant place for a relatively new graduate to come in to. A start-up with loads of money! While, officially regarded as a “Web Developer”, since they had no developer PCs, no servers, no DEV/TEST/Prod, no source-control, no standards, no policies, no DMZ; I ended up being involved in everything – and it was great! Set up policies, set up development standards, and specifying and ordering the PCs and software for the developers; specifying the servers for the website/database, and then being in meetings with the networking people to define what the firewall rules were going to be, and what we needed to do. Basically, doing everything!

A year later, I began a contract in Munich working as a secure Java developer using the new JAAS (Java Authentication and Authorisation Service) API in an Agile/Extreme programming team. So back in 2000 I was exposed to security and ever since I’ve kind of been in-and-out, either just doing application development or some other branch of security.

Then, in 2005 while I was working permanently with Accenture and I was exposed to identity management as a specific field –Thor Xellerate (later to become Oracle Identity Manager). Working on various client sites, I found identity management very interesting because it cut across every part of the business. Everybody in the business needs access to multiple, different systems, and the IDM provisions and de-provisions the users with the appropriate level of access, for all users.

Very interesting. What are you working at the moment?

In January, I was contacted by a cloud-based accountancy firm regarding a cyber-security voucher that the government was funding to encourage Small and Medium sized firms and Sole-traders to improve their cyber security stance.

It was one of the more enjoyable projects I’ve been involved in. Compared to working in a large faceless organisation, or government department, where you might disappear in amongst thousands of other small cogs, and your influences is small; here, you get to make an impact. When you are working in a smaller organisation of about 50 people or up to 200 people; your influence and impact is clear to see and is appreciated by the client. More over, since I’m communicating directly with the business leaders, the security serves the business needs instead of just an individual department’s needs.

Why do you think this is important? What is the main difference between working for a small company compared to a big one?

I believe you are going to understand their business better, so you can give genuinely relevant advice. You don’t need to worry about keeping your consultancy/employer or specific business-unit happy. You just need to focus on the business, and on giving them the best advice for them.

I hope to keep doing this for the foreseeable future, because it is easy to get bored of working in big companies. I mean, big organisations are nice because you get exposed to good technology, complex problems and huge projects etc., but as far as getting return for your work where you actually see results there and then; then you can’t beat the immediacy of an SME. You don’t need permission/sign-off from a dozen different stakeholders before you update that policy document. You change that policy or that you give them a piece of advice that has changed their focus to create a secure coding development platform; how to improve testing on that; you’ve given them access to resources they didn’t even know about, and you’ve given them new ideas and new perspectives.

And you’ve also shown them how they can actually improve themselves. So if they go for ISO 27001, that might be a differentiator between themselves and their competitors, and it’s also something that they can tell their customers: “We value your data privacy seriously, we have these standards in place, and we’re looking after you.”

When you work in security, you take a lot of things for granted. But then you go to some small or medium-sized companies, and they’ve been so focused on building their small business and delivering new functions, security is way back in their list of priorities. Now you get to raise that up and show them that it not only benefits them on the compliance side of things, but that the benefit also lies in their knowing where their data is, who has access to their data, they know when they have access to it. And you can put all sorts of different levels of controls onto things and give them a far greater peace of mind about how they are dealing with things internally to their company and how they are dealing with things with regards to their product. So delivering this cyber-security voucher to SMEs is something that I’m pursue with a lot more zeal at the moment, because I never knew about it before, and I know it can make a big difference to all of them. £5K is pretty meaningless to your average Fortune 500 company, but to an SME it is a pretty big deal.

What in your opinion is the main obstacle in implementing a similar approach in large corporations?

One of the problems with large corporations, and the same thing in government, is that each separate individual department has a budget. And they need to work to that budget, and they need to ensure that they are doing enough so that they get the same budget or more next year. And it gives a very narrow view to what they are doing. For me the best security (and IT investment in general) is when it is applied at the enterprise-level, across all of the various business units, and considers how we can make all of these people work well together. There is no point in having a really strong security in your finance department, when another department isn’t even talking to them, and they are doing similar work but on different platforms. On the one hand, you are wasting money, because they are duplicating work, they are duplicating data, they are duplicating the risks involved: in fact they are not even duplicating, they are making the risks much wider, because they may not be tracking where the data is going, and on another platform; its going all over the place.

[So if one department has Oracle DB, another is running Sybase and another small team has MS Access; a) You have the cost of the separate platforms; b) separate licensing for same task; c) you need to harden each platform separately; d) you need define a mechanism to share the data across the systems to maintain the integrity of the data; e) you need to support and patch separate systems etc. Conversely, the enterprise could have defined a single Database platform that all departments to use thus saving a world of pain.]

And while the ISO 27001 and various other standards out there will give you a kind of check-box compliance, “yes, we did this, we did this,” it doesn’t give you the kind of thing to say, “I feel comfortable about this.” Yes, you might feel comfortable about it if the legal department comes and questions you about it, but do you feel comfortable enough about it to be able to say that we have done a good job here, and we have delivered something to the client that actually works for them?

What about the security culture?

Yes, one of the things that I kept on stressing to one of my clients was: “you have a culture here that works for you. You have a very nice environment because everybody knows what’s going on here. If you are a developer, you know everybody in marketing, you know everybody in sales, and everybody knows you. And you have very free-flowing information going on, and it helps a great deal in how you operate. So when you are adding security controls, you don’t want to break what’s already working. You want to make sure it becomes better”.

Can security awareness training help to resolve this?

There is a problem with awareness training and educating users. If you are like me, I come from a technical background, you become very narrow-minded thinking: well I find technology very easy, why can’t you work it out? “Well, because I work in marketing!”

I don’t know anything about marketing so why should they know anything about technology?

There is a certain level of arrogance that we in technology developed about other people: in fact, there is a massive amount of arrogance, you come up with all kinds of deprecating or dismissive terms like “problem exists between keyboard and chair (PEBKAC)” or other phrases, just because they just don’t understand. Why don’t they understand? Because they are qualified for something completely different, something which you don’t understand.

So one should stop being so arrogant, step into their shoes, and understand them or try to find a way to translate what you do into terms that they will understand.

So what is the solution?

For me, I always go back to real world examples. Most people understand security from the real world. We are used to carrying five or six different keys for different things. But on the Internet, people only use one key; they only use one password. And they use it everywhere. So when it gets lost, people have access to everything that they own.

In the real world, I have a separate key for my car, a separate key for my home, a separate key for the main door vs. a separate key for my own apartment, and we are used to this kind of thing. But trying to explain to a user why it is that we use a password manager, we have to explain it to them in terms that they will actually understand, and actually take time for them to join the dots within their brain. “So that’s why I should have a different password. That’s why I should make my password really difficult.” Until they put two and two together, they are going to go for whatever is easiest.

So there are a lot of places where not only security people, but technology people in general need to learn to meet the end user halfway and make security transparent and ubiquitous: make security a layer that they don’t necessarily need to think about so much. But from our side, we need to make our code secure, we need to make our cloud system interactions secure, and we need to make our data policies and the implementation of our data policies secure.

Can you elaborate on security policies? Do you see any problems with them?

There’s no point in writing something in your policy that everyone is ignoring. There was a company a few years ago with the policy that nobody was allowed to use Microsoft Messenger. Everyone was using Microsoft Messenger! Your policy says this, and everyone is doing something different. So why is it written in your policy? Either train your people to not use it, and give them a valid, relevant, genuine alternative that they can use, or don’t put it in your policy.

And there are loads of things in the policy documents to please the auditors and to please the compliance team. But that is not how you do security. It in fact makes security worse because it gives the illusion to management that all these things are in place, when all the while the users are bypassing or ignoring it.

How security professionals can help the management in this case?

You need to give them the tools that help. If they are carrying client-data upon which they need to write reports, they need to do some data classification, state who should have access to it and how valuable things are. So if you have classified data, how should you encrypt it, how should you store it, how should you transfer it. So, for argument’s sake, buy a set of encrypted USB keys. If you know that people are working off of their laptops, get something like TrueCrypt or something else that encrypts their laptop, so that their laptop is encrypted if their laptop goes missing or something, you’re safe. Institute Two-Factor-Authentication. And, educate the user: you make sure they understand.

Are there any problems with implementation of such solutions?

Big corporations get these things, they throw loads of money at it, but they don’t look at it from the perspective of how does a business actually use this.

So one of the things which I was saying was that yes you can buy a really cool firewall and IPS system, but you can also do a simple hardening of your database, of your OS, of your application server, close down all of the open ports, close down all of the services that shouldn’t be on, and lets do some monitoring on some user behaviour, on how people are accessing your system. That will give you, for much cheaper, a whole load of control and peace of mind.

What the possible solution might be then?

From the technology and security side, you need to be aware of the business, and what are the drivers of this business, where do they make their money, where is the “data gold”, and what do they need to protect, and how they are going to protect that, and remain operational. You’ve got data which is very valuable to the company because it’s being used. If they can’t use that data, it’s worthless to them. So if you lock it down too much, or you prevent it from moving around to certain people, then you’re preventing the company from doing business. So until you actually understand that, you can’t put in the relevant controls to allow them to use their data and have a level of security.

You’re never going to be 100% secure, so trying to dream that you are going to be 100% secure is a waste of time, trying to do it by way of fear and scaring your client into doing things is a completely wrong way of doing things, because when you are in a state of fear, your judgment is so far off the mark, that it’s ridiculous. Whereas in the case of “I understand what I’m doing over here. Yes, there are some dangers in this. But we understand it.“

Can you give an example?

It is all about risk management – don’t be afraid of them; simply understand them and manage accordingly.

I’m a snowboarder, and last winter I did an avalanche skills training certification course. The way they manage risk is very similar to how we in security do many things (In many respects they are better because lives depend on it). They have to look at a lot of different things that can trigger an avalanche –current weather conditions, weather over the preceding weeks, terrain, different types of snow; which places you are in danger of being in an avalanche, and there are various trigger points and safety concerns (yes, it gets complicated). You don’t live in fear of avalanches because you saw something in some crappy disaster movie. Instead you live in awareness of it and manage your safety. It’s called awareness training, as opposed to a “you’ll magically be safe from an avalanche by doing this.” It’s a case of saying: right, these are different factors that can trigger an avalanche and these are different things that can make you safer from an avalanche.

So if you have had a lot of snowfall in the preceding days followed by a rapid thaw, then it is very likely that some areas on the mountains will have avalanches. So under those circumstances, you don’t go out into very steep slopes, you stay on the slopes that are shallower, or in the treeline. Yes, you may not have as much fun, but you live to play another day.

Before you go out, there are a few things that you are supposed to do. You’re supposed to notify people that this the zone that we are going to, you define a leader of the group, you take all the various precautions that you have all the avalanche transceivers, probes and shovels, and all these kind of things so that, if the worst happens, you are prepared to dig someone out, and that kind of stuff.

Are there any issues applying the same principles to security?

When you go to have your tyres changed, you don’t need to tell the mechanic to make sure to pump up the tires to the correct pressure. They do it automatically. But for us in IT, we need to stipulate this bunch of standard documents and requirements, and we have this non-functional sets that put these standards in place, “you will make sure that you are using this framework” to prevent SQLi attacks. People should be doing this automatically in our industry (it should be part of our quality process), but we don’t do it.

And there is a lot on our side to blame, because we don’t communicate properly, we don’t talk to the right people. And we also have a tendency to think: I told you once, how come you haven’t changed it?

We want it instantly, or at the latest, tomorrow. No, it’s going to take them time to learn, it’s going to take them time to step up their game to the correct level. And you need to be appreciative of this.

What is your approach?

There’s no one magic bullet that will solve this problem, since it is spread across so many systems and every business is different.

For a previous client, following initial meetings, I setup multiple security roadmaps for them in the three areas that we chose to focus on: business continuity planning; software development and data privacy.

How was this to be achieved? What steps must we take in the next week, month, quarter and where do we expect to be in six months from now. The steps we take must be measureable to some degree. This allowed us to apply a maturity model to it.

It involved some technology, some education, and a lot of communication across business domains and teams to ensure we were serving the business. It also involved the flexibility to acknowledge what isn’t working and change accordingly.

So we have a way of setting these things up so that we can track how well are we doing and where we are, and then you’ve got the ways for them, for the technical team to give feedback back to management, to say that “we’ve added this, and this has given us this additional benefit”.

Thank you Yousef. A few final words of wisdom, please.

You need to be honest with your customer. Sometimes they are not going to listen and you are going to have to do what they want you to do, and that’s part of the business. But you need to understand what the business is, and not just the department that you are being called into. You need to explore what is going on at an enterprise level.