I wrote previously about how cyber insurance can be a useful addition to your risk management program.
Unlike more established insurance products, cyber doesn’t have the same amount of historical data, so approaches to underwriting this risk can vary. Models to quantify it usually rely on a number of high-level factors (the industry your organisation is in, geography, applicable regulation, annual revenue, number of customers and employees, etc.) and questions aimed at evaluating your security capabilities.
You are usually asked to complete a self-assessment questionnaire to help the underwriter quantify the risk and come up with an appropriate policy. Make sure the responses you provide are accurate as discrepancies in the answers can invalidate the policy. It’s also a good idea to involve your Legal team to review the wording.
While you can’t do much about the wider organisational factors, you could potentially reduce the premium, if you are able to demonstrate the level of security hygiene in your company that correlates with risk reduction.
To achieve this, consider implementing measures aimed at mitigating some of the more costly cyber risks. What can you do to prevent and recover from a ransomware attack, for example? Developing and testing business continuity and disaster recovery plans, enabling multi factor authentication, patching your systems and training your staff all make good sense from the security perspective. They can also save your business money when it comes to buying cyber insurance.
If possible, offer to take the underwriter through your security measures in more detail and play around with excess and deductibles. Additionally, higher cover limits will also mean higher premiums and these are not always necessary. Know what drives your business to get cyber cover in the first place. Perhaps, your organisation can’t afford to hire a full time incident response manager to coordinate the activities in the event of a breach or manage internal and external communication. These are often included in cyber insurance products, so taking advantage of them doesn’t necessarily mean you need to pay for a high limit. While it is tempting to seek insurance against theft of funds and compensation for business interruption, these can drive the premium up significantly.
It’s worth balancing the cost of the insurance with the opportunity cost of investing this sum in improving cyber security posture. You might not be able to hire additional security staff but you may be able to formulate a crisis communication plan, including various notification templates and better prepare with an incident simulation exercise, if you haven’t already. These are not mutually exclusive, however, and best used in conjunction.
Remember, risk ownership cannot be transferred: cyber insurance is not a substitute for security controls, so even the best cover should be treated as an emergency recovery measure.
The focus of many of my projects is on risks. I’ve observed through multiple assessments in various companies and industries a lack of formalised risk management process. Some of the plans may exist but they are not linked to specific risks and risk reduction levels are not being measured and reported on appropriately.
The security function can be effective in responding to incidents but the strategic risk-driven planning is often missing. The root cause of this state of affairs is often can be generalised as low maturity of the security function. If that’s the case, the team spends most of its time fighting fires and have little capacity to address the challenges that cause these fires in the first place.
To address this, I assess current state of the security function, define the target maturity level and then develop a high-level roadmap to achieve that desired state.
If the company is geographically distributed, noticeable differences usually exist between a number of business units in terms of overall policy framework. The suggestion here is to define a baseline level of security controls across the entire enterprise. The first step in defining these is to understand what we are trying to protect – the assets.
Modern corporations own a wide range of assets that enable them to operate and grow. They broadly include physical and non-physical assets, people and reputation. Engagement from appropriate parts of the business to identify these is important here as potential attacks to these assets might negatively affect the operations.
By understanding the assets we are able to better identify risks, enable effective detection and response, and prioritise controls and remediation efforts better.
It also helps to conduct a bottom-up review of assets to understand what exactly we’ve got there, focusing on the most critical ones and creating and updating asset inventories.
Understanding the asset base and setting standards and guidance for protecting them will focus the efforts and help you prevent and better respond to security issues.
Assets are tightly linked to threat actors, because it’s not enough to know what we need to protect – we also need to know what we are protecting our assets against. Threat actors vary in their motivation and ability and – depending on the company – include nation states, organised crime, insiders, hacktivist, competitors, etc.
A combination of assets and threats helps us to define risks.
Identifying risks and placing them on a heat map helps determine the inherent, residual and target risks. Inherent risks show the level of risk assuming all the controls or remediating measures were absent or failing. Think of it as if security function didn’t exist. It’s not a happy place where we see the majority of risks have high impact and likelihood being in the top right hand side corner of the chart.
Luckily, security function does exist and even if they don’t have a formalised risk management process, they are usually doing a good job in addressing some of these risks.
Current level of risk is taking into account all the controls and remediating measures in place. The initial impact and likelihood is usually reduced and sometimes to an acceptable level agreed by the business. The idea here is although further reduction of impact and likelihood is possible, it might not be cost-effective. In other words, the money might be better spent in addressing other risks.
Target risks is the future state risk level once additional controls and remediation measures are implemented by the security team.
The main takeaway here is that a formalised risk management approach (with accompanying processes and policies) is needed to ensure all risks are identified and tracked over time, and the appropriate resources and efforts are spent on the top priority risks.
“So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.
Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.
No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.”
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
“This is an easy-to-read, accessible and simple introduction to information security. The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject. Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.”
Dr David King
Visiting Fellow of Kellogg College
University of Oxford
Scientists in various fields adopt statistical methods to determine relationships between events and assess the strength of such links. Security professionals performing risk assessments are also interested in determining what events are causing the most impact.
When analysing historical data, however, they should remember that correlation doesn’t always imply causation. When patterns of events look similar, it may lead you to believe that one event causes the other. But as demonstrated by the chart above, it is highly unlikely that seeing Nicolas Cage on TV causes people to jump into the pool (although it may in some cases).
The Psychology of Information Security – Resolving conflicts between security compliance and human behaviourPosted: November 26, 2015
In today’s corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company’s assets and mitigate risks to the furthest extent possible.
Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users’ core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk.
This can be addressed by factoring in an individual’s perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them – after all, people are a company’s best assets.
I just finished writing a book with IT Governance Publishing on this topic. This book draws on the experience of industry experts and related academic research to:
- Gain insight into information security issues related to human behaviour, from both end users’ and security professionals’ perspectives.
- Provide a set of recommendations to support the security professional’s decision-making process, and to improve the culture and find the balance between security and productivity.
- Give advice on aligning a security programme with wider organisational objectives.
- Manage and communicate these changes within an organisation.
Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in.
The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour , helping security professionals understand how a security culture that puts risk into context promotes compliance.
In my previous post I discussed free online courses in information security. Here I would like to share a few more resources.
Thom Langford: Security risk is just one of the many types of risks a business faces on a day-to-day basisPosted: June 10, 2014
Interview with Thom Langford, Director of security risk management
Could we start with your personal story: your beginnings and how you got to where you are.
I was always interested in computers. My first computer was a Sinclair Spectrum 48K. I’ve always had a technology fascination. I got very much into this during school and university, and my first job was as a VAX/VMS operator, running overnight batch jobs. It was a physically tiring job, as we had to print 70,000 to 100,000 pages at night to have them delivered to the client and a 24-hour shift system, which got me to learn how to work under pressure. I then got into PCs in a big way, and moved from supporting Autodesk CAD products, to being an IT manager for a small systems integration company in Swindon. When the company was bought out by Coopers and Lybrand and subsequently merged with Price Waterhouse, to become PwC, I became known as a “builder of things”. I built a retail solutions centre, both the technology and the physical environments, from the ground up.
I subsequently built a client showcase development centre in Heathrow, a fast-track product delivery centre in London, and was also doing client work in Swansea building an innovation centre. Again, this included building both the IT as well as the physical environment: buildings, walls, the electrics and the soft furnishings, everything, basically.
I then moved to Sapient as an IT and facilities manager, which was a bit of an odd combination, although a natural move given my previous experience. I was doing that job for a number of years, initially for London and then for our global offices, when I noticed a gap in our capabilities around security, disaster-recovery and business continuity. I then spoke to one of our C level executives, and he agreed. He broadened the scope somewhat further and then asked me to start 10 days later. So it was a very rapid move for me into security. Even though I had already had a strong background in physical and IT security, this was a very different world for me. I tried to get qualified very quickly, which is something that is very difficult when you have little to no budget, which happens when you start mid-year. So I basically begged, borrowed and stole everything. We brought together a team and got a CISO on board and that’s basically where we are today. Right now I am the acting CISO. I am responsible for teams based out of India and North America, working to strengthen our security posture both internally as well as to the industry.
You are responsible for risk management. What is your view on risk management in general? How do you think is your view different from others, if at all?
I think everybody has a view on risk management, and it is not always a good one. Traditionally, risks are seen as bad and that have to be removed. They never change and the same risks are going to be there all the time. This was, at least, my perspective in the beginning. Everything is static and you live in the world of Excel spread sheets: you list your risks in them, you list what you are going to do about them, how you are going to measure them, and then you decide whether you’ve fixed them or not. Nobody was able to tell me whether a risk was acceptable or otherwise. This was basically as far as I saw, within my responsibility: to act as the conscience of a company, because that was my job. That attitude has changed for me a lot in the last 4 years. If you are the conscience of the business, the business will be stifled quite dramatically because of your security implementations. Actually, all you are doing is reducing their ability to work effectively because you don’t see the big picture of how the business operates.
Security risk is just one of the many types of risks a business faces on a day-to-day basis: socioeconomic, financial, geopolitical, legal, personnel, everything has to be taken into account. To say that a business cannot carry out an activity based on one aspect or one facet of risk, I think, is the entirely wrong thing to do. You should act more as an enabler and to become more of a yes person than a no person.
When identifying risks you will probably need the help of different stakeholders. How do you identify these different stakeholders? How do you manage the relationship with them? How do you get people to speak up?
Risk in security is just one facet of security in any business. So any enterprise should have a risk committee that is composed by a delivery group, a legal group, a financial group, etc. As long as you are measuring your risks in the same way, whether it’s in ordinal numbers or any kind of format that makes sense, those risks will be filtered as they rise up through the organisation. So if you have, for instance, 1000 security risks on your risk register, a single figure of risks should be reaching the very top of the organisation. Any more than that is an indication of people not being empowered enough to deal with risks as they emerge. Not everybody in the organisation will be able to address a risk, and so therefore, it needs to be escalated.
Escalation is not a bad thing: it’s about getting people who are better qualified or more capable or have more authority of dealing with something than you are. Not because you are incapable, but because they are in a better position than you to do so. So from the thousands that arise at the very bottom level, only a few will reach the higher levels, where they can be better dealt with.
As far as stakeholder management, it is much easier to deal with senior level stakeholder management and just seeing the very tip of the iceberg. As long as they are empowering everyone else and they can be sure that they have the tools to deal with the bulk of it all, the easier it is. This way you don’t have to deal with this vast spreadsheet concerning every single case. By empowering everybody in the organisation, it is easy for them to see why it is important to deal with risks directly. If the people at the top levels don’t want to deal with the stuff that reaches them, they basically delegate it to somebody else back down, in which case, it is being dealt with in the end.
So filtering is one approach, which is about empowering people at various levels of the organisation to recognise and deal with the risks as they feel appropriate and qualified to do so.
There are two main trains of thought in information security, namely, compliance-based and risk-based. What’s your approach, and why do you think is it more beneficial?
I think compliance is extremely useful, but it is not the be-all and end-all. Let’s say that you are using ISO 27001, for example, where measuring risk is a core part of it. But if all you are trying to do is to get the certification, you’re only engaging in security theatre. You’re only doing what is required to get the auditor happy and you are ticking things off and writing procedures, but nobody really knows anything about it. Nobody is paying any actual attention to it, apart from that one day in which you make sure that the right people are in the right office, and the auditor has that long lunch that you need, etc. So it’s a start, but it is not the way to go.
Whereas a proper risk-based approach will actually make that conversation continue way beyond the initial compliance. It’s a bit of an old argument “compliance doesn’t equal security”, which it can be if it is taken in the right sense and with the right approach. But all too often, organisations will stop at compliance and not continue with real risk-based security. An example of that is a risk register that is only looked at once a year: that is compliance. A risk register should be looked at on a regular basis to ascertain that risks haven’t changed, or if likelihoods haven’t changed, or if exploitations have changed, if risk appetites have changed within the organisation, for example. If it becomes a living and breathing document, then you are looking more at a risk-based approach to security. If it’s just a mechanical once-a-year, tick-tick-tick format, then you are in a compliance environment.
What should companies do in order for them to shift from this traditional compliance approach to the risk-based one?
I think that it is about coming back to understanding what are the benefits of security and the objectives of the business. If you can connect the benefits of your security program to the ability for a company to sell more of its products, to safely enter riskier markets (because they are able to handle their data more securely), to give confidence to their clients, to bring confidence to the industry (or to whatever regulatory body that looks after them), then that’s when you can actually get more done as a result of your security program. If you are just doing security for security’s sake, we go back to being just a conscience again.
So it’s about connecting your security programme to the goals of the business. If you haven’t even read your company’s annual report, how do you know what your security programme is supporting? If you haven’t attended a shareholder meeting or an earnings call, you can’t really know what you are doing. You only have to do this a few times to get your bearings. If you don’t understand what the core purpose of the business is, how can you actually align your security with it? It’s like IT giving out computers with Linux and Open Office when the company actually needs Windows with Microsoft Office. Linux and Open Office are perfectly acceptable approaches, but the choice for them is not aligned with the business’ needs, which probably include cross-compatibility and other functions that only Microsoft Office can do. If you don’t know what the business needs from security, you need to find out: talk, listen, read, whatever it takes to find out what it is that the business needs from you.
Let’s say that you are assigned as security manager within a company. What are the first things that you would do in your first weeks?
You need to talk: you talk as broadly and as highly as you need to understand where you are standing and what is required. Talk to as many people as possible. For instance, if you are in a manufacturing plant, you start by talking to the people on the shop floor and see how they operate. Talk to the shift leaders and the managers there. If you are consultancy, start by talking to the programme directors, to the business development people and to the partners. It doesn’t matter where you are: start talking from the ground upwards, so you actually understand what it is they do and how they do it, what they need and what they know.
These conversations might be very short, or you might run into people who don’t know much, in which case you are starting with a blank slate and you can bring your own influence onto them. If the floor leader tells you that smokers are leaving the shop doors open to go have their cigarette break, well, that’s a problem you have already identified. It’s a small issue, but potentially important. If you start solving their problems, perceived or otherwise, then you start to build fanatical advocates for security.
If you understand that the CFO’s primary goal is to ensure that he’s able to get reports and the payroll out on a monthly basis, then you can start focusing more on the integrity and availability of the data. You can then prioritize for a disaster-recovery and business continuity, so that they have the confidence that what you are actually doing is helping them do their job more easily and they are able to sleep at night. If you CFO is staying awake the night before payday because he’s not sure if his Oracle systems are going to stay up and running overnight, then that’s a problem that you can fix. So you need to communicate, talk and listen: in fact, listen twice as much as you talk, because you’ve got two ears and one mouth, and find out what peoples’ problems are, perceived or otherwise.
Nasim Taleb in his book The Black Swan provides the following examples of Mirage Casino’s four largest losses:
- $100 million from a tiger mauling
- Unsuccessful attempt to dynamite casino
- Neglect in completing tax returns
- Ransom demand for owner’s kidnapped daughter
How many of these losses could’ve been identified and managed appropriately?
John Adams in his research Risk, Freedom and Responsibility suggests that “Risk management is not rocket science – it’s much more complicated.” He further elaborates on this point in his research: “The risk manager must […] deal not only with risk perceived through science, but also with virtual risk – risks where the science is inconclusive and people are thus liberated to argue from, and act upon, pre-established beliefs, convictions, prejudices and superstitions.”
According to Adams, there are three types of risk:
- Directly perceptible risks are dealt with using a proper judgment. “One does not undertake a formal, probabilistic, risk assessment before crossing the road.”
- Risks perceived through science are subject to formal risk managementprocess. “Here one finds not only biological scientists in lab coats peering through microscopes, but physicists, chemists, engineers, doctors, statisticians, actuaries, epidemiologists and numerous other categories of scientist who have helped us to see risks that are invisible to the naked eye. Collectively they have improved enormously our ability to manage risk – as evidenced by the huge increase in average life spans that has coincided with the rise of science and technology.”
- Virtual risk is not perceived through science, hence people are forced to act based on their convictions and beliefs.“Such risks may or may not be real, but they have real consequences. In the presence of virtual risk what we believe depends on whom we believe, and whom we believe depends on whom we trust.”
Klein in his Streetlights and shadows: searching for the keys to adaptive decision making suggests the following issues with risk management:
- It works best in well-ordered situations
- Fear of speaking out may result in poor risk identification
- Organisations should understand that plans do not guarantee success and may result in a false sense of safety
- Risk Management plans may actually increase risk.
Klein also identifies three risk decision making approaches:
- Prioritise and reduce
- Calculate and decide
- Anticipate and adapt
To illustrate individual’s decision-making process while dealing with risk, Adams introduces another concept called “Risk thermostat”
The main idea behind it is that people vary in their propensity to take risks which is influenced by the perception of risk, experience of losses, and potential rewards.
People tend to overestimate spectacular but rare risks, but downplay common risks. Also, personified risks are perceived to be greater than anonymous risks.
The protection measures also can be introduced to only increase perceived security, rather than implement actual mechanisms. A possible example might be using National Guard in airports after 9/11 to provide re-assurance. However, such a security theatre has other applications in relation to motivation, deception and economics.
Finally, Adams discusses the phenomenon of risk compensation and appropriate adjustments which take place in the risk thermostat. He argues that introducing safety measures changes behavior: for example, seat belts can save a life in a crash, so people buckle up and take more risks when driving, leading to an increased number of accidents. As a result, the overall number of deaths remains unchanged.
All companies have assets. They help them generate profit and hence require protection. Information security professionals help companies to assess and manage risk to these assets and make sure that cost-effective and appropriate response strategies are chosen to address these risks.
Enterprises in turn may decide to implement mitigation strategies in the form of technical, procedural, physical or legal controls. These implementations would have a defined start and end date and would require resources and hence a project rather than an operational activity.
However, such implementations have their own project risks. According to the Guide to the Project Management Body of Knowledge, risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.
The project risk management process is similar to the information security risk management and consists of four stages:
1. Identification – Log risk, agree and assign an owner
2. Analysis – An owner assesses risk and sets probability and impact
3. Monitoring and Control – An ongoing process of tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans and evaluating their effectiveness throughout programme.
4. Response planning – What response will be taken to manage the risk
It is a good practice to involve your team and all relevant stakeholders during the project planning stage to identify the risks and populate the risk log
- ID – assign a number (e.g. 1, 2, 3)
- Risk– a specific definition of the risk event.
- Consequence –what effect each entry has on the business/change programme/projects
- Trigger – an event which signals the risk occurrence
- Date Raised – when the risk was initially raised
- Date Updated – when the risk was updated
- Owner – a person responsible for monitoring risk event, notifying team, and executing risk response
- Due Date – when will the actions be completed
- Probability (on a scale 1-5) – likelihood of the risk occurring
- Impact (on a scale 1-5) – impact if the risk does occur
- Risk Score – probability x Impact
- Response Strategy – a specific agreed actions which will take place to manage the risk (Avoid, Transfer, Mitigate, Accept))
- Current Status – indicate risk status (Red, Amber, Green, Closed)
During the execution of the project, the risk log should be continuously revised and kept up to date to ensure that project issues, risks and mitigating actions are fully and formally assessed and managed throughout the project lifecycle.
Let’s start with the basics. How did you start your journey in information security?
Back in 1998 I graduated with a BSc in Computer Science and chose to focus on Object Oriented Analysis & Design and Java. In September 1999 I started contracting in the telecom industry in Netherlands. It was a unique, pre-dotcom-crash situation. A brand new multi-billion-dollar joint venture between two telecom groups – loads of money, starting from scratch with next to no infrastructure – really brilliant place for a relatively new graduate to come in to. A start-up with loads of money! While, officially regarded as a “Web Developer”, since they had no developer PCs, no servers, no DEV/TEST/Prod, no source-control, no standards, no policies, no DMZ; I ended up being involved in everything – and it was great! Set up policies, set up development standards, and specifying and ordering the PCs and software for the developers; specifying the servers for the website/database, and then being in meetings with the networking people to define what the firewall rules were going to be, and what we needed to do. Basically, doing everything!
A year later, I began a contract in Munich working as a secure Java developer using the new JAAS (Java Authentication and Authorisation Service) API in an Agile/Extreme programming team. So back in 2000 I was exposed to security and ever since I’ve kind of been in-and-out, either just doing application development or some other branch of security.
Then, in 2005 while I was working permanently with Accenture and I was exposed to identity management as a specific field –Thor Xellerate (later to become Oracle Identity Manager). Working on various client sites, I found identity management very interesting because it cut across every part of the business. Everybody in the business needs access to multiple, different systems, and the IDM provisions and de-provisions the users with the appropriate level of access, for all users.
Very interesting. What are you working at the moment?
In January, I was contacted by a cloud-based accountancy firm regarding a cyber-security voucher that the government was funding to encourage Small and Medium sized firms and Sole-traders to improve their cyber security stance.
It was one of the more enjoyable projects I’ve been involved in. Compared to working in a large faceless organisation, or government department, where you might disappear in amongst thousands of other small cogs, and your influences is small; here, you get to make an impact. When you are working in a smaller organisation of about 50 people or up to 200 people; your influence and impact is clear to see and is appreciated by the client. More over, since I’m communicating directly with the business leaders, the security serves the business needs instead of just an individual department’s needs.
Why do you think this is important? What is the main difference between working for a small company compared to a big one?
I believe you are going to understand their business better, so you can give genuinely relevant advice. You don’t need to worry about keeping your consultancy/employer or specific business-unit happy. You just need to focus on the business, and on giving them the best advice for them.
I hope to keep doing this for the foreseeable future, because it is easy to get bored of working in big companies. I mean, big organisations are nice because you get exposed to good technology, complex problems and huge projects etc., but as far as getting return for your work where you actually see results there and then; then you can’t beat the immediacy of an SME. You don’t need permission/sign-off from a dozen different stakeholders before you update that policy document. You change that policy or that you give them a piece of advice that has changed their focus to create a secure coding development platform; how to improve testing on that; you’ve given them access to resources they didn’t even know about, and you’ve given them new ideas and new perspectives.
And you’ve also shown them how they can actually improve themselves. So if they go for ISO 27001, that might be a differentiator between themselves and their competitors, and it’s also something that they can tell their customers: “We value your data privacy seriously, we have these standards in place, and we’re looking after you.”
When you work in security, you take a lot of things for granted. But then you go to some small or medium-sized companies, and they’ve been so focused on building their small business and delivering new functions, security is way back in their list of priorities. Now you get to raise that up and show them that it not only benefits them on the compliance side of things, but that the benefit also lies in their knowing where their data is, who has access to their data, they know when they have access to it. And you can put all sorts of different levels of controls onto things and give them a far greater peace of mind about how they are dealing with things internally to their company and how they are dealing with things with regards to their product. So delivering this cyber-security voucher to SMEs is something that I’m pursue with a lot more zeal at the moment, because I never knew about it before, and I know it can make a big difference to all of them. £5K is pretty meaningless to your average Fortune 500 company, but to an SME it is a pretty big deal.
What in your opinion is the main obstacle in implementing a similar approach in large corporations?
One of the problems with large corporations, and the same thing in government, is that each separate individual department has a budget. And they need to work to that budget, and they need to ensure that they are doing enough so that they get the same budget or more next year. And it gives a very narrow view to what they are doing. For me the best security (and IT investment in general) is when it is applied at the enterprise-level, across all of the various business units, and considers how we can make all of these people work well together. There is no point in having a really strong security in your finance department, when another department isn’t even talking to them, and they are doing similar work but on different platforms. On the one hand, you are wasting money, because they are duplicating work, they are duplicating data, they are duplicating the risks involved: in fact they are not even duplicating, they are making the risks much wider, because they may not be tracking where the data is going, and on another platform; its going all over the place.
[So if one department has Oracle DB, another is running Sybase and another small team has MS Access; a) You have the cost of the separate platforms; b) separate licensing for same task; c) you need to harden each platform separately; d) you need define a mechanism to share the data across the systems to maintain the integrity of the data; e) you need to support and patch separate systems etc. Conversely, the enterprise could have defined a single Database platform that all departments to use thus saving a world of pain.]
And while the ISO 27001 and various other standards out there will give you a kind of check-box compliance, “yes, we did this, we did this,” it doesn’t give you the kind of thing to say, “I feel comfortable about this.” Yes, you might feel comfortable about it if the legal department comes and questions you about it, but do you feel comfortable enough about it to be able to say that we have done a good job here, and we have delivered something to the client that actually works for them?
What about the security culture?
Yes, one of the things that I kept on stressing to one of my clients was: “you have a culture here that works for you. You have a very nice environment because everybody knows what’s going on here. If you are a developer, you know everybody in marketing, you know everybody in sales, and everybody knows you. And you have very free-flowing information going on, and it helps a great deal in how you operate. So when you are adding security controls, you don’t want to break what’s already working. You want to make sure it becomes better”.
Can security awareness training help to resolve this?
There is a problem with awareness training and educating users. If you are like me, I come from a technical background, you become very narrow-minded thinking: well I find technology very easy, why can’t you work it out? “Well, because I work in marketing!”
I don’t know anything about marketing so why should they know anything about technology?
There is a certain level of arrogance that we in technology developed about other people: in fact, there is a massive amount of arrogance, you come up with all kinds of deprecating or dismissive terms like “problem exists between keyboard and chair (PEBKAC)” or other phrases, just because they just don’t understand. Why don’t they understand? Because they are qualified for something completely different, something which you don’t understand.
So one should stop being so arrogant, step into their shoes, and understand them or try to find a way to translate what you do into terms that they will understand.
So what is the solution?
For me, I always go back to real world examples. Most people understand security from the real world. We are used to carrying five or six different keys for different things. But on the Internet, people only use one key; they only use one password. And they use it everywhere. So when it gets lost, people have access to everything that they own.
In the real world, I have a separate key for my car, a separate key for my home, a separate key for the main door vs. a separate key for my own apartment, and we are used to this kind of thing. But trying to explain to a user why it is that we use a password manager, we have to explain it to them in terms that they will actually understand, and actually take time for them to join the dots within their brain. “So that’s why I should have a different password. That’s why I should make my password really difficult.” Until they put two and two together, they are going to go for whatever is easiest.
So there are a lot of places where not only security people, but technology people in general need to learn to meet the end user halfway and make security transparent and ubiquitous: make security a layer that they don’t necessarily need to think about so much. But from our side, we need to make our code secure, we need to make our cloud system interactions secure, and we need to make our data policies and the implementation of our data policies secure.
Can you elaborate on security policies? Do you see any problems with them?
There’s no point in writing something in your policy that everyone is ignoring. There was a company a few years ago with the policy that nobody was allowed to use Microsoft Messenger. Everyone was using Microsoft Messenger! Your policy says this, and everyone is doing something different. So why is it written in your policy? Either train your people to not use it, and give them a valid, relevant, genuine alternative that they can use, or don’t put it in your policy.
And there are loads of things in the policy documents to please the auditors and to please the compliance team. But that is not how you do security. It in fact makes security worse because it gives the illusion to management that all these things are in place, when all the while the users are bypassing or ignoring it.
How security professionals can help the management in this case?
You need to give them the tools that help. If they are carrying client-data upon which they need to write reports, they need to do some data classification, state who should have access to it and how valuable things are. So if you have classified data, how should you encrypt it, how should you store it, how should you transfer it. So, for argument’s sake, buy a set of encrypted USB keys. If you know that people are working off of their laptops, get something like TrueCrypt or something else that encrypts their laptop, so that their laptop is encrypted if their laptop goes missing or something, you’re safe. Institute Two-Factor-Authentication. And, educate the user: you make sure they understand.
Are there any problems with implementation of such solutions?
Big corporations get these things, they throw loads of money at it, but they don’t look at it from the perspective of how does a business actually use this.
So one of the things which I was saying was that yes you can buy a really cool firewall and IPS system, but you can also do a simple hardening of your database, of your OS, of your application server, close down all of the open ports, close down all of the services that shouldn’t be on, and lets do some monitoring on some user behaviour, on how people are accessing your system. That will give you, for much cheaper, a whole load of control and peace of mind.
What the possible solution might be then?
From the technology and security side, you need to be aware of the business, and what are the drivers of this business, where do they make their money, where is the “data gold”, and what do they need to protect, and how they are going to protect that, and remain operational. You’ve got data which is very valuable to the company because it’s being used. If they can’t use that data, it’s worthless to them. So if you lock it down too much, or you prevent it from moving around to certain people, then you’re preventing the company from doing business. So until you actually understand that, you can’t put in the relevant controls to allow them to use their data and have a level of security.
You’re never going to be 100% secure, so trying to dream that you are going to be 100% secure is a waste of time, trying to do it by way of fear and scaring your client into doing things is a completely wrong way of doing things, because when you are in a state of fear, your judgment is so far off the mark, that it’s ridiculous. Whereas in the case of “I understand what I’m doing over here. Yes, there are some dangers in this. But we understand it.“
Can you give an example?
It is all about risk management – don’t be afraid of them; simply understand them and manage accordingly.
I’m a snowboarder, and last winter I did an avalanche skills training certification course. The way they manage risk is very similar to how we in security do many things (In many respects they are better because lives depend on it). They have to look at a lot of different things that can trigger an avalanche –current weather conditions, weather over the preceding weeks, terrain, different types of snow; which places you are in danger of being in an avalanche, and there are various trigger points and safety concerns (yes, it gets complicated). You don’t live in fear of avalanches because you saw something in some crappy disaster movie. Instead you live in awareness of it and manage your safety. It’s called awareness training, as opposed to a “you’ll magically be safe from an avalanche by doing this.” It’s a case of saying: right, these are different factors that can trigger an avalanche and these are different things that can make you safer from an avalanche.
So if you have had a lot of snowfall in the preceding days followed by a rapid thaw, then it is very likely that some areas on the mountains will have avalanches. So under those circumstances, you don’t go out into very steep slopes, you stay on the slopes that are shallower, or in the treeline. Yes, you may not have as much fun, but you live to play another day.
Before you go out, there are a few things that you are supposed to do. You’re supposed to notify people that this the zone that we are going to, you define a leader of the group, you take all the various precautions that you have all the avalanche transceivers, probes and shovels, and all these kind of things so that, if the worst happens, you are prepared to dig someone out, and that kind of stuff.
Are there any issues applying the same principles to security?
When you go to have your tyres changed, you don’t need to tell the mechanic to make sure to pump up the tires to the correct pressure. They do it automatically. But for us in IT, we need to stipulate this bunch of standard documents and requirements, and we have this non-functional sets that put these standards in place, “you will make sure that you are using this framework” to prevent SQLi attacks. People should be doing this automatically in our industry (it should be part of our quality process), but we don’t do it.
And there is a lot on our side to blame, because we don’t communicate properly, we don’t talk to the right people. And we also have a tendency to think: I told you once, how come you haven’t changed it?
We want it instantly, or at the latest, tomorrow. No, it’s going to take them time to learn, it’s going to take them time to step up their game to the correct level. And you need to be appreciative of this.
What is your approach?
There’s no one magic bullet that will solve this problem, since it is spread across so many systems and every business is different.
For a previous client, following initial meetings, I setup multiple security roadmaps for them in the three areas that we chose to focus on: business continuity planning; software development and data privacy.
How was this to be achieved? What steps must we take in the next week, month, quarter and where do we expect to be in six months from now. The steps we take must be measureable to some degree. This allowed us to apply a maturity model to it.
It involved some technology, some education, and a lot of communication across business domains and teams to ensure we were serving the business. It also involved the flexibility to acknowledge what isn’t working and change accordingly.
So we have a way of setting these things up so that we can track how well are we doing and where we are, and then you’ve got the ways for them, for the technical team to give feedback back to management, to say that “we’ve added this, and this has given us this additional benefit”.
Thank you Yousef. A few final words of wisdom, please.
You need to be honest with your customer. Sometimes they are not going to listen and you are going to have to do what they want you to do, and that’s part of the business. But you need to understand what the business is, and not just the department that you are being called into. You need to explore what is going on at an enterprise level.