Saturday 25 July 2015

Cut the bleating: how about something positive for a change?

An opinion piece in Forbes by two Cisco people wound me up today. To my jaundiced eye, they were just bleating on about senior management's lack of interest in, concern about, understanding of, and leadership in, IT security.

Seems to me they are naive, misguided, overly-cynical and/or disingenuous. I find overtly negative comments unhelpful and counterproductive. It saddens me that so many security pundits (especially those still locked in the introverted world of IT) continue pointing the accusing finger at senior management as if it's entirely their problem, while offering little if anything in the way of constructive advice or, for that matter, accepting any part of the blame for the situation in which we now find ourselves.

Come on guys and gals, we can do better than that.

The key question is why: why should senior management be concerned about information risk? Why is this issue worthy of their attention? Why is it so important that they show leadership in this area? And why isn't this being addressed anyway, without their direct involvement?

Exemplifying a more positive approach, ENISA made a policy shift from just emphasizing information risks to highlighting the business opportunities associated with information security. In other words, information security is promoted as a business enabler.

Another positive approach is demonstrated here, suggesting the kinds of information risk-related questions that boards/senior management should be posing on a regular basis.

For well over a decade now, customers have been receiving a slew of security awareness materials every month, aimed squarely at management. One of the regular deliverables is a one-page board agenda to get the board or C-suite considering and talking about information risk and security-related matters, at a high level of course. By posing just two disarmingly straightforward rhetorical questions per month, we encourage senior managers to take an interest in and explore the situation (for example by requesting a private briefing on the topic from the CISO and/or the heads of Risk, Compliance, IT, HR, Finance, Operations, R&D etc. and perhaps quizzing them on the details), scratching beneath the surface of those bland word-crafted assurances normally passed up the line. Other regular products in the management stream include elevator pitch and executive briefing papers, both succinctly-worded and emphasizing the strategic, governance, risk, compliance and - above all - business angle on information security.

It seems to us the dialog and discussion is likely to be much more productive and insightful if senior management is security-aware, which means management level awareness is an obvious starting point. If they honestly haven't a clue about the organization's main information risks, and don't even know what questions to ask, awareness is clearly needed. Bleating on about their 'lack of leadership' is whistling down the wind. 


PS Before some smart Alec says it, yes I'm bleating too - bleating about inept and unhelpful comments from colleagues who should know better - but I'm also suggesting practical solutions, approaches that work. This is not just hot air.

Wednesday 22 July 2015

Taking the shine off IoT security

Various information security pundits are bleating about the evident lack of security in the Internet of Things, as if we should be both surprised and aghast. Get real guys!

Consumers* don't buy IoT products because they are secure. They buy them because they are shiny.

Security is not shiny. It is an afterthought, at best. Worse still, since making IoT products secure means they cost more to manufacture, security is an anti-goal at this time. Companies attempting to sell relatively expensive, relatively secure IoT products now are unlikely to establish the market presence they need to make a success of the business, unless they are foresighted enough to forgo short-term success in favor of a (long-term, risky) strategic investment. 

Meanwhile, there is a premium on being first to market**.

In due course, when insecure IoT products have infiltrated our lives and IoT incidents are both frequent and severe enough to become genuine concerns (which they aren't yet), then IoT security will become something that consumers expect and value, to some extent. 

Doubtless IoT security standards will be released in due course, with marketing benefits for suppliers that claim compliance but also risks for those whose products cannot be made compliant or who follow standards that subsequently flounder.

Suppliers already in the IoT market today also have the option of offering their customers 'security enhanced' upgraded products in due course. Upgrading is a soft-sell to existing customers, locks them in, and further enhances the brand, provided the migration is properly handled - again, there are risks such as being perceived to have been supplying woefully insecure products.

The driver to all this, just in case you missed it, is business not security.

So, security pundits, your challenge is to make a sound business case for IoT security instead of bleating on about it. Stop crying wolf and start persuading IoT suppliers that it is in their commercial interests to offer secure products. For example, what does "secure" actually mean in this context? It's not nearly as obvious as it might appear.

Alternatively how about educating and persuading consumers to pay more attention to their information risks and the security in the IoT products they have in their sights. Explain the issues in terms they can understand. Prompt them to ask the right questions of their IoT suppliers. Warn them about the incidents they are likely to suffer (not those desperate worst-case scenarios) if they ignore the issue.

Whining lamely at the IoT suppliers is pointless.


* I'm talking here about retail consumers i.e. home/personal users of IoT things. The situation is somewhat different in the business domain ... or at least it should be, once the information risks relating to IoT are (a) identified, (b) assessed and evaluated, and (c) treated. Does anyone even have a policy on IoT security as yet? I'll be writing my first one next month, along with a stack of IoT security awareness materials for delivery to customers at the end of August. 

** Sony was once renowned for creating new market segments, being first to market with innovative products such as the Walkman. Oh how the mighty have fallen!

Tuesday 14 July 2015

Employ people who 'get' infosec


Organizations that take information security seriously enough to adopt good practice standards such as ISO27k generally appreciate the need to integrate infosec with HR processes. They have pre-employment screening, on-boarding processes such as security induction sessions, continuous security awareness & training where appropriate throughout employment, and off-boarding/departure activities when the employment or service relationship comes to an end. The key controls are laid out in black and white in section 7 of ISO/IEC 27002:2015. Most such organizations have security-related policies and procedures, along with compliance activities plus enforcement and reinforcement. Very few organizations manage without employment or service contracts, codes of conduct etc., often mentioning compliance. 

Despite all that good stuff and more, we are repeatedly told that 'people are the weakest links', in other words we're not home and dry. We haven't nailed it yet.

Why? What are we missing?

Well, first of all, some organizations simply don't take infosec seriously. While some take the standards route, many more pay lip service to infosec, although they may not appreciate how little they are doing, and I doubt any would ever admit as much. 

Secondly, theory ≠ practice. Information security standards are seldom fully adopted, each organization having different circumstances, pressures and objectives. Even certification to ISO/IEC 27001 does not force the organization to adopt the controls in Annex A or ISO/IEC 27002, let alone "fully". Some evidently delight in spending and doing the least amount possible to gain their certificates. I guess either the business benefits that would be expected to flow from protecting valuable information assets aren't visible and attractive enough, or they simply don't have the resources to invest properly in infosec.

Thirdly, attitudes and beliefs towards infosec etc. vary among the general population, demonstrating cultural variations that can be substantial (e.g. intellectual property rights are almost meaningless in China, it seems). There is a need for education and public outreach programs going beyond the enforcement-driven anti-piracy campaigns, and those lame malware and phishing public service announcements to take in the ethical, creative and commercial dimensions for instance.

Fourthly, thanks largely to the endless marketing onslaught from tech/IT security companies flogging their antivirus and firewall products as if they are The Ultimate Answer, plus naive journalists and politicians swept along by the promise of technology "solutions", there is a widespread over-emphasis on IT security or (exploiting the latest fad) "cybersecurity", to the detriment of other aspects including:
  • Human aspects - the main subject of this rant;
  • Governance, risk and compliance;
  • Physical security;
  • Legal and regulatory aspects.

Fifthly, organizations are collections of people who vary in their individual levels of security awareness, attitudes/beliefs and practices. They vary both between each other, and vary over time. We all have our off-days!

That roundabout mind-ramble led me to the title line. Why don't we preferentially employ people who 'get' information security? In other words, if we take infosec seriously, shouldn't infosec be one of the criteria or parameters we use when selecting and promoting people? I'm not just talking about infosec pros: if we honestly believe that 'We are all responsible for information security', then surely it is important for everyone

Well OK, how could we put this into practice?  Here are seven pragmatic suggestions off the top of my head:
  1. In conjunction with HR, raise this issue with senior management. Explain the situation, report relevant metrics, lay out strategic options for their consideration and garner their support.

  2. Incorporate information security and/or related aspects such as privacy, compliance, assurance, trust, ethics and risk management in general terms into the promotional materials, vacancy notice boilerplate, 'About us' pages and so forth. Emphasize that management values the corporate security culture, hence candidates/applicants who espouse the same values are likely to be more successful than those who ignore or despise them.

  3. Systematically identify and emphasize the specific infosec-related aspects of jobs in vacancy notices and job descriptions, plus the associated personal competencies and (where applicable) qualifications, in the same fashion as various other requirements are described. Prioritize this for positions in which infosec etc. are core parts of the role.

  4. Provide policies, procedures, guidance and perhaps training for anyone conducting job interviews concerning the infosec expectations of suitable candidates. Add suitable reminders or criteria to the forms typically used as part of the interview and employment process e.g. ratings for the candidate's security awareness level ranging from "blissfully ignorant" to "security evangelist". Increase the weightings on security awareness, trustworthiness etc. for roles where it matters the most.

  5. Survey the workforce (staff, managers and pseudo-employees such as contractors, temps, interns, consultants and advisors) regarding their infosec attitudes, knowledge and competencies, and use the survey results to drive through suitable, whole-organization and tailored awareness and training activities.

  6. Proactively reward and encourage those who go the extra mile, for example by reporting infosec issues, risks, events, incidents and near-misses, or engaging in infosec-related activities such as awareness sessions, risk workshops, documenting or reviewing and commenting on infosec policies and procedures etc.

  7. Identify and deal appropriately with individuals who evidently do not espouse the corporate values. This implies systematically monitoring various activities, behaviors, attitudes, incidents, concerns etc. for indicators of concern, assessing them and acting accordingly. Essentially it's a risk management problem. As with other kinds, it makes sense to prioritize the highest risks, such as potentially unethical managers or IT pros who flagrantly disregard various policies and procedures.

I'm not saying it's easy though. It's bound to be tough if senior management and HR don't 'get it'!

Thursday 9 July 2015

Droning on

The security awareness module this month concerns the physical aspects of information security including controlling physical access to information assets.

Seeing a TV program last evening about the NZ police systematically stopping and searching visitors and their cars arriving at a prison, several things occurred to me: 
  1. Some prison visitors aren't exactly the crispiest crackers in the pack.  Despite the strict regulations, the warning signs, the obvious police presence on site and the primetime TV programs (!), they still roll up nonchalantly with barely-concealed drugs, weapons, pathetic excuses and bad attitudes.

  2. Some prison visitors and employees, in contrast, are probably a lot more on the ball ... and some are presumably more creative and ultimately more successful in their endeavours to smuggle in contraband since prisoners evidently have access to tobacco and other drugs, weapons, cellphones and so forth.

  3. What stops smugglers simply dropping contraband over the prison walls using drones? Seriously, how would the prison authorities (a) detect and (b) stop them? Perhaps keeping an active watch for them, then shooting them down or jamming/subverting the wireless remote controls maybe? Radar and automatic ground-to-air weapons?! Or perhaps they just rely on internal detection and confiscation? Drones are readily available, relatively cheap, and are increasingly being used to snoop on neighbours and celebrities (as well as to observe targets and guide-in or deliver lethal payloads in the Middle East) while the controls would be both costly and of limited effect, so I presume this is an increasing risk. 

It's an intriguing and perplexing issue. I'm just glad I'm not responsible for prison security!

Wednesday 8 July 2015

There's enforcement ... and then there's reinforcement


Over on CISSPforum lately, we've been discussing the use of motivational approaches to encourage desired information security behaviors, complementing the use of penalties to discourage undesirable behaviors - in other words, carrot-and-stick.

Walt Williams said:
"If I owned an antivirus company, I'd want all my employees to have my product freely available to them as a "benefit" ... An example that worked nicely at a past employer was use of the company's insurance (auto) at an employee discounted rate for life (even post employment). Other items to consider adding to the list: Better than standard benefits; Better pay than industry averages; Extra pay for on call time; Time off to match on call time to restore work/life balance; Ownership of service improvements (if you see a problem, with management approval, you're allowed to own fixing it). Amazing the job satisfaction this gives."
I've used the free antivirus approach myself back in the 90s: although I didn't work for an antivirus company, I cut a deal with our corporate antivirus supplier to offer free home licenses for employees. It's a win-win situation, of course, since as well as being a welcome information security-related benefit for employees, it reduces the risk of their own IT systems being infected and hence compromising corporate information. These days, I'd suggest extending the deal to mobile devices, especially BYOD of course.

Jason Burzenski said:
"[A] practice to keep in mind for maximizing the effectiveness of your security controls is managing the perception of the controls in your organization.  We may ask users to sign an acceptable use policy once a year but most of them won't care until they hear how Bob in Accounting got written up for plugging in his personal laptop at work.  In my experience, occasionally shining a little bit of light on the users to let them know you're watching is as effective as security training (but in no way replaces training) because you're changing the way they think."
I’ve been ‘shining a little bit of light on the users’ for decades, ever since the times I occasionally rang up workers whose usernames popped up on the VAX console when they repeatedly failed to enter the correct password at login time … partly to find out what was going on, partly to discover who was so forgetful, partly to offer assistance, but mostly to spread the word that the security log was being monitored.

Extending the idea, I like to ‘shine the warm light of recognition’ on people who Do The Right Thing – in other words, rewarding people for acting securely in some way, perhaps reporting incidents and near misses, or actively participating in information risk and security activities of all kinds (note: there's more to this than just compliance).  As a profession, I feel we have a long way to go on that score.  

Rewards are much more motivational than penalties, on the whole.  Think about it, which would you be more likely to tell others about: receiving a reward of some kind from Information Security, or a penalty?  Enforcement through penalties and disincentives is appropriate, sometimes, but so is reinforcement through rewards and incentives.

Walt suggested another cool idea:
"I have a thing at the company where I work called the Information Security Hero.  I publicly laud anyone who does something to advance security, even if it is just providing me a tip about a problem.  While I find it ironic that no one in IT ever won, it is pretentious, and the CEO always publicly praises the winner.  I'm working on getting a real prize. I've also never outed anyone's mistakes, except with their direct manager."
Building further on all of that, I prepared an extensive menu of rewards or prizes. It started out as a rough note scribbled on a Post-It, and gradually evolved into a 2+ page appendix to the ‘train-the-trainer’ guide in Information Security 101, our basic security awareness module.  

We suggest offering appropriate rewards/prizes from the menu to winners of your security awareness quizzes, crosswords, challenges etc., for outstanding participation in security seminars, workshops etc. … and to other security heroes too. 

By the way, I'm idly thinking about adding a further tongue-in-cheek category of booby prizes to the menu.  

If you are willing to share creative ideas for prizes, especially prizes that are in some way relevant to information security, please comment on this blog.


PS  I'm intrigued by the concept of a corporate employee rewards scheme, similar to loyalty cards, giving recipients the incentive to accrue points for Doing Good Things across the board (not just in information security) in order to earn their choice of higher-value prizes (i.e. not just the much-maligned rice-steamer!).  Do you know of such a scheme actually operating anywhere?  How does it work?  Is it just for employees or does it extend to pseudo-employees such as temps, interns, contractors and consultants, perhaps even suppliers, business partners and customers?