Posts

Showing posts from September, 2017

Complying with Finagle's Law

Finagle's law elaborates on Sod's law: not only will anything that can go wrong, go wrong, but it will do so at the worst possible time. With our self-imposed end of month deadline fast approaching, October's awareness module was close to being completed ... until a hardware failure caused a day's delay. A solid state disk drive gave up the ghost without warning last night. Naturally being highly security-aware we have backups, lots of backups, but rebuilding/restoring the system on a new disk inevitably takes time. Bang went my Saturday! October's module is entirely new, being a new awareness topic for us, so it has taken longer than normal to prepare the module, leaving little slack in our schedule. Such is life.  So, tomorrow I'll be slogging through what remains of the weekend, doing my level best to catch up and complete the materials for delivery on Monday, hopefully. On the upside, our backups worked! We had enough spare hardware to survive this incident...

Strategic alignment

On the ISO27k Forum this morning, a member from a financial services company asked for some advice on aligning IT and Security with overall corporate/business strategies. He said, in part: "Organizational level strategic plan, covering its core business, has been derived. And it includes what is expected from Technology and Security departments, i.e. to keep customers, shareholders happy and to provide safe and secure technology services. [I need] to prepare a strategic plan decoded from organization's strategy, specifically for Technology and Security department, with goals, objectives, principles etc. So for achieving this, my approach is to understand each business strategy and determine the possible ways that Technology and Security team can help it. Business strategy -> Technology strategy -> Security Strategy" I strongly support the idea of explicitly linking 'our stuff' with corporate/business strategies (plus initiatives, ...

Safe & secure

The Coming Software Apocalypse is a long, well-written article about the growing difficulties of coding extremely complex modern software systems. With something in the order of 30 to 100 million lines of program code controlling fly-by-wire planes and cars, these are way too large and complicated for even gifted programmers to master single-handedly, while inadequate specifications, resource constraints, tight/unrealistic delivery deadlines, laziness/corner-cutting, bloat, cloud, teamwork, compliance assessments plus airtight change controls, and integrated development environments can make matters worse. Author James Somers spins the article around a central point. The coding part of software development is a tough intellectual challenge: programmers write programs telling computers to do stuff, leaving them divorced from the stuff - the business end of their efforts - by several intervening, dynamic and interactive layers of complexity. Since there's only so much they ca...

Compliance culture

A discussion thread on CISSPforum about the security consequences of (some) software developers taking the easy option by grabbing code snippets off the Web rather than figuring things out for themselves (making sure they are appropriate and, of course, secure) set me thinking about human nature. We're all prone to 'taking the easy option'. You could say humans, and in fact all animals, are inherently lazy. Given the choice, we are inclined to cut corners and do the least amount possible, making this the default approach in almost all circumstances. We'd rather conserve our energy for more important things such as feeding and procreating. Yesterday, Deborah mentioned being parked at a junction in town near a one-way side road. In the few minutes she was there, she saw at least 3 cars disregard the no-entry signs, breaking the law rather than driving around the block to enter the side road from the proper direction. Sure they saved themselves a minute or so, but at what ...

Five-step bulletproofing?

In the course of searching for case study materials and quotations to illustrate October's awareness materials, I came across 5 ways to create a bulletproof security culture by Brian Stafford. Brian's 5 ways are, roughly:

- Get Back to Basics - address human behaviors including errors. Fair enough. The Information Security 101 awareness module we updated last month is precisely for a back-to-basics approach, including fundamental concepts, attitudes and behaviors.
- Reinvent the Org Chart - have the CISO report to the CEO. Brian doesn't explain why but it's pretty obvious, especially if you accept that the organization's culture is like a cloak that covers everyone, and strong leadership is the primary way of influencing it. The reporting relationship is only part of the issue though: proper governance is a bigger consideration, for example aligning the management of information risks and assets with that for other kinds of risk and asset. Also security metrics...

Security culture sit rep

October's awareness module is gradually taking shape. The management and professionals' seminar slide decks and notes are about 80% done. They're quite intense, earnest and rather dull though, so we need something inspiring to liven things up a bit. More thinking and digging around required yet. Meanwhile, the staff/general materials are coming along too. The next 7 days will be busy, systematically writing, revising, aligning and polishing the content until it gleams and glints in the sun - talking of which, we set the clocks forward an hour tonight for summer time: it has been a long, wet NZ winter this year.

Cultured security

Aside from concerning the attitudes and values shared within groups, or its use in microbiology (!), there's another meaning of 'culture' relating to being suave and sophisticated. In the information risk and security context, it's about both being and appearing professional, exuding competence and quality - and that can be quite important if you consider the alternative. Given the choice, would you be happy interacting and doing business with an organization that is, or appears to be, uncultured - crude, slapdash, unreliable etc.? Or would you be somewhat reluctant to trust them? There are some obvious examples in the news headlines most weeks: any organization that suffers a major privacy breach, hack, ransomware or other incident comes across as a victim and arguably perhaps culpable for the situation. It's hardly a glowing endorsement of their information risk, security, privacy and compliance arrangements! Contrast their position against the majority of orga...

Phishing awareness & cultural change

This plopped into my inbox last evening at about 8pm, when both ANZ customers and the ANZ fraud and security pros are mostly off-guard, relaxing at home. It's clearly a phishing attack, obvious for all sorts of reasons (e.g. the spelling and grammatical errors, the spurious justification and call to action, the non-ANZ hyperlink, oh and the fact that I don't have an ANZ account!) - obvious to me, anyway, and I hope obvious to ANZ customers, assuming they are sufficiently security-aware to spot the clues. I guess the phishers are either hoping to trick victims into disclosing their ANZ credentials directly, or persuade them to reveal enough that they can trick the bank into accepting a change of the mobile phone number presumably being used for two-factor authentication, or for password resets. Right now (8 am, 12 hours after the attack) I can't see this particular attack mentioned explicitly on the ANZ site, although there is some basic guidance on "hoax messages ...
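The "non-ANZ hyperlink" clue above is the one that can be checked mechanically rather than by eye. The following is an added example, not code from the original post or from ANZ: it extracts the anchors from a constructed lure message and flags any link whose host is not the brand's own domain (or a subdomain of it), plus any link whose displayed text names a different host than the one it actually points to. The brand domain list and the sample message body are assumptions for illustration; the look-alike host in the sample is invented.

```python
"""Added example (not from the original post): flag non-brand and
mismatched hyperlinks in a phishing lure.

Assumptions: BRAND_DOMAINS is an illustrative allow-list of hosts the bank
would legitimately link to; SAMPLE_HTML is a constructed message whose link
host is invented for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of legitimate brand domains (subdomains also accepted).
BRAND_DOMAINS = ("anz.co.nz", "anz.com")

# Constructed sample lure: typical urgency text plus a look-alike link whose
# host merely *starts* with the brand name. The second link is legitimate.
SAMPLE_HTML = """
<p>Dear Valued Customer,</p>
<p>We have detect unusual activity on your account. To avoid suspention,
please <a href="http://anz.co.nz.secure-login.example/verify">www.anz.co.nz/secure</a>
within 24 hours.</p>
<p>Or use <a href="https://www.anz.co.nz/">our homepage</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_matches_brand(host, brand_domains=BRAND_DOMAINS):
    """True only if host equals a brand domain or is a subdomain of one.

    The check is on the *suffix*: 'anz.co.nz.secure-login.example' does not
    match because the brand string is a prefix of the host, which is exactly
    the look-alike trick a naive substring test would miss.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def displayed_host(text):
    """Hostname named by anchor text that looks like a URL, else ''."""
    if text.startswith(("http://", "https://")):
        return (urlparse(text).hostname or "").lower()
    if text.startswith("www."):
        return (urlparse("http://" + text).hostname or "").lower()
    return ""


def check_links(html, brand_domains=BRAND_DOMAINS):
    """Return a list of (href, reason) findings for suspicious anchors."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if not host_matches_brand(host, brand_domains):
            findings.append((href, f"link host '{host}' is not a brand domain"))
        elif parsed.scheme != "https":
            findings.append((href, "brand link not served over https"))
        shown = displayed_host(text)
        if shown and shown != host:
            findings.append((href, f"text shows '{shown}' but link goes to '{host}'"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_HTML):
        print(f"{reason}: {href}")
```

On the constructed sample this reports two findings, both against the first link (non-brand host, and displayed host differing from the real target), and nothing against the genuine https://www.anz.co.nz/ link. The suffix-based `host_matches_brand` is the part worth copying: matching on "contains anz.co.nz" would have passed the look-alike host.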

What is 'security culture'?

For some while now, I've been contemplating what security culture actually means, in practice. Thinking back to the organizations in which I have worked, they have all had it to some extent (otherwise they probably wouldn't have employed someone like me!) but there were differences in the cultures. What were they? Weaknesses in corporate security cultures are also evident in organizations that end up on the 6 o'clock news as a result of security and privacy incidents. In the extreme, the marked absence of a security culture implies more than just casual risk-taking. There's a reckless air to them with people (including management - in fact managers in particular) deliberately doing things they know they shouldn't, not just bending the rules and pushing the boundaries of acceptable behavior but, in some cases, breaking laws and regulations. That's an insecurity culture! The strength of the security culture is a relative rather than absolute measure: it's a matt...

Symbolic security

An article bemoaning the lack of an iconic image for the field of "risk management" (e.g. the insurance industry) applies to information risk and security as well. We don't really have one either. Well maybe we do: there are padlocks, chains and keys, hackers in hoodies and those Anonymous facemasks a-plenty (a minute's image-Googling easily demonstrates that). Trouble is that the common images tend to emphasize threats and controls, constraints and costs. All very negative. A big downer. Information risk and security may never be soft and cuddly ... but I'm sure we can do more to distance ourselves from the usual negative imagery and perceptions. I really like the idea of information security being an enabler, allowing the organization to do stuff (business!) that would otherwise be too risky. So I'll be spending idle moments at the weekend thinking how to sum that concept up in an iconic image. Preferably something pink and fluffy, with no threatening overtones.

Surveying the corporate security culture

Inspired perhaps by yesterday's blog about the Security Culture Framework, today we have been busy on a security culture survey, metrics being the first stage of the SCF. We've designed a disarmingly straightforward single-sided form posing just a few simple but carefully-crafted questions around the corporate security culture. Despite its apparent simplicity, the survey form is quite complex with several distinct but related purposes or objectives: Although the form is being prepared as an MS Word document with the intention of being self-completed on paper by respondents (primarily general staff), the form could just as easily be used for an online survey on the corporate intranet, a survey app, or a facilitated survey (like shoppers being stopped in the shopping mall by friendly people with clipboards ... and free product samples to give away). The survey form is of course part of our security awareness product, linking-in with and supporting the other awareness content...

Book review: Build a Security Culture

In preparing for our forthcoming awareness module on security culture, I've been re-reading and contemplating Kai Roer's Security Culture Framework (SCF) - a structured management approach with 4 phases.

1. Metrics: set goals and measure

Speaking as an advocate of security metrics, this sounds a good place to start - or at least it would be if SCF explored the goals in some depth first, rather than leaping directly into SMART metrics: there's not much point evaluating or designing possible metrics until you know what needs to be measured. In this context, understanding the organization's strategic objectives would be a useful setting-off point. SCF talks about 'result goals' (are there any other kind?) and 'learning outcomes' (which implies that learning is a goal - but why? What is the value or purpose of learning?): what about business objectives for safely exploiting and protecting valuable information? SCF seems to have sidestepped more fundamenta...

Security culture

Last night we watched a documentary on the History Channel about 9-11 - a mix of amateur and professional footage that took me back to a Belgian hotel room in 2001, watching incredulously as the nightmare unfolded on TV. Tonight there are more 9-11 documentaries, one of which concerns The War On Terror. As with The War On Drugs and The War On Poverty, we're never going to celebrate victory as such: as fast as we approach the target, it morphs and recedes from view. It's an endless journey. The idea of waging war on something is a rallying cry, meant to sound inspirational and positive. In some (but not all) cultures it is ... and yet, in a literal sense, it's hard to imagine any sane, level-headed person truly relishing the thought of going to war. According to Margaret Atwood, "War is what happens when language fails", in other words when negotiations fail to the point that violent action is perceived as the best, or last remaining, option. In truth, The War On...

Security certification

Aside from the elevator pitch, another short awareness item in our newly-revised Information Security 101 module is a course completion certificate, simply acknowledging that someone has been through the induction or orientation course. I say 'simply' but as usual, there's more to it. For a start, some of us (especially those who consider ourselves 'professionals') just love our certificates: our qualifications and the letters before/after our names mean something to us and hopefully other people. This is a personal thing with cultural relevance, and it's context-dependent (my 30-year-old PhD in microbial genetics has next to nothing to do with my present role!). My even older cycling proficiency certificate is meaningless now, barely a memory, but at the time I was proud of my achievement. Receiving it boosted my self-esteem, as valuable a benefit as being able to demonstrate my prowess on two wheels. I'm tempted to use Cprof on my business cards just to...

Passwords are dead

I've blogged about passwords several times. It's a zombie topic, one that refuses to go away or just lie down and die quietly. On CISSPforum, we've been idly chatting about user authentication for a week or so. The consensus is that passwords are a lousy way to authenticate, for several reasons. First the obvious. Passwords are:

- Hard to remember, at least good ones are, especially if we are forced to think up new ones periodically for no particular reason;
- Generally weak and easily guessed, due to the previous point;
- Sometimes generated and issued, not chosen or changeable by the user;
- Readily shared or disclosed (e.g. by watching us type), or written down;
- Readily obtained by force, coercion, deception and other forms of social engineering such as phishing or password reset tricks, or interception, or hacking, or brute force attacks, or spyware or ... well clearly there are lots of attacks;
- Often re-used (for different sites/apps etc., and over time).

Next comes some les...

InfoSec 101 elevator pitch, final part

Moving on from our discussion of the first two paragraphs of this month's elevator pitch paper, here's the closing paragraph: As a manager, you play a vital governance, leadership and oversight rôle. Please make the effort to engage with and support the security awareness program, discuss information risk and security with your colleagues, and help us strengthen the corporate security culture. In classical marketing terms, it's the call-to-action for people who have been lured and hooked. Having presented our case, what do we actually want them to do? Compared to the preceding two, the third paragraph is quite long. While we could easily have dropped the first sentence, it serves a purpose. It shows deference to the management audience, acknowledging their influential and powerful status, gently reminding them that they are expected to direct and oversee things. Essentially (in not so many words), it says "Pay attention! This is an obligation, one of...

InfoSec 101 elevator pitch, part 2 of 3

Yesterday, I started telling you about one of the smallest deliverables in our awareness portfolio, the elevator pitch aimed at senior executive management. Despite its diminutive size, a lot of effort goes into selecting and fine-tuning those 100-odd words. [Sorry if this detailed deconstruction of the pitch one paragraph at a time is tedious but I think it's useful to understand the design, the purpose of the page and the thinking that goes into it. As far as I know, we are the only security awareness provider specifically targeting senior management in this way. I've made disparaging comments in the past about awareness programs aimed at "end-users": neglecting other employees - especially managers and professionals - seems incredibly short-sighted to me, a bit like trying to teach the passengers how to drive a car, ignoring the driver and the mechanics.] OK, pressing swiftly ahead, the elevator pitch can be interrupted at any point. If someone is presenting or t...