Saturday 28 April 2018

Awareness devices

Today in a sudden flash of inspiration I invented a "device", a mechanism to raise awareness. 

It's a graphical image, a metric, a simple visual device, an analytical or rhetorical tool to set people thinking about and discussing the topic - privacy in this case. It explores their perceptions of the state of readiness of the organization to meet the May 25th GDPR deadline. 

The specific thinkers and discussers I have in mind at this point are senior managers, executives or board members, with a significant interest in the organization's readiness for GDPR. They ought to know where things stand, and ought to have a reasonable grasp of the situation, but do they? The device is a way to find out.

Generalizing from there, with minor changes the same device could be used to stimulate analysis and discussion on almost any deadline or situation where there are several non-exclusive options or possibilities on the table, and inherent uncertainties. That's most business decisions, then! It's something I'm sure I'll be using elsewhere in awareness materials, training courses and more.

While it could be used by individuals working in private, it is really intended for group or team settings where people feed off each other's energy and hopefully reach a consensus. Stimulating a productive discussion around a given topic is the main awareness goal, with measuring and comparing perceptions a subsidiary aim.

There are loads of techniques for creative thinking and teamwork so I'd be amazed if my idea is totally novel (and potentially patentable!) ... which hints at the value of exploring and exploiting such methods for awareness and training purposes. It exemplifies the value of employing professionals to handle awareness and training, people like me with sufficient experience and interest to make interesting stuff happen. Another nail in the coffin of those deadly dull death-by-Powerpoint bullet-point-ridden torture sessions that pass for awareness and training in some organizations, stuck firmly in the Dark Ages.

So that's it for today. May's module is nearly over the line, down to the last few hours' slog. Must dash ...

Wednesday 25 April 2018

Making an impact

I'm working on an assignment, writing a few hundred words of awareness content for a client on each of a range of information security topics - all topics on which we have prepared entire awareness modules previously. "Privacy", for instance and, today, "Portable IT device security".

I estimated taking an hour or two to prepare each piece. That turned out to be underestimated by about 100%, partly because it's a new format for a new client. As I settle in to the routine and respond to feedback from the client, it's getting easier and quicker with each passing topic. Hopefully I'll hit my estimate by the time we're done!

The subject matter is the easy bit. The challenge is to condense each topic to its bare essentials, express them in a readable and engaging style, and close with some pragmatic action-oriented advice. There's quite a variety of information security risks and controls relevant to, say, portable IT devices, lots of situations and threats to consider, and lots of things to advise people to do. I could easily write thousands of words and throw in a few diagrams, mind maps and figures each worth thousands more ... but for this client I only have a page or two to play with. I spend much of the time deciding what to leave out, then carefully shaving superfluous words from what remains.

In the end, we're hoping the awareness material will grab someone's attention for a brief moment, register with them and influence their behavior - easier said than done in the modern age. We're all constantly bombarded by information. As I compose these very words on one screen, I'm listening to music, watching stuff flow past on another screen, thinking about emails and to-do lists and Anzac Day, and idly wondering what's for tea. With so much happening on interrupt these days, it's tougher than ever to concentrate on and complete specific tasks. Deadlines are under threat as we constantly deal with things, adjust priorities and try not to lose the tattered remains of our sanity.

I'm in the fortunate position of working from a home office. I'm in charge here, in control of my environment and workload. In the typical modern open-plan office or Dilbert's cubicle-land, the distractions must be immense, especially with those portable IT devices constantly bleeping for our attention like annoying electronic toddlers. "Office hours" have become irrelevant for many as commuting and home time are consumed by left-over tasks and invaded by further distractions, while at the same time personal life intrudes into the daily grind with social media messages and texts from friends and rellies - thanks largely to those portable IT devices again.

So much for work-life balance. What an oxymoron.

There's a lot to be said for separating private and working lives, prohibiting private social media access in the office for example. On the other hand, BYOD goes the other way: fine, go ahead, use your pink jewel-studded Barbie smartphone for work and, yes, it's OK to take personal calls and tweet if you must, but if the boss calls at 9:30 pm, you had better pick up.

The consequences go further than stress and blurred responsibilities. Information overload is A Thing. The human race is distracted to the point of losing sight of important stuff which (to me at least) includes information risk, security, privacy And All That.

So, the job of a security awareness pro comes down to catching people's attention and exploiting fleeting opportunities. I don't tweet but patently I do blog. Our awareness materials span a range from about 100 words to a few thousands, in a variety of formats and styles. As far as possible we try to inject some life and interest into the dry subject matter, and generally make an impact.

A lasting impact, now that would be good. Hmmm. What else can we do to hammer this stuff home? Suggestions please, in no more than 2 or 3 short words ... and forgive me if I don't respond. Must dash.

Tuesday 24 April 2018

Privacy policies under GDPR [UPDATED x3]

As the world plummets towards the May 25th GDPR deadline, organizations are hurriedly revising their web-based privacy policies to align with both the new regulatory regime and their internal privacy practices.

From May 10th, PayPal, for instance, has a new ~4,000-word, ~11-A4-page privacy policy - well, several in fact depending on the user's location. Among other things, I notice that they "do not respond to DNT signals" (meaning, I think, that they simply ignore the Do Not Track flag sent by cautious browsers) and they:
"... maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Data against loss, misuse, unauthorized access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centers, and information access authorization controls ..."
Providing 'reasonable' protection is perhaps all we can expect of anyone. It would be unreasonable to insist on absolute security, although it would be nice to have greater assurance than a simple assertion, such as confirmation that their privacy and data security measures have been competently and independently checked (audited) for compliance with applicable legal and regulatory obligations (GDPR for instance), as well as good practices such as the ISO27k or NIST SP800 standards.

Google's privacy policy was revised in December. It has a similar length and structure to the PayPal one, with personal choice and transparency being prominent up-front.

Google does mention compliance:
"... We regularly review our compliance with our Privacy Policy. We also adhere to several self regulatory frameworks, including the EU-US and Swiss-US Privacy Shield Frameworks ..." 
There's nothing in there about GDPR compliance as yet, and personally I'm dubious about the assurance value of the Privacy Shield which, as I understand it, is another self-assertion rather than an independent audit and certification mechanism.

Although the information security section highlights a few specific controls, most remain unspecified.

Re people deleting their personal information, I like the way they put this:
"... We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems ..." 
They are right in saying that backups and other measures are needed for security and resilience reasons, which can make it tricky to ensure that all primary and backup copies of personal data are revised or deleted in line with privacy requirements. It might be nice to know that those backups will eventually expire and be deleted too, preferably within a 'reasonable' period (maybe a year?) but formally ensuring that happens across such a massive, complex and dynamic network would be tough too. So they don't even make the promise. Seems fair enough to me, provided their approach fulfills their privacy obligations, and I'm not in a position to challenge that.

In contrast to PayPal and Google, Santander UK's 'privacy statement' follows the typical European structure and style. It is much shorter (just the 2 pages, not 11) with only brief, plain English statements in most cases, such as this carefully-crafted line near the top:
"We're committed to keeping your personal information safe and confidential both online and offline."
Although that may or may not be a strict promise in the legal sense of a warranty or contractual obligation, it's reassuring to know, especially right up-front. If you can't be bothered to read the rest of the statement, it's a comforting message to take away.

The rest of the message includes the obligatory yawn-inducing tripe about cookies that most EU sites are compelled to trot out as a result of some EU bureaucrat or committee's edict, I guess. What were they thinking it would achieve? Had they no idea how the Web works? Oh well. Aside from that drivel, most of the other sections are an admirable 1-3 sentences each - readable and sufficiently informative for an overview. As an infosec pro, I would have preferred links to further details on many areas but I accept I am "special".

[Update 25th April] Twitter's new privacy policy that comes into effect a month from today is another lengthy tome of about 11-12 pages, although they have at least made an effort to provide a readable summary version as well.

[Update 26th April] The Facebook/Cambridge Analytica privacy breach, plus the widespread adoption of GDPR, may mark a turning point in US attitudes towards privacy and personal data. As I understand it, if the Social Media Privacy Protection and Consumer Rights Act for instance became law as proposed, it would give Americans the rights to opt out of having to provide their personal data [to social media sites] and have the [social media] sites delete any or all of their personal data. It would force the [social media] sites to clarify their terms of service, and introduce a 72 hour privacy breach notification rule [for social media sites?] - requirements curiously similar to the EU and OECD approach to privacy, including GDPR. The apparent myopic focus purely on social media sites strikes me as odd, though, given that the same issues affect anyone using personal data, including big business, the marketing industry and the US Government. Aha, the light just went on.

Meanwhile, Facebook is preparing to update its privacy policy on some as yet unspecified date. The new version is ~4,300 words and ~12 A4 pages, with no mention of GDPR. The pattern is becoming clear.

[Update 27th April] GoDaddy's new privacy policy is shorter, simpler and clearer than those of most US organizations. There's also a Privacy Center, essentially an FAQ or help page with minimal content at present, but hopefully that will be fleshed out in time. Good on 'em! It doesn't mention GDPR as such but the phrasing (such as 'only using personal data for the purposes for which it was provided' and having a Data Protection Officer) suggests GDPR compliance is an objective.

Monday 23 April 2018

David v Goliath

Thanks to a mention in the latest RISKS-list email, I've been reading a blog piece by Bruce Schneier about the Facebook incident and changing US cultural attitudes towards privacy.
"As creepy as Facebook is turning out to be, the entire industry is far creepier. It has existed in secret far too long, and it's up to lawmakers to force these companies into the public spotlight, where we can all decide if this is how we want society to operate and -- if not -- what to do about it ... [The smartphone] is probably the most intimate surveillance device ever invented. It tracks our location continuously, so it knows where we live, where we work, and where we spend our time. It's the first and last thing we check in a day, so it knows when we wake up and when we go to sleep. We all have one, so it knows who we sleep with."
With thousands of data brokers in the US actively obtaining and trading personal information between a far larger number of sources and exploiters, broad-spectrum and mass surveillance is clearly a massive issue in America. The size and value of the commercial market makes it especially difficult to reconcile the rights and expectations of individuals against those of big business, plus the government and security services. This is David and Goliath stuff.

GDPR is the EU's attempt to re-balance the equation by imposing massive fines on noncompliant organizations: over the next few years, we'll see how well that works in practice. 

Meanwhile, US-based privacy advocates such as EPIC and EFF have been bravely fighting the individuals' corner. I wonder if they would consider joining forces? 

Friday 20 April 2018

Whistleblower policy (UPDATED)

For more than two decades now, I have been fascinated by whistleblowers - people who blow the whistle on various forms of impropriety. 

In my experience, they are high-integrity, ethically-motivated and aggrieved individuals willing to take a stand rather than put up with Things That Should Not Be Going On. They are powerful change agents. To my mind, they are brave heroes taking significant risks to their careers, personal lives, liberty and safety (nods hat to Ed Snowden among others).

I've blogged about it several times, most recently at the start of this month when I said:
Organizations clearly need strategies, policies and procedures for receiving and dealing with incident notifications and warnings of all sorts. 
And that set me thinking: do we actually offer anything along those lines - any awareness and training materials supporting such activities?

We don't currently have a whistleblower policy as such in our suite of information security policy templates, although the term is mentioned in a few of them, generally in reference to a "Whistleblowers' Hotline". We envisage a corporate service being run by a trustworthy, competent and independent person or group such as Internal Audit, or a suitable external service provider.

Whistleblowing has certainly come up in the context of oversight, compliance, governance, fraud etc., so we ought to check through the back catalog to see what we have to hand in the way of guidance/awareness content. I'm thinking the incident management procedures might be adapted to suit, but what else is there? I'll be exploring this further, figuring out the common approaches and concerns and perhaps drafting a whistleblower policy.

This is partially relevant to May's materials on GDPR in that compliant organizations are expected to receive and address privacy-related requests and complaints in a professional manner, a process that arguably ought to be in effect today but patently (in my unhappy experience with a certain French hotel chain, for example) it ain't necessarily so. The controversial right to be forgotten, for instance, requires organizations to expunge personal information on request from a data subject, a situation that strongly suggests a serious breakdown of trust between the parties, perhaps as a result of an undisclosed incident. There may be no formal obligation for individuals to explain why they want their personal information erased, but asking the question at least would seem like a sensible thing for the organization to do. It might suggest the need for further investigation, even if the person's reasons are withheld or obscure.

Obvious when you think about it. I wonder how many are?

Update (June 1st) - a whistleblowing policy template is included in the 'Incidents and disasters' security awareness module.

Thursday 19 April 2018

Looking beyond the horizon [UPDATED]

We are fast approaching an event horizon - May 25th 2018 - beyond which the privacy landscape will be changed forever.

As of today, most of the world respects the rights of individuals to control information about themselves that they consider personal, with the glaring exception of the US which treats personal information as merely another information asset, to be obtained, exploited and traded the same as any other. The changes brought about by GDPR will directly and indirectly affect the whole world, including the US in ways that are not entirely clear at this precise point.

The European Union anticipates the whole world falling neatly into line, playing the privacy game the EU way or facing punitive fines until they do. 

Some players in the US are making noises about continuing their exploitation of personal information with impunity, perhaps grudgingly paying their GDPR fines but only after a massive playground punch-up over whether the EU's rules even apply to the US, and without necessarily falling into line. [Cue cartoon of someone's eyes rolling like a fruit machine, stopping on $$$ $$$ to the sound of a ker-ching cash register or tinkle-tinkle Vegas coin payout.]

Some are talking about fracturing the Internet along the GDPR/non-GDPR boundary, maintaining different privacy rules and approaches on each side and somehow handling the not inconsiderable issue of personal information crossing the boundary. I think this is either fake news, panic, bravado or tongue-in-cheekiness, not dissimilar to those cranky but desperate suggestions to call the year 2000 "199A" followed by "199B" giving a stay of execution for the non-Y2K compliant organizations, perhaps, but a world of pain for the rest of us. 

This strikes me as an interesting perspective to get management thinking differently about GDPR, in strategic business terms. 

Another approach we'll be taking is to treat personal information as a valuable and sensitive information asset not totally dissimilar to secret recipes for herbs and spices, business plans, customer and prospect lists, and more - another opportunity to get management thinking differently about privacy. Securing personal info is not just A Jolly Good Idea for compliance reasons.

Those two concepts, plus the remainder of the awareness materials for May, are all aimed at raising awareness of the privacy and related issues. As always, we'll be supplying a blend of factual information, motivational suggestions, tools and techniques, metrics, strategic options, policy matters, guidance and more: if you think your GDPR project would benefit from any of this, email me - if you care about crossing the event horizon at full pelt on both feet anyway, rather than crawling exhaustedly across the line, collapsing dejectedly in a heap on the home straight, or sticking your head in the sand and pretending it won't affect you. We have awareness content on privacy and other information security topics ready to deliver today, and we're working hard on the privacy and GDPR awareness module for delivery to subscribers on May 1st, for sure. Will your GDPR/privacy awareness stuff be done in time? With just 35 days remaining, have you even started preparing it yet?! Good luck Jim.

[Added 20th April] Talking of heads-in-sand, what do you make of this?

Wednesday 18 April 2018

GDPR full immersion

Today I've dived deep into GDPR, poring over, becoming immersed in and trying to make sense of the legislation.

The regulation itself is freely available online - handy really since it is intended to apply and to be implemented and complied-with very widely.

It is an official EU regulation, almost a law, and as such it has clearly been drafted by and for the lawyers. Readability is clearly not as high on their priority list as making it watertight.

So, the door swings open to interpret and explain it for the common man and, for that matter, the common manager.

Tuesday 17 April 2018

GDPR countdown

A countdown is a common way to align everyone towards some event - the launch of a space mission or start of a new year for instance, or the completion of your GDPR compliance project. As a communications, awareness and motivational technique, countdowns work well for that rather narrow objective, focusing attention on a given point in time.

With a little more creativity and effort, it's not hard to use countdowns to get people to re-assess their progress and maybe prioritize things on the way down to the deadline ... and then to follow-through with count-ups - in other words, keep the timer going past the zero point, displaying the time since the deadline passed or expired. 

This is often done for overdue activities, starting with gentle reminders then steadily ramping up the pressure (red reminders, warnings) and perhaps escalating matters (court orders, bailiffs) as time marches inexorably on. 

Before you know it, the point-in-time spot focus has turned into a zone of concern, with an accompanying sequence of activities, a plan and a process. 

The passage of time can also be used in a more positive manner, in the sense of "Look how far we've come!". It is generally implied in the concept of maturity. It takes time to reach then stabilize and become comfortable at each level before starting the assault on the next, like climbing the stairs or a mountain. [Maturity also implies gaining competence and wisdom, which are the more obvious objectives.]

A related concept is that of momentum or inertia - winding things up to reach a critical speed, then sustaining it as long as possible. This is not just Newton's first law of motion as it literally applies to boulders, wheels and space rockets in the physical world. It's also figurative, applying to organizations and processes, even to individuals. Our energy/activity levels and motivations vary and, to an extent, can be influenced by others. Some things fire us up and get us going. Others wear us out and exhaust us. Understanding the difference goes a long way towards making awareness activities more effective.

I'll end with a simple suggestion to use the countdown to the GDPR go-live deadline quite deliberately as a means to align and drive everyone to May 25th, and perhaps to lead them ever onward and upwards thereafter, having hopefully achieved the specific goal. Privacy is no less important on May 26th!

To the GDPR deadline ... and beyond!

Monday 16 April 2018

Skunkworks & 7 other awareness strategies

Over the weekend, I've been mulling over the issue I raised at the end of last week about how to get management fully behind the security awareness and training efforts. I've come up with several possible strategies.

A skunkworks approach is one possibility.
"The designation 'skunk works' or 'skunkworks' is widely used in business, engineering, and technical fields to describe a group within an organization given a high degree of autonomy and unhampered by bureaucracy, with the task of working on advanced or secret projects."

The idea is to assemble a small close-knit group of like-minded colleagues to work informally ('unhampered by bureaucracy') on management's awareness, specifically, with the aim of formally proposing an organization-wide security awareness and training program once management's interest has been piqued. Being a small team with a narrowly-defined purpose, the work can probably be done without dedicated resources, with no need for a project team and budget, or even timescale as such. The interest-piquing initial management awareness part can usefully take place in parallel with drafting the formal proposal, saving elapsed time and hopefully ensuring that the proposal aligns with management's evolving perspective. [Hinson tip: it would help if one or two friendly senior managers were brought in on the cunning plan early on, though, to smooth the way once the strategy comes into view. Most of all, it would need at least one passionate leader, someone with the enthusiasm and energy to fire it up, get it rolling and keep it going for as long as it takes.]

Aside from skunkworks, there are at least 7 other strategies ...

#1 A risky, almost Machiavellian strategy is to engineer a crisis in which unawareness plays a crucial part, more likely seizing upon an opportunity such as an information security incident or an impending compliance deadline (such as May 25th ...) to catch management's attention first, softening them up for the follow-through "What we need right now is {ta-daaaaah} a Security Awareness and Training Program, just like this!". [Hinson tip: suggesting that awareness is The Ultimate Answer To Everything would be unwise but I'm convinced it is a valuable, or rather necessary part of the grand solution. It's hard to imagine anyone seriously suggesting that awareness is unnecessary, let alone detrimental.]

#2 Compliance is a strong driver. Scan applicable laws, regulations, contractual commitments etc. for any obligatory/mandatory requirements to run security awareness and training, plus any recommended/advisory suggestions or other hints that doing so might be A Jolly Good Idea. It's worth systematically assessing internal requirements too, such as corporate policies: aside from any specific mention of security awareness [Hinson tip: ... which the canny CISO or ISM will have previously slipped quietly into the security policies], there's an obvious need to make people aware of the policies if they are expected to know about and comply with them. Security standards such as the ISO27k and NIST SP800 series are further sources of advice, along with PCI-DSS, COBIT and others, although those are aimed at information security pros rather than general management, so would need to be interpreted somewhat to draw out the business advantages ...

#3 ... which leads to another approach: position security awareness as a tool supporting information risk management, information security, compliance, governance, privacy, safety, assurance And All That - or, even stronger still, as a business enabler. Given the choice, this is my preferred approach, directly supporting the idea that information security isn't just something that ought to be done because somebody says so: it is necessary for business reasons, and commercially valuable in its own right. [Hinson tip: it helps of course if management is already sold on the need for information risk management, preferably a structured, comprehensive approach. If they are not, we're heading back to square 1 and the conundrum I raised last week: to get awareness, first we need awareness. The difference here is that although management may not initially be keen on security awareness, hopefully they appreciate the need for information security, if only grudgingly for compliance reasons.]

#4 A related suggestion is to integrate security awareness with other planned business and security initiatives - not just tacked casually on the side as an optional extra (where it is vulnerable to being chopped at the outset, or later on when the going gets tough) but as a necessary core activity, an essential or fundamental part. This is easiest with information security projects, naturally, and not too hard with most IT- and information-related business change projects (e.g. all things cloudy). It takes more creativity, effort and care, though, to position security awareness as an integral part of other business activities, with rapidly diminishing returns, aside perhaps from hooking up with other forms of awareness and training (e.g. health and safety). Again there are risks here in pushing too hard. If management consciously chops out or cuts down on security awareness, it's going to be harder to get them back behind it later on, at least not until they've forgotten what they did! If you ever get to the point of someone saying "Oh no, not that bloody awareness stuff again! Give it a rest!" you'll know you've gone way too far. [Hinson tip: if the awareness stuff is robustly blocked, try to get the blockers to acknowledge that it is 'not appropriate right now' rather than accepting a flat-out "No!", preferably in writing even if YOU have to write it! Leave the door open for a later approach, when the time is ripe. Strategy is a long-term game, so think things through and keep on stacking the deck in your favor. Your time will come, glasshopper.]

#5 Divide and conquer involves putting effort into persuading specific senior managers, individually at first, of the value of security awareness, then working with them on a plan to convince their peers. As individuals are persuaded, put them in touch with each other. Using management's power and comms structure requires political acumen and drive, which is why I suggest singling-out and collaborating with friendly senior managers: they should know how stuff gets done, and hopefully how to avoid the potholes and barriers that those lower in the pecking order may not even appreciate. They are also a relatively soft-sell: if you can't convince them that awareness is worth doing, what are your chances of persuading the rest of management? [Hinson tip: watch out for those hot buttons - things that catch their imagination, spark genuine interest and hence show real promise. Emphasizing them in subsequent comms makes a lot of sense, perhaps to the point of building proposals around them.]

#6 If the previous strategies seem too much like hard work, here is a low effort low impact approach. Let your awareness and training activities evolve naturally, growing gradually from whatever you are doing already. This is a long, slow, plodding method, but that doesn't automatically discount it. This is the default approach, the straw-man against which to compare the other strategies. [Hinson tip: for more traction, it's possible to accelerate the rate of change using metrics - particularly my favorite, maturity metrics. Measure the current awareness and training activities relative to accepted good practices*, both to define the starting point and to drive improvements. Once things start working more effectively and efficiently, the metrics will demonstrate progress, which in turn encourages more effort - a positive feedback loop that you can use to your advantage. Obvious when you think about it, or when you stumble across it on some random blog ...] 

#7 'Some random blog' brings me to my final strategy: proactively use social networks and social media for security awareness purposes. Email this blog's URL to your colleagues to pump-prime the discussions about strategies that might be worth pursuing. Set up a 'friends of infosec' mailing list or group at work to drip-feed and discuss relevant news, gently and repeatedly reminding people of the value of security awareness, in the sense of spotting emerging risks and avoiding nasty surprises. Publish relevant clips and links to awareness stuff on information security's intranet Security Zone. Mention security awareness in responses and comments to other people's blogs, emails and assorted corridor-comms at work. Drop it casually into your progress reports and management updates. Mention it to your esteemed colleagues from Risk, Privacy, Compliance and Audit over coffee, lunch or beer. Pop it in your newsletters. Be enthusiastic or evangelical like me, hopefully not boring and obnoxious though. [Hinson tip: bring this up in your blog, too. I've scratched your back ...].

* Get in touch for help with that. Awareness metrics are right up my street.

Friday 13 April 2018

Friday 13th


Today is Friday the thirteenth, a classic opportunity to do something special as part of the security awareness program. How about organizing a fancy dress day with a parade, award ceremony and after-hours social event? 

The horror movie theme is obvious, perhaps too obvious ... but it's not hard to think of variants, ranging from the very simplest "Wear black or blood red" through "Dig out your best Halloween costumes" to "Audition to be a horror movie extra". You might give it more of an information risk and security spin by circulating stuff about malware, scams/frauds and nasty incidents, or not: a more subtle association might be good enough, a way to lighten up a bit.

I appreciate it's far too late now to organize anything special for today but if you are keen, there are lots more awareness opportunities coming up throughout the year:
  • May 25th, GDPR implementation deadline, an obvious candidate for a privacy day (we're already on to that one!);
  • Other Friday thirteenths (the next is in July, then none until 2019) and Halloween (the last day of October, on a Wednesday this year);
  • Black Friday, the day after Thanksgiving, when everybody allegedly goes mad doing their shopping online in the run-up to Christmas. Possible awareness topics are online/Internet security, identification and authentication, performance and availability, business continuity ...
  • Minefield Monday, Super Tuesday, Wonderful Wednesday, Thunderous Thursday, Farcical Friday or whatever: nothing stops you inventing a special themed day (or a week or more) and running activities on some awareness topic that needs a boost. If it is not a public event, though, you and your team will have to do all the publicity yourselves; 
  • Turn a specific awareness topic into a themed event - a backup day, maybe, or patch Tuesday, or ... well hopefully you get the idea;
  • April Fool's Day - how about focusing on social engineering or fraud?
  • Hook in with special events such as "tax day", "world safety day", new year's day, election day and the like, finding and exploiting the information risk and security angles, perhaps in conjunction with colleagues from Health and Safety, Facilities, Finance, Risk Management, Legal/Compliance etc. 
If none of these ideas grabs your imagination, perhaps your colleagues can come up with something better. Turn that into a challenge if you like, opening it up to the workforce to get creative and suggest an information security themed day, event or activity.

Bringing managers up to speed

Today I Googled across a thought-provoking opinion piece in Computerworld back in 2008. Jay Cline's top 5 mistakes of privacy awareness programs were:
  1. Doing separate training for privacy, security, records management and code of ethics. 

  2. Equating "campaign" with "program." 

  3. Equating "awareness" with "training." 

  4. Using one or two communications channels. 

  5. No measurement. 
Hmmm, not a bad list that. I've trimmed almost all of it away so if those few remaining words intrigue you, please read the original article.

We've been addressing all those points since launching our awareness services back in 2003. It's galling, though, to note that those 'top 5 mistakes' are still evident today in the way that most organizations tackle awareness. 

We're doing our best to take current practice up a level through this blog, our awareness materials and services, and occasional articles. Perhaps we need a change of approach ... and we're working on that.


Jay's list of mistakes could be extended. In particular, most awareness programs focus on general employees or "end users". While Jay mentions offering role-based training for particular specialists, I feel that still leaves a gaping hole in awareness coverage, namely management. You could say they are specialists in managing, although there's no hint of that in Jay's piece.

Looking again at the list, all those mistakes could be classed as management or governance issues, being problems in the way the awareness and training programs and activities are structured and driven ... which, to me at least, implies the need to address that. It's a root cause. If management doesn't first notice that mistakes are being made, and then join-the-dots to figure out that the way security awareness as a whole is handled is probably causing the mistakes, then we're unlikely to see much improvement.

So, raising management's awareness of information security, risk, compliance, privacy, accountability, governance, assurance and so forth makes a lot of sense ... which is exactly what we aim to do through the management stream in our awareness materials. If management truly 'gets it', the awareness task becomes much more straightforward, giving the awareness and training program as a whole a much greater probability of success, leading to a widespread culture of security.

That leaves us with a chicken-and-egg conundrum though. If management doesn't quite 'get it', in other words if this security awareness stuff doesn't presently register with them as an issue worth investing in (or, more often, is treated as something trivial best left to IT or HR, with no real support and bugger all resources), then how can we tackle management's lack of awareness and break the deadlock?

I'll leave you now to contemplate that question, as I will be doing over the weekend. Maybe the vague thoughts I have in mind will crystallize into something more concrete for the blog next week. Meanwhile, by all means chip-in through the blog comments, or email me directly. I'd love to know what you think, especially any innovative and effective solutions you can offer. Is this an issue you face? How are you tackling it, or planning to do so? 

Wednesday 11 April 2018

A rich seam

Surprisingly often, a breaking news story falls into our laps at precisely the right moment.

Today, I've been developing a general staff awareness presentation on privacy. Three core messages appeal to me, this time around:
  1. Privacy is an ethical consideration - something we anticipate or expect of each other as members of a civilized society.
  2. Privacy is also a compliance obligation - something enshrined in the laws of the land and imposed on our organizations.
  3. Those two issues together make privacy a business issue.
So, what's been all over the news lately in relation to privacy? Why, the latest Facebook incident, of course. 

I'm not going to re-hash the story now, nor draw out the privacy lessons for you. I've given you more than enough of a clue already, and if you read the press coverage with a slightly cynical and jaundiced eye, you'll find your own take on the incident - as indeed will our subscribers' employees ... which makes it an excellent, highly relevant case study to incorporate into the awareness content.

Thanks to the saturation media coverage, we barely need mention 'Facebook' for people to think of the incident. Almost all will have seen the news reports. Those who use Facebook (a substantial proportion of people, we are led to believe) probably have perfectly reasonable concerns about their own privacy. Those who don't use it are also implicated, although we might need to explain that a little. Either way, it's something they can relate to, a story that resonates and has impact. We can pose a few questions that they can contemplate, in their own way, in their own time.

We will exploit their interest to engage them with the awareness program so, in a way, we are also exploiting the victims' personal information, but (we assert) it's for their own good, for the benefit of their employer and for the sake of human society. We mean well. We are not even vaguely approaching the boundaries of decency or legislation. Public incidents of this nature are perfectly legitimate and in fact rich resources for awareness, training and educational purposes. It would be a waste to let them drift back below our consciousness without milking them for all they're worth.

The real trick is to be constantly scanning the horizon for relevant news items. Information security is such a broad topic that finding stuff is hardly ever the issue - the very opposite in fact. The Facebook incident, for instance, is directly and obviously relevant to privacy, but also to incident management, compliance, governance, information risk, information security, cybersecurity, social engineering, fraud, accountability, business continuity and more.

Ethically speaking, I have no qualms about using reported incidents in this way, particularly where the protagonists are implicated in the incidents rather than merely being the poor unfortunate victims of some malicious third party. I'm currently trying to track down the original source of a quoted Goldman Sachs assessment of the eye-wateringly huge amount of revenue Facebook may forgo once GDPR comes into effect, with the strong implication that they have been making their fortune by exploiting the personal information of their users. OK so it may have been entirely legal, but was it appropriate? Was it ethical? Was it socially acceptable? These rhetorical questions hint at how we might explore the same incident from the business perspective in the management awareness materials, making a link that will hopefully get staff and managers thinking and talking animatedly about privacy.

And that's another security awareness win, right there.

Tuesday 10 April 2018

Privacy guide

Aside from revising the materials from the privacy awareness module delivered last November, we're planning some brand new even fresher content this time around.

The imminent go-live date for GDPR is the most obvious reason for updating and re-issuing the privacy materials in May. It's timely. The awareness content should prove useful for organizations that are on-track for the May 25th deadline, helping to explain the hubbub to people who are not so directly involved in the GDPR changes. 

It may also be the final wake-up call for those who are still oblivious, ignorant of the wider effects GDPR will have, both within and beyond the EU. As of today, we're not exactly sure what changes to make though. More research required yet.

Another brand new awareness item we're planning to write and deliver this time around is a 'privacy guide' - a document explaining privacy concepts and practices in a way that hopefully grabs attention, informing and stimulating readers to take account of privacy in how they behave. 

The privacy guide will be a challenge to write, not least because it's a new format we have in mind. When it's done, we'll have a model document to turn into a template or skeleton for future awareness topics, where applicable. I'm already thinking a 'malware guide' and 'social engineering guide' might be worth the effort, provided this first one goes to plan.

Monday 9 April 2018

GDPR final countdown


We've started working on May's awareness module - the final episode in a privacy series timed to support the run-up and coincide with GDPR (the General Data Protection Regulation) implementation.

It would be hard to find anything new to say this time around if it weren't for the fact that our customers are in a different situation now than when the privacy modules were released previously. They should all (hopefully!) be in the final throes of their GDPR compliance projects. Some may have had a lot of work to do, clarifying and analyzing the requirements, substantially modifying IT systems and business processes, and liaising with assorted information service suppliers to ensure they too will be compliant by May 25th. Others may have had an easier time with most of the requirements covered already. All will be anticipating the changes in their own organizations, and in others since we are all connected. 

The awareness materials they need now are (to some extent) different to those that were relevant before, with new perspectives and concerns. While the basics about privacy, risk, confidentiality etc. are the same as ever, saturation coverage of GDPR in the mainstream media is likely to grab attention for at least a few days around the 25th, hence we're planning for the awareness materials and activities to complement and build on that. 

Looking further forward, there are likely to be more peaks in media coverage when the first organizations are taken to task under GDPR and fined for privacy incidents. We're seeing the effect right now with Facebook and Zuckerberg all over the news - and that's a story we can hook into as well.

Sunday 8 April 2018

The value of forms


Assorted vendor questionnaires and/or other audits, surveys, inquiries, pre-contract assessments, compliance reviews, self-assessments, invitations to tender etc. received by the organization indicate various issues that are evidently of concern to third-parties such as customers, suppliers and stakeholders. Likewise those sent out by the organization to third-parties. 

The forms and responses are part of the assurance processes associated with:
  • Selecting between and contracting with third parties;
  • Establishing, checking on and maintaining ongoing business relationships;
  • Communicating relevant information, in the hope of concealing or identifying possible issues and concerns (depending on who is providing and consuming the information!);
  • Due diligence or due care, satisfying compliance obligations and clarifying liabilities (in the same way that failing to declare relevant matters on an insurance application or claim form can invalidate the cover, the information exchanged or withheld in the course of contracting may become significant in the event of a later incident ...);
  • Increasing understanding and trust between the parties concerned.
Given its importance and value, the associated information (both the blank forms and the responses) perhaps ought to be included in information inventories, leading to the associated risks being managed in the same way as other information risks. 

For example, an engineering company might issue a set of specifications and ask a bunch of possible titanium suppliers a set of questions exploring their capabilities to deliver titanium of the specified quality. The criteria that matter most to the customer can be directly inferred from the questions asked, including the way they are worded (e.g. massive clues such as some being identified as "mandatory" requirements, and more subtle cues such as the order of the questions). Other potentially relevant issues that aren't even mentioned on the form are probably of lesser or no concern. Therefore, the blank form gives insight into the customer's key specifications.

A given titanium supplier would handle several such exchanges in a year, gradually gaining a view on their customers' requirements. If, say, the metal's hardness was an issue that came up in every case, that would clearly be a more important product criterion than, say, malleability, ductility, density or purity that were only brought up occasionally. Likewise for vendor capability questions such as financial stability. Is that a universal concern? How does it stand in relation to, say, years of trading or size of company? 
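The aggregation described in the last two paragraphs can be automated once the questionnaires are in the information inventory. The following is an added example, not code from the original post: it takes a set of questionnaires (constructed here for illustration, using the titanium scenario), counts how often each criterion is asked, weights questions marked "mandatory" and questions near the top of the form more heavily (that weighting is an assumption of this example, not a published method), and ranks the criteria. It also lists items on the supplier's own checklist that no customer has ever asked about.

```python
"""Infer what customers care about from a stack of vendor questionnaires.

Added example, not code from the original post. The four questionnaires
are constructed for illustration, and the weighting (mandatory questions
count double, earlier questions count a little more than later ones) is
an assumption, not a published method.
"""
from collections import defaultdict

# Constructed sample: each questionnaire is an ordered list of
# (criterion asked about, whether the customer marked it "mandatory").
QUESTIONNAIRES = {
    "customer-A": [("hardness", True), ("purity", True),
                   ("financial stability", False), ("ductility", False)],
    "customer-B": [("hardness", True), ("financial stability", True),
                   ("density", False)],
    "customer-C": [("hardness", False), ("years trading", False),
                   ("purity", False)],
    "customer-D": [("hardness", True), ("financial stability", False),
                   ("malleability", False)],
}


def score_criteria(questionnaires, mandatory_weight=2.0, position_decay=0.9):
    """Aggregate every criterion across all questionnaires.

    Returns {criterion: {"count": times asked, "mandatory": times marked
    mandatory, "score": weighted importance}}.  A question's weight is
    mandatory_weight if flagged mandatory, else 1.0, scaled by
    position_decay ** position so questions near the top count more.
    """
    stats = defaultdict(lambda: {"count": 0, "mandatory": 0, "score": 0.0})
    for questions in questionnaires.values():
        for position, (criterion, mandatory) in enumerate(questions):
            entry = stats[criterion]
            entry["count"] += 1
            entry["mandatory"] += int(mandatory)
            weight = mandatory_weight if mandatory else 1.0
            entry["score"] += weight * (position_decay ** position)
    return dict(stats)


def rank_criteria(questionnaires, **weights):
    """Return (criterion, fraction of questionnaires asking, mandatory count,
    score) tuples, most important first; ties broken alphabetically."""
    stats = score_criteria(questionnaires, **weights)
    total = len(questionnaires)
    ordered = sorted(stats.items(), key=lambda kv: (-kv[1]["score"], kv[0]))
    return [(name, s["count"] / total, s["mandatory"], round(s["score"], 3))
            for name, s in ordered]


def never_asked(questionnaires, candidates):
    """Criteria from our own checklist that no customer has asked about:
    probably of lesser concern to them, per the argument in the post."""
    asked = {c for qs in questionnaires.values() for c, _ in qs}
    return sorted(set(candidates) - asked)


if __name__ == "__main__":
    for name, frac, mand, score in rank_criteria(QUESTIONNAIRES):
        print(f"{name:20s} asked in {frac:4.0%} of forms, "
              f"mandatory {mand}x, score {score}")
    print("never asked:", never_asked(QUESTIONNAIRES,
                                      ["hardness", "purity", "ISO 9001", "lead time"]))
```

With the constructed forms, hardness comes out on top (asked on every form, mandatory on three), financial stability second, and the occasional properties trail far behind, which is exactly the inference the paragraph above draws by eye. The same script, pointed at the forms the organization sends out, shows third parties what it is telling them about its own priorities.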

So, do you manage the information risks associated with vendor questionnaires and the like? Is this stuff on your risk-radar, or off the screen? I must admit if this hadn't come up on the ISO27k Forum so soon after we had completed the awareness module on assurance, it may not have occurred to me.

By the way, similar considerations apply to other kinds of forms, questionnaires, surveys, audit or self-assessment checklists etc. Both the blank and the completed forms reveal valuable/important information that may be relevant to information risk and security. The questions asked on, say, a passport application form plus the credentials requested tell us something about what the passport agency considers important in relation to establishing an applicant's identity, just as an applicant's responses tell the agency about the applicant: it's a two-way exchange of information. 

Thursday 5 April 2018

Fail fast, fail often

'Fail fast, fail often' is the creative idea that businesses (or business units, departments, teams, projects or even individuals) can deliberately push the envelope, innovating and taking chances (knowingly accepting some risks) to the point that they are prepared to fail.

'Fail often' is about being well-practiced at dealing with failure, having the appropriate arrangements in place, and responding positively - bouncing back on the front foot rather than being knocked back and landing in a heap, nursing their wounds. It's certainly not about wanting or trying to fail, nor being inept, incompetent or reckless - far from it. It's about consciously and deliberately choosing to get into some risky situations for sound business reasons, based on information and projections about the risks and opportunities, the costs and benefits. That takes a mature approach to risk management, business continuity management in particular. More than simply accepting that shit happens, it involves being or getting ready to deal with it, and having the fortitude to press ahead anyway. 
Those last two clauses are linked by the way. 'Being ready for whatever may happen' supports 'pressing ahead anyway' - it's assurance. It's the reason fast cars have good brakes. Would you hurtle if you didn't think you could stop smartly?

'Fail often' also implies taking bigger/more chances where the consequences of failure are lower - little fails are dealable-with. Total balls-out disasters are organization-, career- and maybe life-threatening. The point is to gain experience and become well-practiced under relatively limited or controlled conditions before heading out on to the highway in your brand new Bugatti.

'Fail fast' means spotting (at the earliest opportunity) when things look like they are going tits-up and dealing effectively with that developing situation to forestall and either avoid or minimize the damage, rather than failing to notice and respond both in good time and appropriately. This is another angle to risk management. It's mostly about situational awareness - spotting the little dog or kid about to run across the road, or the concrete lorry swerving desperately to avoid it. Knowing how to respond is another part of it.

Security awareness supports both 'fail fast' and 'fail often' ... or rather, given the right approach, it can do:
  • Being more aware of the things that might possibly go wrong makes managers and other business people and advisers more able to plan and prepare for them - and more likely to spot them coming (just as the driving instructor says "Watch out for kids" near a school or playground); 
  • Having the knowledge and the tools/methods - the competences - to explore and treat information risks improves the quality of decision making and actions. Knowing that there are options, alternative approaches, other possibilities, means less likelihood of being driven down a dead-end street by someone too blinkered to appreciate there might be other routes;
  • Being better informed raises the game for everyone involved. Even something as simple as being familiar with terms such as resilience, recovery and contingency gives risk and security-aware managers the advantage over their less clued-up peers. It certainly makes discussion more fruitful, less frustrating!;
  • Understanding the wider context gives security-aware people a broader perspective on things, with less chance of literally 'being caught unawares'.
An obvious application of this in the IT/information sphere is agile software development - a suite of methods that aims to make changes to software systems much more frequent, albeit smaller, than through the traditional waterfall approach. There are numerous information risks associated with all software developments, and of course with the systems being developed. There are also numerous ways to deal with those risks. Security-aware people know this and are in a good position to take advantage of the possibilities and shortcuts, while avoiding the potholes. Security-ignorant people risk being taken advantage of, misled, hoodwinked into unwise decisions, led down the garden path and perhaps dumped unceremoniously down the well.

Less obviously, risk awareness supports decisions and actions in a far wider range of situations. I'm a big fan of prioritization as a universal approach, particularly risk-based and value-based prioritization: identify and deal with the most risky, most valuable stuff first and then work your way down to lesser priorities, constantly re-evaluating and monitoring for changes. If at any point you are stopped - maybe run out of money, suffer an incident or experience a dramatic change of circumstances - at least you can say you've secured the big wins already.
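Risk- and value-based prioritization with a hard stop is easy to make concrete. The following is an added example, not code from the original post: each candidate treatment carries a likelihood, an impact, the fraction of exposure it removes and a cost (all figures constructed for illustration); treatments are taken in order of exposure removed per unit of cost until the budget is exhausted. That greedy ratio rule is a common heuristic rather than an optimal allocation, and is an assumption of this example.

```python
"""Risk- and value-based prioritisation with a budget cut-off.

Added example, not from the original post. The five treatments, their
scores and the budget are constructed; the ranking rule (exposure removed
per unit of cost, greedily) is a common heuristic, not an optimal
knapsack solution, and is stated here as an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Treatment:
    name: str
    likelihood: float   # annual probability the risk materialises, 0..1
    impact: float       # loss if it does (same currency as cost)
    reduction: float    # fraction of exposure this treatment removes, 0..1
    cost: float

    @property
    def exposure(self) -> float:
        return self.likelihood * self.impact          # annualised loss expectancy

    @property
    def benefit(self) -> float:
        return self.exposure * self.reduction         # exposure removed

    @property
    def ratio(self) -> float:
        return self.benefit / self.cost               # "bang per buck"


# Constructed sample portfolio (figures are illustrative only).
TREATMENTS = [
    Treatment("Phishing-resistant MFA for admins", 0.5, 400_000, 0.8, 30_000),
    Treatment("Offline backups with restore tests", 0.2, 1_000_000, 0.9, 50_000),
    Treatment("Staff awareness programme", 0.6, 100_000, 0.5, 10_000),
    Treatment("Full DLP rollout", 0.1, 300_000, 0.7, 120_000),
    Treatment("Vendor questionnaire review", 0.3, 50_000, 0.4, 5_000),
]


def prioritise(treatments, budget):
    """Work down the list best-ratio-first, skipping anything that no longer
    fits.  Returns (chosen names in order, residual exposure, spend), so that
    if the money runs out part-way the big wins are already banked."""
    remaining = budget
    chosen = []
    residual = sum(t.exposure for t in treatments)
    for t in sorted(treatments, key=lambda t: (-t.ratio, t.name)):
        if t.cost <= remaining:
            chosen.append(t.name)
            remaining -= t.cost
            residual -= t.benefit
    return chosen, round(residual, 2), round(budget - remaining, 2)


if __name__ == "__main__":
    chosen, residual, spent = prioritise(TREATMENTS, budget=70_000)
    print("do first:", chosen)
    print(f"spent {spent:,.0f}, residual exposure {residual:,.0f}")
```

Note what the cut-off does: with a 70,000 budget the backups project (second-best ratio, but 50,000) no longer fits once MFA is funded, so the cheaper awareness and vendor-review items are banked instead and backups wait for the next re-evaluation. Re-running the ranking as likelihoods, impacts or budgets change is the "constantly re-evaluating" part.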

Wednesday 4 April 2018

7 top tips on documentation

This piece was inspired by a disarmingly simple request on the ISO27k Forum.

Tom is implementing an Information Security Management System using the ISO27k standards, in a small company with fewer than 25 employees. 

Tom said "I think I need to understand better what should be documented and what not".

Good question, Tom!
  1. Documenting stuff forces you to concentrate and think carefully about whatever you are writing about. You focus on the topic at hand. It involves and requires a deeper level of analysis than simply doing stuff.

    [Hinson tip: preparing documentation is an intellectual process that benefits from experience and expertise. Don't leave it to the office junior, or the person who is generally considered useless and hence has time on their hands. Don't leave it 'til the last minute. Invest in doing it properly and reap the rewards.]

  2. For anything formal (such as policies and procedures) the documentation process generally involves a sequence of activities, several of which get other people involved e.g. in preparing, reviewing, authorizing and using the documentation … so the end products capture and bring together the knowledge of several people. It’s a team effort, a collaboration, a meeting-of-minds. Working together, you are greater than the sum of the parts.

    [Hinson tip: assemble a productive team, aligned on common goals and motivated to do a good job. Manage the documentation process and see tip 7.]

  3. The documentation acts as a proxy for the decisions and activities described.

    [Hinson tip: you can explain stuff to the auditors using the documents. You can guide and train people using the documents. You can review and update the decisions and activities by reviewing and updating the documents. Within reason, documentation is good ... however ...]

  4. The value of documentation depends on the extent to which the decisions and activities (what people actually do) match the documentation (what they should be doing). This critical control involves aspects such as training, oversight, compliance enforcement and reinforcement, plus the wider business and organizational context – the culture. Do your people read and follow documentation, on the whole, or do they only reluctantly refer to it if there’s a problem, or because the auditors are coming? The way stuff is written and used is extremely important here: it has to be clear and motivational. It needs to be well structured (both the individual items and the overall suite of materials), well designed, well written. It will probably work better if supported by guidelines, training materials and so on.

    [Hinson tip: you can even develop metrics to drive these things in a positive direction, if that’s important to you. Ask me how.]

  5. The auditors will object if people don’t do what they are supposed to do, according to the documentation. It's not (just) that auditors are objectionable or sticklers for details. The auditor’s nose is like a bloodhound’s, seeking out these little discrepancies which are legion. Any substantial discrepancies will be reported and may be A Problem for you.

    [Hinson tip: counter this by being smart about the way things are written: if people have choices and other options, say so – give them discretion in the documentation. If some things are definite rules and requirements (especially your key controls), be crystal clear about the mandatory bits. For example, reserve “must” and “must not” for absolute mandatory requirements and prohibitions, using “may” or “should” or "ought" or "can"  or other such phrasing for the advisory stuff … and have a process to deal with exemptions (authorized non-compliance) and exceptions (unauthorized non-compliance incidents). If the auditors complain about discretionary things not being done as per the documentation, push back by pointing out that they are discretionary for good reason: business comes first. Business people are grown-ups! They are not just empowered, they are expected to do what's best for the organization, within the constraints of the mandatory bits.]

  6. It’s all too easy for docu-philes to write and write [and write] but that can be costly and counterproductive. Keep it simple especially at the start. You can always elaborate later if things are unclear or are not working as planned, or if you discover workable short-cuts and improvements (that's 'maturity'). If you don’t write enough, there is not enough guidance for the people who need it, with gaps and omissions that force them to make stuff up. If you write too much, it won’t be read and it’s expensive to maintain, while inconsistencies and conflicts are more likely. There are information risks either way … which you need to manage. This is something only you can do: without more information about your situation, I can’t advise you on the volume, depth and breadth of your documentation, other than to start small.

    [Hinson tip: use diagrams and illustrations, not just words. It takes extra effort and different skills to draw neat process diagrams, for instance, but they make the sequence clearer for users and act as a tl;dr summary for those who aren't sure they want to read the whole thing. A picture paints a thousand words, and can be 'a work of art', eh Picasso?] 

  7. Designing, building, using and maintaining the documentation suite is itself a process that can be managed, formally designed and documented … but don’t lose the plot. ISO/IEC 27009 is a prime example of when the formalities go a step too far: an internal committee advisory about how to write industry-specific variants of the ISO27k standards unwisely became a published standard, causing problems for the very committee that wrote it! There is some advantage in making the documentation process effective and efficient (especially if you are doing a lot of important documentation, in a big company), but don’t go overboard.

    [Hinson tip: take a look at how other policies and procedures in your organization are managed for clues about how to make it work best. Let the process evolve naturally until it works well for you and then capture it in writing only if there is a genuine need for the red tape.]
If this seems too hard, too much effort, there are shortcuts such as employing competent professional authors (such as me) and using templates. Treat it as a small investment to get to a better result more quickly and efficiently than you would otherwise achieve.
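The "must" versus "should" convention in tip 5 is worth checking mechanically before the auditors do it for you. The following is an added example, not code from the original post: it splits a policy into sentences, classifies each by its modal verb (mandatory, advisory, mixed or merely informative), flags sentences that mix a rule with discretionary advice, and extracts the mandatory statements as a numbered checklist. The sample policy is constructed, and the REQ-nnn numbering is an assumption of this example.

```python
"""Sort policy statements into mandatory and advisory by their modal verbs.

Added example, not code from the original post.  It applies the convention
tip 5 describes ("must"/"must not" for absolute requirements; "should",
"may", "can", "ought" for discretionary guidance); the sample policy text is
constructed, and the REQ-nnn numbering is an assumption of this example.
"""
import re

MANDATORY = re.compile(r"\b(must not|must|shall not|shall)\b", re.IGNORECASE)
ADVISORY = re.compile(r"\b(should not|should|may|can|ought)\b", re.IGNORECASE)
# Naive splitter: a sentence ends at . ! or ? followed by whitespace.
SENTENCE_END = re.compile(r"(?<=[.!?])\s+")

# Constructed sample policy, one statement per line.
SAMPLE_POLICY = """
Privileged accounts must use multi-factor authentication.
Passwords must not be shared between users.
Staff should complete the annual awareness module within 30 days of joining.
Team leads may grant temporary read access to project folders.
This policy applies to all employees and contractors.
Laptops must be encrypted and should be locked out of sight when left in vehicles.
Exemptions can be requested from the CISO, who must record the decision.
"""


def split_sentences(text):
    return [s.strip() for s in SENTENCE_END.split(text.strip()) if s.strip()]


def classify(sentence):
    """mandatory, advisory, mixed (both in one sentence: split it up) or
    informative (no modal verb, so nothing for an auditor to test).
    Caveat: "may" also matches the month name, so keep dates out of rule
    text or strip them before classifying."""
    mandatory = bool(MANDATORY.search(sentence))
    advisory = bool(ADVISORY.search(sentence))
    if mandatory and advisory:
        return "mixed"
    if mandatory:
        return "mandatory"
    if advisory:
        return "advisory"
    return "informative"


def audit_policy(text):
    """Group every sentence of a policy under its classification."""
    groups = {"mandatory": [], "advisory": [], "mixed": [], "informative": []}
    for sentence in split_sentences(text):
        groups[classify(sentence)].append(sentence)
    return groups


def checklist(text):
    """Numbered list of the mandatory statements: the things an auditor can
    legitimately test compliance against."""
    return [f"REQ-{i:03d}: {s}"
            for i, s in enumerate(audit_policy(text)["mandatory"], start=1)]


if __name__ == "__main__":
    groups = audit_policy(SAMPLE_POLICY)
    for kind, sentences in groups.items():
        print(f"{kind}: {len(sentences)}")
    for line in checklist(SAMPLE_POLICY):
        print(line)
    for s in groups["mixed"]:
        print("split this one:", s)
```

The "mixed" bucket is the one to act on: a sentence such as "Laptops must be encrypted and should be locked out of sight" invites an auditor to treat the whole thing as mandatory, so break it into one rule and one piece of advice. The checklist of mandatory statements is also a handy starting point for the exemptions register, since those are the only statements an exemption can apply to.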