Friday 30 November 2018

Security awareness on oversight

We bring the year to a close with an awareness and training module on a universal control that is applicable and valuable in virtually all situations in some form or other.  
Oversight blends monitoring and watching-over with directing, supervising and guiding, a uniquely powerful combination.
The diversity and flexibility of the risk and control principles behind oversight are applied naturally by default, and can be substantially strengthened where appropriate. Understanding the fundamentals is the first step towards making oversight more effective, hence this is a cracker of an awareness topic with broad relevance to information risk and security, compliance, governance, safety and all that jazz.
It’s hard to conceive of a security awareness and training program that would not cover oversight, but for most it is implicit, lurking quietly in the background.  We have drawn it out, putting it front and center.  
In the most general sense, very few activities would benefit from not being overseen in some fashion, either by the people and machines performing them or by third parties.
To a large extent, management is the practical application of oversight.  It’s also fundamental to governance, compliance and many controls, including most of those in information risk and security. 
Imagine if you can a world without any form of oversight where:
  • People and organizations were free to do exactly as they wish without fear of anyone spotting and reacting to their activities;
  • Robotic machines operated totally autonomously, with nobody monitoring or controlling them;
  • Organizations, groups and individuals acted with impunity, doing whatever they felt like without any guidance, direction or limits, nobody checking up on them or telling them what to do or not to do;
  • Compliance was optional at best, and governance was conspicuously absent. 
Such a world may be utopia for anarchists, egocentrics and despots but a nightmare scenario for information risk and security professionals, and for any civilized society!

P-day

My lack of blogging lately is due to working flat-out to complete December's security awareness module on oversight. 

Today, Friday the 30th of November, it's P-day here in the IsecT office:
  • Posters - two more poster designs are due in from the art department today. This close to the deadline I'd be worried except that, over the years, we have developed a close relationship and understanding with the supplier. I'm confident we'll get the stuff on time, and that it will be good.  Generally, it's right-first-time, which is nice. Our contingency plan involves crayons and a scanner - not pretty but, um, distinctive!

  • Proofreading - checking through the materials for errors and omissions, opportunities for improvement, loose ends to be tied-off and so on. This is oversight, in action. 

  • Polishing - tying-off those loose ends and finalizing the materials. Often I find that having prepared the content for the first stream, working on the second stream reminds me about stuff we should mention or incorporate into the first stream - and the same again with the third stream. There is some iteration, followed by a further round of checks to ensure that all three streams end up consistent, yet reflect the distinct perspectives of the three target audiences.

  • Packaging - we currently use WinZip to package and deliver the materials, an awkward, slow, costly and poorly-supported utility. We really ought to look for a better alternative. Suggestions welcome.

  • Publishing - uploading the materials to the server for customers, updating the website to describe the new module, and notifying subscribers is almost the last step, except for a quick update to this blog if I have time ... because it is ...

  • POETS day - once the month's work is done, it's play time, where 'play' partly involves catching up with all the other stuff that has been piling up on our to-do lists lately - ISO27k drafts to comment on, customers to contact, prospects to persuade, payments to chase. Plus a little R&R. Maybe a small dry sherry and an hour in front of the goggle-box if I'm lucky.
All too soon the cycle turns and it'll be time to start next month's juggling act, the final one of the year. I'll be blogging about our next awareness topic soon. Watch this space ...

Saturday 24 November 2018

Elaborating on information risk

High-level corporate, project and personal objectives are often very vague - “A trusted partner”, “A safe pair of hands” or “The best!”. Same thing with corporate mission statements (“Don’t be evil”), marketing/branding (“Just do it”), politics (“Vive la revolution!”) and more. To act on and hopefully achieve them in a rational, directed or controlled manner involves understanding what they really mean, peeling back the layers, exploring the meanings and interpretations in more detail – a process that is inherently uncertain i.e. risky. The upside risk (opportunity) arises from the understanding, insight, specificity and consensus generated as they are discussed, amplified and clarified, while the downside risk includes the opposites e.g. misunderstandings, hand-waving generalities and fragmentation of objectives. 

ISO/IEC 27001 tries to persuade organizations to think through their corporate or business objectives, elaborating on the information risk and security implications which form the main drivers for the Information Security Management System. I’m not entirely sure it succeeds though! Section 4 on the context for the ISMS is extremely important to the ultimate success of the ISMS but the standard's wording is succinct and complex, open to a wide variety of interpretations. It’s a topic we often discuss on the ISO27k Forum. 

It’s a tricky thing to do at the outset of an ISMS design and implementation … and, by the way, something that ought to be actively reviewed and updated as time goes on, not least because the ISMS itself materially changes the organization. A sound ISMS affects not just achievement of the corporate objectives in this area, but opens up further possibilities for the business. A secure organization has more options.

Aside from personal or individual objectives, all the others involve groups of people working towards shared/common objectives (hopefully), and of course that creates room for differences of interpretation, approach, priorities etc. Hence communication is another risky aspect to this – not datacoms but expressing, discussing, understanding and agreeing on complex issues. It includes persuasion, possibly even social-engineering-type manipulation. This very email is an example: I think I know what I’m trying to say, but I’m certain not all of you will read it, get it and agree with every word! I’m taking a small risk by even expressing it. 

In the information security context, we have numerous objectives, some of which are hard to express and pull us in different directions (e.g. strong authentication and access controls reduce the availability of information to legitimate/authorized users as well as to the illegitimate/unauthorized ones; strong compliance can be costly and counterproductive). I maintain that exploring and elaborating on them, emphasizing in particular the infosec objectives that most obviously and directly align with and support the organization’s business/strategic objectives, is a powerful approach. It certainly makes it harder for anyone to block or interfere with the achievement of security objectives. It can be career-limiting to be seen to be acting against the organization’s interests. Resisting without being obvious about it remains a possibility however!

Thursday 22 November 2018

SEC begets better BEC sec

According to an article on CFO.com by Howard Scheck, a former chief accountant of the US Securities and Exchange Commission’s Division of Enforcement: 
"Public companies must assess and calibrate internal accounting controls for the risk of cyber frauds. Companies are now on notice that they must consider cyber threats when devising and maintaining a system of internal accounting controls."
A series of Business Email Compromise frauds (successful social engineering attacks) against US companies evidently prompted the SEC to act. Specifically, according to Howard:
"The commission made it clear that public companies subject to Section 13(b)(2)(B) of the Securities Exchange Act — the federal securities law provision covering internal controls — have an obligation to assess and calibrate internal accounting controls for the risk of cyber frauds and adjust policies and procedures accordingly."
I wonder how the lawyers will interpret that obligation to 'assess and calibrate' the internal accounting controls? I am not a lawyer but 'assessing' typically involves checking or comparing something against specified requirements or specifications (compliance assessments), while 'calibration' may simply mean measuring the amount of discrepancy. 'Adjusting' accounting-related policies and procedures may help reduce the BEC risk, but what about other policies and procedures? What about the technical and physical controls such as user authentication and access controls on the computer systems? What about awareness and training on the 'adjusted' policies and procedures? Aside from 'adjusting', how about instituting entirely new policies and procedures to plug various gaps in the internal controls framework? Taking that part of the CFO article at face value, the SEC appears (to this non-lawyer) very narrowly focused, perhaps even a little misguided. 

Turns out there's more to this:
"As the report warns, companies should be proactive and take steps to consider cyber scams. Specific measures should include:
  • Identify enterprise-wide cybersecurity policies and how they intersect with federal securities laws compliance
  • Update risk assessments for cyber-breach scenarios
  • Identify key controls designed to prevent illegitimate disbursements, or accounting errors from cyber frauds, and understand how they could be circumvented or overridden. Attention should be given to controls for payment requests, payment authorizations, and disbursements approvals — especially those for purported “time-sensitive” and foreign transactions — and to controls involving changes to vendor disbursement data.
  • Evaluate the design and test the operating effectiveness of these key controls
  • Implement necessary control enhancements, including training of personnel
  • Monitor activities, potentially with data analytic tools, for potential illegitimate disbursements
While it’s not addressed in the report, companies could be at risk for disclosure failures after a cyber incident, and CEOs and CFOs are in the SEC’s cross-hairs due to representations in Section 302 Certifications. Therefore, companies should also consider disclosure controls for cyber-breaches."
The Securities Exchange Act became law way back in 1934, well before the Internet or email were invented ... although fraud has been around for millennia. In just 31 pages, the Act led to the formation of the SEC itself and remains a foundation for the oversight and control of US stock exchanges, albeit supported and extended by a raft of related laws and regulations. Today's system of controls has come a long way already and is still evolving.
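As an added illustration of the monitoring and key-control checks in the list quoted above (this is example code, not from the CFO article, the SEC report or this blog), here is a screening pass over constructed payment requests and vendor bank-detail changes. The record layout, the 30-day "recent change" window and the US home country are all assumptions made for the example.

```python
"""Screen disbursement records for the BEC red flags named in the SEC guidance:
recent changes to vendor disbursement data, purportedly time-sensitive foreign
payments, and approvals that have been skipped or overridden.
All records, field names and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

HOME_COUNTRY = "US"            # assumed domicile of the paying company
BANK_CHANGE_WINDOW_DAYS = 30   # assumed: a change this recent is worth a second look


@dataclass
class VendorBankChange:
    vendor_id: str
    changed_on: date
    changed_by: str


@dataclass
class PaymentRequest:
    ref: str
    vendor_id: str
    amount: float
    beneficiary_country: str
    requested_on: date
    requested_by: str
    approved_by: Optional[str]   # None when no approval was recorded
    time_sensitive: bool


def recent_bank_change(req: PaymentRequest,
                       changes: List[VendorBankChange]) -> Optional[VendorBankChange]:
    """Most recent bank-detail change for this vendor inside the window, if any."""
    window_start = req.requested_on - timedelta(days=BANK_CHANGE_WINDOW_DAYS)
    candidates = [c for c in changes
                  if c.vendor_id == req.vendor_id
                  and window_start <= c.changed_on <= req.requested_on]
    return max(candidates, key=lambda c: c.changed_on) if candidates else None


def red_flags(req: PaymentRequest, changes: List[VendorBankChange]) -> List[str]:
    """Return the list of control concerns raised by one payment request."""
    flags: List[str] = []
    change = recent_bank_change(req, changes)
    if change is not None:
        days = (req.requested_on - change.changed_on).days
        flags.append(f"vendor bank details changed {days}d before request by {change.changed_by}")
    if req.time_sensitive and req.beneficiary_country != HOME_COUNTRY:
        flags.append("time-sensitive foreign payment")
    if req.approved_by is None:
        flags.append("no approval recorded")
    elif req.approved_by == req.requested_by:
        flags.append("requester approved own payment (segregation of duties)")
    return flags


def screen(requests: List[PaymentRequest],
           changes: List[VendorBankChange]) -> Dict[str, List[str]]:
    """Map payment ref -> flags for every request that raised at least one flag."""
    results: Dict[str, List[str]] = {}
    for req in requests:
        flags = red_flags(req, changes)
        if flags:
            results[req.ref] = flags
    return results


# Constructed sample data: one vendor whose bank details changed a week before
# an urgent foreign payment that the requester approved themselves.
CHANGES = [
    VendorBankChange("V-100", date(2018, 11, 5), "ap.clerk"),
    VendorBankChange("V-200", date(2018, 6, 1), "ap.clerk"),
]
REQUESTS = [
    PaymentRequest("PAY-1", "V-100", 48500.0, "HK", date(2018, 11, 12),
                   "cfo.office", "cfo.office", True),
    PaymentRequest("PAY-2", "V-200", 1200.0, "US", date(2018, 11, 13),
                   "ap.clerk", "controller", False),
    PaymentRequest("PAY-3", "V-300", 9900.0, "US", date(2018, 11, 14),
                   "ap.clerk", None, False),
]

if __name__ == "__main__":
    for ref, flags in screen(REQUESTS, CHANGES).items():
        print(ref, "->", "; ".join(flags))
```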

Wednesday 21 November 2018

Getting the Board on-board

"Engaging with the board: Five ways for Chief Information Security Officers to stand out" was an excellent advisory from PwC that stimulated me to think of supplementary advice, a set of corollaries for PwC's advice.

PwC tip #1: "Invest in your relationships." 
Hinson tip #1: "Don't focus and rely entirely on individual Board meeting/s". 
Board members may usefully be contacted and briefed or lobbied outside of the meetings, ideally in person over an extended period. You might be introduced through a well-connected senior manager who understands and is sympathetic to the information risk and security objectives (implying they need to be on-board first). Failing that, friendly email, text messages and phone calls work. Better still is to establish a long-term business-like social relationship with the Directors and executives based on mutual respect and trust ... which means finding out about their concerns as much as expressing yours. And, by the way, it's worth asking for feedback and improvement suggestions. Are you pitching stuff appropriately? How could your interactions become more effective?

PwC tip #2: "Be thoughtful when preparing pre-read materials."
Hinson tip #2: "Include the Board and executive/senior management in your security awareness program."  
The PwC advisory mentions that too few Board members are tech-savvy but I'd go further than that. IT/tech and cybersecurity awareness could be higher, yes, but even more important is senior management's broad understanding of information risk and security in general, especially in relation to its value and relevance to the organization's business objectives and to their governance and compliance responsibilities. 

PwC suggests providing executive summaries. A good exec summary doesn't just give a succinct precis of a piece: it catches the reader's eye and intrigues, leading them to want to learn more about the topic at hand. There's an art to writing exec summaries, picking out the key points and expressing them appropriately in as few words as possible, in such a way that readers are willing to read the full version. Despite having been practicing since the 1980s, I still find this as challenging as writing advertisements and marketing copy.

PwC tip #3: "Know your audience."  
Hinson tip #3: "Research the Board." 
Do your homework. Find out who sits on the Board, for starters, and what roles they play. Use Google and LinkedIn to profile them, discovering their experience and interests. Experienced Board members often sit on several Boards, for instance: what else do they do? Ask senior colleagues about Board members and Board business, such as who might be sympathetic or resistant to information security, and what else might be on their plates at the moment. Although Board agendas and minutes tend to be confidential, you have a legitimate interest, potentially a need to know. Discreet inquiry of the right people is not unreasonable.


PwC tip #4: "Be strategic with your time."
Hinson tip #4: "Respect the Board's high level business perspective."
For best effect, all awareness and training materials and activities need to suit their intended audiences. The rather basic fare pitched at employees in general, or the more technical content aimed at specialists, is unlikely to resonate with management. Board members, in particular, have lots of significant issues on their plates already so the security awareness materials need to get straight to the point. Furthermore, their perspective is strategic - high level and broadly concerned about the organization as a whole. So 'the points' (the topics covered and points made) need to be relevant, to resonate with them.

We deliver a stream of awareness content aimed specifically at the management audience, including succinct, high-level, business-like items specifically written with senior/executive management and directors in mind. 

Our portfolio of ~70 topics includes but goes well beyond cybersecurity, covering the organizational context and compliance aspects for instance. Governance, risk, control, effectiveness, efficiency, innovation and maturity are brought up frequently as threads or points of interest and concern in the materials.

PwC tip #5: "Focus on your message."
Hinson tip #5: "Focus on effective comms."
PwC's advice revolves around putting on a good show, a professional, polished performance in front of the Board. That wide-eyed bunny-in-the-headlights look is a classic symptom of someone who is new to the game. Fair enough PwC, but there's more to it than appearance or first night nerves.

Don't forget that Board members are politically-savvy, senior, experienced business people - and human beings with all that entails. Don't be too intense, too pushy or disrespectful. You want/need them on your side. Inform, persuade and motivate them. Actively sense their reactions and responses. Exploit their hot buttons. Treat this as a social engineering challenge if you like. Don't forget that the way you communicate stuff is just as important as the content - not just the message but how and when you express it including the context or situation.  

And the best way to get that right is to practice as often as you can, which takes us neatly back to the start. If attending Board meetings is just a fairly routine part of your ongoing productive dialog and trusted relationship with senior managers, you're on to a winner. 

Tuesday 20 November 2018

Go ahead, make my day


What can be done about the semi-literate reprobates spewing forth this sort of technobabble nonsense via email? 
"hello, my prey.
I write you since I attached a trojan on the web site with porn which you have visited.My malware captured all your private data and switched on your camera which recorded the act of your wank. Just after that the malware saved your contact list.I will erase the compromising video records and data if you pay me 350 EURO in bitcoin. This is wallet address for payment : [string redacted]
I give you 30h after you view my message for making the transaction.As soon as you read the message I'll know it immediately.It is not necessary to tell me that you have paid to me. This wallet address is connected to you, my system will delete everything automatically after transfer confirmation.If you need 48h just Open the calculator on your desktop and press +++If you don't pay, I'll send dirt to all your contacts.      Let me remind you-I see what you're doing!You can visit the police office but anyone can't help you.
If you try to cheat me , I'll see it immediately!
I don't live in your country. So anyone can not track my location even for 9 months.Goodbye for now. Don't forget about the disgrace and to ignore, Your life can be destroyed."
It's straightforward blackmail - a crime in New Zealand and elsewhere - but the perpetrators are of course lurking in the shadows, hoping to fleece their more naive and vulnerable victims then cash-out anonymously via Bitcoin. Identifying them is hard enough in the first place without the added burden of having to gather sufficient forensic evidence to build a case, then persuade the authorities to prosecute.

So instead I'm fighting back through awareness. If you receive vacuous threats of this nature, simply laugh at their ineptitude and bin them. Go ahead, bin them all. Train your spam filters to bin them automatically. Bin them without hesitation or concern. 

Then, please help me pass the word about these ridiculous scams. Let your friends and family (especially the most vulnerable) know. Share this blog with your classmates and work colleagues. Send journalists and reporters the URL. Hold a bin-the-blackmail party. 

By all means call your national CERT or the authorities if that makes you feel better. Just don't expect much in the way of a response beyond "We're inundated! Sorry, this is not a priority. We simply don't have the resources."

If enough of us call their bluff, these pathetic social engineering attacks will not earn enough to offset the scammers' risks of being caught ... and who knows, we might just draw some of them into the open in the process. Let's find out just how confident they are of their security, their untraceability and invincibility. 

Recite after me: "Go ahead, make my day ..."

Monday 19 November 2018

Implementing a security awareness strategy

A strategic goal to become the person, team, function or department to whom people turn for advice on information risk, security and related matters is laudable, but what does that actually mean in fact? What would you need to do to achieve it? What would it require to put it into effect? How would you know whether it was working?

Thinking through the implications and questions of that nature will suggest a number of avenues to work on, for instance:
  • Becoming known as a source of advice means people need your contact details, the means to get in touch. Furthermore, the advisory services you offer need to be sound and strong, beneficial both to the business and to the individuals seeking advice. This implies the need to publicize and promote your activities, perhaps through an internal marketing campaign;
  • Some people may be reluctant to approach you, for various rational and irrational reasons: figure those out and tackle them one-by-one, as best you can. An open-door policy is just one of many possibilities here. To what extent do people trust and value your services?
  • Aside from the services themselves, the manner in which your services are delivered is another factor. What can you do to make it easier, more productive/effective and generally better for your clients? How might you exceed their expectations? Service quality assurance may be something worth some effort.
  • Success breeds success, so how about using successful interactions and assignments as tasters of what you offer?  Even better, can you turn clients into advocates, helping to convince others to come to you?
  • There are lots of ways of measuring your awareness and training activities, loads of possible metrics. Inquiries, responses, assignments and engagements, client perceptions and satisfaction can all be measured. Rather than attempt to measure everything, home in on the aspects that matter most and/or the metrics that give you the most useful information, the most insight ... and if appropriate use these metrics along with client feedback as part of your promotional activities, as well as using them to drive out success.
[This is just one of a bunch of awareness tips in the train-the-trainer guide for our next awareness module. Each month we suggest a handful of creative activities, some relating to the awareness topic at hand and others more general in nature. As we approach our 200th module, perhaps I ought to sift through the entire Back Catalog, collating and structuring the tips into a collection of some sort - maybe even another book ...]

Saturday 17 November 2018

All quiet? TOO quiet?

Don’t just hoard your feedback and metrics: use them! Squeeze every last drop of value from them!

It is all too easy to down-play or dismiss comments and especially criticisms about the awareness program. Resist your natural defensive tendencies. Collate and take another, dispassionate look at your awareness metrics and the feedback you have received in recent months concerning information security and/or the awareness and training program. Try to identify common threads or themes that might have escaped your attention previously, or that seem to crop up repeatedly.

This kind of review is best conducted as a team exercise, better still if you persuade some of your most vocal/persistent critics to get actively involved (invite them to your review meetings, give them the floor and listen hard to what they have to say!). SWOT analysis and brainstorming techniques can help tease out genuine concerns and novel ways to tackle them. For example, if your budget is a serious constraint on the awareness program, there may be free/cheap alternatives and more efficient and effective ways of using whatever you have. 

Metrics and verbatim comments from your audience demonstrating demand for and appreciation of your awareness and training activities should make your status reports more positive and budget requests more compelling.

If you aren't getting much in the way of feedback, don’t sit on your laurels.  Perhaps the awareness program is going extremely well but are you really doing enough to encourage feedback, or are people too lazy or too intimidated to respond? Consider commissioning an independent third party to conduct an anonymous survey on your behalf, or at least set aside a few minutes every day to call or visit people to find out what they truly think. Write yourself a basic script if it helps e.g. start by asking questions about current or recent awareness topics and activities/events.

Friday 16 November 2018

Trust awareness

Among other findings, PwC's "The Journey to Digital Trust" report picked up on inadequate attention to awareness and training:
"Many businesses could do more to raise employee awareness and accountability around cybersecurity and privacy. Only 34% of respondents say their company has an employee security awareness training program. Only 31% say their company requires employee training on privacy policy and practices."
Less than a third of companies require training on their privacy policies and procedures? Wow! The other two thirds presumably expect their people to 'just know' this stuff. Perhaps it gets into their heads through osmosis, Vulcan mind melds or magic crystals. Perhaps management is over-reliant on the general news media and public awareness activities, forgetting that we are all awash in a vast ocean of information. Picking out the Stuff That Matters is getting harder and harder by the second.

Is it any surprise, then, that privacy breaches and other information incidents occur so often? I suspect a good proportion of the organizations that do provide privacy awareness have suffered already - they've learnt the hard way, whereas the rest of us can and should learn from their mistakes.

It's hardly rocket surgery: if workers are expected to do stuff and not do other stuff in order to secure information, maintain privacy and satisfy all the other requirements to minimize information risks and meet compliance obligations, surely they need to know what's expected of them. Just as kids need to be told and shown, repeatedly, what's right and what's wrong, adults need instruction and guidance in this area.

PwC offers the following 'Actionable advice for business leaders':
  • "Prioritize raising workforce awareness about cybersecurity and privacy to support business objectives. Use messaging that avoids invoking security fatigue and is memorable enough to influence behavior when busy employees later face phishing schemes and other sophisticated threats.
  • Establish corporate policies governing access to IT assets and data. Enforce the policies at all levels of the company to drive accountability for cybersecurity and privacy."
Well said, PwC! I agree with emphasizing business objectives, although they might also have mentioned personal, team and social objectives: information security and privacy are not just important for our organizations. Protecting the interests of customers, for instance, by adequately protecting their personal information is not purely a strict business matter. Influencing employee behavior is an important goal ... and I might add that influencing decisions (especially management decisions made by business leaders) is one of the most powerful changes that an effective awareness and training program can achieve.

PwC's mention of policies and accountability smacks of the compliance-driven culture which is particularly strong in America and increasing elsewhere in the world - GDPR being a topical example. Noncompliance with the privacy regulations can seriously damage the bottom line and be career-limiting for those held to account for their failures, including management's bad decisions I just mentioned. It's a governance matter. Duck and cover is not a viable response.

Wednesday 14 November 2018

Lack of control =/= vulnerability

A common misunderstanding among infosec professionals is that vulnerabilities include the lack or inadequacy of various infosec controls e.g. 'the lack of security awareness training'.

No     No!    NO!

Vulnerabilities are the inherent weaknesses that may be exposed and exploited by the threats, leading to impacts.

In the lack-of-awareness example, people's naïveté and ignorance are inherent human weaknesses that may be exposed in various situations (e.g. when someone receives a phishing email) and exploited by threats (being the phishers in this case i.e. fraudsters using social engineering techniques to mislead or misdirect victims into clicking dubious links etc.) leading to various impacts (malware infection, identity fraud, blackmail or whatever), hence risk. Naïveté and ignorance are vulnerabilities. There are others too, including human tendencies such as greed and situations that distract us from important points, such as security warnings from our email and browser software, or that little voice in our head whispering "Too good to be true!".

Vulnerabilities are independent of (exist with or without) the controls. Sure, well-designed and implemented controls mostly reduce vulnerabilities but the lack of a control is not itself a vulnerability. It's a lack of control, something fundamentally and conceptually quite different. 

Effective infosec awareness and training compensate for and reduce the naivete and ignorance, in part, and give people the skills and motivation to spot and deal appropriately with threats to information, such as phishing. The control is imperfect, though - we know that - hence the risk is not totally eliminated, merely reduced ('mitigated' in the lingo). The limitations are two-fold: (1) those inherent issues run deep, and (2) the threats are constantly morphing.

I've blogged about this before and was reminded of it yet again today when checking out some 'infosec threat catalogs' on the Web. There are some potentially useful generic infosec threat lists out there but most also list non-vulnerabilities such as lack of awareness, catching my beady eye and distracting me. Those hijack my attention and wind me up, to the point that I refuse to recommend the associated threat catalogs even if those bits are sound. I won't propagate the misconception that lack of control is vulnerability.

Yes, I'm vulnerable too. I'm human. Allegedly. My button is hot.

To complicate matters further, controls can contain or be associated with vulnerabilities. Controls sometimes fail to work as designed. They break or are broken, get bypassed, misconfigured or turned off, or are simply overwhelmed - a genuine concern for phishing given the sheer number and growing variety of attacks. Nevertheless, I maintain that control weaknesses are not vulnerabilities. They are conceptually distinct.

Weak or missing controls result from inherent weaknesses or flaws in our information security practices, which are vulnerabilities. Misunderstanding "vulnerability" is both a vulnerability and a threat, at which point I'm going to leave this top a-spinning as I stagger back to my morning coffee.

Tuesday 13 November 2018

What to ask in a security gap assessment (reprise)

Today on the ISO27k Forum, a newly-appointed Information Security Officer asked us for "a suitable set of questions ... to conduct security reviews internally to departments".

I pointed him at my blog piece on "What to ask in a gap assessment" ... and made the point that if I were him, I wouldn't actually start with ISO/IEC 27002's security controls as he implied. I'd start two steps back from there:
  1. One step back from the information security controls are the information risks. The controls help address the risks by avoiding, reducing or limiting the number and severity of incidents affecting or involving information: but what information needs to be protected, and against what kinds of incident? Without knowing that, I don't see how you can decide which controls are or are not appropriate, nor evaluate the controls in place.

  2. Two steps back takes us to the organizational or business context for information and the associated risks. Contrast, say, a commercial airline company against a government department: some of their information is used for similar purposes (i.e. general business administration and employee comms) but some is quite different (e.g. the airline is heavily reliant on customer and engineering information that few government departments would use if at all). Risks and controls for the latter would obviously differ ... but less obviously there are probably differences even in the former - different business priorities and concerns, different vulnerabilities and threats. The risks, and hence the controls needed, depend on the situation.
I recommend several parallel activities for a new info sec pro, ISO, ISM or CISO – a stack of homework to get started:

  • First, I find it helps to start any new role deliberately and consciously “on receive”, i.e. actively listening for the first few weeks at least, making contacts with your colleagues and sources and finding out what matters to them. Try not to comment or criticize or commit to anything much at this stage, although that makes it an interesting challenge to get people to open up! Keep rough notes as things fall into place. Mind-mapping may help here.

  • Explore the information risks of most obvious concern to your business. Examples:
    • A manufacturing company typically cares most about its manufacturing/factory production processes, systems and data, plus its critical supplies and customers;
    • A services company typically cares most about customer service, plus privacy;
    • A government department typically cares most about ‘not embarrassing the minister’ i.e. compliance with laws, regs and internal policies & procedures;
    • A healthcare company typically cares most about privacy, integrity and availability of patient/client data;
    • Any company cares about strategy, finance, internal comms, HR, supply chains and so on – general business information – as well as compliance with laws, regs and contracts imposed on it - but which ones, specifically, and to what extent?;
    • Any [sensible!] company in a highly competitive field of business cares intensely about protecting its business information from competitors, and most commercial organizations actively gather, assess and exploit information on or from competitors, suppliers, partners and customers, plus industry regulators, owners and authorities;
    • Not-for-profit organizations care about their core missions, of course, plus finances and people and more (they are business-like, albeit often run on a shoestring);
    • A mature organization is likely to have structured and stable processes and systems (which may or may not be secure!) whereas a new greenfield or immature organization is likely to be more fluid, less regimented (and probably insecure!);

  • Keep an eye out for improvement opportunities - a polite way of saying there are information risks of concern, plus ways to increase efficiency and effectiveness – but don’t just assume that you need to fix all the security issues instantly: it’s more a matter of first figuring out you and your organization’s priorities. Being information risk-aligned suits the structured ISO27k approach. It doesn’t hurt to mention them to the relevant people and chat about them, but be clear that you are ‘just exploring options’ not ‘making plans’ at this stage: watch their reactions and body language closely and think on;

  • Consider the broader historical and organizational context, as well as the specifics. For instance:
    • How did things end up the way they are today? What most influenced or determined things? Are there any stand-out issues or incidents, or current and future challenges, that come up often and resonate with people?
    • Where are things headed? Is there an appetite to ‘sort this mess out’ or conversely a reluctance or intense fear of doing anything that might rock the boat? Are there particular drivers or imperatives or opportunities, such as business changes or compliance obligations? Are there any ongoing initiatives that do, could or should have an infosec element to them?
    • Is the organization generally resilient and strong, or fragile and weak? Look for examples of each, comparing and contrasting. A SWOT or PEST analysis generally works for me. This has a bearing on the safe or reckless acceptance of information and other risks;
    • Is information risk and security an alien concept, something best left to the grunts deep within IT, or a broad business issue? Is it an imposed imperative or a business opportunity, a budget black hole (cost centre) or an investment (profit centre)? Does it support and enable the business, or constrain and prevent it?
    • Notice the power and status of managers, departments and functions. Who are the movers and shakers? Who are the blockers and naysayers? Who are the best-connected, the most influential, the bright stars? Who is getting stuff done, and who isn’t? Why is that?
    • How would you characterize and describe the corporate culture? What are its features, its high and low points? What elements or aspects of that might you exploit to further your objectives? What needs to change, and why? (How will come later!)

  • Dig out and study any available risk, security and audit reports, metrics, reviews, consultancy engagements, post-incident reports, strategies, plans (departmental and projects/initiatives), budget requests, project outlines, corporate and departmental mission statements etc. There are lots of data here and plenty of clues that you should find useful in building up a picture of What Needs To Be Done. Competent business continuity planning, for example, is also business-risk-aligned, hence you can’t go far wrong by emphasizing information risks to the identified critical business activities. At the very least, obtaining and discussing the documentation is an excellent excuse to work your way systematically around the business, meeting knowledgeable and influential people, learning and absorbing info like a dry sponge.

  • Build your team. It may seem like you’re a team of 1 but most organizations have other professionals or people with an interest in information risk and security etc. What about IT, HR, legal/compliance, sales & marketing, production/operations, research & development etc.? Risk Management, Business Continuity Management, Privacy and IT Audit pro’s generally share many of your/our objectives, at least there is substantial overlap (they have other priorities too). Look out for opportunities to help each other (give and take). Watch out also for things, people, departments, phrases or whatever to avoid, at least for now.

  • Meanwhile, depending partly on your background, it may help to read up on the ISO27k and other infosec standards plus your corporate strategies, policies, procedures etc., not just infosec. Consider attending an ISO27k lead implementer and/or lead auditor training course, CISM or similar.  There’s also the ISO27k FAQ, ISO27k Toolkit and other info from ISO27001security.com, plus the ISO27k Forum archive (worth searching for guidance on specific issues, or browsing for general advice).  If you are to become the organization’s centre of excellence for information risk and security matters, it’s important that you are well connected externally, a knowledgeable expert in the field. ISSA, InfraGard, ISACA and other such bodies, plus infosec seminars, conferences and social media groups are all potentially useful resources, or a massive waste of time: your call. 
Yes, I know, I know, that’s a ton of work, and I appreciate that it’s not quite what was asked for i.e. questions to ask departments about their infosec controls. My suggestion, though, is to tackle this at a different level: the security controls in place today are less important than the security controls that the organization needs now and tomorrow. Understanding the information risks is key to figuring out the latter.

As a relative newcomer, doing your homework and building the bigger picture will give you an interesting and potentially valuable insight into the organization, not just on the information risk and security stuff … which helps when it comes to proposing and discussing strategies, projects, changes, budgets etc. How you go about doing that is just as important as what it is that you are proposing to do. In some organizations, significant changes happen only by verbal discussion and consensus among a core/clique (possibly just one all-powerful person), whereas in others nothing gets done without the proper paperwork, in triplicate, signed by all the right people in the correct colours of ink! The nature, significance and rapidity of change all vary, as do the mechanisms or methods.

So, in summary, there's rather more to do than assess the security controls against 27002. 



PS  For the more cynical among us, there’s always the classic three envelope approach.

Wednesday 7 November 2018

Risk awareness (more)

The controls suggested in Annex A of 27001 and the other ISO27k standards are typical, commonplace, conventional, good practice … whatever. Mature organizations often use them and find them useful. They have evolved over decades of experience with IT and millennia of experience with the use of information in a business context, and they are still evolving today. Cloud, BYOD and IoT, for example, are all relatively new, hence the associated risks are still emerging and the controls are a work in progress. Fraud, espionage and hacking are always going to remain challenging because of the ongoing arms-race between defenders and attackers: as fast as the controls are improved, the threats change.

The published ISO27k standards present a fraction of the accumulated knowledge of hundreds/thousands of ISO/IEC JTC 1/SC 27 committee members and helpers around the world with experience in myriad organizations and situations. Most committee members accept the advice is valid, useful and worthwhile, on the whole. The standards development process reaches consensus among the committee, or as close as we can get with the occasional stalemate, truce, abstention or objection!

The standards are generic – deliberately so since they are meant to be applicable to any and all organizations. They need to be interpreted and applied sensibly according to the specific context of each organization. Key to doing that in the ISO27k way is first for the organization to figure out its information risks, consider and evaluate them, then use the advice in the standards (and/or elsewhere) as guidance on how those risks might be treated.

Sounds straightforward in theory ... but in practice? 

Any individual organization, manager, or information risk and security professional, may not have experienced all the issues that led to the controls being included in the standards - in other words, some of the information risks have not eventuated for them. Some may have occurred but not been recognized as such (e.g. the risk of losing valuable intellectual property when knowledge workers leave the organization may not be apparent, at least not for some time). Therefore, those risks may not feature at all on their risk landscape, or may be downplayed and perhaps lost among the weeds.

Hopefully, though, the exercise of reviewing the controls outlined in the standards leads to the corresponding risks being considered, although this is far from guaranteed, especially if those using the standards are inexperienced in the field. I would prefer the ISO27k standards themselves to be risk-driven in the same way as the ISO27k approach, explaining what information risks are addressed by the standards and, ideally, each of the controls within.

Failing that, we routinely document the information risks associated with each of the security awareness topics in our portfolio for the same reason: helping our customers' awareness audiences understand the purposes or objectives of the suggested controls in each area.

At the moment, the risks are integrated and discussed within various SecAware awareness materials - the presentations, briefings, newsletters etc. Maybe for 2019 we might produce a discrete deliverable for each module specifically on the risks. Hmmmm. That's a thought. I can already picture the format. Drafting the first 'Information risk profile' (or whatever we call it) will be the chance to generate a template to stabilize the format.

That's another thing for my lengthy to-do list. Talking of which, must dash ...

Monday 5 November 2018

End of year awareness and training review

As we plunge towards the end of another year, now is an opportunity to take a long hard look at your awareness and training program as a whole, thinking forward to next year and beyond. Here are some rhetorical questions to bear in mind:
  • Is the program pitched appropriately? 
  • Is your awareness and training approach polished in appearance? Does it look good? 
  • Is it professional? Is the branding and presentation up to scratch? 
  • Is it attracting sufficient interest and engagement? 
  • Is it reaching all the right people across the organization?
What about the delivery mechanisms and awareness activities: are you making good use of the available corporate communications and training facilities? Consider your Learning Management System, intranet, notice boards, seminar and training rooms, email circulations, newsletters, company magazines, courses, briefing sessions, lunchtime updates, security clubs and so on. By all means focus on the methods that achieve the most benefit for the least effort, but don't completely discount the others including novel approaches. Look around for additional opportunities. Remember, you have a diverse audience with differing personalities and preferences. A diverse comms approach takes more effort but increases the reach.

How well is your security awareness and training program working out, in fact? Is it well-respected and popular with punters? Is it adequately funded and proactively supported by management? 

Critically review relevant metrics such as awareness test results and attendance figures, and study evaluation feedback comments to see things from the perspectives of the awareness and training participants. Look at training records and skills profiles. Run an impromptu survey if you need more data.

As your experience and maturity grows, you will undoubtedly find ways to tweak and refine your awareness and training program, possibly making substantial improvements. Talk to colleagues in HR, Health and Safety, Risk etc. about how their awareness and training programs and activities are doing. Share good ideas and novel approaches. Collaborate and work as a team to address common issues and collectively raise your game.

What about the awareness and training program management and governance arrangements: are there rough edges that need attention? Can the metrics and reporting be improved to deliver better value and efficiency (better outputs from less work!)? Do you have sufficient resources - not just budget but people, skills, sources, systems and so on? If you could wave a magic wand, what would you most like to do with additional resources?

Use all of this to review/update your strategy and plan your awareness and training program for 2019. Make notes on what you intend to:
  • Keep: outline the most effective bits, the approaches, activities etc. that are working well and delivering real business value.
  • Drop: the low-value, outdated stuff that no longer earns its keep, is unpopular and frankly not worth the effort any more.
  • Change: the things that need revision. Clarify the need or justification for change, elaborate on the anticipated improvements and (for the plan) at least outline how the changes are to be made.
  • New: innovation helps keep the awareness and training program topical, engaging and relevant. As well as updating the content, updating the delivery mechanisms etc. can breathe new life into it.

Regarding innovation, for example, millennials just joining the payroll are likely to be more familiar with mobile devices and social media than the average worker, and being new they are obvious targets for awareness and training ... so ... how can you exploit their interests and technological mastery?  

We, too, are enthusiastically reviewing our services in preparation for the new year. No matter how good we are, we can always do better. That hunger for quality improvement is part of our passion for security awareness and training. We can't help it. We love this stuff!

Thursday 1 November 2018

Cloud computing security awareness module released

Cloud computing is a strong and still growing part of the IT industry. It’s a hit!
However, the relative novelty of cloud computing puts inexperienced or naive managers, staff and professionals at something of a disadvantage: lacking appreciation of the technology and the commercial/business context, the information risks and especially the security and other cloud-related controls aren’t exactly obvious.
Information security (in the broadest sense – not just IT or cybersecurity) is a major concern with cloud computing, a source of aggravation and costs for the unaware. The organization's professionals/specialists in areas such as IT, risk, compliance and business continuity should have a deeper understanding of the pros and cons of clouds, but have you ever wondered how that level of knowledge is achieved?
Simply put, securing the anticipated business benefits of cloud computing involves addressing the information risks that are associated with it.  If the risks are simply ignored, the benefits may be reduced or destroyed by costly security incidents. 

Learning objectives

We have thoroughly updated/rewritten the awareness materials originally delivered back in 2014 - eons ago in Internet time! So what has changed since then? 
Peer through the fog to learn how to avoid the pitfalls and secure the business benefits of cloud computing, with us.  Our latest awareness module:
  • Introduces and outlines cloud computing, providing general context and background information (e.g. explaining why so many organizations are eagerly adopting it) with as little techno-babble as we can get away with;
  • Informs workers in general about the information risk and security issues and concerns relating to or arising from cloud computing (e.g. the organization’s partial loss of control over its information), plus the business benefits (e.g. reduced costs, greater resilience and flexibility, plus access to cloud specialists). We’re promoting a balanced view;
  • Encourages those considering, specifying, evaluating, contracting for, using or managing cloud computing to identify, analyze and address the information risks, typically through appropriate controls that secure the business benefits as much as the data;
  • Promotes information risk and security management as a business enabler, without which cloud computing would be unacceptably risky.
Review your organization’s use of cloud computing - the apps, dependent business processes, strategies, policies and incidents. Are there any cloud-related risks on the corporate radar? How well are they understood and treated? What’s missing? What stands out? Talk to the relevant experts about it. Flush any issues and ideas into the open, incorporating them where appropriate into your awareness delivery.