Friday 28 July 2023

Using security enquiries by customers as a security metric

On CISSPforum, Walt Williams suggested a novel security metric:
"If your organization has customers that ask you to complete questionnaires before engagement, track those against logos added or, better, revenue brought in. You're now tracking your return on investment and a key risk: if your security is not good enough, those are the businesses you lose. Do the same with each customer that asks for your ISO certification or SOC 2 report.

You have an excellent metric that allows you to track that return on investment and shows security as a revenue generating part of the organization.

My organization’s last quarter internal company meeting had the Senior Revenue officer publicly acknowledge and thank InfoSec for our role in landing their biggest customer.

It doesn’t get much better than that."
So, inspired by Walt's intriguing idea, I prepared a conventional metric specification using a combination of the Goal-Question-Metric approach (as ably described by Lance Hayden - a method as useful in information security as in other fields) followed by a PRAGMATIC evaluation (as ineptly described by yours truly plus Krag Brotby - a subjective assessment of the value of the metric in the presumed context of a mid-to-large commercial organisation):
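As an added illustration of the data behind Walt's metric (this is my sketch for this page, not part of his post and not the metric specification referred to above), the following Python tracks each sales opportunity with two flags, whether the prospect sent a security questionnaire and whether it asked for the ISO/IEC 27001 certificate or SOC 2 report, and then computes the win rate and revenue share of those 'security-gated' deals against the rest. The Deal fields, the customer names and the figures are constructed assumptions.

```python
"""Track pre-sales security enquiries against deals won and revenue.

Added example: the Deal fields and SAMPLE_DEALS are constructed assumptions,
not data from the original post or from any real organisation.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Deal:
    customer: str
    questionnaire: bool       # prospect sent a security questionnaire before engagement
    assurance_request: bool   # prospect asked for the ISO/IEC 27001 cert or SOC 2 report
    won: bool
    annual_revenue: float     # contracted annual revenue; 0.0 if the deal was lost

    @property
    def security_gated(self) -> bool:
        """True when security assurance was a visible condition of the sale."""
        return self.questionnaire or self.assurance_request


# Constructed sample pipeline (hypothetical customers and figures).
SAMPLE_DEALS: List[Deal] = [
    Deal("Acme Logistics",  True,  True,  True,  420_000.0),
    Deal("Borealis Health", True,  False, False,       0.0),
    Deal("Cobalt Retail",   False, False, True,   60_000.0),
    Deal("Delta Fintech",   False, True,  True,  250_000.0),
    Deal("Epsilon Media",   False, False, False,       0.0),
    Deal("Foxglove Pharma", True,  True,  True,  310_000.0),
    Deal("Granite Mfg",     False, False, True,   45_000.0),
    Deal("Harbour Legal",   True,  False, False,       0.0),
]


def _rate(numerator: float, denominator: float) -> float:
    """Ratio that returns 0.0 instead of dividing by zero on an empty group."""
    return numerator / denominator if denominator else 0.0


def questionnaire_metric(deals: Iterable[Deal]) -> Dict[str, float]:
    """Compare security-gated deals with the rest of the pipeline.

    gated_lost is the count Walt points at: prospects that asked about security
    and then walked away, i.e. the business potentially lost to weak assurance.
    """
    deals = list(deals)
    gated = [d for d in deals if d.security_gated]
    ungated = [d for d in deals if not d.security_gated]
    gated_won = [d for d in gated if d.won]
    ungated_won = [d for d in ungated if d.won]
    gated_revenue = sum(d.annual_revenue for d in gated_won)
    total_revenue = sum(d.annual_revenue for d in deals if d.won)
    return {
        "gated_deals": len(gated),
        "gated_won": len(gated_won),
        "gated_lost": len(gated) - len(gated_won),
        "gated_win_rate": _rate(len(gated_won), len(gated)),
        "ungated_win_rate": _rate(len(ungated_won), len(ungated)),
        "gated_revenue": gated_revenue,
        "gated_revenue_share": _rate(gated_revenue, total_revenue),
    }


def report(deals: Iterable[Deal]) -> str:
    """Human-readable summary suitable for a quarterly security metrics pack."""
    m = questionnaire_metric(deals)
    return (
        f"Security-gated deals: {m['gated_deals']} "
        f"(won {m['gated_won']}, lost {m['gated_lost']}, "
        f"win rate {m['gated_win_rate']:.0%} vs {m['ungated_win_rate']:.0%} for the rest)\n"
        f"Revenue from security-gated deals: {m['gated_revenue']:,.0f} "
        f"({m['gated_revenue_share']:.0%} of all revenue won)"
    )


if __name__ == "__main__":
    print(report(SAMPLE_DEALS))
```

The two numbers worth watching over successive quarters are gated_revenue_share (how much of the business depends on passing security scrutiny) and gated_lost (how many scrutinised prospects did not sign); the second needs a reason code from the sales team before it can be attributed to security rather than price or timing, which is the caveat any PRAGMATIC-style evaluation of the metric should record.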

Thursday 27 July 2023

Hyper-glossary nearing completion (?)

My next book will be a 'hyper-glossary' of terms relating to information security, including closely related aspects such as information risk management, governance, compliance ... and more ... and there's the rub: I'm struggling to catch up/keep up with developments in the field, not least because of the rate at which novel concepts are introduced and new terms are coined.

Here's an example of a definition originally added a couple of years ago and most recently amended today:

There I've defined "Deep fake", one of several terms washed up in the AI tsunami. The underlined terms are hyperlinked to their definitions ... and so on forming an extensive web within the document.

Monday 17 July 2023

The biology of bias

'Bias' is generally considered a negative human trait with both practical and ethical implications. Paradoxically, however, that negativism can itself be considered a form of bias. Bias can - sometimes - be positive, beneficial, even necessary, and is to some extent an inevitable consequence of our biology.

In Darwinian terms, 'cognitive bias' comprises a fairly diverse set of behavioural traits that have evolved over the millennia, such as:

  • Confirmation bias: a tendency to seek out and place greater emphasis on information that appears to confirm what we already believe, while avoiding, ignoring or downplaying contradictory information;

  • Anchoring bias: initial information (no matter how accurate) provides a basis for comparing and evaluating further information;

  • Observation bias: the mere fact that something is being observed, investigated, discussed, measured, focused-on etc. increases its apparent importance or value;

  • Balance bias: humans are curiously obsessed with achieving balance, equilibrium, parity, fairness, moderation, neutrality, centrism etc. in all manner of situations, despite 'balance' generally being a costly, fragile, often temporary and potentially risky state. In other words, imbalance (a.k.a. bias) is natural whereas balance is unnatural and takes effort, yet for some strange reason we seek, strive for and value it anyway.

The fact that these traits persist today strongly suggests that they confer evolutionary advantages. Biases evidently have their biological utility and value, helping biased individuals survive, prosper and procreate somewhat more efficiently than the unbiased.

I repeat, bias (imbalance) is natural.

Pro services under attack

Among all the other bad news in the excellent Cy-Xplorer 2023 report from Orange Cyberdefense, this nugget of threat intelligence poked me in the eye:

I've become increasingly concerned about the information risks relating to professional services in recent years. They seem obvious targets for malicious cyber attacks, given:

Sunday 16 July 2023

Internet security guidance

The second edition of ISO/IEC 27032 "Cybersecurity - Guidelines for Internet security" has just been published.

The introduction to the new edition commences:

"The focus of this document is to address Internet security issues and provide guidance for addressing common Internet security threats, such as:
— social engineering attacks;
— zero-day attacks;
— privacy attacks;
— hacking; and
— the proliferation of malicious software (malware), spyware and other potentially unwanted software."

Notice the standard is focused on "Internet security issues" which, in practice, means it covers active attacks perpetrated via the Internet. However:

Wednesday 12 July 2023

A pragmatic alternative to the SuperCISO [L O N G]

Yet again this morning, something on the ISO27k Forum caught my imagination, firing up my sleepy caffeine-deprived neurons. We have been chatting lately about what is expected of the Chief Information Security Officer role, namely the exceptional mixture of knowledge, skills and competences possessed by the 'SuperCISO'.

Today, Nigel Landman referred us to an interesting article by JC Gaillard at Medium.com 

JC's repeated assertions that 'cybersecurity is not purely technical' caught my beady eye: the 'cyber' bit clearly suggests that it is 100% purely tech ... but those of us who have swallowed the ISO27k pill recognise that information security requires more than just securing the bits-n-bytes. This is yet another example of the confusing use of language - specifically 'cyber'. Many professionals immersed in the field take 'cyber' implicitly to include technology plus other aspects but the general perception Out There is very strongly and perhaps exclusively technical. 

For the majority, cybersecurity equates to IT security or, more specifically still, it refers to hacker attacks and malware infections via the Internet. For that reason, the recently revised and reissued standard ISO/IEC 27032, formerly on 'cybersecurity', was re-titled to clarify that it covers Internet security specifically: an important part of the information security landscape and of the cyber area, but not the whole thing. It falls short on intellectual property protection, for instance, plus insider threats and plain ol' fashioned accidents, which cause a significant number of incidents despite not being 'attacks'.

[/rant]

As to whether we need CISOs at Exec Committee or Board level, I agree with JC.

Wednesday 5 July 2023

What do auditors do, and for whom? [L O N G]

Once again, my day kicked off with a stimulating and fruitful debate on the ISO27k Forum as members responded to a request for help to find accredited Information Security Management System certification auditors who will add value to the organisation above and beyond the ISO/IEC 27001 conformity certificate.

The original poster copped some grief from the forum for appearing to seek certification auditors who would be kind to the organisation, supporting its business objectives more strongly than its conformity with the standard ... but a follow-up message clarified the position. Aris confirmed to us that he sought:
"advice on where (in cases of an ISO audit) and how (in cases of an Internal audit) our ISMS could/should be improved, but I need that advice to be meaningful, grounded, and delivered in a way that has the best probability it will be absorbed by the business. In other words, I would like this process to offer real value to the business, besides just being seen as a transactional, bureaucratic overhead."

... which seems entirely appropriate and ethical to me. Nicely put!

Fuelled by two strong coffees, I've been mulling over a further response from my pal Chris Hall - an experienced and respected auditor and consultant who expressed the opinion that the role of a certification auditor is:

"... simply to assess whether the organisation conforms to the requirements of clauses 4 to 10 of ISO27001. That is all. And to report on it, pointing out where the ISMS does not conform ..."

I see things a little differently and (as usual!) more complex/nuanced in practice than Chris indicates.