What Does the ALS Ice Bucket Challenge Say About Us?

If you have not heard about the ALS (Amyotrophic Lateral Sclerosis) Ice Bucket Challenge (#IceBucketChallenge), you are not reading this blog, because you clearly have no phone, no computer, and no friends. It’s a viral sensation that has seen the contributions for ALS charities rise by over 1000% over last year’s numbers. And growing.

Before I begin, know that I am VERY much in favour of this, have done it myself (dedicated to a friend of mine who has ALS), and hope it continues until such times as ALS charities have enough money to finally buy a cure.

Now the downside, and the unfortunate point of this blog: the giving will not continue much longer, because the only thing faster than a viral topic is its relegation into permanent obscurity.

This will not cause a fundamental shift in either our individual attitude towards charitable giving, or how charities do their fund-raising. This worked once, now it’s done, and ALS were the lucky recipients. It could have easily been Children With Cancer, or pretty much any other charity, because it’s not the disease that caught our attention, it was everyone else’s attention to the challenge that caught our attention.

But why?

Why does it take something like this to get us to give in the first place? I say US, because I absolutely include myself. I am one of the majority walking right by people holding charity buckets looking to help causes that I cannot be bothered to read. Headphones in, eyes down, my destination and my own problems effectively crowding out any thought of those less fortunate.

Does this make me a bad person? No, it makes me average, yet if you don’t do the Ice Bucket Challenge you are treated as a social leper. Our hypocrisy knows no bounds, it seems.

Yes, this is a cynical view, and I have absolutely no desire to dampen anyone’s enthusiasm, but I think it’s time for a little perspective before the true, more permanent advantage, is lost. However unattractive and un-charitable that advantage may seem, only the results count.

The truth is, unfortunately, an equally cynical proposition: that empathy is in short supply in the average human genome, but fear of being ostracised is not, nor is the need to avoid the feeling of guilt. This is why the ALS Ice Bucket Challenge went viral, and this is where most charities go wrong; they are simply not cynical, or smart, enough to manipulate either the right emotional drivers (which are seldom even approaching altruistic), or social media.

Perhaps this is the wake-up call to realise that it’s really not about awareness of the disease itself, it’s about getting contributions. This is not only perfectly OK, but far more honest, and much like a homeless person’s sign “Will work for alcohol.”, when it comes to charitable giving, the end often justifies the means.

Think I’m being TOO cynical? Go and ask 10 people who have done the ALS challenge, what ALS is the acronym for, and I will be willing to bet at least half of them will not know. Ask again in a month and even fewer will.

But that’s OK too, as long as they gave, AND got 3 others to give, when prior to the challenge they had probably never heard of ALS (or its regional equivalents). This was the true genius of the Ice Bucket Challenge, as ALS is no more deserving of either attention or money than a charity fighting children’s cancer. Just ask a friend of mine whose 5 year old daughter is fighting brain cancer where her priorities lie.

The fact is that most of us have a very limited capacity to focus on things that do not affect us directly, but when confronted in the right way, and hopefully with humour, we are ALL very generous. That we don’t give as much as we should the rest of the time does not make us bad people either, it just means those amazing individuals who have dedicated their lives to helping others need to make giving easier, and more in line with what makes US feel good. More fun preferably, but at the very least, more interesting.

That’s sad, but inescapably true, and it’s time we embrace it.

In the end, it does not matter where the money comes from. Ask anyone with ALS if they care whether or not the cure came from someone who cared or someone who didn’t give a damn. Only getting better matters.

So if you did the challenge, that’s great, but keep your condemnation against those who didn’t to yourselves, your single act of generosity gives you no right to judge, and they may have other obligations of which you have no concept.

And charities, wake up, people will give a lot more if properly motivated, and I am more than happy to be taken [along] for the ride.

PCI – Going Beyond the Standard: Part 20, Incident Response (IR)

First, you may be asking why this blog does not include Disaster Recovery (DR) and Business Continuity Management (BCM, which governs the entire IR / DR process). Because the PCI DSS section 12.10.x is almost entirely related to IR (with the exception of a VERY brief nod to DR / BCP, below in red), I will handle DR / BCP separately in the series (post 23 in fact).

“12.10.1 - Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:

    • Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
    • Specific incident response procedures
    • Business recovery and continuity procedures [This is the only requirement in the DSS that goes beyond the protection of CHD.]
    • Data backup processes
    • Analysis of legal requirements for reporting compromises
    • Coverage and responses of all critical system components
    • Reference or inclusion of incident response procedures from the payment brands.”

With regard to Incident Response, I put it this way: “What’s the point of being in business, if you don’t intend staying in business?”, and “Good incident response is what prevents a security event from becoming a business crippling disaster.”

It makes absolutely no sense to me that organisations who basically depend on IT for significant chunks of income (which is most of them), have very little idea how to stop bad things from happening in the first place, let alone fix things when they go wrong. Of course, no incident response is going to predict an earthquake at the datacenter, but the organisations I’ve seen don’t even perform log monitoring properly, let alone consider the impact of acts of nature.

What does the development of a good incident response plan start with? Yep, a good policy. From there you agree on an appropriate Risk Assessment / Business Impact Analysis process, which in turn provides you everything you need to not only determine if you have any control gaps (after a gap analysis), but – if you’ve done it properly – a good indication of what your incident response and disaster recovery plans should entail.

There is no appropriate IR without an understanding of the business goals. If you have a 4 hour Recovery Time Objective (RTO), your IR will be significantly more robust than one where you can take a week to be back online. Yes, I know that RTOs (and RPOs, Recovery Point Objectives, for that matter) are DR terms, but if your incident response cannot detect a business crippling event in good time, then neither of those DR goals is an option for you.

When setting up your IR program, the most important word to keep in mind is ‘baseline’. Without a baseline, you don’t have much of a concept of what constitutes an incident in the first place. Only a baseline can give you both context and relevance.

From your baselined system configuration standards (DSS 2.x), to AV (DSS 5.x), to logging (DSS 10.x), to scanning (DSS 11.1.x, and 11.2.x), to FIM (DSS 11.5.x), you have many available inputs into your IR program, none of which will be of the slightest help if you don’t know what they SHOULD look like.

That’s all IR is: a process whereby an exception to the norm is investigated, and appropriate action taken.
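To make the baseline idea concrete, here is an added example (not code from the original post) that takes three of the inputs named above, a configuration standard (DSS 2.x), log data (DSS 10.x) and file integrity hashes (DSS 11.5), compares each against its baseline, and reports only the exceptions. The baseline values, file contents, ports and log lines are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str    # which baselined input flagged it (DSS section per the post)
    subject: str
    detail: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: what each monitored input SHOULD look like.
BASELINE = {
    "fim": {  # DSS 11.5: integrity hashes of critical files
        "/etc/passwd": sha256_hex(b"root:x:0:0:root:/root:/bin/bash\n"),
        "/opt/pos/app.cfg": sha256_hex(b"tls_min=1.2\nlog=on\n"),
    },
    "config": {  # DSS 2.x: configuration standard for the host
        "ports": {22, 443}, "services": {"sshd", "nginx", "pos-agent"},
    },
    "logs": {"failed_logins_mean": 4.0, "failed_logins_stdev": 2.0},  # DSS 10.x
}


def check_fim(baseline, observed_files):
    """Hash current file contents; flag anything changed or missing."""
    found = []
    for path, expected in baseline["fim"].items():
        if path not in observed_files:
            found.append(Finding("DSS 11.5 FIM", path, "monitored file missing"))
        elif sha256_hex(observed_files[path]) != expected:
            found.append(Finding("DSS 11.5 FIM", path, "hash differs from baseline"))
    return found


def check_config(baseline, observed_config):
    """Anything listening or running that the standard does not list."""
    found = []
    for key in ("ports", "services"):
        for extra in sorted(observed_config[key] - baseline["config"][key]):
            found.append(Finding("DSS 2.x config", str(extra), f"{key[:-1]} not in standard"))
    return found


def check_logs(baseline, log_lines, sigma=3.0):
    """Count failed logins in the window; flag if beyond mean + sigma * stdev."""
    failed = sum("Failed password" in line for line in log_lines)
    limit = baseline["logs"]["failed_logins_mean"] + sigma * baseline["logs"]["failed_logins_stdev"]
    if failed > limit:
        return [Finding("DSS 10.x logging", "auth", f"{failed} failed logins, baseline limit {limit:g}")]
    return []


def find_exceptions(baseline, observed):
    """The input stage of IR: every baselined input compared against the norm."""
    return (check_fim(baseline, observed["files"])
            + check_config(baseline, observed["config"])
            + check_logs(baseline, observed["logs"]))


# Constructed observation: one altered file, one unapproved port, one login burst.
OBSERVED = {
    "files": {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nextra:x:0:0::/:/bin/sh\n",
              "/opt/pos/app.cfg": b"tls_min=1.2\nlog=on\n"},
    "config": {"ports": {22, 443, 8080}, "services": {"sshd", "nginx", "pos-agent"}},
    "logs": [f"pos01 sshd[77]: Failed password for admin from 10.0.0.{i}" for i in range(12)]
            + ["pos01 sshd[78]: Accepted password for ops from 10.0.0.2"],
}

if __name__ == "__main__":
    for f in find_exceptions(BASELINE, OBSERVED):
        print(f"[{f.source}] {f.subject}: {f.detail}")
```

Each Finding carries the input that raised it, which is what lets the response procedure decide who acts and how urgently rather than handing a pile of data to the forensics investigator.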

In each of my individual going-beyond-the-standard blogs related to the above DSS requirements, I have stressed the importance of baselining (well, except AV perhaps). The reason I did so was because they all lead up to this. I don’t care how well you have done ANY of the previous requirements, unless you can bring the outputs all together into a comprehensive process of taking action, all you have is a bunch of data to give to your forensics investigator.

You’ll notice though that I did not say a CENTRAL process, because while having a 24x7 Security Operations Centre to manage all of this would be ideal, it’s rarely practical, even if it involves an outsourced managed service provider (MSP). However, having the correct assignments and procedures to MANAGE the response is of utmost importance, and the details of this plan will vary considerably from company to company.

No, IR is not easy, but there is simply too much information and help out there for this difficulty to be any sort of excuse. And no, there is not much in this blog that actually provides guidance, but if this makes SENSE, then you have at least got enough to begin to ask the right questions.

What’s Next For The PCI Security Standards Council?

I don’t think anyone in the payments arena has any doubt that credit/debit cards, in their current form, will die over time in favour of mobile devices. It’s a natural next step to replace something ubiquitous with something even more ubiquitous.

So where does that leave the SSC, and the card schemes themselves for that matter?

You only have to look at Visa Europe’s website Visa Vision to see that they are moving towards mobile (and other innovations), and articles like The Revolution is Here, do not even mention EMV, and the only reference to plastic is in a future past-tense.

It also begs the question as to why the card schemes are pushing EMV when they themselves see an end to their reign-of-plastic. But the answer is obvious, the cost of fraud over the next 5 – 10 years far outweighs the cost of the transition. The US alone saw $7.1B in credit card fraud in 2013 (according to Business Insider), and I have estimated that the cost of EMV transition in the US is ‘only’ $12B (Why the US Will Not Adopt EMV (Chip & PIN), EMV in the US, a 12 BILLION Dollar Mistake).

So why am I so anti-EMV? Because there are technologies NOW that can replace it, are in more hands, and more widely distributed than cards ever were. Your mobile phones.

So back to my point; what WILL the cards brands and the SSC do once the plastic dies? Clearly the brands have an enormous leg-up on any new player in the cashless game, and have massive amounts of capital to invest in meeting every aspect of this disruptive innovation; research on innovation, testing proofs-of-concept, garnering adoption within the finance community, and of course, rolling it out to end users.

Mobile phone companies made a small play, and missed; banks could have done it, and didn’t; and large retail could have had a huge impact, and hasn’t. Probably because in these three cases – even banks – payments is not a core function. Being PAID is core, making the payment is not, so only the card schemes have payments as their entire reason-to-be, and therefore the most motivation.

OK, so if we assume that the card schemes are going to make a huge play in every cashless payment innovation from this point forward, where does that leave the SSC? Probably in exactly the same place, with only one change in title: from Payment Card Industry Security Standards Council, to Payment Industry Security Standards Council.

Regardless of the form of payment there HAS to be a security standard around the protection of the data. Not that the current standards are anywhere near adequate, even for cardholder data, but the SSC has significant experience adopting and implementing standards globally. From mobile apps, to software PINs, to identity management (for KYC, AML etc.) to crypto-currencies, everyone developing technologies must adhere to a minimum set of protective baselines.

So am I really proposing, after so many less-than-positive blogs related to the PCI DSS and the SSC, that they be a standards body for every form of payment globally? Well, no, I’m not, but I think that if they don’t TRY to be just that (with the card brands’ backing), there is nowhere else for them to go.

Despite my voluble criticisms of the card brands and the SSC alike, they ARE well placed to do good. I hope they take the opportunity now, because it won’t come again.

PCI – Going Beyond the Standard: Part 19, Security Awareness Training (SAT)

I really should give up being surprised when the most basic of information security fundamentals are performed poorly, but this one constantly amazes me. I guess it’s no different than a doctor being surprised at smokers, or the police surprised at repeat offenders, we can accept as common sense what others perceive as new concepts.

Education and Training is so important that I have listed it as one of The 4 Foundations of Security, along with Management Buy-In, Policies and Procedures, and Governance. The fact is that education is the best and cheapest way for an organisation to implement the desired organisational culture, and distribute the policies and procedures in a manner where they are actually understood and followed.

The intent of PCI DSS Requirement 12.6.x is to ensure all employees are trained in their security responsibilities as they relate to the protection of cardholder data. That’s it, just cardholder data, so you can obviously ignore every other form of sensitive data in your environment, right? What about your financial data, or intellectual property, or personal data? Unfortunately you cannot go above and beyond in PCI unless it relates to the protection of cardholder data, so with the exception of perhaps frequency of training, there’s not a lot you can do here.

That’s for PCI though, for your BUSINESS it’s a very different matter, and there is a lot you can do to add true benefit across the organisation. Not just in terms of security either.

The mistake most organisations make is the assumption that security education and training only refers to things like keeping your passwords secret, or not lending out your swipe cards. Yes, training includes these things, but it starts with a thorough coverage of all relevant policies and procedures. I say relevant, because you’re not – for example – going to train your sales team on the proper implementation of firewall configuration standards.

Training is not just some paperwork exercise during on-boarding, then an annual obligation thereafter, it’s the way you bring someone into your organisation and have them up to speed and productive in the fastest time possible. It’s also how you begin to instil the corporate culture (i.e. your policies), and how you ensure that they are performing their duties in-line with standard practices (i.e. your procedures).

Once they have the basics, you can move on to role specific training, and then, if you’re REALLY doing this properly, you will have the individual job specifications detailed to the point where anyone being on-boarded can step straight into the leaver’s shoes with barely a backwards step.

That’s really the whole point; security awareness training is NOT just a compliance obligation, it’s an integral part of your business continuity and knowledge management processes. It can be the difference between a constant reinvention of the wheel every time you have a mover or leaver, and uninterrupted growth. You may argue that this is more than just security awareness education and training, but I will counter that without proper knowledge, there IS no security.

While I agree that every time there is a staff change, the training itself should be reviewed and revamped as appropriate (preferably by the person bringing the new pair of eyes to it), NO-ONE who is just starting should have to work out anything for themselves on how to perform the function to which they have been assigned. At least to a minimum standard. Unless of course it’s a brand new role, in which case they will be responsible to develop and document everything necessary to replace themselves in time.

Too often this is seen as making yourself replaceable, but if you can’t be replaced, how can you move up, or even across?

To perform security awareness and training properly, follow these steps:

1. Like access control, the best way to begin developing a good training program is to properly define the requirements, first at a ‘corporate’ level (everyone), then at a more granular ‘role’ level (sales, systems admins, etc.), and finally at an ‘individual’ level.

2. Once this matrix is complete, combine this ‘paperwork’ into an online delivery mechanism which is a combination Document Management System (DMS) and distribution method. That’s really all online training software is; content management.

3. Run everyone through the program, regardless of tenure, and regardless of when they last took it. Track all ‘signatures’ (an online ‘I Accept’ will suffice).

4. Run training again at a minimum annually, but preferably every 6 months. A good balance is full course annually, and Top 10 Things to Remember at the 6 month mark.

5. Throughout the year, use this distribution method to announce major changes to policies and procedures, as well as ‘zero day’ threats (new phishing techniques for example), for significant changes to relevant compliance regulations or laws, and any ad hoc matter for which you require – for liability purposes – a written confirmation of acceptance.

6. Provide a robust feedback loop and standardised forms for all personnel to request policy / procedures changes, or to create new ones.

I’ve not touched here on the actual content of the security training, it’s too organisation / sector specific, but there are certainly some basics (101 stuff as the Americans would say). However, the development of a comprehensive and sustainable training program requires specialist skills and experience, so make the effort and expense: there’s not one investment you can make that has a greater ROI.

The Power of Strategic Patience

Forget for a minute that the phrase ‘strategic patience’ was coined over the US’s political approach to North Korea, and consider the actual concept.

In its basic terms, it means that you do very little to actively influence something in the hope that it’s already heading in the right direction, and will get there in its own time. Further, if you actually DO get involved, you will potentially prevent the desired goal.

For example: how many times have we cut off our noses to spite our face in forcing an issue? From trying to get someone to go out with us, to getting a raise / promotion at work, to making a sale, I’m sure we have all tried to force something to a point where we actually sabotaged our efforts. Personally, I’ve done all 3, and it was always a long time afterwards before I could work out what went wrong each time.

In extreme scenarios, trying to push an issue is very much like an ultimatum; in the milder forms, it’s nagging. Either way, people have a tendency to be obstinate in the face of pressure, and you are not likely to get the results you desire. Unfortunately, this does not just extend over one deal – for example – as you will be labelled in a negative way from that point forward.

There is only one thing in the world over which you can have control, and that’s your own reaction to something. I say ‘can’ and not ‘do’ because the vast majority of us have pre-programmed reactions to which we invariably default. Someone yells at me, I yell back, someone smiles at me, I yell back.  Wait? :)

I’m not going to go all neuro-linguistic programming on you and try to STOP you from doing whatever it is you do, but when these defaults involve you forcing a decision from a client (for example), you will eventually lose the client. As much as you would like to think business decisions are made on cold hard numbers/facts, they are every bit as emotional as choosing your personal relationships.

I understand the pressures of selling, but when the sales technique involves someone coming out of their comfort zone, you can only guide, you cannot push. By all means stay in touch, as estimates suggest that 80% of sales are made from the 5th to the 12th contact point, but those contact points can be anything from forwarding an interesting article, to a quick cup of coffee. You do not have to keep reminding them that a decision has to be made. I can assure you they are very aware of it.

Anyone who has ever met me would probably not list patience as one of my virtues (or humility for that matter), and it has taken me a long time to get to the point where I can get out of my own way. But the rewards are significant. When your tendency is to assume the worst when you don’t hear from someone, your written and verbal clues, and even your body language can become increasingly unfriendly. You are falling into a self-fulfilling prophecy.

If you’re in sales and you do this, the issue is your pipeline, not indecisive clients. If it’s in your personal life, you should be taking a long hard look at yourself first; that’s the only thing over which you do have any influence.