Froud on Fraud: Cybersecurity Predictions for 2017

This time last year I wrote Froud on Fraud: Top 5 Predictions for 2016. Unsurprisingly, none of these things has transpired. At least not yet anyway [embarrassed silence].

So why do this again, when it’s fairly clear that any insight I have – if any – is aimed more towards potential long-term trends than to short-term results?

The reason I’m taking another stab is I can’t help feeling that 2017 is going to something of a watershed year for cybersecurity. At least I hope so, because there is so much hype, scaremongering and dross out there that something needs to change. And it must change soon, before cybersecurity professionals get lumped into the same category as the better known examples of  sleaze; used car salesmen, estate agents, and lawyers (no offence Sis).

The last few years has been bad for the cybersecurity/privacy profession. From Snowden, to the Snooper’s Charter, from Target to Yahoo there has been no good news. Forget that the press will not print good news if they can possibly help it, things actually are getting worse. State sponsored attacks, organised crime, numerous vulnerabilities in Android and iOS, irresponsible Internet of Things manufacturers, there is little to smile about.

But instead of coming to the rescue, the cybersecurity industry seems Hell-bent on making it worse by cashing in on the confusion. From biometrics vendors disgracefully overstating their worth, to consulting practices doing everything in their power to cross-sell and upsell their wares , it’s becoming increasingly difficult to know where to turn.

The only bright side? Legislation.

Yes, legislation. The Payments Service Directive (PSD2) and the General Data Protection Regulation (GDPR) – for example – are both designed to start putting things right in payments and data privacy respectively. No one with a vested interest in keeping things the same was ever going to do something themselves, so now they’ll have to. Banks, large retail, you name it, there will now be a price to pay for how you treat the consumer.

And let’s face it, it’s all about the consumer.

So with the above in mind, these are my predictions for 2017:

o

  1. ISO 27001 certification will be increasingly important: Unlike PCI which is entirely prescriptive, no other regulation that I have ever seen requires anything other than ‘appropriate‘ or ‘reasonable‘ security measures. Appropriate and reasonably to whom is always the first question. ISO 27001, and other frameworks like it, perform one overarching function; to provide demonstrable evidence that an organisation is taking security seriously. Whether the organisation is actually taking security seriously is another matter, but it is hard to fake certification. Not impossible mind you, just difficult. ‘Compliance’ with GDPR, and other data privacy regulations globally will look to ISO for help.
    o
  2. Biometrics vendors will keep pushing their wares, and fail: OK, so this one is more of a wish than a prediction, but I am so sick of the hype around biometrics that I need to vent. Yes, biometrics if very important, yes, it’s better than a password in most scenarios, but it is NOT an answer by itself. Biometrics will not replace the password, nor will it ever be a solution all by itself. It will do what every other form of authentication should do; take its rightful place in the arsenal of identity management systems.
    o
  3. Amazon GO will be the new model for brick & mortar: Any brick and mortar retailer not terrified by the opening of the Amazon GO store in Seattle is completely missing the point. The point is that consumers don’t care how they PAY, they care how they BUY. Cash, credit cards, even the Apple Pays and their ilk are just forms of payment, they are not relevant to how we choose the products and services we actually BUY.  We demand a lot more from our merchants than a glorified cash register. In Invisible Payments, Are They Real? (Aug ’15) I went a little further than Amazon did, and will go even further in a week or so. And while I don’t expect 2017 to see a sharp increase in GO-esque stores, it’s definitely a glimpse of the near future.
    o
  4. Containerised Security Services: Anyone who has looked to Amazon Web Services or Azure for hosting their e-commerce systems often do so in order to outsource security as well. The fact that neither of these services provide much is often a nasty surprise. Yes, the merchants asked the wrong questions (or none at all), but it is incomprehensible to me that vendors like AWM DON’T provide comprehensive security wrappers. 2017 will see an increase in modular and full-service security programs (at least to PCI minimums) from all of the major providers. Hopefully these will be easily understandable and transparent to non-experts, because even the better service providers do a piss-poor job of getting their point across.
    o
  5. Automated Governance, Risk & Compliance: A fantastic concept, implemented poorly. However, with the ever increasing regulatory landscape, larger organisations simply can’t keep up with the audits. GRC tools have traditionally been mostly manual in nature, which explains their lack of adoption. More and more GRC vendors are looking to automate compliance baseline input by providing APIs to end-point vendors (A/V, SIEM, vulnerability scanning etc) for automated input of production system data. 2017 will see GRC vendors finally focusing on the only thing that makes sense; asset management and automated baseline comparisons of known-good profiles.

OK, so 5. is a bit of a stretch, but there’s no way my OCD would allow for only 4 predictions.

What are your predictions?

[If you liked this article, please share! Want more like it, subscribe!]

CISO Lifespan

Why CSOs / CISOs Only Have a 2 Year Lifespan

In previous blogs I expanded upon two main reasons why CISOs seem to have such a limited lifespan, and why the role is currently one of the most difficult senior leadership roles to both fulfil, and stay in long-term.

In Make the CSO Role a Board Appointment, or Don’t Bother Having One I touched upon the fact that so few CSOs; 1) are hired by the right people or for the right reasons, 2) report to the correct hierarchy, and 3) have the necessary support from the people from whom they need it most.

In The 3 Types of CISO: Know Which You Need I tried to explain why there is effectively no such thing as an ‘all-rounder’ CISO, so expectations are already completely out of line with reality.

I’ve now come up with a 3rd; Expecting the CISO alone to fix everything.

While this may be a byproduct of the first two, it is nevertheless important enough to be addressed by itself. And for once, I can’t actually blame the CEO entirely for this issue, the CISO is every bit as culpable.

Consider this scenario; An organisation, for whatever reason, decides it needs a security expert in senior management. Even if the BoD does get involved from the beginning, the organisation will end up writing a job description of some sort. This is no different from going to the Doctor’s, diagnosing yourself, and writing your own prescription.

This description will then be advertised in some fashion, guaranteeing that the only people who respond are the ones wholly unqualified to fill it. In the same way that anyone who wants to be in politics should be stopped from doing so, anyone who responds to a CISO role that they didn’t draft themselves has no idea what they are doing.

There is only one exception to this, and that’s if the organisation has already put the basics of a security program in place and need someone to optimise it. Everything before this is a series of consulting gigs, the aim of which is to prepare the organisation’s security program to the point a CISO can come in and run with it.

So, whether you’re an organisation looking for a long-term CISO, or a CISO looking for a long-term gig, what do you do?

A Security Program in 10 Difficult-as-Hell Steps

o

Clearly there are many steps in between these, as none of this appropriately addresses two of the most important aspects of any security program; 1) Senior Leadership’s role in changing the corporate culture, and 2) a Knowledge Management program personified by documented processes and procedures.

But in no way do I wish to downplay the CISO role to one of a babysitter, it is still one of the most difficult roles imaginable. However, I have never met a CISO who joined an organisation at Step 1, and was still the CISO a year or so later. Because the CISO role is perceived by many security professionals as the pinnacle of their career, too few ask the hard questions before committing;

  1. Has the organisation followed the 10 steps? – If no, where are they in the process?. If yes;
  2. Am I right for the job? – If no, can I help them find someone who is. If yes;
  3. Do I really want the job? – Go in with your eyes wide open, or again, walk away.

As long as both the organisation and the prospective CISO are fully aware of these issues, there is no reason a CISO can’t go the distance. That said, there is no reason a security program can’t be put on track without one…

[If you liked this article, please share! Want more like it, subscribe!]

Cybersecurity Professional

So You Want to be a Cybersecurity Professional?

Like almost everything else in my life (e.g. marriage, fatherhood), I became a cybersecurity professional with little to no planning. I was happily plodding along with zero direction, and even less qualifications, when an employer required me to get an MCSE in Windows NT.

In a very short time I realised that if I was looking at a computer my boss thought I was working, so being lazy, IT was the career for me! However, I did get bored, so when I received a call about my resume on Monster.com from a start-up cybersecurity company, I jumped at the chance. A little homework showed that security was the place to be in IT, even then, especially when the company consisted almost entirely of incredibly smart ex-NSA types.

This was in 2000.

In the 16 subsequent years I have gone from firewall admin, to managed service manager, to consultant, to manager of consultants, to self-employed. I have loved [almost] every minute of it. The funny thing is though, I have no passion for security per se, I just love helping others fix broken stuff. Especially processes.

There is a LOT of work out there.

So my first piece of advice; decide why you want to be a cybersecurity professional in the first place. If it’s just for the money, move on to something else, you’re not welcome here. Having performed the Keirsey Temperament test on 30-odd security consultants across the globe, it was clear that certain characteristics are dominant in their type (ESTJ). Bottom line; they actually care, and they are:

  • Highly social and community minded;
  • Generous with their time and energy;
  • Hard working; and
  • Friendly and talk easily to others.

That’s not to say others can’t do well (I’m an INTJ for example), but you have to know yourself before you know what aspect of security would suit you best. Follow the money, or choose something for which you are not suited, and you will likely fail.

Then Bear These Things in Mind…

  1. Qualifications: A degree in cybersecurity should not be seen as a pre-requisite, as certifications are almost as much good, and neither of these things can trump experience. Regardless of your qualifications, you will start at the bottom, and there is no better place to learn. Make the most of it.
    o
  2. Specialise or Generalise: You’ll need to decide very quickly which you’re going to be; Specialist, or Generalist. You cannot be both, there’s just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same, you must find what suits you best.
    o
  3. Learn the Basics: Jumping straight into a career in User and Entity Behavior Analytics (UEBA) or Intelligence-Driven Security Operations Center Orchestration Solutions (whatever the hell that is) may be tempting, but you are not doing your career, or more importantly, your clients, any favours. From Confidentiality, Integrity & Availability, to Risk Assessment, Asset Management, to Policy & Procedure, the basics have never, and will never change. Whenever you find yourself stuck, only the basics can give you a clear way forward.
    o
  4. Choose a Camp: Unfortunately most cybersecurity professionals tend to fall into one of two camps; 1) those focused primarily on Technology, and 2) those focused primarily on People and Process. These are two distinct skill-sets, so know which you are, and make sure you pair up with a counterpart.
    o
  5. Ask for Help: I got where I am without a mentor as such, but I most certainly didn’t get here without a LOT of help. Nor would I be able to stay here without the constant support of my peers. If there’s one thing I love about cybersecurity professionals it’s their generosity and desire to help. So join your local chapter of ISC2, ISACA and / or ISSA and start talking to people.
    Use mentors too if you can, as while I have few regrets in my career path, not having mentor is one of them.

Without question, a career in cybersecurity can be very rewarding, both in personal achievement and financial terms. It can also chew you up and spit you out if you’re not careful.

In the end, cybersecurity will give as much back as you put in, there are no shortcuts.

[If you liked this article, please share! Want more like it, subscribe!]

ISO 27001 Certification

How to Begin Your ISO 27001 Certification Project

There are many consultants with significantly more ISO 27001 experience than I have. And type “how to begin ISO 27001” into Google and you’ll get ~8.2 million hits. So what makes me think I can do any better?

Actually, I not saying I can, but I am saying that my style of consulting seems to be conducive to getting such difficult projects off the ground quickly. Or at all for that matter. No security project is more difficult that implementing an ISMS.

In last week’s blog; ISO 27001 Certification, Is It Really Worth It? I stated that the top 5 reasons that ISO certification projects fail are:

  1. Grossly underestimating the level of effort;
  2. Doing it just to land a big contract (or for marketing purposes);
  3. Tying the certification to an overly aggressive deadline;
  4. Ignoring the expert help; and
  5. Having no business goals in mind.

It follows therefore that to make certification a success, you must overcome these challenges at a minimum. Sadly, nothing I say from this point point forward will be in any way new. Some of what I have to say has been said dozens of times by me, and thousands of times by my peers and betters.

The Challenges

  1. Grossly underestimating the level of effort – Symptomatic of one thing; asking the wrong questions. If you had asked the right people the right questions you would KNOW just how difficult an ISO certification project is. No certification should be undertaken lightly, but there are more than enough ISO experts out there to make the level of effort abundantly clear.
    o
  2. Doing it just to land a big contract (or for marketing purposes) – While I can empathise with this one, allowing what amounts to greed to provide the entire impetus for something that requires a fundamental shift in culture is naive at best. The promise of a big contract can, and often does, provide the initial business case for ISO certification. But to then focus entirely on doing just enough to land that project is a total waste of time and effort. Many good consultants will rightly walk away from such projects. It’s our reputation too.
    o
  3. Tying the certification to an overly aggressive deadline – Usually an extension of 2 above, and will invariable derail the project before it begins. If all you’re focused on is a looming deadline, nothing will be done properly, nor will it be sustainable. Remember, ISO certification requires 6 month health checks, an unsustained ISMS will result in the removal of your certification. Quite right too.
    o
  4. Ignoring the expert help – You don’t go to the doctor and tell them you have a brain tumour. You tell them you have a headache and let them do the rest. So why would you hire an ISO expert them argue with every step of the way just because you don’t like what you hear? A good consultant will not ask you for anything they already have, or they do not need, so either do the work or stop the project if it’s too much.
    o
  5. Having no business goals in mind – Contracts, even very large ones, are not business goals, they are a means to achieving a business goal. Done correctly, an ISMS can enable almost every goal you’d care to mention. Done correctly. Before you begin your project, find out what your CEO’s goals are and map the ISMS efforts to them. Miss this step and you will fail every time.

I use the word ‘recommend’ very carefully, but I HIGHLY recommend that you put all the relevant stakeholders through a 1 day ISMS training session to set the scene. Without this context, you will have no support.

If the CEO can’t even make an appearance at this session, that will tell you all you need to know about how your project is going to go.

[If you liked this article, please share! Want more like it, subscribe!]

ISO 27001 Certification

ISO 27001 Certification, Is It Really Worth It?

For the last decade, ISO 27001 certification has been the de facto standard for security programs across the globe. The only problem is, few organisations can be bothered with it. In the years of its existence, I have been asked about implementing a total of twice.

Why?

The reasons are numerous, and vary from organisation to organisation. However, they most often fall within these categories. The client has:

  1. never actually heard of it;
  2. doesn’t care about cybersecurity;
  3. thinks it’s too difficult;
  4. thinks it’s too expensive; and
  5. cannot see a return on investment (ROI).

But the biggest reason I have not been involved in ISO that much?… The Payment Card Industry Data Security Standard (PCI DSS). Which coincidentally, began at almost the same time.

All by itself, PCI has sucked the security budgets out of enough organisations that there was little left for anything else. And if I’m honest, because of PCI, I haven’t had to go looking for any other work.

Think about that for just a minute…

A very basic, controls-only standard, related to a single form of data, that’s not even a law has driven enough business my way that I have not had to worry about diversifying.

And frankly, I still don’t, but with what’s going on here in the EU, we are all going to need something better. From the General Data Protection Regulation (GDPR) to the Payment Services Directive (PSD2), the regulatory landscape is finally making real security a necessity.

It follows therefore that organisations will begin looking to ISO for options.

And that’s really the point, can the ISO standards actually help, or is the 2700X series just a bunch of meaningless paperwork? At first glance, it certainly looks that way, and few organisations choose to go any further. And the ones that do, get so lost in the paperwork that they forget why they are doing it. It’s only when the framework is fully customised and implemented, that you see its true and significant benefits.

However, before you look to ISO, you absolutely MUST do your homework! You have to know exactly what an Information Security Management System (ISMS) is, why you’re doing it, and how you’re going to keep it going. If you can’t answer those questions, don’t start, because you will never cross the finish line.

The biggest killers of ISO certification projects, are, in this order:

  1. Grossly underestimating the level of effort;
  2. Doing it just to land a big contract (or for marketing purposes);
  3. Tying the certification to an overly aggressive deadline;
  4. Ignoring the expert help; and
  5. Having no business goals in mind.

These are usually exacerbated by not getting senior leadership support, and then failing to tailor ISO to your needs. So what organisations end up with 99 times out of 100 is a stalled project and an external consultant taking all the blame.

ISO 27001 certification is bloody difficult…

…just accept that from the beginning. It requires commitment from every aspect of your organisation, and will only be effective if you enable the culture shift necessary to embrace it properly.

Strangely enough though, it actually looks fairly simple, as the ISO 27001 standard itself is only 30-odd pages long and only 114 controls. However, for every 1 of those controls, there are an average of 4 additional aspect to consider from the NINETY-odd page ISO 27002. Then, if that’s not enough, you must show some kind of evidence that you actually doing what you say you are!

For example, the very first ISO 27001 control is “A.5.1.1 – Policies for information security – A set of policies for information security shall be defined and approved“. Sounds simple enough until you realise that there are a minimum of 19 suggested ‘Implementation Guidance’ factors behind it.

From requiring that Information Security Policies address; “business strategy” and “regulation, legislation and contract“, to the suggested ‘examples’ of “policy topics”, A.5.1.1 becomes a project all by itself. Then, assuming you get all this paperwork together, you have to ensure that the policies are; “communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an “information security awareness, education and training programme” (see 7.2.2).” Finally, you then need to provide some ‘record’ that this is all implemented , or that you have a risk treatment plan in place that shows you’re going to get it implemented …how …and when.

There are 114 of these, and even if you decide a few of them are not relevant to you, you must fully justify their EXclusion.

Not trying to put you off, the implementation of an appropriate ISMS is one of the best things you can do for your business as a whole. Just make sure you start out the project for the right reasons, with the right support, and the right goals in mind. And for GOD’S sake, get an expert in for a day FIRST to show all major stakeholders what to expect BEFORE you commit to the full project!

I see ISO 27001 certification becoming a must-have for almost any business, but only if it’s done properly.

[If you liked this article, please share! Want more like it, subscribe!]