ISO 27001 Certification

ISO 27001 Certification, Is It Really Worth It?

For the last decade, ISO 27001 certification has been the de facto standard for security programs across the globe. The only problem is, few organisations can be bothered with it. In the years of its existence, I have been asked about implementing it a total of twice.

Why?

The reasons are numerous, and vary from organisation to organisation. However, they most often fall within these categories. The client:

  1. has never actually heard of it;
  2. doesn’t care about cybersecurity;
  3. thinks it’s too difficult;
  4. thinks it’s too expensive; and
  5. cannot see a return on investment (ROI).

But the biggest reason I have not been involved in ISO that much?… The Payment Card Industry Data Security Standard (PCI DSS), which, coincidentally, began at almost the same time.

All by itself, PCI has sucked the security budgets out of enough organisations that there was little left for anything else. And if I’m honest, because of PCI, I haven’t had to go looking for any other work.

Think about that for just a minute…

A very basic, controls-only standard, related to a single form of data, that’s not even a law has driven enough business my way that I have not had to worry about diversifying.

And frankly, I still don’t, but with what’s going on here in the EU, we are all going to need something better. From the General Data Protection Regulation (GDPR) to the Payment Services Directive (PSD2), the regulatory landscape is finally making real security a necessity.

It follows therefore that organisations will begin looking to ISO for options.

And that’s really the point: can the ISO standards actually help, or is the 2700X series just a bunch of meaningless paperwork? At first glance, it certainly looks that way, and few organisations choose to go any further. The ones that do get so lost in the paperwork that they forget why they are doing it. It’s only when the framework is fully customised and implemented that you see its true and significant benefits.

However, before you look to ISO, you absolutely MUST do your homework! You have to know exactly what an Information Security Management System (ISMS) is, why you’re doing it, and how you’re going to keep it going. If you can’t answer those questions, don’t start, because you will never cross the finish line.

The biggest killers of ISO certification projects are, in this order:

  1. Grossly underestimating the level of effort;
  2. Doing it just to land a big contract (or for marketing purposes);
  3. Tying the certification to an overly aggressive deadline;
  4. Ignoring the expert help; and
  5. Having no business goals in mind.

These are usually exacerbated by not getting senior leadership support, and then failing to tailor ISO to your needs. So what organisations end up with 99 times out of 100 is a stalled project and an external consultant taking all the blame.

ISO 27001 certification is bloody difficult…

…just accept that from the beginning. It requires commitment from every aspect of your organisation, and will only be effective if you enable the culture shift necessary to embrace it properly.

Strangely enough though, it actually looks fairly simple, as the ISO 27001 standard itself is only 30-odd pages long and has only 114 controls. However, for every one of those controls, there are an average of 4 additional aspects to consider from the NINETY-odd page ISO 27002. Then, if that’s not enough, you must show some kind of evidence that you are actually doing what you say you are!

For example, the very first ISO 27001 control is “A.5.1.1 – Policies for information security – A set of policies for information security shall be defined and approved”. Sounds simple enough until you realise that there are a minimum of 19 suggested ‘Implementation Guidance’ factors behind it.

From requiring that information security policies address “business strategy” and “regulation, legislation and contract”, to the suggested ‘examples’ of “policy topics”, A.5.1.1 becomes a project all by itself. Then, assuming you get all this paperwork together, you have to ensure that the policies are “communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an “information security awareness, education and training programme” (see 7.2.2).” Finally, you then need to provide some ‘record’ that this is all implemented, or that you have a risk treatment plan in place that shows you’re going to get it implemented …how …and when.

There are 114 of these, and even if you decide a few of them are not relevant to you, you must fully justify their EXclusion.

I’m not trying to put you off; the implementation of an appropriate ISMS is one of the best things you can do for your business as a whole. Just make sure you start out the project for the right reasons, with the right support, and the right goals in mind. And for GOD’S sake, get an expert in for a day FIRST to show all major stakeholders what to expect BEFORE you commit to the full project!

I see ISO 27001 certification becoming a must-have for almost any business, but only if it’s done properly.

[If you liked this article, please share! Want more like it, subscribe!]


PSD2: Where is the FCA?

On 12 January 2016, the revised Payment Services Directive (EU) 2015/2366 entered into force in the European Union, and will apply from 13 January 2018.

Anyone know what ‘apply’ means in this context?

On August 12th, the European Banking Authority (EBA) released its Consultation Paper “On the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2”. There have been many articles since then trying to explain what it means; at best these are educated guesses.

All other RTSs and Guidelines entrusted to the EBA won’t be available until January 2018. The classification of major incidents, for example.

So, as the UK’s ‘competent authority’ for PSD2, it’s surprising – and more than a little disappointing – that the FCA has so far provided zero guidance, and won’t until sometime in 2017.

For example, the most pressing questions are:

  1. If January 13, 2018 is the date when PSD2 will ‘apply’, does that mean that’s when Account Servicing Payment Service Providers (ASPSPs) have to make “at least one communication interface enabling secure communication” available? Or do they have until October 2018 at the very earliest (per the Consultation Paper)?
  2. What happens to ASPSPs if they aren’t ready? Are there penalties?
  3. When will the FCA begin the certification process for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs)?
  4. Do ASPSPs already qualify as AISPs and PISPs if they currently perform these functions?
  5. Does the FCA have final say in liability?

I was fortunate enough to give a series of PSD2 presentations last week to a large ASPSP, and it was clear that there is significant confusion and frustration surrounding it. I know the legal teams of the larger organisations will already be lobbying the FCA, but I think it’s about time some of these conversations get translated and filtered down to the masses.

Of the 50 people I trained in those 3 days:

  1. PSD2 knowledge was very low;
  2. So far they have received little guidance from senior leadership;
  3. 85% were more scared than optimistic;
  4. Only 10% saw any opportunity for their organisation, the rest saw their jobs threatened;
  5. Almost all saw PSD2 primarily as a force for disintermediation of the card schemes, acquirers and issuers.

Clearly this organisation is not alone, and all the planning in the world will do nothing without a goal in mind. What will PSD2 look like in 2018? What can organisations do NOW without definitive guidance? Is there really enough information out there to warrant investment at this stage?

No organisation wants to invest in business transformation without 2 things: 1) a clear opportunity for doing so, and 2) clear guidance from the competent authority. Also, no organisation wants to be first while there is so much uncertainty, but no organisation wants to be last. The advantage in this respect is clearly with the new entrants in the market, not the incumbents.

All that said, wishful thinking is going to get us nowhere. The FCA will jump in only when they are good and ready; it’s up to us to do what we can in the meantime.

Here’s what senior leadership at ASPSPs could be doing:

  1. Ensure the conversations between the legal teams and the FCA are filtered down to all staff – If you’re not having these conversations with the FCA, you must start;
  2. Set up a task force to examine opportunities related to Access to Information (XS2A) – You’ll have to give your customers’ information away for free; don’t you want the same from your customers’ other ASPSPs?;
  3. Set up a task force to examine opportunities related to innovation in payments – Like it or not, existing payment channels will see significant competition. Don’t be Kodak, or Blockbuster, or IBM…;
  4. Set up training opportunities for as many staff as possible, in-house or 3rd party – Uncertainty kills motivation; you cannot let this turn into fear; and
  5. Take a long hard look at your mobile apps and APIs; these things will have a very significant impact down the road – You cannot be left behind where customer convenience is concerned.

The time to prepare is now, the time to panic is a long way off. This may sound strange given everything I’ve written up to this point, but look at it this way:

  1. Innovation in payments will only be relevant when consumers ask for it – Just look how little impact Apple Pay and the like have had. Why would it, when it’s no more convenient or value-add than the plastic they are trying to replace.
  2. Regardless of the January 2018 date, you have years before current payment methods begin their inevitable decline – Make smart choices, don’t make choices based on perceived deadlines.
  3. Your customers are yours to lose – YOU have the existing relationship with your customer, new entrants in the game will be at significant disadvantage. Unless you do nothing.

PSD2 is a good thing for consumers; whether it’s mutual is really up to the ASPSPs.


Cybersecurity Recruiter

Cybersecurity Recruiters, The Gauntlet Is Thrown!

Anyone in the cybersecurity field who spends any time on LinkedIn will see numerous recruiters vying for your attention. You will also see numerous complaints from cybersecurity professionals about how those recruiters conduct their business. Unfortunately, recruiting as a profession is becoming stigmatised.

But why is this happening? The profession itself is a critical one, and done well it is of tremendous value to any professional’s career. These partnerships can, and should, last a lifetime, yet the majority of recruiters I’ve come across these days are nothing short of used car salesmen.

But if you can find a good one!… Who else can put so many opportunities in front of you when you’re too busy doing your day job? Who else can talk you up to the RIGHT people before they even see your CV? In other words, who else can help you in your career as much as a really good recruiter? Even mentors rarely have as much influence.

So What is a ‘Good Recruiter’?

While this is becoming more and more an oxymoron, it’s really quite simple from a candidate’s perspective:

  1. Do not approach me with a job in mind. At least not out of the gate. You have no idea what I’m looking for, or even if I’m open to conversations. The positions you’re trying to fill are your problem, not mine. Instead, approach me with a request to talk. If I’m not willing to talk I’ll let you know, politely, and waste no more of your time. If you don’t start the partnership with MY interests first and foremost, we’ll have little to discuss. Besides, to provide good service to your clients, you need to know if I’ll be a good fit. For example, trying to place me in a position that requires extreme tact and diplomacy will likely not go well.
  2. Do your HOMEWORK! There are few things more irritating than: “I read your LinkedIn profile and think you’d be a perfect fit for…” If you had actually read my profile, you would know that I’m not at the beginning of my career looking for a Security Analyst position in Abu Dhabi starting at AED140K. If you want to start handling more senior placements, don’t treat potential candidates with such discourtesy. You get one shot at this, if that.
  3. Assume you may never place me, but call me anyway. Recruiting, like sales, is all about relationships, and EVERY relationship pays off in some way. Maybe not directly, but going from one ‘kill’ to the next will set you up for eventual failure. Deservedly so. Senior candidates may place infrequently, but they usually know lots of other people. Recruiting is as much about networking as it is direct contact. That’s why I call this a partnership, I can help you too.
  4. Stay in touch. Any recruiter who stops calling / emailing me just because a job placement falls through will not get a second chance. And any recruiter (or employer for that matter) who stops calling hoping you’ll ‘get the hint’ is a coward and extraordinarily unprofessional. Communicate, Hell, over-communicate, but keep your candidates in the loop; there’s always a next time.
  5. Be proud of what you do. How many people have you LinkedIn with who have titles like ‘Security Consultant’ who turn out to be recruiters? At least half of the invites I receive from recruiters are hidden behind some other title. In Peter Smith’s “Why do we hate (our own) sales people?”, he used an excellent phrase: “If a person is worried about having sales in their job title, then they probably do not have the right DNA.” This applies every bit as much to recruiters. Take pride in your profession; you are needed.

The Challenge

I now throw down the gauntlet to all recruiters specialising in senior cybersecurity placements. While I am not actively looking for a move, I am open to any conversation. I have my own business, so short/long-term contract work is best, but I will not disregard full-time gigs if the opportunity is right. Please reach out.

But what I’m really looking for is great recruiters. I have a hard time believing that there is such a deficit of cybersecurity talent; I just don’t think employers are asking the right questions. There are many junior security folk out there who need help, and I am going to make it one of my goals to put them in touch with recruiters I trust and respect.

First I have to find them.

To end this blog on a crappy analogy: in Jerry Maguire there are two types of sports agent; 1) scumbag agent Bob, who cares nothing for anyone, and 2) Jerry, equally slick but with a heart of gold.

Be Jerry.


Internet of Things Cybersecurity

Of Course the Internet of Things Isn’t Perfect

Can you name one invention that changed the course of human history that was perfect out of the gate?

Farming? Domestication of animals? Transportation?

OK, what about something a little more fundamental like utilities? Water, electricity, telephone and so on. Things so taken for granted in developed countries that we barely give them a second’s thought.

How about something actually appropriate to my subject: the Internet itself?

Not only weren’t any of these things perfect when first introduced, they still aren’t. Not by a long shot, and nor will they ever be. So why are we expecting more from the Internet of Things?

As a security expert, I cannot imagine anything more horrifying than billions of connected devices built almost entirely for function. Devices where the race to market is the primary motivator, because any competitive advantage is all but gone in a matter of days, and where security, if it was even considered during development, was considered only perfunctorily, and likely with a fair degree of annoyance.

However, as a tech geek and a lazy git, the Internet of Things also fills me with anticipation bordering on joy. With the things that are already possible, my life has become significantly easier. With what’s to come, I can see a positive impact on the only thing that has ever mattered to me:

Having more time. Or perhaps more to the point; making better use of the time I have left.

Everyone talks about the risks and the inevitable disasters related to IoT, because that’s what sells column inches (like this recent event). Or they talk about increased efficiency, convenience, and quality of life because that’s what sells products. But what it all boils down to is this: what price do we have to pay for more time? How much of our privacy, or even our physical safety, are we prepared to put at risk for a better life? A life spent doing the things we want to do, not the things we have to do just to get by.

Unfortunately, in our society, we are being allowed to accept less and less responsibility for our actions. From ‘Caution, Contents Hot’ labels on our coffee cups, to political correctness, to affirmative action, we are completely devolving accountability for our own lives to external entities.

This must stop. When it comes to the Internet of Things, we must make our own choices, and we absolutely must accept the consequences. It does not matter how many regulations and standards the Government puts into place, the IoT will always be far from perfect. Bad people WILL make bad things happen. Should organisations be held liable for gross negligence? Of course. Does that help the person whose pacemaker was hacked through their iPhone? No, it doesn’t.

‘Educated consumer’ is right up there with ‘religious tolerance’ in being a perfect oxymoron. But educated consumers is exactly what we all need to be. We now have a lot of control over how much of our identity is available online. Again, it’s not perfect, but with account insurance, regulatory compliance and such, the rewards from our online functionality far outweigh the risks.

But what happens when everything from the front door to the contents of our cupboards is available on the Internet? When every appliance, every utility, our location, health, finances, are all just a hack away? Will the amazing convenience that can be achieved by outsourcing ‘control’ of those things be worth the risk of total loss?

Only you can make that choice, and you cannot point fingers at anyone else if things go wrong. There is no recourse open to you, and the only defence you have is to educate yourself.

Start by assuming that everything you put online can be lost in its entirety. Are you prepared for that? Because it’s not an exaggeration.


Cloud Computing

Are Cloud Providers ‘Too Big to Fail’ – Let’s Hope So

In a rather ludicrously titled article (yes, even for me!), “‘Too big to fail’ cloud giants like AWS threaten civilization as we know it”, the author nevertheless addresses an interesting point. And while I almost entirely disagree with the final conclusions, they represent a valid, if extreme, viewpoint. If those conclusions are a little self-serving, this can be forgiven in light of my own issues with some Cloud Providers.

The basic premise is that traditional hardware (servers etc.) sales are dropping, while cloud-based and managed services are on the rise. With the corresponding drop in hardware related skills (no demand), eventually we’ll be dependent on one of the big providers (Amazon, Google & Microsoft).

This is apparently very bad, as: “If one of these goes down hundreds of thousands of other companies go down too.” This is the “interesting point” I referred to earlier; unfortunately the reasoning presented simply makes no sense. Two examples provided are:

  1. power grid failures or natural disasters – with the fallout propagated worldwide; and
  2. AWS’ hiking of its UK prices post-Brexit as an example of how quickly customers could be affected.

First, suggesting that Google, Amazon or Microsoft have a single point of failure that could take them down globally is ridiculous. Second, with regard to price fluctuations, this is likely the result of organisations choosing a provider based on price alone, and not performing adequate due diligence. In trying to save money by using a US-based provider, and not writing mitigating language into the contract, you are the ones leaving yourselves exposed.

I’m really not picking on either the subject of the article, or the author; I’m just using this to demonstrate my point. Cloud services, done PROPERLY, are the future. Or without the stupid buzz-phrase: outsourced services over the Internet are the future of infrastructure management. The issue is that a lot of Cloud services are abysmal, and the due diligence performed by many organisations is nothing short of a disgrace.

But outsource they will, and they should. For example, how many organisations really want to hire dedicated teams to perform all of the following:

  1. Design Operating System Hardening Guides;
  2. Build and maintain servers;
  3. Install and configure all relevant security software/application;
  4. Patching and Vulnerability Management;
  5. Data Encryption;
  6. Access Control;
  7. Logging & Monitoring;
  8. …and the list goes on.

Whilst finding a single cloud provider to take care of this is almost impossible at this stage, that’s where it’s going. Only the economy of scale available to large providers can make these offerings cost effective enough to be an option for non-enterprise businesses. And frankly, the only businesses who actually care about how data is made available, are the ones being paid to make it happen for someone else.

The motivations behind the referenced article are rather simple to deduce: 1) they have a vested interest in selling hardware, and 2) they can make more money through channel than Cloud.

Fair enough, but channel’s loss of market share, and their inability to pivot is entirely their fault. They are now suffering because they have never tried to put their products into perspective. The rush to maximise profit margins was at the expense of making themselves a truly valuable partner.

If channel had only put a consulting wrapper around their offerings, they could still be selling solutions, not stuck trying to flog pieces of metal and plastic.

Perhaps this article will make more sense now that they are feeling the pain: Attention Channels/Resellers, Don’t Forget Consulting Services!
