Change

Cybersecurity Professionals: Don’t Change by Not Changing at All

Yes, I stole this line from Pearl Jam’s 1993 song; ‘Elderly Woman Behind the Counter in a Small Town‘. But in my defence, I have always loved the line and I did wait for almost a quarter of a century before I stole it.

The very simple, yet extraordinarily powerful message is one that applies equally to your personal and professional lives. Though I for one have never believed that you can keep your work and home life separate. They overlap in just too many ways. We used to have communities to fulfil our Maslow’s sense of belonging, now we have the companies we work for. We used to derive our sense of self-worth from taking care of our families, now it’s from a big annual bonus, a cheap award, or worse, a title.

But I digress. Already.

In a previous blog; So You Want to be a Cybersecurity Professional, I posited that you really only have 2 career choices; 1) specialise, or 2) generalise. “You cannot be both, there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same, you must find what suits you best.”

Unfortunately, if you’re not careful, both of these choices have a significant downside; if your knowledge stands still, your skill-set will become obsolete. As technology continues to advance, and the corresponding social issues (privacy for example) become more complicated, cybersecurity professionals have to adapt to an ever-changing array of requirements. While I find the vast majority of job descriptions ridiculous in the extreme, you only have to look at what employers are asking for to see the writing on the wall.

In Europe, for example, if you can’t speak at east relatively competently about technology issues as they relate to the GDPR or even PSD2, you are not setting yourself apart. Not in a good way at least. And if you are not adapting to the current cycle of distributed processing (i.e. The Cloud, containers, FaaS and so on), then your ability to administer physical assets is not likely to take you as far as you’d like.

I have never hidden my disdain for our over-reliance on IT/IS certifications. But even I find myself back in the study/test cycle in an attempt to render my skill-set a little more relevant. I have signed up for both the Certified Information Privacy Technologist (CIPT) and the Certified Information Privacy Professional / Europe (CIPP/E) in an attempt to make my individual ‘service offerings’ more attractive. I’m not saying that the certs will do that by themselves, you have to actually read the regulations to which they refer, but it’s a start. So is talking to people in related fields.

I would say that it’s the specialist career which is actually the most at risk, especially given the ridiculous number of ‘new’ technologies that have hit the market. Almost on a daily basis it seems. Tie yourself to one of these ‘acronyms‘ and it’s unlikely you’ll be relevant for more than a year or so. Unfortunately, cybersecurity is not so much an evolution of responsible services, it’s a cycle of vendor-defined demand generation predicated on buzz-words and F.U.D.

Perhaps I’m only seeing all this from my own ‘generic’ and slightly jaded perspective. I have largely removed myself from individual security technologies to focus on the basics. While the basics (or as I call them, the Core Concepts) of security will never change, even these need to be refreshed in light of evolving business needs and priorities.

In the end I think a lot of our problem in cybersecurity is that we think we’re a department alone. I believe we are the exact opposite, we are the one who need to be in on everything. After all are not data assets the crown jewels of most organisations?

With that in mind, here’s how to embrace change:

o

  1. Read – Most of us subscribe to things of direct interest, but few of us subscribe to things outside of that limited sphere. Like it or not, IT and IS departments are only there to enable, so you need to know what impacts other department like finance and legal if you want to stay ahead of the game;
    o
  2. Talk to People – Probably the hardest one for me, but IT and IS do not exist in a vacuum. What scares the crap out of all the other departments? You’ll find out eventually, don’t let it be the hard way;
    o
  3. Training & Certification – While you don’t need to go the whole hog and collect another almost meaningless acronym, at least get yourself trained by an expert in something with which you are currently unfamiliar. GPDR for example, or PSD2 if you’re in the payments space, or even PCI if you’re really desperate;
    o
  4. Self Reflection – Unless you’re one of the lucky ones who’s in a career they chose, you likely found you way into cybersecurity by accident. Or in my case, a comedy of errors. This does not mean it can’t be a perfect fit, you just have to be extra aware of your talents and skills to not find yourself in a position for which you are wholly unsuited;
    o
  5. Find a Mentor – This does not mean you have to get a hands-on mentor, even following a person whom you respect on LinkedIn is a good thing. Find someone(s) who are were you want to be, they’ve already made a lot of the decisions you are going to face.

History is full of people who could not imagine becoming obsolete. I’m going to go out on a limb and say that these people ended up with significant regret.

[If you liked this article, please share! Want more like it, subscribe!]

Disruptive Innovation

Enough With the Disruptive Innovation. Collaborate or Fail.

[This is taken in large part from from an earlier blog, but I feel it needs updating to include more than just payments.]

‘Disruptive Innovation’ has become a common cry for anyone wanting to displace the existing players. It is defined as; “an innovation that helps create a new market and value network, and eventually disrupts an existing market and value network (over a few years or decades), displacing an earlier technology.

Unfortunately the original concept is now grossly misapplied. But like how ‘irony’ now has several meanings, I guess disruptive innovation will have different meaning based on its context.

However, I’ve never heard anyone using the phrase ‘Sustaining Innovation’, which; “does not create new markets or value networks but rather only evolves existing ones with better value, allowing the firms within to compete against each other’s sustaining improvements.

So why is everyone so interesting in disrupting the existing ecosystems? And by “everyone” I of course mean those who are trying to either break into market, or those trying to wrest even more control for themselves. In payments – as my example -, non-cash payments work [mostly], and you have a large degree of faith in your bank’s ability to protect your monetary assets. Do you really want the whole thing to change? Do you even know what it is that you want that’s different?

But do things even need to change? Well yes actually, they do. And are there innovations available NOW that make the payments process easier, cheaper, and more secure for the consumer? Yes, there are. However, can we expect the entire payment industry to throw out everything they have spent billions on over the last few decades, are used BY billions, just to make room for every start-up with a good idea? No, we can’t, and that’s the real issue here.

In the last 10 years there have only been 2 true [potential] disruptors in the payments industry; the mobile phone, and block chains (Bitcoin et al), neither of which has achieved anywhere near its full potential. Yet. Not because the technologies are flawed [necessarily], but because the introduction OF the technologies was done poorly. For mobile devices, the payments challenges included the ‘fight’ between NFC and BlueTooth, the numerous options for security on the device (Secure Elements, Trusted Execution Environments and so on), and the presumed insecurity of the technology overall. For block chains is was, and still is, the almost complete lack of understanding of how they even work in the first place. I’ve looked into them and I still find the concept nearly incomprehensible.

But even these disruptors need current context, and they represent a fundamental shift from our overly complicated view of payments back to its basics; I go to work to earn value (money), the value gets stored somewhere (a bank), and I access the value when I want it regardless of time or location (mobile payment). This would suggest that the only disruption we really need is the disintermediation of some of the players. There are simply too many middle-men whose only input to the new world of payments will be value erosion. Thank God the Mobile Network Operators (MNOs) are too busy bickering amongst themselves or this would be even more complicated!

As a consumer who has a very good idea of what he want to see change, I know that only those who help the payments industry evolve will have a lasting positive impact, and this will only be through collaboration and fair competition.

I’ve used payments as an example, because that’s what I know the best, but the same can be said for almost every other industry sector. The drive to take away what others have, instead of providing a better service for the common good, is capitalism at its worst. And no, I’m not proposing some sort of socialism, it’s just logic; What’s easier? Completely replacing something, or improving what we have in collaboration with multiple players?

It’s not like there isn’t enough to go around.

[If you liked this article, please share! Want more like it, subscribe!]

Peerlyst: Essentials of Cybersecurity

PEERLYST e-book: “Essentials of Cybersecurity”

In almost 4 years, and over 250 blogs, I have only promoted something  – other than myself of course – once: The Analogies Project.

I find myself doing the same thing for PEERLYST for much the same reasons; 1) it’s purpose is to educate, not sell, 2) it’s members are incredibly generous with their time, and 3) it’s free. I recommend that anyone already in, or WANTS to be in the field of cybersecurity, to not only join, but actively participate.

To me, an important measure of any of these forums is the output. I’m not looking to promote myself or my business – that’s LinkedIn, I’m not looking to vent – that’s Facebook, and I’m not looking to be as pointless as Donald Trump – that’s Twitter. Therefore, a forum that allows me to share my knowledge to anyone desperate enough to listen, as well as support me in the countless instances where I need guidance, will get my attention.

As for output, PEERLYST recently published a new e-book – their second – free to all members; “Essentials of Cybersecurity[The link will only work if you’re already a member]. It consisted of 10 Chapters, the first of which I was given the honour of writing:

  1. Starting at the Beginning: Why You Should Have a Security Program by me
  2. Understanding the Underlying Theories of Cybersecurity by Dean Webb
  3. Driving Effective Security with Metrics by Anthony Noblett
  4. A Security Compromise Lexicon by Nicole Lamoureux
  5. Building a Corporate Security Culture by Dawid Balut
  6. Why People Are Your Most Important Security Asset by Darrell Drystek
  7. Basic Security Hygiene Controls and Mitigations by Joe Gray
  8. Understanding Central Areas of Enterprise Defense by Brad Voris
  9. Telecom Security 101: What You Need to Know by Eric Klein
  10. Strengthen Your Security Arsenal by Fine-Tuning Enterprise Tools by Puneet Mehta

Some of these folks not only donated significant amounts of their time on this e-book, but have already signed themselves up for one of the THREE new e-books already in the works! THIS is the kind of forum with which I want to be associated.

Go take a look, hope to see you there.

[If you liked this article, please share! Want more like it, subscribe!]

What Will Brexit Mean for Cybersecurity?

No idea.

But let’s be honest, everyone will be making wild speculations at this point, just as ‘experts’ in every other field will be. The only thing for certain, is that the UNcertainty will be used by security vendors to try to scare UK companies into buying something.

This one is unrelated, but is actually very good and you should read it first; Brexit: The Implications for the Insurance Industry.

Two of the pending EU laws in the pipeline that will be most cited are the Payment Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR). While both of these do not relate to information security per se, security is an enormously important component of each, and penalties will be commensurate with the egregiousness of the data misuse/loss.

The UK would have had to make these law within the next 2 -3 years, but now what? If we’re not IN the EU, do we have to follow the EU rules? Can’t we just do our own thing, like the US?

Well yes, we could, all we’d have to do is adopt something like Safe Harbor and all EU countries would be more than happy to do business with us. Right?

I don’t think so somehow.

Clearly the UK would never put itself in that position [praying silently], and seeing as both PSD2 and GDPR are fully supported by the UK, I would very much doubt any UK-only law would be markedly different. But ANY difference will still complicate things for UK businesses. It will likely require UK organisations to be far more pro-active in the demonstration of their compliance than would otherwise be necessary.

And if there’s one thing that no organisation I have ever come across is good at, it’s the demonstration of good security practices.

Not one.

Luckily for us, there is absolutely nothing in ANY regulation of which I am aware that requires anything more than ‘appropriate’ controls. From the GDPR for example; “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

This is the greatest thing about my chosen career; Information security cares nothing for law, regulation, compliance, geography, or politics, it’s about a piece of data, on a computer, that someone wants to steal. Everything else is just reporting.

However, getting to the point where the demonstration of compliance is business as usual, is extremely difficult. Not complicated, just difficult. It’s actually very simple, all you have to do is get the CEO/BoD to care about it and it will happen. Easy, right?

UK organisations had 2 years from May 25th to demonstrate compliance with the GDPR, now [potentially] they have to demonstrate their equivalent compliance to every EU business with whom they want to transact. And you thought answering RFPs was bad now!

Nothing will change anytime soon, but in the meantime, just do what you know you should have doing all along, but start now.

Don’t know how, ask.

Why I Offer a ‘CEO Discount’

A CEO Discount is when I offer an organisation a 10% reduction on my consultancy day-rate if they can arrange for a 30 minute 1-on-1, face-to-face, with the CEO.

Sound like a gimmick? Well, it is partially, I’m trying to run a business, but it’s only partially a gimmick, as it is also extremely beneficial to both sides. It also addresses to most fundamental of all security challenges; management buy-in.

From the client side; no project, especially ones related to security, get anywhere near the amount of support from all levels of the organisation that they need to be; a) operationally effective, and b) cost effective. If the CEO offers not only their verbal support, but active/pro-active support behind an objective, it becomes everyone’s priority. As I’ve quoted incessantly; “If my boss doesn’t care about something, guess how much I care about it.“. This begins at the CEO level and doesn’t stop until the most junior person is equally infected by apathy, indifference, or both.

If the CEO cares, or is seen to care, security related projects tend to finish in half the time, at half the cost, and with double the effectiveness and sustainability. Yes, I just made these statistics up, but in 15+ years doing this stuff I would be very surprised if I’m off by much.

From my side; If the prospective client is not prepared to even entertain the notion of approaching their CEO, that tells me all I need to know about their security culture. They don’t have one.

A phrase I have used MANY times now; “Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEO’s fault, and no-one else’s.

I should UP my day-rate if I DON’T get to see the CEO!

So with just 30 minutes of prep, which will hopefully result in an agreement from the CEO to send just 3 emails over the next 6 months (which I will even draft), I will have removed the vast majority of roadblocks faced by every security person, usually on a daily basis.

Most security people feel, and in the words of the hopefully immortal Billy Connelly; “…as welcome a fart in a spacesuit.”, anything I can do to deflect that stigma is worth a measly 10%.

Anyway, what are the 3 emails I referred to (with gross summarisation)?:

  1. Dear All, a company-wide security program is happening, this is VERY important to me, pay attention and give the implementation team your full support. I will be receiving regular reports.“;
    o
  2.  “Dear All, we have finished the security framework, and released the new policies, procedures and standards that will dictate how we conduct our business from this point forward. An education and training program will be released shortly, and your FULL cooperation is expected. I will be receiving regular reports.“, and (if required);
    o
  3. Dear Some, [and I know who you are from my reports] you are not taking this program seriously, start doing so or there will be consequences.”

Of course, this is all very negative, but there is no reason this could not be organised as more of a ‘carrot’ than ‘stick’ exercise. Marketing/PR should be allowed to focus their communication skills and efforts internally when stakes are this high.

It takes just one visionary CEO in an organisation’s history to get the ball rolling in the right direction, the security program should then become completely self-sustaining as the obvious and ever growing need for security becomes embedded in the culture. There is no security until everyone accepts their individual accountability for it, and are active in doing their part.

With any security program, individual incumbents in ANY role should take a backseat to the company-wide culture, even the CEO. The reason most security programs fail is because they were driven by the security department without the necessary support from senior leadership. From my perspective, if the CEO doesn’t support something, don’t even bother trying to implement it, even if it’s the right thing to do.

Why do you think so many CSOs and CISOs fail? A few are clearly incompetent, but the majority of them just didn’t get enough support to make positive change.

If a few hours a year of the CEO’s time to instill a business saving culture is too much to ask, they will be breached, and they will deserve it.