Certifications

Can Your Career Outgrow Your Cybersecurity Certifications?

In Security Certifications Are Just the Beginning, I tried to explain that collecting cybersecurity certifications at the beginning of your career actually makes sense. However, it’s always your experience that will eventually be the difference between success and mediocrity.

Then, in So You Want to be a Cybersecurity Professional?, I qualified that even at the start of a career, certifications are only a small part of what you need to make a positive impact. Once again, it’s only the experience you gain by doing the work that gets you where you want to be. There are no shortcuts, especially on the ‘technology track’.

I have very recently had reason to reflect on the other end of the career spectrum. Not at the end of a career obviously, but at its height. Are the ubiquitous CISSPs, CISAs, CRISCs and so on certifications of the cybersecurity world actually worth it? Do they add anything significant. Can your career actually outgrow any use you may have had for them?

My current reflection actually germinated a few years ago when I spent an inordinate amount of time ‘collecting’ my Continuing Professional Education (CPE) hours. I spent way too long going over my calendar, email, and other sources to gather this information just to enter it FOUR times; one for each certification. I think I’ve done this every year for the past 4.

Now I’m being audited by a certification body. While I fully accept the reason for this, it means I not only have to gather another year’s worth of CPEs, I now  have to dig out a load of ADDITIONAL information for the previous year’s entries!

Given the nature of my business, I simply don’t have the time. More fairly, I took a serious look at the benefits I get from these certification and have now chosen not to MAKE the time. Basically, there are no benefits that I can see. At least there are no benefits that outweigh a day or more of my billable time.

Benefits need to be tangible to the self-employed. My employer is not paying for me to maintain these certs, this is out of my pocket.  So from my perspective, if you contact me regarding a contract of some sort, and request a list of my generic cybersecurity certifications, I can only assume one or more of the following;

  1. You are a recruiter trying to match acronyms to a job description;
    o
  2. You are a company looking for a cybersecurity expert but have no idea of the right questions to ask; and/or
    o
  3. You have no idea who I am (no arrogance here, cybersecurity is still a surprisingly small community).

In theory, you should aim to be immune to all of the above. If your CV/resume, LinkedIn profile, and/or reputation etc. speak for themselves, it’s your previous accomplishments that will set you apart. If you are still relying on certifications to get you in the door, then there’s a very good chance you should be focusing more on personal PR than studying for your next acronym.

For example, I have been in business for myself for 4 years and still have no website or sales function. The contacts that I have made over the course of my career keep me fully occupied. That suggests to me that the cybersecurity community in general means a hell of a lot more than any association. My peers help me every day.

This is something you have to earn. Not by being liked [thank God], but by being a genuine ‘practitioner’. Certifications can never give you this credibility.

But, I am NOT saying every certification can be replaced, some you have to have to perform a function (like ISO 27001 LA). It’s the ones you get from just reading a book, or receive for free as long you pay the annual fee (I was literally given CRISC for example). Do I really need to maintain a cert that I didn’t even earn?

In their defence, there is a lot more to these certification bodies than just the acronyms, and I have never taken advantage of these extracurriculars. Once again, I am just not prepared to make the time when I have clients paying for my time.

If only the CPEs could be earned by doing your job! Every new client, every new scenario, every new regulation you learn ON the job should absolutely count. I spend at least 3 hours a week writing this blog, but none of that time counts either.

Who knows, maybe this is a terrible mistake, but it’s with a certain sense of relief that I’m letting my certifications die.

[If you liked this article, please share! Want more like it, subscribe!]

Babel Fish

Risk Register: The Only Way to Talk to the Board

Ever wondered how really effective cybersecurity professionals not only get direct access to the CEO / Board of Directors (BoD), but actually manage to get a budget out of them? Better even than that, they get the entire C-Suite to evangelise the organisation’s security program on their behalf!

It’s quite easy actually, they speak the same language as the CEO / BoD. This is not the language of security, it’s the language of business goals. Or to put it crassly, it’s the language of money.

For example, if you are a CSO / CISO and have reported to your Board how many malware attacks your controls blocked, or how well your firewall is working I’m surprised you still have a job. The vast majority of Board members care nothing for the detail, and frankly, nor should they. As much as I have preached about how the CEO /BoD should care about security, what I’m really saying is that they should at least appear to care.

The only ones who actually care about cybersecurity [for its own sake] are those with a vested interest. Practitioners, consultants, and especially product vendors, all say they are passionate about security. They may well be, but as an analogy, are you ever passionate about your car insurance? No, of course not, quite the opposite, you just know you have to have it.

Security is no different to insurance in this respect, it’s not like sales or marketing where there is an obvious correlation between the effort and result. With security, the effects are invariably seen only when things have gone horribly wrong. Even then, the Board don’t care about security itself, they care about how the failure of security affected the bottom line. Coincidently, this is often when they start asking all the wrong questions and throw money at the symptoms not the root cause. Like hiring a CISO for example.

Even as one of those with a direct vested interest in security, I am absolutely fine with this. I know my place, which is to provide a direct link from the individual IT assets to the business’s goals. If I can’t show how a risk to the assets at my level can affect an entire business at theirs, how can I possible expect them to understand what I’m talking about? And to be clear, it’s my job to perform this translation, not theirs.

The Babel Fish that performs this modern day miracle? The Risk Register.

I’d say about 75% of organisations I’ve helped over the years have no risk register at all, 20% have only a business risk register, and the remaining 5% have separate business and IT registers. Not one has a single register that maps the IT risks to the business goals. Not one. Worse is the fact that all of these risk registers were very poorly conceived and resulting in nothing but poor decision-making.

The single risk register I’m talking about is the one where anyone can view their part of it and determine exactly how their actions can affect the whole. Does this mythical creature even exist!?

So how DO you map assets to business goals?

Like everything else in security, it’s actually simple. Bloody difficult, but simple.

Step 1: Do Asset Management Properly – I can already exclude every organisation I worked with, and I’ve only heard rumours of this being done well. Basically, if you don’t know what you’ve got, you can’t manage it, let alone perform any step that follows;

Step 2: Map Your Assets to Your Business Processes – I am often amazed that asset dependencies are not fully mapped. How do you perform change control properly if you have no idea how you’re impacting the business process that the changing assets support? How can you prioritise assets? Dependencies, inter-dependencies and data flows must be fully defined;

Step 3: Perform a Business Impact Analysis on Every Business Processes – If you can’t even take a stab at valuing each of your business processes, how can you prioritise them? Whether you can directly quantify them (e.g. revenue) or only qualify them (e.g. HR) you have to know what they are worth to you;

Step 4: Map Your Business Processes to Your Business Goals – This can be tricky as you’re going from the 100% technical to the 100% business. But if you have no idea whether or not your goals are achievable with your current assets, they aren’t very good goals, are they?

In theory and for example, you now know that if a certain database is lost; a) the business process that will fail, b) the potential losses, and c) the goals that may now become unachievable. Not every goal obviously (e.g. M&A), but definitely the ones that got you this far.

So, when you next talk to the BoD, you can show them the possible impact of not spending money on database redundancy where it hurts the most

Their pockets.

[If you liked this article, please share! Want more like it, subscribe!]

Ignorance

How to Run a GDPR Project

First: If you think that as a cybersecurity ‘expert’ I know how to run a GDPR project a) you can’t be that familiar with GDPR, and b) you have not read any of my previous blogs.

Second: If you have read my previous blogs and clicked into this blog hoping to get advice on how to run a GDPR project, you weren’t ‘listening’. At most I am a first conversation and a pointer to your next.

Then again, would you be reading this right now if the title was; “GDPR: No Idea What I’m Doing, But Here’s Yet Another Opinion.”?

So like everyone else on this little regulatory bandwagon – with the possible exception of privacy lawyers – all I have are opinions, and what I hope is a little common sense. Here in the UK for example, the GDPR is just an expansion of the Data Protection Act of 1998, which in turn was a consolidation of previous acts, some dating back to 1984. And if that’s not enough, ‘The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data‘ published in 1980 by the Organisation for Economic Co-operation & Development (OECD) contained many of the basic tenets upon which the GDPR is predicated:

  1. Collection Limitation Principle;
  2. Data Quality Principle;
  3. Purpose Specification Principle;
  4. Use Limitation Principle;
  5. Security Safeguards Principle …and so on.

That means privacy lawyers have had 37 years to get good at this stuff and pass it on to all fledgling privacy lawyers. The rest of us may have some knowledge, but this will only ever be enough to overlap with the legal profession. This overlap will then hopefully enable us to translate the lawyer’s legalese into a language relevant to our respective departments. This is actually critical to GDPR implementation as lawyers do NOT have the final say, it will always be a negotiation.

Why is this not enough? Why would any non-lawyer even want the task of applying GDPR’s Recitals and Articles into a business’s specific context? Do you think you’ll make enough money to retire before you’re discovered as an incompetent? I have never seen a clearer case for a team effort.

The GDPR Implementation Team

  1. The Lawyer – For some reason everyone assumes that when I say lawyers should lead the effort, they come back with expressions of horror. “Lawyers can’t project manage!”, “Lawyers can’t operationalise GDPR!” and so on. By lead, I mean setting the goals and objectives. You know, leading, not managing. Only lawyers are truly qualified to provide proper context, so they should make their case first.
    o
  2. The Salesman – Like it or not, GDPR will have an impact on your business. Leave the sales team out and you have ruined any chance you have of making that impact a positive one.
    o
  3. The Marketer – As with the salesman, there is no reason that ‘compliance’ with GDPR can’t have a positive impact on an organisation, even its bottom line. The marketing / PR spin is the face of your efforts.
    o
  4. The People Person – Sounds better than the HR person, but I have never understood why these folks have so little part in projects like this. They are the Keepers of the Culture, use them.
    o
  5. The Technologist – While there is very little directly related to technology in the GDPR, it’s clear that technology has a huge role to play in its implementation. There is not compliance without the IT team.
    o
  6. The Project Manager – This one needs no explanation
    o
  7. The Cyber-Peep – Where there is data and technology, there is a need for security wrappers, but this role is no more critical than the others. That’s like saying the wheels are the most important part of a car.

And yes, if there are other departments they should be included too. Privacy cannot be siloed.

What’s missing is something to bring it all together. If only there was an organisational function that took the input from all of these departments and stakeholders and formulated a plan to accomplish the business’s goals! Wait, sounds a lot like Governance, doesn’t it?

It’s already far too late to be proactive, but you have until the 25th of May, 2018 to appear to be proactive. Get your team together and don’t waste this opportunity.

[If you liked this article, please share! Want more like it, subscribe!]

Top 10

Froud on Fraud’s Top 10 Cybersecurity Technologies to Implement in 2017

In direct response to a certain organisation’s ‘Top 10 Cyber Security Technologies to Watch in 2017’, [cough, Gartner, cough], I have come up my own list of bleeding edge security technologies that every organisation should spend millions of $/£/€/¥ on.

Yes, even if you don’t MAKE millions, you should borrow the money and buy them anyway.

Being honest, my fight to bring security ‘back to basics’ has failed – despite my enormous 210 person following – so I have decided to sell-out and promote nothing except buzz-phrases and acronyms. You know, like everyone else.

However, I am convinced that if you buy, implement, and actually take these technologies seriously, you can forget the security basics. The combination of these 10, never-seen-before, shiny new objects will provide the silver bullet you’re looking for:

  1. Directorate Approbation Paradigm (DAP) – Historically, achieving ‘management buy-in‘ was the ultimate goal for anyone attempting to implement a security program. Quite rightly, caring about the future of an organisation was considered naive, and proponents of this stone-aged technology were left begging for work on LinkedIn. Some of these poor souls even became CISOs. Now, with DAP technology, every single person in an organisation will take security seriously, even if their bosses don’t!
    o
  2. Command & Control Commission (CCC) – While not strictly a technology the CCC is responsible taking the output from the EIC below, combining it with the DAP above and obtaining the budget to buy everything else on this list. This is the spider in the middle of the web, making sure that all technologies work together. Called ‘governance‘ in the old days, the new CCC is clearly superior given that you’ve never heard of it, and it’s an acronym.
    o
  3. Protocol, Method, & Archetype Orchestrator (PMAO) – Much as leeches were seen as the go-to technology in medieval medicine, ‘policies, procedures and standards‘ were seen as a foundation for every security program. While clearly nothing more than a quaint superstition, they nevertheless laid the groundwork for the PMAO revolution. Imagine it; a series of artefacts designed to record not only an organisation’s entire security culture, but their process knowledge and system baselines as well! No way just policies, procedures and standards could do all of that!
    o
  4. Exposure Investigation & Computation (EIC) – I almost feel sorry for the poor saps who only had the ‘risk assessment‘ process to measure their risk profile. Can you imagine basing you risk treatment and technology purchasing decisions only on expert opinion and business goals!? Instead, EIC, in combination with AI, big data, The Cloud, and fairy dust, can tell you exactly how many millions to spend on technology! No more embarrassing moments when you try to explain to your boss how you tried to save them money by fixing the actual problem! Like people and process could ever be the problem!
    o
  5. Intelligence Preservation Administration Schema (IPAS) – Can you imagine the nerve of the International Standards Organisation when they came up with the Information Security Management System (ISMS)? A so-called ‘framework’ designed for “systematically managing an organization’s sensitive data” with – and you won’t believe this- “a set of policies and procedures”! How naive! Instead, with IPAS, you can basically ignore the hard work and common sense approach to doing security properly and hide behind an expensive appliance with flashing green lights! Blinking green, you know it’s working!
    o
  6. Transformation Regulation Authority (TAR) – Before the advent of TAR technology, organisations across the globe relied on a ‘change control board’ to ensure that unmeasured risk was not introduced into an environment. As yes, once again, actual humans – apparently those with ‘expert’ knowledge – were allowed to determine what was right for the business. A clearer case could not be made to put this in the safe ‘hands’ of technology written by someone else.
    o
  7. Episode Reply & Adversity Restoration (ERAR) – We’ve all seen those commercials from the 50’s where attractive actors extolled the virtues of smoking? Well, ‘incident response & disaster recovery‘ were just as misleading, and just as dangerous! Like anything involving people and process could possibly help you stay in business! ERAR on the other hand, will not only detect bad things happening, it will keep your business up and running! Surely THAT’S worth a few million all by itself!!
    o
  8. Capital Durability Projection (CDP) – The future of any organisation should never be placed in the hands of those who care. The experiment called corporate social responsibility failed because it was assumed that it’s the people who are the most important aspect of a business. At least now we know it’s money that’s most important, so the old concept of ‘business continuity planning’ can be replaced by EDC and those making the world better with technology. Finally the people can be safely ignored.
    o
  9. Asset Management (AM) – This is one aspect of security where technology is actually sadly lacking. Asset management is the centre of everything, and without it, no other aspect can be truly be done well. Spreadsheets just don’t cut it, and no GRC that I’ve seen gives asset management its due. This much change, even in The Cloud.
    o
  10. Continuous Compliance Validation (CCV) – This is an idea whose time has come, it’s about time technology provides a REAL solution to overly manual processes.

All facetiousness aside, I am a huge fan of technology. Or more accurately, I am a huge fan of the appropriate application of technology. If you buy something based on anything other than 1) the results of your risk assessment, and 2) answers to the RIGHT questions, you have no business being in charge of a budget.

[If you liked this article, please share! Want more like it, subscribe!]

GDPR Vulture

Want on the GDPR Bandwagon? Be Qualified, or Stay the Hell Off!

First, what do I mean by ‘qualified’? – I mean that the only people truly qualified to lead a GDPR project are lawyers specialising in privacy. That’s it.

EVERYONE else only has a part to play. Often a very significant part, but that’s it for them as well. A part.

I’m NOT saying that every single organisation has to make the significant investment in a privacy lawyer to meet the intent of GDPR. I’m saying that the only ones qualified to determine ‘intent’ in your organisation’s specific context, are privacy lawyers. No-one who is an expert in information technology, or cybersecurity, or any other subject is qualified …unless they are also a privacy lawyer.

To even further labour the point, a qualified person is neverCertified EU General Data Protection Regulation Practitioner …unless – you guessed it – they are also a privacy lawyer.

I’ve seen every type of vendor from Cyber Insurance providers, cybersecurity consultants, to single-function technology vendors, make the most ridiculous claims as to their suitability to ‘help’ with GDPR. All to make a bit more money while the GDPR bandwagon is on the roll.

The prize so far goes to a consultant who maintains that the entire GDPR can be ‘operationalized’ under the ISO 27001 standard. Unfortunately this attitude is pervasive, as no organisation seems to want to share the opportunity with appropriate partners. The attitude of ‘land-the-gig-and-we’ll-work-out-how-to-deliver-it-later’ cannot apply here. GDPR is a law, one with significant penalties attached, so unless you really know what you’re doing, stick to what you know. And ONLY what you know.

For example, I can be [very] loosely categorised as a ‘cybersecurity expert’, so that limits my ability to help with GDPR to:

  1. Data Security – As I’ve said a few times now, of the 778 individual lines of the GDPR Articles, only 26 of them are related directly to data security. That’s only 3.34%. Yes, I can help you implement ISO 27001 to cover that 3.34% (a.k.a. “appropriate security and confidentiality”), but if GDPR is the only reason you have to implement ISO, don’t bother, you’ve missed the point;
    o
  2. Secure Technology Implementation – GDPR is not about technology, but the implementation of GDPR will have significant technology implications. From collection of consent (Recital 32), to age identification (Recital 38), to the rights to erasure and rectification (Recital 39), technology will play a big role. All of this technology will require appropriate security wrappers in-line with demonstrable good security practices; and
    o
  3. Governance Design and Implementation – Any organisation that has a Governance function already has a GDPR Implementation Team in place. Since there can be no true Governance without full departmental representation (Technology, Security, Legal, PMO, Sales, Marketing and so on), it follows that the Security team will have full understanding of GDPR’s impact from the Legal team. In turn, Technology and Security will have significant input to Legal’s decisioning, and it’s this ‘negotiation’ under the Governance umbrella that gives GDPR its ‘organisation specific context’.

This should be more than enough for any security consultant, but apparently it’s not enough for some consultants who want to replace Governance all by themselves. But, what’s wrong with partnering up with others to do the parts you absolutely should not touch? Is it not better to be really good at the one thing you do for a living and be part of a team of experts who can cover the other bases?

To put this another way, do you really want to ruin your reputation by lying to your clients now, or be the resource they come to to solve every similar problem from this point forward? Do you want to sell used cars or be a trusted advisor?

GDPR, like security, is not complicated. It’s actually very simple, just BLOODY difficult to implement. There is not one individual who can simplify this for you, not even a privacy lawyer. So if you’re looking to implement GDPR, you can rest assured that anyone who is a) not a privacy layer, AND 2) not part of a team of experts with collaborative skill-sets, AND 3) trying to sell you something, should be listened to with caution.

As always, I am not going to lay the blame entirely at vendor’s feet, they too have a business to run. In the end, the only people who get the answers they need on GDPR are the ones asking the right questions.

You MUST do your homework!

[If you liked this article, please share! Want more like it, subscribe!]