
Cybersecurity is Difficult Enough, Don’t Complicate it as Well!

I think enough people are clawing over the Equifax carcass, so I’m just going to rant about how wonderfully simple security is instead.

Actually, it’s REALLY simple, or I would not be doing it! I’m lazy, and nowhere near smart enough to do something complicated. Therefore cybersecurity consultant is the perfect fit because it’s almost entirely common sense, and it’s not me who has to do the work! 🙂

Not only that, the things that you should be doing to secure your business have been written down for generations. Literally. So anyone who still thinks it’s complicated is not asking the right people the right questions, and anyone who says it’s complicated is probably extorting their clients by making it so.

Take GDPR for example. >96% of the GDPR is related to security of processing (basically privacy), and NOT the security of the data itself. Yet the number of security companies crawling out from under their rocks to capitalise on it increases daily. Anyone who knows the first thing about security would not be fooled by these charlatans. Cybersecurity does NOT equal privacy, which IS complicated.

So here’s the real problem: If the cybersecurity industry was doing its job, it would be SIMPLIFYING things for everyone, not making them worse! Muddying the waters just to make a few extra quid is utterly reprehensible. But the fact that organisations are ALLOWING them to do this is just plain laziness. The answers are out there.

All that said, making security simple is actually very difficult, and only good consultants have this ability. This is the same in every profession and the sign of true mastery.

Rule of thumb: If you talk to a cybersecurity consultant and afterwards you have no idea how what they do benefits your business, they are the wrong fit for you.

Besides, the only reason you are talking to a consultant in the first place is because there is some business driver (regulatory compliance, contractual obligation etc.), so you’d better know how the deliverables are going to meet the objective. Frankly, if you are not a security practitioner yourself, I can pretty much guarantee you’re asking the wrong questions.

Crap analogy. When you go to the doctor do you:

  1. Tell them exactly what’s wrong with you and what they should be doing to fix it; or
  2. Tell them you don’t feel well and where it hurts?

I assume you chose 2., but if the doctor then prescribes leeches, would you seek a second opinion? Of course you would, then you’d find someone whose solution to your illness made sense, right? Someone who explained things to you, someone who told you what to expect (the good and the bad), someone who made sense. Right?

So why would you hire a cybersecurity person who can’t explain, simply, what you need and why you need it? Especially when 9 times out of 10 what they are proposing is likely not what you actually asked for? e.g. You asked a consultant to make you PCI compliant when what you should have asked for is a security program that covers the PCI requirements. Very different beasties.

In 4 years running my own consulting practice I have turned down several contracts because I knew they would go pear-shaped. In each of these cases I explained what it is that I do, and what the long-term benefits would be. But in each case it was clear the prospect had absolutely no idea what I was talking about. Sometimes simple just doesn’t sell, but it’s the only way I will do business.

I’ve just re-read this blog and I’ve completely failed to make my point. Oh well, I’m off to the pub…


In Cybersecurity? Remove “No” From Your Vocabulary!

In the vast majority of organisations for whom I’ve provided guidance, the security departments are seen as something to work around, not alongside. In not one of those organisations was security actually seen as the critical and intrinsic-to-the-business asset it can, and should, be.

While I have written incessantly about this all being the CEO’s fault for not creating the necessary culture, the fact remains that most security professionals do themselves no favours. However well-intentioned our actions may be, most of us completely miss the point. Like it or not, our entire existence is predicated on achieving the following:

“To provide the business with all the information, and as much context, as we can to enable them to make the best decision they can.”

Yes, that may include decisions that we in security would consider completely unacceptable, and would likely never make ourselves. It also may even include decisions that turn out to be really bad ones, but that’s just as much our failure as theirs.

The bottom line is that if we cannot speak the business’s language, if we are unable to convince them of the risks, we have failed them. There is no room for towering egos or hubris in security; it does not matter what we want, only what the business needs. This will never be our decision, and we should never expect the business to speak our language.

I’m not saying that if you’re a cybersecurity professional that you have to say yes all the time, but you should avoid saying no whenever possible. Frankly, it’s not your job to do so. And as much as we would love to believe that as security experts we’re here to help, and that we have the best interests of our clients at heart, we will never be anything more than enablers. What’s more, if we’re anything less than that, there’s little point in having us around.

In the movie Office Space, one of the most cringe-worthy moments was when Bill Lumbergh reveals the “Is this good for the Company” banner. I remember laughing at the ridiculousness of the message, and laughing again when our hero tears it down. Almost 18 years later, here I am expounding the exact same message as that banner.

Why?

Because in security, we rarely have enough knowledge of the company’s big picture to put our guidance and recommendations into the right context. Even if we know what the company’s long-term goals are, unless we sit on the board we are in no position to appropriately address the risk appetite. A Sword of Damocles scenario to us may well be a necessary gamble to keep the business competitive.

That leaves us only 2 things to do:

  1. Explain risk in the format they respond to best; detail the impact of not doing what we suggest; provide suitable alternatives; and
  2. Cover your arse by having THEM sign-off on the residual risk.

The business does not need our approval to proceed with even the most egregious risks, but that does not mean we have to like it. Legal have far more power than we’ll ever have, but even they have to compromise. That said, we are fully entitled to document our objections as part of the final sign-off, but we should never take this personally.

As a corollary to the last paragraph, never, EVER say “I told you so”! Given that it’s likely partially your fault that senior leadership didn’t make the right decision, your only focus should be to help mitigate the negative impact. Take the high road, you’ll be employed longer.

In the simplest terms, map everything on your Risk Register to the business’s goals, and only worry about the things that impact them. Doing the right thing in security is rarely, if ever, measured by security metrics, it’s measured by the company’s success.


The Analogies Project, We Should ALL Be Involved

I’m sure that in an earlier blog I stated that I would never use this medium to promote a vendor or specific product. I cannot find that quote so it clearly didn’t happen, and seeing as this promo is for something that’s actually not-for-profit, I don’t feel like a complete sell-out.

An analogy is defined as: “a comparison between one thing and another, typically for the purpose of explanation or clarification.” As such it is an incredibly powerful tool to provide the necessary context to understand something for which we have limited knowledge or experience. For example, the immortal (well, except for his death and all that) Douglas Adams used what to me was the funniest analogy of all time:

“The ships hung in the sky in much the same way that bricks don’t.”

I have used analogies through my blogs and my career, and frankly, any ‘security expert’ who DOESN’T use them is likely a poor consultant, or just starting out. Too many of us are horribly guilty of the Curse of Knowledge, and end up blaming our clients for what, in the end, can only be our deficiencies.

In a conversation with Bruce Hallas, the founder and passionate driving force behind The Analogies Project, it was not surprising that two famous quotes from Einstein were used to perfectly summarise the issues faced by those giving, and those trying to receive, InfoSec services:

  1. “Insanity: doing the same thing over and over again and expecting different results.”, and;
  2. “If you can’t explain it simply, you don’t understand it well enough.”

And on further reflection, there’s this one that I have always loved by Alan Greenspan; “I know you think you understand what you thought I said, but I’m not sure you realize that what you heard is not what I meant.”

Any guidance we provide to our clients on information security is only as good as what is understood and retained. Imparted knowledge is meaningless without the listener’s understanding of it (knowledge = seeds, understanding = ploughed field, ooooh an analogy!!). I have long maintained that the ultimate consultant is one who teaches, and there are no great teachers who do not take their audience’s individuality into account. You don’t explain where babies come from the same way to your 5 year old child as you would your teenager, would you?

Yes, your client must WANT to learn in the first place, and the constant fight against the lack of security culture is not something we can fix by ourselves, but I firmly believe that a change in culture can only come with a true understanding of the benefits, and that will never be a one-size-fits-all, even within the same organisation.

This is where The Analogies Project could truly shine. Having an analogy for a risk assessment is one thing, but having a series of analogies for Receptionists, the C-level, and everyone in between, broken down by personal interest or sector applicability and so on, will provide usable experience to everyone. Giver and receiver.

I am signing on as a contributor and will be mentioning The Analogies Project in all of my subsequent training or InfoSec presentations (ISC2, ISACA, ISSA etc.). I urge you to do the same.

Go here to begin: https://theanalogiesproject.org/contact-us/