What is a Security Program?

It occurred to me that after 15 years of consulting, 10 years of public speaking, 3 years of blogging, and saying things like; “All regulatory compliance falls out the back-end of a security program done well.” and; “If you fail to develop an appropriate security program, it’s the CEO’s fault and no-one else’s.” that I have never actually defined what I consider to be a good security program.

In my defence, a good (i.e. appropriate) security program is as unique as the organisation trying to implement one. However, like any other discipline, there are basics that ALL security programs must have to be successful.

All of the best security experts on the planet pretty much agree on these basics. But just try looking for something you can apply to your business and you’ll soon be as confused as I am when trying to read anything written by a lawyer. Regulatory compliance, greedy product vendors, incompetent consultants and a whole host of other factors conspire to take security out of the hands of those who need it most.

Nothing I am about to write has not be said by me many times over, or by a thousand others much smarter than me, but for some reason it never seems to stick. As much as I hate the concept of rebrand-it-to-sell (e.g. a ‘service on the Internet’ is now called The Cloud), I can see the attraction. If we could make security ‘sexy and new’, perhaps we’d have an easier time bringing back the basics. 99% of security lives and breathes in the basics.

For example, everyone knows that there is no security program without senior leadership support (i.e. CEO). This is free, takes a fraction of a percent of the CEO’s time per calendar year, and has benefits well beyond anything you can imagine. But try getting it.

Anyway, on with the program detail, but first; If you don’t believe that a security program is a balance of People, Process, and Technology, stop reading, this will all be lost on you.

8 Steps to an Appropriate Security Program

o

  1. Senior Management Support – Been over this a million times. If you don’t have it, stop here, you’re wasting your time. Can you have some security without it? Yes, but guess who will be blamed when things go wrong.
    o
  2. Governance Committee – Senior stakeholders who will run the program with the full and visible support from senior leadership. Governance runs everything from risk assessments to change control, and without this centralised function your security program will collapse like a flan in a cupboard.
    o
  3. Policies & Procedures – Again, if you don’t know by now how important this one is, don’t bother reading the rest, you’ll never understand.
    o
  4. Risk Management – The primary function of the risk management is to ensure that all security controls meet the organisation’s risk appetite. Risk Assessment, Business Impact Analysis, Risk Treatment, and the Risk Register all sit here.
    o
  5. Appropriate Security Controls – No, I do NOT mean technology! Technology supports security, it does not define it. Your controls will be a direct result of the risks determined by Governance, and the requirements as defined in your policies (requirement for hardening guides for example). Technology purchases are the last resort.
    o
  6. Vulnerability Management / Change Control – I don’t lump these together very often, but from a program perspective, they have similar results. i.e Don’t make things easy for the attacker by a) ignoring the evolving threat landscape, and b) introducing potential vulnerabilities without due diligence respectively.
    o
  7. Testing Program – Test everything, then when you’re done, go back and test it again. Repeat. You simply have no idea whether or not your security program is working until you test it. Test results feed back into everything done before it in order to make the necessary adjustments.
    o
  8. Security Awareness & Training – Again, if this makes no sense, you’re reading the wrong blog. None of the above works unless EVERYONE knows what part they play.

That’s it. Finished. there is nothing more to do for any organisation to develop an appropriate security program. Nothing here is complicated, perhaps that’s why people ignore it, it’s just not dramatic enough.

However, making this process simple can be extremely difficult, as is getting the program in place, and these difficulties should not be underestimated. It’s the difficulty, not the complexity that ruins most security programs, especially when you don’t have the support you need.

FWIW, done well, a security program based on the above will not only make you more secure than most of your competition, but give you demonstrable compliance with every regulation out there. How’s that for an ROI?

[If you liked this article, please share! Want more like it, subscribe!]

PSD2: The Race to the Consumer

The following things have been clear for a while:

  1. The three and four party models represented by the card schemes are in real danger of being disintermediated as mobile technology advances;
  2. The use of plastic will only begin to fade when consumers have a compelling reason to move, mobile payments alone is insufficient;
  3. Retailers are desperate to engage consumers much earlier in the buying process, as well as for a long time after it;
  4. Identity Management and Authentication will take their rightful place in payments and beyond; and
  5. The average consumer has no idea what they want

What has NOT been clear [to me anyway] is what will be the impetus for thing to actually change, and I never thought it would be a regulation.

But that is exactly what is happening here in the EU. Even a cursory examination of the Payment Services Directive 2 (PSD2) makes it clear that the established order is changing. It has already been adopted by the European Parliament, and adoption by the EU Council of Ministers is only a pending formality. Once published, each of the EU countries has just 2 years to write the Directive into their laws.

If you had to distill the PSD2 into its major players, they would be;

  1. Account Servicing Payment Service Provider (ASPSP) – Usually the banks, these guys will need to open up account data once they have received permission to do so from the consumer.
  2. Account Information Service Providers (AISPs) – Aggregators of data received from ASPSPs
  3. Payment Initiation Service Providers (PISPs) – Can initiate a payment, but can only provide a ‘Yes’ or ‘No’ in terms of funds availability.

It’s the AISPs that are truly the new guys on the block. Imagine it; a non-bank Third Party Provider (TPP) can, once properly vetted / ‘licensed’ request all the information from all of your banks / financial institutions and display it to you in a single location! The possibilities to money management alone are enormous, but it’s retail that will be the big winners. Well, some retailers.

The reason that retail and TPPs alike should be dribbling at the thought of this is that these centralised ‘Money Managers’ (MMs) are the perfect location to begin the buying process.

You want to buy a TV, so you open your MM app which has already gone through the effort to combine feeds from all of the following:

  1. Retailers – If retailers do not provide feeds of stock, deals, locations, terms and so on, these will not be presented to the consumer as an option
  2. Ratings & Reviews – Few people realise what goers into those 5 stars you see on Amazon and the like, but you’d be surprised how much influence they have
  3. Your Finances – No point looking if you can’t afford it

Then, once you have gone through a nice friendly wizard to narrow down what you are looking for, your MM goes out and looks for the best deal, AND offers you the best payment terms from all of your lenders. And the WAY you pay? What do you care, the MM has already determined the best way and took care of the detail?!

Those steps may not sound all that radical, but there are two incredibly important facts here:

1) the holder of your money has become far less relevant, so even the banks themselves are losing the Race to the Consumer, and

2) consumers will stop caring HOW they pay in terms of channel, making every other intermediary in the current payment ecosystem irrelevant.

This is what your money is, a stored value, why SHOULD you care if it’s direct debit, standing order, or branded card as long as it’s the best deal for you. It all comes back to you anyway.

[If you liked this article, please share! Want more like it, subscribe!]

The Next Best Thing to Innovation?

…is the appearance of innovation.

Well, it certainly seems that way; Can’t sell services over the Internet? Call them The Cloud. Can’t sell Risk Assessments and Vulnerability Management? Call it Operational Resilience. Can’t sell data management and access control on mobile? Call it BYOD.

When it becomes clear that there is no-where left to go with your existing product or service, the appearance of innovation seems to be the go-to place for institutions staring down the barrel of obsolescence. Instead of working on their customer service, value-adds, or – God forbid – actually improving their offerings, too many organisations resort to smoke and mirrors to stay competitive.

And the worst part? We let them.

The payments sector is perfect target for this blog, especially given the fact that I know little else. Take these two examples from the last few month; There’s a New Way to Pay With a Selfie, and TD, MasterCard and Nymi Pilot Heartbeat-Authenticated Contactless Payments.

Where is the innovation here, we’ve had biometrics for years? The only thing new is the ability to actually bring the biometrics to bear, which is an advance in mobile technology, not payments. The payment itself  hasn’t changed, we’re still stuck with the same primary account number (PAN) being used by the same intermediaries (Acquirer, Issuer & Card Scheme), over the same systems we’ve had for decades. Even if you build in tokenisation with these systems they’re still mapped to a PAN in the back-end somewhere.

If you accept that a payment is just a transfer of value from one place to another, true innovation must involve the complete disintermediation of almost every player in the current ecosystem except the banks. Sure, there can be service provider intermediaries, but they will be providing true benefits to consumers and banks alike in the fields of identity management / authentication, anti-fraud, customer service, loyalty and reward programs, ratings and reviews, big data analytics and host of others services of which I can barely conceive.

To be worthy of the term ‘innovative’, any service or product offering must have the following attributes:

  1. Be of practical use, and not just theoretical
  2. Provide long-lasting benefit to all stakeholders
  3. Cannot knowingly stifle or exclude competition

For payments, there are a few more:

  1. Be available to the largest portion of the population possible (including those with disabilities)
  2. Be frictionless to the average consumer, or better yet, invisible
  3. Maintain appropriate confidentiality, integrity and availability of all underlying sensitive data, to meet – or exceed – all current legislation, regulation and best practices

Not one, or even ALL of these things at once should be too much to ask, but it’s never that simple. There will always be those existing players whose power and position can make some of these requirements all but impossible for newcomers. And the newcomers themselves rarely do themselves any favours; disruptive innovation, competitive advantage, and blatant greed all prevent true innovation from reaching the mainstream.

In payments, like most industry sectors, collaboration is the key to significant and beneficial change, and in a market worth tens of TRILLIONS of £/€/$, I would have thought there was enough to go around.

 

Invisible Payments, Are They Real?

In short, yes, they WILL be, but like everything worthwhile there is a significant cost involved. In this case, the currency will be your identity, and the more invisible you want payments – or any transaction for that matter – to become, the more of your identity you will have to spend. In this case, there is a direct correlation between your identity, and your privacy.

First, what is an invisible payment? Seeing as Wikipedia hasn’t even got a listing yet, I’ll take a stab at defining what invisible payments are to me;

A payment can effectively be called invisible when there is limited to no interaction required by the payment initiator (consumer) to complete the authorisation and settlement of a transaction.”

Any fan of Star Trek has seen this in play for decades. When was the last time you saw Captain Kirk reach into his pocket for a 10 spot or a credit card? Did he have to use biometrics or a swipe card to get onto the bridge? Maybe, but we saw none of it, and that’s the point.

Imagine this scenario; You walk into Sainbury’s and pick up a basket, then walk up and down the isles choosing your items. Once you have finished shopping, you walk out to your car [optionally] without any further interaction whatsoever.

What was the process?

  1. As you walked in, any number of authentication mechanisms were at play; from smartphone proximity (NFC), to facial and/or gait recognition, to whatever biometric innovation comes next;
  2. Both the shopping carts and the baskets could be easily be fitted with fingerprint, vein, hand geometry recognition sensors in order to assign the subsequent basket contents to you;
  3. As you place items in the basket, they are scanned and optionally listed on your mobile device for a running total / loyalty benefits / instant coupons and the like;
  4. Walk through a final scanner into a bagging area, or just go straight to your car, either way your final tally is calculated and the funds directly charged to the payment option of choice. It’s up to you if you want to authorise the final payment with a PIN number and/or biometric on your smartphone; and
  5. Everything you just purchased is now available on your home database for tracking of ingredients for a meal, expiration dates and so on.

While the majority of the technology behind this transaction is more in the realm of the Internet of Things (IoT), the payments aspect is an extremely simple form of Identity Management on smartphones. What’s more, all of this technology is available today, the only thing missing is the demand.

There will be 2 extreme camps to the above scenario; 1) Where do I sign-up!? and 2) Never in a million years!

Most of us will be somewhere nearer the middle, and it should be clear that the further you get in to the ‘sign-up’ camp the more of yourself you have had to share. When it comes to invisible payments – and IoT for that matter – the convenience described above came at a cost to your privacy. And until security catches up with technological innovation, that cost is seen by most to be too high.

That’s the demand I mentioned above, and while scenarios like this will be common place one day, we’re not quite there yet.

[If you liked this article, please share! Want more like it, subscribe!]

No, Passwords are NOT Dead, and No, Biometrics is NOT the Answer!

The title is already too long, but what it should have said was; “No, [all] Passwords are NOT Dead, and No, Biometrics [by itself] is NOT the Answer!”

Passwords represent one of only 3 factors in authentication; the something you know, and to get rid of them when they are already so established in favour of another single form of authentication; the something you are represented by biometrics, is wrong to the point of being irresponsible.

In one of my previous articles related to biometrics hype, subtly titled “Anyone Else Getting Sick of Biometrics Hype?” I made it clear that I am actually a fan of biometrics. I went as far as to say; “…they are absolutely intrinsic to the future of non-cash payments and the implementation of true identity management…“. But what I cannot accept, and will rail against until I’m blue in the face, is those shamelessly trying to make biometrics the only player in town.

Somehow my enormous blog following of 99, (including family) has so far been unable to effect the changes the industry so desperately needs. But this is the not the first time blatant self-interest has made matters worse for everyone; The battle over NFC delayed its useful implementation for years, the on-going battle for loyalty / reward programs means there are tens of thousands of them (most of little use to the end consumer), and having a different adaptor for almost every device we own (even if you only have Apple!) annoys me endlessly.

Biometrics vendors are now firmly in this illustrious group, and it’s all so unnecessary.

However, there are a lot of organisation out there trying to do the right thing, those whose mission is to ease the transition of the payments space from cash / paper / plastic to digital, and who recognise that no ONE organisation has all the answers. Passwords are not the answer, biometrics are not the answer, hardware devices are not the answer, it’s a combination of ALL of these things and all the things to come that will get us to where we need to be. Those prepared to collaborate, to be part of the solution instead of being the problem, will all get a piece of a much larger pie. If they can prove their merit.

The worst part of it is that the ‘problem’ biometrics vendors are trying to solve has been created mostly by them! Yes, a lot of people want digital payments to be easy, or ‘frictionless’ (as the current buzz-phrase goes), but the vast majority of people are not concerned about passwords, they just change them, nor are they concerned about cashless payments, what’s wrong with their credit cards? While there is no question that payments will transition from plastic to mobile, it will be a long transition, and there is no room for disruptive innovation in this space.

I of course blame Apple for this, Apple Pay has driven an increase in interest in biometrics that has every vendor clamouring to monetise before the interest dries up.  And dry up it will, IF they continue along the current course. Biometrics by itself does not solve the security challenges, but if they embraced the collaboration with all the other forms of authentication (including passwords), they would cement their future in a far more positive place.

[If you liked this article, please share! Want more like it, subscribe!]