Cybersecurity is Difficult Enough, Don’t Complicate it as Well!

I think enough people are clawing over the Equifax carcass, so I’m just going to rant about how wonderfully simple security is instead.

Actually, it’s REALLY simple, or I would not be doing it! I’m lazy, and nowhere near smart enough to do something complicated. Therefore being a cybersecurity consultant is the perfect fit, because it’s almost entirely common sense, and it’s not me who has to do the work! 🙂

Not only that, the things that you should be doing to secure your business have been written down for generations. Literally. So anyone who still thinks it’s complicated is not asking the right people the right questions, and anyone who says it’s complicated is probably extorting their clients by making it so.

Take GDPR for example. >96% of the GDPR is related to security of processing (basically privacy), and NOT the security of the data itself. Yet the number of security companies crawling out from under their rocks to capitalise on it increases daily. Anyone who knows the first thing about security would not be fooled by these charlatans. Cybersecurity does NOT equal privacy, which IS complicated.

So here’s the real problem: If the cybersecurity industry was doing its job, it would be SIMPLIFYING things for everyone, not making them worse! Muddying the waters just to make a few extra quid is utterly reprehensible. But the fact that organisations are ALLOWING them to do this is just plain laziness. The answers are out there.

All that said, making security simple is actually very difficult, and only good consultants have this ability. This is the same in every profession and the sign of true mastery.

Rule of thumb: If you talk to a cybersecurity consultant and afterwards you have no idea how what they do benefits your business, they are the wrong fit for you.

Besides, the only reason you are talking to a consultant in the first place is because there is some business driver (regulatory compliance, contractual obligation etc.), so you’d better know how the deliverables are going to meet the objective. Frankly, if you are not a security practitioner yourself, I can pretty much guarantee you’re asking the wrong questions.

Crap analogy. When you go to the doctor do you:

  1. Tell them exactly what’s wrong with you and what they should be doing to fix it; or
  2. Tell them you don’t feel well and where it hurts?

I assume you chose 2., but if the doctor then prescribes leeches, would you seek a second opinion? Of course you would, and then you’d find someone whose solution to your illness made sense, right? Someone who explained things to you, someone who told you what to expect (the good and the bad), someone who made sense. Right?

So why would you hire a cybersecurity person who can’t explain, simply, what you need and why you need it? Especially when 9 times out of 10 what they are proposing is likely not what you actually asked for? e.g. You asked a consultant to make you PCI compliant when what you should have asked for is a security program that covers the PCI requirements. Very different beasties.

In 4 years running my own consulting practice I have turned down several contracts because I knew they would go pear-shaped. In each of these cases I explained what it is that I do and what the long-term benefits would be. But in each case it was clear the prospect had absolutely no idea what I was talking about. Sometimes simple just doesn’t sell, but it’s the only way I will do business.

I’ve just re-read this blog and I’ve completely failed to make my point. Oh well, I’m off to the pub…

[If you liked this article, please share! Want more like it, subscribe!]

In Cybersecurity? Remove “No” From Your Vocabulary!

In the vast majority of organisations for whom I’ve provided guidance, the security departments are seen as something to work around, not alongside. In not one of those organisations was security actually seen as the critical, intrinsic-to-the-business asset it can, and should, be.

While I have written incessantly about this all being the CEO’s fault for not creating the necessary culture, the fact remains that most security professionals do themselves no favours. However well-intentioned our actions may be, most of us completely miss the point. Like it or not, our entire existence is predicated on achieving the following:

“To provide the business with all the information, and as much context, as we can to enable them to make the best decision they can.”

Yes, that may include decisions that we in security would consider completely unacceptable, and would likely never make ourselves. It also may even include decisions that turn out to be really bad ones, but that’s just as much our failure as theirs.

The bottom line is that if we cannot speak the business’s language, if we are unable to convince them of the risks, we have failed them. There is no room for towering egos or hubris in security; it does not matter what we want, it only matters what the business needs. This will never be our decision, and we should never expect the business to speak our language.

I’m not saying that if you’re a cybersecurity professional you have to say yes all the time, but you should avoid saying no whenever possible. Frankly, it’s not your job to do so. And as much as we would love to believe that as security experts we’re here to help, and that we have the best interests of our clients at heart, we will never be anything more than enablers. What’s more, if we’re anything less than that, there’s little point in having us around.

In the movie Office Space, one of the most cringe-worthy moments was when Bill Lumbergh reveals the “Is this good for the Company” banner. I remember laughing at the ridiculousness of the message, and laughing again when our hero tears it down. Almost 18 years later, here I am expounding the exact same message as that banner.

Why?

Because in security, we rarely have enough knowledge of the company’s big picture to put our guidance and recommendations into the right context. Even if we know what the company’s long-term goals are, unless we sit on the board we are in no position to appropriately address the risk appetite. A Sword of Damocles scenario to us may well be a necessary gamble to keep the business competitive.

That leaves us only 2 things to do:

  1. Explain risk in the format they respond to best; detail the impact of not doing what we suggest; provide suitable alternatives; and
  2. Cover your arse by having THEM sign-off on the residual risk.

The business does not need our approval to proceed with even the most egregious risks, but that does not mean we have to like it. Legal have far more power than we’ll ever have, but even they have to compromise. That said, we are fully entitled to document our objections as part of the final sign-off, but we should never take this personally.

As a corollary to the last paragraph, never, EVER say “I told you so”! Given that it’s likely partially your fault that senior leadership didn’t make the right decision, your only focus should be to help mitigate the negative impact. Take the high road, you’ll be employed longer.

In the simplest terms, map everything on your Risk Register to the business’s goals, and only worry about the things that impact them. Doing the right thing in security is rarely, if ever, measured by security metrics, it’s measured by the company’s success.

The Analogies Project, We Should ALL Be Involved

I’m sure that in an earlier blog I stated that I would never use this medium to promote a vendor or specific product. I cannot find that quote so it clearly didn’t happen, and seeing as this promo is for something that’s actually not-for-profit, I don’t feel like a complete sell-out.

An analogy is defined as “a comparison between one thing and another, typically for the purpose of explanation or clarification,” and as such is an incredibly powerful tool to provide the necessary context to understand something for which we have limited knowledge or experience. For example, the immortal (well, except for his death and all that) Douglas Adams used what to me was the funniest analogy of all time:

The ships hung in the sky in much the same way that bricks don’t.

I have used analogies through my blogs and my career, and frankly, any ‘security expert’ who DOESN’T use them is likely a poor consultant, or just starting out. Too many of us are horribly guilty of the Curse of Knowledge, and end up blaming our clients for what, in the end, can only be our deficiencies.

In a conversation with Bruce Hallas, the founder and passionate driving force behind The Analogies Project, it was not surprising that two famous quotes from Einstein were used to perfectly summarise the issues faced by those giving, and those trying to receive, InfoSec services:

  1. “Insanity: doing the same thing over and over again and expecting different results.”, and;
  2. “If you can’t explain it simply, you don’t understand it well enough.”

And on further reflection, there’s this one that I have always loved by Alan Greenspan; “I know you think you understand what you thought I said, but I’m not sure you realize that what you heard is not what I meant.”

Any guidance we provide to our clients on information security is only as good as what is understood and retained. Imparted knowledge is meaningless without the listener’s understanding of it (knowledge = seeds, understanding = ploughed field, ooooh an analogy!!). I have long maintained that the ultimate consultant is one who teaches, and there are no great teachers who do not take their audience’s individuality into account. You don’t explain where babies come from the same way to your 5-year-old child as you would to your teenager, would you?

Yes, your client must WANT to learn in the first place, and the constant fight against the lack of security culture is not something we can fix by ourselves, but I firmly believe that a change in culture can only come with a true understanding of the benefits, and that will never be a one-size-fits-all, even within the same organisation.

This is where The Analogies Project could truly shine. Having an analogy for a risk assessment is one thing, but having a series of analogies for receptionists, the C-level, and everyone in between, broken down by personal interest or sector applicability and so on, will provide usable experience to everyone. Giver and receiver.

I am signing on as a contributor and will be mentioning The Analogies Project in all of my subsequent training or InfoSec presentations (ISC2, ISACA, ISSA etc.); I urge you to do the same.

Go here to begin: https://theanalogiesproject.org/contact-us/


It Takes a Consultant, to Hire a Consultant

While this is most likely true in every industry, it is VERY true in cybersecurity.

Most organisations above the ‘corner store’ size have some form of ‘in-house’ IT support, even if it’s just the CEO’s brother-in-law, but only the larger organisations will have dedicated in-house security expertise. It’s simply too expensive.

However, most organisations need security expertise – usually when it’s too late, unfortunately – so it’s crucial that they are able to define their specific needs in such a way as to attract the right suppliers of those services. Unfortunately, and all too often, the wrong questions lead to the wrong suppliers, who provide the wrong services. If they gave you what you asked for, whose fault is it?

Instead, it makes sense to outsource the choice of your security services to someone best placed to judge: a security expert unhindered by organisational or employment commitments, i.e. one who is not employed by a security company and is 100% ‘vendor neutral’ in terms of service or product ‘recommendations’.

Of course, you still have the problem of where to find this person and how to ensure that they are the right person to make these choices on your behalf, and the responsibility for this due diligence must begin with the person most accountable. Whether this is the CEO, COO, IT Manager or whoever, the individual who understands the business goals of the organisation needs to be the one asking the questions.

Many large organisations make the curious choice of allowing their purchasing departments to run the vendor selection process, often without specialist security input beyond the most basic of initial requirement definitions. This leads to an RFP that not only asks all the wrong questions, but also to reviews of the responses by people who don’t understand the answers. The choice is then often based on price and not capability, turning the whole thing into a debacle.

You don’t allow your dentist to choose which law firm you use to represent you, why would you have anyone other than a security expert define your security solutions?

Even your in-house security team is under certain limitations, and cannot be truly objective with regard to their choices. Whether it be pressure from above, fear of making a mistake, or vendor preference / bias, the choices are rarely the optimal result for the organisation. Nothing nefarious, just human nature.

The development of an overarching security program has many moving parts, and every step must be taken with a view to the end goals, the current needs (risk priorities), and the bit that’s often neglected: how each piece integrates with the next. The purchase of security services, and especially products/technology, must be based not only on cost, but on how it will be installed, maintained, managed, monitored, and measured.

This can only be performed by a Governance function that has access to, and guidance from, a true security expert.

I can’t say that I’ve come across a service like this, perhaps I’ll start my own…