How Information Security & Governance Enable Innovation

Over the last 6 months since leaving a 12+ year career at one company, my thoughts come consistently back to one concept: innovation. Making positive change in terms of process and efficiency has always been a passion of mine. Nothing is perfect, and anyone using the phrase “We’ve always done it that way!” should be fired immediately for gross misconduct.

In much the same way that to someone with a hammer every problem looks like a nail, my natural inclination as a security ‘expert’ is to assign the lion’s share of importance to my area of expertise. While I most likely go too far in this, I think that I have at least some justification for my assertions, if only in the context of this blog.

Innovation is defined as “the act of introducing something new”. This is therefore one of the most critical concepts for the human race since it first achieved sentience (couldn’t use the word ‘intelligence’, I think that’s still pending). Whether you believe that was millions of years ago, 6,000-ish years ago, or it was a present from aliens, the speed with which we evolved from hunter-gatherers into what we are now is astonishing (couldn’t use the word ‘civilised’ either, and for the same reason). In just the last 100 years or so we’ve gone from the first flight to the moon, and from computers the size of a room to mobile devices with more computing power and capacity per unit than existed on the planet just 60 years ago.

All of this was done with one thing as the foundation: information. Yes, that information must be correctly applied to become knowledge – and hopefully in time, wisdom – but everything that has ever been invented, and WILL ever be invented, has information at its core. Invention starts with a need, and it does not matter what that need is, someone will feel the urge to fill it. Few people create things of no use (we’ll leave Apple and Modern Art out of this); they do it to make money, make a difference, or better the human condition.

The need, in and of itself, is a sort of information; how to take an idea and make something out of it is information; how to build / market / sell / distribute / improve the idea is information; and yes, how to USE the results of the idea is also information.

So why isn’t information better protected?

Why isn’t information seen as the definitive crown jewels in EVERY organisation, especially now that almost every aspect of business is digital, and online? Why don’t CEOs include those in CHARGE of protecting information in the process of business transformation and innovation?

I can’t answer those questions, I’m not smart enough, but seeing as I’m a security expert the why is irrelevant, it’s my job to ‘just get it done’. But that’s the challenge: unless the people ultimately responsible for innovation within a business understand and care about this concept, no-one else is going to care (yes, I’m blaming the CEO …again).

There is an ages-old concept in information security: that of Confidentiality, Integrity, and Availability. Some say it’s obsolete and needs refreshing, others try to change the names or add a 4th so that they can be seen to be radical thinkers, but the concept is every bit as valid as it’s ever been:

Confidentiality: If everyone has the information you have, you’re probably not innovating, you’re doing what everyone else is doing. Maybe you’re doing it slightly better than everyone else, but you aren’t going to stay in the lead for long.

Integrity: Not much point innovating if you’re doing it for the wrong reasons, in the wrong place, at the wrong time, or badly. If your information is not accurate and relevant it’s just data.

Availability: You can have all the information in the world, but if you can’t get to it WHEN you need to get to it, it’s as much use as a politician.

The whole point of IT Security is to take care of confidentiality and integrity; IT Operations takes care of the availability; but it’s the combination of IT Operations, IT Security and the BUSINESS side that puts information into context for ongoing innovation. That’s what the Governance committee is supposed to be doing: take a business need, help gather the necessary information to devise a solution, measure the business risk, and either move forward with the solution, or move on to the next.

Big data, data mining, predictive analytics and even the much misunderstood ratings and reviews fields would not be experiencing exponential growth if information was not seen as crucial to maintaining competitive advantage. That’s probably why it’s almost incomprehensible to me that organisations don’t take information security more seriously.


The Power of Making Strategically Intelligent Mistakes

Once in a great while, a phrase comes along that immediately sparks a thousand thoughts in your head. It doesn’t matter if the thoughts are even relevant to the context in which you heard the phrase, the thoughts are there. Clearly my written English will do this poor justice, and as my sister is always kind enough to point out, I’ve never met a grammatical error I didn’t like.

Unfortunately the phrase ‘strategically intelligent mistakes’ is not mine, it’s Accenture’s, but it was brought to my attention in a pending article by Peter Livingstone, a Publisher at Financier Worldwide. I will be ‘advertising’ this article when it comes out so that my enormous following can enjoy it. I’m fairly sure my 18 subscribers will make all the difference to its success.

Accenture’s context is: “Some companies have recognized that they can allow innovation teams to make strategically intelligent mistakes within a clearly understood governance framework. This, in turn, enables a culture that not only tolerates risk but also embraces failure as an integral part of the innovation process.”

Which is perfect for the purposes of this blog (and my last one on Why Everyone Should Start a Business), because it’s very much the thought of failure that prevents so many good ideas from becoming reality, or causes thoughts to die on the vine. That, and having no idea where to start, but that’s fodder for another time.

Whether the idea is for a start-up, a new service line, or an improvement on something that already exists, fear of failure / ridicule / loss of respect, or any number of fear-based de-motivators prevent those ideas from being freely expressed. The only truly bad idea in business is one that never sees the light of day. Sure, it might fail, fail spectacularly even, but no-one has just one idea, so the next one will have the benefit of experience for the creator, and everyone around them.

Thomas Edison, arguably the most famous inventor in recent history, failed over 3,000 times to invent the lightbulb (though he certainly didn’t phrase it that way). My favourite quote of his: “Many of life’s failures are people who did not realize how close they were to success when they gave up.”

You do not have to be an entrepreneur and start your own business to make a significant impact with your ideas; there are plenty of examples of an ordinary individual’s idea making a significant positive impact on an organisation. It is the CEO who ultimately holds the key to how ideas are received, and whether or not his/her people feel as though their ideas are welcomed, regardless of the possible outcome.

A recurring theme in my blogs is: “Let’s be very clear; the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter goal here], it’s the CEO’s fault, and no-one else’s.”

In Accenture’s article, there is this wonderful paragraph: “For instance, a large advertising agency awards a quarterly Heroic Failure trophy to recognize clever, unproven ideas that may not work out in practice, but nevertheless demonstrate creative risk taking. And an online payroll provider offers $400 to the winner of its Best New Mistake award, which goes to an employee who made a mistake but learned from it—and, in doing so, helped other employees avoid similar mistakes. The idea behind both awards is to support creativity by encouraging openness about errors and rewarding those who genuinely learn from their failures.”

Can you imagine working for an organisation that rewards and encourages you regardless of your mistakes? No, neither can I, but it’s a very pleasant thought, isn’t it?


Update 14-Oct-13 15:09: My thanks to Jon Hawes for pointing me at this article;



Governance & Change Control

Security Core Concept 4: Governance & Change Control

You are probably wondering why I have taken a single aspect of the security program, change control, and raised it to the importance of a Core Concept. You are then probably wondering why I placed it under Governance, and not just an ISMS.

If you’re NOT wondering these things, I suspect you are new to security, or a friend of mine who’s reading this just to be nice.

However, if you accept my interpretation of what Governance is, it may make a little more sense: “Governance is where the IT and Business sides have appropriate conversations.” It’s a communication facilitator, where historically the business side rules and the IT side must do as it’s told, often without question.

You must also accept the concept of cybersecurity as a business enabler, and NOT a roadblock to profit or innovation. As I rather facetiously put it in The 6 Security Core Concepts:

Business: “I want this new functionality.”

Security: “Sure, but do it this way.”

The business side is responsible for maintaining business growth / profit / market standing and a host of other objectives. This is far from easy, so they will do almost anything to meet those goals. It is up to IT and Security to encourage this innovation and out-of-the-box thinking, but do it in such a way as to ensure that the IT and security needs are built in from the beginning.

In a company with a well-run Governance program, any ideas the business has will be run by the Governance Committee (or equivalent), which will include at least one, or more likely several, members of the IT / Security teams (security, infrastructure, development etc.). The ideas will be discussed, input accepted EQUALLY from all participants, and a specific risk assessment report put together for senior leadership to review. The IT side’s input needs to include not only the risks, but the viability of the concept based on capital cost, resource allocation, outsourcing and so on.

That’s why they are enablers, because they are the ones who put the ideas into practical application. The greatest ideas in the world are useless if they stay on paper, and are potentially destructive if applied incorrectly.

Assuming I’ve made my point on Governance, and that you somewhat agree, I’ll move on to change control…

Change Control is defined by Wikipedia as “…a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner.”

This needs no simplification, that’s EXACTLY what change control does …if it’s implemented properly. And that’s the issue in many organisations: the concept may be understood, but there are so many exceptions, and / or ways to circumvent the process, that you may as well not have change control at all.

Again, in The 6 Security Core Concepts I said: “If things don’t change, the only increase in security risk is from external sources. The threat landscape changes almost daily, why make things worse by screwing up internally?”

That’s really what it boils down to: known, and acceptable, change. If you’re following the Core Concept series, you have:

  1. Given Governance full responsibility and maybe some accountability for the institution and maintenance of the security program;
  2. Performed your Risk Assessment with the full knowledge and blessing of senior leadership;
  3. Made all appropriate adjustments to your processes and infrastructure based on the RA’s findings and accepted priorities; and
  4. Initiated the Check and Act portions of the ISMS function to ensure that the controls work, and are on their way to being optimised.

So why would you now undo all of that work by changing something without the Governance committee’s blessing?

Change Control includes EVERYTHING that changes: systems, applications, data stores, patching, policies, procedures, new functionality, people …EVERYTHING.

Of course Governance can turn some changes into operational norms, patching for example. As long as the process for testing new patches and rolling them out across the enterprise is appropriately formalised, the Governance committee does not have to discuss it.

But what about firewall rule-set changes? The business side is demanding the testing of some new functionality that involves “turning off the firewalls for a couple of minutes”? The answer is of course no, or HELL no to be more precise, but who has the authority to tell the business that? Right, the Governance Committee.

The institution of a change control culture is painful and slow, as new processes will always meet with resistance. But this is one area where there is no room for half measures: you either do it (and make the negative consequences clear to all), or don’t bother starting.

Finally, I have not gone into any detail of who should actually be ON the Governance committee, and what its charter should be, but that’s because it varies too much between organisations of different size, complexity, and function. As long as you have equal representation from the IT and business sides, the individuals themselves will make themselves obvious over time. A limited tenure is important though, or the committee may either stagnate, or be controlled by the most forceful individual.

Governance is the heart and soul of your security program, and change control its most potent weapon; neither can be ignored.

[If you liked this article, please share! Want more like it, subscribe!]

The 4 Foundations of Security

So far I have focused on the Core Concepts of security, and how they are the basic building blocks of a security programme. Well, to continue the clichéd architectural analogy, these 4 things are the foundations on which those building blocks sit:

1. Management Buy-In / Culture – Hah, weren’t expecting that, were you!? At least 3 of my posts have placed the vast majority of the responsibility – for everything from PCI compliance to customer service – firmly on the shoulders of the CEO (or equivalent).

Unless your company IS a security company of some sort, security is an expense, and whether or not that expense is seen as a business enabler (which it is) depends on the CEO’s attitude towards it.

Whether you’re starting an assessment at your client’s site, trying to implement a security program at your current employer, or interviewing for a job as an internal auditor, asking what the CEO’s attitude is toward security will determine the difference between success, and banging your head against the wall.

It may well be your JOB to change the CEO’s attitude toward security; if so, you’d better have a VERY good argument, and it had better involve making, or saving, a ton of money (or making them look good …or both).

2. Policies & Procedures – Amazing how many people groan at this, and even security professionals cringe at the ‘paperwork’ they have to trawl through.

That’s a shame really, because without that paperwork, you will never HAVE security. It’s your company’s instruction manual for how to do what you do, properly, responsibly, and securely. Anyone who’s put together a chest of drawers from Ikea knows exactly what I mean: maybe, and I mean MAYBE, you could work it out for yourself, but how much more painful would that be? It’s bad enough WITH the instructions!

Your policies and procedures let all employees know what to do, and as importantly, what NOT to do. It’s enough that the thieves want to steal your data, why make things worse by not preventing your own employees from giving it away!?

3. Governance – As I have mentioned in previous articles, few phrases in security are perceived to be more ambiguous, open to interpretation, or complicated.

Wikipedia says: “Information Technology Governance is a subset discipline of corporate governance focused on information technology (IT) systems and their performance and risk management.” It also says: “IT governance systematically involves everyone: board members, executive management, staff and customers. It establishes the framework used by the organization to establish transparent accountability of individual decisions, and ensures the traceability of decisions to assigned responsibilities.”

I can simplify this to: “IT Governance is the business side and the IT side having meaningful conversations.” Group hug anyone?

It does not have to be complicated, it just has to be appropriate. You don’t have to hire additional people to run it, you just have to assign the tasks, responsibilities, and accountability. You don’t have to follow its decisions rigidly; all businesses have an exception process (usually informal, and often consisting of someone very high on the business side telling you to do something anyway).

IT, and especially IT security, are often seen as roadblocks to the business, and circumvented where possible. The IT departments themselves are often just as much to blame for this. IT’s job is to help the business do something right the first time, and they can only do this if they are in on the plans from the beginning.

4. Education & Training – While this is closely linked to policy and procedure, I’ve broken this out separately because of its importance. You simply can’t expect non-security experts to keep up with the latest threats all by themselves, it’s not their job. In the same way that I do not keep up with changes in the tax codes (that’s my accountant’s job), or the latest in social media advertising (that’s marketing’s job), everyone else relies on us to tell them what they need to know.

This training and ongoing education cannot become marginalised, and must be kept fresh and interesting.

If your security programme is not where you want it to be, or you are frustrated at the lack of progress, there is a very good chance that one or all of these foundations is missing.

I’m not saying you can’t hope to make ANY progress, but it will be needlessly inefficient, time consuming, and expensive. Not to mention much harder to maintain. I have only ever seen organisations achieve Business As Usual security when all 4 of these foundations are in place.

I will be individually expanding on the 6 Security Core Concepts, and putting them into context with these foundations. Eventually I hope to provide more specific guidance on how to take this theory and put it to practical use, but it’s time for dinner…
