Superstition in Security

Feeling lazy, this is a re-blog, but the last few weeks at work have made this especially relevant:

It started when I was thinking about how superstitions begin; it’s bad luck to walk under ladders, or it’s 7 years of bad luck if you break a mirror, for example. And then it occurred to me that these superstitions were probably the only way to scare children into, or out of, certain behaviour.

Walking under ladders, well duh, things fall OFF ladders, so don’t walk under them. Mirrors used to be really, REALLY, expensive, so telling children that breaking them would have horrific consequences makes a lot of sense. I’m surprised that playing with matches didn’t become a superstition, but then again, household-use matches were not readily available until the 1800s.

Unfortunately, these things have a way of sticking around long after the original cause is meaningless. Or worse, are twisted and perverted by those with a vested interest in the status quo. ‘Heretics’ were burned at the stake for suggesting that the Earth revolved around the Sun, and not the other way around. ‘Witches’ were similarly killed in horrific ways when they suggested that herbal remedies were better than leeches and other forms of bleeding. Priests and Doctors respectively were very protective of their power.

Human nature has changed very little since then, only societal laws and the more progressive ‘norms’ keep the peace.

I have for years likened information security to insurance, in that no-one wants to spend money on it. They just know it’s a cost of doing business. And more recently I have likened security to the law, because it’s becoming so complex in terms of regulation / legislation / standards etc., that it’s often out of reach for the organisations and individuals who need it most.

Now I find myself likening security to superstition, because from the way we’re going, it won’t be long before being in security will have the same stigma as being a tax auditor, a parking enforcer, or a lawyer. QSAs are almost there already because the entire concept of PCI is so limited. However, to me, there is no reason why true security professionals should not be seen in the same light as those responsible for driving revenue, growth, or competitive innovation.

Security departments are something people go out of their way to avoid, or to circumvent. They are seen as the department-who-says-no, who will stifle innovation and good ideas, and generally do the one thing that would label them heretics; get in the way of revenue.

Nothing could be further from the truth, as no other department has the knowledge and DESIRE to do the things that make staying in business possible:

  1. Innovation: It’s the 2000s, the vast majority of innovation now is in technology. Who else is best placed to pick the RIGHT technologies to ensure that innovation is implemented in a way that enhances the organisation and not just adds risk?
  2. Business Transformation: Competitive advantage in the information age is now measured in weeks and months, not years or decades. Organisations without the ability to adjust critical business processes quickly and appropriately will be left behind. What other department has the knowledge of existing processes to enable the adjustments?
  3. Revenue Protection: Can you think of anything worse than seeing all your revenue disappear into the hands of regulators because your focus on selling failed to take into account that your processes for doing so were completely inappropriate? I understand completely the pressures, but revenue generation is not about doing what it takes, it’s about doing what’s right.
  4. Reputation Protection: I could have put this under revenue protection, but wanted to break this out as corporate reputation goes way beyond just revenue, and my OCD will not allow for an even number of bullet points. Damage of reputation through loss of data C.I.A. can have long-term negative effects on a business. Just ask CardSystems, who went from $25M / annum to out of business in less than 1 year after their breach.
  5. Infrastructure Investment Optimisation: OK, long title, but consider that the amount of money spent on PCI is already in the multi-billions, when a huge chunk of that could have been saved by adjustments in PROCESS. Technology purchase is the last resort of a true security professional.

I really don’t have an answer to HOW we can ensure our reputations remain unsullied, and there are a lot of so-called security experts out there giving the rest of us a bad name. But I think the worst thing to do is fall back on one of the phrases I hate most in this world; “It is what it is.”

Actions speak louder than words, and I will never stop trying to show my clients that security is something to be embraced, not avoided.

Forward this to all your friends or you’ll have 3 years of bad luck.

[If you liked this article, please share! Want more like it, subscribe!]

What’s Next For The PCI Security Standards Council?

I don’t think anyone in the payments arena has any doubt that credit/debit cards, in their current form, will die over time in favour of mobile devices. It’s a natural next step to replace something ubiquitous with something even more ubiquitous.

So where does that leave the SSC, and the card schemes themselves for that matter?

You only have to look at Visa Europe’s website Visa Vision to see that they are moving towards mobile (and other innovations), and articles like The Revolution is Here, do not even mention EMV, and the only reference to plastic is in a future past-tense.

It also begs the question as to why the card schemes are pushing EMV when they themselves see an end to their reign-of-plastic. But the answer is obvious, the cost of fraud over the next 5 – 10 years far outweighs the cost of the transition. The US alone saw $7.1B in credit card fraud in 2013 (according to Business Insider), and I have estimated that the cost of EMV transition in the US is ‘only’ $12B (Why the US Will Not Adopt EMV (Chip & PIN), EMV in the US, a 12 BILLION Dollar Mistake).

So why am I so anti-EMV? Because there are technologies NOW that can replace it, are in more hands, and more widely distributed than cards ever were. Your mobile phones.

So back to my point; what WILL the cards brands and the SSC do once the plastic dies? Clearly the brands have an enormous leg-up on any new player in the cashless game, and have massive amounts of capital to invest in meeting every aspect of this [so-called] disruptive innovation; research on innovation, testing proofs-of-concept, garnering adoption within the finance community, and of course, rolling it out to end users.

Mobile phone companies made a small play, and missed, banks could have done it, and didn’t, and large retail could have had a huge impact, and haven’t. Probably because in these three cases – even banks – payments is not a core function. Being PAID is core, making the payment is not, so only the card schemes have payments as their entire reason-to-be, and therefore the most motivation.

OK, so if we assume that the card schemes are going to make a huge play in every cashless payment innovation from this point forward, where does that leave the SSC? Probably in exactly the same place, with only one change in title; From Payment Card Industry Security Standards Council, to Payment Industry Security Standards Council.

Regardless of the form of payment there HAS to be a security standard around the protection of the data. Not that the current standards are anywhere near adequate, even for cardholder data, but the SSC has significant experience adopting and implementing standards globally. From mobile apps, to software PINs, to identity management (for KYC, AML etc.) to crypto-currencies, everyone developing technologies must adhere to a minimum set of protective baselines.

So am I really proposing, after so many less-than-positive blogs related to the PCI DSS and the SSC, that they be a standards body for every form of payment globally? Well, no, I’m not, but I think that if they don’t TRY to be just that (with the card brands’ backing), there is nowhere else for them to go.

Despite my voluble criticisms of the card brands and the SSC alike, they ARE well placed to do good. I hope they take the opportunity now, because it won’t come again.


Want to Save 1/3 Off Your Annual Security Costs?

Get your CEO involved.

That’s it, you won’t need anything more than that; just get your CEO to take security seriously and everyone else beneath them will too. It does not matter if they actually CARE, but knowing that the CEO is watching you is usually enough to motivate every layer beneath them. Unfortunately, most CEOs either have no idea that they have this power, are too busy to give it a second’s thought, or are too arrogant to waste time on something so mundane.

You just have to look at human nature to understand why CEOs lack this particular vision; they ARE human, with all the usual faults, weaknesses, and insecurities. The only difference is that they happen to be in charge. They focus on what they know well and avoid the things with which they are either unfamiliar, or crap at doing.

Just like us.

What this means is that every organisation focuses on the things that mean most to the CEO. That’s fine, and the natural order of things, but it also means that the things that are equally important – sometimes even more so – get less attention. A CEO focused on innovation and not customer service will fail every bit as spectacularly as a CEO focused on profit and not the security of the data that is the foundation of it.

The thing that most people forget is that the majority cost of security is not capital (technology etc.), it’s the people who end up costing you more. From the wasted effort endemic to the reinvention of the wheel for every simple process, to the gross inefficiency of ‘Doing the way we’ve always done it.’, to the cleaning up of the mess after things have gone badly wrong, the people-element is where the good money is thrown after the bad.

And it’s all so simple. If you accept that it’s the CEO who sets the culture of an organisation, from the policies, to the priorities, to the direction, then they have the power, in a ridiculously easy way, to stop the waste. When the vast majority of security itself is also people and process driven, all the CEO has to do is pay a little more attention and these things become second nature to everyone within a remarkably short time.

Think of it this way; if your boss could not care less about something, how much do you care about it? Now imagine that from the very top down. Every time I’m at a new client, the security program is a constant battle of middle-management trying to manage up. Unless the CEO manages down through his Executive Team (C-level), who in turn enforce culture at the department head level, no-one is going to do anything new.

So why not just title this blog; “Want to be Secure, Ask Your CEO to Help?” Be honest, would you have read this far, or, more likely, did the saving money aspect get your attention? You think the CEO is any different?

The greatest challenge we have in security is trying to talk the language of those in whose hands our success depends. Talk security or even compliance and you’ve already lost them, but talk increased efficiency, reputation protection, business transformation, or even financial control and you have a better chance of turning their heads.

But only from the top down.

I have already written on the myriad business benefits of a security program done well (How Information Security & Governance Enable Innovation, Security Done Well, The Ultimate ROI), but shockingly enough my 58 followers have not been able to change the industry as I had hoped. [embarrassed silence]

What I would like to see, however, is every middle-manager in charge of a security program draft an email for their CEO to send out to the entire organisation, in which s/he stresses just how important security is to him/her. I think you’ll be amazed at just how much more receptive people will be to your security concepts.

IT and IT Security are here to enable the business, nothing more, but it’s usually the business that lets the side down.

Security Vendors Offering Guarantees Is Totally Irresponsible

Who has seen a “Zero Malware Guarantee”, or something like it?

More to the point; who saw this and thought what a load of bull$#@?

Anyone who knows even the most basic aspects of information security knows that the ONLY guarantee is that nothing is safe. Ever. To throw out a word like guarantee is nothing except the most despicable attempt to drive business in a field where the experts are SUPPOSED to be trusted!

What is the guarantee? “…to detect and stop 100 percent of malware that propagates over the web and is scanned by the [blah blah] Managed Anti-Malware Service”. Could this ‘guarantee’ be any more pointless? Who wrote this? Lawyers?

What’s worse, here’s what you get if they fail to detect and stop 100% of the malware; “…one-month extension of the service at no cost, up to four times per year.”

Seriously? It didn’t work, but you get one more month for free? And why would you possibly need to do this FOUR times in a year? Would you seriously still pay for the service after a second failure, let alone a third?!

Doctor to dying patient: “The drugs we gave you aren’t working, but here, have some more on the house.”

Surely if the product is that good, this vendor and vendors like them (there are many) should WARRANTEE their products. “If we screw up we’ll pay for the fix AND give you your money back.” Now THAT’S something I can get behind!

You can guess how often that will happen.

The reason this is so offensive to me is that security is already seen as something to spend money on only because you have to. Like insurance. And this crass commercialisation of yet another security PRODUCT just makes everyone in the information security field look like ambulance chasers. Incompetent ones at that.

Eradication of malware (as in the above example) STARTS with policy and procedures, continues on with parallel efforts in security awareness training and control definition, and is maintained by a security program done well. Just like every other aspect of security. So the only reason security companies keep coming up with these snake oil ads is because people keep buying stuff from them.

Don’t. Do. It.

I can empathise with organisations struggling to understand security and buying what they think is the right thing for their business. What I cannot even begin to condone is any organisation selling something TO those organisations when the seller damned well DOES know better!

You never need guarantees in security, you only need appropriate security. You can start by avoiding any organisation that begins with making empty promises.


Security ROI

Security Done Well, The Ultimate ROI

To accept anything I’m going to say in this post, we need to agree on the definition of ‘investment’. The OED has 3 definitions;

  1. The action or process of investing money for profit;
  2. A thing that is worth buying because it may be profitable or useful in the future; and
  3. An act of devoting time, effort, or energy to a particular undertaking with the expectation of a worthwhile result.

For the purposes of this blog, I’m taking the word ‘useful’ in definition 2. and the entirety of definition 3. I’m not that biased toward my chosen profession that I believe spending money on security will actually make you money, but I do believe that any effort to stay competitive in this day and age requires the current perception of security to be completely overhauled.

In my career I have compared security to insurance, the law, and to chewing tinfoil; you only do it because you have to, it’s too complicated, and it’s very irritating, respectively. It’s no wonder that it gets the short shrift that it does, especially when one or all of these comparisons come from the CEO him/herself.

If you can also accept that not LOSING money is also an ROI, then we can begin.

I was recently told that unless we security experts can put security into terms the business side of an organisation can understand, we’re wasting our time. I’ve done that my whole career I thought, but I missed the trick of putting security into a financial CONTROL perspective, mostly because finance is not my background. So thank you Jeff Hall for that.

These are my Top 5 reasons that security provides an ROI well above that of almost all other individual departments, including sales:

  1. Competitive Advantage
    I have touched upon this in several blogs, but the basic premise is that in the information age, the majority of businesses are almost entirely based on the manipulation of some form of data. Data in context is information, information in context is knowledge, and knowledge applied correctly is wisdom, and so on. It follows therefore that the age-old concept of Confidentiality, Integrity, and Availability (C.I.A.) very much applies. So if your data is the foundation of all of your business’s services, why is it not treated accordingly?
  2. Business Transformation
    Similar, but different enough from Competitive Advantage to warrant its own section. Again, seeing as data is central to all things, the ability of an organisation to order, compile and retrieve their accurate data faster gives them the ability to adjust their processes in the face of customer needs, or competitive threat. If you don’t know what you have, or in detail how you do what you do WITH what you have, you cannot make change fast enough. Competitive advantages in the Information Age last weeks / months; you simply don’t have years to catch up.
  3. Financial Control
    All finance these days is just data in context, and while security will never be able to provide that context, access TO, and the integrity OF, the data can provide a much-welcome check and balance for the control of an organisation’s financial data assets. Regulations like SoX have security as part of their requirements, but it goes nowhere near far enough to provide much benefit. A security program done well would cover this and a whole lot more.
  4. Avoidance of Fines / Loss of Reputation
    Globally, more and more regulations are in the works that can have significant negative monetary implications. PCI is probably the best known, but the Information Commissioner’s Office (ICO) here in the UK can fine up to £500K per event for the loss of personal data. The EU General Data Protection Regulation (GDPR) can impose fines of up to 2% of GLOBAL revenue for a similar loss. These fines are monetary, but the loss of reputation can potentially be far worse.
  5. Cheaper IT Infrastructure and Maintenance
    This may seem strange, even counterintuitive, but you only get real security when all the processes are simple, and you can only achieve simple if everything you have is a known-good, or baseline. These baselines are hard to achieve, and can be expensive in the short-term, but the long term costs are significantly lower than trying to either constantly work with too much (technology, data, people etc.), or fix what’s broken because you couldn’t detect a problem in time to prevent it from becoming a disaster.

Security is simple, and done well provides benefits way beyond what most business people can possibly envision, but ignorance of this has always been, and will always be, the CEO’s fault;

“Let’s be very clear; the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter goal here], it’s the CEO’s fault, and no-one else’s.”

Just ask Target’s or Equifax’s outgoing CEOs if they wished they had paid more attention to security.
