Superstition in Security

I’ve been composing this post for several months now. It started when I was thinking about how superstitions begin; it’s bad luck to walk under ladders, for example, or seven years of bad luck if you break a mirror. And then it occurred to me that these superstitions were probably the only way to scare children into, or out of, certain behaviour.

Walking under ladders, well duh, things fall OFF ladders, so don’t walk under them, and mirrors used to be really, REALLY, expensive, so telling children that breaking them would have horrific consequences makes a lot of sense (in a very negative way of course). I’m surprised that playing with matches didn’t become a superstition, but then again, household matches were not readily available until the 1800s.

Unfortunately, these things have a way of sticking around long after the original cause is either meaningless, or worse, is twisted and perverted by those with a vested interest in the status quo. ‘Heretics’ were burned at the stake for suggesting that the Earth revolved around the Sun, and not the other way around*, and ‘witches’ were similarly killed in horrific ways when they suggested that herbal remedies were better than leeches and other forms of bleeding. Priests and doctors respectively were very protective of their power.

Human nature has changed very little since then, only societal laws and the more progressive ‘norms’ keep the peace.

I have for years likened information security to insurance, in that no-one wants to spend money on it, but they know it’s a cost of doing business. And more recently I have likened security to the law, because it’s becoming so complex in terms of regulation / legislation / standards etc. that it’s often out of reach for the organisations and individuals who need it most.

Now I find myself likening security to superstition, because the way we’re going, it won’t be long before being in security carries the same stigma as being a tax auditor, a parking enforcer, or a lawyer. QSAs are almost there already because the entire concept of PCI is so limited, but there is no reason true security professionals should not be seen in the same light as those responsible for driving revenue growth or competitive innovation.

Security departments are something people go out of their way to avoid, or to circumvent. They are seen as the department-who-says-no, who will stifle innovation and good ideas, and generally do the one thing that would label them heretics: get in the way of revenue.

Nothing could be further from the truth, as no other department has the knowledge and DESIRE to do the things that make staying in business possible:

  1. Innovation: It’s the 2000s, and the vast majority of innovation now is in technology. Who else is best placed to pick the RIGHT technologies, and to ensure that innovation is implemented in a way that enhances the organisation rather than just adding risk?
  2. Business Transformation: Competitive advantage in the information age is now measured in weeks and months, not years; organisations without the ability to adjust critical business processes quickly and appropriately will be left behind. What other department has the knowledge of existing processes needed to make those adjustments?
  3. Revenue Protection: Can you think of anything worse than seeing all your revenue disappear into the hands of regulators because your focus on selling failed to take into account that your processes for doing so were completely inappropriate? I understand the pressures completely, but revenue generation is not about doing whatever it takes, it’s about doing what’s right.
  4. Reputation Protection: I could have put this under revenue protection, but wanted to break it out because corporate reputation goes way beyond just revenue, and my OCD will not allow for an even number of bullet points. Damage to reputation through loss of data C.I.A. (confidentiality, integrity or availability) can have long-term negative effects on a business; just ask CardSystems, who went from $25M / annum to out of business in less than 1 year after their breach.
  5. Infrastructure Investment Optimisation: OK, long title, but consider that the amount of money spent on PCI is already in the multi-billions, when a huge chunk of that could have been saved by adjustments in PROCESS. Technology purchase is the last resort of a true security professional.

I really don’t have an answer to HOW we can ensure our reputations remain unsullied, and there are a lot of so-called security experts out there giving the rest of us a bad name, but I think the worst thing to do is fall back on one of the phrases I hate most in this world: “It is what it is.”

Actions speak louder than words, and I will never stop trying to show my clients that security is something to be embraced, not avoided.

Forward this to all your friends or you’ll have 3 years of bad luck.

The 4 Foundations of Security

So far I have focused on the Core Concepts of security, and how they are the basic building blocks of a security programme.  Well, – and to continue the clichéd architectural analogy – these 4 things are the foundations on which those building blocks sit:

1. Management Buy-In / Culture – Hah, weren’t expecting that, were you!?  At least 3 of my posts have placed the vast majority of the responsibility – for everything from PCI compliance to customer service – firmly on the shoulders of the CEO (or equivalent).

Unless your company IS a security company of some sort, security is an expense, and whether or not that expense is seen as a business enabler (which it is) depends on the CEO’s attitude towards it.

Whether you’re starting an assessment at your client’s site, trying to implement a security programme at your current employer, or interviewing for a job as an internal auditor, asking what the CEO’s attitude is toward security will tell you the difference between success and banging your head against the wall.

It may well be your JOB to change the CEO’s attitude toward security. If so, you’d better have a VERY good argument, and it had better involve making, or saving, a ton of money (or making them look good …or both).

2. Policies & Procedures – Amazing how many people groan at this; even security professionals cringe at the ‘paperwork’ they have to trawl through.

That’s a shame really, because without that paperwork, you will never HAVE security. It’s your company’s instruction manual for how to do what you do, properly, responsibly, and securely.  Anyone who’s put together a chest of drawers from Ikea knows exactly what I mean; maybe, and I mean MAYBE, you could work it out for yourself, but how much more painful would that be?  It’s bad enough WITH the instructions!

Your policies and procedures let all employees know what to do, and just as importantly, what NOT to do.  It’s bad enough that the thieves want to steal your data; why make things worse by not preventing your own employees from giving it away!?

3. Governance – As I have mentioned in previous articles, few phrases in security are perceived to be more ambiguous, open to interpretation, or complicated.

Wikipedia says; “Information Technology Governance is a subset discipline of corporate governance focused on information technology (IT) systems and their performance and risk management.”  It also says; “IT governance systematically involves everyone: board members, executive management, staff and customers. It establishes the framework used by the organization to establish transparent accountability of individual decisions, and ensures the traceability of decisions to assigned responsibilities.”

I can simplify this to; “IT Governance is the business side and the IT side having meaningful conversations.”  Group hug anyone?

It does not have to be complicated, it just has to be appropriate.  You don’t have to hire additional people to run it, you just have to assign the tasks, responsibilities, and accountability.  You don’t have to follow its decisions rigidly; every business has an exception process (usually informal, and often consisting of someone very high on the business side telling you to do something anyway).

IT, and especially IT security, are often seen as roadblocks to the business, and circumvented where possible.  The IT departments themselves are often just as much to blame for this.  IT’s job is to help the business do something right the first time, and it can only do this if it is in on the plans from the beginning.

4. Education & Training – While this is closely linked to policy and procedure, I’ve broken it out separately because of its importance.  You simply can’t expect non-security experts to keep up with the latest threats all by themselves; it’s not their job.  In the same way that I do not keep up with changes in the tax codes (that’s my accountant’s job), or the latest in social media advertising (that’s marketing’s job), everyone else relies on us to tell them what they need to know.

This training and ongoing education cannot become marginalised, and must be kept fresh and interesting.

If your security programme is not where you want it to be, or you are frustrated at the lack of progress, there is a very good chance that one or all of these foundations is missing.

I’m not saying you can’t hope to make ANY progress, but it will be needlessly inefficient, time consuming, and expensive.  Not to mention much harder to maintain.  I have only ever seen organisations achieve Business As Usual security when all 4 of these foundations are in place.

I will be individually expanding on the 6 Security Core Concepts, and putting them into context with these foundations.  Eventually I hope to provide more specific guidance on how to take this theory and put it to practical use, but it’s time for dinner…

[If you liked this article, please share! Want more like it, subscribe!]

Don’t Get Me Started On ‘Big Data’

Wikipedia describes big data as “…a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications.”

So why complicate the already difficult concept of developing an effective security program with a huge lump of data you can neither store, nor put to good use yourself?

I’m not against big data per se; there are some very relevant areas where it’s actually required (weather forecasting, social analytics, brain mapping, economics etc.), but in security?  I don’t think so.

Security must be simple to be effective, and less is almost always more.  Good security is baselined, whitelisted, known-good and so on; big data can only be effective when your end goal remains somewhat static.  I very much doubt either the bad guys or your business will stay still long enough to put the results of the big data mining efforts to good effect.

Also, and I’m far from being a conspiracy theorist (I’m just not suspicious enough), I can’t help but think the ones who really benefit are those who already have the storage, the bandwidth, and the existing data mining tools to make it effective, AND are looking for more business.  Security must begin with a business need, then a requirement for specific functionality; it does not begin with falling for a sales pitch or a perceived competitive edge based on the latest buzz-phrase.

Instead of trying to understand your security posture with big data, consider the following:

  1. What kind of sensitive or business relevant data do you have?
  2. Where is it?
  3. Which applications or people access this data?
  4. Do you REALLY need all of the data you have?
  5. Is your EXISTING security programme as effective as it could be?

If you don’t know the answer to ALL of these questions, you should start there.  This doesn’t even qualify for ‘You can’t manage what you can’t measure’; this is ‘You can’t protect what you don’t even know you have.’
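Questions 1 and 2 (what sensitive data do you have, and where is it) are answerable with a small amount of code rather than a big-data platform. The following is an added example, not code from the original post: it scans a set of constructed sample files for candidate card numbers, confirms each candidate with the Luhn check, and reports only a masked form (first 6 and last 4 digits, the PCI DSS display rule) so the scanner itself never writes full PANs to its output. The file contents, paths and the `scan_files` / `scan_text` names are all assumptions made up for the demo; on a real estate you would feed it files read from disk with `os.walk`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "files" for the demo (path -> contents). None of this is real data;
# the card numbers are the well-known public test PANs, plus deliberately broken ones.
SAMPLE_FILES: Dict[str, str] = {
    "exports/orders_2013.csv": (
        "order_id,card,amount\n"
        "1001,4111111111111111,19.99\n"        # valid Luhn -> should be reported
        "1002,4111 1111 1111 1112,5.00\n"      # fails Luhn -> should be ignored
    ),
    "logs/app.log": (
        "2013-05-01 INFO user=bob ref=12345678 msg=ok\n"          # too short -> ignored
        "2013-05-01 DEBUG pan=5500000000000004 masked=false\n"    # valid Luhn -> reported
    ),
    "docs/readme.txt": "Phone 0123 456 7890, invoice 9999999999999999\n",  # no valid PAN
}

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first 6 and last 4 digits so the report itself is not a PAN store."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in the text."""
    hits: List[Tuple[int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each path that contains at least one likely PAN to its list of hits."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        for line_no, masked in found:
            print(f"{path}:{line_no}: {masked}")
```

Luhn is a checksum, not proof of a card number, so expect false positives (order numbers and invoice IDs pass it about one time in ten); filtering on known issuer prefixes and a human look at each file cuts that down. The point stands either way: an afternoon with a script like this tells you more about where your cardholder data actually lives than any analytics platform will.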

Maybe, years down the road, when your security programme is a well-oiled machine, and your Governance function is the paragon of business-to-IT communication, then, and only then, should you consider something as advanced as this.  Though I seriously doubt it even then.