Saturday, November 23, 2013

Vendor Kabuki

Recently, a good friend of mine and longtime CISO left the chair to become the chief security strategist at a well-known security technologies company. A few weeks after that transition, my buddy and I sat down for a long overdue dinner with some friends. During the meal we discussed the transition from responsible charge to vendor. My colleague was less than thrilled at all aspects of the transition.

"Overnight I went from being a respected colleague to 'just another vendor,'" my colleague complained. "I'm no longer allowed at CISO events; I am no longer eligible to sit in CISO-exclusive meetings; professional organizations that I have supported for years treat me like a second-class citizen; and folks with whom I interacted freely and openly won't return my calls.  Why is it that CISOs treat vendors like dirt?"  

As I was about to respond, another colleague of mine who had crossed over to the vendor side nodded her agreement. "You're an anomaly, Kim," she asserted.  "You treat vendors as partners; most of your peers treat us like dirt."

I admit that I was taken aback by these comments...but only a little.  Vendor opinions of me tend to be decidedly bipolar.  My style of engagement tends to be direct and pointed; while many vendors enjoy this honest dialogue, many more have found me extremely "difficult" to engage with. I didn't pursue the conversation over dinner (I was the only non-vendor at the table and my colleagues were in full rant mode :) ), but I did spend some time mulling over the problem.  

Like most relationship challenges, the problems with the vendor/CISO relationship are two-sided.  I would posit that the CISO portion of the relationship dysfunction centers around something I like to call the egoism of motivation.   In an earlier blog post, I posed the question of why security professionals do what they do.   While I left the question open-ended, I would submit that the majority of us walk the path we do for semi-altruistic reasons.  While our careers tend to be fairly lucrative these days, most of us end up fighting an uphill battle for resources and understanding with those who would quickly turn us into scapegoats should an adverse event occur.  Yet despite this environment we keep going back into the fray with zeal, passion, and dedication.  We are not cops or soldiers, priests or firemen...but at some visceral level we do share the same passion for service and making a difference as those in the aforementioned professions.  In this context, it is at times difficult to engage with those who purport to understand our concerns yet do not share our motivations.  CISOs have no objection to money or profit motives -- hell, I have a kid in college and am all about not having my paycheck bounce :)  That being said, it is at times vexing to engage in conversations about a tool or service with vendor personnel who don't share your motivations; who don't necessarily have similar experiences; and who seem more concerned about acquiring your (very) limited dollars versus resolving your near and long term challenges.  

Even for those of us who manage to get past our own egoism, there still exists the challenge of vendor-CISO communication.  Several years ago I came across a webinar by Paul Glen, author of the book Leading Geeks.  In this webinar, Mr. Glen discussed seven "contraxioms" -- axiomatic ideas and/or concepts for which geeks and non-geeks have contrasting ideas.  Glen's 6th contraxiom -- one which I feel is especially relevant to the topic -- centers around the concept of lying. For the geek:

-Lying is evil;  truth is sacred.
-Answering yes to a question when you don't absolutely know if something is true is a lie.
-Exaggeration and opinion stated as fact are lies.

For the non-geek:

-Lying is not good;  it is bad manners.
-Answering yes to a question that you know is false is a lie.
-Exaggeration and opinion stated as fact are simply a part of normal speech.

With such a disconnect in terms and terminology, the CISO oftentimes finds it daunting to trust that which he hears from his vendor brethren.  Our axiomatic differences leave us at an impasse whereby our vendor brethren are often perceived as disingenuous in their dialogue...and the time it takes to determine the proper questions to ask to get to the level of detailed, accurate data desired is time taken away from our daily missions of protection and enablement.  Just yesterday one of my esteemed colleagues said at a conference:  "Every time a vendor speaks to someone in my organization I lose a week's worth of work getting to the truth behind the sales pitch."

With these types of cultural dynamics at play, it is easy to understand why CISOs and vendors operate at best under a guarded truce...but it doesn't have to be that way. Indeed, both vendors and CISOs would benefit from an attitude of true partnership on both sides of the equation.  As a CISO, I operate with certain guidelines when dealing with vendors:

-1.  Be Plain Spoken.  Understand what requirements you are trying to fulfill, and communicate them directly. As part of that communication, ensure your vendor understands whether your engagement is exploratory; whether you are trying to fulfill a short term spend; or whether this will be a long term process happening within the next fiscal year.  Your vendors, like you, also have requirements they need to fulfill;  it is disrespectful of their time and mission to have them spend months with you for a supposed potential sale when in reality you have no intention of making a purchase.

-2.  No Loss Leaders.  While I admit freely that I will always try to obtain services as cheaply as possible, I recognize the vendor must make a profit.  I do not insist upon loss leaders or additional free services from a vendor in order to close a deal.  If offered, I will accept them...but I do not make or break deals based upon the amount of free stuff I receive.

-3.  Respect Vendor Budgets.  This one plays in the realm of both ethics and mutual respect.  Vendors will regularly offer up dinners, tickets, etc. to get your attention or your time.  Notwithstanding appropriate legal and corporate guidelines for accepting such gifts, I make it a practice not to accept such offers if (a) I am not interested in the product or (b) I have no budget for such products. 

The vendor reps with whom I operate best also understand my expectations of them:

-1.  Be Plain Spoken.  I would rather be told "No, I can't do that," than have someone tell me that their service or product meets a need of mine that they are not equipped to perform.  Don't attempt to put a square peg into a round hole for the sake of a near term sale.

-2.  Focus on the Long Term.  While I respect your near-term quota, I am looking for vendor partners who understand my long term needs and constraints.  Don't sacrifice a long term relationship for the sake of a sale.

-3.  Deliver.  Do what you say you are going to do...and ensure your products do what they say they will do, as well.  I expect this level of discipline and results from staff;  I should expect no less from my vendors.

I have met a handful of vendors (Anna, Ed, Gabi, J.R., Jason, Joel...and the late Ryan Richard) who understand and operate comfortably within these expectations.  In return, I have developed strong partnerships with these individuals and the companies they represent. Indeed, as these individuals have moved from company to company they have opened doors to their new products to me;  any company that would employ vendors of their caliber clearly has highly ethical business practices.  These individuals get my most valued resource -- my time -- freely.  Conversely, I have met a plethora of vendors who refuse to be straightforward; who don't deliver on promised functionality; and who remain primarily concerned about making a quarterly quota.  These vendors are either relegated to afterthoughts in my strategic planning...or are removed from my environment along with their products.

While I might be considered an anomaly to my vendor colleagues, I have found the aforementioned vendors to be anomalies amongst their profession as well. Indeed, I reminded my CISO-turned-vendor that his new company (which had a reputation for arrogant, bullying marketing tactics) only hired him after the better part of a decade in the security space.  Could it be that their incentive is due to having achieved a certain market saturation that they cannot move beyond without a long-overdue change in approach?

Vendors and CISOs do need to reevaluate their relationship if the collective profession is to improve.  Both sides have work to do in strengthening our ties if we are to succeed.

My two cents...

Sunday, November 17, 2013

Preparing for Black Friday and Cyber Monday

If you don't know who Dan Lohrmann is and you work in security, you're truly missing out. Dan is CISO for the State of Michigan and is one of the thought leaders of our profession. Early on, Dan's leadership challenged him with the classic "figure out HOW instead of telling me NO" dilemma -- and he rose to the occasion with some innovative approaches and solutions.  Dan is a regular speaker and blogger on the business of security and is worth listening to.

What I love about Dan is that he never forgets that security is a personal matter. Addressing security issues and challenges as they relate to individuals is just as important as looking at holistic, enterprise technical issues.  In his latest blog post, Dan gives us a "good, bad, and ugly" look at some of the pitfalls and benefits of Black Friday and Cyber Monday shopping.  Definitely worth your perusal...and worth sharing with your friends, colleagues, and security constituents.  You can find Dan's article at this link.  Enjoy!

Monday, November 11, 2013

Solving the Identity Problem

Just last week I ran across an article regarding the FIDO Alliance.  FIDO -- which stands for "Fast Identity Online" -- was created about 18 months ago to address the lack of interoperability amongst strong authentication standards/controls/technologies online.  The typical solution to this problem has been multiple authentication credentials...which has led to weak passwords and the use of a single password across multiple accounts (both conditions which actually weaken security).  The FIDO Alliance seeks to correct this problem by promulgating strong open authentication standards which can be utilized across multiple technologies on multiple platforms.  Currently the FIDO Alliance has begun conformance and interoperability testing for its Universal Authentication Framework and Universal Second Factor products.

So...why should we care?  Several reasons:

  • The FIDO Alliance has attracted some heavy hitters in the heavily-regulated payments industry such as Mastercard, PayPal, and Oberthur Technologies
  • Michael Barrett, former CISO of PayPal, is president of the alliance.  Love him or hate him, Mr. Barrett has always taken a thought-leading approach to security issues.  He's worth listening to/paying attention to.
  • Multiple passwords are the bane of a security professional's existence, yet we still haven't solved the problem;  the Alliance's structured approach signals a beginning to a potentially viable solution.
  • The FIDO solutions represent a potential beginning to the long talked-about concept of "bring your own IDENTITY" which has been bandied about in recent months.  BYOI's problem centers around how we truly federate identity across disparate platforms and providers.  FIDO's standards and tools seek to solve this problem.  If they are even mildly successful, it could be a truly sea-changing leap in how we approach issues of security, authentication, and compliance.
Information about FIDO can be found here.  Keep an eye on these guys!
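As an added illustration (not code from the FIDO Alliance or from this post), the Go sketch below shows the core idea behind a U2F-style second factor: the token holds a distinct key pair for every site it is registered with and signs a per-login challenge bound to that site's origin, so no secret is shared between accounts and a response for one site is useless at another. The origin names, challenge bytes and the simplified message layout are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is a constructed model of a FIDO-style token (not a conformant
// U2F/UAF implementation): one key pair per relying-party origin, one counter.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// RelyingParty is the site's stored record: its own public key and last counter seen.
type RelyingParty struct {
	Origin      string
	Pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Register mints a key pair bound to origin; the site keeps only the public half.
func (a *Authenticator) Register(origin string) (*RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[origin] = priv
	return &RelyingParty{Origin: origin, Pub: &priv.PublicKey}, nil
}

// signedData binds origin hash, counter and challenge, as a U2F signature does.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	oh := sha256.Sum256([]byte(origin))
	c := []byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)}
	sum := sha256.Sum256(append(append(oh[:], c...), challenge...))
	return sum[:]
}

// Sign answers a challenge for the origin the browser reports; an origin the token
// never registered with has no key, so the token cannot answer at all.
func (a *Authenticator) Sign(origin string, challenge []byte) (uint32, []byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return 0, nil, errors.New("no credential for this origin")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(origin, a.counter, challenge))
	return a.counter, sig, err
}

// Verify checks the signature over the site's own origin and that the counter
// strictly increased (a stale counter means a replayed response or a cloned token).
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) bool {
	ok := counter > rp.lastCounter &&
		ecdsa.VerifyASN1(rp.Pub, signedData(rp.Origin, counter, challenge), sig)
	if ok {
		rp.lastCounter = counter
	}
	return ok
}
```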




Wednesday, November 6, 2013

Why Do You Do It?

Several weeks ago I sat down with my good friend Jill to discuss security and the security profession.  Jill doesn't come from our world yet she has a keen and sincere interest in what we do.

After a half hour or so of discussion Jill asked me a question that no one else has ever asked me:  "Why do you do it?"  I found myself a bit taken aback and momentarily speechless.  Jill pressed on:  "Several years ago someone asked me why I was an accountant.  She then went on to describe all the ways in which accountants are mistreated and looked down upon in the company I was in, and asked me why I did what I did for a living.  After thinking about it for a week or so, I decided that I didn't want to be an accountant.  

"So why do security guys keep doing what they do?"

I admit I was touched by Jill's question.  Most people view security as a necessary evil and fail to think about what we do every day -- or, rather, they don't think about it until something bad happens.   I have likened the job of the security professional to that of the lone knight defending the drawbridge.  Every day, the knight wakes up and dons his dented armor.  Picking up his rusty sword, he steps out on the drawbridge to defend the castle.  His bones are weary and achy, but he stands tall and faces off against the 100 dragons trying to enter his home.  Now, most of the occupants of the castle don't see the dragons he faces daily...and those that do regularly underestimate their size/capabilities/intentions.  At the end of a good day, the knight holds off the dragons and is only slightly worse for the wear.  He goes back into the castle, petitioning for better armor or a newer blade...and for the most part he is ignored. After all, no dragons have entered the castle yet, have they?  Sighing, he goes to his quarters for a brief respite, and gets up to do the same thing the next day...

...and all the while he smiles, happy to do the work and be successful at it.

In truth, for me the answer to Jill's question has always been easy.  I am, by nature, a sheepdog in the way that Dave Grossman defined the term in his essay.  I have an overly-developed sense of justice and a need to keep bad things from happening to good people.  This is why I soldiered when there were (lucrative) options to do other things, and why I chose the profession I did when I hung up my Army greens.  In my current gig, I talk a lot about the Single Mom at Wal-Mart as my motivation.  It goes something like this...

Picture a single mom shopping at Wal-Mart.  She hovers just above the poverty line simply through hard work, determination, and personal resolve.  Her kids don't wear new clothes, but they are always neat and clean.  Their bellies are never hungry, if only through the three jobs she works.

It's shopping day.  She has clipped her coupons and is trying to get her shopping done before she starts her third shift.  The kids are tired, but well behaved.  Her cart is full.  She goes up to the checkout counter and swipes her card...

...and the transaction is DECLINED, either because (a) my systems have been hacked and someone stole all her money, or (b) my systems have been sabotaged and are down so Wal-Mart can't process the transaction.

I get up every morning, smiling, to prevent either scenario from occurring.

That's my story;  what's yours?  Why do you stand in the gap that few others see and even fewer appreciate?  Please post your responses here if you feel like sharing.

Sunday, November 3, 2013

Apple Takes Additional Precautions with its iPhone Fingerprint Sensor

After the release of iOS7, which touted several new security features, I gave Apple some grief for the discovery of a security issue which was indicative of some lackadaisical security testing.  In the spirit of equal time, however, I need to give Apple its "propers" regarding some security forethought.  In a recent online post, Mactrast.com discusses Apple's apparent pairing of its TouchID sensor with the specific processor chip contained within its 5S phone.  In other words, swapping out either the touch sensor or the phone's processing chip renders the biometric data useless for accessing the phone's applications.  This clearly showed forethought on Apple's part re: securing biometric information as well as sensitivity to applicable privacy concerns.  

You can read the full article here. Note that the article (correctly) points out the potential issues re: repairing phone screens on the 5S (translation -- if the screen repair damages the TouchID sensor then the sensor and chip will need to be replaced in order for the biometric feature to work...which means that you're basically talking about a whole new phone.)
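To make the pairing property concrete, here is an added Go model (not Apple's code, and not a description of how the 5S actually implements it) in which a sensor and a processor share one provisioned key and the processor accepts a "finger matched" report only when it is authenticated under that key; replacing either part breaks the pairing, which is the outcome the article describes. The key, nonce and message format are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// pairKey is the secret shared by exactly one sensor/SoC pair. This is a
// constructed model of the pairing the article describes; how Apple actually
// provisions or stores it is not stated on the page and not claimed here.
type pairKey [32]byte

// Sensor holds its pairing key and reports fingerprint matches to the SoC.
type Sensor struct{ key pairKey }

// SoC holds its paired sensor's key and the challenges already accepted (no replay).
type SoC struct {
	key  pairKey
	used map[string]bool
}

// Pair creates a matched sensor/SoC set sharing one fresh key.
func Pair() (*Sensor, *SoC, error) {
	var k pairKey
	if _, err := rand.Read(k[:]); err != nil {
		return nil, nil, err
	}
	return &Sensor{key: k}, &SoC{key: k, used: map[string]bool{}}, nil
}

// Challenge is a fresh random nonce the SoC issues before each unlock attempt.
func (s *SoC) Challenge() ([]byte, error) {
	n := make([]byte, 16)
	_, err := rand.Read(n)
	return n, err
}

// ReportMatch is the sensor's authenticated "finger matched" message: an HMAC over
// the challenge under the pairing key. Raw biometric data never leaves the sensor.
func (f *Sensor) ReportMatch(challenge []byte, matched bool) []byte {
	if !matched {
		return nil
	}
	m := hmac.New(sha256.New, f.key[:])
	m.Write(challenge)
	return m.Sum(nil)
}

// Accept verifies that the report answers this challenge under the paired key.
// A replacement sensor has the wrong key; a replacement SoC expects a
// different key. Either swap fails here, which is the behaviour described.
func (s *SoC) Accept(challenge, report []byte) error {
	if s.used[string(challenge)] {
		return errors.New("challenge already consumed")
	}
	m := hmac.New(sha256.New, s.key[:])
	m.Write(challenge)
	if !hmac.Equal(m.Sum(nil), report) {
		return errors.New("report not from the paired sensor")
	}
	s.used[string(challenge)] = true
	return nil
}
```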

The Fate of the Security "Profession"

I've been off the air for about a month due to some personal challenges, so I'm just catching up on some of the older stories that have been floating out there since late September.  One that has caught my eye is the National Academy of Sciences (NAS) report regarding the professionalization of information security.  In this report NAS concludes that cybersecurity is best classified as an occupation rather than a profession;  further, NAS concludes that professionalization of cybersecurity should only occur when "the occupation has well-defined and stable characteristics [and] when there are observed deficiencies in the occupational workforce that professionalization could help remedy."  NAS (and several industry pundits) further pointed out the challenges of our ever-morphing enemy as well as the self-taught nature of many of our most seasoned professionals.  

What struck me most about this report is the hue and cry that did not occur from security professionals.  There were a small handful of articles and some (predictable) responses from folks in the field who resented the implication that they were not "professionals" (in the strictest interpretation of the word), then...nothing.

It is this lack of commentary that concerns me the most.  Several reasons for this.
  1. One of the criteria for professionalization has been (at least partially) met.  The security profession is facing a shortage of qualified personnel.  The operative term here is "qualified."  In an era where colleges and universities are regularly pumping out folks with computer/information security degrees, senior professionals are still having difficulty finding people with the KSAs to do the work.  Experience (the "E" that we add over time to KSAs) helps and is supposed to enhance basic skills...but many organizations have taken to ignoring the training and experience offered by colleges and universities as being meaningless to security utility in the workplace.  Further, there is still wide variance between university Infosec programs -- and very few security professionals recommend ANY program as being appropriately constructed to tackle a security gig straight out of the classroom.  To me, this translates to a case of "deficiencies in the occupational workforce" as well as an inability to provide a steady stream of qualified personnel into the workforce.
  2. What do we do about it?  Folks, the lack of response from us as a profession seems to indicate either that (a) we agree with the characterization or (b) while we disagree with the report we don't see how to change it. While I will be the first person to admit that a portion of our work is art, we cannot surrender the battle for the science lest we lose the ability to maintain the seat at the table that we have fought to occupy over the past 15 years.  When organizations cannot afford to steal senior folks from other organizations, they will turn more and more to technology to substitute for experience.  Should this trend occur, we may find ourselves in a position where the chief security officer position (one of the 3 most senior positions our career progression has to offer) goes the way of the VP of Telephony.
Think I'm exaggerating?  I am personally aware of three multi-billion dollar entities who have broken up their security responsibilities amongst multiple entities upon the departure of their CSO.  Two of those three seem to be sustaining compliance and security levels with minimal to no difficulty.

The point of this post is a fairly simple one:  we cannot, as professionals (even if we aren't technically a profession), accept the status quo accurately pointed out by the NAS report.  We need to find a method of identifying and fostering the skills and mindset needed to succeed and -- most importantly -- stay ahead of the bad guys.  If we fail to invest in this effort then we do a disservice to our constituents as well as those who are trying to follow in our footsteps.

My two cents...

(Note:  the link to the report above lists a price for the printed version of the report;  downloading the PDF is still free. )