- For the team of consummate security professionals that I work with now and have worked with over the years, I wish for them at least one week's worth of uninterrupted sleep. These are some of the finest sheepdogs (a la the Dave Grossman definition) that I've had the privilege of serving with; they deserve some worry-free rest from the fight, if only for a moment.
- For the spouses of every security professional that I know (including mine), I wish for them a refilling/replenishing of that seemingly endless font of patience and understanding that they continuously display. It is said that the wives of Spartans are the secret pillars which hold up the world; the significant others of security professionals prove this day-in and day-out as meals are interrupted, special dates are missed, and date nights are cancelled in our quest to keep the dragons at bay in the organizations that we are charged with protecting. May they never lose their love of -- or patience with -- us as we continue to stand in the gap.
- For my son and those of his generation, I wish for a vigorous, pointed, and decidedly uncomfortable discussion on the true concept and meaning of privacy in 2016. While accepting that the definition (and expectation) of that term is evolving, the impacts of big data, data analytics, and the internet of things on the "Minority Report Generation" are only beginning to be felt and understood. If nothing else, I believe an acceleration and increase in the discourse is long overdue.
Thursday, December 17, 2015
My Christmas Wish List
Sunday, September 27, 2015
Speaking the "Language of Security"
Recently, I've come across a spate of articles discussing the need for security professionals to "speak the language of the business." This phrase is often used to explain why CSOs and CISOs are not considered strategic partners to the business leadership (Taylor Armerding's recent article in CSO summarizes the situation rather nicely). Sure, we can all do better at dropping the professional technical jargon (and this has gotten much better over the past decade); but even as we summarize risk tradeoffs in plain English, we Warriors of the Light are still met with this biting (and trite) criticism regarding our inability to communicate with our most important constituent. When I've asked senior business professionals what "the language of the business" means to them, I've gotten inconsistent, nebulous answers. The best answer I received on this topic came from a former CEO who came up through the finance ranks. "The answer is dollars," he said to me. "Until you can tell me with absolute certainty what not patching that system will cost me in dollars, or what the absolute risk in dollars will be of not giving you a new tool or another body, I will always question the truth of your calculus." This calculus makes us slightly different from our IT brethren, who can link their costs more directly to revenue via availability and/or new business.
A hard truth, to be sure. Our profession will continue to struggle against this perspective. This truth will become harder still as the scrutiny of senior leaders and even the Board of Directors increases around security issues due to external regulatory and consumer pressures. Yes, we security professionals still own the bulk of the communication challenge…
…but we do not own it alone.
While I applaud, support, and participate in the efforts of the security community to bridge the communications gap -- and let's be clear, it is our gap to bridge -- it's time to address the other side of this equation: the business itself. Communication, by definition, is two-way. While it's incumbent upon me to learn the language of the environment in which I operate, it is equally important for our business brethren to understand and appreciate some of the equally hard truths that exist within security's operating space.
Here are some hard truths that security professionals would like business leaders to understand:
- I Don't Want to Be Your Top Priority. I recently heard a former storied CEO and current board member of several prominent tech companies say, "I want to know enough about security to know that we are okay, so I can go on to the next marketing problem." Frankly, I feel this attitude and approach is healthy. He hired a CSO to take security off his mind. If that CSO does his job correctly, the CEO's concerns will fade considerably. There are, however, some upfront costs to that approach. The CEO and CSO need to work together to decide how to present data in a manner which resonates with the CEO's concerns. My tools and processes can measure dozens of data sets, but what is truly the best way to show the amount of work it's going to take to defend the network? Or the daily normalcy of attacks that occur (and our success rates against them)? As your security professional, I will work hard to determine the correct metrics to convey an appropriate understanding of the landscape, as well as a holistic picture of our security posture...but this will take some trial-and-error and some back-and-forth between us. Be willing to make the time for that collaborative discussion, as I am truly terrible at mind reading. Just ask my wife.
- While I Don't Need You To Agree With Me, I Do Need You to Listen To What I Have To Say. Contrary to anecdotal opinion, I'm not an alarmist. The sky is not falling, nor are the evil hacker hordes storming the gates RIGHT NOW. If I express a concern about a business practice or operational decision, don't dismiss me as a paranoid zealot who sees disaster around every corner. Just like business leaders, security professionals hone their craft over the course of many years. Our understanding of risk issues is as valid as a business leader's understanding of market opportunities. Give us the courtesy of your focus when we express a concern, even when we can't necessarily present data analytics. Be aware that sometimes empirical data only becomes clear in the aftermath of an event, versus being a predictive indicator.
- Compliance is Not the Same Thing as Security. Too often businesses hire security professionals either (a) in the wake of a breach; (b) to stay ahead of regulatory demands; or (c) to appear 'focused' on security challenges due to external pressures. There is nothing wrong with these incentives in the slightest, but the mindset of the business in these situations tends to be focused on staying ahead of regulatory/compliance issues versus addressing security needs. Actions which truly secure the environment but which aren't explicitly stated as a regulatory requirement are seen as excessive or needless. We still run up against this quite a bit in companies seeking to meet PCI-DSS requirements; many businesses clearly see the need for a control applied to their credit card data, yet struggle to see the need for similar controls over the petabytes of non-anonymized personal data within their environments. Businesses should be honest with themselves and transparent with their security professionals: if what you're looking for is just compliance, tell us. It'll keep us from banging our heads against the wall as we attempt to bring secure solutions to your enterprise.
- Stop Asking Us "Are We Secure?" The security professional defines "security" as freedom from risk. No matter how good s/he may be, as long as its doors are open for business a company will never achieve a zero-risk state; stop expecting me to tell you that you will. This also applies to operational objectives such as "never being breached" or "zero operational impacts due to security events"; even if you gave me every dollar I requested in my budget, I could never guarantee you such absolute success. Now, asking me whether our controls are up and running, or how our controls and performance compare to others in our business vertical, is fair and reasonable (though the latter may be hard to determine due to a lack of information sharing about security issues).
- Let's Make Tradeoffs Together. The security professional's job is rooted in the principles of risk management. This means making hard choices regarding risk versus return. While we're comfortable with this, some circumstances do and will require additional resources in order to keep the risk at its current level. The business, not the security professional, makes the ultimate decision either to (a) reallocate resources, or (b) accept the risk. This is an important point to emphasize, because security professionals are facing multiple challenges in this area.
At the end of the day, the function of a business is to make money. Business leaders can be reluctant to acknowledge an increase in security risk, since risk mitigation may be costly and blame can be the market's first reaction in the event of an incident. Security professionals do understand the risk tradeoffs, and accept them as part of growing a profitable business. We need open, honest dialogue with you regarding risk tradeoffs.
- I Will Support & Defend the Business, Regardless of the Decision You Make. Once I've been heard and we've discussed tradeoffs, I will support your decision and execute it to the best of my ability. Your decision to accept additional risk does not give me a free pass to let bad things happen in the environment. A security professional will always fight to keep the evil hacker hordes from storming the gates, regardless of the risk decisions made. Period.
While the bulk of the communication burden rests with the security professional, I believe business leaders also have a responsibility to come to the table ready for an honest, open dialogue. Not wishing to burden the company with costs not associated with direct revenue benefit is not a sufficient reason to avoid the expertise and knowledge your CSO brings to any discussion. Give him a listen - he might just surprise you.
My two cents…
Monday, August 17, 2015
One CEO's View on a Point-of-Sale Breach
Tuesday, June 23, 2015
Fitbit Data Helps Disprove Rape Claim
Monday, June 8, 2015
Security IPB
Monday, April 27, 2015
Thoughts on The Irari Rules
I’ve had the pleasure of knowing Ira Winkler and Araceli Treu Gomes for over a decade now. Both are quality and insightful security professionals who raise the bar within our industry. As such, I’ve enjoyed reading their joint commentaries on various security issues and challenges over the past few months.
Winkler and Gomes’ latest contribution to the fight is “The Irari Rules” (named by combining their first names). The relevance of the Irari rules in determining the true technical sophistication of an attack cannot be overstated; it is easy for business leaders and other technology professionals to talk about a new level of sophistication in attacks when in reality we are seeing increased efficiency and volume around highly predictable (and preventable) attack vectors. That being said, Winkler and Gomes take a slight – and, in my opinion, erroneous – detour in their conclusions which may obscure some of the important messaging we all need to hear.
Think about what the Irari rules are advocating for a second:
- Use anti-virus or anti-malware software
- Patch your systems
- Use multi-factor authentication
- Change passwords frequently
- Create detailed, realistic, holistic education programs
- Turn on and monitor your alert mechanisms
- Segment your networks
- Aggressively manage user accounts and their privileges
None of this is rocket science -- nor is it anything that we as security professionals haven’t been saying for the better part of two decades, with arguably the same level of mixed (poor?) results. Yet clearly something has changed within the ecosystem given that (a) the number of compromised records per breach has increased exponentially; and (b) concern regarding breaches has entered the mainstream consciousness. So if it’s not the sophistication of the technical attack…what’s going on?
Winkler and Gomes posit that the “new normal” for organizations should be to “expect to be targeted by people with more than a trivial level of skills and the time and resources to search for blatant vulnerabilities.” This would seem to support an argument for a more sophisticated attacker as opposed to a more sophisticated attack – which results in a higher level of risk overall to an organization. Remembering the basic multiplicative risk model, Risk = (T)hreat x (V)ulnerability x (A)sset Value, a more sophisticated threat can make better use of existing vulnerabilities than a casual aggressor. Continuing the lock analogy used in their article, the issue isn’t whether the door is locked or not, as security is rarely so binary a calculus; rather, it’s the age and maintenance of the locks in place. While these locks may be sufficient to stop an opportunistic intruder, a focused intruder with moderate skills could defeat these locks (single-factor authentication; static passwords; etc.) with relative ease.
There’s another factor in the risk equation that Winkler and Gomes have failed to consider: asset value. While consumers have not yet fully reconciled their willingness to trade personal data for convenience and personalized service with their concerns over how that data is used, the value of data to both individuals and corporations has increased dramatically. As the value and proliferation of data within organizations increase, the security professional must reevaluate whether the locks remain sufficient, and are sufficiently maintained, to mitigate risks within the environment to an appropriate level.
Winkler and Gomes conclude that “(c)laims of sophisticated attacks deflect blame, obscure the need to make improvements and attempt to shirk responsibility for implementing poor security efforts.” In this I agree...but only to a point. Yes, claims of sophistication can contribute to obscuring the need for improvements, but the case for improving programs doesn’t rest on eliminating that obscuring; it rests on removing our own profession's obfuscation of risk issues. Fundamental blocking and tackling within a security program is essential, yes...but even the best managed programs can’t bring risk to zero. As we do the blocking and tackling to eliminate vulnerabilities, it is equally critical to acknowledge attacker (versus attack) sophistication as well as the marked increase in the asset value of data. In this environment, yesterday’s locks and windows (read: yesterday’s security program implementation) won’t keep the bad guys away.
My two cents…