Friday, August 31, 2012

Do security like a start-up or get fired - Own your security

This is part of a blog series. For more details, start with the intro.

Own your security programme

We rarely see start-ups hire consultants to "consult" on IT security (except perhaps if they've had an incident and need to be seen as having done something about it). However, in larger organisations with complex environments this is commonplace. Whether enterprises choose to use external security consultants or outsource certain security functions, the most important thing to remember is this: your external provider must never be responsible for your security.

Unfortunately, far too many organisations fall into the trap of ceding responsibility once they've outsourced something or brought in external consultants. Outsourcing a function or an operation does not outsource the responsibility for it. It is absolutely crucial that organisations continue to make their own IT security decisions, retain responsibility and take ownership.

The instant members of an organisation start thinking that the external provider is responsible for IT security, immediate action needs to be taken to correct the perception (and potentially the processes). A warning sign is best illustrated by a question I once asked the security manager of a large bank:
"Why is this security process done this way?"
The answer floored me:
"That's how the outsourcing vendor does it, but we're not sure why. It doesn't actually make sense to us why it's done this way."
How can improvements ever be made if an organisation does not know the reason behind how things are done? This issue is not limited to IT security; it is a common trap organisations fall into when they outsource anything. But IT security is one of the most critical areas to keep on top of.

There is also the ever-present threat of "analysis paralysis". This is the condition where the consultant or outsourcing provider produces so many documents and designs that they end up gathering dust. All the budget has been spent on producing documents, but there isn't any money left to act on them. Instead of shelf-ware, organisations end up with shelf-paper (figuratively speaking of course, as it's usually a digital shelf in today's environment).

Next up - Evolve.

Wednesday, August 29, 2012

Do security like a start-up or get fired - Manage risk

This is part of a blog series. For more details, start with the intro.

Manage risk appropriately, not compliance

If it were all about compliance, we wouldn't keep hearing about data breaches at organisations that were supposedly PCI DSS compliant at the time. Sure, if there are compliance measures to meet and audits to pass, these need to be addressed. But the minute information security becomes more about passing audits and being compliant than about managing risk, you're in trouble. In other words, don't fall victim to check-box security syndrome.

The most important word in the title is: appropriately. Don’t put in security for the sake of it. Just because you can lock something down to the nth degree does not mean it needs to be done. Always bring it back to the question around what you’re trying to achieve. Remember, it’s about trust, brand, reputation.

Next up - Own your security.

Tuesday, August 21, 2012

Do security like a start-up or get fired - Share

This is part of a blog series. For more details, start with the intro.

Share with competitors

Sharing information with competitors: the notion sounds counter-intuitive. But the bad guys do it. Security vendors do it. Of course, I'm not talking about sharing corporate secrets. The bad guys share exploits. Software, solution and technology providers share threats we hear about or come across that we need to deal with.

Essentially, this statement equates to the following:
"Share best practices with the community."
That's it. If you look at it this way, it's not so daunting. We need to remember that at the macro level, IT security is an ecosystem, not just a silo within one company. Facebook, LinkedIn, Zynga and other companies with a start-up mentality (technically they are no longer start-ups, but they have kept the mindset of one) talk to each other all the time about security threats and how they are doing certain things.

A common question vendors get is:
"How is one of your customers in our industry doing this?"
I have news for you. More often than not, vendors are not allowed to tell you. Contracts and non-disclosure agreements (NDAs) prevent this. Vendors may be able to tell an organisation something vague about a similar organisation, but some information is suppressed, even if the organisation's name is not mentioned. Each of you working within an organisation (that is not in the business of providing IT security solutions or consulting services to others) is in a much better position to reach out and talk about issues you are facing and how you are addressing them. Sure, keep the competitive advantage initiatives a secret, but there are things you can share that won’t give the crown jewels away.

The immediate reaction from most will be:
"Yeah, sure but this is easier said than done."
That's stating the obvious, but the IT security community is relatively small, especially when you look at the community within each country. Most people know each other in some form or another. Add in the industry associations (e.g. AISA in Australia) and the proliferation of social media like LinkedIn or Twitter, and it's easier than it's ever been to reach out, especially if you're not trying to sell anyone anything. It's more difficult from where vendors or consultants sit, because everyone keeps wondering when we're going to come out with the "so, about this solution we have from _insert-vendor-name-here_" discussion and break into the sales song and dance.

Next up - Manage risk.

Saturday, August 18, 2012

Do security like a start-up or get fired - Do

This is part of a blog series. For more details, start with the intro.

Do or do not. There is no try.

Said this, a great philosopher once did. His most famous quote, arguably, it is.

Ok, so Yoda is fictional. But the quote is not. You don't need to have your religion listed as "Jedi" to have heard of this quote. Organisations need to commit to security. Go all in. Do not pretend.

Employees are still the most easily compromised link in the chain. Most of the targeted intrusions that get labelled advanced persistent threats begin with a well-crafted (spear) phishing email. All employees must be tested for security awareness and behaviour on an ad-hoc basis, when they are least aware they are being evaluated. For example, many organisations send simulated phishing emails to a randomly chosen subset of employees at irregular intervals to see how they react.

Notice I made no mention of education. This is implied, but focusing on education is the wrong way to go about it. Studies have shown that training alone does not change behaviour. Even if you haven't seen the figures, as security professionals we know through anecdotal evidence that this is true. In addition, employees must be told when they have failed a test, so they know what to watch for and how to avoid being the weak link next time.

Gartner's Andrew Walls has a great presentation titled: Why Your Security Awareness Program is Doomed (and What You Can Do to Rescue It). If he's giving that presentation at an event, make it a priority to attend. He talks about ways you can achieve behavioural change in employees (e.g. by using advertising, marketing and social engineering techniques) when it comes to security and why awareness programs just don't work. Basically, people are lazy. Even if we know that something we're doing may not be within policy, we weigh up the risk subconsciously and if it isn't high enough, we'll take the easy route. For behavioural change to happen, the easy way to do something must be the secure way.

Combine behavioural changes with a light slap on the wrist each time an employee does something that's insecure (through ad-hoc testing) and we're on to something that has a chance of working.
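To make the testing loop above concrete, here is an added example (not code from the original post) of a minimal phishing-simulation round: pick a random cohort of staff so nobody knows in advance who is being tested, give each recipient a unique tracking link so a click can be attributed to a person without putting their address in the URL, tell the people who clicked that they failed, and schedule the next round at a random rather than fixed interval. The staff list, the signing key and the training.example.com landing page are all constructed for the example.

```python
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (hypothetical addresses); a real run would pull
# this from the HR directory.
STAFF = [
    "alice@example.com", "bob@example.com", "carol@example.com",
    "dave@example.com", "erin@example.com", "frank@example.com",
]


@dataclass
class Campaign:
    campaign_id: str
    key: bytes                 # secret held only by the security team
    recipients: list           # the randomly chosen cohort for this round
    clicked: set = field(default_factory=set)

    def token(self, email: str) -> str:
        # HMAC(key, campaign:email): unique per person and per round, cannot be
        # forged or enumerated without the key, and reveals nothing about the
        # address if the link is forwarded or ends up in a proxy log.
        msg = f"{self.campaign_id}:{email}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def landing_url(self, email: str) -> str:
        # Hypothetical training landing page; the only identifier is the token.
        return f"https://training.example.com/{self.campaign_id}?t={self.token(email)}"

    def record_click(self, token: str) -> Optional[str]:
        """Attribute a clicked token to a recipient; None if unknown or forged."""
        for email in self.recipients:
            if hmac.compare_digest(self.token(email), token):
                self.clicked.add(email)
                return email
        return None

    def failure_rate(self) -> float:
        return len(self.clicked) / len(self.recipients) if self.recipients else 0.0

    def feedback(self) -> dict:
        """Tell each person who clicked, so the miss becomes a lesson."""
        return {
            email: (f"You clicked a simulated phishing link in round "
                    f"{self.campaign_id}. Check the sender domain and hover "
                    f"over links before clicking next time.")
            for email in sorted(self.clicked)
        }


def new_campaign(staff, sample_size, key, rng=None, campaign_id=None):
    """Pick a random cohort so nobody knows in advance who is being tested."""
    rng = rng or random.SystemRandom()
    cohort = rng.sample(list(staff), min(sample_size, len(staff)))
    return Campaign(campaign_id=campaign_id or secrets.token_hex(4),
                    key=key, recipients=cohort)


def next_send_delay(rng=None, min_hours=24, max_hours=24 * 21) -> int:
    """Seconds until the next round: random within a window, not a fixed schedule."""
    rng = rng or random.SystemRandom()
    return rng.randint(min_hours * 3600, max_hours * 3600)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    round1 = new_campaign(STAFF, sample_size=3, key=key)
    for who in round1.recipients:
        print(who, "->", round1.landing_url(who))
    # Simulate one recipient clicking their link.
    round1.record_click(round1.token(round1.recipients[0]))
    print(f"failure rate: {round1.failure_rate():.0%}")
    print(round1.feedback())
    print("next round in", next_send_delay() // 3600, "hours")
```

The key design choice is that the click handler never trusts anything in the URL: it recomputes every recipient's token and compares in constant time, so a forwarded or guessed link cannot mark someone else as having failed, and the per-round campaign id means a token from an old round is useless in the next one.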

Finally, security professionals must be involved with all aspects of IT and at the business level. They should be present at every development meeting, every architecture meeting, every operational meeting, every process meeting and every other meeting you can get a security team member into. If security isn't part of the conversations at the business level, everyone in the organisation is just going to go around the IT security team.

Next up - Share.

Thursday, August 16, 2012

Do security like a start-up or get fired - Say yes

This is part of a blog series. For more details, start with the intro.

Evolve from “no” people to creative “yes” people

The previous post in this series talked about Trust. I referenced Forrester's Laura Koetzle and her definition for an IT security & risk professional's role:
"We protect our company’s brand – and our Security & Risk program allows our company to pursue new business opportunities safely."
In the eyes of most CEOs, security teams are employed to protect the company’s brand and reputation. But why do so few mention the second part about being used as a business enabler? Those of us in IT security have been rolling this reason out for years. Yet we're still stuck with the perception gap.

It's because...
(The image in the original post reads: "IT security says no.")

Sound familiar? We've all said it before, haven't we? In fact, it's almost the default answer because, most of the time, the business has no idea about security and keeps making stupid requests! That statement may not always be true, but it's IT security's perception a majority of the time.

Why don’t we take the time to ask why? And by that, I don’t mean simply ask: “why do you want to do that?" We need to take the time to understand the business reason behind the request. We need to put on our business hats.

Say yes more often. And say “yes” all the time, if you believe it will give the organisation a competitive advantage or access to a new revenue stream. Be creative about mitigating the risk while enabling the business initiatives and leveraging existing security infrastructure. If you can’t, management will hire someone who can. Balance competitive advantage against control. Ultimately, security teams need to understand the business. They need to understand how the organisation makes money.

IT security needs to be seen as a business enabler instead of a support function that always gets in the way. IT security teams need to evolve from “no” people to creative “yes” people, while knowing that risk is the variable in the security and usability equation.

Next up - Do or do not. There is no try.

Wednesday, August 15, 2012

Do security like a start-up or get fired - Trust

This is part of a blog series. For more details, start with the intro.

Trust, brand, reputation
This is arguably the most important motivation for having an IT security program. As an extension of trust, we also have brand and reputation. But being trustworthy implies a strong brand and reputation. If an organisation loses that trust, their brand and reputation suffer accordingly.

Ask any start-up (an actual start-up, not one with the start-up mentality) what the most important thing to them as far as security is concerned, and almost all will say: "trust". If it's a consumer business, it's user trust. If it's an enterprise business, it is investor and customer trust. Trust that they will not go out of business anytime soon. Trust that they will continue to offer a good product. Trust that they will improve the product. Trust that they are not engaged in criminal activity. Trust that any data they hold about us is properly protected. I could go on, but you get the idea.

For companies where the user is the product, like Facebook, the last point is the most important. Remember the saying: “if you aren’t paying for the product, you ARE the product”. For a company like Facebook to continue to grow, they need all of us to continue to use it in a genuine, authentic manner that represents ourselves in real life. That’s why they so ingeniously insisted on the “real name” policy. We are psychologically programmed to be true to ourselves; true to our own brand, right down to our authentic behaviour. Why? So Facebook can use our information to sell more advertising. But we willingly do it, largely because we inherently trust that Facebook won’t intentionally do anything bad with our information. Sure, they violate our privacy all the time, but we continue to use it because we trust they have taken the measures to protect our data and the privacy trade-off is something many of us are willing to live with to enjoy the benefits Facebook affords us (some of which we aren't even consciously aware of).

Forrester's Laura Koetzle defines an IT security & risk professional's role as follows:
"We protect our company’s brand – and our Security & Risk program allows our company to pursue new business opportunities safely."
I like this definition because I think it defines exactly why we (IT security people) have jobs. What is a security professional ultimately trying to do for their employer? Everyone has their own ideas and views, but if you ask CEOs, they usually say that security teams are employed to protect the company’s brand and reputation. Once again, this is about trust. The simplification of a company's values makes the decision making process much easier. In doing so, one can very quickly decide which IT security projects (or initiatives) are really not adding value to the ultimate goal of maintaining trust, brand and reputation.

This covers off the first part of Laura's definition. But why do so few mention the second part? That’s the ideal situation is it not? As IT security professionals, we would certainly like to think we do that for our organisations. So where’s the miscommunication?

This brings me to the next point - Say yes.

Do security like a start-up or get fired

I've given this presentation twice. The first time was at AusCERT this year. The second was at the Banking, Finance and Technology Forum in Mumbai back in June.

I've since moved on to another topic as I do the rounds at various events, so in the spirit of sharing and hopefully getting your thoughts, I thought I'd turn it into a series of blog posts.


In my travels speaking with and consulting for organisations across the world (including a large number across Asia Pacific more recently), I've come to observe the good and bad things that organisations do when it comes to security. I won't dwell on the bad. Instead, I've picked out 10 considerations that agile companies tend to focus on in dealing with IT security. I use the term "agile" here purposely, as it is appropriate when describing companies that are dealing with the current external pressures (e.g. cloud, mobility, consumerisation of IT) better than most. Many of the points I highlight should be Security 101 for security professionals. But in limiting this to a list of 10, I'm aiming to focus on what is important in today's enterprise in being better placed to deal with the pressures organisations are facing.


Let's set the context. In using the term "start-up", I'm talking about a mentality, not necessarily a start-up company. Let me be clear. There are certainly start-ups out there that don't care about security. But what about those that do? Why do they even care? What are they doing about security? How are they similar to the enterprise? How are they different? Are they doing it right? Can we learn anything from them? In addition, there are some big-name companies out there that can hardly be called start-ups anymore, but their culture remains very much in the spirit of a start-up. You don't need to be a small company to adopt the mentality of one. That is the point I'm making: it's all about having the mentality of a start-up so you can start executing like one. Mindset is often the most difficult thing to change.

Here are direct links to the 10 considerations (links will be posted/updated as they are published):
  1. Trust, brand, reputation.
  2. Evolve from “no” people to creative “yes” people.
  3. Do or do not. There is no try.
  4. Security is an ecosystem across companies.
  5. Manage risk appropriately, not compliance.
  6. Own your security programme.
  7. Evolving IT security teams.
  8. Identity is the foundation.
  9. Cloud and BYOD are just IT.
  10. Standards & APIs.