PsyFi - Psychological & Science Fiction

PsyFi – The Wizard of FUD – Olympics and Cloud Risk and Cyber…Oh My!

tinman

Make yourself a cuppa for this one.  13 odd pages in print.

Some fanciful faction: What happens to the minions and masters in a business when the press goes nuts about a new cyber threat?  This is a left field look into that world following the story of The Wizard of Oz. Not exactly, but I think you’ll recognise some key characters.

The Wizard of FUD – Olympics & Cloud Risk & Cyber – Oh My!

One fine day, on the way to attend the monthly board meeting, Dorothy is distracted from the sunshine and blue skies by thoughts of the IT budget she has responsibility to allocate.  Applications are in for the current financial year from everyone including the information security team and as usual she can’t make sense of their benefits statement.  The advertised reduction in security risk never quite seems to tie back to what they want to spend.  Spend it’s already hard to defend when the pot of cash is shrinking and they’re competing against things with a far easier to prove ROI.

It doesn’t help, she knows, that all’s been very quiet on the security front of late.  No material incidents.  Minimal media noise. No regulatory issues.  No new compliance requirements.  A few seemingly everlasting audit points, but as they age with reportedly negligible remaining risk and no big related incidents, a certain tolerance creeps in. An informal tolerance anyway.

Holding the reins on overhead spend is a poison chalice, thinks Dorothy, especially when the justification is so damn woolly.

CRACK! “What the..?!” looking in her rear view mirror the previously blue sky is rent by a spectacular bolt of lightning.

“AND IN OTHER NEWS, QUESTIONS ARE BEING ASKED ABOUT ANY RISK TO CUSTOMER DATA AFTER HACKERS BROKE INTO SYSTEMS BELONGING TO ONE OF BOARD ROOM’S PARTNER COMPANIES. AT PRESENT THE CIO CANNOT BE CONTACTED FOR…..”

She smacks the dash with her hand, shutting off the radio that had somehow turned on at top volume.

With an almighty rolling boom, sheets of rain begin to hammer down, forcing her to pull over into a layby.  Her phone rings “Dorothy, we’re getting questions from everyone including the media about this security incident at Partner company.  What the hell happened and are we at risk?!” after a beat, the steel in her spine flows back “I’m on it! Let me get back to you” “It had better be soon!” growls the voice before hanging up.  BEEP, BEEP, BEEP, BEEP, BEEP, BEEP…She stares at her blackberry as the screen turns black with unread messages.

Ignoring the phone, she allows herself a moment with eyes closed to breathe, then squares her shoulders and looks up to the mirror to check her makeup.

“UH…………..” it’s like all the air has been sucked from her lungs.

There, framed in the rear view mirror, is a tornado.  A huge, inexorably twisting, rapidly approaching, tornado.

Almost unconsciously she turns the key, bangs the car into first gear and aquaplanes out of the layby onto the open road, not caring about other drivers forced to swerve.

It’s no use.  It’s catching her.  She watches horrified as a car behind her is lifted, boot first, into the maelstrom.  The driver’s face frozen in a silent scream.  Her knuckles shine white as she struggles to build speed while retaining control.  So focussed it takes her a few moments to realise it’s all over.  The fishtailing rear of the car slowly, almost gracefully, lifts.  The car hangs momentarily vertical, before vicious centrifugal force kicks in.  Smashing her face into the side window and whipping the car into the centre of the cyclone.

Painfully dazed she spots something out of the corner of her eye.  She shakes her head, but it’s still there.  Something in the swirling dark.  A figure sitting astride something….what the hell is it?….A broomstick?!  Trying and failing to process this, her last thought before passing out is of the CEO, knowing he’ll never swallow this as an excuse for not calling back.

Not in Essex any more

Some unknown time later she comes to and is amazed to find the car in one piece and on solid ground.  She has an almighty bump on the side of her head, but as the rest of her feels intact, she takes off her belt and stumbles out of her car tripping over something on the way.  She looks down, then screams.  Two stockinged legs are protruding from under the driver’s side door.

Oh my god I’ve killed someone, she thinks, but in the same moment another bizarre thought crosses her mind.  These legs look familiar.  Just like a pair I saw wrapped round a broomstick in the tornado.  Get a grip woman! She tells herself, refocusing on what needs to be done.

Crouching down she is terrified at what she will find.  There’s no blood and the legs are still attached to a body, but that’s where the good news ends.  No movement, no sound of breathing, no nothing .  Using the door for support, she stands up and turns around, hoping to see someone, anyone, who can help.

It’s only then she realises she is most definitely not in Essex any more.

The scene is like something across between a flight deck and Willy Wonka’s Chocolate Factory.  Unnaturally primary coloured grass, trees and rocks interspersed with banks of computers and huge LCD screens.  Slowly, very slowly, faces begin to emerge.  Strange little people speaking to each other in a language Dorothy doesn’t understand.  Drawing on the emotional resilience that earned her a place on the board, she puts her shock in a box and makes herself concentrate on the immediate problem.  “I hit someone, she’s under the car, please help her!” she shouts at the growing crowd.

This doesn’t get the reaction she expected.  The diminutive folk ignore Dorothy, but en masse they make their way towards the car.  One is pushed forward.  Advancing by tiny increments he stops, pauses, then kicks one of the victim’s feet as hard as he can, jumping quickly backwards.  Everyone, including Dorothy, holds their breath.  Then, when whatever they feared doesn’t happen, a whisper begins.  Too hard to hear at first, but soon it builds to a roar. “She’s dead!” they shout gleefully, hugging and beginning to dance.  “She’s dead! She’s dead! She’s dead!

“What are you doing?! She needs medical attention! What is wrong with you people?!” Dorothy screams, but she can’t make the jubilant hear her.  Looking round to see if there is anyone sane she can appeal to,  she spots something else out of place. It’s a gleaming sphere floating in the blue sky.  At first it is tiny, but it moves towards her growing rapidly until finally it resolves into a glowing figure.  A woman dressed in white, holding what appears to be a tablet.  It looks like mine, Dorothy thinks, then wonders why, in a world turned upside down, this of all things should surprise her.  Her head swimming with the utter craziness of her situation, it takes a moment to realise the figure is speaking.

“Don’t be afraid, I am CISSPA, the good witch.  Do not judge the ISkins harshly.   The person under your car is the Olympic DDOS witch.  2 years ago she stole much of their Information Security Budget, limiting their ability to maintain BAU operations. Then, when the threat the witch warned of did not materialise, the value of the work done by the ISkins was questioned.  Since then their numbers have been cut and day to day workload has crushed their loyal spirit”

I have to get out of this madhouse thinks Dorothy, while another part of her recognises a shred of truth in these words.

Enter the wicked witch

CRACK! Dorothy is slow to react, her capacity for surprise worn out.  When she does look to the source of the noise, the plume of green smoke has mostly cleared, to revealing another witch, closely resembling the one lying under her car.

“My sister!” the witch screeches in anguish, fixing Dorothy with a murderous stare “You killed my sister!” Reeling back, Dorothy finds herself next to CISSPA “I didn’t mean to” she replies in an uncharacteristically weak voice, but already the witch’s attention has shifted to the car.  She moves quickly, kneels down and reaches forward.  Dorothy catches a glimpse of what she is after.  It’s a bag clutched in the dead witch’s hand, but as soon as the new witch’s fingers brush the bag, both it and her sister crumble to dust.

“Yeeaaaaagghhh” she yells at the sky, before wheeling round and stalking over to Dorothy.  The pointy nailed finger shakes with fury an inch from Dorothy’s nose as she hisses “You did this and I will have my revenge!”.  With that there is another loud crack and she is gone.

Gently, CISSPA turns Dorothy to face her.  “This is not your fault” she says.  “This is just what happens when witches of FUD are debunked.  You have done us all a great service and in your pocket you will find something from the witch’s bag”

Sure enough, when Dorothy, still shaking, reaches into her trouser pocket there is something there. An envelope.  Opening it she is astounded to see a cheque for a large number of thousands of pounds.  “What…? She says, again lost for words.

“It is a good portion of the 2011/2012 information security budget Dorothy” CISSPA gently tells her.  “Money rightfully yours now this witch is dead.  It could be argued it belongs to the ISkins, but you have the trust of Board Room residents to spend this money wisely”.

“I just want to go back” Dorothy says with slight tremor in her voice. “Now!”

“I understand” says CISSPA, “but you cannot return the same way you arrived.  However I do know of someone who can help. The Wizard of FUD. He lives in the Pragmatic Palace at the end of the Credible Tech Road.

“The what road?”

“The Credible Tech Road dear.  Look, there” Dorothy turns and sure enough she can see a path that widens in the distance to a good sized road.  Looking more closely she realises the shiny green asphalt, isn’t in fact asphalt, it’s actually circuit boards laid end to end and overlaid with glass”

“How far is it?” she asks “I have to get back for an urgent meeting”

“Just far enough to find what you need” CISSPA says cryptically “and you will find friends to help you on your way, but don’t loiter.  The wicked Cyber witch is a threat while she still has credibility and she will try to stop you”

And with that, CISSPA dematerializes.  The glowing orb rapidly shrinking then disappearing into the distance.

Looking once more at the now subdued ISkins, Dorothy fights the urge to get back in her car, close her eyes and wish all this away.  Instead she brushes herself down, squares her shoulders, runs her fingers through her hair, bids the ISkins a shaky goodbye and takes her first steps towards some nutter she doubts exists in his ridiculously named palace.

If I only had a brain

Not 100 yards down the road she realises she is already tired.  She spies a field of hay just ahead and decides to rest her aching feet.  Sitting down, cushioned by the hay and warmed by the sun, she can almost forget the madness.  Almost, but not quite.  What she thought were birds in the sky are in fact folded sheets of A4 paper.  She watches as more and more come down to settle on top of a big pile in the middle of the field.

“Can you help?”

She whips round, looking for the source of the muffled voice.

“Excuse me! Over Here!”

It’s then she realises the sound is coming from under the pile of paper.  Going closer she sees some trainers and hands just peeking out.

“Uh, please, whoever you are, I’ve been here for ages.  I can’t seem to scare the damn things away”.

She almost turns around and leaves.  She really can’t handle another complication right now but her conscience does finally kick in and she sets to work unburying him.

“Ahh, thank you!” he says smiling at Dorothy.  “I thought I’d never get out from under that lot.  I would have got the ISkins to help, but they’re so busy I’ve been taking more and more off their hands”.  “Who are you?” says Dorothy.  “Oh sorry” he says, wiping a hand on his jeans and holding it out “I’m Sec Tech Man.  Who are you?” “I’m the CIO of Board Room” Dorothy replies.  “Oh my goodness, oh my goodness, no-one told me you were coming” he says scurrying around, trying and failing to make the papers disappear.

“Stop!” says Dorothy “Do you know me?” “Well not face to face, says Sec Tech Man, but I have exchanged the odd email and I help put the budget application together for Information Security every year”

“Oh” Dorothy replies “Did you realise that stuff makes very little sense to me? I can never work out exactly how it’s going to do what you say it will, or how it links to our strategic objectives.  Makes it a hell of a job selling it to the board”. “Ah” says Sec Tech Man, looking utterly crestfallen, “I thought it was obvious” “Um, no, not really” says Dorothy more gently.

“It’s the workload you see” he mumbles, “I don’t have time to explain it properly.  Oh who am I kidding?  I just don’t get what you need to know.  It’s so hard!” With this he sinks to the ground and hugs his knees.  “I know you need it to make sense compared to all the other things competing for money, but how? My poor ISkins, I’ve let them down!” oh my god he’s going to cry, thinks Dorothy.  “I give up, I just can’t do it, I’ll never have that kind of commercial brain”

He looked so miserable, Dorothy decided to change the subject “How did you get here?” “Ummmm, I live here” he replies. “I know it’s not what you’re used to, but it feels like home.  Or at least it did until we got spread so thin I got buried by BAU”.

Deciding to sidestep that conversation, Dorothy asks if Sec Tech Man can help her.  “Of course”, he replies “I know the Credible Tech Road well and often visit the Pragmatic Palace, but I have never met the Wizard.  CISSPA has and I’ve read lots he’s written, but I guess that doesn’t matter.  I’m sure he’ll agree to see someone as important as you.”

“Shall we go then?” says Dorothy.  “What now!?” says Sec Tech Man turning to look at the mountain of paperwork “What about all that mess I’ve got to clear up”.  “Forget it” says Dorothy “You have my permission to leave it and you never know, perhaps the Wizard can help me get home AND give you your commercial brain” Visibly brightening, Sec Tech Man heads off towards the fence “Well what are you waiting for?” he says “Let’s get this show on the road!”.

Inexplicably warming to this odd, but surprisingly resilient chap, Dorothy smiles and follows.

In need of courage?

Lost in their individual thoughts and enjoying the sun, they both jump when a figure in a suit leaps out at them and shouts “CYBER!”.  Quickly over the initial shock, they look at each other, raise their eyebrows, then look back to the chap in the road who’s now waving his arms madly.   “CYBER!” he shouts again.  He’s going to do himself a mischief in a minute, thinks Dorothy.  When neither of them show any sign of reacting, the man’s shoulders slump and he sits down hard, in the middle of the road.

“Why aren’t you scared?” he says beligerantly.  “Scared of what?” says Dorothy “Of the inevitable cyber-attack that’s going to cause significant damage to the reputation, profits or regulatory compliance status of Board Room of course!” “Oh” says Dorothy “I am very concerned about that, but I’m hoping to get some good advice on what to do about it.” “Good idea!” says the man, “Call the consultants, they’ll sort it out”.

It’s only then that Dorothy puts two and two together. “Roger?” she says “Is that you?” “In the flesh” says Roger. “No idea what the heck I’m doing here, but it’s bloody strange and no-one seems to be taking this threat seriously.  If what that Cyber witch says comes true, we’re all in deep shit”.

This looks like Roger, but he’s not acting like Roger. He’s always been a hard-nosed corporate lion with a reputation for making excellent commercial decisions.  But then again, it’s usually him that brings media stories about security threats to the board, complete with expensive consultants.  They charge a fortune to tell them how bad it is then write a plan for a plan. The kicker? It comes out of her IS budget.  It sometimes saves the business a lot pain, but other times it stirs up the board unnecessarily and she can’t head them off at the pass.  Bang goes her IS budget and little is gained. In fact, come to think of it, the effort thrown into dealing with the Olympic DDOS threat was sponsored by him, despite her voicing doubts.

“Unlikely” pipes up Sec Tech Man, interrupting her thoughts and apparently shocking himself by speaking up  “You see we have state of the art layered firewalls, malware protection, comprehensive patching regimes, decently hardened build standards for OS and app dev, plus IDS, IPS, DLP, good IdM and EUC controls, not to mention the outsourced monitoring and alerting linked to robust incident management, so really, even if something gets through, it shouldn’t be a disaster.  Having said that, changes, new suppliers, cloud apps and legacy stuff, all introduces insecurity, because the ISkins are crumbling under the weight of design, assessment and support work.”

By now, both Dorothy and Roger have that all too familiar vacant look.  Then Roger shakes himself and fixes Mark with a sceptical, narrow eyed look.

“How do you KNOW we won’t get hit by an attack?” he says.

“We don’t” says Sec Tech Man,

“I rest my case!” Roger bites back, folding his arms to underline the point.

Dorothy looks like she’s about to say something, but both she and Sec Tech Man think better of it.  It’s an old standoff in new clothes.  She’s itching to underline the distinction between an attack and a successful attack.  He wants to describe in detail how all the kit and people minimise their risks, but to his weary shame he’s never worked out how to measure effectiveness of all that in a way that makes pounds and pence sense to the board.  Something that perennially hobbles Dorothy’s attempts to negotiate an increase in the IS budget

Despite the tension, Dorothy values Roger’s counsel on all things commercial so they ask if he wants to accompany them to the Pragmatic Palace. “He can probably get us home Roger and perhaps he can ease some of your concerns, by putting the threat of cyber-attacks in context” says Dorothy.  “I’m perfectly capable of doing that myself” says Roger with a slightly acidic edge  “and if I need more information I know we can always rely on our consultancy firm”

The tension doesn’t entirely dissipate.  Roger continues to throw “Who do you think you are anyway” looks at Sec Tech Man, who, to his credit, simply ignores him and tries to enjoy the scenery.  But before long they’re interrupted again.

What no heart?

Someone is mumbling.  A low nervous monotone.  “What’s that?” says Roger looking nervous.  “Over here!” shouts Sec Tech Man.  He’s already clambering over the fence into the field “Look, apples! I’m starving”.  Remembering her lack of breakfast, Dorothy hurries after Sec Tech Man, putting thoughts of the strange noise to the back of her mind.

No sooner have they started picking the ripe apples, than the nose begins again.

“Too much, just too much. What can I cut?  What can I cut?”

They look around, trying to find the source.  It’s Roger who finally spots it.  “Look” he says, pointing to what appears to be a statue. It’s not a statue it’s another figure in a suit apparently frozen to the laptop in front of him.

“Hello” Says Dorothy “Are you ok?

“How can I be ok?” says the man “We’ve got a 30% overspend and we’re only half way through the year.  What can I cut? What can I cut?”

It slowly dawns on Dorothy that this man also looks strangely familiar.

“What’s your name?” She asks quietly.  “Alan” he replies “Finance. In charge of advising the board on potential savings”

Ah, thinks Dorothy, I know Alan.  Everybody knows and most people learn to dislike Alan, but remembering they are all in a strange discomfiting situation she offers him help.

“Can you move Alan?” She says

“Don’t know, been looking at these accounts for so long I’m kind of frozen”

“Don’t worry” Says Dorothy, “we’ll sort you out” and they do.  Roger, Sec Tech Man and Dorothy gently detach him from his computer and help him to his feet.   After a wander and a stretch he’s begins to feel better.

“Where are we?” he asks “Good question” Dorothy replies “The good news is I think I know someone who can get us home.  Do you want to come along?”

“How much will it cost?” says Alan “Perhaps don’t worry about that for now” replies Dorothy, unable to help adding “The cuts you recommended to the IT budget should more than cover it”.

“You should have presented a better business case if you wanted to avoid those cuts Dorothy and you know it”  he barks back “How am I meant to care about the impact of cuts if no-one can fully explain the impact to me? Damned overhead spend.  I understand investments and sales, change are good at putting a benefits statement together, heck I even understand marketing, but with IT and especially security I can’t bring myself to care.  What is the benefit of spending more on it for our bottom line.  Can you tell me? No-one else seems to be able to.”

“Suit yourself” Dorothy retorts and takes a bite out of her apple.  Not really caring if Alan follows on behind.  Eventually she starts to feel guilty about the way she treated him.  It’s his job, she reminds herself, and when something has to give the best business case naturally wins so I can’t lay it all at his door.  When she looks around Alan has decided to come along.  Dropping back she holds out an apple as a peace offering and he accepts it with good grace.

Script monkeys attack

Suddenly an ear piercing screeching tears through the peace.  “What now!” thinks Dorothy wondering if they’re ever going to make it to the palace.  “It’s a Cyber-attack” yells Roger, “A what?!” says Alan.  “Don’t worry” says Sec Tech Man “I know what to do”.

He herds them all quickly into the solid looking brick structure they had just passed by the side of the road.

The next moment there are a series of loud thumps followed by the sound of nails scrabbling, and more ear piercing screeching.  “What the hell are they” shouts Dorothy over the noise. “Script monkeys” says Sec Tech Man.  “Sound worse than they are.  These are decently built firewalls.  Don’t worry, they’ll try and find a way in, get bored and go away”.

Roger is crouched in a corner looking extremely nervous and sceptical.  “How do you know they won’t break in?” he challenges. “Because it’s my job to know” replies Sec Tech Man with more confidence than Dorothy has yet seen him show.  “How much do these firewalls cost?” asks Alan.  “Not now Alan!” All three of them retort.

Dorothy, trusting Tech Sec Man’s summing up of the situation sits down next to him to ride out the attack.  “I never asked your name” she says.  “Mark” he replies, seeming surprised at the enquiry.  “Dorothy” she responds putting out her hand for him to shake.

After what feels like hours, everything goes quiet and Mark volunteers to go outside to see if the coast is clear.  It is.  “Bloody lucky I call that” booms Roger “I want to know how we stop this happening again!” “Actually Roger, if you think back, it’s not luck, it’s exactly what Mark said would happen” Dorothy says in a voice that belies her irritation “and as we were going to explain earlier, we have very little influence over internet attacks, instead we focus on defending ourselves and minimising the impact if we can’t”   Roger is very quiet as they leave the building and Mark has the good sense to hide his smile.  “I still want to know how much this costs” says Alan, but they all ignore him and get back on the road.

Dorothy makes a point of catching up with Mark to thank him. “No thanks needed, honestly” he says.  “I’m pleased none of them broke through”.  Noting her concern he continues “even then we would have been ok.  We have hundreds of attempted attacks or at least people sniffing around our firewalls every day.  Only a fraction of those attempts succeed and we have plenty more ways inside the network to defend ourselves and prevent things causing any significant impact.  “Also” he says with a smile “script monkeys are not very smart”.  Rapidly developing a solid respect for Mark, Dorothy thinks herself lucky he’s along for the ride.

It’s plain sailing for most of the rest of the journey and just when Dorothy is starting to feel really tired, they crest a hill and are presented with the glorious sight of the Pragmatic Palace.

“Here we are” says Mark, “told you it wasn’t too much further”

Between them and the palace is a valley full of beautiful flowers.   On closer inspection, each one is different and each has small words written inside their petals.  Some large and impressive, obviously well established and well nourished.  Others small and delicate.  Yet others gathered up into their own mini fields with protective fences around them.

Soporific SaaS Flowers

“Welcome to the SaaS fields” announces Mark.  These have grown in the last 3 or 4 years into the amazing display you see here.  Go on have a look.  Each one has different qualities. Some can deal with all of your CRM needs, some are robust risk management applications, others allow you to deal with all of your procurement workflow, but many offer something very specific, like the ability to build your own surveys.

Dorothy is intrigued, she’s aware of the growing number of applications for funding to buy SaaS offerings, but doesn’t really have the opportunity to see them up close much.  They are so attractive and so easy to pick!

“Have you seen the price of these!” says Alan.  “A tiny portion of the cost of all the servers you keep buying and staff you keep recruiting to keep our in-house applications running Dorothy.  Think of the savings!”

“Don’t get too carried away” says Mark.  Trying to stop them picking too many too quickly.  “It’s called cloud for a reason, your sensitive data disappears into the ether behind these applications and the ability to track it and get it back is still limited.  Also you don’t know how resilient all the linked together networks are that service some of these things.  Real time monitoring and quick resolution of downstream connectivity problems is still a challenge, so you must be cautious picking SaaS apps for things with high availability requirements.

Don’t forget you have lots of complex interlinked systems.  You will need to invest much thought in working out where you can properly leverage cloud applications to take over functionality.  If you don’t plan well and then start demanding vendors change their applications to work with your own, all cost savings can quickly be wiped out.

Bear in mind too that some of these SaaS apps are still very young and fragile.  Do you want to indirectly fund their development, by helping them weed out the bugs? Equally, how much pain would it cause if a young firm goes out of business?  Contracts are well and good, but it doesn’t get you the application back.

Finally, while most SaaS offerings are secure enough, there will be some that are not fit for purpose for the data you put in them, or, just occasionally vendors will be too cheap or too inexperienced to build in adequate security and resilience.  How will you know the difference?

Each one you pick without proper due diligence adds to your risk and without a robust well understood policy for cloud usage you will see more and more Shadow IT.  Users ducking under procurement and security assurance processes to buy applications, because it is so easy and cheap.  These apps offer marvellous opportunities, but please, balance your risks!”

“Why aren’t they listening” says Roger, clearly affected by Marks words. “This could lead to a regulatory breach and a huge fine” “Possibly” says Mark, “but we do keep a handle on this as far as we are able with limited resource.”

“Stop” shouts Roger at Dorothy and Alan “you need to listen to what Mark is saying”, but it’s too late.  Still with armfuls of enticing SaaS apps, both Dorothy and Alan sink to the ground.  Then Mark and Roger also start to feel groggy.  “Damn” says Mark “It’s the scent of quick, cheap and easy.  It’s lulling them into a false sense of security” and those were his last words before he too threw caution to the wind and succumbed.

Trapped by Fear Uncertainty and Doubt

When they wake up, they are horrified to find themselves trapped in the Cyber Witch’s castle.  Each in a separate cage.  “Don’t try to escape” taunts the witch.  “Those cages are built from fear, uncertainty and doubt, the strongest combination of paralysing forces known to man.  I warned you of the threat of Cyber. My other sister, the Cloud witch, has been warning you of the dangers of careless cloud usage, but she is too weak to be here.  That meddling Sec Tec Man drained her powers with his balanced risk based arguments, but did you listen?  No!”

“Well look at you now” she says before throwing back her head and cackling.  “It’s not all bad news my lovelies, I will set you free, for a price.   I have much to tell you about your Cyber risk and I can show you magical tools and processes that will keep you safe.  If you don’t pay, you will stay in these cages.  Forever fearful that script monkeys, malware beasts or cyber terrorists will break down your old defences and steal all that you value.  “I told you!” said Roger.  “We need to stop these things happening”. Then to the witch “What do you want?”

“The information security fund that you stole from my sister.  All of it.”  Dorothy up to this point has said nothing.  The way the cyber witch talks about the threat makes her doubt the ability of in-house experts like Mark to deal with it, but still she keeps some faith it is not as bad as the witch is making out.  “Dorothy, give her what she wants” pleads Roger. “The rest of the board, our shareholders and our customers deserve peace of mind”  “Hold on” says Alan, “Is this really worth all that money? Think carefully Dorothy”.

Dorothy turns to look at the cage where Mark is trapped.  “Don’t” he mouths, weakened and diminished by the witch’s presence.  It’s no good, thinks Dorothy, this witch will have access to the board.  If I am barely keeping sight of the value of our existing defences, they won’t stand a chance.  Reaching into her pocket, she brings out the cheque and hands it through the bars to the witch.  “You have done well” she purrs. “How wise you are to see that you need better advice and better defences.  With my help, you will have the support of your board and they will see what I can offer is far superior to what Mark and all his ISkins can give you.

And with that she disappears, no doubt to source the promised tools.  At the same moment the cages open and the door to the outside world swings wide.  As they leave, both Mark and Alan are very subdued, whereas Roger catches up with Dorothy and warmly shakes her hand. “Good decision” he says “I think Mark here is a good chap, but we did needed help from a real expert”

Although she is back on the road home and knows a few new tools and a bit of extra consultancy probably won’t hurt, doubts about Board Room security remain.  How is she going to fund Mark’s BAU effort now?  Yes there’s no sign right now of  script monkeys, malware monsters and cyber terrorists,  but without her budget, how is Mark going to maintain all the pre-existing IS services, deal with new threats and implement and support these new tools?

Done is done, she thinks, better to move on and make the best of it, but at the same time she wonders how badly she has let Mark and his team down.

The Wizard of FUD

When they get to the Palace it is magnificent.  They wander through the courtyard blinded by the ornate architecture and stunning decoration.   It looks like they are expected. They are quickly ushered into a sumptuous room.  After a brief wait, curtains that reach the ceiling of the vaulted hall begin to slowly open finally revealing the monstrous image of the Wizard of FUD.   A global information security expert feared and revered by all.

His terrifying voice enquires as to why they seek his counsel and Dorothy tells their story. On hearing of Dorothy’s deal with the Cyber witch the Wizard appears enraged.  Dorothy is roundly criticised, told she is not worthy of his advice and ordered to leave.  Not one to be bullied, Dorothy stands her ground and lets his tirade wash over her.  Mark is useless, he’s too in awe of this man.

Becoming bored with the self-interested monologue she looks around the room and spots a very discrete little door in the wall in front of her.  The Wizard is too pleased with the sound of his own voice to notice her disappear.  It’s only when Dorothy marches into his inner sanctum that he realises the game is up.

“Who are you to criticise us?” she challenges “YOU SHOULD HAVE BEEN MORE CIRCUMSPECT” he booms, but stops and continues in a normal voice when he realises it sounds ridiculous.  “So help us”, she pleads.  “Actually, call me Ian” says the Wizard, “seeing as you’ve got this far”.  “Ian” she says far more confidently  “I have done my best for the security function for many years, but they don’t sell themselves well and it’s a dog eat dog world at budget time these days.  I know some of my choices might seem foolish, but please don’t sit in your ivory tower and judge.  I recognise your deep expertise, so please do me the courtesy of recognising my deep understanding of my firm and the competing financial and political tensions within it.

“Fair play” says Ian.  “I can’t do much about your budget. You’re going to have the chalk that one up to experience, but I can get you home and perhaps help you and your crew gain the right perspective to make better choices next time.  How does that sound?” “Spot on. Thank you”  replies Dorothy and they walk back through to the grand chamber together

Mark literally does not know what to do with himself.  This is a man he only dreamed of meeting.  He can’t help thinking about his years of experience and unrivalled depth of information security expertise surpassed only by a handful of others worldwide.  He’s just about decided the best thing to do is bow, when Dorothy catches his eye, realises what’s coming and makes a throat cutting motion that stops him making an idiot of himself..

“Mark” says Ian…

…and that is as far as he gets, for at that very moment a huge, befanged malware monster crashes straight through one of the palace firewalls.

Witches and malware monsters attack

Not knowing whether to run or fight Dorothy slowly registers a calm voice next to her.  It is CISSPA.  “Let me help you” she says.  “Be my guest!” says Dorothy, “Quick as you like”.  Expecting cannons, guns or at the very least a sword she is somewhat underwhelmed when CISSPA pulls out a net from her pocket.  It is a broad flat net made of some kind of metal fibre “And how exactly is that going to help?” Dorothy hisses out of the corner of her mouth” not wanting to draw the attention of the monster

“This is your information security awareness, defence in depth and incident response net.” Says CISSPA in a calm and reassuring voice. “I found it outside your land of Board Room.  You had neglected it and it was full of holes.  Access holes, network configuration holes, end user computing holes, security awareness holes and holes made by jagged old apps and rapid delivery changes that had forced their way through the net, but I have mended it for you.  Mending it and maintaining it will cost less over time than buying new magic tools and paying for the consultancy and FTE count to make them work.

“Say that again” says Alan, suddenly very interested.

“Err, it’s my what net?” Says Dorothy, not at all convinced.

“Work with me here” says CISSPA “it’s an analogy”.

“Whatever you say” says Dorothy taking a few steps back for every giant step the monster takes towards her.

CISSPA hands the net to Mark and simply says “You know what to do”.  Without a second thought, Mark throws the net with enormous strength and expert aim at the malware monster.  Once captured, the monster quickly shrinks and the palace guard are able to drag it away.

“That was amazing!” says Roger, uncurling himself from the corner where he’d fled when the excitement began.  “Didn’t know you had it in you Mark”

“Yes Mark, that’ was incredible” agrees Dorothy “To be fair it doesn’t always work” says Mark with his characteristic honesty “but it does more often than not”.

Ian then steps forward again. “Mark, before we were so rudely interrupted I was going to say….

CRACK, with a sound now familiar to Dorothy the Cyber witch suddenly appears.  “Oh, what do you want now!?” says Dorothy.  Not a good choice of words as the Cyber witch is boiling with rage.  Striding forward and catching by the lapels of her jacket, she almost wrenches her off her feet.

“HOW DARE YOU!” she roars.  “How dare you undermine my efforts to serve your Board Room residents!”.   The witch is so eye poppingly furious that Dorothy is scared she will be strangled, but again CISSPA steps in.

“Look Dorothy” she somehow whispers in her ear from a good 10 feet away. “Look at Mark” and true enough here he comes, not with a net this time, but with a bucket.  “What the hell is that?” Dorothy manages to croak.

“It’s the accumulated knowledge about your local network and systems and the combined security expertise of your ISkins and I”

“It’s the wha….”Dorothy begins before changing tack “I know, work with you, it’s an analogy.  Just get your arse in gear and do something with it!”

He doesn’t need to be asked twice.  With a warrior yell he rushes the witch and she turns just in time to get the bucket full in the face.

Her screams could be heard from miles around.  She throws Dorothy to one side and clutches at her face “I’m melting!  I’m melting!” she shouts in anguish.  Soon there is nothing left of her but her hat, dress, stockings and boots swathed in dying tendrils of green smoke.

Soaked, but jubilant, Dorothy can’t stop herself giving Mark a thorough hugging.  When she let’s go his face is flaming red.  “Uh thanks” he mutters before taking a few steps away to avoid a repeat performance.

Good advice and the journey home

“Right” says Ian “Third time lucky. Mark will you come here please.  Also you Roger, you Dorothy and you Alan.  I have something to say to all of you.

Mark, you do Board Room a great service every day, but you fear you cannot make yourself understood.  You worry you are not smart enough or don’t have a commercial brain.  You do.  You just need to learn how to use it.  Roger, Alan, will you help Mark to develop his understanding of the business so he can bring you better justifications for future IS spend?

“We will” they both agree.

“Alan” Ian continues “I don’t think you are heartless and no-one expects you to love IT and Security, but will you seek advice from CISSPA if a business case for cutting or increasing the IS budget comes across your desk?  All they ask is a level playing field with profit generating functions.  Not a simple thing to achieve.

“I will” says Alan, somewhat grudgingly, until Dorothy fixes him with a withering stare “I said I will ok!” says Alan, looking like he might sulk for a while.

“And you Roger.  You have to be praised for your diligence in bringing news of information security threats to the board, but will you work with Dorothy, CISSPA and Mark to moderate those messages?  Get some local context for the real level of risk.   Apply some healthy scepticism to things you find in the media and things you hear from your consultants.  Remember, all salespeople, no matter how straight down the line they appear, will use a dose of fear, uncertainty and doubt to close a deal.

“Sounds fair” concedes Roger.

“And last but not least will you, Dorothy, continue as you are.  Showing diligence and open mindedness in balancing risks, costs and benefits and finding commercially viable ways to support the IT and IS function?

“I will” replies Dorothy “and thank you for recognising my efforts, but I will also take the advice offered to Roger and support him to pass these messages on to the board”

“It looks like it’s time to get you home then” says Ian, smiling at Dorothy and offering her his hand.

With that, he waves towards an intact wall of the palace and a previously invisible doorswings open.  Dorothy is amazed to see Board Room just the other size.

As she, Roger and Alan make their way towards the door, she turns and notices that Mark isn’t following.

“Why aren’t you coming?” She asks.  “I don’t belong in Board Room” he said.  I need to stay here and guard the land of the ISkins and all of your defences.  “What about you” she says to the Wizard of FUD?”.  “Me?” he replied.  “I’ll do what I’ve always done.  I’ll keep on top of the best ways to keep you and others safe and I’ll be here if you or your staff need me”

Then, coming to a decision, she turns finally to CISSPA “I realise your home is this strange technical land, but you also helped me gain the perspective I needed on this problem and reminded me of the worth of my staff.   Would you consider joining me in Board Room?”

“I don’t know” replies CISSPA “Will you give me real authority to spread the information security message, manage your IS staff as I chose and trust me to spend the Information Security budget wisely?”.  “I certainly will” says Dorothy.  “In fact a break from being the main security spokesperson would be great.  It goes without saying I’ll be 100% behind you, if you work with Mark and the ISkins to bring me meaningful MI and risk information.  Without that I can’t support your efforts to negotiate with the board”

“Done” replies CISSPA “and you should probably check your pocket again”.  Puzzled, Dorothy reaches down and pulls out the cheque she thought she had lost to the Cyber witch.  “Thanks to Mark’s quick thinking we can now put that to good use” says CISSPA.  “I believe, based on our last discussion, that’s mine”.  With a wry respectful smile, Dorothy hands the cheque over, quashing any small remaining doubts.

Alan and Roger say their goodbyes and go through the door first.  CISSPA turns to go next, but Dorothy catches her.  “Hang on” she says “I can’t keep calling you CISSPA, you’ve got a reputation to establish.  What is your real name?” “CISSPA” says CISSPA somewhat puzzled. “Oh well” says Dorothy “We can work on that before we make first introductions to the board.

Chuckling, Ian gently closes the door behind them, turns to Mark and says “I’d call that a pretty good day’s work wouldn’t you?” “Just a bit!” replies Mark “Thank you for everything, but I must get back to the ISkins.  There’s lots of news to share, plus the small matter of a witch to sweep up and dispose of before I start a rather bizarre incident report”.  “On you go then” says Ian. “and keep up the good work”.

Epilogue

RRRRIIIIIIINNNNNG! RRRRIIIIIIINNNNNG! “Huh…….?! What the?”  On autopilot Dorothy opens her eyes, answers her and immediately wishes she hadn’t

“Where the hell are you!?” the CEO’s voice drills through her tender head.  “You’re late and no-one has been able to contact you!” Thinking on her still pretty wobbly feet she replies “I’ve had car trouble and my phone died, only just got both up and running again”

What time is it anyway? She thinks, looking at the screen of her Blackberry. 10AM! No wonder he’s fuming.

“Just get your arse in gear and get here soon.  You’re lucky, we managed to get hold of your Senior Information Security Officer and she’s doing a pretty good job keeping the board calm in your absence”

Still not sure which way is up Dorothy reaches up to her head and feels the now familiar bump.  It’s still there, but how did I get back here, she thinks, in this layby, with my car?  Perhaps I skidded and hit something swinging in here?  Concussion can make your mind play very strange tricks.  Of course, that makes sense.  But at the same time, it felt so incredibly real.  Perhaps I should swing by the doctors after work, just in case?  Taking a deep cleansing breath and shaking the last of the fug from here head, she turns the ignition and sets off to face the inevitable.

For the first mile, she drives extremely gingerly, but regains confidence and makes it up to the boardroom on the 7th floor by about 10.30.  “Nice of you to join us” barks the CEO.  From that point on she says nothing, watching with increasing respect as Lisa her SISO takes the board through the circumstances of the security breach at their partner company.  Logically and simply she lays out the risk to their company, before saying there’s no evidence their defences were breached, carefully qualifying her summary as investigations were still on-going.  That’s when there’s a knock at the door and who should walk in but Mark.  Looking pretty nervous, he walks to Lisa, hands her a paper, then turns to leave, but not before winking at Dorothy.

She starts.  Did I just imagine that? she thinks, but no there’s a little wave through the glass as well.  She’s shaken by this and isn’t able to make it make sense.

“So ladies and gentlemen, our team have just confirmed we have not suffered any ill effects practically from the breach, but there is still the question of managing customer, shareholder and partner expectations.  We are already working with the corporate communications team to make sure they have enough expert input to do just that. Any questions?”

“One” says the CEO “How do we stop this happening again?” Lisa opens her mouth to reply, but before she can do so, Roger steps in “If I may” he says to Lisa, who nods to indicate he should continue.

“The simple answer is that we can’t Peter”.  He holds up his hand to halt immediate objections “what we can do, is ensure we have robust layered defences, including excellent incident management processes – as demonstrated impressively by the team today –  to minimise our risk of being impacted.  If something should slip through the net…” At this point Dorothy is sure he throws a smile Lisa’s way, or is she imagining things. “….If something should slip through the net, we can make sure the impact is as small and short lived as possible. Back to you Lisa”

“Thank you Roger.  That was an excellent summary of the current position.  I’m delighted this ended well, but that might not always be the case.  Underinvestment has left some holes in your defences.  Your information security staff are all working at or over capacity.  This won’t improve without direct action, so I am building a business case to tackle this over the next two to three years”.

“Shouldn’t we get our consultancy firm to do that?” challenges Peter.  “It depends”  Lisa bats back. “Do you want to leverage your in-house information security expertise, or pay money to consultants, money that could be diverted to fund security improvements?  I’m not questioning the value of expert consultancy.  It can quickly fill gaps in our knowledge, but will always come with a pitch for afterwork, diverting yet more funds away from BAU information security services”

Dorothy can see Peter is mulling this over.  This can go either way, but then Lisa expertly closes him down.

“How about this Peter; I show you a year on year improvement in our security status, if you approve Dorothy to up my budget by 15%.  You, then cut your specialist consultancy budget by the same figure.  This will work.  I’d bet my CISSP on it”

That made Dorothy’s ears prick up.  Squinting at her SISO she turns her head to one side…maybe, in the right light?  Stop that right now! She thinks, firmly quashing more crazy thoughts.   .

“I admire your guts young lady. Dorothy, you could learn a thing or two from this one! Ok,  let’s give it a shot” and with that he calls the formal business of the meeting to an end.

Roger makes a point of catching Lisa on her way out, thanking her for a prompt response to the incident and an excellent presentation.  He then respectfully asks that she let him know when plans are finalised so they can talk it through. He tells her he’s keen to help get this past Alan in finance and sponsor the work

Still deep in conversation, they leave together.

Dorothy suddenly realises she’s the only one left in the room.  Still not feeling quite herself she pinches her arm.  Yep, definitely not dreaming.  Time to get on with the day.

When she gets to the lift she’s pleased to see Lisa still waiting.  She can’t let her go without thanking her too.

“That was an impressive performance Lisa” Dorothy says with complete sincerity “I think we’ve been wasting your talents” then she pauses and adds with a wry smile “and you saved my skin today”.

“I know” Lisa replies with disarming grin.

“If you’ve got a minute I’ve got something else to discuss”

“Sure” says Lisa, “fire away”.

“Well” says Dorothy “I had a bit of an…er…epiphany on the way to work this morning and realised we could really do with a CISO, a CISO with a seat on the board.  Do you think you’d be interested?”

Lisa thinks for a moment, then her smile widens. “I’d be delighted Dorothy.  In my humble opinion you, me, Mark, Roger, Alan, my ISkins and a certain world famous IS expert will make a pretty unbeatable team. But now I really must dash.  Outside of our BAU effort there’s mounting excitement amongst board members about cloud security and Shadow IT.  Media hype is rather fanning those flames, so I’m rounding up our accumulated in-house IS expertise to throw a bucket of water on that as soon as possible”

“Does that make sense to you?” she asks, with a cheekily raised eyebrow.

“Uh..yep..you..er..do that” stutters Dorothy, starting to feel quite unbalanced again.

After stepping into the lift, Lisa turns back, concerned. “Are you ok?” She says as the doors begin to close, “because that’s very big bump.  You’ve got to watch out for concussion, it makes it very hard to tell what’s real and what’s not”.

“You can say that again” mumbles Dorothy to the departing lift, at the same time pulling out her blackberry and hoping that her doctor can fit her in soon.

Want to add to the discussion?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s