…at least for a while.
I wrote about business culture eating cybersecurity for breakfast in four sizeable parts last week. This is the partner post promised, including suggestions and pleas for change (while respecting the fact that change requires a long-term commitment).
But back to that title…what do I mean? I mean that many firms have been pushed some distance from reality when they talk about and report on security. The upshot: smoke, mirrors and handcuffs on people begging to throw their weight behind constructive plans. Here’s one very practical symptom of that:
Are you familiar with this? Everlasting greenish reports and risks shared with stakeholders month after month, quarter after quarter. It’s something I explored in more detail in a post entitled Schrodinger’s Risk.
It is a very tangible symptom of a broken security culture. It indicates that history and politics have hobbled the people in charge of keeping your business safe from hackers, malware and staff misadventures. No-one wants to see a green risk turn red, but that’s exactly what should happen to some if the truth is allowed to come out. The noise that creates can be deafening and often messengers are held at gunpoint, if not summarily executed.
The eventual result is lies, damn lies and statistics (a neat segue to Jerry Bell’s excellent Peerlyst post on bias around stats), with occasional blips when expensive external experts are allowed (usually prompted by an incident or audit) to give you a glimpse at the truth. Consider this 2007 article quoting Jason Spaltro, Sony’s then head of security:
A company relies on legacy systems to store and manage credit card transactions for its customers. The cost to harden the legacy database against a possible intrusion could come to $10 million. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,”
Sadly that reflects real legacy attitudes to security related business risks, allowing for the fact we categorically have to make some risk-based compliance compromises (something the rest of that CIO Online article rationally explores). My informal benchmark for a reasonable vs. unreasonable compromise (a.k.a. risk acceptance) is how much it reminds me of this scene from Fight Club:
A tad uncomfortably relevant in a month where hacked cars and resulting recalls crashed hard into the mainstream media.
If risks are poorly stated, ignoring broader tangible and less tangible impacts, it allows security debts to accumulate and can scupper current staff who want to pitch for budget to do better. They’re caught between the devil and the deep blue sea – tell it like it is and get nailed for not previously doing so (or for your predecessor not doing so) vs. sustaining the half-truth status quo and maybe being outed as a liar by a hired gun or an incident.
My plea to businesses on this front: Have a risk amnesty. Create space for your best and brightest (perhaps with some selective help from kosher outside specialists) to ensure you get the whole truth. I suggested a place to start in this post. Then be ready to accept things are broken and will likely need capital spend to recover from the state you’ve let them get into.
The biggest part of that? Bump the blamestorming on the head. It might lead to some uncomfortable conversations with recipients of old reports, including regulators, but…
Would you rather do the mea culpas proactively and constructively, or wait until you’re under the full post-breach (Sony, OPM, Ashley Madison, Carphone Warehouse) glare of the social and mainstream media?
What’s to be done?
Suggested ingredients in a recipe for improvement, focusing on people and things driven by people (it will be warm bodies rather than machines that enable first steps on the journey towards culture change):
A commercially savvy, deeply knowledgeable, risk vs compliance focused and broadly experienced security leader. One who has the means to garner and retain enough political currency to resist spurious demands and demand time to build sustainable and repeatable technical, procedural and governance solutions. Someone who shelves the new broom long enough to understand what’s right with the security management status quo and invests significant time in understanding the business as a whole.
Buy-in across the board
Time needs to be made to listen. All groups from the board down have to give themselves permission and space to be educated. If you pick the right security leader they will be talking your language. Most notably admitting security isn’t as important as many externals and vendors tell you it is – won’t that be a refreshing change? What can feel like constant bleating and scare mongering from security is usually because they’ve been squeezed for years beyond squeaking point and felt they had no option but to try and shout.
In that same vein, resist the urge to shoot messengers and try being less impatient about getting things fixed. You don’t materially increase your risk of a breach by waiting 3 months instead of 3 weeks to solve a 5 year old problem.
Keep an eye out for surprises
You need a subset of security staff with the skills and freedom to check the horizon for threats and resulting risks that might not relate to ANY pre-existing concerns (or be detectable by any of your existing or lusted after tech solutions). For that, hacker skills and knowledge of what goes on in the real cyber world are not a nice-to-have, they are a need-to-have.
People risk, education and communications nous
There have to be staff who understand the motivation and modus operandi of both insider and external threat actors as they apply to manipulating both people and tech. Guys and girls who should stand with one foot in the security camp and the other in the business. Able to translate the tech and stats into language and content that grabs attention. People who really can (to use that overused phrase again), act as your human firewall, change hearts and minds and in doing so enable others to do the same.
No more “Recruiter says no”
In this era of cyber skills shortages (“REALLY?!” I hear you cry, “never heard that before!”), we need to shout louder about good recruiters and bad recruiters. We also have to push back when ticking qualification and acronym boxes outweighs assessment of potential. Also consider the fact your HR function may not be well suited to recruiting security experts for you, either in terms of skills assessment or in terms of benchmarking pay and rewards. Network with industry peers and push people out of the picture if they are doing your business and great candidates a disservice.
We are gasping, in my opinion, for a review site for security recruiters that both businesses and candidates can contribute to. Some nominally exist, but none include experience and capability profiles and practical assessment mechanisms put together by experts in the trade. Profiles and assessments that could be freely shared and improved by the people who know what makes a great security leader and excellent specialist staff of various flavours.
Our critical cybersecurity friends
An audit team with at least one or two security specialists with knowledge to rival that leader, who are given space and time to regularly update their view of real risks and industry good practice, rather than the usual tickable boxes. How (I asked, openly inviting responses, in this past post) can a line of defence judge the adequacy of something they don’t understand? Blind application of compliance benchmarks without grasping the ‘why’ has caused more than its fair share of problems.
Then, to top that off, you need regulators to do the same: invest in and retain folk with top-notch current security smarts and give them leave to be pragmatic and patient – qualities essential to oversee a field as quickly evolving as security.
There also needs to be explicit acknowledgement of the role played by culture. Reported standards of security are utterly dependent on rafts of controls operated outside the security function and risk decisions made by a plethora of different stakeholders. That evolution of the regulatory relationship can’t be influenced unilaterally, but if a critical mass of influential bodies have the right conversations, relationships can be shifted in this direction.
Risky risk management
We have to have risk functions that get the difference between financial, IT and security related risks, especially the huge quantification and probability estimation challenge (the risk system asking for operational risks in pounds and pence and percentage probability doesn’t make it doable). There’s also a gulf of difference between a ‘data loss-ish’ risk bubble on an executive risk map and the plethora of contributory and interlinked people, process and technology related vulnerabilities/threats/incidents that can influence its status.
Judge ye not lest thee be judged
Your financial risk management experience is not producing a useful yardstick as I explore in depth in this article. I can’t, as I pointed out then, offer a magic way to draw a direct line between high and low level contributory risks. That’s because there isn’t one – it’s a many faceted matrix relationship that can only start to be explored with complex models and more reliable data than we have at the moment. There are firms making inroads on that basis who may soon be able to help (if the information shared with insurers doesn’t give them a view they protect as IP first).
What you can do is take a coherent look at high level risks with key stakeholders. Then explore what the business may or may not deem tolerable. Insight that feeds into a rational spending strategy. The methodology that stands out for me is FAIR (Factor Analysis of Information Risk).
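To make the shape of that kind of analysis concrete, here is an added example that is not part of the original post and not FAIR’s own tooling: a simplified Monte Carlo in the FAIR style, where loss event frequency and loss magnitude are each estimated as a low/most-likely/high range rather than the single “$1 million” figure in the Sony quote above. All function names, distribution choices and the scenario figures (breach frequency, per-event loss, a $10M control amortised over five years) are constructed for illustration; the output is a loss expectancy plus the tail percentiles that help a board decide what it considers tolerable.

```python
"""Illustrative FAIR-style loss simulation (added example, not from the original post).

FAIR decomposes risk into Loss Event Frequency and Loss Magnitude and
estimates both as ranges. This simplified Monte Carlo follows that shape;
the triangular distributions, the helper names and the sample figures are
constructed for illustration and are not the Open Group FAIR standard.
"""
import math
import random
import statistics


def _poisson(rng, lam):
    """Sample how many loss events occur in one year given an expected rate (Knuth's method)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(freq, magnitude, iterations=20000, seed=2015):
    """Return a list of simulated annual losses.

    freq and magnitude are (low, most_likely, high) triples for loss events
    per year and loss per event. Each is drawn from a triangular distribution,
    a simple stand-in for the PERT shapes FAIR practitioners tend to use.
    """
    rng = random.Random(seed)
    f_low, f_mode, f_high = freq
    m_low, m_mode, m_high = magnitude
    samples = []
    for _ in range(iterations):
        expected_events = rng.triangular(f_low, f_high, f_mode)
        events = _poisson(rng, expected_events)
        samples.append(sum(rng.triangular(m_low, m_high, m_mode) for _ in range(events)))
    return samples


def summarise(samples):
    """Annualised loss expectancy plus the tail figures a board should actually see."""
    ordered = sorted(samples)

    def percentile(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "ale": statistics.fmean(samples),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "max": ordered[-1],
    }


def control_decision(before, after, control_cost, years=5):
    """Compare annualised risk reduction against the annualised cost of a control."""
    benefit = before["ale"] - after["ale"]
    annual_cost = control_cost / years
    return {"annual_benefit": benefit, "annual_cost": annual_cost, "net": benefit - annual_cost}


# Constructed scenario echoing the legacy-database story quoted earlier: notification
# alone is ~$1M, but regulatory, remediation and reputational impacts widen the range.
LEGACY_DB_UNHARDENED = simulate_annual_loss(freq=(0.2, 0.5, 1.0), magnitude=(1e6, 3e6, 10e6))
LEGACY_DB_HARDENED = simulate_annual_loss(freq=(0.02, 0.05, 0.1), magnitude=(1e6, 3e6, 10e6))

if __name__ == "__main__":
    before, after = summarise(LEGACY_DB_UNHARDENED), summarise(LEGACY_DB_HARDENED)
    for label, s in (("unhardened", before), ("hardened", after)):
        print(f"{label:11s} ALE ${s['ale']:>12,.0f}  p90 ${s['p90']:>12,.0f}  p99 ${s['p99']:>12,.0f}")
    print(control_decision(before, after, control_cost=10e6))
```

The point of the exercise is not the exact numbers, which are made up, but that the decision changes once the per-event loss is stated as a range that includes more than notification cost and the control spend is spread over its useful life. The tail percentiles are what turn a “green” single figure into a conversation about what the business can actually tolerate.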
Nail the basics
Until then there’s a strong argument for viewing effective control operation as an acceptable benchmark for a sizeable subset of controls. You have plenty whose value is in no doubt to get right before fretting too hard about costed risk reduction delivered by the latest machine that goes beep: access management, vulnerability monitoring, vulnerability management, data governance, incident management, change assurance, supplier assurance, security education – to name a few.
If you benchmark the starting point in terms of detectable risk indicators (e.g. poor passwords, clicked phishing mails, outages, helpdesk activity, pre-release bug fix/post-release issues, device loss/theft, unauthorised accesses, unauthorised data transfers etc) you start to gather data on the difference improvements might be making. Data to inform development of a broader strategy.
Mapping the path to mature security
Overall there has to be recognition that security is a journey not a destination. In the beginning the most critical activity is creating a reliable map that properly reflects your threat and vulnerability landscape.
There’s a reason why maps were so highly valued in the early days of sea and land exploration (an era analogous to our current IoTed, perimeter agnostic, direction-poor, piecemeal solution overloaded cyberworld), but most folk are only just working out we’re not going to sail over the edge. No matter what anyone says uber sophisticated billion dollar breaches are not 10 a penny.
Alex Stamos (formerly CISO at Yahoo, now at Facebook), agrees in this recent Gizmodo article. Then he and others draw out a useful list of some basic security priorities.
Hiring a big ship, sticking the chap with the best hat at the helm and pointing it in a popular direction hasn’t worked out too well for us so far. Something explored by Robert Duncan, CISO of Euronext, in this post (outing the fact you get comfort, but not necessarily security when all comply the same way) and one by my good friend Claus Houmann here (looking at that helmsman role as analogy for security leadership).
So let’s invest in recruiting and developing an experienced crew, start charting the security territory, use assessment of local risks as a compass, then head in a chosen direction for more than five minutes. That may give us a fighting chance of gaining momentum that promotes secure business growth.
Cartographers and guides
There are some fantastic organisations and initiatives out there who tackle this culture question head on and there are mountains of insights to borrow from the more general guides to building positive working environments and constructive medium/long-term strategies. On the security-specific front I list a number in this LinkedIn post.
What I find deliciously and positively ironic is that a new wave of awareness raising experts (improving education and more general communication based on sound psychological principles), may end up driving the seismic shifts some businesses need.
Ironic because ‘security awareness’ has so often been an afterthought. A quarter of the day job for a busy pro, or a quiet corner to shuffle a less favoured staff member towards on their way out of the door.
Thank goodness all of that is changing. As I said in Information Security Buzz when asked about ways to improve culture:
Distrust is a natural response to rules and regulations that are imposed in a language you don’t understand, a sentiment often compounded by weak justifications that make no business or personal sense. By contrast, understanding quashes prejudice and opens the door for respect and trust – essential ingredients when trying to embed constructive consideration of security throughout an organisation.
Can we regulate and oversee our way round all of this? Perhaps in part. If we start to be honest about the critical role played by culture in building good enough security, create some rational maturity indicators for that and guidance to improve it. Then we need to free all of our lines of defence from the half-truth delivering trap they’re in.
We’ve also got to learn what a great security leader looks like and ditto great security staff, then set them the task of bringing the board along for the ride. But that won’t make a blind bit of difference if there’s not equivalent quality and depth of knowledge in audit functions and regulatory bodies.
That, all of that (including the preceding four-parter) is why I grew weary of listening to all of the snack-size ephemeral security advice. However there is light at the end of this tunnel. A light you ignite through superb and patient communication. That’s how we start to bridge the gulf between great ideas and sustained secure reality.
Ignoring the length of that journey and blaming everyone else for piecemeal and transient results is – at least to my mind – the most significant weight holding us back.