
Friday, 25 Mar , 2016

Death, Taxes & Security Transformation


Out with the old and in with the new. Musing on a personal and #InfoSec transformation

My sister and I have recently finished emptying our Mother and Father’s house. Those who followed me in the early days know the blog was initially as much about fighting her pancreatic cancer as security. 18 months on, after two sales dropped through at the last minute, the house is finally sold. That left nowhere to hide from the job of deciding what we individually keep, sell, store, or dispose of. Anyone who’s been in a similar situation knows it’s the mundane stuff that floors you. The pairs of glasses found in odd places, because she ALWAYS lost her glasses. Old cigar boxes he kept ‘just in case’, some empty, some full of ‘stuff’. The handwritten recipe escaping from the pages of an old cookbook. Her expired passport in a handbag, waiting to be renewed for the holiday she never got to take. That kind of thing.

There was also a mountain of tax and accounting paperwork. She ran a holiday let business, and (being an ex-company accountant), every ‘i’ was dotted and ‘t’ crossed in tree-exterminating detail. Not to mention the books, towers of books, with more value than the words they contained. It was something that tied the family together. A passion for both classic and well-written popular fiction, plus factual texts of myriad flavours. Things discussed, shared, laughed about, and pored over.

While dealing with that I’ve also been reflecting on security consultancy challenges. More specifically, hitting the ground running when you start a job, and dragging coherent, actionable sense out of seas of information.

To say it’s been a time of psychological gear changes is to put it lightly. My mental landscape kinda feels like a kaleidoscope in the hands of a hyperactive toddler. And out of those shifting colours, a common theme started to emerge:

Racing to recognise material and qualitative value against a backdrop of rapid change

Switching to the InfoSec context, the biggest challenge on entering any firm is to understand the lay of the technical, procedural, structural and cultural land…well it is if you aim to deliver locally relevant help, rather than a ‘what worked last time’ cut and paste.

The successful creation of fit-for-purpose security capability depends hugely on quality of information available, time allowed for acclimatisation, and how long stakeholders expect to wait for results. Different stakeholders, with different bits of skin in the game, will give you more or less time to prepare vs deliver. That picture also hinges on history. Have you been airlifted into a post-breach maelstrom, or exec driven audit point closure drive? Are you arriving after decades of underspend, or when the security function is seen as overfunded and top heavy? Do the board accept the fundamental role played by security, or have a passing interest stirred up by media FUD, consultants, or regulators?

Embryonic reputations grow or die based on how well new and existing staff manage expectations and balance those BAU, fire-fighting, and strategic development priorities. The people, processes, tools, and vendors blamed for current noise are often casualties of the race for recognition. Deciding how much blame is justified, convenient, or just plain unfair is tough when you are just through the door. Delving into root causes can be seen as a negative…causes might have been miscast as excuses and the remit is to fix things, so roots often remain. Cracks in foundations that can make new growth shaky and invite history to repeat.

Culture, people, and best laid plans

Given the average tenure of a CISO is reportedly 18 months, and folk commonly estimate 3-5 years to change company culture, there’s an obvious problem here. Some are savvy and influential enough to create stock-taking space, some try, but are defeated by prevailing politics, and others already have an eye on the next prize and routinely indulge the alpha lion urge to kill their predecessor’s young. A cycle of perceived or real failure, consultant feeding frenzies, new brooms, and culls.

Circling back to the personal, how do we know what to save? How do we do our ancestors’ effort justice? Is the balance between tradition, future focus, and a desire to just be done with it, well struck? That might be as mundane as sorting paperwork, or as emotive as disputed ownership of the most important things. The critical things are time and scrupulous honesty. Looking forward to imagine a future with or without particular things. Being brutal and clear on what’s really needed, versus crumbling in the face of the overall task.

And there is the crux. That split focus. Head, heart, and guts. Keep, bin, defer. Things you can change and things you can’t. Finding space, information, and clarity of mind to differentiate, with the right locally knowledgeable people.

In more formal terms:

  • Staff status quo: remit, experience, skills and workload
  • Current security status: Latest reports to all stakeholders, risks, compliance findings, audit findings and incidents
  • Business priorities & strategic objectives: What’s driving and set to drive security requirements and appetite to get it right.
  • Information assets: Paper, structured and unstructured data. What, how much, where, and who owns it.
  • IT assets: Network, web, server, database, endpoint, mobile, media, documents, software.
  • Security assets: Software, tools, services, both in-house and vendor supplied.
  • Owners: Risk, System, Service, Control and Supplier Relationship owners. Sometimes embodied in the same person, sometimes individually owned.
  • Vendors & strategic partners: Who provides what, where do in-house/outsourced responsibilities split, how well have those responsibilities been defined and how well is delivery managed.
  • Processes & process supporting tools: Vulnerability and threat management, SOC and non-SOC incident management, access management, physical security management, business continuity/disaster recovery management, code management, key management, vendor security, change security, compliance management, risk management. SOC tools, GRC tools, access governance tools, incident management tools.
  • Policies & control frameworks
  • Applicable legislation & regulation
  • Governance and lines of defence: Which masters must be served, what do they get, and how often? 1st line risk, 2nd line risk, internal and external auditors. Who has most influence, what are the cyclical reports, are they fit for purpose, and is there appetite to change things?

Lack of precedents, standards, visionaries, and planners

Small wonder balls get dropped, dependencies get missed, and plans (created in first flush of new-start optimism) develop slippery delivery dates. The best antidote to that is an independent set of eyes. Someone without long term skin in the game, someone who’s worked through it before, someone free of operational responsibilities, someone who can see bigger pictures, define achievable aiming points, foster support for the planned future, and see the incremental steps required to get there. The trouble is those people are few and far between.

The security industry is still young. Best practice for security function structure and staffing is far from settled. Skill-sets and performance benchmarks are evolving past attempts to add standardisation. ITIL and NIST lessons are good ones to borrow, but are necessarily generalist.

Just like our personal challenge, the fact that it’s such a common occurrence doesn’t mean the best ways to cope are common knowledge. We wished someone could step in and help us, because each step was at risk of growing out of all practical proportion, but the fact is, for us, no-one could. The task of closing one life chapter and moving to the next is all about local culture and the people who understand it. Culture that you can’t wave a magic 2-quarter wand to transform, no matter how many top-flight technical people you recruit.

The better news for businesses on that security transformation journey is that more people get their history. Pre-existing stars freed up to invest their local knowledge. Strategic visionaries. Programme managers who can make the vision real. And risk-focused communicators who reassure stakeholders that a difference is being made. Some of those skills are still hen’s-teeth rare, but the need for them is better recognised. What’s tougher to find are CISOs and ultimate budget authorisers who see that need in a function still mainly viewed as a technical offshoot of IT.

That’s a whole other challenge. Persuading CXOs that good enough security will never come in a vendor stamped box, and improvement will be a long incremental journey that the whole business needs to support.

I was concerned that some might think it mercenary to twin this very personal story with a professional post. My sister gave her unconditional approval to do so, and when all’s said and done, it’s up to us. Just like for newly appointed CISOs: There are no fully reusable precedents, and each experience is distinct from the last.
