Monday, 16 Mar , 2015

Why Urgency & Budget Beats Security – 2015 Remix

It’s out! The all new Trustwave Security Pressures Report.

Last year 80% IT pros felt pressure to deliver insecure IT solutions. What’s changed?

Ohhh, this one never gets old! This post was first published over a year ago, when Trustwave last reported…. GREAT NEWS! That’s now down to…wait for it….77%!
There are lots of other ‘interesting’ findings in the Trustwave Report (PDF). Here’s a great summary from Norsecorp. Having absorbed that, it would be customary to tweak a re-released blog post to fit the new info. Absolutely no need. This is (sadly) just as relevant now as it was then.

It’s a long-standing cultural issue and a dramatic false economy. Jane Frankland highlighted it in a paper 10 years ago (one she is likely to update and re-release). At that time she quoted the 2001 IEEE estimate that bug-fixing after release costs up to 100 times more than fixing in-flight.
That figure needs to be viewed in proper context (WhiteHat Security’s Jeremiah Grossman notes that bugs are not the same as vulnerabilities and challenges its accuracy), but it’s quoted so far and wide because it contains a huge dose of common sense we all identify with.

So why is this an almost universal problem?

In my opinion, this issue has been so persistent and so pervasive because the associated risks are rarely (if ever) handed over to the owners of post-implementation services.
I don’t mean the IT bodies, I mean executive business owners, the ones in the financial, regulatory or operational firing line if the service fails, or unfixed problems lead to a security breach.
Most of this is relevant whether you are engaging suppliers and designing solutions for internal use, or putting together something to sell…except that question of risk ownership. In the vendor world, the risk is largely handed off to the customer. I’ve picked that discussion up in a separate post: “Are IT Vendors Being Paid To Fail?”
Bugs, vulnerabilities and non-compliant controls are created or discovered at a specific point in time, often out of sight of anyone in authority who cares. The PM, who naturally has his eye on the bonus prize, will also be under constant pressure to deliver on time.
Can we pin all of this on PMs? No. It is about the relationship between security and the board: how well change and procurement security risk is communicated, and how open the board is to listening. If those conversations are not working, bad behaviours, with no evidence of quick consequences, won’t stop.

What can you do about it?

Here’s my take on one way forward, while being mindful that the business has to make money and risk assessments have to be realistically weighed against potential benefits. Critically, ensure your security assurance processes enable you to engage early (pre-initiation if possible). The typical challenge is “We don’t have enough detail in the design yet”. Not a problem.
An early triage questionnaire for scope need only be a handful of very high-level questions. The questions can be built in as a mandatory self-service project initiation activity (if you design it cleverly). If the procurement or project team don’t know whether the work will involve any of the following, they should find out:

  • Confidential data
  • Credit cards
  • In scope SOx systems
  • New/existing Ecommerce Sites
  • Data handling offshore
  • Messing with high availability systems/processes
  • New suppliers
  • Significant changes to contracts with existing suppliers

Getting in early – key practical steps & aims:

  1. Getting formal buy-in from all interested parties before you start (risk, legal, IT management, business unit CIOs etc). If work skyrockets or staff numbers get cut, having sign-off for an agreed assessment scope opens the door to conversations about flexing resource and deliverables.
  2. Discarding things from scope that pose little or no risk as early as possible.
  3. Saving time spent on detailed triage, by only targeting entities linked to more inherent risk.
  4. Delivering relevant security requirements to projects and procurement teams, before plans take shape and budgets are spent e.g. for pen testing, SOx compliance, PCI DSS requirements, referral for supplier security due diligence.
  5. Pitching the overall assessment scope to balance available resource with inherent risk appetite.
  6. Enabling arm’s length oversight of moderately risky projects, by confirming control requirements and creating clear triggers for re-engagement. Triggers linked to a repeat of the high level triage, done at key project stages, to pick up new or increasing risks.

If stakeholders don’t feel comfortable with entities being put out of scope, assess on request. Make it clear what else has to be de-prioritised or de-scoped. If stakeholders don’t want to flex existing scope or resource, cross-charge the extra resource to the project sponsor requesting the work. When risks emerge, as they will, there needs to be a governance structure ready to deal with them.
With systemic issues like persistent late engagement by security (or lack of engagement with security by projects), changing things is likely to be an uphill struggle. Things have probably become reactive and political. However, there is a duly diligent way to claw things back, despite ROI for security spend being extremely hard to prove:
Build consideration of outstanding risks into key project gating meetings and procurement process steps. Then (as a final backstop), into go/no-go decisions. Use the ultimate service owner/supplier relationship manager and the project team to predict operational fallout, and risk SMEs to input the regulatory and reputational risk perspective. Take the output to the exec sponsor to get sign-off.
However, that doesn’t guarantee things will get fixed. You sometimes have to revert to the very un-illustrious path of rock-solid “I told you so”, by ensuring it goes on a risk register with regular review by that same sponsor. Make sure potential impacts are kept up to date and made clear in plain English. At some point there will be a related incident which will focus some minds and may generate the sponsorship needed for a culture change.

Is all the effort worth it?

One natural effect is significantly improved security awareness. It isn’t pure osmosis. While rolling this out you must have visible executive sponsorship, a good communications plan and excellent awareness sessions for all senior and operational stakeholders. Early in the second cycle, calls begin to come in:

“I think you need to be involved with this project”

“Can you help with due diligence for this supplier?”

In other words, the security holy grail. Informed, proactive engagement while there is still time to make a difference.
At about the same stage, statistics from assessments accumulate to the point where trends and persistent hot spots can be identified. Some senior staff will be impatient (expectations have to be carefully managed), but the impact, when meaningful MI is delivered, can be game changing: visible dropping of shoulders, constructive questions about on-going operation, less fear and uncertainty, more collaboration and debate.
Assessment, remediation and risk management activity carries on in the background, evidencing a month-on-month improvement in baseline security. This isn’t a pipe dream. I’ve seen it happen. Is there a better way…maybe, but while assurance teams are under the cosh, projects are ever more squeezed for time and money (not to mention the growing use of Agile methodologies) and folk are accumulating ever more suppliers, it’s a solid and cost-effective approach.

But it’s all a question of culture

If security doesn’t hold the right place in the minds of decision makers. If security folk are persistently seen as the grit in the business machine. If it’s a low margin, crowded, and poorly differentiated market where privacy and security are not natural additions to the value proposition…
…well I’ll let you draw your own conclusions. Conclusions that are only likely to be challenged by an event that focuses minds. Too late for customers, but perhaps the next breach induced security-go-round will land something that takes root.
The usual caveats apply. This is entirely my opinion and does not reflect any past or present employer or necessarily represent their opinions.
