This blog has been renamed

Wondering why things have gone so quiet lately?

The bloggings continue apace over at https://secawareblog.blogspot.com/ 

Unless you intended to drop out,
please update your blogrolls,
blog trackers, bookmarks or whatever.

Otherwise, goodbye
and thanks for all the fish

This blog is moving to a new home.

Future blog postings will appear as if by magic at:

 
https://secawareblog.blogspot.com/  

To continue receiving this stuff, please update
your bookmarks and blog aggregators accordingly.

 

Rest assured: the bloggings will
continue until morale improves.

 

We have migrated the content as far back as 2007
to the new URL just in case it remains of interest or
entertainment value to anyone.  Paleontologists maybe.

You can browse and search for keywords
at the new URL just as here.
It's the same, only better-er.

If you've had enough already,
this is your big chance: do nothing
and this will be the last blog piece
you'll receive from me.
Chillax.
Don't even lift a finger.
The present blog URL will disappear
in a puff of logic at some point.

 

In the immortal words of Douglas Adams' dolphins,
so long and thanks for all the fish.

Control is ...

 

 

... technical, physical, procedural, legal, social, mechanical, economic, political ...

... applied to processes, systems, machines, people, quality ...

... [a] "measure that maintains and/or modifies risk
Note 1 to entry: Controls include, but are not limited to, any
process, policy, device, practice or other conditions and/or
actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the
intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]

... a volume knob that goes all the way to 11

... automated, semi-automated or manual

... an illusion induced by acquiescence

... preventive, detective or corrective

... avoiding or preventing badness

... what happens in the tower

... defining and applying rules

... an action/adventure game

... an availability challenge

... an engineering solution

... local, remote or hybrid

... hitting the sweet spot

... about mitigating risk

... keeping within limits

... a means to an end

... binary or analogue

... providing direction

... setting boundaries

... negative feedback

... power superiority

... being in charge

... being resilient

... an impression

... management

... containment

... proportional

... governance

... oppression

... confidence

... an illusion

... unreliable

... constraint

... regulation

... assurance

... imperfect

... influence

... coercion

... mastery

... the key

... stability

... a belief

... a state

... power

... fragile

... costly

... a key

... finite

... rules

... key

...

The business case for security strategy and architecture

The business benefits of developing an information security strategy and accompanying security architecture/design include:

 

• Being proactive, taking the lead in this area - more puppeteer than puppet;
  
  
• Designing a framework or structure to support the organisation's unique situation and needs;
  
  
• Positioning and guiding the management of information risk and security within other aspect of the organisation's architecture/design e.g. its IT and information architecture (showing information flows, networked systems, databases, services etc.), complementing and supporting various other business strategies and architectures such as cloud first, artificial intelligence, IIoT, big data, new products, new markets ...);
  
  
• Providing a blueprint, mapping-out and clarifying the organisational structure, governance arrangements and accountabilities for information risk and security relative to other parts of the business such as IT, physical security, Risk, legal/compliance, HR, operations, business continuity, knowledge management ...;
  
  
• Defining a coherent sequence or matrix of strategic initiatives (projects, investments, business and technology changes ...) over the next N years, embedding information risk management ever deeper into the fabric of the organisation and strengthening the information security arrangements in various ways (e.g. systematically phasing-out and replacing aged/deprecated security technologies while researching, piloting and then adopting new ones such as blockchain and post-quantum crypto);
  
  
• Driving the development and maturity of the information risk and security management function, covering its priorities, internal structure and external working relationships, governance etc.;
  
  
• Bringing clarity and direction (focus!), reducing complexity and uncertainty associated with myriad 'other options' that are discounted or put on hold;
  
  
• Seizing opportunities to align and support various departments, processes, systems, partners, projects/initiatives, budgets, plans etc., finding and exploiting points of common interest, avoiding awkward conflicts and gaps;
  
  
• Identifying key objectives for information risk and security - important for ISO/IEC 27001 and security metrics;
  
  
• Motivating yourself and your colleagues to think beyond the immediate task list, broadening perspectives and extending timescales.
  
  

A full-blown multi-year security strategy and architecture can work nicely, particularly in larger, more complex and mature/stable organisations whose senior management appreciates or needs the long-term grand view, the bigger picture - provided they have access to the particular expertise needed to do justice to this topic anyway. Strategy is perhaps the most difficult and risky part of information risk and security, as it is for other aspects of enterprise management. 

 

If you're still not convinced, consider that not preparing a security strategy and some form of security architecture/design may be even riskier and costlier in the long run. Failing to plan is planning to fail. Maintaining a state of 'creative chaos' - meaning a purely reactive event-driven approach - is suboptimal. However, with no clear objectives in mind, it may seem OK to those in the thick of it, far too busy treading water to scan the horizon for land. 

 

Can I throw you a lifeline? 

 

Google! Study hard. There are tools and techniques to help with strategy and architecture, just as there are for information risk and security management. Seek professional help if you need it. 

You might for instance start simply by (literally!) sketching out whichever areas of information risk and security management matter most to your organisation, exploring the relationships among them and the obvious links with other areas such as IT and HR. Think about the security processes/activities and systems, paying special attention to the organisation's pain points. Gradually refine and extend the rough sketch into a blueprint encompassing broader aspects such as business objectives and resources ... and pretty soon things magically emerge from the mist. 

Now comes a vital step: debate it with your colleagues. Talk it through. Listen carefully to their questions, objections and concerns, pushing back a little by exploring their strategies, architectures and ideas, steadily refining yours. This is a team game. Take your time.

As the vision takes shape, raise the discussion to senior management levels ... and at that point I'll slip quietly away, job done. 

 

Must dash: others adrift, gasping.

Risk is ...

 

... when threat exploits vulnerability causing impact

... tough to measure, express and control

... the product of probability and impact

... the gap between theory and practice

... the root of pessimism and optimism

... the once-in-a-hundred-years event

... known and unknown unknowns

... needing seatbelts and airbags

... a hair's breadth from disaster

... the possibility of exploitation

... mitigated but not eliminated

... a factor to be borne in mind

... inevitable in the Real World

... what keeps us up at night

... not going entirely to plan

... outcome =/= prediction

... rarely good, usually bad

... rarely bad, usually good

... surprisingly complicated

... looking down the barrel

... necessary to get ahead

... expectation <> reality

... stepping into the dark

... walking the tightrope

... imperfect knowledge

... inherent uncertainty

... exciting (to a point)

... white-water rafting

... being on the brink

... throwing the dice

... adventure sports

... tricky to manage

... skipping a check

... bungee jumping

... poking the tiger

... about causation

... taking chances

... unseen danger

... chances blown

... what might be

... warning signs

... unanticipated

... best avoided

... a card game

... being brave

... de-masking

... opportunity

... lion taming

... life lessons

... hazardous

... adventure

... ambiguity

... investing

... gambling

... black ice

... no limits

... complex

... dynamic

... relative

... thrilling

... thin ice

... danger

... doubt

... luck

... fun!

... life

... ice

...

CISO workshop slides

A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning.

The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):

Aside from my gripes with the example metrics (see below), the remainder of the presentation has a lot of useful information, lots of details, plenty of busy, thought-provoking diagrams and, as I said, an uncommon polish for free slide decks.

Here's a nice, fairly simple example slide that I could happily present and discuss in some depth as part of a workshop or training course:

 

Naturally, the slide deck emphasises Microsoft's own 'security posture', such as:

• IT, cyber and data-centric, virtually ignoring the wider field of information risk and security management (e.g. protecting and exploiting workers' knowledge and other intangible forms of intellectual property) with limited, almost incidental reference to information risk and security management being truly driven by business objectives;
• Hacking and malware i.e. deliberate, malicious and often targeted attacks, downplaying accidental threats (e.g. floods and fires) and other incidents such as human error, theft, sabotage and fraud, plus enterprise risk management as a whole (e.g. financial risk, market risk, compliance risk, strategic risk ....);
  
• Zero-trust - whatever that means to the presenter and audience;
• Cloud - meaning Azure, specifically;
• DevOps and DevSecOps - whatever those terms mean ;
  
• MS threat intelligence including artificial intelligence/machine learning rapid responses to novel malware (a cool idea, provided it works reliably).
  

I'm intrigued by their choice of example Security Scorecard Metrics (slide 63):

These examples supposedly focus on 'continuous improvement' (of what I'm not exactly sure), so let's take a closer look:

1. Business Enablement appears to refer to IT and IT security services 'enabling' the business, although 'Number of security interruptions in user workflow' implies the need to prevent security getting in the way of business, a curious take on 'enable'.
   
   
2. Security Posture suggests a confusing mix of application and account security metrics. I'm really not sure what 'security posture' even means in this context, and curious as to why those two aspects in particular have been selected as example metrics. Other slides in the deck appear to equate 'security posture' to vulnerability management and software/systems patching - a rather narrow/specific technical concern for metrics suggested to senior management, although arguably it is a major factor in cybersecurity - or to security strategy. Personally, I favour a much broader perspective on the organisation's overall posture (meaning its brands, corporate personality, customer perceptions ...) including security-relevant aspects (e.g. being a trusted partner).  Generally, though, the risk management and security arrangements quietly support and enable the business from the inside, as it were, rather than being exposed externally - unless they fail anyway!
   
   
3. Security Response: the example metrics suggest the classical (outdated!) incident-response-and-recovery line i.e. dealing with business discontinuity, although thankfully later slides (#82-85) discuss resilience:
   
   
   
   
   
4. Security Improvement as a category within this set of example metrics all supposedly focused on continuous improvement, confuses me. If these metrics are about improving security, what are the others improving? The example metrics don't help clarify the intent of this category either, referring to 'modernization' and automation (possibly in the realm of security, but not stated), although '# of Lessons learned from internal/external incidents' could indicate security improvements provided they are counted rationally (e.g. is an incident relating to weak passwords counted as just one incident or one per account compromised?).

For me, continuous improvement implies three things that don't exactly sing out from the example metrics:

1. Clarity on the meaning of 'improve' in the present context, implying the need for management to understand what are the key parameters, as well as being able to measure and control/drive them in a positive direction.
   
   
   
2. Some version of the classic Deming-style Plan-Do-Check-Act cycle.
   
   
3. Process maturity, leading naturally towards maturity metrics.
   

So, I have concerns about the overall thrust, the categories and the individual metrics offered as examples ... which is ironic given that the very next slide hints at an altogether better approach: