Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Apr 20, 2018

NBlog April 20 - whistleblower policy

For more than two decades now, I have been fascinated by whistleblowers - people who blow the whistle on various forms of impropriety. 

In my experience, they are high-integrity, ethically-motivated and aggrieved individuals willing to take a stand rather than put up with Things That Should Not Be Going On. They are powerful change agents. To my mind, they are brave heroes taking significant risks to their careers, personal lives, liberty and safety (nods hat to Ed Snowden among others).

I've blogged about it several times, most recently at the start of this month when I said:

Organizations clearly need strategies, policies and procedures for receiving and dealing with incident notifications and warnings of all sorts. 
And that set me thinking: do we actually offer anything along those lines - any awareness and training materials supporting such activities?

We don't currently have a whistleblower policy as such in our suite of information security policy templates, although the term is mentioned in a few of them, generally in reference to a "Whistleblowers' Hotline". We envisage a corporate service being run by a trustworthy, competent and independent person or group such as Internal Audit, or a suitable external service provider.

Whistleblowing has certainly come up in the context of oversight, compliance, governance, fraud etc., so we ought to check through the back catalog to see what we have to hand in the way of guidance/awareness content. I'm thinking the incident management procedures might be adapted to suit, but what else is there? I'll be exploring this further, figuring out the common approaches and concerns and perhaps drafting a whistleblower policy.

This is partially relevant to May's materials on GDPR in that compliant organizations are expected to receive and address privacy-related requests and complaints in a professional manner, a process that arguably ought to be in effect today but patently (in my unhappy experience with a certain French hotel chain, for example) it ain't necessarily so. The controversial right to be forgotten, for instance, requires organizations to expunge personal information on request from a data subject, a situation that strongly suggests a serious breakdown of trust between the parties, perhaps as a result of an undisclosed incident. There may be no formal obligation for individuals to explain why they want their personal information erased, but asking the question at least would seem like a sensible thing for the organization to do. It might suggest the need for further investigation, even if the person's reasons are withheld or obscure.

Obvious when you think about it. I wonder how many are?

Apr 19, 2018

NBlog April 19 - looking beyond the horizon [UPDATED]

We are fast approaching an event horizon - May 25th 2018 - beyond which the privacy landscape will be changed forever.

As of today, most of the world respects the rights of individuals to control information about themselves that they consider personal, with the glaring exception of the US which treats personal information as merely another information asset, to be obtained, exploited and traded the same as any other. The changes brought about by GDPR will directly and indirectly affect the whole world, including the US in ways that are not entirely clear at this precise point.

The European Union anticipates the whole world falling neatly into line, playing the privacy game the EU way or facing punitive fines until they do. 

Some players in the US are making noises about continuing their exploitation of personal information with impunity, perhaps grudgingly paying their GDPR fines but only after a massive playground punch-up over whether the EU's rules even apply to the US, and without necessarily falling into line. [Cue cartoon of someone's eyes rolling like a fruit machine, stopping on $$$ $$$ to the sound of a ker-ching cash register or tinkle-tinkle Vegas coin payout.]

Some are talking about fracturing the Internet along the GDPR/non-GDPR boundary, maintaining different privacy rules and approaches on each side and somehow handling the not inconsiderable issue of personal information crossing the boundary. I think this is either fake news, panic, bravado or tongue-in-cheekiness, not dissimilar to those cranky but desperate suggestions to call the year 2000 "199A" followed by "199B" giving a stay of execution for the non-Y2K compliant organizations, perhaps, but a world of pain for the rest of us. 

This strikes me as an interesting perspective to get management thinking differently about GDPR, in strategic business terms. 

Another approach we'll be taking is to treat personal information as a valuable and sensitive information asset not totally dissimilar to secret recipes for herbs and spices, business plans, customer and prospect lists, and more - another opportunity to get management thinking differently about privacy. Securing personal info is not just A Jolly Good Idea for compliance reasons.

Those two concepts, plus the remainder of the NoticeBored materials for May, are all aimed at raising awareness of the privacy and related issues. As always, we'll be supplying a blend of factual information, motivational suggestions, tools and techniques, metrics, strategic options, policy matters, guidance and more: if you think your GDPR project would benefit from any of this, email me soon about subscribing to NoticeBored - if you care about crossing the event horizon at full pelt on both feet anyway, rather than crawling exhaustedly across the line, collapsing dejectedly in a heap on the home straight, or sticking your head in the sand and pretending it won't affect you. We have awareness content on privacy and other information security topics ready to deliver today, and we're working hard on the privacy and GDPR awareness module for delivery to subscribers on May 1st, for sure. Will your GDPR/privacy awareness stuff be done in time? With just 35 days remaining, have you even started preparing it yet?! Good luck Jim.

[Added 20th April] Talking of heads-in-sand, what do you make of this?

Apr 18, 2018

NBlog April 18 - GDPR full immersion

Today I've dived deep into GDPR, poring over, becoming immersed in and trying to make sense of the legislation.

The regulation itself is freely available online - handy really since it is intended to apply and to be implemented and complied-with very widely.

It is an official EU regulation, almost a law, and as such it has clearly been drafted by and for the lawyers. Readability is clearly not as high on their priority list as making it watertight.

So, the door swings open to interpret and explain it for the common man and, for that matter, the common manager.

Apr 17, 2018

NBlog April 17 - GDPR countdown

A countdown is a common way to align everyone towards some event - the launch of a space mission or start of a new year for instance, or the completion of your GDPR compliance project. As a communications, awareness and motivational technique, countdowns work well for that rather narrow objective, focusing attention on a given point in time.

With a little more creativity and effort, it's not hard to use countdowns to get people to re-assess their progress and maybe prioritize things on the way down to the deadline ... and then to follow-through with count-ups - in other words, keep the timer going past the zero point, displaying the time since the deadline passed or expired. 

This is often done for overdue activities, starting with gentle reminders then steadily ramping up the pressure (red reminders, warnings) and perhaps escalating matters (court orders, bailiffs) as time marches inexorably on. 

Before you know it, the point-in-time spot focus has turned into a zone of concern, with an accompanying sequence of activities, a plan and a process. 

The passage of time can also be used in a more positive manner, in the sense of "Look how far we've come!". It is generally implied in the concept of maturity. It takes time to reach then stabilize and become comfortable at each level before starting the assault on the next, like climbing the stairs or a mountain. [Maturity also implies gaining competence and wisdom, which are the more obvious objectives.]

A related concept is that of momentum or inertia - winding things up to reach a critical speed, then sustaining it as long as possible. This is not just Newton's first law of motion as it literally applies to boulders, wheels and space rockets in the physical world. It's also figurative, applying to organizations and processes, even to individuals. Our energy/activity levels and motivations vary and, to an extent, can be influenced by others. Some things fire us up and get us going. Others wear us out and exhaust us. Understanding the difference goes a long way towards making awareness activities more effective.

I'll end with a simple suggestion to use the countdown to the GDPR go-live deadline quite deliberately as a means to align and drive everyone to May 25th, and perhaps to lead them ever onward and upwards thereafter, having hopefully achieved the specific goal. Privacy is no less important on May 26th!

To the GDPR deadline ... and beyond!

Apr 16, 2018

NBlog April 16 - skunkworks & 7 other awareness strategies

Over the weekend, I've been mulling over the issue I raised at the end of last week about how to get management fully behind the security awareness and training efforts. I've come up with several possible strategies.

A skunkworks approach is one possibility.
"The designation 'skunk works' or 'skunkworks' is widely used in business, engineering, and technical fields to describe a group within an organization given a high degree of autonomy and unhampered by bureaucracy, with the task of working on advanced or secret projects."

The idea is to assemble a small close-knit group of like-minded colleagues to work informally ('unhampered by bureaucracy') on management's awareness, specifically, with the aim of formally proposing an organization-wide security awareness and training program once management's interest has been piqued. Being a small team with a narrowly-defined purpose, the work can probably be done without dedicated resources, with no need for a project team and budget, or even timescale as such. The interest-piquing initial management awareness part can usefully take place in parallel with drafting the formal proposal, saving elapsed time and hopefully ensuring that the proposal aligns with management's evolving perspective. [Hinson tip: it would help if one or two friendly senior managers were brought in on the cunning plan early-on, though, to smooth the way once the strategy comes into view. Most of all, it would need at least one passionate leader, someone with the enthusiasm and energy to fire it up, get it rolling and keep it going for as long as it takes.]

Aside from skunkworks, there are at least 7 other strategies ...

#1 A risky, almost Machiavellian strategy is to engineer a crisis in which unawareness plays a crucial part, more likely seizing upon an opportunity such as an information security incident or an impending compliance deadline (such as May 25th ...) to catch management's attention first, softening them up for the follow-through "What we need right now is {ta-daaaaah} a Security Awareness and Training Program, just like this!". [Hinson tip: suggesting that awareness is The Ultimate Answer To Everything would be unwise but I'm convinced it is a valuable, or rather necessary part of the grand solution. It's hard to imagine anyone seriously suggesting that awareness is unnecessary, let alone detrimental.]

#2 Compliance is a strong driver. Scan applicable laws, regulations, contractual commitments etc. for any obligatory/mandatory requirements to run security awareness and training, plus any recommended/advisory suggestions or other hints that doing so might be A Jolly Good Idea. It's worth systematically assessing internal requirements too, such as corporate policies: aside from any specific mention of security awareness [Hinson tip: ... which the canny CISO or ISM will have previously slipped quietly into the security policies], there's an obvious need to make people aware of the policies if they are expected to know about and comply with them. Security standards such as the ISO27k and NIST SP800 series are further sources of advice, along with PCI-DSS, COBIT and others, although those are aimed at information security pros rather than general management, so would need to be interpreted somewhat to draw out the business advantages ...

#3 ... which leads to another approach: position security awareness as a tool supporting information risk management, information security, compliance, governance, privacy, safety, assurance And All That - or, even stronger still, as a business enabler. Given the choice, this is my preferred approach, directly supporting the idea that information security isn't just something that ought to be done because somebody says so: it is necessary for business reasons, and commercially valuable in its own right. [Hinson tip: it helps of course if management is already sold on the need for information risk management, preferably a structured, comprehensive approach. If they are not, we're heading back to square 1 and the conundrum I raised last week: to get awareness, first we need awareness. The difference here is that although management may not initially be keen on security awareness, hopefully they appreciate the need for information security, if only grudgingly for compliance reasons.]

#4 A related suggestion is to integrate security awareness with other planned business and security initiatives - not just tacked casually on the side as an optional extra (where it is vulnerable to being chopped at the outset, or later on when the going gets tough) but as a necessary core activity, an essential or fundamental part. This is easiest with information security projects, naturally, and not too hard with most IT- and information-related business change projects (e.g. all things cloudy). It takes more creativity, effort and care, though, to position security awareness as an integral part of other business activities, with rapidly diminishing returns, aside perhaps from hooking up with other forms of awareness and training (e.g. health and safety). Again there are risks here in pushing too hard. If management consciously chops out or cuts down on security awareness, it's going to be harder to get them back behind it later on, at least not until they've forgotten what they did! If you ever get to the point of someone saying "Oh no, not that bloody awareness stuff again! Give it a rest!" you'll know you've gone way too far. [Hinson tip: if the awareness stuff is robustly blocked, try to get the blockers to acknowledge that it is 'not appropriate right now' rather than accepting a flat-out "No!", preferably in writing even if YOU have to write it! Leave the door open for a later approach, when the time is ripe. Strategy is a long-term game, so think things through and keep on stacking the deck in your favor. Your time will come, glasshopper.]

#5 Divide and conquer involves putting effort into persuading specific senior managers, individually at first, of the value of security awareness, then working with them on a plan to convince their peers. As individuals are persuaded, put them in touch with each other. Using management's power and comms structure requires political acumen and drive, which is why I suggest singling-out and collaborating with friendly senior managers: they should know how stuff gets done, and hopefully how to avoid the potholes and barriers that those lower in the pecking order may not even appreciate. They are also a relatively soft-sell: if you can't convince them that awareness is worth doing, what are your chances of persuading the rest of management? [Hinson tip: watch out for those hot buttons - things that catch their imagination, spark genuine interest and hence show real promise. Emphasizing them in subsequent comms makes a lot of sense, perhaps to the point of building proposals around them.]

#6 If the previous strategies seem too much like hard work, here is a low effort low impact approach. Let your awareness and training activities evolve naturally, growing gradually from whatever you are doing already. This is a long, slow, plodding method, but that doesn't automatically discount it. This is the default approach, the straw-man against which to compare the other strategies. [Hinson tip: for more traction, it's possible to accelerate the rate of change using metrics - particularly my favorite, maturity metrics. Measure the current awareness and training activities relative to accepted good practices*, both to define the starting point and to drive improvements. Once things start working more effectively and efficiently, the metrics will demonstrate progress, which in turn encourages more effort - a positive feedback loop that you can use to your advantage. Obvious when you think about it, or when you stumble across it on some random blog ...] 

#7 'Some random blog' brings me to my final strategy: proactively use social networks and social media for security awareness purposes. Email this blog's URL to your colleagues to pump-prime the discussions about strategies that might be worth pursuing. Set up a 'friends of infosec' mailing list or group at work to drip-feed and discuss relevant news, gently and repeatedly reminding people of the value of security awareness, in the sense of spotting emerging risks and avoiding nasty surprises. Publish relevant clips and links to awareness stuff on information security's intranet Security Zone. Mention security awareness in responses and comments to other people's blogs, emails and assorted corridor-comms at work. Drop it casually into your progress reports and management updates. Mention it to your esteemed colleagues from Risk, Privacy, Compliance and Audit over coffee, lunch or beer. Pop it in your newsletters. Be enthusiastic or evangelical like me, hopefully not boring and obnoxious though. [Hinson tip: bring this up in your blog, too. I've scratched your back ...].

* Get in touch for help with that. Awareness metrics are right up my street.

Apr 13, 2018

NBlog Friday 13th

Today is Friday the thirteenth, a classic opportunity to do something special as part of the security awareness program. How about organizing a fancy dress day with a parade, award ceremony and after-hours social event? 

The horror movie theme is obvious, perhaps too obvious ... but it's not hard to think of variants, ranging from the very simplest "Wear black or blood red" through "Dig out your best Halloween costumes" to "Audition to be a horror movie extra". You might give it more of an information risk and security spin by circulating stuff about malware, scams/frauds and nasty incidents, or not: a more subtle association might be good enough, a way to lighten-up a bit.

I appreciate it's far too late now to organize anything special for today but if you are keen, there are lots more awareness opportunities coming up throughout the year:
  • May 25th, GDPR implementation deadline, an obvious candidate for a privacy day (we're already on to that one!);
  • Other Friday thirteenths (the next is in July, then none until 2019) and Halloween (the last day of October, on a Wednesday this year);
  • Black Friday when everybody allegedly goes mad, doing their shopping online in the run-up to Christmas and Thanksgiving. Possible awareness topics are online/Internet security, identification and authentication, performance and availability, business continuity ...
  • Minefield Monday, Super Tuesday, Wonderful Wednesday, Thunderous Thursday, Farcical Friday or whatever: nothing stops you inventing a special themed day (or a week or more) and running activities on some awareness topic that needs a boost. If it is not a public event, though, you and your team will have to do all the publicity yourselves; 
  • Turn a specific awareness topic into a themed event - a backup day, maybe, or patch Tuesday, or ... well hopefully you get the idea;
  • April Fool's Day - how about focusing on social engineering or fraud?
  • Hook in with special events such as "tax day", "world safety day", new year's day, election day and the like, finding and exploiting the information risk and security angles, perhaps in conjunction with colleagues from Health and Safety, Facilities, Finance, Risk Management, Legal/Compliance etc. 
If none of these ideas grabs your imagination, perhaps your colleagues can come up with something better. Turn that into a challenge if you like, opening it up to the workforce to get creative and suggest an information security themed day, event or activity.

NBlog April 12 - bringing managers up to speed

Today I Googled across a thought-provoking opinion piece in Computerworld back in 2008. Jay Cline's top 5 mistakes of privacy awareness programs were:
  1. Doing separate training for privacy, security, records management and code of ethics. 
  2. Equating "campaign" with "program." 
  3. Equating "awareness" with "training." 
  4. Using one or two communications channels. 
  5. No measurement. 
Hmmm, not a bad list that. I've trimmed almost all of it away so if those few remaining words intrigue you, please read the original article.

We've been addressing all those points ever since NoticeBored was launched way back in 2003. It's galling, though, to note that those 'top 5 mistakes' are still evident today in the way that most organizations tackle awareness. 

We're doing our best to take current practice up a level through this blog, our awareness materials and services, and occasional articles. Perhaps we need a change of approach ... and we're working on that.

Jay's list of mistakes could be extended. In particular, most awareness programs focus on general employees or "end users". While Jay mentions offering role-based training for particular specialists, I feel that still leaves a gaping hole in awareness coverage, namely management. You could say they are specialists in managing, although there's no hint of that in Jay's piece.

Looking again at the list, all those mistakes could be classed as management or governance issues, being problems in the way the awareness and training programs and activities are structured and driven ... which, to me at least, implies the need to address that. It's a root cause. If management doesn't first notice that mistakes are being made, and then join-the-dots to figure out that the way security awareness as a whole is handled is probably causing the mistakes, then we're unlikely to see much improvement.

So, raising management's awareness of information security, risk, compliance, privacy, accountability, governance, assurance and so forth makes a lot of sense ... which is exactly what we aim to do through the management stream in NoticeBored. If management truly 'gets it', the awareness task becomes much more straightforward, giving the awareness and training program as a whole a much greater probability of success, leading to a widespread culture of security.

That leaves us with a chicken-and-egg conundrum though. If management doesn't quite 'get it', in other words if this security awareness stuff doesn't presently register with them as an issue worth investing in (or, more often, is treated as something trivial best left to IT or HR, with no real support and bugger all resources), then how can we tackle management's lack of awareness and break the deadlock?

I'll leave you now to contemplate that question, as I will be doing over the weekend. Maybe the vague thoughts I have in mind will crystallize into something more concrete for the blog next week. Meanwhile, by all means chip-in through the blog comments, or email me directly. I'd love to know what you think, especially any innovative and effective solutions you can offer. Is this an issue you face? How are you tackling it, or planning to do so? 

Apr 11, 2018

NBlog April 11 - a rich seam

Surprisingly often, a breaking news story falls into our laps at precisely the right moment.

Today, I've been developing a general staff awareness presentation on privacy. Three core messages appeal to me, this time around:
  1. Privacy is an ethical consideration - something we anticipate or expect of each other as members of a civilized society.
  2. Privacy is also a compliance obligation - something enshrined in the laws of the land and imposed on our organizations.
  3. Those two issues together make privacy a business issue.

So, what's been all over the news lately in relation to privacy? Why, the latest Facebook incident, of course. 

I'm not going to re-hash the story now, nor draw out the privacy lessons for you. I've given you more than enough of a clue already, and if you read the press coverage with a slightly cynical and jaundiced eye, you'll find your own take on the incident - as indeed will our subscribers' employees ... which makes it an excellent, highly relevant case study to incorporate into the awareness content.

Thanks to the saturation media coverage, we barely need mention 'Facebook' for people to think of the incident. Almost all will have seen the news reports. Those who use Facebook (a substantial proportion of people, we are led to believe) probably have perfectly reasonable concerns about their own privacy. Those who don't use it are also implicated, although we might need to explain that a little. Either way, it's something they can relate to, a story that resonates and has impact. We can pose a few questions that they can contemplate, in their own way, in their own time.

We will exploit their interest to engage them with the awareness program so, in a way, we are also exploiting the victims' personal information, but (we assert) it's for their own good, for the benefit of their employer and for the sake of human society. We mean well. We are not even vaguely approaching the boundaries of decency or legislation. Public incidents of this nature are perfectly legitimate and in fact rich resources for awareness, training and educational purposes. It would be a waste to let them drift back below our consciousness without milking them for all they're worth.

The real trick is to be constantly scanning the horizon for relevant news items. Information security is such a broad topic that finding stuff is hardly ever the issue - the very opposite in fact. The Facebook incident, for instance, is directly and obviously relevant to privacy, but also to incident management, compliance, governance, information risk, information security, cybersecurity, social engineering, fraud, accountability, business continuity and more.

Ethically speaking, I have no qualms about using reported incidents in this way, particularly where the protagonists are implicated in the incidents rather than merely being the poor unfortunate victims of some malicious third party. I'm currently trying to track down the original source of a quoted Goldman Sachs assessment of the eye-wateringly huge amount of revenue Facebook may forgo once GDPR comes into effect, with the strong implication that they have been making their fortune by exploiting the personal information of their users. OK so it may have been entirely legal, but was it appropriate? Was it ethical? Was it socially acceptable? These rhetorical questions hint at how we might explore the same incident from the business perspective in the management awareness materials, making a link that will hopefully get staff and managers thinking and talking animatedly about privacy.

And that's another security awareness win, right there.

Apr 10, 2018

NBlog April 10 - privacy guide

Aside from revising the materials from the NoticeBored privacy awareness module delivered last November, we're planning some brand new even fresher content this time around.

The imminent go-live date for GDPR is the most obvious reason for updating and re-issuing the privacy materials in May. It's timely. The awareness content should prove useful for organizations that are on-track for the May 25th deadline, helping to explain the hubbub to people who are not so directly involved in the GDPR changes. 

It may also be the final wake-up call for those who are still oblivious, ignorant of the wider effects GDPR will have, both within and beyond the EU. As of today, we're not exactly sure what changes to make though. More research required yet.

Another brand new awareness item we're planning to write and deliver this time around is a 'privacy guide' - a document explaining privacy concepts and practices in a way that hopefully grabs attention, informing and stimulating readers to take account of privacy in how they behave.

The privacy guide will be a challenge to write, not least because it's a new format we have in mind. When it's done, we'll have a model document to turn into a template or skeleton for future awareness topics, where applicable. I'm already thinking a 'malware guide' and 'social engineering guide' might be worth the effort, provided this first one goes to plan.

Apr 9, 2018

NBlog April 9 - GDPR final countdown

We've started working on May's awareness module - the final episode in a privacy series timed to support the run-up and coincide with GDPR (the General Data Protection Regulation) implementation.

It would be hard to find anything new to say this time around if it weren't for the fact that our customers are in a different situation now than when the privacy modules were released previously. They should all (hopefully!) be in the final throes of their GDPR compliance projects. Some may have had a lot of work to do, clarifying and analyzing the requirements, substantially modifying IT systems and business processes, and liaising with assorted information service suppliers to ensure they too will be compliant by May 25th. Others may have had an easier time with most of the requirements covered already. All will be anticipating the changes in their own organizations, and in others since we are all connected. 

The awareness materials they need now are (to some extent) different to those that were relevant before, with new perspectives and concerns. While the basics about privacy, risk, confidentiality etc. are the same as ever, saturation coverage of GDPR in the mainstream media is likely to grab attention for at least a few days around the 25th, hence we're planning for the awareness materials and activities to complement and build on that. 

Looking further forward, there are likely to be more peaks in media coverage when the first organizations are prosecuted under GDPR and then penalized for privacy incidents. We're seeing the effect right now with Facebook and Zuckerberg all over the news - and that's a story we can hook into as well.