Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Apr 20, 2018

NBlog April 20 - whistleblower policy

For more than two decades now, I have been fascinated by whistleblowers - people who blow the whistle on various forms of impropriety. 

In my experience, they are high-integrity, ethically-motivated and aggrieved individuals willing to take a stand rather than put up with Things That Should Not Be Going On. They are powerful change agents. To my mind, they are brave heroes taking significant risks to their careers, personal lives, liberty and safety (nods hat to Ed Snowden among others).

I've blogged about it several times, most recently at the start of this month when I said:

Organizations clearly need strategies, policies and procedures for receiving and dealing with incident notifications and warnings of all sorts. 
And that set me thinking: do we actually offer anything along those lines - any awareness and training materials supporting such activities?

We don't currently have a whistleblower policy as such in our suite of information security policy templates, although the term is mentioned in a few of them, generally in reference to a "Whistleblowers' Hotline". We envisage a corporate service being run by a trustworthy, competent and independent person or group such as Internal Audit, or a suitable external service provider.

Whistleblowing has certainly come up in the context of oversight, compliance, governance, fraud etc., so we ought to check through the back catalog to see what we have to hand in the way of guidance/awareness content. I'm thinking the incident management procedures might be adapted to suit, but what else is there? I'll be exploring this further, figuring out the common approaches and concerns and perhaps drafting a whistleblower policy.

This is partially relevant to May's materials on GDPR in that compliant organizations are expected to receive and address privacy-related requests and complaints in a professional manner, a process that arguably ought to be in effect today but patently (in my unhappy experience with a certain French hotel chain, for example) it ain't necessarily so. The controversial right to be forgotten, for instance, requires organizations to expunge personal information at the request of a data subject (subject to the conditions and exceptions set out in Article 17), a situation that strongly suggests a serious breakdown of trust between the parties, perhaps as a result of an undisclosed incident. There may be no formal obligation for individuals to explain why they want their personal information erased, but asking the question at least would seem like a sensible thing for the organization to do. It might suggest the need for further investigation, even if the person's reasons are withheld or obscure.

Obvious when you think about it. I wonder how many are?

Apr 19, 2018

NBlog April 19 - looking beyond the horizon [UPDATED]

We are fast approaching an event horizon - May 25th 2018 - beyond which the privacy landscape will be changed forever.

As of today, most of the world respects the rights of individuals to control information about themselves that they consider personal, with the glaring exception of the US which treats personal information as merely another information asset, to be obtained, exploited and traded the same as any other. The changes brought about by GDPR will directly and indirectly affect the whole world, including the US in ways that are not entirely clear at this precise point.

The European Union anticipates the whole world falling neatly into line, playing the privacy game the EU way or facing punitive fines until they do. 

Some players in the US are making noises about continuing their exploitation of personal information with impunity, perhaps grudgingly paying their GDPR fines but only after a massive playground punch-up over whether the EU's rules even apply to the US, and without necessarily falling into line. [Cue cartoon of someone's eyes rolling like a fruit machine, stopping on $$$ $$$ to the sound of a ker-ching cash register or tinkle-tinkle Vegas coin payout.]

Some are talking about fracturing the Internet along the GDPR/non-GDPR boundary, maintaining different privacy rules and approaches on each side and somehow handling the not inconsiderable issue of personal information crossing the boundary. I think this is either fake news, panic, bravado or tongue-in-cheekiness, not dissimilar to those cranky but desperate suggestions to call the year 2000 "199A" followed by "199B" giving a stay of execution for the non-Y2K compliant organizations, perhaps, but a world of pain for the rest of us. 

This strikes me as an interesting perspective to get management thinking differently about GDPR, in strategic business terms. 

Another approach we'll be taking is to treat personal information as a valuable and sensitive information asset not totally dissimilar to secret recipes for herbs and spices, business plans, customer and prospect lists, and more - another opportunity to get management thinking differently about privacy. Securing personal info is not just A Jolly Good Idea for compliance reasons.

Those two concepts, plus the remainder of the NoticeBored materials for May, are all aimed at raising awareness of the privacy and related issues. As always, we'll be supplying a blend of factual information, motivational suggestions, tools and techniques, metrics, strategic options, policy matters, guidance and more: if you think your GDPR project would benefit from any of this, email me soon about subscribing to NoticeBored - if you care about crossing the event horizon at full pelt on both feet anyway, rather than crawling exhaustedly across the line, collapsing dejectedly in a heap on the home straight, or sticking your head in the sand and pretending it won't affect you. We have awareness content on privacy and other information security topics ready to deliver today, and we're working hard on the privacy and GDPR awareness module for delivery to subscribers on May 1st, for sure. Will your GDPR/privacy awareness stuff be done in time? With just 35 days remaining, have you even started preparing it yet?! Good luck Jim.

[Added 20th April] Talking of heads-in-sand, what do you make of this?

Apr 18, 2018

NBlog April 18 - GDPR full immersion

Today I've dived deep into GDPR, poring over, becoming immersed in and trying to make sense of the legislation.

The regulation itself is freely available online - handy really since it is intended to apply and to be implemented and complied-with very widely.

It is an official EU regulation, directly applicable as law in every member state, and as such it has clearly been drafted by and for the lawyers. Readability is clearly not as high on their priority list as making it watertight.

So, the door swings open to interpret and explain it for the common man and, for that matter, the common manager.

Apr 17, 2018

NBlog April 17 - GDPR countdown

A countdown is a common way to align everyone towards some event - the launch of a space mission or start of a new year for instance, or the completion of your GDPR compliance project. As a communications, awareness and motivational technique, countdowns work well for that rather narrow objective, focusing attention on a given point in time.

With a little more creativity and effort, it's not hard to use countdowns to get people to re-assess their progress and maybe prioritize things on the way down to the deadline ... and then to follow-through with count-ups - in other words, keep the timer going past the zero point, displaying the time since the deadline passed or expired. 

This is often done for overdue activities, starting with gentle reminders then steadily ramping up the pressure (red reminders, warnings) and perhaps escalating matters (court orders, bailiffs) as time marches inexorably on. 

Before you know it, the point-in-time spot focus has turned into a zone of concern, with an accompanying sequence of activities, a plan and a process. 

The passage of time can also be used in a more positive manner, in the sense of "Look how far we've come!". It is generally implied in the concept of maturity. It takes time to reach then stabilize and become comfortable at each level before starting the assault on the next, like climbing the stairs or a mountain. [Maturity also implies gaining competence and wisdom, which are the more obvious objectives.]

A related concept is that of momentum or inertia - winding things up to reach a critical speed, then sustaining it as long as possible. This is not just Newton's first law of motion as it literally applies to boulders, wheels and space rockets in the physical world. It's also figurative, applying to organizations and processes, even to individuals. Our energy/activity levels and motivations vary and, to an extent, can be influenced by others. Some things fire us up and get us going. Others wear us out and exhaust us. Understanding the difference goes a long way towards making awareness activities more effective.

I'll end with a simple suggestion to use the countdown to the GDPR go-live deadline quite deliberately as a means to align and drive everyone to May 25th, and perhaps to lead them ever onward and upwards thereafter, having hopefully achieved the specific goal. Privacy is no less important on May 26th!

To the GDPR deadline ... and beyond!

Apr 16, 2018

NBlog April 16 - skunkworks & 7 other awareness strategies

Over the weekend, I've been mulling over the issue I raised at the end of last week about how to get management fully behind the security awareness and training efforts. I've come up with several possible strategies.

A skunkworks approach is one possibility.
"The designation 'skunk works' or 'skunkworks' is widely used in business, engineering, and technical fields to describe a group within an organization given a high degree of autonomy and unhampered by bureaucracy, with the task of working on advanced or secret projects."

The idea is to assemble a small close-knit group of like-minded colleagues to work informally ('unhampered by bureaucracy') on management's awareness, specifically, with the aim of formally proposing an organization-wide security awareness and training program once management's interest has been piqued. Being a small team with a narrowly-defined purpose, the work can probably be done without dedicated resources, with no need for a project team and budget, or even timescale as such. The interest-piquing initial management awareness part can usefully take place in parallel with drafting the formal proposal, saving elapsed time and hopefully ensuring that the proposal aligns with management's evolving perspective. [Hinson tip: it would help if one or two friendly senior managers were brought in on the cunning plan early-on, though, to smooth the way once the strategy comes into view. Most of all, it would need at least one passionate leader, someone with the enthusiasm and energy to fire it up, get it rolling and keep it going for as long as it takes.]

Aside from skunkworks, there are at least 7 other strategies ...

#1 A risky, almost Machiavellian strategy is to engineer a crisis in which unawareness plays a crucial part, more likely seizing upon an opportunity such as an information security incident or an impending compliance deadline (such as May 25th ...) to catch management's attention first, softening them up for the follow-through "What we need right now is {ta-daaaaah} a Security Awareness and Training Program, just like this!". [Hinson tip: suggesting that awareness is The Ultimate Answer To Everything would be unwise but I'm convinced it is a valuable, or rather necessary part of the grand solution. It's hard to imagine anyone seriously suggesting that awareness is unnecessary, let alone detrimental.]

#2 Compliance is a strong driver. Scan applicable laws, regulations, contractual commitments etc. for any obligatory/mandatory requirements to run security awareness and training, plus any recommended/advisory suggestions or other hints that doing so might be A Jolly Good Idea. It's worth systematically assessing internal requirements too, such as corporate policies: aside from any specific mention of security awareness [Hinson tip: ... which the canny CISO or ISM will have previously slipped quietly into the security policies], there's an obvious need to make people aware of the policies if they are expected to know about and comply with them. Security standards such as the ISO27k and NIST SP800 series are further sources of advice, along with PCI-DSS, COBIT and others, although those are aimed at information security pros rather than general management, so would need to be interpreted somewhat to draw out the business advantages ...

#3 ... which leads to another approach: position security awareness as a tool supporting information risk management, information security, compliance, governance, privacy, safety, assurance And All That - or, even stronger still, as a business enabler. Given the choice, this is my preferred approach, directly supporting the idea that information security isn't just something that ought to be done because somebody says so: it is necessary for business reasons, and commercially valuable in its own right. [Hinson tip: it helps of course if management is already sold on the need for information risk management, preferably a structured, comprehensive approach. If they are not, we're heading back to square 1 and the conundrum I raised last week: to get awareness, first we need awareness. The difference here is that although management may not initially be keen on security awareness, hopefully they appreciate the need for information security, if only grudgingly for compliance reasons.]

#4 A related suggestion is to integrate security awareness with other planned business and security initiatives - not just tacked casually on the side as an optional extra (where it is vulnerable to being chopped at the outset, or later on when the going gets tough) but as a necessary core activity, an essential or fundamental part. This is easiest with information security projects, naturally, and not too hard with most IT- and information-related business change projects (e.g. all things cloudy). It takes more creativity, effort and care, though, to position security awareness as an integral part of other business activities, with rapidly diminishing returns, aside perhaps from hooking up with other forms of awareness and training (e.g. health and safety). Again there are risks here in pushing too hard. If management consciously chops out or cuts down on security awareness, it's going to be harder to get them back behind it later on, at least not until they've forgotten what they did! If you ever get to the point of someone saying "Oh no, not that bloody awareness stuff again! Give it a rest!" you'll know you've gone way too far. [Hinson tip: if the awareness stuff is robustly blocked, try to get the blockers to acknowledge that it is 'not appropriate right now' rather than accepting a flat-out "No!", preferably in writing even if YOU have to write it! Leave the door open for a later approach, when the time is ripe. Strategy is a long-term game, so think things through and keep on stacking the deck in your favor. Your time will come, glasshopper.]

#5 Divide and conquer involves putting effort into persuading specific senior managers, individually at first, of the value of security awareness, then working with them on a plan to convince their peers. As individuals are persuaded, put them in touch with each other. Using management's power and comms structure requires political acumen and drive, which is why I suggest singling-out and collaborating with friendly senior managers: they should know how stuff gets done, and hopefully how to avoid the potholes and barriers that those lower in the pecking order may not even appreciate. They are also a relatively soft-sell: if you can't convince them that awareness is worth doing, what are your chances of persuading the rest of management? [Hinson tip: watch out for those hot buttons - things that catch their imagination, spark genuine interest and hence show real promise. Emphasizing them in subsequent comms makes a lot of sense, perhaps to the point of building proposals around them.]

#6 If the previous strategies seem too much like hard work, here is a low effort low impact approach. Let your awareness and training activities evolve naturally, growing gradually from whatever you are doing already. This is a long, slow, plodding method, but that doesn't automatically discount it. This is the default approach, the straw-man against which to compare the other strategies. [Hinson tip: for more traction, it's possible to accelerate the rate of change using metrics - particularly my favorite, maturity metrics. Measure the current awareness and training activities relative to accepted good practices*, both to define the starting point and to drive improvements. Once things start working more effectively and efficiently, the metrics will demonstrate progress, which in turn encourages more effort - a positive feedback loop that you can use to your advantage. Obvious when you think about it, or when you stumble across it on some random blog ...] 

#7 'Some random blog' brings me to my final strategy: proactively use social networks and social media for security awareness purposes. Email this blog's URL to your colleagues to pump-prime the discussions about strategies that might be worth pursuing. Set up a 'friends of infosec' mailing list or group at work to drip-feed and discuss relevant news, gently and repeatedly reminding people of the value of security awareness, in the sense of spotting emerging risks and avoiding nasty surprises. Publish relevant clips and links to awareness stuff on information security's intranet Security Zone. Mention security awareness in responses and comments to other people's blogs, emails and assorted corridor-comms at work. Drop it casually into your progress reports and management updates. Mention it to your esteemed colleagues from Risk, Privacy, Compliance and Audit over coffee, lunch or beer. Pop it in your newsletters. Be enthusiastic or evangelical like me, hopefully not boring and obnoxious though. [Hinson tip: bring this up in your blog, too. I've scratched your back ...].

* Get in touch for help with that. Awareness metrics are right up my street.

Apr 13, 2018

NBlog Friday 13th

Today is Friday the thirteenth, a classic opportunity to do something special as part of the security awareness program. How about organizing a fancy dress day with a parade, award ceremony and after-hours social event? 

The horror movie theme is obvious, perhaps too obvious ... but it's not hard to think of variants, ranging from the very simplest "Wear black or blood red" through "Dig out your best Halloween costumes" to "Audition to be a horror movie extra". You might give it more of an information risk and security spin by circulating stuff about malware, scams/frauds and nasty incidents, or not: a more subtle association might be good enough, a way to lighten-up a bit.

I appreciate it's far too late now to organize anything special for today but if you are keen, there are lots more awareness opportunities coming up throughout the year:
  • May 25th, GDPR implementation deadline, an obvious candidate for a privacy day (we're already on to that one!);
  • Other Friday thirteenths (the next is in July, then none until 2019) and Halloween (the last day of October, on a Wednesday this year);
  • Black Friday, the day after Thanksgiving, when everybody allegedly goes mad doing their shopping online in the run-up to Christmas. Possible awareness topics are online/Internet security, identification and authentication, performance and availability, business continuity ...
  • Minefield Monday, Super Tuesday, Wonderful Wednesday, Thunderous Thursday, Farcical Friday or whatever: nothing stops you inventing a special themed day (or a week or more) and running activities on some awareness topic that needs a boost. If it is not a public event, though, you and your team will have to do all the publicity yourselves; 
  • Turn a specific awareness topic into a themed event - a backup day, maybe, or patch Tuesday, or ... well hopefully you get the idea;
  • April Fool's Day - how about focusing on social engineering or fraud?
  • Hook in with special events such as "tax day", "world safety day", new year's day, election day and the like, finding and exploiting the information risk and security angles, perhaps in conjunction with colleagues from Health and Safety, Facilities, Finance, Risk Management, Legal/Compliance etc. 
If none of these ideas grabs your imagination, perhaps your colleagues can come up with something better. Turn that into a challenge if you like, opening it up to the workforce to get creative and suggest an information security themed day, event or activity.

Apr 12, 2018

NBlog April 12 - bringing managers up to speed

Today I Googled across a thought-provoking opinion piece published in Computerworld back in 2008. Jay Cline's top 5 mistakes of privacy awareness programs were:
  1. Doing separate training for privacy, security, records management and code of ethics. 
  2. Equating "campaign" with "program." 
  3. Equating "awareness" with "training." 
  4. Using one or two communications channels. 
  5. No measurement. 
Hmmm, not a bad list that. I've trimmed almost all of it away so if those few remaining words intrigue you, please read the original article.

We've been addressing all those points ever since NoticeBored was launched way back in 2003. It's galling, though, to note that those 'top 5 mistakes' are still evident today in the way that most organizations tackle awareness. 

We're doing our best to take current practice up a level through this blog, our awareness materials and services, and occasional articles. Perhaps we need a change of approach ... and we're working on that.

Jay's list of mistakes could be extended. In particular, most awareness programs focus on general employees or "end users". While Jay mentions offering role-based training for particular specialists, I feel that still leaves a gaping hole in awareness coverage, namely management. You could say they are specialists in managing, although there's no hint of that in Jay's piece.

Looking again at the list, all those mistakes could be classed as management or governance issues, being problems in the way the awareness and training programs and activities are structured and driven ... which, to me at least, implies the need to address that. It's a root cause. If management doesn't first notice that mistakes are being made, and then join-the-dots to figure out that the way security awareness as a whole is handled is probably causing the mistakes, then we're unlikely to see much improvement.

So, raising management's awareness of information security, risk, compliance, privacy, accountability, governance, assurance and so forth makes a lot of sense ... which is exactly what we aim to do through the management stream in NoticeBored. If management truly 'gets it', the awareness task becomes much more straightforward, giving the awareness and training program as a whole a much greater probability of success, leading to a widespread culture of security.

That leaves us with a chicken-and-egg conundrum though. If management doesn't quite 'get it', in other words if this security awareness stuff doesn't presently register with them as an issue worth investing in (or, more often, is treated as something trivial best left to IT or HR, with no real support and bugger all resources), then how can we tackle management's lack of awareness and break the deadlock?

I'll leave you now to contemplate that question, as I will be doing over the weekend. Maybe the vague thoughts I have in mind will crystallize into something more concrete for the blog next week. Meanwhile, by all means chip-in through the blog comments, or email me directly. I'd love to know what you think, especially any innovative and effective solutions you can offer. Is this an issue you face? How are you tackling it, or planning to do so? 

Apr 11, 2018

NBlog April 11 - a rich seam

Surprisingly often, a breaking news story falls into our laps at precisely the right moment.

Today, I've been developing a general staff awareness presentation on privacy. Three core messages appeal to me, this time around:
  1. Privacy is an ethical consideration - something we anticipate or expect of each other as members of a civilized society.
  2. Privacy is also a compliance obligation - something enshrined in the laws of the land and imposed on our organizations.
  3. Those two issues together make privacy a business issue.

So, what's been all over the news lately in relation to privacy? Why, the latest Facebook incident, of course. 

I'm not going to re-hash the story now, nor draw out the privacy lessons for you. I've given you more than enough of a clue already, and if you read the press coverage with a slightly cynical and jaundiced eye, you'll find your own take on the incident - as indeed will our subscribers' employees ... which makes it an excellent, highly relevant case study to incorporate into the awareness content.

Thanks to the saturation media coverage, we barely need mention 'Facebook' for people to think of the incident. Almost all will have seen the news reports. Those who use Facebook (a substantial proportion of people, we are led to believe) probably have perfectly reasonable concerns about their own privacy. Those who don't use it are also implicated, although we might need to explain that a little. Either way, it's something they can relate to, a story that resonates and has impact. We can pose a few questions that they can contemplate, in their own way, in their own time.

We will exploit their interest to engage them with the awareness program so, in a way, we are also exploiting the victims' personal information, but (we assert) it's for their own good, for the benefit of their employer and for the sake of human society. We mean well. We are not even vaguely approaching the boundaries of decency or legislation. Public incidents of this nature are perfectly legitimate and in fact rich resources for awareness, training and educational purposes. It would be a waste to let them drift back below our consciousness without milking them for all they're worth.

The real trick is to be constantly scanning the horizon for relevant news items. Information security is such a broad topic that finding stuff is hardly ever the issue - the very opposite in fact. The Facebook incident, for instance, is directly and obviously relevant to privacy, but also to incident management, compliance, governance, information risk, information security, cybersecurity, social engineering, fraud, accountability, business continuity and more.

Ethically speaking, I have no qualms about using reported incidents in this way, particularly where the protagonists are implicated in the incidents rather than merely being the poor unfortunate victims of some malicious third party. I'm currently trying to track down the original source of a quoted Goldman Sachs assessment of the eye-wateringly huge amount of revenue Facebook may forgo once GDPR comes into effect, with the strong implication that they have been making their fortune by exploiting the personal information of their users. OK so it may have been entirely legal, but was it appropriate? Was it ethical? Was it socially acceptable? These rhetorical questions hint at how we might explore the same incident from the business perspective in the management awareness materials, making a link that will hopefully get staff and managers thinking and talking animatedly about privacy.

And that's another security awareness win, right there.

Apr 10, 2018

NBlog April 10 - privacy guide

Aside from revising the materials from the NoticeBored privacy awareness module delivered last November, we're planning some brand new even fresher content this time around.

The imminent go-live date for GDPR is the most obvious reason for updating and re-issuing the privacy materials in May. It's timely. The awareness content should prove useful for organizations that are on-track for the May 25th deadline, helping to explain the hubbub to people who are not so directly involved in the GDPR changes. 

It may also be the final wake-up call for those who are still oblivious, ignorant of the wider effects GDPR will have, both within and beyond the EU. As of today, we're not exactly sure what changes to make though. More research required yet.

Another brand new awareness item we're planning to write and deliver this time around is a 'privacy guide' - a document explaining privacy concepts and practices in a way that hopefully grabs attention, informing and stimulating readers to take account of privacy in how they behave.

The privacy guide will be a challenge to write, not least because it's a new format we have in mind. When it's done, we'll have a model document to turn into a template or skeleton for future awareness topics, where applicable. I'm already thinking a 'malware guide' and 'social engineering guide' might be worth the effort, provided this first one goes to plan.

Apr 9, 2018

NBlog April 9 - GDPR final countdown

We've started working on May's awareness module - the final episode in a privacy series timed to support the run-up and coincide with GDPR (the General Data Protection Regulation) implementation.

It would be hard to find anything new to say this time around if it weren't for the fact that our customers are in a different situation now than when the privacy modules were released previously. They should all (hopefully!) be in the final throes of their GDPR compliance projects. Some may have had a lot of work to do, clarifying and analyzing the requirements, substantially modifying IT systems and business processes, and liaising with assorted information service suppliers to ensure they too will be compliant by May 25th. Others may have had an easier time with most of the requirements covered already. All will be anticipating the changes in their own organizations, and in others since we are all connected. 

The awareness materials they need now are (to some extent) different to those that were relevant before, with new perspectives and concerns. While the basics about privacy, risk, confidentiality etc. are the same as ever, saturation coverage of GDPR in the mainstream media is likely to grab attention for at least a few days around the 25th, hence we're planning for the awareness materials and activities to complement and build on that. 

Looking further forward, there are likely more peaks in media coverage when the first organizations are investigated under GDPR and then fined by the supervisory authorities for privacy incidents. We're seeing the effect right now with Facebook and Zuckerberg all over the news - and that's a story we can hook into as well.

Apr 8, 2018

NBlog April 8 - the value of forms

Assorted vendor questionnaires and/or other audits, surveys, inquiries, pre-contract assessments, compliance reviews, self-assessments, invitations to tender etc. received by the organization indicate various issues that are evidently of concern to third-parties such as customers, suppliers and stakeholders. Likewise those sent out by the organization to third-parties. 

The forms and responses are part of the assurance processes associated with:
  • Selecting between and contracting with third parties;
  • Establishing, checking on and maintaining ongoing business relationships;
  • Communicating relevant information, in the hope of concealing or identifying possible issues and concerns (depending on who is providing and consuming the information!);
  • Due diligence or due care, satisfying compliance obligations and clarifying liabilities (in the same way that failing to declare relevant matters on an insurance application or claim form can invalidate the cover, the information exchanged or withheld in the course of contracting may become significant in the event of a later incident ... which );
  • Increasing understanding and trust between the parties concerned.

Given its importance and value, the associated information (both the blank forms and the responses) perhaps ought to be included in information inventories, leading to the associated risks being managed in the same way as other information risks. 

For example, an engineering company might issue a set of specifications and ask a bunch of possible titanium suppliers a set of questions exploring their capabilities to deliver titanium of the specified quality. The criteria that matter most to the customer can be directly inferred from the questions asked, including the way they are worded (e.g. massive clues such as some being identified as "mandatory" requirements, and more subtle cues such as the order of the questions). Other potentially relevant issues that aren't even mentioned on the form are probably of lesser or no concern. Therefore, the blank form gives insight into the customer's key specifications.

A given titanium supplier would handle several such exchanges in a year, gradually gaining a view on their customers' requirements. If, say, the metal's hardness was an issue that came up in every case, that would clearly be a more important product criterion than, say, malleability, ductility, density or purity that were only brought up occasionally. Likewise for vendor capability questions such as financial stability. Is that a universal concern? How does it stand in relation to, say, years of trading or size of company? 

So, do you manage the information risks associated with vendor questionnaires and the like? Is this stuff on your risk-radar, or off the screen? I must admit if this hadn't come up on the ISO27k Forum so soon after we had completed the awareness module on assurance, it may not have occurred to me.

By the way, similar considerations apply to other kinds of forms, questionnaires, surveys, audit or self-assessment checklists etc. Both the blank and the completed forms reveal valuable/important information that may be relevant to information risk and security. The questions asked on, say, a passport application form plus the credentials requested tell us something about what the passport agency considers important in relation to establishing an applicant's identity, just as an applicant's responses tell the agency about the applicant: it's a two-way exchange of information. 

Apr 5, 2018

NBlog April 5 - fail fast, fail often

'Fail fast, fail often' is the creative idea that businesses (or business units, departments, teams, projects or even individuals) can deliberately push the envelope, innovating and taking chances (knowingly accepting some risks) to the point that they are prepared to fail.

'Fail often' is about being well-practiced at dealing with failure, having the appropriate arrangements in place, and responding positively - bouncing back on the front foot rather than being knocked back and landing in a heap, nursing their wounds. It's certainly not about wanting or trying to fail, nor being inept, incompetent or reckless - far from it. It's about consciously and deliberately choosing to get into some risky situations for sound business reasons, based on information and projections about the risks and opportunities, the costs and benefits. That takes a mature approach to risk management, business continuity management in particular. More than simply accepting that shit happens, it involves being or getting ready to deal with it, and having the fortitude to press ahead anyway. 
Those last two clauses are linked by the way. 'Being ready for whatever may happen' supports 'pressing ahead anyway' - it's assurance. It's the reason fast cars have good brakes. Would you hurtle if you didn't think you could stop smartly?

'Fail often' also implies taking bigger/more chances where the consequences of failure are lower - little fails are dealable-with. Total balls-out disasters are organization-, career- and maybe life-threatening. The point is to gain experience and become well-practiced under relatively limited or controlled conditions before heading out on to the highway in your brand new Bugatti.

'Fail fast' means spotting (at the earliest opportunity) when things look like they are going tits-up and dealing effectively with that developing situation to forestall and either avoid or minimize the damage, rather than failing to notice and respond both in good time and appropriately. This is another angle to risk management. It's mostly about situational awareness - spotting the little dog or kid about to run across the road, or the concrete lorry swerving desperately to avoid it. Knowing how to respond is another part of it.

Security awareness supports both 'fail fast' and 'fail often' ... or rather, given the right approach, it can do:
  • Being more aware of the things that might possibly go wrong makes managers and other business people and advisers more able to plan and prepare for them - and more likely to spot them coming (just as the driving instructor says "Watch out for kids" near a school or playground); 
  • Having the knowledge and the tools/methods - the competences - to explore and treat information risks improves the quality of decision making and actions. Knowing that there are options, alternative approaches, other possibilities, means less likelihood of being driven down a dead-end street by someone too blinkered to appreciate there might be other routes;
  • Being better informed raises the game for everyone involved. Even something as simple as being familiar with terms such as resilience, recovery and contingency gives risk and security-aware managers the advantage over their less clued-up peers. It certainly makes discussion more fruitful, less frustrating!
  • Understanding the wider context gives security-aware people a broader perspective on things, with less chance of literally 'being caught unawares'.
An obvious application of this in the IT/information sphere is agile software development - a suite of methods that aims to make changes to software systems much more frequent, albeit smaller, than through the traditional waterfall approach. There are numerous information risks associated with all software developments, and of course with the systems being developed. There are also numerous ways to deal with those risks. Security-aware people know this and are in a good position to take advantage of the possibilities and shortcuts, while avoiding the potholes. Security-ignorant people risk being taken advantage of, misled, hoodwinked into unwise decisions, led down the garden path and perhaps dumped unceremoniously down the well.

Less obviously, risk awareness supports decisions and actions in a far wider range of situations. I'm a big fan of prioritization as a universal approach, particularly risk-based and value-based prioritization: identify and deal with the most risky, most valuable stuff first and then work your way down to lesser priorities, constantly re-evaluating and monitoring for changes. If at any point you are stopped - maybe run out of money, suffer an incident or experience a dramatic change of circumstances - at least you can say you've secured the big wins already.

Apr 4, 2018

NBlog April 4 - 7 top tips on documentation

This piece was inspired by a disarmingly simple request on the ISO27k Forum.

Tom is implementing an Information Security Management System using the ISO27k standards, in a small company with fewer than 25 employees. 

Tom said "I think I need to understand better what should be documented and what not".

Good question, Tom!
  1. Documenting stuff forces you to concentrate and think carefully about whatever you are writing about. You focus on the topic at hand. It involves and requires a deeper level of analysis than simply doing stuff.

    [Hinson tip: preparing documentation is an intellectual process that benefits from experience and expertise. Don't leave it to the office junior, or the person who is generally considered useless and hence has time on their hands. Don't leave it 'til the last minute. Invest in doing it properly and reap the rewards.]

  2. For anything formal (such as policies and procedures) the documentation process generally involves a sequence of activities, several of which get other people involved e.g. in preparing, reviewing, authorizing and using the documentation … so the end products capture and bring together the knowledge of several people. It’s a team effort, a collaboration, a meeting-of-minds. Working together, you are greater than the sum of the parts.

    [Hinson tip: assemble a productive team, aligned on common goals and motivated to do a good job. Manage the documentation process and see tip 7.]

  3. The documentation acts as a proxy for the decisions and activities described.

    [Hinson tip: you can explain stuff to the auditors using the documents. You can guide and train people using the documents. You can review and update the decisions and activities by reviewing and updating the documents. Within reason, documentation is good ... however ...]

  4. The value of documentation depends on the extent to which the decisions and activities (what people actually do) match the documentation (what they should be doing). This critical control involves aspects such as training, oversight, compliance enforcement and reinforcement, plus the wider business and organizational context – the culture. Do your people read and follow documentation, on the whole, or do they only reluctantly refer to it if there’s a problem, or because the auditors are coming? The way stuff is written and used is extremely important here: it has to be clear and motivational. It needs to be well structured (both the individual items and the overall suite of materials), well designed, well written. It will probably work better if supported by guidelines, training materials and so on.

    [Hinson tip: you can even develop metrics to drive these things in a positive direction, if that’s important to you. Ask me how.]

  5. The auditors will object if people don’t do what they are supposed to do, according to the documentation. It's not (just) that auditors are objectionable or sticklers for details. The auditor’s nose is like a bloodhound’s, seeking out these little discrepancies which are legion. Any substantial discrepancies will be reported and may be A Problem for you.

    [Hinson tip: counter this by being smart about the way things are written: if people have choices and other options, say so – give them discretion in the documentation. If some things are definite rules and requirements (especially your key controls), be crystal clear about the mandatory bits. For example, reserve “must” and “must not” for absolute mandatory requirements and prohibitions, using “may” or “should” or "ought" or "can"  or other such phrasing for the advisory stuff … and have a process to deal with exemptions (authorized non-compliance) and exceptions (unauthorized non-compliance incidents). If the auditors complain about discretionary things not being done as per the documentation, push back by pointing out that they are discretionary for good reason: business comes first. Business people are grown-ups! They are not just empowered, they are expected to do what's best for the organization, within the constraints of the mandatory bits.]

  6. It’s all too easy for docu-philes to write and write [and write] but that can be costly and counterproductive. Keep it simple especially at the start. You can always elaborate later if things are unclear or are not working as planned, or if you discover workable short-cuts and improvements (that's 'maturity'). If you don’t write enough, there is not enough guidance for the people who need it, with gaps and omissions that force them to make stuff up. If you write too much, it won’t be read and it’s expensive to maintain, while inconsistencies and conflicts are more likely. There are information risks either way … which you need to manage. This is something only you can do: without more information about your situation, I can’t advise you on the volume, depth and breadth of your documentation, other than to start small.

    [Hinson tip: use diagrams and illustrations, not just words. It takes extra effort and different skills to draw neat process diagrams, for instance, but they make the sequence clearer for users and act as a tl;dr summary for those who aren't sure they want to read the whole thing. A picture paints a thousand words, and can be 'a work of art', eh Picasso?]

  7. Designing, building, using and maintaining the documentation suite is itself a process that can be managed, formally designed and documented … but don’t lose the plot. ISO/IEC 27009 is a prime example of when the formalities go a step too far: an internal committee advisory about how to write industry-specific variants of the ISO27k standards unwisely became a published standard, causing problems for the very committee that wrote it! There is some advantage in making the documentation process effective and efficient (especially if you are doing a lot of important documentation, in a big company), but don’t go overboard.

    [Hinson tip: take a look at how other policies and procedures in your organization are managed for clues about how to make it work best. Let the process evolve naturally until it works well for you and then capture it in writing only if there is a genuine need for the red tape.]
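Tip 5 above recommends reserving "must"/"must not" for mandatory requirements and "should"/"may"/"can"/"ought" for advisory wording, so that auditors can tell discretion from rules. The following is an added example, not NoticeBored's own code: a small policy-wording linter that classifies each sentence by its modal verbs and flags sentences that mix strengths or read like a rule without stating any modal. The sample policy text is constructed for the example.

```python
"""Policy wording linter (added example, not NoticeBored's own code).

Classifies each sentence of a policy as mandatory, advisory, mixed, unclear
or informative from the modal verbs it uses, following the tip to reserve
"must"/"must not" for requirements and "should"/"may"/"can"/"ought" for advice.
"""
import re
from collections import Counter

# Two-word forms are listed first so "must not" matches before "must".
MODAL_RE = re.compile(
    r"\b(must not|shall not|should not|must|shall|should|may|can|ought)\b",
    re.IGNORECASE,
)
MANDATORY = {"must", "must not", "shall", "shall not"}
ADVISORY = {"should", "should not", "may", "can", "ought"}
# Wording that sounds like a rule but uses no modal at all: the reader and the
# auditor have to guess whether it is mandatory or discretionary.
VAGUE_RE = re.compile(r"\b(required|mandatory|need to|have to|expected to)\b",
                      re.IGNORECASE)


def split_sentences(text: str) -> list[str]:
    """Naive sentence splitter: break after . ! ? followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def classify(sentence: str) -> tuple[str, list[str]]:
    """Return (level, modals found) for one sentence."""
    modals = [m.lower() for m in MODAL_RE.findall(sentence)]
    levels = {"mandatory" if m in MANDATORY else "advisory" for m in modals}
    if levels == {"mandatory"}:
        return "mandatory", modals
    if levels == {"advisory"}:
        return "advisory", modals
    if len(levels) == 2:
        return "mixed", modals        # one sentence carrying two strengths: split it
    if VAGUE_RE.search(sentence):
        return "unclear", modals      # reads like a rule but states no modal
    return "informative", modals      # plain description, nothing to comply with


def lint_policy(text: str) -> list[dict]:
    """Classify every sentence of a policy text."""
    findings = []
    for sentence in split_sentences(text):
        level, modals = classify(sentence)
        findings.append({"sentence": sentence, "level": level, "modals": modals})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count sentences per level, e.g. to track the mandatory/advisory balance."""
    return dict(Counter(f["level"] for f in findings))


def needs_rewrite(findings: list[dict]) -> list[str]:
    """Sentences an author should split or reword before the auditors arrive."""
    return [f["sentence"] for f in findings if f["level"] in ("mixed", "unclear")]


# Constructed sample policy text for the example (not from any real policy).
SAMPLE_POLICY = (
    "Laptops must be encrypted with full-disk encryption. "
    "Staff should lock their screens when leaving a desk. "
    "Visitors may be escorted, and hosts must sign them in. "
    "Passwords are required to be changed regularly. "
    "The help desk operates from 08:00 to 18:00. "
    "All staff must complete the annual awareness course."
)

if __name__ == "__main__":
    results = lint_policy(SAMPLE_POLICY)
    for f in results:
        print(f"{f['level']:<11} {f['sentence']}")
    print(summarize(results))
    print("Rewrite:", needs_rewrite(results))
```

The sentence splitter is deliberately simple; for real policy documents, feed it one paragraph or clause at a time rather than a whole file.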
If this seems too hard, too much effort, there are shortcuts such as employing competent professional authors (such as me) and using templates. Treat it as a small investment to get to a better result more quickly and efficiently than you would otherwise achieve.

Apr 3, 2018

NBlog April 3 - blowing the whistle

"No, Panera Bread Doesn't Take Security Seriously" is a heartfelt piece by Dylan Houlihan regarding a company that was notified responsibly of a privacy breach but apparently failed to act until, some 8 months later, it was informed by Brian Krebs. Then, all of a sudden, it reacted. 

This is far from the first time a whistleblower has been rebuffed.

Organizations clearly need strategies, policies and procedures for receiving and dealing with incident notifications and warnings of all sorts. 

Doing so makes sense for several good reasons:
  • Business reasons e.g. hacking, fraud, privacy breaches and other inappropriate disclosures;
  • Compliance reasons e.g. PCI-DSS and [soon] GDPR;
  • Ethical/social reasons e.g. offensive/inappropriate behavior or bribery & corruption by workers, failure to uphold corporate social responsibilities;
  • Bringing those responsible for various issues to account. 
So why don't they? Lame excuses include:
  • It's not the done thing;
  • We can't be bothered - we don't give a hoot - we simply don't care;
  • It hasn't occurred to us;
  • It is too risky to open Pandora's box;
  • It positively invites trouble;
  • It is too expensive;
  • It is not a priority - there are More Important Things we'd rather do;
  • We didn't invent it;
  • We are not formally required to do anything of the sort, therefore we won't even consider it - it's not on the table.
More sinister reasons include:
  • We are scared of being found out and held to account;
  • We know we have big issues already - telling us won't help;
  • So long as we have our eyes closed and fingers in our ears, we can pretend everything is alright.

Apr 1, 2018

NBlog April 1 - no foolin

We have published the security awareness module on assurance, I assure you. Rest assured, the module is on its way to NoticeBored subscribers. For sure.

This is not a test. We're no April fools, har har.

Assurance is a broad topic, stretching well beyond the obvious assurance-related functions such as Audit and Quality Assurance ... which makes it a surprisingly strong subject for security awareness purposes - our 64th topic in fact. 

Although we haven't produced an assurance module as such before, we've certainly touched on it in subjects such as integrity, trust, audit and oversight. We have seized the opportunity to focus-in on and explore assurance in more depth … while at the same time reinforcing core awareness messages on the integrity, trust and control value of assurance, for business, compliance, management (including risk management) and governance reasons.

In uncertain situations or circumstances, assurance can be extremely valuable, particularly where uncertainties concern information that is important to the organization. Assurance reduces the uncertainty element of risk. It closes the gaps between perception and reality.

Assurance is a relative, not an absolute state: there are levels or degrees of assurance depending on factors such as:

  • The competence and integrity of those providing assurance (e.g. whereas professional penetration testers may seem more likely to find network security issues than amateurs, amateurs may be more numerous, more motivated, more competent and more inclined to try risky forms of testing);
  • The nature of the assurance measures (e.g. audits, tests, reviews and simple claims or assertions affect the amount of assurance gained);
  • The record or experience (e.g. if an IT system passes all its pre-release tests but subsequently fails in service, that naturally calls into question the testing performed and the way it was managed; if a test laboratory is found to have been faking or manipulating tests, current and prior results are less credible, perhaps untrustworthy).

Assurance is relevant to business relationships, and to the organization as a whole in the sense of being perceived by others as a trustworthy organization, reliable and safe to do business with. Assurance measures such as certification of organizations by accredited certification bodies not only demonstrate their competence in various fields, but also drive up standards through the adoption of widely-acknowledged good practices.

Looking further afield, outside the organization, assurance is also of concern to third-parties such as:
  • External Audit and similar external inspection functions such as certification auditors for ISO27k and PCI-DSS;
  • Customers - who need to know the products they are buying will deliver the benefits promised and anticipated;
  • Suppliers - who need to know they will be paid and would like to rely on future business;
  • Owners of the organization, with an obvious interest in its health and prosperity;
  • Various authorities, the tax man for instance and industry regulators concerned about compliance;
  • Society at large - since discovering something unexpected and untoward about any organization is generally shocking.

Get in touch to purchase this module and take your security awareness and training program to a higher level of assurance.

Mar 30, 2018

NBlog March 30 - quality assurance

Our own assurance measures kick into top gear about now with the impending completion of the next awareness module - specifically proofreading and final corrections on the awareness materials before they are packaged up for delivery.

Like any craftsmen, we take pride in our work. It's what we do, our specialism. We strive to make our output as good as we possibly can, a perfectionist streak that probably goes beyond what's strictly necessary. It flows from our deep-set belief in the value of integrity, both as individuals and as a business.  It matters.

Quality assurance is integral to our production process. Checking our finished work (quality control) is the final stage and an opportunity for me to take stock. Having had my head inside the topic all month, it's good to step back for a look at the whole package of awareness goodies as it comes together. Provided the proofreading reveals few issues, I'm reassured that we did a good job, bringing the month's activity to a satisfying close. Hearing that there were "No errors found, no changes needed" always raises a smile.

As an awareness specialist and information security professional, it worries me when I hear people recommending awareness materials freely available on the Web because I know what that means. Sure there is stuff out there, plenty of volume and some variety, but what about the quality? I'm naturally critical thanks to that perfectionist streak I mentioned. I see everything from technical flaws, biases and glaring omissions, down to grammatical errors and speling misteaks - things that will surely confuse, distract and mislead readers if the materials are used.

I see a curious reluctance to invest in awareness, given that the substantial investment in antivirus software, firewalls, security guards and all the rest is enabled and enhanced by awareness and training.  Does penny-pinching on awareness content reflect a lack of understanding and appreciation by management of the business value of awareness (due, I guess, to their own lack of awareness)? And what does it say about organizational commitment to information risk, security, privacy, compliance etc.? 

While there are some gems, among the free materials I often spot logical errors, bad advice, inconsistencies, outmoded concepts and outdated examples ... and I worry about the same issues in our own materials, especially when we are pushing the boundaries by exploring new topics. We're not immune, we have our constraints and biases too. So when customers come back to renew their subscriptions, recommend us to their peers and express their gratitude for the materials, that's a real confidence-booster - the ultimate in assurance you could say.

Mar 29, 2018

NBlog March 29 - smart assurance

With just days to go to the delivery deadline, April's NoticeBored security awareness module on assurance is rounding the final corner and fast approaching the finishing line.

I've just completed updating our 300+ page hyperlinked glossary defining 2,000+ terms of art in the general area of information risk management, security, privacy, compliance and governance. Plus assurance, naturally.

As I compiled a new entry for Dieselgate, it occurred to me that since things are getting smarter all the time, our security controls and assurance measures need to smarten-up at the same rate or risk being left for particulates. Emissions and other type-testing and compliance verification for vehicles needs to go up a level, while the associated safety and technical standards, requirements, laws and regulations should also be updated to reflect the new smart threats. In-service monitoring and testing becomes more important if we can no longer rely on lab tests, but that creates further issues and risks relating to the less-well-controlled environment such as problems with inconsistencies and calibration, as well as the practical issues of testing products while they are being used. Somehow I doubt in-service testing will prove cheaper and quicker than lab tests!

Product testing is a very wide field. Take medical products for instance: there are huge commercial pressures associated with accredited testing and certification, with implications on safety and profitability. Presumably smart pacemakers or prosthetics could be programmed to behave differently in the lab and in the field, in much the same way as those VW diesel engines. Same thing with smart weapons, smart locks, smart white goods and more. I'm not entirely sure what might be gained by beating the system although it's not unreasonable to assume that 'production samples' provided for approval testing and product reviews will have thicker gold plating than the stuff that makes it to market. 

The more things are software-defined, the greater the possibility of diversity and unanticipated situations in the field. The thing that passed the test may be materially different to the one on the shelf, and it could easily change again with nothing more than a software update or different mode of operation.

At the same time, testing is being smartened-up. For decades already, lab test gear has been increasingly computerized, networked and generalized, allowing more sophisticated, reliable and comprehensive tests. I guess the next logical step is for the test gear to communicate with the equipment being tested to interrogate its programming and configuration, supplementing more conventional tests ... and running straight into the assurance issue concerning the extent to which the information offered can be trusted.

The various types of assurance required by owners/investors, authorities and regulators can be made smarter too, through the use of more sophisticated data collection and analysis - with the same issue that fraudsters and other unethical players are increasingly likely to try to beat the tests and conceal their nefarious activities through smarts. Remember Enron and Barings Bank? There are significant implications here for auditors, inspectors and other forms of oversight and rule-checking.

"At what point would you like your product to comply with the regulations, sir?"

The Iraqi/US WMD fiasco is another strong hint that deadly games are being played in the defense domain, while fake news and reputational-engineering are further examples of the information/cyberwars already raging around us. Detecting and hopefully preventing election fraud gets tougher as election fraudsters become smarter. Same with bribery and corruption, plus regular crimes.

Despite being "weird" (I would say unconventional, creative or novel), assurance has turned out to be a fascinating topic for security awareness purposes, with implications that only occurred to me in the course of researching and preparing the materials. I hope they inspire at least some of our customers' people in the same way, and get them thinking more broadly about information risk ... because risk identification is what launches the risk management sequence. If you don't even recognize a risk as such, you're hardly going to analyze and treat it, except by accident - and, strangely, that does not qualify as best practice.