Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Nov 17, 2018

NBlog Nov 17 - all quiet? TOO quiet?

Don’t just hoard your feedback and metrics: use them! Squeeze every last drop of value from them!

It is all too easy to down-play or dismiss comments and especially criticisms about the awareness program. Resist your natural defensive tendencies. Collate and take another, dispassionate look at your awareness metrics and the feedback you have received in recent months concerning information security and/or the awareness and training program. Try to identify common threads or themes that might have escaped your attention previously, or that seem to crop up repeatedly.

This kind of review is best conducted as a team exercise, better still if you persuade some of your most vocal/persistent critics to get actively involved (invite them to your review meetings, give them the floor and listen hard to what they have to say!). SWOT analysis and brainstorming techniques can help tease out genuine concerns and novel ways to tackle them. For example, if your budget is a serious constraint on the awareness program, there may be free/cheap alternatives and more efficient and effective ways of using whatever you have. 

Metrics and verbatim comments from your audience demonstrating demand for and appreciation of your awareness and training activities should make your status reports more positive and budget requests more compelling.

If you aren't getting much in the way of feedback, don’t sit on your laurels.  Perhaps the awareness program is going extremely well but are you really doing enough to encourage feedback, or are people too lazy or too intimidated to respond? Consider commissioning an independent third party to conduct an anonymous survey on your behalf, or at least set aside a few minutes every day to call or visit people to find out what they truly think. Write yourself a basic script if it helps e.g. start by asking questions about current or recent awareness topics and activities/events.

Nov 16, 2018

NBlog Nov 16 - trust awareness

Among other findings, PwC's "The Journey to Digital Trust" report picks on inadequate attention to awareness and training:
"Many businesses could do more to raise employee awareness and accountability around cybersecurity and privacy. Only 34% of respondents say their company has an employee security awareness training program. Only 31% say their company requires employee training on privacy policy and practices."
Less than a third of companies require training on their privacy policies and procedures? Wow! The other two thirds presumably expect their people to 'just know' this stuff. Perhaps it gets into their heads through osmosis, Vulcan mind melds or magic crystals. Perhaps management is over-reliant on the general news media and public awareness activities, forgetting that we are all awash in a vast ocean of information. Picking out the Stuff That Matters is getting harder and harder by the second.

It is any surprise, then, that privacy breaches and other information incidents occur so often? I suspect a good proportion of the organizations that do provide privacy awareness have suffered already - they've learnt the hard way, whereas the rest of us can and should learn from their mistakes.

It's hardly rocket surgery: if workers are expected to do stuff and not do other stuff in order to secure information, maintain privacy and satisfy all the other requirements to minimize information risks and compliance, surely they need to know what's expected of them. Just as kids need to be told and shown, repeatedly, what's right and what's wrong, adults need instruction and guidance in this area.

PwC offers the following 'Actionable advice for business leaders':
  • "Prioritize raising workforce awareness about cybersecurity and privacy to support business objectives. Use messaging that avoids invoking security fatigue and is memorable enough to influence behavior when busy employees later face phishing schemes and other sophisticated threats.
  • Establish corporate policies governing access to IT assets and data. Enforce the policies at all levels of the company to drive accountability for cybersecurity and privacy."
Well said, PwC! I agree with emphasizing business objectives, although they might also have mentioned personal, team and social objectives: information security and privacy are not just important for our organizations. Protecting the interests of customers, for instance, by adequately protecting their personal information is not purely a strict business matter. Influencing employee behavior is an important goal ... and I might add that influencing decisions (especially management decisions made by business leaders) is one of the most powerful changes that an effective awareness and training program can achieve.

PwC's mention of policies and accountability smacks of the compliance-driven culture which is particularly strong in America and increasing elsewhere in the world - GDPR being a topical example. Noncompliance with the privacy regulations can seriously damage the bottom line and be career-limiting for those held to account for their failures, including management's bad decisions I just mentioned. It's a governance matter. Duck and cover is not a viable response.

Nov 14, 2018

NBlog Nov 14 - lack of control =/= vulnerability

A common misunderstanding among infosec professionals is that vulnerabilities include the lack or inadequacy of various infosec controls e.g. 'the lack of security awareness training'.

No     No!    NO!

Vulnerabilities are the inherent weaknesses that may be exposed and exploited by the threats, leading to impacts. 

In the lack-of-awareness example, people's naivete and ignorance are inherent weaknesses that may be exposed in various situations (e.g. when someone receives a phishing email) and exploited by threats (the phishers in this case i.e. fraudsters using social engineering techniques to mislead or misdirect victims into clicking dubious links etc.) leading to various impacts (malware infection, identity fraud, blackmail or whatever), hence risk. Naivete and ignorance are vulnerabilities. There are others too, including human tendencies such as greed and situations that distract us from important points, such as security warnings from our email and browser software, or that little voice in our head whispering "Too good to be true!".

Vulnerabilities exist with or without the controls. Sure, well-designed and implemented controls mostly reduce vulnerabilities but the lack of a control is not itself a vulnerability. It's a lack of control, something fundamentally different. 

Effective infosec awareness and training compensate for and reduce the naivete and ignorance, in part, and give people the skills and motivation to spot and deal appropriately with threats to  information, such as phishing. The control is imperfect, though - we know that - hence the risk is not totally eliminated, merely reduced ('mitigated' in the lingo). The limitations are two-fold: (1) those inherent issues run deep, and (2) the threats are constantly morphing.

I've blogged about this before and was reminded of it yet again today when checking out some 'infosec threat catalogs' on the Web. There are some potentially useful generic infosec threat lists out there but most also list non-vulnerabilities such as lack of awareness, catching my beady eye and distracting me. Those hijack my attention and wind me up, to the point that I refuse to recommend the associated threat catalogs even if those bits are sound. I won't propagate the misconception that lack of control is vulnerability.

Yes, I'm vulnerable too. I'm human. Allegedly. My button is hot.

To complicate matters further, controls can contain or be associated with vulnerabilities. Controls sometimes fail to work as designed. They break or are broken, get bypassed, misconfigured or turned off, or are simply overwhelmed - a genuine concern for phishing given the sheer number and growing variety of attacks. Nevertheless, I maintain that control weaknesses are not vulnerabilities. They are conceptually distinct.

Weak or missing controls result from inherent weaknesses or flaws in our information security practices, which are vulnerabilities. Misunderstanding "vulnerability" is both a vulnerability and a threat, at which point I'm going to leave this top a-spinning as I stagger back to my morning coffee.

Nov 13, 2018

NBlog Nov 13 - what to ask in a security gap assessment (reprise)

Today on the ISO27k Forum, a newly-appointed Information Security Officer asked us for "a suitable set of questions ... to conduct security reviews internally to departments".

I pointed him at "What to ask in a gap assessment" ... and made the point that if I were him, I wouldn't actually start with ISO/IEC 27002's security controls as he implied. I'd start two steps back from there:
  1. One step back from the information security controls controls are the information risks. The controls help address the risks by avoiding, reducing or limiting the number and severity of incidents affecting or involving information: but what information needs to be protected, and against what kinds of incident? Without knowing that, I don't see how you can decide which controls are or are not appropriate, nor evaluate the controls in place.
  2. Two steps back takes us to the organizational or business context for information and the associated risks. Contrast, say, a commercial airline company against a government department: some of their information is used for similar purposes (i.e. general business administration and employee comms) but some is quite different (e.g. the airline is heavily reliant on customer and engineering information that few government departments would use if at all). Risks and controls for the latter would obviously differ ... but less obviously there are probably differences even in the former - different business priorities and concerns, different vulnerabilities and threats. The risks, and hence the controls needed, depend on the situation.
I recommend several parallel activities for a new info sec pro, ISO, ISM or CISO – a stack of homework to get started:
  • First, I find it helps to start any new role deliberately and consciously “on receivei.e. actively listening for the first few weeks at least, making contacts with your colleagues and sources and finding out what matters to them.  Try not to comment or criticize or commit to anything much at this stage, although that makes it an interesting challenge to get people to open up!  Keep rough notes as things fall into place.  Mind-mapping may help here.
  • Explore the information risks of most obvious concern to your business. Examples:
    • A manufacturing company typically cares most about its manufacturing/factory production processes, systems and data, plus its critical supplies and customers;
    • A services company typically cares most about customer service, plus privacy;
    • A government department typically cares most about ‘not embarrassing the minister’ i.e. compliance with laws, regs and internal policies & procedures;
    • A healthcare company typically cares most about privacy, integrity and availability of patient/client data;
    • Any company cares about strategy, finance, internal comms, HR, supply chains and so on – general business information – as well as compliance with laws, regs and contracts imposed on it - but which ones, specifically, and to what extent?;
    • Any [sensible!] company in a highly competitive field of business cares intensely about protecting its business information from competitors, and most commercial organizations actively gather, assess and exploit information on or from competitors, suppliers, partners and customers, plus industry regulators, owners and authorities;
    • Not-for-profit organizations care about their core missions, of course, plus finances and people and more (they are business-like, albeit often run on a shoestring);
    • A mature organization is likely to have structured and stable processes and systems (which may or may not be secure!) whereas a new greenfield or immature organization is likely to be more fluid, less regimented (and probably insecure!);
  • Keep an eye out for improvement opportunities - a polite way of saying there are information risks of concern, plus ways to increase efficiency and effectiveness – but don’t just assume that you need to fix all the security issues instantly: it’s more a matter of first figuring out you and your organization’s priorities. Being information risk-aligned suits the structured ISO27k approach. It doesn’t hurt to mention them to the relevant people and chat about them, but be clear that you are ‘just exploring options’ not ‘making plans’ at this stage: watch their reactions and body language closely and think on;
  • Consider the broader historical and organizational context, as well as the specifics. For instance:
    • How did things end up the way they are today? What most influenced or determined things? Are there any stand-out issues or incidents, or current and future challenges, that come up often and resonate with people?
    • Where are things headed? Is there an appetite to ‘sort this mess out’ or conversely a reluctance or intense fear of doing anything that might rock the boat? Are there particular drivers or imperatives or opportunities, such as business changes or compliance obligations? Are there any ongoing initiatives that do, could or should have an infosec element to them?
    • Is the organization generally resilient and strong, or fragile and weak? Look for examples of each, comparing and contrasting. A SWOT or PEST analysis generally works for me. This has a bearing on the safe or reckless acceptance of information and other risks;
    • Is information risk and security an alien concept, something best left to the grunts deep within IT, or a broad business issue? Is it an imposed imperative or a business opportunity, a budget black hole (cost centre) or an investment (profit centre)? Does it support and enable the business, or constrain and prevent it?
    • Notice the power and status of managers, departments and functions. Who are the movers and shakers? Who are the blockers and naysayers? Who are the best-connected, the most influential, the bright stars? Who is getting stuff done, and who isn’t? Why is that?
    • How would you characterize and describe the corporate culture? What are its features, its high and low points? What elements or aspects of that might you exploit to further your objectives? What needs to change, and why? (How will come later!)
  • Dig out and study any available risk, security and audit reports, metrics, reviews, consultancy engagements, post-incident reports, strategies, plans (departmental and projects/initiatives), budget requests, project outlines, corporate and departmental mission statements etc. There are lots of data here and plenty of clues that you should find useful in building up a picture of What Needs To Be Done. Competent business continuity planning, for example, is also business-risk-aligned, hence you can’t go far wrong by emphasizing information risks to the identified critical business activities. At the very least, obtaining and discussing the documentation is an excellent excuse to work your way systematically around the business, meeting knowledgeable and influential people, learning and absorbing info like a dry sponge.
  • Build your team. It may seem like you’re a team of 1 but most organizations have other professionals or people with an interest in information risk and security etc. What about IT, HR, legal/compliance, sales & marketing, production/operations, research & development etc.? Risk Management, Business Continuity Management, Privacy and IT Audit pro’s generally share many of your/our objectives, at least there is substantial overlap (they have other priorities too). Look out for opportunities to help each other (give and take). Watch out also for things, people, departments, phrases or whatever to avoid, at least for now.
  • Meanwhile, depending partly on your background, it may help to read up on the ISO27k and other infosec standards plus your corporate strategies, policies, procedures etc., not just infosec. Consider attending an ISO27k lead implementer and/or lead auditor training course, CISM or similar.  There’s also the ISO27k FAQ, ISO27k Toolkit and other info from ISO27001security.com, plus the ISO27k Forum archive (worth searching for guidance on specific issues, or browsing for general advice).  If you are to become the organization’s centre of excellence for information risk and security matters, it’s important that you are well connected externally, a knowledgeable expert in the field. ISSA, InfraGard, ISACA and other such bodies, plus infosec seminars, conferences and social media groups are all potentially useful resources, or a massive waste of time: your call. 
Yes, I know, I know, that’s a ton of work, and I appreciate that it’s not quite what was asked for i.e. questions to ask departments about their infosec controls. My suggestion, though, is to tackle this at a different level: the security controls in place today are less important than the security controls that the organization needs now and tomorrow. Understanding the information risks is key to figuring out the latter.

As a relative newcomer, doing your homework and building the bigger picture will give you an interesting and potentially valuable insight into the organization, not just on the information risk and security stuff … which helps when it comes to proposing and discussing strategies, projects, changes, budgets etcHow you go about doing that is just as important as what it is that you are proposing to do. In some organizations, significant changes happen only by verbal discussion and consensus among a core/clique (possibly just one all-powerful person), whereas in some others nothing gets done without the proper paperwork, in triplicate, signed by all the right people in the correct colours of ink! The nature, significance and rapidity of change all vary, as do the mechanisms or methods.

So, in summary, there's rather more to do than assess the security controls against 27002. 

PS  For the more cynical among us, there’s always the classic three envelope approach.

Nov 7, 2018

NBlog Nov 7 - risk awareness (more)

The controls suggested in Annex A of 27001 and the other ISO27k standards are typical, commonplace, conventional, good practice … whatever. Mature organizations often use them and find them useful. They have evolved into being over decades of experience with IT and millennia of experience with the use of information in a business context, and they are still evolving today. Cloud, BYOD and IoT, for examples, are all relatively new hence the associated risks are still emerging and the controls are a work in progress. Fraud, espionage and hacking are always going to remain challenging because of the ongoing arms-race between defenders and attackers: as fast as the controls are improved, the threats change. 

The published ISO27k standards present a fraction of the accumulated knowledge of thousands of ISO/IEC JTC1/SC27 committee members and helpers around the world with experience in myriad organizations and situations. Most committee members accept the advice is valid, useful and worthwhile, on the whole. The standards development process reaches consensus among the committee, or as close as we can get with the occasional stalemate, truce, abstention or objection!

The standards are generic – deliberately so since they are meant to be applicable to any and all organizations. They need to be interpreted and applied sensibly according to the specific context of each organization. Key to doing that in the ISO27k way is first for the organization to figure out its information risks, consider and evaluate them, then use the advice in the standards (and/or elsewhere) as guidance on how those risks might be treated.

Sounds straightforward in theory, but in practice? 

Any individual organization, manager, or information risk and security professional, may not have experienced all the issues that led to the controls being included in the standards - in other words, some of the information risks have not eventuated for them. Some may have occurred but not been recognized as such (e.g. the risk of losing valuable intellectual property when knowledge workers leave the organization may not be apparent, at least not for some time). Therefore, those risks may not feature at all on their risk landscape, or may be downplayed and perhaps lost among the weeds.

Hopefully, though, the exercise of reviewing the controls outlined in the standards leads to the corresponding risks being considered, although this is far from guaranteed, especially if those using the standards are inexperienced in the field. I would prefer the ISO27k standards themselves to be risk-driven in the same way as the ISO27k approach, explaining what information risks are addressed by the standards and, ideally, each of the controls within.

Failing that, we routinely document the information risks associated with each of the security awareness topics in our portfolio for the same reason: helping our customers' awareness audiences understand the purposes or objectives of the suggested controls in each area.

At the moment, the risks are integrated and discussed within various NoticeBored awareness materials - the presentations, briefings, newsletters etc. Maybe for 2019 we might produce a discrete deliverable for each module specifically on the risks. Hmmmm. That's a thought. I can already picture the format. Drafting the first 'Information risk profile' (or whatever we call it) will be the chance to generate a template to stabilize the format.

That's another thing for my lengthy to-do list. Talking of which, must dash ...

Nov 5, 2018

NBlog Nov 5 - end of year awareness and training review

As we plummet towards the end of another year, now is an opportunity to take a long hard look at your awareness and training program as a whole, thinking forward to next year and beyond. Here are some things to bear in mind.

Is the program pitched appropriately? Is your awareness and training approach polished in appearance? Does it look good? Is it professional? Is the branding and presentation up to scratch? Is it attracting sufficient interest and engagement? Is it reaching all the right people across the organization?

What about the delivery mechanisms and awareness activities: are you making good use of the available corporate communications and training facilities? Consider your Learning Management System, intranet, notice boards, seminar and training rooms, email circulations, newsletters, company magazines, courses, briefing sessions, lunchtime updates, security clubs and so on. By all means focus on the methods that achieve the most benefit for the least effort, but don't completely discount the others including novel approaches. Look around for additional opportunities. Remember, you have a diverse audience with differing personalities and preferences. A diverse comms approach takes more effort but increases the reach.

How well is your security awareness and training program working out, in fact? Is it well-respected and popular with punters? Is it adequately funded and proactively supported by management? 

Critically review relevant metrics such as awareness test results and attendance figures, and study evaluation feedback comments to see things from the perspectives of the awareness and training participants. Look at training records and skills profiles. Run an impromptu survey if you need more data.

As your experience and maturity grows, you will undoubtedly find ways to tweak and refine your awareness and training program, possibly making substantial improvements (such as subscribing to NoticeBored!). Talk to colleagues in HR, Health and Safety, Risk etc. about how their awareness and training programs and activities are doing. Share good ideas and novel approaches. Collaborate and work as a team to address common issues and collectively raise your game.

What about the awareness and training program management and governance arrangements: are there rough edges that need attention? Can the metrics and reporting be improved to deliver better value and efficiency (better outputs from less work!)? Do you have sufficient resources - not just budget but people, skills, sources, systems and so on? If you could wave a magic wand, what would you most like to do with additional resources?

Use all of this to review/update your strategy and plan your awareness and training program for 2019. Make notes on what you intend to:
Outline the most effective bits, the approaches, activities etc. that are working well and delivering real business value.
This is the low-value, outdated stuff that no longer earns its keep, is unpopular and frankly not worth the effort any more.
The things that need revision.
Clarify the need or justification for change, elaborate on the anticipated improvements and (for the plan)
at least outline how the changes
are to be made.
innovation helps keep the awareness and training program topical, engaging and relevant. As well as updating the content, updating
the delivery mechanisms etc. can breathe new life into it.

Regarding innovation, for example, millennials just joining the payroll are likely to be more familiar with mobile devices and social media than the average worker, and being new they are obvious targets for awareness and training ... so ... how can you exploit their interests and technological mastery?  

We, too, are enthusiastically reviewing our services in preparation for the new year. No matter how good we are, we can always do better. That hunger for quality improvement is part of our passion for security awareness and training. We can't help it. We love this stuff!

Nov 1, 2018

NBlog Nov 1 - cloud computing security awareness module released

Cloud computing is a strong and still growing part of the IT industry. It’s a hit!
However, the relative novelty of cloud computing puts inexperienced or naive managers, staff and professionals at something of a disadvantage: lacking appreciation of the technology and the commercial/business context, the information risks and especially the security and other cloud-related controls aren’t exactly obvious.
Information security (in the broadest sense – not just IT or cybersecurity) is a major concern with cloud computing, a source of aggravation and costs for the unaware. The organization's professionals/specialists in areas such as IT, risk, compliance and business continuity should have a deeper understanding of the pros and cons of clouds but have you every wondered how that level of knowledge is achieved? 
Simply put, securing the anticipated business benefits of cloud computing involves addressing the information risks that are associated with it.  If the risks are simply ignored, the benefits may be reduced or destroyed by costly security incidents. 

Learning objectives

We have thoroughly updated/rewritten the awareness materials originally delivered back in 2014 - eons ago in Internet time! So what has changed since then? 
Peer through the fog to learn how to avoid the pitfalls and secure the business benefits of cloud computing, with NoticeBored.
  • Introduces and outlines cloud computing, providing general context and background information (e.g. explaining why so many organizations are eagerly adopting it) with as little techno-babble as we can get away with;
  • Informs workers in general about the information risk and security issues and concerns relating to or arising from cloud computing (e.g. the organization’s partial loss of control over its information), plus the business benefits (e.g. reduced costs, greater resilience and flexibility, plus access to cloud specialists). We’re promoting a balanced view;
  • Encourages those considering, specifying, evaluating, contracting for, using or managing cloud computing to identify, analyze and address the information risks, typically through appropriate controls that secure the business benefits as much as the data;
  • Promotes information risk and security management as a business enabler, without which cloud computing would be unacceptably risky.
Review your organization’s use of cloud computing - the apps, dependent business processes, strategies, policies and incidents. Are there any cloud -related risks on the corporate radar? How well are they understood and treated? What’s missing? What stands out? Talk to the relevant experts about it. Flush any issues and ideas into the open, incorporating them where appropriate into your awareness delivery.

And talk to us about subscribing to turbo-charge your awareness program.