Welcome to NBlog, the NoticeBored blog

I spy with my beady eye ...

Nov 18, 2019

NBlog Nov 18 - enough is enough

Keeping ISO27k Information Security Management Systems tight, constrained within narrow scopes, avoiding unnecessary elaboration, seems an admirable objective. The advantages of ISMS simplicity include having less to design, implement, monitor, manage, maintain, review and audit. There's less to go wrong. The ISMS is more focused, a valuable business tool with a specific purpose rather than a costly overhead. 

All good. However, that doesn't necessarily mean that it is better to have fewer ISMS documents. In practice, simplifying ISMS documentation generally means combining docs or dispensing with any that are deemed irrelevant. That may not be the best approach for every organization, especially if it goes a step too far.

Take information security policies for example. Separate, smaller policy docs are easier to generate and maintain, (re)authorize and (re)circulate individually than a thick monolithic “policy manual”. It’s easier for authors, authorisers and recipients to focus on the specific issue/s at hand. That's important from the governance, awareness and compliance perspective. At a basic level, what are the chances of people actually bothering to read the change management/version control/document history info, then check out all the individual changes (many of which are relatively insignificant), when yet another policy manual update drops into their inbox? In practice, it ain't gonna happen, much to the chagrin of QA experts!

On the other hand, individual policies are necessarily interlinked, forming a governance mesh: substantial changes in one part can have a ripple effect across the rest, which means someone has the unenviable task of updating and maintaining the entire suite, keeping everything reasonably consistent. Having all the policies in one big document makes maintenance easier for the author/maintainer, but harder for change managers, authorisers and the intended audiences/users.

As if that’s not challenging enough already, bear in mind that information risk and security is itself just part of corporate management, with obvious links to IT, risk management, HR, compliance and many other areas, some of which are more obscure or tenuous (e.g. health & safety is an information security issue in the sense that people are information assets worth protecting). The ripples go all the way, and flow both ways: changes in, say, IT or HR policies can have an effect on information risk and security, requiring policy updates there too.

Even within the ISMS, extending your policy management approach to take in the associated procedures plus awareness and training materials multiplies the problems. Extending it to include myriad other ISMS-related documentation makes it worse again. 

Alternative approaches include using a ‘document management system’ or ‘policy management system’ – essentially a database system used to manage and control the materials as a coherent set – and hybrid approaches such as Word’s “compound document” facility – with one master doc linking to all the subsidiary docs, one for each policy. Here again there are pros and cons, not least the costs involved plus the rigidity and red-tape they inevitably introduce.

Rationalising and simplifying the ISMS documentation to reduce the practical problems and costs clearly makes a lot of sense, but be careful: information risk and security is an inherently complex, far-reaching concept. There’s a lot to it. If for instance you drop a given policy from the ISMS suite on the basis that it is only marginally relevant, too narrow, too obscure or whatever, that leaves you without a stated policy in that area, which may have implications elsewhere, implications that may not be immediately obvious. Damn those ripples!

Bottom line: governing, structuring, managing and maintaining ISMS documentation is tougher than you may think. The trick is to find the best balance point for your organization, specifically, and the generic standards can only offer so much guidance on that.

Nov 15, 2019

NBlog Nov 15 - risky business

Physical penetration testing is a worthwhile extension to classical IT network pentests, since most technological controls can be negated by physical access to the IT equipment and storage media. In Iowa, a pentest incident that led to two professional pentesters being jailed and taken to court illustrates the importance of the legalities for such work. 

A badly-drafted pentest contract and 'get out of jail free' authorization letter led to genuine differences of opinion about whether the pentesters were or were not acting with due authority when they broke into a court building and were arrested. 

With the court case now pending against the pentesters, little errors and omissions, conflicts and doubts in the contract have taken on greater significance than either the pentest firm or its client appreciated, despite both parties appreciating the need for the contract. They thought they were doing the right thing by completing the formalities. Turns out maybe they hadn't.

I hope common sense will prevail and all parties will learn the lessons here, and so should other pentesters and clients. The contract must be air-tight (which includes, by the way, being certain that the client has the legal authority to authorize the testing as stated), and the pentesters must act entirely within the scope and terms as agreed (in doubt, stay out!). Communications around the contract, the scope and nature of work, and the tests themselves, are all crucial, and I will just mention the little matter of ethics, trust and competence.

PS An article about the alleged shortage of pentesters casually mentions:
"The ideal pen tester also exhibits a healthy dose of deviancy. Some people are so bound by the rules of a system that they can’t think beyond it. They can’t fathom the failure modes of a system. Future penetration testers should have a natural inclination toward pushing the boundaries – especially when they are told, in no uncertain terms, not to do so."
Hmm. So pentesters are supposed to go beyond the boundaries in their testing, but remain strictly within the formally contracted scope, terms and conditions. 'Nuff said.

Nov 12, 2019

NBlog Nov 12 - on being a professional

While Googling for something else entirely, I chanced across this statement from Darren on a ten-year-old SceptikLawer forum thread:
"The essence of my job as an information security architect is to understand the balance between risk (legal, practical, and otherwise) and the need for an organization to conduct business efficiently. I think a lot of what I do really does boil down to seeing the other side of things; I know what the “most secure” way is, but I also have to understand that implementing it might mean debilitating restrictions on the way my employer does business. So what I have to do is see their point of view, clearly articulate mine, and propose a compromise that works. There’s a reason a lot of IT security folks become lawyers."
Nicely put, Darren! While personally I'd be reluctant to claim that I 'know what the most secure way is', the point remains that an information security professional's job - or indeed any professional's job - revolves around achieving workable compromises. For us, it's about helping or persuading clients and employers to identify and reduce their information risks to 'reasonable' levels, then maintaining the status quo through ongoing risk management.

Some of our professional peers struggle with this, particularly inexperienced ones with IT backgrounds. They (well OK, we) can come across as assertive, sometimes to the point of being arrogant and pig-headed, obstinate or even rude. Things 'must' be done in a certain way - their way. They are trained professionals who have been taught the 'most secure way' and are unwilling to countenance any other/lesser approach. Situations appear black or white to them, with no shades of grey.

Along with Darren, presumably, I view most situations as greys, sometimes multicoloured or even multidimensional due to inherent complexities and differing perspectives. There is almost always more to a situation than it first appears, and often more to it than I appreciate even after studying it hard. I embrace ambiguity. I value flexibility and open-mindedness, and strive to be flexible and open-minded in my work: for me, it's an integral part of 'being professional'.

Such pragmatism is fine ... up to a point. However there are situations where it gets harder to back down and eventually I may stand my ground, refusing to compromise any further on my core values (particularly personal integrity). That, too, is a part of 'being professional'. 

There are behavioural clues that I'm approaching my sticking point, such as:

  • Doubling-down on the analysis, carefully reviewing and reconsidering the position, searching even harder for those 'workable compromises'
  • Openly acknowledging what I know about the situation, including other perspectives, ambiguities, the limits of my/our knowledge and (ideally) the pros and cons of the range of options available
  • Being explicit about my advice/recommendations, explaining myself as clearly as I can - generally in writing
  • Focusing on 'what's best for the organization' and 'the business' rather than me/us as individuals, or our professional judgement, or best practices, compliance obligations or whatever
  • Trying (not always successfully!) to distinguish the relationship, personal and more subjective or emotive issues from [what I believe to be] the objective situation and decisions at hand
  • Either negotiating the workable compromise, or playing my trump card - usually something along the lines of "They are your information risks, not mine. You are accountable for the risk management decisions you make, but I stand by my advice." That's my reasonably polite but hardly subtle version of take-it-or-leave-it, my-way-or-the-highway - and I mean it. I have literally walked away from untenable situations and don't regret it one bit.

Talking of which, I'm so busy now that I'm turning down new work because I don't have the energy and time to do things 'properly'. Must dash, things to do.

Nov 10, 2019

NBlog Nov 10 - strategic risk management

There's an old, old joke about a passing stranger asking for directions to Limerick. "Well," says the farmer, "If oi was you, oi wouldn't start from here".

So it is with infosec strategies. Regardless of where your organization may be headed, by definition you set out from a less than ideal starting point. If it was ideal, you wouldn't be heading somewhere else, would you? That naive perspective immediately suggests two alternatives:
  1. Bear in mind where you are today, planning your route accordingly.
  2. Regardless of where you are today, focus exclusively on the destination and how to get there.
Actually, those are just two of many possibilities. It's even possible to do both: strategic thinking generally includes a good measure of blue-sky idealist thinking, tempered by at least a modicum of reality and pragmatism. 'We are where we are'. We have a history and finite resources at our disposal ... including limited knowledge about our history, current situation and future direction. What's more, the world is a dynamic place and we don't exist in a vacuum, hence any sensible infosec strategy needs to take account of factors such as competitors, compliance and other challenges ahead - situational awareness plus conjecture about how the situation might conceivably change as we put our cunning strategy into practice (as in chess). 

That's risk, information risk in fact, amenable to information risk management in the conventional, straightforward, systematic manner:
  • Identify and characterise the risk/s, both negative and positive (opportunities, the possibility that things might turn out even better than planned);
  • Quantify and evaluate the risk/s;
  • Decide what to do about them;
  • Do it! Finalise the strategy, negotiate its approval (with all that entails) and make it so;
  • Manage and monitor things as the strategy unfolds and changes inevitably happen;
  • Learn new stuff.
That final bullet is usually an implicit part of the process. We discover flaws in our strategy, things that don't quite go to plan, activities that take longer or go in different directions for all sorts of reasons. 'We are where we are' as a result of past and current strategies, successes and failures, and there's a load of learning points there if you think about it:
  • Do we often over- or under-estimate things? How much variation is there, and is it biased one way or the other?
  • Are we frequently blind-sided by unexpected events?
  • Is it always a struggle to get anywhere, with too little energy to overcome the organization's inertia?
  • Are we resource-constrained? Which resources are the tightest? Is there any slack we might redeploy?
  • Do we almost always achieve what we set out to achieve? Are we pushing hard enough?
  • Are we creative? Are we early, middle or late adopters, ahead, within or behind the curve? Do we miss out on opportunities, and if so what kinds, typically? Compared to our peers and competitors, are we usually in the right place at the right time?
That's all in addition to learning about our strengths and weaknesses in information risk and security management, controls, threats, vulnerabilities, impacts, governance, compliance, assurance and so forth: I'm waffling on about gaining knowledge of the process of strategic risk management, figuring out why we ended up right here, lost, floundering about in a blog, looking for Limerick ...

Nov 7, 2019

NBlog Nov 7 - super management systems

ISO 22301, already an excellent standard on business continuity, has just been revised and republished. Advisera has a useful page of info about ISO 22301 here.

There’s quite a bit of common ground between business continuity and information risk and security, especially as most organizations are highly dependent on their information, IT systems and processes. The most significant risks are often the same, hence it makes sense to manage both aspects competently and consistently. The ISO ‘management system’ structured approach is effective from the governance and management perspective. 

Aligning/coordinating the infosec and business continuity management systems has several valuable benefits since they are complementary. 

Extending that thought, it occurs to me that most if not all other areas of management also have information risk and security implications:
  • Physical site security and facilities management (e.g. reliable power and cooling for the servers);
  • IT and information management (dataflows, information architecture, information systems and networks and processes, intellectual property, innovation, creativity);
  • Change management (ranging from version control through projects and initiatives up to strategic changes);
  • Incident management (see below);
  • Risk management (as a whole, not just information risks);
  • Privacy management;
  • Relationship management (relationships with suppliers of goods and services, business partners, customers and prospects, owners/investors, authorities and other stakeholders, communities);
  • Compliance management (laws and regs, contracts and agreements, corporate policies, ethics);
  • Health-and-safety plus HR management (people are invaluable information assets! Corporate culture, change/initiatives, motivation and compliance);
  • Product and operations management (core business!);
  • Quality management (especially quality assurance);
  • Assurance (reviews, audits, testing and checking functions, both internal and external);
  • Financial and general commercial management. 
Your management might even consider developing a corporate strategy or policy to adopt ISO Management Systems where available, perhaps with an overarching ‘governance committee’, 'executive team', 'board' or similar to drive the alignment, exploit the common ground between them, and address any gaps, conflicts or other issues arising. You probably already have such a beast (commonly but ambiguously known as "senior management", the "C-suite" or "mahogany row"), although it may not consider itself to be operating a super-management-system.

You might even take this a step further, aiming to integrate rather than simply coordinate and align those management systems. An obvious example concerns incident management - even something as basic as having a single multi-function contact point (Help Line, Service Desk or whatever) to receive and assess incident reports, initiate the relevant activities and coordinate communications among those involved.

Or not. The ISO MS approach is not the only option, and there may well be something even better for your organization – other standard methods, ‘best of breed’ solutions, something home-grown or a patchwork. There may be sound business reasons for keeping various areas separate (e.g. if they are, or might be, contracted out). I’m simply suggesting that coordination, alignment and integration between management systems might be worth considering, if and when you and your management are in a position to do so (not necessarily right now … although this is peak season for strategising and planning!).

I'll end today's sermon with a pertinent quote from an interview with Marc Goodman:
"CIOs and CISOs will also have to work much more closely with the executives in charge of functions like HR, facilities, physical security, and loss prevention to close security gaps. The bad guys have repeatedly demonstrated their ability to slip through the gaps created when enterprises segment security across various functions within their organizations."
Marc describes himself as “a global strategist, author and consultant focused on the disruptive impact of advancing technologies on security, business and international affairs”. He holds the Chair for Policy and Law at Singularity University in Silicon Valley. So no slouch then.

Nov 6, 2019

NBlog Nov 6 - insight into ISO27k editing

Today I find myself poring through ISO/IEC 27000:2018 looking for quotable snippets to use on our awareness posters in January. Although there’s plenty of good content, I can’t help but notice a few rough edges, such as this:
“Conducting a methodical assessment of the risks associated with the organization’s information assets involves analysing threats to information assets, vulnerabilities to and the likelihood of a threat materializing to information assets, and the potential impact of any information security incident on information assets. The expenditure on relevant controls is expected to be proportionate to the perceived business impact of the risk materializing.” [part of clause 4.5.2].

First off, here and elsewhere the ‘27000 text uses the term “information asset” which is no longer defined in the standard since the committee couldn’t reach consensus on that. Readers are left to figure out the meaning for themselves, with the possibility of differing interpretations that may affect the sense in places. The term is, or probably should be, deprecated.

Secondly, the first sentence is long and confusing – badly constructed and (perhaps) grammatically incorrect. “Vulnerabilities to” is incomplete: vulnerabilities to what? Shouldn’t that be “vulnerabilities in” anyway? Threats get mentioned twice for no obvious reason, overemphasizing that aspect. “Likelihood” is a vague and problematic word with no precise equivalent in some languages - it too should probably be deprecated. The final clause as worded could be interpreted to mean that the process is only concerned with potential impacts on information assets, whereas incidents can cause direct and/or indirect/consequential impacts on systems, organizations, business relationships, compliance status, reputations and brands, commercial prospects, profits, individuals, partners, society at large and so forth, not all of which are information assets (as commonly interpreted, anyway!). 

Thirdly, do “the organization’s information assets” include personal information? Some might argue that personal information belongs to the person concerned – the data subject – not the organization that holds it. My point is that it’s ambiguous and potentially misleading.

Lastly, I don’t entirely accept the premise of the second sentence. Sure, in business terms, the total cost of controls should normally be less than the total benefits, but that’s not what the clause actually says – and anyway, information security is not entirely a matter of net value: some controls are mandated or imposed on the organization.

If you think I’m being unreasonably critical or anal about this, fair enough: that’s the level of analysis typically used to justify changes to draft standards through JTC 1/SC 27. Now imagine the effort involved to review and comment on, say, ISO/IEC 27002, and to suggest changes (ideally explicitly proposing the replacement text in each case) and you’ll appreciate the time and effort involved as the international project team slogs its way laboriously through hundreds of pages of comments. It’s a wonder anything gets produced at all, let alone anything usable and as well respected as ISO27k!

The lawyers among us will probably appreciate the issue. The legal profession performs this painstaking analysis much more seriously and deeply. Even, punctuation, is ... of-concern. Each new law/regulation has to fit neatly into the existing body of legislation without causing conflicts. We’ve got it easy!

Nov 4, 2019

NBlog Nov 4 - social engineering awareness

December's awareness topic is one of our regular annual topics. Social engineering has been around for millennia - literally, in the sense that deliberate deception is a survival strategy adopted by many living beings, right back to primordial times.

So, what shall we cover this time around? 

In 2018, the NoticeBored awareness module took a deep dive into phishing, a modern-day scourge ... but definitely not the only form of social engineering, despite what those companies pushing their 'phishing solutions' would have us believe. We picked up on 'business email compromise' as well, another name for spear-phishing. 

In 2017, we explored 'frauds and scams' in the broad, producing a set of 'scam buster' leaflets explaining common attacks in straightforward terms, illustrated with genuine examples and offering pragmatic advice to avoid falling victim to similar tricks.

Back in 2016, the 'protecting people' module covered: social engineering attacks, scams and frauds, such as phishing, spear-phishing and whaling; exploitation of information and people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.; the use of pretexts, spoofs, masquerading, psychological manipulation and coercion, the social engineer’s tradecraft; and significant information risks involving blended or multimode attacks and insider threats.

Although we already have lots of content to draw upon and update, we always aim to cover current threats, which means this week our research phase draws to a close with a clearer idea of the scope of December's module, plus a bunch of recent incidents to illustrate the materials.

As to precisely what aspects of social engineering we'll be covering this time around, I'll drop a few more hints here on the blog as the module comes together. 

Oct 31, 2019

NBlog November - privacy awareness update

Privacy is deeper, broader and more complex than it might appear, blending personal, organizational and societal issues. Privacy means different things to different people. Privacy and information security have a lot in common, but each goes further than the other.

Personal information is both sensitive and valuable, hence the associated information risks deserve to be identified, evaluated and treated in the same manner as other information risks. 

Compliance with privacy laws and regulations such as GDPR should be a non-issue if the organization takes privacy seriously. However, there are specific obligations that need to be identified and satisfied.

From an individual’s perspective, privacy is mostly about people retaining control over their own personal information (e.g. being able to restrict its use and onward disclosure).

From the organizational perspective, personal information is acquired, processed and exploited for various business purposes - hopefully within the bounds of privacy laws, regulations and ethics.

Our primary concern in this security awareness module is to help workers (staff, managers and specialists) appreciate and fulfill their respective obligations under privacy policies, laws and regulations (such as GDPR, CCPA and HIPAA), mostly by maintaining the confidentiality of personal information in their care. However, integrity and availability of personal information are also relevant considerations, ensuring that personal information is reasonably complete, accurate and accessible for legitimate business and personal purposes.

  • Introduces privacy, providing general context and background information on privacy concepts; 
  • Expands on the information risks and security controls applicable to personal information; 
  • Emphasizes the legal, regulatory and ethical compliance aspects – particularly given the punitive financial penalties available under GDPR; 
  • Motivates workers to think - and most of all act - in the best interests of data subjects (first) and the organization (second), for example: taking privacy seriously (this is no trivial matter); complying with privacy policies, regulations and laws, plus ethical and social norms; avoiding risky or inappropriate activities that might unduly compromise privacy; respecting data subjects’ privacy rights and reasonable expectations; and reasonably expecting or demanding that their own privacy rights are respected as well.
Consider your learning objectives in relation to privacy. Consult and collaborate with your Privacy Officer (if you have one!). Take into account the particular laws and regulations that apply to your organization. Consider any privacy incidents, breaches or near-misses you have suffered - plus those that might be ongoing right now but have yet to be noticed and reported.

Work with colleagues to spread the word about this topic. Privacy is pertinent to:
  • Everyone regarding their own personal information, privacy rights and expectations;
  • Workers handling or accessing personal information at work, such as those in HR, company medics, and managers;
  • Management in general, given the governance, direction, oversight, compliance and risk management implications;
  • Information owners, risk owners, application owners etc. for privacy-relevant IT systems, services and business processes; 
  • The Privacy Officer or equivalent and colleagues. They should ideally get directly involved in planning and delivering the awareness content, for example checking that the materials and messages support and comply – rather than conflict – with applicable policies, laws, regulations and practices; 
  • IT in respect of personal data stored, processed and communicated on IT systems and networks;
  • Cloud Service Providers for cloud apps involving personal data, and other third party information service providers such as HR, tax and legal services (suppliers should have their own privacy policies, procedures, controls, awareness and training programs in place, but it may be worth prompting your relationship managers to ask them a few questions this month);
  • Information Risk and Security, plus Risk Management, Legal/Compliance and Audit;
  • Facilities and Physical Security e.g. concerning cleaning rest rooms and other private areas, monitoring workers and visitors on CCTV systems, and personal information held in the card access control systems etc.;
  • Anyone who has personally suffered a privacy breach, identity theft or similar, or is close to someone who has.
The new module is available to download now from SecAware.com

Oct 23, 2019

NBlog Oct 23 - transparency and oversight

Along with increasing legal and regulatory compliance pressures on organizations to implement appropriate privacy controls, popular awareness of the issues appears to be on the up with commercial implications for organizations.

Global IT megacorps such as Facebook, Microsoft, Apple and Google are particularly exposed to public criticism simply because they are household names ... but that's not to say they are powerless, far from it. Contrast Apple's handling of the FBI iPhone security incident against Facebook's handling of the Cambridge Analytica scandal, plus other privacy incidents.

All the megacorps have to take their own cybersecurity seriously simply because they are such massive targets facing business-critical information risks: it's literally an existential issue. They are also forced to comply with various laws and regulations, for the same reasons as any other organization - to avoid potentially huge punitive fines and other substantial costs arising from noncompliance incidents. In addition, they make strategic and commercial choices on privacy and related matters. Their internal policies and corporate cultures influence the extent to which they satisfy broader ethical obligations towards customers, employees and others.

I see an interesting distinction opening up between reality and perception. Apple has been quite vocal and forthright in public about its concerns for customer privacy, whereas at the other end of the scale Facebook comes across negatively and consequently faces a hammering from the media (both traditional journalism and social media). Google and Microsoft appear (to me) somewhat ambiguous, dithering around the middle of the scale: at times they claim to be highly concerned about security and privacy, yet their actions sometimes indicate otherwise. Given their marketing prowess with huge budgets and global reach, I have the distinct feeling we're all being manipulated on a grand scale, so who knows what's really going on in terms of governance and ethical direction from their boardrooms?

The same concern applies to our governments, with the added complication of their being able to duck behind 'official secrets'. Whistleblowers such as Assange, Snowden and Manning are just the few with the guts and good fortune to beat the machinery of government to the draw. In regimes such as China, Russia, North Korea and Turkmenistan (plus many others), governmental oppression is plenty strong enough to prove liberty- and life-threatening for anyone with the effrontery to challenge authority.

So what, if anything, can/should be done about this? Personally, being a reformed/former auditor, I'm a big fan of transparency and accountability, although at the same time I accept that there are genuine reasons for all types and sizes of organizations to retain some measure of privacy about certain aspects of their internal affairs. The audit approach revolves around internal assessment by competent, independent investigators, a strong form of oversight. It is trust-based, in that auditors are granted privileged access to private internal matters, in much the same way that we trust our doctors with intensely private medically-related information ... because it's in our interests to do so. That self-interest is the key, for me, turning public unease through disquiet into pressure to open up, hopefully without the situation degenerating towards anarchy.

In the case of commercial organizations, their profit motive represents a vulnerability: if sufficient customers revolt, lightening their wallets elsewhere, companies appearing deficient in privacy and security may be forced to take more care, or at least open up and prove that they are doing things right.

Investigative journalism is another approach, although independence and bias are concerns given pressures from media moguls, not least to sell more papers, plus various constraints imposed by the authorities and of course the organizations being challenged. As to social media (such as NBlog!), fake news is not just a game played by the big players, raising questions about the competence and integrity of social media pundits (like me!). Is this blog piece fair and reasonable, unbiased and insightful, or am I pushing an agenda and skewing the topic to suit some ulterior purpose? You decide, dear reader. I hope you'll come back for more but if not, it's goodbye from me.

Oct 22, 2019

NBlog Oct 22 - a business case for privacy

This week I'm slugging away at the coal face to complete the management materials for November's privacy awareness module - an update on our previous coverage to reflect current issues, recent incidents and so forth.

As always, we'll be providing a set of goodies specifically aimed at management from which customers can pick and choose to suit their purposes:
1. Diagrams for privacy - the topic in pictures
2. Management seminar on privacy - see below
3. Board agenda on privacy compliance - I blogged about this on Friday
4. Elevator pitch on privacy - sums up the key points in about 150 carefully-chosen words
5. Model policy on privacy compliance - a template to customize
6. Model policy on privacy inquiries, complaints & incidents - another policy template
7. Executive briefing on privacy - a high-level one-pager
8. Management briefing on privacy - a more in-depth briefing/discussion piece
9. Model job description for Privacy Officer - outlines the typical role and responsibilities
10. Privacy metric - suggesting how to measure what matters most in this area

I've made solid progress on the management seminar slide deck today, laying out the key messages and telling the story through engaging graphics with enough supporting content to make managers sit up and take notice.

The other day I blogged about substantial penalties for GDPR noncompliance. Today, in writing the speaker notes to accompany a slide about privacy risks from the organization's perspective, I wrote this about the impacts:
The organizational consequences of privacy incidents can include penalties (potentially huge fines under GDPR plus class action) and other consequential business impacts (bad publicity and reputational damage, customer defection, loss of trust and respect, more rigorous scrutiny by the authorities) on top of the direct costs (incident investigation and resolution, hurriedly improved information security, credit reporting and compensation for those affected etc.).
... and, with hindsight, it occurred to me how negatively that comes across, emphasizing the costly nature of being held to account for privacy failures.

So, how about something more positive to balance that out, emphasizing the gains arising from privacy wins? "Nice idea, Gary, but what are you on about?"

I'd like to elaborate on the business benefits other than the obvious intent to avoid or reduce those costs. Are there any? Well, yes there are, but to be honest they are not exactly overwhelming: things such as establishing a trustworthy, ethical reputation among customers and others, including employees, by the way. Cogitate on that for a moment. Does it matter to the business if employees don't trust their employer to protect personal information, not least their own? I believe it does, but it would be hard to prove or substantiate.

It might not be possible to build a business case for privacy purely on the positives, which perhaps explains why this is such a heavily compliance-driven area in practice. Still, I'll see what I can come up with. I enjoy that sort of challenge.

Oct 18, 2019

NBlog Oct 18 - a universal awareness device

Since the very beginning of NoticeBored back in 2003, one of our regular monthly deliverables has been a "board agenda" - a security awareness item aimed at informing and engaging the most senior managers in an organization.

At that stratospheric level, awareness materials need to be both succinct and relevant to stand any hope of being used. Senior managers are extremely busy people. 

The board agendas are each just one side of paper if printed, as is usually the case for board papers in their briefing packs. We deliberately avoid jargon and lengthy explanation on the basis that the audience is both busy and competent, generally highly experienced and quick-witted people keen to get straight down to business. The audience isn't expected to know everything, but hopefully they can rely on the support of their trusted networks of peers and direct reports, plus of course the remaining security awareness content provided. Oh and Google, naturally. We'd love them to read and consider these papers ahead of the meeting, but if not they are simple enough to figure out on the fly.

The NoticeBored papers all fall within the broad area of information risk and security covering the same topic area as the remaining awareness content in the module, reflecting the design goal of encouraging social interaction and discourse throughout the organization. Security awareness is not just something to be aimed at 'users', treating them condescendingly as mere serfs! We're consciously socializing information risk and security, making it an integral part of the corporate culture, top to bottom, side to side.

Given the specific target audience for the papers, relevance is achieved by emphasizing high-level matters that most concern senior management, namely business aspects such as strategy, governance and compliance ... talking of which, we'll be incorporating this colorful diagram into November's board agenda for the privacy awareness module:

The idea is deceptively simple: following an introductory paragraph briefly outlining the topic, senior managers will be invited to consider their positions on privacy compliance, 'make their mark' somewhere appropriate within the triangle, then discuss the topic with their peers at the next meeting.

The red-amber-green triangle is an elaboration on the linear RAG spectrum figures we use routinely - such as this one from the current awareness module on digital forensics:

Either way, this highly visual approach is an excellent means to set people thinking about the topic, expressing their opinions in a manner that encourages open discussion of their respective viewpoints and concerns. For instance, marks close to any apex indicate strongly held opinions, while marks towards the middle suggest indecision or ambiguity. The wording of the triangle's amber corner is intentionally provocative: we'd like those with more specific views to challenge those who put themselves on the fence, as it were, or fail to engage. Managers with something specific to say on this topic have their opportunity to speak up and make their case, while everyone listens and learns - an awareness win, plus a chance for the whole team to review and perhaps refine corporate positions, strategies and policies in this area through discussion and (hopefully!) consensus.

In case it's not immediately obvious, the stimulating approach I've developed and described here is broadly applicable, almost universal. Pick virtually any topic (within or without information risk and security) and context (awareness session, training course, workshop, meeting, online collaboration ...) and it shouldn't be hard to come up with options that fall across a range in one or more dimensions. Assemble a group of interested people to consider and discuss the matters at hand, using visual devices along these lines, and Bob's yer uncle.

Oct 17, 2019

NBlog Oct 17 - managing privacy compliance risks

This week I'm exploring the compliance aspects of privacy for November's security awareness and training module, hunting down information about the meaty fines meted out for privacy incidents breaching GDPR for starters.  

According to what I've read so far, the regulators determine GDPR fines by considering ten specific factors, most of which a proactive management has the capability to control. Management can therefore (to some extent) influence the GDPR penalty part of the business impact of privacy breaches. The speed of response when notified of a breach, for example, is largely determined by the incident management activities. Incident response can be designed and operated to be more efficient and effective, for instance through sensible policies and procedures, coupled with awareness, training and exercises, plus other aspects such as clear roles and responsibilities plus slick incident reporting, escalation and official notification mechanisms. If the organization is primed and ready, it is more likely to react well than if it merely muddles through, unprepared and shambolic.

Furthermore, some of those ten factors concern preventive controls that should reduce the probability of privacy incidents occurring at all - for example, choosing not to process personal information unless necessary (risk avoidance), especially not the highly sensitive types such as medical data (e.g. by outsourcing medical services for employees to specialists who handle the privacy compliance obligations as part of the contract - a form of risk sharing).

In other words, management has some control over both the probability and impact of a potentially significant information risk relating to privacy and compliance. Nice!

Oct 8, 2019

NBlog Oct 8 - 2020 vision

Over the weekend, I wrote about CISOs and ISMs preparing cunning strategies and requesting budgets/proposing investments.

During the remainder of 2019, we will be treated/subjected to a number of predictions about what's in store for information security in the year ahead, thanks to a preponderance of Mystic Megs with unsupervised access to the Interweb, gazing wistfully into their crystal balls and pontificating. 

As with horoscopes in the tabloid rags, some of their predix will be right on the button by sheer chance in the sense that, given an ample sufficiency of poo to throw at the wall, some of it will stick. A few more informed pundits, however, will be chucking stickier poo thanks to their experience and insight. 

Trouble is, how are we to distinguish the insightful few with sticky poo from the manifold plain or polished poo propellants?

Years ago, the solution involved tracking or looking back at prior predictions to assess how accurate the pundits were ... although, as with investments, past performance is not necessarily an accurate guide to the future. It's an indicator at best.

These days, the situation is trickier still thanks to the Intarweb, social media and the global information melting-pot that turns pretty much everything into a brown sticky malodorous mess. Independent, honest, experienced, reasonably accurate soothsayers find themselves swimming in an ocean inhabited by marketing whales, a few great whites and vast shoals of me-toos who grasp desperately at any passing thought like a drowning man clutches at a log, only to wring all the life out of it.

So, for what it's worth (almost every penny!), my advice is to consider the credentials of anyone claiming to know what's ahead. Do they know what they speak of? Do they have a clue? Are they usually about right? Do they follow the latest fads, spouting clouds of meaningless drivel from their blow-holes, or are they brave enough to buck the obvious trends, say-it-like-it-is and explain themselves straightforwardly?

And then temper everything with a large dose of good ol' common sense. If your organization is taking its first baby steps into the cloud, guess what: it lacks cloud experience, hence the more extreme cloudiness is likely to be riskier for you than, say, a company that is and has been cloud-first or cloud-everything for years already and knows what it's getting itself into. In other words, choose your battles. Build on your strengths, consider and address your weaknesses. By all means get creative and explore the cutting edge stuff ... but be wary of exposing your jugular to that glinting slicey-slicey sharpness.

Don't neglect your inner-circle of trustworthy advisors, the colleagues and contacts who have proven insightful or at least good listeners in the past ... which hints at a possible strategy for 2020: work hard on bolstering and extending your personal network, ready for your 2021 strategies, proposals and budget requests. The flip side of that ocean of pundits is that it's easier than ever to find potential partners and build relationships. Perhaps even the odd blogger making sense of this turbulent world.

Oct 6, 2019

NBlog Oct 6 - a dozen infosec strategies (amended x2)

This Sunday morning, further to my tips on planning for 2020, prompted by "5 disruptive trends transforming cybersecurity" and fueled by some fine Colombian (coffee not coke!), I've been contemplating information risk and security strategies. Here are a dozen generic strategic approaches to consider:
  1. Use risk to drive security. Instead of vainly hoping to address every risk, hammer the biggest ones, tap at the middling ones and let the little'uns fend for themselves (relying on general purpose controls such as incident and business continuity management, resilience etc.). 'Hammer the biggest' means going the extra mile for 'key' or 'critical' controls addressing 'key' or 'major' or 'bet the farm' risks, and implies substantial effort to identify, understand and evaluate the risks, as well as actually dealing with them.
  2. Make security processes as slick as possible, using automation, simplicity, repeatability etc. DevSecOps is an example of automating security to keep up/catch up with speeding cyclists. SecDevOps could be security attempting to lead the pack (good luck with that!).
  3. Develop security architectures - comprehensive, coherent, all-encompassing approaches, with solid foundations and building blocks that slot into place as the blueprint comes to life. Requires long-term planning and coordination with other architectures and strategies for business, information, IT, risk, compliance, governance etc.
  4. Be business-driven. Let management govern, direct and control things, including cybersecurity, information security, risk and security, or whatever, to enable and deliver business objectives. Encourage and enable management to manage change both reactively and proactively. This strategy requires that management has a decent understanding of the risks and opportunities relating to information security, or at least is well-advised in that area (i.e. manage your managers!).
  5. Make do but improve systematically, in other words take a cold hard look at where you are now, identify the most urgent or serious issues and improvement opportunities, address them. Lather rinse repeat. This may be the only viable approach if management is not interested in being proactive in this area (which might be one of those issues worth tackling!).
  6. Use metrics - specifically, business- and risk-driven metrics - to identify and respond to pain points, trends, imbalances etc., ideally before they become issues. Requires a decent suite of relevant, trustworthy metrics, which implies clarity around the measurement objectives and methods. Also requires enough time to accumulate the data for trends analysis, and sound analysis (e.g. appropriate use of statistics). And beware surrogation.
  7. Employ 'good practices', such as ISO27k, NIST SP800, COBIT, CSA, OWASP and so on ... hinting at the practical issue of deciding which one/s to follow, and to what extent. Standards are often retrospective, out of date by the time they are published but they generally provide a sound basis, and if used sensibly can be a useful shortcut to get basic frameworks (at least) in place. Not so useful, though, if compliance drives the organization rather than the business - another example of surrogation.
  8. Collaborate. Find and work with internal and external resources to get stuff done (implies shared goals). Maybe cloud-first or cloud-only makes perfect sense after all, for your organization - a current-day version of the old 'best of breed', 'best in class' or 'buy blue' mantras - so be sure information risk and security considerations are an integral part of the cloud adoption process. Exploit cloud security services: push security into the cloud.
  9. Focus and simplify. Stop expanding willy-nilly into the cloud without proper planning and preparation, including risk management. Develop an actual strategy, a clear map of the destination/s and routes. Prioritize resources. Find and employ the best people, methods, systems, standards, tools etc. for the most important jobs. Assemble high-performance teams, give them clear goals, motivate them and give them the space to do their thing (possibly within defined boundaries, possibly not).
  10. Fail small and often. Don't just anticipate failure, expect it, relish it even. Recover. Learn. Improve. Try harder. Be experimental. Take (appropriate) risks. Invest unwisely. Default to "yes" rather than "no", ask "why not?" instead of "why?". Practice hard to become excellent at identifying and reacting to risks and opportunities of all kinds. Set things up to spot, flag and react to failures effectively and efficiently. Better still, learn from others' failures: gain without pain.
  11. Figure out and do whatever's best for your organization - perhaps some variant version, a simplification, elaboration or combination of the above or other things unique to your organization, its situation, resources, constraints and objectives. Innovate. Think much further into the future. Imagine! Master the topic. Come up with more creative/unconventional strategies, and evaluate them. Write better lists than this one. Share your thoughts through the comments below, and of course with your work colleagues.
  12. Accept defeat. Follow lamely rather than lead, or get by without a strategy. Pass the buck, exploit scapegoats. Let other suckers path-find. Scrabble desperately to implement the current so-called strategy. Hold the fort. Duck the issues. Keep your head down until your watch is over. Preserve the status quo. Do the least amount possible. Summon and wait for reinforcements. Retire or find another career. Use what little remains of your motivation and self-esteem to apply for jobs at more enlightened organizations. Up-skill. Retrain. Read more than just blogs. Think on. Good luck.
There you go, food for thought I hope as we plummet towards the new year.

PS  Yet another possibility: implement every control recommended by standards and advisories of your choice - essentially information security control catalogs. I can hardly believe it, but I gather some organizations are doing exactly this, for instance, implementing all the controls in Annex A of ISO/IEC 27001. It's much the same as healthy people taking multivitamin pills on the basis that "they won't hurt and might just help" ... misguided at best, wrong-headed and dangerous at worst. Every additional control increases the organization's costs, so it is not good business to attempt to do 'everything' unless 'everything' has benefits that at least offset the costs. Figuring out those costs and benefits is arguably more important than the controls themselves, for both high and low (or negative!) value controls, and comes with a nice bonus: by understanding your information risks, you might just identify the need for additional or variant controls that are not in the control catalogs you are using.

PPS  Consider a super-management-system strategy, aligning or integrating a suite of ISO-style management systems into a coherent whole.