Welcome to NBlog, the NoticeBored blog

The blogging will continue until morale improves

Oct 8, 2019

NBlog Oct 8 - 2020 vision

Over the weekend, I wrote about CISOs and ISMs preparing cunning strategies and requesting budgets/proposing investments.

During the remainder of 2019, we will be treated/subjected to a number of predictions about what's in store for information security in the year ahead, thanks to a preponderance of Mystic Megs with unsupervised access to the Interweb, gazing wistfully into their crystal balls and pontificating. 

As with horoscopes in the tabloid rags, some of their predix will be right on the button by sheer chance in the sense that, given an ample sufficiency of poo to throw at the wall, some of it will stick. A few more informed pundits, however, will be chucking stickier poo thanks to their experience and insight. 

Trouble is, how are we to distinguish the insightful few with sticky poo from the manifold plain or polished poo propellants?

Years ago, the solution involved tracking or looking back at prior predictions to assess how accurate the pundits were ... although, as with investments, past performance is not necessarily an accurate guide to the future. It's an indicator at best.

These days, the situation is trickier still thanks to the Intarweb, social media and the global information melting-pot that turns pretty much everything into a brown sticky malodorous mess. Independent, honest, experienced, reasonably accurate soothsayers find themselves swimming in an ocean inhabited by marketing whales, a few great whites and vast shoals of me-toos who grasp desperately at any passing thought like a drowning man clutches at a log, only to wring all the life out of it.

So, for what it's worth (almost every penny!), my advice is to consider the credentials of anyone claiming to know what's ahead. Do they know what they speak of? Do they have a clue? Are they usually about right? Do they follow the latest fads, spouting clouds of meaningless drivel from their blow-holes, or are they brave enough to buck the obvious trends, say-it-like-it-is and explain themselves straightforwardly?

And then temper everything with a large dose of good ol' common sense. If your organization is taking its first baby steps into the cloud, guess what: it lacks cloud experience, hence the more extreme cloudiness is likely to be riskier for you than, say, for a company that is and has been cloud-first or cloud-everything for years already and knows what it's getting itself into. In other words, choose your battles. Build on your strengths; consider and address your weaknesses. By all means get creative and explore the cutting-edge stuff ... but be wary of exposing your jugular to that glinting slicey-slicey sharpness.

Don't neglect your inner circle of trustworthy advisors, the colleagues and contacts who have proven insightful or at least good listeners in the past ... which hints at a possible strategy for 2020: work hard on bolstering and extending your personal network, ready for your 2021 strategies, proposals and budget requests. The flip side of that ocean of pundits is that it's easier than ever to find potential partners and build relationships. Perhaps even the odd blogger making sense of this turbulent world.

Oct 6, 2019

NBlog Oct 6 - a dozen infosec strategies

This Sunday morning, further to my tips on planning for 2020, prompted by "5 disruptive trends transforming cybersecurity" and fueled by some fine Colombian (coffee not coke!), I've been contemplating information risk and security strategies. Here are a dozen strategic approaches to consider:
  1. Use risk to drive security. Instead of vainly hoping to address every risk, hammer the biggest ones, tap at the middling ones and let the little'uns fend for themselves (relying on general purpose controls such as incident and business continuity management, resilience etc.). 'Hammer the biggest' means going the extra mile for 'key' or 'critical' controls addressing 'key' or 'major' or 'bet the farm' risks, and implies substantial effort to identify and evaluate the risks, as well as actually dealing with them.
  2. Make security processes as slick as possible, using automation, simplicity, repeatability etc. DevSecOps is an example of automating security to keep up/catch up with speeding cyclists. SecDevOps could be security attempting to lead the pack (good luck with that!).
  3. Develop security architectures - comprehensive, coherent, all-encompassing approaches, with solid foundations and building blocks that slot into place as the blueprint comes to life. Requires long term planning and coordination with other architectures and strategies for business, information, IT, risk, compliance, governance etc.
  4. Be business-driven. Let management govern, direct and control things, including cybersecurity, information security, risk and security, or whatever, to enable and deliver business objectives. Encourage and enable management to manage change both reactively and proactively. This strategy requires that management has a decent understanding of the risks and opportunities relating to information security, or at least is well-advised in that area (i.e. manage your managers!).
  5. Make do but improve systematically. In other words, take a cold hard look at where you are now, identify the most urgent or serious issues and improvement opportunities, and address them. Lather, rinse, repeat. This may be the only viable approach if management is not interested in being proactive in this area (which might be one of those issues worth tackling!).
  6. Use metrics - specifically, business- and risk-driven metrics - to identify and respond to pain points, trends, imbalances etc., ideally before they become issues. Requires a decent suite of relevant, trustworthy metrics, which implies clarity around the measurement objectives and methods. Also requires enough time to accumulate the data for trends analysis, and sound analysis (e.g. appropriate use of statistics). And beware surrogation.
  7. Employ 'good practices', such as ISO27k, NIST SP800, COBIT, CSA, OWASP and so on ... hinting at the practical issue of deciding which one/s to follow, and to what extent. Standards are reactive in nature, out of date by the time they are published but they generally provide a sound basis, and if used sensibly can be a useful shortcut to get basic frameworks (at least) in place. Not so useful, though, if compliance drives the organization rather than the business - another type of surrogation.
  8. Collaborate. Find and work with internal and external resources to get stuff done (implies shared goals). Maybe cloud-first or cloud-only makes perfect sense after all, for your organization - a current-day version of the old 'best of breed', 'best in class' or 'buy blue' mantras - so be sure information risk and security considerations are an integral part of the cloud adoption process. Exploit cloud security services: push security into the cloud.
  9. Focus and simplify. Stop expanding willy-nilly into the cloud without proper planning and preparation, including risk management. Develop an actual strategy, a clear map of the destination/s and routes. Prioritize resources. Find and employ the best people, methods, systems, standards, tools etc. for the most important jobs. Assemble high-performance teams, give them clear goals, motivate them and give them the space to do their thing (possibly within defined boundaries, possibly not).
  10. Fail small and often. Don't just anticipate failure, expect it. Recover. Learn. Improve. Try harder. Be experimental. Take (appropriate) risks. Invest unwisely. Default to "yes" rather than "no", ask "why not?" instead of "why?". Practice hard to become excellent at identifying and reacting to risks and opportunities of all kinds. Set things up to spot, flag and react to failures effectively and efficiently. Better still, learn from others' failures: gain without pain.
  11. Figure out and do whatever's best for your organization - perhaps some version or combination of the above or other things unique to your organization, its situation, resources, constraints and objectives. Innovate. Think much further into the future. Imagine! Master the topic. Come up with more creative/unconventional strategies, and evaluate them. Write better lists than this one. Share your thoughts through the comments.
  12. Accept defeat. Follow lamely rather than lead, or get by without a strategy. Pass the buck, exploit scapegoats. Let other suckers path-find. Scrabble desperately to implement the current so-called strategy. Hold the fort. Duck the issues. Keep your head down until your watch is over. Preserve the status quo. Do the least amount possible. Summon and wait for reinforcements. Retire or find another career. Use what little remains of your motivation and self-esteem to apply for jobs at more enlightened organizations. Up-skill. Retrain. Read more than just blogs. Think on. Good luck.

Oct 4, 2019

NBlog Oct 4 - tips on planning for 2020

The Security Executive Council is a consultancy specializing in physical security for commercial organizations. Their latest newsletter led me to a nice little piece about business cases, including this: 
Brad Brekke, SEC emeritus faculty and former Vice President of Assets Protection and Corporate Security for Target Corporation, emphasizes that the business case must be built upon a deep understanding of the business and security's role and strategy within it. "I'd recommend you conduct this exercise: Study your business. Know how it operates, how it makes money, how it's set up, what its strategy is – for instance, is it a growth strategy, an expense-driven strategy, a service-driven strategy. Know the culture and risk tolerance of your organization and know the voice of its customer," says Brekke.
That approach makes sense for any substantial strategy, change or investment proposal. All organizations exist to achieve [business] objectives, so being clear about how a proposal supports or enables those [business] objectives is a no-brainer, right?

How to do that in practice, however, may not be entirely obvious, especially to specialists/professionals deeply immersed in particular fields such as information risk and security. Our worldview naturally revolves around our own little world. We perceive things in our own terms. We are inevitably biased towards certain aspects that interest and concern us, hence we inevitably emphasize them while downplaying, ignoring or failing even to notice others. 

That's true regardless of the specialism. For instance, HR pros naturally focus on people, sociology, human behaviour and so on. Finance pros focus on dollars and financial risks. IT pros focus on computing and tech. And, guess what, CISOs and ISMs have their focal points and blind-spots too.

The same is also true of other people with whom we interact at work, including those execs who will ultimately make the big decisions about our big proposals, plus assorted managers and [other] specialists beneath them who advise and influence them. We all have our interests and prejudices, our personal agendas, hot-buttons and fear-factors. Despite the title, even "general managers" didn't mysteriously parachute in to the role out of a clear blue sky but worked their way through the educational system, the ranks and the University of Life, picking up skills and experiences along the way that shape their personalities today.

So, when proposing something, awareness of our own biases plus those of our audiences (for there are several) presents the opportunity to counteract them on both sides. 

The SEC piece, for instance, offers this advice:
Brekke also cautions security leaders not to undervalue the importance of storytelling. Each organization has a language that resonates with management. Consider the language of the brand and the language of the organization's business as you develop the story you will tell and as you make your business case. You may find it helpful to reframe some security language to better reflect business value. For instance, because one of Target's foundational goals was to focus on the experience of the customer, conversations about shoplifting became conversations about enabling the guest experience.
That's the no-brainer business-focused approach I mentioned earlier, and fair enough: it's not unreasonable to expect everyone in an organization to share a common interest in furthering the organization's business aims. At an overall level, being business-focused makes perfect sense. However, there's more to it in that 'the organization' is, in reality, an assortment of individuals with distinct personalities. 

So, I recommend a more granular, more mature approach. Rather than simply preparing and submitting a business-like proposal then expecting 'the organization' or 'management' to approve it, consider the individual people who will make the decisions, plus those who advise and influence them. Ideally, spend quality time with them during the drafting process, explaining what you are hoping to achieve and finding out what they want or expect or fear from it. Explain things in their terms, if you can. As Brad suggests, use pertinent examples that resonate with them. Tease out their concerns, and emphasize the benefits for them and their areas of interest, plus others (it's perfectly OK to bring up the wider perspective, including opinions and concerns raised by various colleagues). Try not to leave things hanging in mid-air: where relevant, revise your proposals to take account of the feedback and let them know you have done so. Reassure them that you have genuinely responded to their suggestions - even if that means compromising or, on occasions, rejecting them due to competing pressures. This is a negotiation process, so negotiate towards agreement. If it helps, you can even quote those feedback comments, partly because of what they say and partly to demonstrate that you have both listened and reacted.

For bonus marks, collaborate with your colleagues from the outset. Develop joint proposals with other departments. Drive out extra value by optimising your approaches, addressing multiple objectives simultaneously. Work as a team.

Now is an excellent time of year to put this approach into practice as most organizations head rapidly towards the new financial year, hence strategies, initiatives, priorities and budgets are all up for discussion. If your normal approach is head-down, focused on building what you believe to be the best possible business cases and proposals in isolation, then lift your head from the page for once. Consider who your proposals will affect, and go see them for a chat - now, well before the ink is dry. I promise you, it's time well spent. You'll markedly improve your chances of success.

It works both ways too. If, say, Marketing is lining up for a substantial investment, initiative or change of approach, get actively engaged with the formulation of their proposal concerning the information risk and security aspects. Find out what they are on about. Consider the implications. Where appropriate, push for changes and make concessions to them in return for their support for your objectives and proposals, and vice versa, all the while circling around those common business objectives. 'What's best for the business' is a particularly compelling perspective, hard to argue against. Plotting the best route is easier if everyone is heading for the same destination.