Archive for the ‘Information Security’ Category

As Promised: ISO17799-Aligned Set of IT/Information Security P&P’s – Great Rational Starter Kit for a Security Program

August 27th, 2007 14 comments

Per my offer last week, I received a positive response to my query asking if folks might find useful a set of well-written policy and procedures that were aligned to ISO17799.  I said that I would do the sanitizing work and release them if I got a fair response.

I did and here they are.  This is in Microsoft Word Format.  534 KB.

My only caveat for those who download and use these is: please don’t sell them or otherwise engage in commercial activity based upon this work.

I’m releasing it into the wild because I want to help make people’s lives easier and if these P&P’s can help make your security program better, great.  I don’t want anything in return except perhaps that someone else will do something similar.

I must admit that I alluded to a lot of time, sweat and tears that *I* contributed to this document.  To be fair and honest in full disclosure, I did not create the majority of this work; it’s based upon prior art from multiple past lives, and most of it isn’t mine exclusively.

As a level-set reminder:

The P&P’s are a complete package that outline at a high-level the basis of an ISO-aligned security program; you could basically search/replace and be good to go for what amounts to 99% of the basic security coverage you’d need to address most elements of a well-stocked security pantry.

You can use this “English” high-level summary set to point to indexed detailed P&P mechanics or standards that are specific to your organization.

All you need to do is modify the header/footer with your company’s logo & information and do a search/replace for [COMPANY] with your own, and you’ve got a fantastic template to start building from or add onto another framework with.

Please let me know if this is worthwhile and helped you.  I could do all sorts of log tracking to see how many times it’s downloaded, etc., but if you found it helpful (even if you just stash it away for a rainy day) do let me know in the comments, please.

I also have a really good Incident Response Plan that I consolidated from many inputs; that one’s been put through at least one incident horizon and I lived to tell about it.

Regards,

/Hoff

Worried About Virtualization & Security? InfoWorld’s “Virtualization Executive Forum” Isn’t…

August 26th, 2007 1 comment

On September 24-25th, InfoWorld will host their Virtualization Executive Forum in NYC which promises "…two days of technical breakout sessions, case studies and industry expertise on server, desktop, application, storage and file virtualization technologies."

Here’s the overview:

Designed for those who are evaluating where to begin and for those already implementing virtualization technologies, InfoWorld’s Virtualization Executive Forum features:

  • Analyst perspectives on innovative uses of virtualization adoption rates and trends, and policy-based datacenter automation
  • In-depth sessions examining Virtual Machines and Security, Open Source Virtualization, Business Continuity/Disaster Recovery, and more.
  • Industry Keynotes from IT end users addressing the challenges, pitfalls, results, and benefits of their implementations
  • A spotlight on Green IT practices and its potential for cost savings and reducing power and cooling needs in large datacenters.

In addition to the in-depth case studies and industry panels you have come to expect from InfoWorld’s Executive Forums, this fourth edition has added another key ingredient to the mix: more opportunities for you and your peers to collaborate and share experiences.

For an "executive forum" they have an interesting split-track breakout agenda; one track features case studies and the other focuses on technical presentations and panels.

Here’s the rub: did you notice that the word "security" appears only twice in the entire agenda, once in the keynote address and once more in a case-study breakout session on day two regarding applications of virtualization?  While I recognize that this is supposedly targeted at "executives," let’s take a look at the technical track breakout topics:


  • Vendor Crossfire: x86 Server Virtualization
  • Getting Started with Server Virtualization
  • Technical Track: Physical to Virtual Migration
  • Leveraging Virtualization for Information Availability and Business Continuity
  • Lessons from Big Iron: The Power of RISC UNIX Virtualization
  • Open Source Hypervisor: Zeroing in on Xen
  • VM Management and Monitoring
  • Scaling Virtual Infrastructure

Not a mention of security in the bunch.  This is asinine.  If you’re at all curious as to why security is an afterthought in emerging markets, look no further than this sort of behavior.

…and don’t just tell me that security is "assumed."

If the executives who attend this two day forum walk away with a head full of fun new ideas and cautionary tales regarding virtualization and the closest thing to security they got was the valet guarding the doughnuts during the break, don’t anybody get surprised in 18 months when the house of cards comes tumbling down.

InfoWorld, what the hell!?  How about ONE session — even a panel — titled something as simple as "Virtualization and Security – A Discussion You Need to Have."

In fact, you’re welcome to at least just print out my presentation from a couple of days ago and give it to your attendees.  At least they’ll walk away with something relating to security and virtualization.  850+ people from my blog already have more information on security and virtualization *for free* than is being presented at the forum.

Listen, I feel so strongly about this that I’ll speak for free on the topic — I’ll pay my own hotel, airfare, etc…and you can keep the doughnuts during the break.

By the way, I find it deliciously ironic that when I clicked on the "Visit Virtualization Portal" link in the above graphic, I was greeted by this little gem:


I’m sure this is probably running on a "real" server.  A virtualized instance would never have this sort of problem, right? 😉

/Hoff

I Know It’s Been 4 Months Since I Said it, but “NO! DLP is (Still) NOT the Next Big Thing In Security!”

August 24th, 2007 5 comments

Nope.  Haven’t changed my mind.  Sorry.  Harrington stirred it up and Chuvakin reminded me of it.

OK, so way back in April, on the cusp of one of my normal rages against the (security) machine, I blogged how Data Leakage Protection (DLP) is doomed to be a feature and not a market.

I said the same thing about NAC, too.  Makin’ friends and influencin’ people.  That’s me!

Oh my, how the emails flew from the VP’s of Marketing & Sales from the various "Flying V’s" (see below).  Good times, good times.

Here are snippets of what I said:


Besides having the single largest collection of vendors that begin with the letter ‘V’ in one segment of the security space (Vontu, Vericept, Verdasys, Vormetric…what the hell!?) it’s interesting to see how quickly content monitoring and protection functionality is approaching the inflection point of market versus feature definition.

The "evolution" of the security market marches on.

Known by many names, what I describe as content monitoring and protection (CMP) is also known as extrusion prevention, data leakage or intellectual property management toolsets.  I think for most, the anchor concept of digital rights management (DRM) within the Enterprise becomes glue that makes CMP attractive and compelling; knowing what and where your data is and how its distribution needs to be controlled is critical.

The difficulty with this technology is that, just like any other feature, it needs a delivery mechanism.  Usually this means yet another appliance; one that’s positioned either as close to the data as possible or right back at the perimeter in order to profile and control data based upon policy before it leaves the "inside" and goes "outside."

I made the point previously that I see this capability becoming a feature in a greater amalgam of functionality; I see it becoming table stakes included in application delivery controllers, FW/IDP systems and the inevitable smoosh of WAF/XML/Database security gateways (which I think will also further combine with ADC’s.)

I see CMP becoming part of UTM suites.  Soon.

That being said, the deeper we go to inspect content in order to make decisions in context, the more demanding the requirements for the applications and "appliances" that perform this functionality become.  Making line speed decisions on content, in context, is going to be difficult to solve.

CMP vendors are making a push seeing this writing on the wall, but it’s sort of like IPS or FW or URL Filtering…it’s going to smoosh.

Websense acquired PortAuthority.  McAfee acquired Onigma.  Cisco will buy…

I Never Metadata I Didn’t Like…

I didn’t even bother to go into the difficulty and differences in classifying, administering, controlling and auditing structured versus unstructured data, nor did I highlight the differences between those solutions on the market who seek to protect and manage information from leaking "out" (the classic perimeter model) versus management of all content ubiquitously regardless of source or destination.  Oh, then there’s the whole encryption in motion, flight and rest thing…and metadata, can’t forget that…

Yet I digress…let’s get back to industry dynamics.  It seems that Uncle Art is bound and determined to make good on his statement that in three years there will be no stand-alone security companies left.  At this rate, he’s going to buy them all himself!

As we no doubt already know, EMC acquired Tablus. Forrester seems to think this is the beginning of the end of DLP as we know it.  I’m not sure I’d attach *that* much gloom and doom to this specific singular transaction, but it certainly makes my point:

August 20, 2007

EMC/RSA Drafts Tablus For Deeper Data-Centric Security
The Beginning Of The End Of The Standalone ILP Market

by Thomas Raschke, with Jonathan Penn, Bill Nagel, Caroline Hoekendijk

EXECUTIVE SUMMARY

EMC expects Tablus to play a key role in its information-centric security and storage lineup. Tablus’ balanced information leak prevention (ILP) offering will benefit both sides of the EMC/RSA house, boosting the latter’s run at the title of information and risk market leader. Tablus’ data classification capabilities will broaden EMC’s Infoscape beyond understanding unstructured data at rest; its structured approach to data detection and protection will provide a data-centric framework that will benefit RSA’s security offerings like encryption and key management. While holding a lot of potential, this latest acquisition by one of the industry’s heavyweights will require comprehensive integration efforts at both the technology and strategic level. It will also increase the pressure on other large security and systems management vendors to address their organization’s information risk management pain points. More importantly, it will be remembered as the turning point that led to the demise of the standalone ILP market as we know it today.

So Mogull will probably (still) disagree, as will the VP’s of Marketing/Sales working for the Flying-V’s who will no doubt barrage me with email again, but it’s inevitable.  Besides, when an analyst firm agrees with you, you can’t be wrong, right Rich!?

/Hoff


Anyone interested in an ISO17799-Aligned Set of IT/Information Security P&P’s – Great Rational Starter Kit for a Security Program!

August 22nd, 2007 13 comments

I have spent a lot of time, sweat and tears in prior lives chipping away at building a template set of IT/Information Security policies and procedures that were aligned to (and audited against) various regulatory requirements and the 10 Domains/127 Controls of ISO17799.

This consolidated set of P&P’s is intact and well written.  Actual business people have been able to read, understand and (gasp!) comply with them.  I know, "impossible!" you say.  Nay, ’tis rational is all…

As part of my effort to give back, I thought that many of you may be at a point where, while you have lots of P&P’s specific to your business, not having to reinvent the wheel by drafting this sort of polished package yourself or paying someone to do it might be useful.

The P&P’s are a complete package that outline at a high-level the basis of an ISO-aligned security program; you could basically search/replace and be good to go for what amounts to 99% of the basic security coverage you’d need to address most elements of a well-stocked security pantry.

You can use this "English" high-level summary set to point to indexed detailed P&P mechanics or standards that are specific to your organization.

Would this be of some use to you?  I would need to do some work to take care of some rough spots and sanitize the word doc, but if there is enough interest I’ll do it and post it for whomsoever would like it.  Just to be clear, the P&P’s are already written, I’ll just make it SEARCH/REPLACE friendly.

I’m not trying to tease anyone, I just don’t want to do the up-front work if nobody is interested.

Let me know in the comments; no need to leave website links (for obvious reasons) just let me know by your comment if this is something you’d like.  If I get enough demand, I’ll "get her done!"

OK, good enough.  Thanks for the comments.  I’ll post it up in the next few days.  Thanks guys.

/Hoff

Wells Fargo System “Crash” Spools Up Phishing Attempts But Did It Also Allow for Bypassing Credit/Debit Card Anti-Fraud Systems?

August 22nd, 2007 3 comments

Serendipity is a wonderful thing.  I was in my local MA bank branch on Monday arranging for a wire transfer from my local account to a Wells Fargo account I maintain in CA.  I realized that I didn’t have the special ABA Routing Code that WF uses for wire transfers so I hopped on the phone to call customer service to get it.  We don’t use this account much at all but wanted to put some money in it to keep up the balance which negates the service fee.

The wait time for customer service was higher than normal and I sat for about 20 minutes until I was connected to a live operator.  I told him what I wanted and he was able to give me the routing code but I also needed the physical address of the branch that my account calls home.  He informed me that he couldn’t give me that information.

The reason he couldn’t give me that information was that the WF "…computer systems have been down for the last 18 hours."  He also told me that "…we lost a server somewhere; people couldn’t even use their ATM cards yesterday."

This story was covered here on Computerworld and was followed up with another article which described how Phishers and the criminal element were spooling up their attacks to take advantage of this issue:

August 21, 2007 (IDG News Service) — Wells Fargo & Co. customers may have a hard time getting an up-to-date balance statement today, as the nation’s fifth-largest bank continues to iron out service problems related to a Sunday computer failure.

The outage knocked the company’s Internet, telephone and ATM banking services offline for several hours, and Wells Fargo customers continued to experience problems today.

Wells Fargo didn’t offer many details about the system failure, but it was serious enough that the company had to restore from backup.

"Using our backup facilities, we restored Internet banking service in about one hour and 40 minutes," the company said in a statement today. "We thank the hundreds of team members in our technology group for working so hard to resolve this problem."

Other banking services such as point-of-sale transactions, loan processing and wire transfers were also affected by the outage, and while all systems are now fully operational, some customers may continue to see their Friday bank balances until the end of the day, Wells Fargo said.

I chuckled uneasily because I continue to be directly impacted by critical computer systems failures such as two airline failures (the United Airlines and the TSA/ICE failure at LAX), the Skype outage, and now this one.  I didn’t get a chance to blog about it other than a comment on another blog, but if I were you, I’d not stand next to me in a lightning storm anytime soon!  I guess this is what happens when you’re a convenient subscriber to World 2.0?

I’m sure WF will suggest this is because of Microsoft and Patch Tuesday, too… 😉

So I thought this would be the end of this little story (until the next time.)  However, the very next day, my wife came to me alarmed because she found a $375 charge on the same account as she was validating that the wire went through.

She asked me if I made a purchase on the WF account recently and I had not as we don’t use this account much.  Then I asked her who the vendor was.  The charge was from Google.com.  Google.com?

Huh?  I asked her to show me the statement; there was no reference transaction number, no phone number and the purchase description was "general merchandise."

My wife immediately called WF anti-fraud and filed a fraudulent activity report.  The anti-fraud representative described the transaction as "odd" because there was no contact information available for the vendor.

She mentioned that she was able to see that the vendor executed both an auth. (testing to see that funds were available) followed by a capture (actually charging) but told us that unfortunately she couldn’t get any more details because the computer systems were experiencing issues due to the recent outage!

This is highly suspicious to me.

Whilst the charge has been backed out, I am concerned that this is a little more than serendipity and coincidence. 

Were the WF anti-fraud and charge validation processes compromised during this "crash" and/or did their failure allow for fraudulent activity to occur?

Check your credit/debit card bills if you are a Wells Fargo customer!

/Hoff

On-Demand SaaS Vendors Able to Secure Assets Better than Customers?

August 16th, 2007 4 comments

I’m a big advocate of software as a service (SaaS) — have been for years.  This evangelism started for me almost 5 years ago when I became a Qualys MSSP customer listening to Philippe Courtot espouse the benefits of SaaS for vulnerability management.  This was an opportunity to allow me to more efficiently, effectively and cheaply manage my VA problem.  They demonstrated how they were good custodians of the data (my data) that they housed and how I could expect they would protect it.

I did not, however, feel *more* secure because they housed my VA data.  I felt secure enough in how they housed it that it should not fall into the wrong hands.  It’s called an assessment of risk and exposure.  I performed it and was satisfied it matched my company’s appetite and business requirements.

Not one to appear unclear on where I stand, I maintain that SaaS can bring utility, efficiency, cost effectiveness, enhanced capabilities and improved service levels to a corporation depending upon who, what, why, how, where and when the service is deployed.  Sometimes it can bring a higher level of security to an organization, but so can a squadron of pissed-off, armed Oompa Loompas — it’s all a matter of perspective.

I suggest that attempting to qualify the benefits of SaaS by generalizing in any sense is, well, generally a risky thing to do.  It often turns what could be a valid point of interest into a point of contention.

Such is the case with a story I read in a UK edition of IT Week by Phil Muncaster titled "On Demand Security Issues Raised."  In this story, the author describes the methods by which the security posture of SaaS vendors may be measured, comparing the value, capabilities and capacity of the various options and the venue for evaluating a SaaS MSSP: hire an external contractor or rely on the MSSP to furnish you the results of an internally generated assessment.

I think this is actually a very useful and valid discussion to have — whom to trust and why?  In many cases, these vendors house sensitive and sometimes confidential data regarding an enterprise, so security is paramount.  One would suggest that anyone looking to engage an MSSP of any sort, especially one offering a critical SaaS, would perform due diligence in one form or another before signing on the dotted line.

That’s not really what I wanted to discuss, however.

What I *did* want to address was the comment in the article coming from Andy Kellett, an analyst for Burton, that read thusly:

"Security is probably less a problem than in the end-user organisations because [on-demand app providers] are measured by the service they provide," Kellett argued.

I *think* I probably understand what he’s saying here…that security is "less of a problem" for an MSSP because the pressures of the implied penalties associated with violating an SLA are so much more motivating to get security "right" that they can do it far more effectively, efficiently and better than a customer.

This is a selling point, I suppose?  Do you, dear reader, agree?  Does the implication of outsourcing security actually mean that you "feel" or can prove that you’re more secure or better secured than you could do yourself by using a SaaS MSSP?

"I don’t agree the end-user organisation’s pen tester of choice should be doing the testing. The service provider should do it and make that information available."

Um, why?  I can understand not wanting hundreds of scans against my service in an unscheduled way, but what do you have to hide?  You want me to *trust* you that you’re more secure or holding up your end of the bargain?  Um, no thanks.  It’s clear that this person has never seen the results of an internally generated PenTest and how real threats can be rationalized away into nothingness…

Clarence So of Salesforce.com agreed, adding that most chief information officers today understand that software-as-a-service (SaaS) vendors are able to secure data more effectively than they can themselves.

Really!?  It’s not just that they gave into budget pressures, agreed to transfer the risk and reduce OpEx and CapEx?  Care to generalize more thoroughly, Clarence?  Can you reference proof points for me here?  My last company used Salesforce.com, but as the person who inherited the relationship, I can tell you that I didn’t feel at all more "secure" because SF was hosting my data.  In fact, I felt more exposed.

"I’m sure training companies have their own motives for advocating the need for in-house skills such as penetration testing," he argued. "But any suggestions the SaaS model is less secure than client-server software are well wide of the mark."

…and any suggestion that they are *more* secure is pure horsecock marketing at its finest.  Prove it.  And please don’t send me your SAS-70 report as your example of security fu.

So just to be clear, I believe in SaaS.  I encourage its use if it makes good business sense.  I don’t, however, agree that you will automagically be *more* secure.  You may be just *as* secure, but it should be more cost-effective to deploy and manage.  There may very well be cases (I can even think of some) where one could be more or less secure, but I’m not into generalizations.

Whaddya think?

/Hoff

Security RROI (Reduction of Risk on Investment)

July 23rd, 2007 5 comments

The security blogosphere sure is exciting these days.  I can’t decide whether to tune into the iPhone junkie wars, the InfoSec Sellout soap opera or the Security ROI cage match!

I’m going to pick the latter because quite honestly, the other two are about as inflated as Bea Arthur’s girdle…

(edit: link added for Cutaway, whose predilection towards Bea Arthur and her undergarments is disturbing at best…  Warning…May Cause Chafing…)

Unless you’ve been under a rock (or actually, gasp!, working) you’ve no doubt seen Rich Bejtlich’s little gem titled "No ROI?  No Problem" that re-kindled all sorts of emotive back and forth debating the existence of Security ROI.

It was revisited by Rich here and then here…and then picked up by Lindstrom, Hutton, Cutaway and the rest of the risk management cognoscenti.  All good stuff.

It seems that the unofficial scoring has the majority of contributors to the debate suggesting that Security ROI does not exist…sort of.  The qualification of the word "return" really seems to be the important lynchpin here as contribution (margin, profit, etc.) versus cost avoidance really is what sends people off the deep end.

It appears that if we define ‘return’ to suggest that what you get back is a way of avoiding shelling out money, then indeed, one may quantify a return on the investment made.

Fine.  I’m good with that.  To a point.

However, I’ve never used ROI in any metric I’ve produced.  NPV?  Nope.  ROSI?  Nuh-uh.

What I have chosen to use is RROI — the reduction of risk on investment.  HA!  Another term.

Basically, I’ve used various combinations of metrics and measurements to quantify data points and answer the question:

"If I invest in some element of my security program (people, process, technology) — or after I have invested in it — am I more secure than I was before and how much more?  Furthermore, how should I manage my investment portfolio to give me the best reduction of risk?"

One doesn’t hire security guards because of an expectation that this action will cause one to be more profitable; it’s a cost of doing business that allows one to assess the risk based on impact and decide how, if at all, one could or should invest in security to defray the impact and cost associated with the event(s) one is trying to mitigate.

Ah yes, the old "why would you spend $1000 to protect a $10 asset?" question.  Can you answer this question for every security investment you make?

I’d say that I’ve always been able to communicate what the "return" (see above) would be on investments made and done so in a manner that has always seen my security budgets grow when necessary and trim when warranted.  The transparency I strive to produce is communicated in business terms that anyone who can understand basic math and business logic can process.  Maybe I’m just lucky. 

I’m not saying I have the problem licked or that I found the holy grail, but the problem just doesn’t seem to be as daunting as some would have you believe.  Start small, be rational and build and manage your portfolio accordingly.

So, how many of you have risk dashboards that can, in near-time, communicate where you invest, why and how this maps to the business and helps you most effectively manage risk per dollar spent?  This is what’s really important.

I’m just wondering that instead of trying to globally force-feed a definition across a contentious landscape of religion and philosophy, perhaps we could spend the time arguing less about terms and more about solving problems.  Ask the business how they want to see your security value communicated and go from there.  If they want ROI, then fine…define the "R" appropriately and move on.

I’m going to "return" to work now… 😉

/Hoff

Fat Albert Marketing and the Monetizing of Vulnerability Research

July 8th, 2007 No comments

Over the last couple of years, we’ve seen the full spectrum of disclosure and "research" portals arrive on scene; examples stem from the Malware Distribution Project to 3Com/TippingPoint’s Zero Day Initiative.  Both of these examples illustrate ways of monetizing the output trade of vulnerability research.   

Good, bad or indifferent, one would be blind not to recognize that these services are changing the landscape of vulnerability research and pushing the limits which define "responsible disclosure."

It was only a matter of time until we saw the mainstream commercial emergence of the open vulnerability auction which is just another play on the already contentious marketing efforts blurring the lines between responsible disclosure for purely "altruistic" reasons versus commercial gain.

Enter Wabisabilabi, the eBay of Zero Day vulnerabilities.

This auction marketplace for vulnerabilities is marketed as a Swiss "…Laboratory & Marketplace Platform for Information Technology Security" which "…helps customers defend their databases, IT infrastructure, network, computers, applications, Internet offerings and access."

Despite a name which sounds like Mushmouth from Fat Albert created it (it’s Japanese in origin, according to the website), I am intrigued by this concept and whether or not it will take off.

I am, however, a little unclear on how customers are able to purchase a vulnerability and then become more secure in defending their assets. 

A vulnerability without an exploit, some might suggest, is not a vulnerability at all — or at least it poses little temporal risk.  This is a fundamental debate of the definition of a Zero-Day vulnerability. 

Further, a vulnerability that has a corresponding exploit but without a countermeasure (patch, signature, etc.) is potentially just as useless to a customer if you have no way of protecting yourself.

If you can’t manufacture a countermeasure, even if you hoard the vulnerability and/or exploit, how is that protection?  I suggest it’s just delaying the inevitable.

I am wondering how long until we see the corresponding auctioning off of the exploit and/or countermeasure?  Perhaps by the same party that purchased the vulnerability in the first place?

Today in the closed loop subscription services offered by vendors who buy vulnerabilities, the subscribing customer gets the benefit of protection against a threat that they may not even know they have, but for those who can’t or won’t pony up the money for this sort of subscription (which is usually tied to owning a corresponding piece of hardware to enforce it), there exists a point in time between when the vulnerability is published and when this knowledge is made available universally.

Depending upon this delta, these services may be doing more harm than good to the greater populace.

In fact, Dave G. over at Matasano argues quite rightly that by publishing even the basic details of a vulnerability, "researchers" will be able to more efficiently locate the chunks of code wherein the vulnerability exists and release this information publicly — code that was previously not known to even have a vulnerability.

Each of these example vulnerability service offerings describes how the vulnerabilities are kept away from the "bad guys" by qualifying their intentions based upon the ability to pay for access to the malicious code (we all know that criminals are poor, right?)  Here’s what the Malware Distribution Project describes as the gatekeeper function:

Why Pay?

Easy; it keeps most, if not all of the malicious intent, outside the gates. While we understand that it may be frustrating to some people with the right intentions not allowed access to MD:Pro, you have to remember that there are a lot of people out there who want to get access to malware for malicious purposes. You can’t be responsible on one hand, and give open access to everybody on the other, knowing that there will be people with expressly malicious intentions in that group.

ZDI suggests that by not reselling the vulnerabilities but rather protecting their customers and ultimately releasing the code to other vendors, they are giving back:

The Zero Day Initiative (ZDI) is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com later provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

As if you haven’t caught on yet, it’s all about the Benjamins. 

We’ve seen the arguments ensue regarding third-party patching.  I think that this segment will heat up because in many cases it’s going to be the fastest route to protecting oneself from these rapidly emerging vulnerabilities you didn’t know you had.

/Hoff

How to Kick Ass in Information Security — Hoff’s Spiritually-Enlightened Top Ten Guide to Health, Wealth and Happiness

June 24th, 2007 8 comments

I’ve spent a while in this business and have been doing time on planet Earth in a variety of roles in the security field; I’ve been a consumer, a CISO, a reseller, a service provider, and a vendor, so I think I have a good sense of shared empathy across the various perspectives that make up the industry’s collective experience.

I get to spend my time traveling around the world speaking to very smart people; overworked, tired, cynical, devoted, and fanatical security folks who are all trying to do the right thing within the context of the service they provide their respective businesses and customers.

A lot of them are walking around in a trance however, locked into the perpetual hamster wheel of misery that many will have you believe is all security can ever be.  That’s bullshit.  I love my job; I’ve loved every one of them in this space.  They have all had their ups and downs, but I know that I’ve made a positive difference in every one because I believe in what I’m doing and more importantly I believe in how I’m doing it.   If you want to manifest misery, then you will.  If you want to change the way security is perceived, you will.

Most of the people I speak to have the same set of problems and, for some reason, seem to be stuck in the same pattern and not doing much about trying to solve them.  Now, I’m not going to try and get all preachy, but when I hear the same thing over and over, up and down the stack from the Ops trenches to the CSO, and nobody seems to be able to gain traction towards a solution, I’m puzzled as to whether it’s the problem or the answer people are seeking.

In many cases, people feel the need to solve problems themselves.  It’s the classic “Dad won’t pull into the gas station to ask directions when he’s lost” syndrome.  Bad form.   Let’s just pull over for a second and see if we can laugh this thing off and then get back on the road with a map.

I thought that I’d summarize what I’ve heard and articulate it with my top ten things that anyone who is responsible for architecting, deploying, managing and supporting an information security program should think about as they go about their jobs.   This isn’t meant to compete with Rothman’s Pragmatic CSO book, but if you want to send me, say, half the money you would have sent him, I’m cool with that.

These are not in any specific order:

1.    Measure Something
I don’t care whether you believe in calling this “metrics” or not.  If you’ve got a pulse and a brain (OK, you probably need both for this) then you need to recognize that the axiom “you can’t manage what you don’t measure” is actually true, and the output – no matter what you call it – is vitally important if you expect to be taken seriously.

Accountants have P&L statements because they operate around practices that allow them to measure the operational integrity and fiscal sustainability of a business.  Since security is a functional service mechanism of the business, you should manage what you do as a business.

I’m not saying you need to demonstrate ROI, ROSI, or RROI, but for God’s sake, in order to gauge the efficiency, efficacy and investment-worthiness of what you’re doing, you need to understand what to focus on and what to get around to when you can spare cycles.  Be transparent about what you’re doing and why to management.  If you have successes, celebrate them.  If you have failures, provide a lessons-learned and move on.

You don’t need a degree in statistics, either.  If you want a good clue as to what you can easily do to start off measuring and reporting, please buy this.  Andy Jaquith, while stunningly handsome and yet quaintly modest (did I say that correctly, Andy?) knows his shizzle.

2.    Budget Isn’t Important
That’s right, budget isn’t important, it’s absolutely everything.   If you don’t manage your function like it is a business burning your own cash then you won’t survive over the long term.  Running a business takes money.  If you don’t have any, well…  As my first angel investor, Charles Ying taught me, “Cash is King.”   I only wish I learned this and applied it earlier.

If you lead a group, a team or a department and you come to the second budget cycle (the first you probably had no control over since you inherited it) under your watch and you open the magic envelope to discover that you don’t have the budget to execute on the initiatives in your security program that align to the initiatives of supporting the business, then quit.

You should quit because it’s your fault. It means you didn’t do your job.  It means you’re not treating things seriously as a set of business concerns.

Whether you’re in a down-cycle, budget-cutting environment or not, it’s your job to provide the justification and business-aligned focus to get the money you need to execute.  That may mean outsourcing.  That may mean you do more with less.  That may mean that you actually realize there are tradeoffs you need to illustrate, which indicate risk, reward and investment strategies, and let someone else make the business decision to fund them or not.

Demonstrate what you can offer the business from your security portfolio and why it’s worth investing in.  You won’t be able to do everything.  Learn to stack the deck and play the game.  Anyone who tells you that a budget cycle isn’t a game is (1) a lousy liar, (2) someone who doesn’t have any budget and (3) nobody you need to listen to.

3.    Don’t Be a Technology Crack-Whore
If you continue to focus on technology to solve the security “problem” without the underlying business process improvement, automation and management & measurement planes in place to demonstrate what, why and how you’re doing things, then you’re doomed.   I’m not going to re-hash the ole “People, Process and Technology” rant as that’s overplayed.

Learn to optimize.  Learn to manage your security technology investments as a portfolio of services that can be cross-functionally leveraged across lines of business and operationalized and cost-allocated across IT.

Learn to recognize trends and invest your time and energy in understanding what, if anything, technology can do for you and make smart decisions on where to invest; sometimes that’s with big companies, sometimes that’s with emerging start-ups.

Quantify the risk vs. return and be able to highlight the lifecycle of what you expect from a product.  Understand amortization and depreciation schedules and how they affect your spend cycles, and sync this to your key vendors’ roadmaps.

If your solutions deliver, demonstrate it.  If they fail, don’t try to CYA, but refer back to the justification, see where it blew a gasket and gracefully move on.  See #1 above.

4.    Understand Risk
Please take the time to understand the word “risk” and its meaning(s).  If you continue to overuse and abuse the term in conversation with people who actually have to make business decisions, and you don’t communicate “risk” using the same lexicon and vocabulary as the people who write the checks, you’re doing yourself a disservice and you’re insulting their intelligence.

If you don’t understand or perform business impact analyses and only talk about risk within the context of threats and vulnerabilities, you’re going to look like the FUD-spewing technology crack-whore in #3 above.

This will surely be the conclusion because you sound like all you want is more money (see #2), because you clearly can’t speak the language that demonstrates you actually understand what you do and how it unequivocally contributes to the business; probably because you haven’t measured anything (see #1).

If you want to learn more about how to understand risk, please read this. Alex Hutton is one wise MoFo.

5.    Network
That’s a noun and a verb.  Please don’t hunker in your bunker.  Get out and talk to your constituents and treat them as valued customers.  Learn to take criticism (see #6) and ask how you’re doing.  By doing that, you can also measure impact directly (see #1).   You should also network with your peers in the security industry; whether at local events, conferences or professional gatherings, experiencing and participating in the shared collective is critical.

I, myself, like the format of the various “CitySec” get-togethers.  BeanSec is an event that I help to host in Boston.  You can find your closest event by going here.

The other point here is that as budget swings towards the network folks who seem to be able to do a better job at communicating how investing in their portfolio is a good idea (see #1 and #2) you better learn to play nice.  You also better understand their problems (see #6) and the technology they manage.  If you expect to plug into or displace what they do with more kit that plugs into “their” network, you better be competent in their space.  If they’re not in yours, all the better for you.

6.    Shut-up and Listen
Talk with one hole, listen with two.

If I have to explain this point, you’ve probably already dismissed the other five and are off reading your Yahoo stock page and the latest sports scores.  God bless and call me when you start your landscaping business…I need my hedges trimmed.

7.    Paint a Picture
Please get your plans out of your head and written down!  Articulate your strategy and long-term plan for how your efforts will align to the business and evolve over time to mature and provide service to the business.  Keep it short, concise, in “English” and make sure it has pretty pictures.  Circulate it for commentary.  Produce a mantra and show pride in what you do and the value you add to the business.   It’s a business plan.  Sell it and support it like it is.  Demonstrate value (see #1) and you’ll get budget (#2) because it shows that you understand you make business decisions, not technology knee-jerks.

This means that you keep pulse with what technology can offer, how that maps to trends in your business, and what you’re going to do about them with the most efficient and effective use of your portfolio.

Most of this stuff is common sense and you can see what’s coming down the pike quite early if you pay attention.  If you craft your business plan and evolution in stages over time, you’ll look like a freaking prescient genius.  You’ll end up solving problems before they become one.  Demonstrate that sort of track record and you’ll have more runway to do what you want as well as what you need.

8.    Go buy a Car
Used or new, it doesn’t matter.  Why?  Because the guys and gals who sell cars for a living have to deal with schmucks like you all day long and yet they still make six figures, go home at the end of the day after an 8-10 hour shift and get to ignore the office.  They know how to sell.  They listen (#6), determine what you have to spend (#2) and then tell you how good you look in that ’84 Sentra and still manage to up-sell you to a BMW M3 with the paddle shifters and undercoating.

You need to learn to sell and market like a car salesman – not the kind that makes you feel sticky, but the kind that you want to invite over to your BBQ because he had your car washed while you waited, brought you coffee and called you back the day after to make sure everything was OK.

Seriously.  Why do you think that most CEOs were salesmen?  You’re the CEO of the security organization.  Act like it.

9.    Learn to Say “Yes” by saying “No” and vice-versa
Ah, no other word with so few letters inspires such wretched responses from those who hear it.  And security folks just LOVE to say it.  We say it with such a sense of entitlement and overwhelming omnipotence, too.   We say it and then giggle to ourselves whilst we strike the Dr. Evil pinky pose wearing the schwag shirt we scored from the $5000 security conference we attended to learn how to more effectively secure the business by promoting security as an enabler.

It’s OK to say no, just think about how, why and when to say it.  Better yet, get someone else to say it, preferably the person who’s trying to get you to say yes.  Use the Jedi mind-trick.  Learn to sell – or unsell.  These are tricky security ninja skills and take a while to master.

Having someone justify the business reason, risk and rewards for doing something – like you should be doing – is the best way to have them talk themselves out of having you do something foolish in the first place.  You won’t win every battle, but the war will amass fewer casualties because you’re not running over every hill lobbing grenades at every request.

10.    Break the Rules
Security isn’t black and white.  Why?  Because despite the fact that we have binary compute systems enforcing the rules, those who push the limits use fuzzy logic and don’t concern themselves with the constraints of 1 and 0.   You shouldn’t, either.

Think different.  Be creative.  Manage risk and don’t be averse to it because if you’re running your program as a business, you make solid decisions based on assessments that include the potential of failure.

Don’t gauge success by thinking that anything short of 100% represents failure; 80% is not failure.  Incremental improvement over time – even when it’s not overtly dramatic – does make a difference.  If you measure it, by the way, it’s clearly demonstrable.

Challenge the status quo and do so with the vision of fighting the good fight – the right one for the right reasons – and seek to improve the health, survivability, and sustainability of the business.

Sometimes this means making exceptions and being human about things.  Sometimes it means getting somebody fired and cleared out of their cube.  Sometimes it means carrot, sometimes stick.

If you want to be a security guard, fine, but don’t be surprised when you get treated like one.  Likewise, don’t think that you’re entitled to a seat at the executive table just because you wear a tie, play golf with the CFO, or do the things on this list.

Value is demonstrated and trust is earned.   Learn to be adaptive, flexible and fair — dare I say pragmatic, and you’ll demonstrate your value and you’ll earn the trust and confidence of those around you.

So there you go.  One Venti-Iced-Americano inspired “Hoff’s giving back” rant. Preachy, somewhat cocky and self-serving?  Probably.  Useful and proven in battle?  Absolutely.   If anyone tells you any different, please ask them why they’re reading this post in the first place.

Think about this stuff.  It’s not rocket science.  Never has been.  Most of the greatest business people, strategists, military leaders, and politicians are nothing more than good listeners who can sell, aren’t afraid of making mistakes, learn from the ones they make and speak in a language all can relate to and understand.  They demonstrate value and think outside of the box; solving classes of problems rather than taking the parochial and pedestrian approach that we mostly see.

You can be great, too.  If you feel you can’t, then you’re in the wrong line of work.

/Hoff

I see your “More on Data Centralization” & Raise You One “Need to Conduct Business…”

June 19th, 2007 1 comment

Bejtlich continues to make excellent points regarding his view on centralizing data within an enterprise.  He cites the increase in litigation regarding inadequate eDiscovery investment and the increasing pressures amassed from compliance.

All good points, but I’d like to bring the discussion back to the point I was trying to make initially and here’s the perfect perch from which to do it.  Richard wrote:

Christofer Hoff used the term "agile" several times in his good blog post. I think "agile" is going to be thrown out the window when corporate management is staring at $50,000 per day fines for not being able to produce relevant documents during ediscovery. When a company loses a multi-million dollar lawsuit because the judge issued an adverse inference jury instruction, I guarantee data will be centralized from then forward.

…how about when a company loses the ability to efficiently and effectively conduct business because they spend so much money and time on "insurance policies" against which a balanced view of risk has not been applied?  Oh, wait.  That’s called "information security." 😉

Fear.  Uncertainty.  Doubt.  Compliance.  Ugh.  Rinse, lather, repeat.

I’m not taking what you’re proposing lightly, Richard, but the notion of agility, time to market, cost transformation and enhancing customer experience are being tossed out with the bathwater here. 

Believe it or not, we have to actually have a sustainable business in order to "secure" it. 

It’s fine to be advocating Google Gears and all these other Web 2.0 applications and systems. There’s one force in the universe that can slap all that down, and that’s corporate lawyers. If you disagree, who do you think has a greater influence on the CEO: the CTO or the corporate lawyer? When the lawyer is backed by stories of lost cases, fines, and maybe jail time, what hope does a CTO with plans for "agility" have?

But going back to one of your own mantras, if you bake security into your processes and SDLC in the first place, then the CEO/CTO/CIO and legal counsel will already have assessed the position the company has and balance the risk scorecard to ensure that they have exercised the appropriate due care in the first place. 

The uncertainty and horrors associated with the threat of punitive legal impacts have been, are, and will always be there…and they will continue to be exploited by those in the security industry to buy more stuff and justify a paycheck.

Given the business we’re in, it’s not a surprise that the perspective presented is very, very siloed and focused on the potential "security" outcomes of what happens if we don’t start centralizing data now; everything looks like a nail when you’re a hammer.

However, you still didn’t address the other two critical points I made previously:

  1. The underlying technology associated with decentralization of data and applications is at complete odds with the "curl up in a fetal position and wait for the sky to fall" approach
  2. The only reason we have security in the first place is to ensure survivability and availability of service — and make sure that we stay in business.  That isn’t really a technical issue at all, it’s a business one.  I find it interesting that you referenced this issue as the CTO’s problem and not the CIO.

As to your last point, I’m convinced that GE — with the resources, money and time it has to bear on a problem — can centralize its data and resources…they can probably get cold fusion out of a tuna fish can and a blow pop, but for the rest of us on planet Earth, we’re going to have to struggle along trying to cram all the ‘agility’ and enablement we’ve just spent the last 10 years giving to users back into the compliance bottle.

/Hoff