Tuesday, August 15, 2006

Notes from Last ISSA-NoVA Meeting

I realized I never published my notes from the July ISSA-NoVA meeting. This was another managerial-type talk, by James Golden, Manager of IT Governance at the USPS. The USPS is huge -- 153,000 desktops, 22,000 servers, 18,000 laptops, 7,000 offices, 175,000 internal email users, and 2,000 external users. Their Web site gets over one million visitors per day.

Mr. Golden said security is like Y2K -- "If everything fails, critics say you spent too little money. If everything works, critics say you spent too much money." He defined "IT governance" as "doing the right things right." I had never heard of IT governance, let alone the IT Governance Institute. He said the USPS is not covered by FISMA -- "Thank goodness!" -- and that SOX is "the biggest waste of money we spend in IT." By now you could imagine me liking Mr. Golden's style.

Since this was an ISSA meeting, Mr. Golden did discuss aligning COBIT, ITIL, and ISO 17799. Thanks to the APWU you can find the AS-805 series of manuals the USPS uses for information security.

My ears perked up when Mr. Golden discussed metrics. He said "metrics seek to change behavior," and asked "are you getting the behavior you wanted from your metrics?" and "why is performance changing?" I was amazed by the detailed counts he had for the following:

  • Number of XP workstations with non-standard service packs

  • Number of workstations with latest anti-virus signatures

  • Number of power users or administrators

  • Days of backups missed

  • Number of workstations with ISS RealSecure Desktop (RSDP)

  • Number of CIRT incidents


That last item drew my attention. I asked how the USPS handles incident reporting, and I got an answer similar to that of Dennis Heretick from DoJ -- USPS wants users to report security incidents. Therefore, USPS doesn't track meaningful metrics like those in my previous post -- days since last compromise of type X, system-days compromised, pen-test time, etc.
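To make the contrast concrete, here is an added example (mine, not anything the USPS or the speaker presented) that computes two of the outcome-oriented metrics named above, "days since last compromise of type X" and "system-days compromised", from a constructed incident log. The incident records, hostnames and category names are all made up for illustration; the point is that these numbers are derived from confirmed compromises with start and containment dates, not from how many reports users chose to file.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Incident:
    system: str                # asset identifier (constructed)
    kind: str                  # compromise category, e.g. "malware" (constructed)
    detected: date             # first confirmed date of compromise
    contained: Optional[date]  # None means the incident is still open

# Constructed sample data; not real USPS incidents.
INCIDENTS = [
    Incident("web-01", "web-app", date(2006, 6, 2), date(2006, 6, 5)),
    Incident("web-01", "web-app", date(2006, 6, 4), date(2006, 6, 9)),   # overlaps the previous one on the same host
    Incident("db-02", "credential-theft", date(2006, 6, 20), date(2006, 6, 21)),
    Incident("ws-117", "malware", date(2006, 7, 10), None),              # still open as of the report date
    Incident("ws-203", "malware", date(2006, 7, 1), date(2006, 7, 3)),
]

# Date the report is generated for (constructed).
REPORT_DATE = date(2006, 7, 15)

def days_since_last_compromise(incidents, kind, as_of):
    """Days between the most recent confirmed compromise of `kind` and `as_of`.
    Returns None when no compromise of that kind has been recorded."""
    dates = [i.detected for i in incidents if i.kind == kind and i.detected <= as_of]
    if not dates:
        return None
    return (as_of - max(dates)).days

def _merge(intervals):
    """Merge overlapping half-open [start, end) day intervals so that two
    overlapping incidents on one system are not double-counted."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def system_days_compromised(incidents, as_of):
    """Total number of days any system spent in a compromised state up to `as_of`.
    Open incidents are counted through `as_of`; a same-day detect/contain counts as one day."""
    by_system = {}
    for inc in incidents:
        if inc.detected > as_of:
            continue
        end = inc.contained if inc.contained is not None else as_of
        end = min(end, as_of)
        # convert the inclusive containment date to a half-open interval
        by_system.setdefault(inc.system, []).append((inc.detected, end + timedelta(days=1)))
    total = 0
    for intervals in by_system.values():
        for start, end in _merge(intervals):
            total += (end - start).days
    return total

def metrics_report(incidents, as_of):
    """Collect the outcome metrics into one dict, one 'days since' entry per category seen."""
    kinds = sorted({i.kind for i in incidents})
    return {
        "system_days_compromised": system_days_compromised(incidents, as_of),
        "open_incidents": sum(1 for i in incidents if i.contained is None and i.detected <= as_of),
        "days_since_last": {k: days_since_last_compromise(incidents, k, as_of) for k in kinds},
    }

if __name__ == "__main__":
    print(metrics_report(INCIDENTS, REPORT_DATE))
```

The interval merge matters: without it, the two overlapping web-01 incidents would inflate the figure, and a metric that can be gamed by how tickets are split is exactly the kind of number whose "behavior change" is not the one you wanted.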

Again, this is terrible. Somehow we, the security community, must overcome the idea that the number of security incidents is outside the control of the enterprise. I know many of you are screaming at me now, but this is true whether you like it or not. While you cannot have absolute control of your security destiny, you can certainly influence it.

Consider this scenario. What happens to the police chief of a city where crime is out of control? Barring corruption, ignorance, laziness, bureaucratic inertia, and a dozen other problems, the mayor will fire the police chief. What happens to the mayor of a city where crime remains out of control? Barring the same problems, he/she is voted out of office. I could continue, but the point is that people in other fields can be held accountable in security situations. The "customers" of security can exert pressure for improvement, regardless of the power of the objects of their attention to actually do anything about it. It's the "Do something!" impulse, which in many cases yields unintended or sometimes malicious consequences. The fact remains that the choices made by those in power are expected to have a positive effect -- or else they will be removed from power.

Bringing this back to the digital security realm, what is the problem? Unlike physical theft, murder, and other blatantly obvious crimes, it is usually difficult to directly observe digital crime. People are now becoming aware of cybercrime by seeing fraudulent credit card charges (just happened to me again), identity theft, spyware, and the like. This is only the tip of the iceberg, and it's certainly not clear who is at fault. Therefore, customer pressure is unfocused. At some point we cybercrime victims may inflict the "Do something!" impulse, and hold someone accountable.

The CEO of a company that suffered constant intrusion might direct a "Do something!" impulse at the CISO. If the pressure became too great, the company might decide to abandon its Microsoft Windows systems for something with a better security record. This relates to IT governance, which I've decided is poorly named.

Regarding Mr. Golden's role as "manager, IT governance": those with interests outside security may recognize the term "corporate governance," which in some respects for public companies means safeguarding shareholder interests/assets. Within the corporation, multiple sources of value are resident:

  1. Physical assets

  2. Financial instruments

  3. Brand

  4. Human resources (employees)

  5. Inventory

  6. Intellectual property

  7. Information


Each of those items has a level of governance associated with it, meaning implementation, operation, and maintenance of value. Of those seven items, however, only the last might be considered a mix of value inherent to the company and value inherent to its customers. In other words, part of the value of information is derived from data about customers. Sure, the company feels obligated to protect this data to exploit it for sales, but that does not align with the customers' desire to keep the same data out of the hands of thieves.

In situations with split incentives, poor information regarding abuse of customer data, and a lack of power on the customers' part to influence the company (aside from avoiding future purchases), the government usually regulates. We are seeing this happen now.

The major thoughts I took from Mr. Golden's talk were:

  1. We need an independent group to determine the level of compromise in government agencies. Perhaps GAO?

  2. IT governance is really information governance, since the technology is far less important than the data.


Point one reminds me of problems with business financials, water quality, food and drug safety, and related issues; all involve independent agencies which report upon the state of affairs. All of the responsible parties would more than likely prefer to keep the lid on potential problems. Security is no different.

3 comments:

jbmoore said...

Bruce Schneier has pointed out these issues time and again. His thinking is tending towards security having to take a back seat to economics. There's no penalty other than image loss if its databases are ransacked. No significant liability for data loss means no incentive to protect customer data.

As far as the government, most of what TSA is doing is eye candy and psychological in value. The securing of cockpits and passengers not meekly complying with hijackers is more secure than making people take their shoes off for inspection. New Orleans is the exception to your argument. Government failed to protect citizens at all levels, yet the local administration was voted back into office even though some of the police committed crimes during the days after Katrina. There seems to be nothing but lip service paid to accountability, be it public or private sector, IT security or plain physical security. With everything being hushed up or classified, it makes it that much harder to determine what works and what doesn't, or even how big the problem is.

jbmoore said...

Bob Lewis has this week's and last week's columns devoted to IT governance: http://issurvivor.com/ . Makes for insightful reading, especially his comments about using IT metrics to evaluate whether you should change the oil in your car.

Donal said...

Economics, econometrics, securitymetrics, statistics, incentives...

"You can't manage what you can't measure..."

Just a list of words and thoughts in no particular order.

One of the reasons I am stepping outside of the industry, for in effect... I do not believe we can "see the wood for the trees."