Saturday, September 27, 2008

Is Experience the Only Teacher in Security?

Another reader asked me this question, so I thought I might share it with you:

I'm really struggling with... how to communicate risk and adequate controls to the business managers at my employer... To put it bluntly, this is the first time the company has really looked at it [security] at all and they don't really want to deal with it. They have to because of the business we are in though... So while I've got a blazing good example of what doesn't work, I still don't know what does.

What are some good resources that you have found in communicating security (or other) risks to business? Are there books, blogs or authors that you would recommend?


I've written about this problem in the past, in posts like Disaster Stories Help Envisage Risks and Analog Security is Threat-Centric. I'll be speaking about this problem in my SANS Forensics Summit keynote next month, with the theme of "speaking truth to power."

Throughout my career, I've found few managers care about security until they've personally experienced a digital train wreck. Until a manager has had some responsibility for explaining an incident to his or her superiors, the manager has no real frame of reference to understand security. For me, this is a strength of the incident response community. We are absolutely the closest parties to ground truth in security, because we are the ones who manage security failures. The only other party as close to the problem is the adversary, and he/she isn't going to share thoughts on the issue.

Therefore, I recommend planning your security improvements, whatever they may be, then waiting for the right moment. Of course you can tell management that you have concerns, but don't be surprised when they ignore you. When a digital train wreck happens in your enterprise, step forward with your plan and say "I have an answer." In most intrusions managers want someone to tell them everything will be ok, especially when it's wrapped in a documented course of action. Be the person with the plan and you'll have greater success moving your security projects forward.

Does anyone else have suggestions for this blog reader?

7 comments:

Gunnar said...

Read Dan Geer's book

Information Security News said...

Where there's a regulatory requirement you can bang the compliance drum for a short while. Ultimately you have to wait for that train wreck to happen before you'll get the traction you need or demonstrate savings.

It sounds to me like you're experiencing a lack of buy-in at the top. Without that buy-in you'll never be able to improve security because the risk appetite is too voracious.

Davi Ottenheimer said...

"Waltzing with Bears" by DeMarco and Lister is an excellent book with many examples of business risk management from a technology perspective.

Fraud examiner, interview and investigation textbooks are also excellent resources. They have endless examples of security breaches.

I would recommend passing on most IT security books for insight as they are not from the perspective of the people you face.

The key to managing execs for security is learning to speak the language of those you are communicating with. In anthro terms, don't just be seen as an observer. I just gave a talk on this at the IEEE Key Management summit in Baltimore last week. In brief, I recommend two steps:

1) figure out what makes a person tick; their values (when making lists you might want A to be the reason for action, but C is often the thing that motivates, or even D or G; if you never get to G, you will get no response)

2) recognize yourself as a teacher and then understand what kind of student you are dealing with. If someone is a C or below, they will have a "just show me the checkbox and let me get out of here" mentality, or worse. When you have an A student they will achieve and even overachieve objectives.

It's soft skills and the social sciences are

I would suggest you read my own blog, but that's self-promotion, and these days I often just wax on about how bad Palin will be for US National Security. If Americans are unfortunate enough to have her in the White House, I do not envy the person who will have to try and educate her on security issues. She is the worst kind of leader -- fired some amazingly gifted people who understand security only because they did not tell her what she wanted to hear.

Steve Lodin said...

This is called the "Show Me Maxim" as defined in Roger Johnston's presentation on Physical Security Maxims. Roger is on the ANL Vulnerability Assessment Team.

http://www.cl.cam.ac.uk/~rja14/musicfiles/preprints/Johnston/securitymaxims.ppt

(Found in Schneier's blog)

Steve

Francois said...

Sounds like what you really need to start with is security training at a management level.

The post mentioned that the company never looked at security before, but they're beginning to look at it now. Why? What is the impetus for the change? Find out the reason, and apply leverage there. Find out what everyone's real concerns are - whether it's compliance, saving money, other legal concerns, or perhaps there's been some issue that exposed a security gap.

For all you know, there could be some serious problems right now that, because they haven't invested in security, nobody's even aware of. If there's no reliable information either way, someone's probably already taking advantage of that.

Money could be walking right out the door under their noses - or holding the door open for lawyers and regulators to walk in.

OTOH security can be a cost saving measure. Not just in risk management terms but in daily maintenance. E.g., how many virus outbreaks have they had to contain? How much did those incidents cost? How much could they have saved with simple but well-managed antivirus controls?

If you know the reason for the shift in perspective - and what each individual thinks is important - frame the issues in terms they can relate to. Has anyone in the management team had a friend or family member experience identity theft? (Probably so.) What are the consequences of non-compliance? If there's been an incident, could it happen again - and how do they know?

Understand too that security is not just an IT concern. It is everyone's concern and must come from the top. If management does not support policies, they are complicit in risk and must assume that responsibility.

If it becomes known that the company policy is XYZ, but it's never enforced, the complicity could make the situation even worse. A miscreant could argue in court that the culture was deliberately permissive.

Management needs to understand what they're getting into.
