Category Archives: Boards

Mapping the Startup Maturity Framework to flexible information security fundamentals

MappingsAfter over a decade of working with startups, private equity, and over the last 5 years of deep big 4 client services acting in different executive roles (CISO, CIO Advisor, Board of Directors support)  I am certain there is a need and lack of implementation for adapted information security that is reflective of the size, maturity, and capabilities of the business. This applies independently to the the product and the enterprise as a whole. To that end, I have begun building models of activities to match each level of maturity to try and bring clarity or at least a set of guidelines.

As I share with my clients … in some cases a founder is deciding between EATING and NOT. So every function and feature, including security habits, must contribute to the current needs!

I have begun working with several partners and venture capital firms on this model, but wanted to share a nice post that highlights some very informative ‘Patterns in Hyper-growth Organizations‘ and what needs to be considered (employee type, tools, etc..). Please check it out and I look forward to working with the community on these models.

A snippet on her approach and great details:

We’re going to look at the framework for growth. The goal is to innovate on that growth. In terms of methods, the companies I’ve explored are high-growth, technology-driven and venture-backed organizations. They experience growth and hyper-growth (doubling in size in under 9 months) frequently due to network effects, taking on investment capital, and tapping into a global customer base.

Every company hits organizational break-points. I’ve seen these happening at the following organizational sizes:

via Mapping the Startup Maturity Framework | Likes & Launch.

Methodology for the identification of critical connected infrastructure and services — SAAS, shared services..

ENISA released a study with a methodology identifying critical infrastructure in communication networks. While this is important and valuable as a topic, I dove into this study for a particularly selfish reason … I am SEEKING a methodology that we could leverage for identifying critical connected infrastructure (cloud providers, SAAS, shared services internally for large corporations, etc..) for the larger public/private sector.  Here are my highlights – I would value any additional analysis, always:

  • Challenge to the organization: “..which are exactly those assets that can be identified as Critical Information Infrastructure and how we can make sure they are secure and resilient?”
  • Key success factors:
    • Detailed list of critical services
    • Criticality criteria for internal and external interdependencies
    • Effective collaboration between providers (internal and external)
  • Interdependency angles:
    • Interdependencies within a category of service
    • Interdependencies between categories of services
    • Interdependencies among data assets
  • Establish baseline security guidelines (due care):
    • Balanced to business risks & needs
    • Established at procurement cycle
    • Regularly verified (at least w/in 3 yr cycle)
  • Tagging/Grouping of critical categories of service
    • Allows for clean tracking & regular security verifications
    • Enables troubleshooting
    • Threat determination and incident response
  • Methodology next steps:
    • Partner with business and product teams to identify economic entity / market value
    • Identify the dependencies listed about and mark criticality based on entity / market value
    • Develop standards needed by providers
    • Investigate how monitoring to standards can be managed and achieved (in some cases contracts can support you, others will be a monopoly and you’ll need to augment their processes to protect you)
    • Refresh and adjust annually to reflect modifications of business values

I hope this breakout is helpful. The ENISA document has a heavy focused on promoting government / operator ownership, but businesses cannot rely or wait for such action and should move accordingly. The above is heavily modified and original thinking based on my experience with structuring similar business programs. A bit about ENISA’s original intent of the study:

This study aims to tackle the problem of identification of Critical Information Infrastructures in communication networks. The goal is to provide an overview of the current state of play in Europe and depict possible improvements in order to be ready for future threat landscapes and challenges. Publication date: Feb 23, 2015 via Methodologies for the identification of Critical Information Infrastructure assets and services — ENISA.

Best, James

The “appearance of trustability” on foo.Github.io

Github is an awesome repository system that is very popular. Basically if you want to work on something (code, a book, electronic files) and then allow others to freely make suggested modifications (think track changes in a Microsoft Word doc), GitHub is the new way of life. I have used on publishing a book, writing code, taking a Python course online, and others are using it at a scale to produce some of the fantastic tools you see online.

I recently saw a post (included below) that clarified how their encryption was setup. Basically encryption allows you to confidentially send data to another party without the fear of others intercepting, stealing, or modifying it. It appears though that for foo.GitHub.io they are presenting the appearance of encryption, but in fact do not have it. Meaning the actual files are sent in the clear.

This is a problem in our structure of security and compliance. Today we have regulations and industry standards that are designed to prescribe specific security safeguards and levels to ensure a baseline amount of security. If organizations don’t meet the true intent of the regulations, do only enough to pass inspection, but create an environment that is susceptible to basic attacks – the user (you and me) are the one’s who suffer.

While it is disappointing for an organization to setup something that clearly creates false trust and checks a box, it is more a call to action for those who operate these systems to embrace pride of the services they are delivering. Much as Steve Jobs desired the insides and outsides of a system to be done correct – the security of an organization should not just look but be right.

We must do better as owners, operators, and security professionals. Trust depends on indicators and expectations being met, and to violate that begs the question… what else is being done in the same manner?

“cben” comment below on github.com issues post:

Turns out there is no end-to-end security even with foo.github.io domain. Got this response from GH support (emphasis mine):

[…opening commentary removed…]

While HTTPS requests may appear to work, our CDN provider is adding and removing the encryption at their end, and then the request is transmitted over the open internet from our CDN provider to our GitHub Pages infrastructure, creating the appearance of trustability.

This is why we do not yet officially support HTTPS for GitHub Pages. We definitely appreciate the feedback and I’ll add a +1 to this item on out internal Feature Request List.

via Add HTTPS support to Github Pages · Issue #156 · isaacs/github · GitHub.

Best,

James

Innovating and penetrating the market – Battlefield Leadership Series – lessons and thoughts

Longues Sur Mer

At this location on the coast of Normandy you can see the immense naval guns setup to attack oncoming ships in World War II. The Germans expended resources and relied heavily upon on these guns in their defensive strategy. Unfortunately for the Germans, the treatment of the workers and locals, the sheer lack of natural intelligence, and exposure of building such vast emplacements was their downfall.

The Allies often received intelligence on the exact positions of German construction. This was provided by those building and living in the area. Specifically, a local farmer boy who was blind and actually counted each step precisely and then supplied locations through the French resistance and Allied intelligence networks.

The result was a gap in the German defensive strategy, a waste of resources, and ultimately, a failure to defend the coast.

Business Reflections: Innovating and Penetrating the market…

  • How are you establishing a product development strategy and running your business as a whole?
  • Are there defensible attributes that you deem critical, and how can they be routed?

Practical example: In the information security and intellectual property sector, there are very real threats and running a secure business requires constant new methods of defense.  How have you reevaluated these based on the shifts internally of your business and the known threats in the market itself? How did this analysis compare to prior years, and how have the effectiveness of your defenses proven?

From a product innovation perspective – are you developing in features from the highest and lowest levels? What are the high impact:low development efforts underway, and what could be added. Product and innovation requires views on the long and short run – to often we make complexity because we are able to handle complexity, when sometimes the user really only needs something less complex.

Leadership requires action:

Simply acknowledging the risks and accepting the situation does not prevent disastrous outcomes.


 

What is Battlefield Leadership and what is this series about … 

As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally I am bringing these lessons to bear within my pursuits to cross the chasm. To often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new bookHow Not to be hacked seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting the Battlefield group for this training placed it in Normandy France. This allowed for senior executives to be trained in a setting where serious decisions were placed by both sides, and each provided a lesson. This series represents my notes (that I could take down) and takeaways. I share to continue the conversation with those great individuals I met, and with the larger community.

Kind regards,

James

 

Annually Review Governance Control Programs

A client of mine recently updated their rich corporate governance program, and beyond obvious extensions to include recent State laws (introduced in the last 6 months) governing data usage and some International legislation there was particular attention towards the Federal government use of the FSG (Federal Sentencing Guidelines).  A recent increase in DOJ attention has raised this mandates requirements above the normal baseline within the organization, and now carries equal weight with such initiatives as SOX, PCI DSS, and NASD listing requirements.

Two nice sources for FSG are the full guidelines themselves – of particular interest may be section 8B2.1 Effective Compliance and Ethics Program“, and a nice text published by Theodore L. Banks and Frederick Z. Banks entitled, “Corporate Legal Compliance Handbook”.  Here is a link to Google Book Search with some interesting content already highlighted.

As a best practice, always review your responsibilities to stakeholders (whether they be investors, employees, industry watch groups, government agencies, or international treaty conditions) on a regular basis.  These periods of review vary depending on the growth and change of your particular industry, but should not exceed an annual inspection.  Reviews should focus on the business impacts these mandates impose and the controls established to satisfy each.  An executive session should be included in this process to ensure that strategic direction is captured, and that any shifts are embraced by management and all divisions of a company.

Best,

James DeLuccia

Update: Book Release is now March 19th 2008!! Pre-Order Today