After over a decade of working with startups and private equity, and over the last 5 years of deep Big 4 client service in different executive roles (CISO, CIO advisor, Board of Directors support), I am certain there is a need for, and a lack of implementation of, adapted information security that reflects the size, maturity, and capabilities of the business. This applies independently to the product and to the enterprise as a whole. To that end, I have begun building models of activities matched to each level of maturity, to bring clarity or at least a set of guidelines.
As I share with my clients … in some cases a founder is deciding between EATING and NOT. So every function and feature, including security habits, must contribute to the current needs!
I have begun working with several partners and venture capital firms on this model, but wanted to share a nice post that highlights some very informative ‘Patterns in Hyper-growth Organizations’ and what needs to be considered (employee type, tools, etc.). Please check it out; I look forward to working with the community on these models.
A snippet on her approach and great details:
We’re going to look at the framework for growth. The goal is to innovate on that growth. In terms of methods, the companies I’ve explored are high-growth, technology-driven and venture-backed organizations. They experience growth and hyper-growth (doubling in size in under 9 months) frequently due to network effects, taking on investment capital, and tapping into a global customer base.
Every company hits organizational break-points. I’ve seen these happening at the following organizational sizes:
via Mapping the Startup Maturity Framework | Likes & Launch.
Longues Sur Mer
At this location on the coast of Normandy you can see the immense naval guns set up to attack oncoming ships in World War II. The Germans expended resources and relied heavily on these guns in their defensive strategy. Unfortunately for the Germans, the treatment of the workers and locals, the sheer lack of natural intelligence, and the exposure that came with building such vast emplacements were their downfall.
The Allies often received intelligence on the exact positions of German construction, provided by those building and living in the area. Specifically, a local farm boy who was blind counted each step precisely and then supplied locations through the French resistance and Allied intelligence networks.
The result was a gap in the German defensive strategy, a waste of resources, and ultimately, a failure to defend the coast.
Business Reflections: Innovating and Penetrating the market…
- How are you establishing a product development strategy and running your business as a whole?
- Are there defensible attributes that you deem critical, and how can they be routed?
Practical example: In the information security and intellectual property sector there are very real threats, and running a secure business requires constantly renewed methods of defense. How have you reevaluated these based on the shifts inside your business and the known threats in the market itself? How did this analysis compare to prior years, and how has the effectiveness of your defenses been proven?
From a product innovation perspective: are you developing features from the highest and lowest levels? What high-impact, low-development-effort work is underway, and what could be added? Product and innovation require views on the long and the short run; too often we create complexity because we are able to handle complexity, when sometimes the user really only needs something less complex.
Leadership requires action:
Simply acknowledging the risks and accepting the situation does not prevent disastrous outcomes.
What is Battlefield Leadership and what is this series about …
As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across the multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs, specifically in the online services / cloud leader space). Personally, I am bringing these lessons to bear in my pursuit to cross the chasm. Too often I see brilliant technical individuals fail to communicate with very smart business leaders and with the common person on the street. My new book, How Not to Be Hacked, seeks to be a first step in bringing deep information security practices beyond the technologist.
Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share them to continue the conversation with the great individuals I met, and with the larger community.
ComplianceWeek has two examples of implementing IT GRC solutions in two multi-billion dollar organizations. Interestingly, each deployed it in a unique fashion and had different takeaways from the experience. The article speaks directly about SAP technology, but the successful GRC implementation practices apply to any organization.
In fact, evolving an organization’s risk framework through the adoption of an IT-GRC solution benefits an organization of any size, and even individual lines of business within an organization. I discussed additional support for GRC and its business benefits here, and with registration the OCEG documents are quite insightful.
A key point within the article is its focus beyond the risk, security, and/or compliance benefits generally listed for GRC. There are numerous benefits to GRC that help improve profitability, lower failure rates within operations, and enhance business communications, among others. The simple reality is that greater clarity and effective automated systems are a strategic advantage in every business.
The article highlights a few specific GRC implementation tips and can be found here at this link. Below are my ‘next’ three tips to consider:
- Do your pre-planning: Just as in a marathon, one does not simply walk to the start line and figure it out along the way. Similarly, organizations seeking to integrate an important technology such as GRC (one that will become ingrained in critical business operations) must consider how things should happen out of the gate. Business leaders and technologists need to identify the specific objectives, parties, and inputs/outputs required. Such specifics ensure targeted project management and prevent scope creep. The secondary benefit of adherence to a plan (and there can be many cycles in which the process is continuously enhanced) is the unambiguous recognition of achieving targeted goals and objectives, an effect that will certainly help maintain the momentum of the project.
- Training and Paperwork: To successfully integrate the technology into your organization it is necessary to know how the work is accomplished today, or how it should be done based on the culture and business objectives. Therefore it is best to first work through the components of the GRC program on paper and in collaborative work sessions before sitting down in front of an administrative console. These work sessions should produce specific ‘paper’ on how such things as permissions, authorization, and core business metrics are to be enabled in the application. The technical specifics of how this will be done should be considered afterward. In most cases this type of program design can occur prior to the selection of any actual vendor product, and can therefore be used as purchasing criteria once the requirements are defined.
- Seek Professional Help: The article highlighted the benefits of leveraging third parties to augment the business staff to successfully launch these programs. It is critical that such third parties be brought on board for this work. In lieu of these specialty teams, a business could hire individuals with deep experience in the technology and specialty. In either case, focus on experience, targeted delivery, and proper teaming with business teams, tech teams, and other service providers.
The Two Reviews of GRC Software Implementations from ComplianceWeek can be found here.
Other best practices / thoughts?
James DeLuccia IV
KPMG put out a list of 10 to-do items for Audit Committees that defines excellent areas that should receive attention given the economic and competitive environments. You can find the press release here. Upon reading it I was struck by possible Information Technology to-do items related to security and risk management, and wanted to share those that struck me.
- IT Strategy should be reset – Nearly all budgets were changed in 2008/9 and required massive shifts from the original 1/2/5 year plans. Enough time has passed since this shift to the immediate short term (made to avoid becoming terminal) to pick our heads up and assess the landscape. Goals should be reviewed, priorities re-evaluated, and teams adjusted to fit the new operating norms. This is not an endorsement to double budgets or blindly return to old plans, but a call to refocus and consider the business and operating realities BEFORE moving into new initiatives.
- What was lost during the cutting? – As organizations went through mergers and shrank budgets, certain information safeguards were impacted, whether by staff reductions or by lapses in the maintenance of systems. An inventory of the technology and process canvas is necessary to see what assets exist within the organization. Assets means not only hardware, but software, processes, and the people that form the glue!
- Consider the Risk Landscape – As the business evolved and adjusted to the challenges of the past 2 years, many changes occurred to the operations and the structure of the business. These may include divestitures, consolidations, new partnerships, outsourcing, cloud computing, and other strategic cost-saving strategies. The end result is the creation of new logical relationships and inter-dependencies that require consideration. An enterprise risk analysis can uncover these newly formed risks and ensure they are addressed with the appropriate and necessary safeguards.
- Duck and Cover – An unfortunate consequence of a challenging year (or two) for companies is the natural response of team members to literally put their heads down and avoid making sudden moves that may draw attention. This directly harms the business: a loss of innovation, good will, and the full engagement of each associate. Leaders can address this by communicating the state of the business and taking demonstrable actions that solidify the message.
The most important aspect for IT strategy and business is to re-center, focus on the people, and push/pull/drag the organization to a stronger more secure future.
James DeLuccia IV
Back in Atlanta after a week in San Francisco for RSA’s annual conference on security. This being my first year in attendance I have no comparison from prior years, but have heard that the crowds were a bit lighter than usual. I spent a great deal of time enjoying the sessions, speaking privately with the incredible roster of speakers in the “speakers lounge”, and engaging the vendors in the expo. Overall I would definitely say it was worth the time and expense. Anyone looking at shortlisting their conference list should include RSA next year. Of course, you make your own conference – I actively sought and engaged experts in their areas, and methodically evaluated each solution offered by the vendors. As in any good project, I attended with several objectives and action items, which proved extremely valuable:
- First, I vetted the speakers and the sessions prior to arriving. This is key to determining the type of presenter and their prior experience (i.e. I prefer to avoid “sales” people giving presentations on areas that their product “happens” to address). I prefer to seek out the founders (engineers) of companies who play in a space, in-field practitioners, or those with such a broad range of experience that they can speak on a specific topic.
- Second, I set three objectives for attending – any more and you are stretching yourself too thin and won’t enjoy the experience. Mine for RSA this year were to:
  - Identify and map each vendor solution into a solutions matrix based on architecture and core controls for the top 50 regulations / standards.
  - Seek out practitioners who have successfully established frameworks or governance structures in global corporations.
  - Identify trends from the strategic perspective.
My takeaways from the conference were a disproportionate focus by vendors on DLP, a lack of comfort among practitioners dealing with multiple regulations, and a steady and unexpected level of confusion in addressing PCI.
This year RSA is posting the recordings of the sessions online for post-conference viewing. Other conferences in the past year have made these available to the public, and hopefully RSA will follow suit. In any case, be sure to watch for detailed postings of research and notes from the speakers (if you could not attend or are unable to view the archived recordings), and for personal / company recaps.
Bottom line – I tremendously enjoyed being an invited speaker on a topic that filled the room to capacity and required the organizers to drag us out of the room to continue it in the halls. My post-conference takeaway is that I have not sufficiently communicated my research, and I hope over the coming months I can provide greater value to the industry at large.
There have been recent attacks that threaten the physical integrity of systems but can be mitigated through adherence to PCI DSS and increased vigilance. The recent news stories on Firewire exploits, RAM downloads, full disk encryption weaknesses, and magnetic access card vulnerabilities highlight the need to review the PCI physical and monitoring safeguard requirements that mitigate these risks. There is plenty of technical discussion and proof-of-concept work on these attacks, and it is important that we understand how they threaten our cardholder data and enterprise viability.
Requirement 9 states “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.” (PCI DSS v1.1)
- Section 9.1.1 (video monitoring of sensitive areas) would detect attackers accessing your sensitive servers and the secured workstation areas that contain cardholder data – a good detective control for the Firewire, disk encryption, RAM, and magnetic card reader attacks.
- Section 9.2 (Identification) would contribute to detecting someone bypassing the access control doors if the office was small, or if the identification used color codes that signified which employees have access to which areas. (The need for unique identification per employee access level is that visual access to, and duplication of, one badge is easy, but having the correct type of badge in the right area is more challenging and raises the likelihood of detecting an unwanted guest.)
Requirement 10 states “Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.”
- Sections 10.2.1 and 10.2.4 require us to maintain audit logs of events for all users and on systems that contain sensitive data. This would provide rapid identification of unauthorized attempts arising from the magnetic card attack. Use of triggers would ensure that actions can be taken promptly, complemented by the regular review required under 10.6.
I further investigate this topic of controls and hardware-based attacks at IT Compliance and Controls. In addition I spend a great deal of time analyzing these vectors and the necessity of proper controls under Principle 3, Access and Authorization, starting on page 173 of IT Compliance and Controls – Best Practices for Implementation (my newly released book).
Please feel free to add comments, additional thoughts on controls, and any other approaches by which these safeguards manage the risks to our organizations.
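To make the Requirement 9.2 and 10.2/10.6 points concrete, here is an added example (not from the original post, and not PCI DSS or any vendor's code) of the kind of review that can run over badge-reader audit logs. The log line layout, the badge numbers, the zone names and the badge-to-zone authorization table are all constructed for the example; a real deployment would take the authorization table from the access-control system's configuration. It raises three alert types: a badge the authorization table does not know, a grant in a zone the badge is not authorized for (the "right type of badge in the right area" check from 9.2), and repeated denials at a sensitive zone (the trigger idea from 10.2, feeding the regular review of 10.6).

```python
"""Constructed example: reviewing badge-access audit logs for the PCI DSS
Requirement 9/10 controls discussed above.  The line layout, badge ids,
zone names and authorization table are assumptions for the example."""
import re
from collections import defaultdict

# Constructed badge-reader log lines: ISO timestamp, badge id, zone, result.
SAMPLE_LOG = """\
2008-03-01T08:02:11 badge=1042 zone=LOBBY result=GRANTED
2008-03-01T08:03:40 badge=1042 zone=SERVER_ROOM result=GRANTED
2008-03-01T08:04:02 badge=2210 zone=SERVER_ROOM result=DENIED
2008-03-01T08:04:09 badge=2210 zone=SERVER_ROOM result=DENIED
2008-03-01T08:04:15 badge=2210 zone=SERVER_ROOM result=DENIED
2008-03-01T08:10:00 badge=3305 zone=SERVER_ROOM result=GRANTED
2008-03-01T08:11:30 badge=1042 zone=CARDHOLDER_OPS result=GRANTED
"""

# Assumed badge-to-zone authorizations (the 9.2 "correct badge in the
# right area" idea).  Badge 3305 is deliberately absent: an unknown badge.
AUTHORIZED_ZONES = {
    "1042": {"LOBBY", "SERVER_ROOM"},
    "2210": {"LOBBY"},
}

# Zones that house cardholder data or the systems that process it.
SENSITIVE_ZONES = {"SERVER_ROOM", "CARDHOLDER_OPS"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) badge=(?P<badge>\d+) zone=(?P<zone>\w+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Parse the assumed log layout into a list of event dicts."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines that do not match the assumed layout are skipped
        events.append(m.groupdict())
    return events


def review_events(events, denial_threshold=3):
    """Return (timestamp, badge, zone, reason) alerts for a human's review."""
    alerts = []
    denials = defaultdict(int)
    for e in events:
        badge, zone, result = e["badge"], e["zone"], e["result"]
        allowed = AUTHORIZED_ZONES.get(badge)
        if allowed is None:
            alerts.append((e["ts"], badge, zone, "unknown badge"))
        elif result == "GRANTED" and zone not in allowed:
            # A grant the authorization table cannot explain: a mis-provisioned
            # or copied badge, or tailgating behind a valid one.
            alerts.append((e["ts"], badge, zone, "granted outside authorized zones"))
        if result == "DENIED" and zone in SENSITIVE_ZONES:
            denials[(badge, zone)] += 1
            if denials[(badge, zone)] == denial_threshold:
                alerts.append(
                    (e["ts"], badge, zone, f"{denial_threshold} denials at sensitive zone")
                )
    return alerts


if __name__ == "__main__":
    for alert in review_events(parse_log(SAMPLE_LOG)):
        print(" ".join(alert))
```

Run as a script it prints three alerts for the constructed log: the third denial for badge 2210 at the server room, the unknown badge 3305 being granted entry, and badge 1042 being granted a zone it is not authorized for. The denial threshold is a tunable trigger; what matters for 10.6 is that the alerts land in front of someone who reviews them on a schedule.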
James DeLuccia IV
A client of mine recently updated their rich corporate governance program, and beyond the obvious extensions to include recent state laws (introduced in the last 6 months) governing data usage and some international legislation, there was particular attention to the Federal government's use of the FSG (Federal Sentencing Guidelines). A recent increase in DOJ attention has raised this mandate's requirements above the normal baseline within the organization, and it now carries equal weight with such initiatives as SOX, PCI DSS, and NASD listing requirements.
Two nice sources for the FSG are the full guidelines themselves (of particular interest may be section 8B2.1, “Effective Compliance and Ethics Program”), and a nice text published by Theodore L. Banks and Frederick Z. Banks entitled “Corporate Legal Compliance Handbook”. Here is a link to Google Book Search with some interesting content already highlighted.
As a best practice, always review your responsibilities to stakeholders (whether they be investors, employees, industry watch groups, government agencies, or international treaty conditions) on a regular basis. These periods of review vary depending on the growth and change of your particular industry, but should not exceed an annual inspection. Reviews should focus on the business impacts these mandates impose and the controls established to satisfy each. An executive session should be included in this process to ensure that strategic direction is captured, and that any shifts are embraced by management and all divisions of a company.
Update: Book Release is now March 19th 2008!! Pre-Order Today