Tag Archives: cio

Tactical Issue: How to handle Executive Assistants and #infosec

Problem Statement: How have you seen companies handle executive assistants' access to C-level and VP accounts? Our executives heavily rely on their admins but don't realize the risk when we go to single sign-on.

How does this apply to you?

As organizations grow and expand, access to data becomes more sensitive, and especially when a business is in M&A mode, the sensitivity at the executive level is much higher. Data protection and limitation of access depend on the specific instance.

If an organization, such as the one in the question above, allows (and most do) admins / executive assistants to access senior leadership files, then what do you do?

  1. Trust explicitly: same credentials and access as the executives they represent
  2. Trust per instance: same credentials, but institute specific 'special handling protocols' for items that are too sensitive
  3. No trust: this is unlikely to succeed unless there are no admins, given that the sneaker-net still works, beyond the many other cultural and personnel issues inherent at large here

Solution Concepts:

There are many ways to approach this problem statement, but here are a few responses to each of the options above (I'll reference each bullet number above for simplicity):

  1. Admins/executive assistants go through the same background security vetting as their assigned executives, and the systems themselves have escalated monitoring. Essentially deep background checks, ongoing personnel monitoring, and better system security for the end-user devices.
  2. By far the easiest – special handling protocols for executives would be the initiation of secure platforms, encrypted containers, electronic document handling authenticated to specific systems, even project code names, etc.
  3. These do happen, but definitely require the culture to accept the extreme firewalling (socially) of discussions and work. Not appropriate for many organizations today.
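One way to implement option 2 without sharing the executive's SSO credentials, as an added example that is not part of the original post: the assistant signs in under their own identity, acts through an explicit delegation grant with a sensitivity ceiling, items above that ceiling need a per-item "special handling" approval, and every access is logged against the assistant rather than the executive. All names, tiers and documents below are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Delegation:
    assistant: str            # the assistant's own SSO identity
    executive: str            # the executive they act on behalf of
    max_sensitivity: int      # highest tier readable without per-item approval
    approved_items: set = field(default_factory=set)  # per-item special handling grants

@dataclass
class Item:
    item_id: str
    owner: str
    sensitivity: int          # constructed scale: 0 routine ... 3 M&A / board material

AUDIT_LOG = []                # (actor, acting_as, item_id, allowed, reason)

def check_access(actor, acting_as, item, grants):
    """Decide whether actor may read item on behalf of acting_as; log every attempt."""
    allowed, reason = False, "no delegation from owner to actor"
    if actor == acting_as == item.owner:
        allowed, reason = True, "owner"
    else:
        for g in grants:
            if g.assistant == actor and g.executive == acting_as == item.owner:
                if item.sensitivity <= g.max_sensitivity:
                    allowed, reason = True, "within delegation ceiling"
                elif item.item_id in g.approved_items:
                    allowed, reason = True, "per-item special handling approval"
                else:
                    reason = "above ceiling and no per-item approval"
                break
    # The log records the assistant's identity, not the executive's shared login.
    AUDIT_LOG.append((actor, acting_as, item.item_id, allowed, reason))
    return allowed

# Constructed sample: one executive, one assistant, three documents.
GRANTS = [Delegation("ea.pat", "cfo.sam", max_sensitivity=1, approved_items={"DOC-7"})]
DOCS = {
    "DOC-1": Item("DOC-1", "cfo.sam", 1),   # calendar / travel: routine
    "DOC-7": Item("DOC-7", "cfo.sam", 3),   # M&A memo explicitly released to the assistant
    "DOC-9": Item("DOC-9", "cfo.sam", 3),   # M&A memo not released
}

def demo():
    """Return the assistant's access decision for each sample document."""
    return {d: check_access("ea.pat", "cfo.sam", DOCS[d], GRANTS) for d in DOCS}
```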

Final Thoughts:

I spend most of my time designing, implementing, and operating global security programs for businesses… so this tactical question was fun to receive. Working in the details is where life happens, and is a proof point for many innovations. Smashing together technology, process, and people is an art .. a journey .. and always unique.

Hope this helps.

James

RSA 2014 – 2 themes from Tuesday

A fresh post in a long while ..

So, after writing for clients and my research being all-consuming this past year, I am re-focusing time in my day to share observations and thoughts. Why? Quite simply, I learn more when I write, share, and get feedback than when living in an echo chamber. How will this benefit the world/you? Simple: you will share in the knowledge I gain from sweat and toil and learn through the same iteration cycle as I do. I also will begin focusing my posts on my dedicated portal for such topics and (attempt to) limit my writings here to on-topic. I hope you will continue to join me on the new(er) site and the other media platforms.

Also, I am trying to aim for a high iteration format instead of the long form of old. Meaning, shorter (I hope) posts that are succinct on ideas without the typical pre/post writings that are common in most write-ups. My ask, please share, challenge, and seek to understand my perspective – as I will do for you.

Onward then …

Today is RSA day, and two themes are evident and of most importance based on several large client discussions, analyst discussions, and a few researchers I had the privilege of speaking with today:

  1. Communicating the WHY is of paramount importance today (WHY are we spending security budgets on X assets? WHY are our practices for managing enablement between development, operations, and security out of sync? Etc..)
  2. Passive Resistance (my phrase, but after a day of hearing about NSA, RSA, and crypto architects disowning responsibility for operational deployment, and “enabling” privacy and security, this is where I landed) is the idea of persons and organizations being asked to respond to these threats in a manner that impinges on their capabilities. There are many problems with this stated position, but I shall leave that for another day and your own pondering.

Businesses must address #1 and be extremely cautious with #2, and #2 will be a heavy discussion during my RSA session on Thursday for all that are present. If you are unable to attend, I will as usual post my work and research in note form online. Looking forward to learning and expanding my thinking with you.

Best,

James

Rethinking what security controls you MUST address

In 2008 I wrote a book, partially on the premise of cross-mapping regulations together in a manner that builds a common control framework for enterprises. The genius here was to address all requirements placed upon the business to meet its unique security and regulatory footprint. The more I work with senior leadership of businesses and security professionals, the more I recognize there is a gap: the security professionals push for tighter and richer security safeguards, while the business seeks sales.

Upon reflection I realize that there is a gap in the broader approach and a blind spot that I and others likely have in enterprises, and that is the customer requirements.

Specifically, the cross mapping I proposed is correct but it did not go far enough, and from my analysis nobody goes far enough. Therefore I would propose enterprises and security compliance programs in general consider expanding their programs to include Market requirements.


The mapping would be from customer requirements (such as SEC, IRS, and specific industry best practices) to the security controls of the business itself. This would influence and ultimately increase the security of the service. In addition, sales blockers would be removed and ongoing associated costs with maintaining accounts would equally be reduced.

A common statement / question: What are all the things we need to be compliant with in the world?

Corrected question: What do our clients need to be compliant with when using our services?

(the first question absolutely must be understood and ideally is a known variable, so this corrected question is the evolution of thought and the program itself)

A shift in my thinking over the past year, and one I hope can be further debated and evolved.

Kind regards,

James DeLuccia

Gordian Knot: Perfect Security

An interesting discussion I had the other day raised the point:

What do we need for perfect security?

Defining perfect and security itself is difficult, but let us simply state…

  • Perfect = zero events that cause competitive harm
  • Security = operational integrity of environment

(note this is not restricted to a specific type of system, but directed towards the business concerns as a whole).

Over the dialogue we ranged across the use of standards to establish the governance and security architectures; we delved into the pizza box kitchen, and of course serious amounts of detection / prevention activities. Ultimately though we ended at a higher level of abstraction that is far more important… at least initially.

Perfect Security is defined on what the business will permit to occur. How many breaches, of what severity (physical and in person), and by what individuals is acceptable? Understanding the risk tolerance on activity and operating at that state of operations is far more crucial, as the entire security-compliance program results from this level of acceptance.

Thus, as we enter the New Year, and the security summits / executive committees are coming together … ask:

  • What is our risk tolerance?
  • What is the straw that will be unacceptable to the stakeholders, stockholders, and simply the community as a whole?
  • Define the feeling of the event, detail the services that are being discussed, and equate possible outcomes.

The idea is to not have days of risk threat discussions, but determine the level of acceptance and allow the practitioners and SMEs in the business to execute. Similar to the hierarchy of documents – Strategy should be defined via policy and then allow the competency centers of excellence to do what they love and are paid to do at the business.

Best,

James DeLuccia

CIOs must address the Culture of Trust Gap


Information security practices are influenced by the geography of operations, the culture from that area, and the industry in general. The trust found within a community, as highlighted by Bruce Schneier in Liars & Outliers, allows the wheels of society to move forward. Said wheels also myopically continue, as researched by Steven Pinker. To elaborate briefly on these three points:

  • Geography of Operations – This trust, though, is based in part on proximity. Individuals are more trusting of those within the same community (however you define this, it works out to the same result).
  • Culture from that area – “Trust non-kin is calibrated by the society we live in. If we live in a polite society where trust is generally returned, we’re at ease trusting first. If we live in a violent society…we don’t trust easily and require further evidence…” – Pg 37
  • Industry – Familiarity also engenders trust within an industry, i.e., a doctor working with another doctor automatically introduces a level of confidence and trust in the communication and mutual activities.

Ultimately, Culture is King. It is the culture that defines an organization’s DNA and differentiates it in the market space. The difference one experiences between the Culture of a Google and a Microsoft environment is palpable. Neither is right or wrong, but the Culture is different nonetheless. The challenge is that the Culture MUST change in a world where these principles are violated.

History and biology have proven that when an aggressive culture that doesn’t need to trust as it is the aggressor is introduced into a culture that doesn’t share that culture – the Aggressor always wins. This is highlighted across numerous examples of entire societies being destroyed / absorbed in Guns, Germs, and Steel. A biology example would be the Chinese fish that had invaded the ecosystem in the Great Lakes, and is destroying the current biology.

Ultimately, all systems are connected – regardless of the geography, culture, or industry. Therefore the concepts and methodologies of organizing go to market strategies; deployment of new technology, and simply sustaining competitive operations requires a reframing of the trust model. In essence, the culture of the organization where technology is introduced must be adapted to fit the more aggressive, violent, and hostile landscapes in the world.

Strategically speaking enterprises may operate locally, but must be governed with a global perspective. Such can and must include the geopolitical risks globally, the global value of the intellectual property, and be adaptive to the degrees of risk that is introduced at any given time.

Technologically, the deployed systems must be reviewed to ensure that the trust built into the system controls is configured aggressively. An example – the classic firewall rule strictness and ‘Deny All’ must prevail, yet in some cases I have seen this not to be true. Be mindful of the connectedness of these systems in the global community.
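A concrete check for the ‘Deny All’ point above, added here as an example and not part of the original post: it parses a firewall ruleset in iptables-save text format (the sample is constructed) and reports filter-table chains whose default policy is ACCEPT, plus any rule that accepts all traffic without match criteria.

```python
import re

# Constructed sample in iptables-save format: INPUT and OUTPUT default to ACCEPT,
# and FORWARD has a blanket accept rule that defeats its DROP policy.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s")
RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*?)\s*-j\s+(\S+)\s*$")

def audit_ruleset(text: str) -> list:
    """Return (chain, finding) pairs for the filter table, in ruleset order."""
    findings, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # table header, e.g. *filter
            continue
        if table != "filter":
            continue                  # nat/mangle policies are not packet-filtering decisions
        m = POLICY_RE.match(line)
        if m and m.group(2) == "ACCEPT":
            findings.append((m.group(1), "default policy is ACCEPT, not DROP"))
            continue
        m = RULE_RE.match(line)
        if m and m.group(3) == "ACCEPT" and not m.group(2):
            findings.append((m.group(1), "blanket '-j ACCEPT' with no match criteria"))
    return findings
```

On a live host the same function can be fed the output of `iptables-save` read from a file.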

The impact of culture on an organization’s decision to survive competitively starts with trust – in the systems, the people, the process, and the market.

Thoughts?

James DeLuccia

Industrial Control Systems – the new security frontier, a call for Org change


A quote I saw recently stated that SCADA, and basically any system controlling physical machines, is the new attack surface. It struck me as both obvious and non-obvious upon reflection. The security of these systems tends to sit with Facilities and not within the scope of concern of most CISOs, and certainly not the CIO. That is, unless the organization is structured so that such operating roles sit under the General Legal Counsel or the COO. The structure of the organization as it relates to operational integrity, competitiveness, and ultimately compliance – security depends upon the organizational structures being adapted to the technology age. Too often we forget the value of organizational strategy shifts, and this is one that will be necessary and will provide valuable returns.

How can this trickle into the tactical operations of the business?

Consider this single example:

  • What controls do you have on checking the version of the HVAC units (software version) powering your data center and or corporate offices?
  • Is there a security control in place to have it, to be sure it can handle the load, and to test that it works? I imagine yes to all three, as these are the ABCs of operations.

However ….

  • What is the version of the HVAC PLC / SCADA element that is being utilized by the vendor and monitoring teams that is accessible remotely?
  • When audits occur, do they check to be sure the device isn’t the Siemens or other manufacturer that was just highlighted at Defcon or on the news?
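The two audit questions above, turned into a check, as an added example that is not part of the original post: a constructed inventory of HVAC controllers is compared against a constructed vendor-advisory baseline, and remotely accessible units running firmware below the minimum are flagged first. Vendor names, models, versions and the advisory entries are all placeholders, not real products or real vulnerabilities.

```python
def parse_version(v: str) -> tuple:
    """'2.10.3' -> (2, 10, 3), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))

# Constructed inventory: what the facilities team and monitoring vendor have deployed.
INVENTORY = [
    {"asset": "DC1-HVAC-PLC-01", "vendor": "ExampleVendor", "model": "PLC-X",
     "firmware": "2.9.1", "remote_access": True},
    {"asset": "DC1-HVAC-PLC-02", "vendor": "ExampleVendor", "model": "PLC-X",
     "firmware": "2.10.0", "remote_access": True},
    {"asset": "HQ-HVAC-PLC-01", "vendor": "ExampleVendor", "model": "PLC-X",
     "firmware": "2.9.1", "remote_access": False},
    {"asset": "HQ-HVAC-PLC-02", "vendor": "OtherVendor", "model": "CTRL-7",
     "firmware": "1.4", "remote_access": True},
]

# Constructed advisory baseline: (vendor, model) -> minimum acceptable firmware.
ADVISORY_MIN_FIRMWARE = {("ExampleVendor", "PLC-X"): "2.10.0"}

def audit_inventory(inventory, advisories) -> list:
    """Return (asset, finding) pairs; devices with no finding are omitted."""
    findings = []
    for dev in inventory:
        minimum = advisories.get((dev["vendor"], dev["model"]))
        below = minimum is not None and parse_version(dev["firmware"]) < parse_version(minimum)
        if below and dev["remote_access"]:
            findings.append((dev["asset"], f"remote-accessible and below advisory minimum {minimum}"))
        elif below:
            findings.append((dev["asset"], f"below advisory minimum {minimum} (local access only)"))
        elif dev["remote_access"] and minimum is None:
            # Reachable from outside but nobody has established a baseline for it yet.
            findings.append((dev["asset"], "remote-accessible with no advisory baseline on file"))
    return findings
```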

If this is the new frontier, we need to start structuring organizations in a manner that are designed to care for these considerations to allow for business to be agile and competitive.

Thoughts (a bit of latitude on the above terminology is requested, given I am simplifying the example to avoid too much technical specification and confusion)?

James

If the CIO / CISO knew they were going to be attacked, could they repel attackers?


Over the holiday I have been diving into different government information security and cyber scenario studies and research. An article (pdf) speaking to the NATO pursuit of an early detection system is interesting in and of itself. The analogy is to that of nuclear launch early detection, sufficient to allow leaders to make responsive decisions.

The concept, though, I wonder is flawed. A detective response for cyber war has an extremely short (milliseconds) lead time, and does not leave much room for human response capabilities.

The NATO and military stop gap here is to monitor geopolitical activity to provide a barometer of when strikes will be likely – and unlikely.

Two critical points that every CIO and CISO must consider, and is emerging at some of my most impressive and advanced clients:

  • Establish an adaptive security defense model (year over year we have been tactically responding, but there are more strategic elements that must be transparent)
  • “Warnings are not just sounding alarms of a likely or inbound (anonymous or others) attack, but the converse is equally important – having confidence to tell them that for the time being significant attacks are not likely and they should turn their attention [ / funding] to more pressing matters.”

An interesting question I would pose:

  • If you KNEW you were going to be targeted, what actions would you take differently today?
  • Would you deploy technology differently?
  • Would the two years of projects get reshuffled?
  • What if you had two years' warning to make preparations; would your vector of response differ?

We are entering an interesting time where business, operational competitive security strategy, and tactical activities are necessary to maintaining sustainable businesses. The executive must balance this with tact and great care. Combined with the awesome new technologies and mobile spaces, a whole new field of competitive business advantage awaits the prepared and willing.

James DeLuccia