While not a complicated or strategic topic that I would normally highlight, this one bit of news is from my home airport and personally meaningful.
Basically the report shows that 1,600 badges were lost or stolen in a 2 year period. This seems like a big number (2.6%), but badge possession is a control that should have (and the broadcast did not highlight) secondary supportive controls, such as:
- Key card access review logs to prevent duplicate entries (i.e., same person cannot badge in 2x)
- Analytics on badge entries against the work shifts of the person assigned
- Access to areas not zoned for that worker
- Termination of employees who do not report a lost or missing badge within 12 hours
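The first three secondary controls above are detections that can be run directly over badge reader logs. The following is an added example (not code from the article or the airport) that applies them to a handful of constructed badge events: anti-passback (a second entry to a zone with no exit in between), use outside the holder's assigned shift, use in a zone the holder is not assigned to, and use of a badge after it has been reported lost. Badge ids, zone names, shifts and timestamps are all constructed for the example.

```python
from datetime import datetime, time
from collections import defaultdict

# Constructed badge holders (hypothetical): assigned zones and a shift window in local time.
HOLDERS = {
    "B1001": {"name": "worker-a", "zones": {"ramp", "baggage"}, "shift": (time(6, 0), time(14, 0))},
    "B1002": {"name": "worker-b", "zones": {"terminal"}, "shift": (time(14, 0), time(22, 0))},
    "B1003": {"name": "worker-c", "zones": {"ramp"}, "shift": (time(22, 0), time(6, 0))},  # overnight
}

# Badges reported lost or stolen: badge -> time of the report (constructed).
# A reported badge should be deactivated, so any later use is an alert.
LOST_REPORTS = {"B1003": datetime(2015, 3, 2, 9, 30)}

# Constructed badge reader events: (timestamp, badge, zone, direction).
EVENTS = [
    (datetime(2015, 3, 2, 6, 5), "B1001", "ramp", "in"),
    (datetime(2015, 3, 2, 6, 7), "B1001", "ramp", "in"),        # second entry, no exit in between
    (datetime(2015, 3, 2, 11, 0), "B1001", "ramp", "out"),
    (datetime(2015, 3, 2, 3, 15), "B1002", "terminal", "in"),   # outside the 14:00-22:00 shift
    (datetime(2015, 3, 2, 15, 0), "B1002", "cargo", "in"),      # zone not assigned to this holder
    (datetime(2015, 3, 1, 23, 0), "B1003", "ramp", "in"),       # overnight shift, legitimate
    (datetime(2015, 3, 2, 5, 45), "B1003", "ramp", "out"),
    (datetime(2015, 3, 2, 12, 0), "B1003", "ramp", "in"),       # after the lost report was filed
]


def in_shift(t, shift):
    """True if clock time t falls inside the shift window; handles windows that wrap midnight."""
    start, end = shift
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def analyze(events, holders, lost_reports):
    """Return a list of (alert_type, badge, timestamp, zone) tuples for the given events."""
    alerts = []
    inside = defaultdict(set)  # badge -> zones the badge is currently recorded inside
    for ts, badge, zone, direction in sorted(events):
        holder = holders.get(badge)
        if holder is None:
            alerts.append(("UNKNOWN_BADGE", badge, ts, zone))
            continue
        lost_at = lost_reports.get(badge)
        if lost_at is not None and ts >= lost_at:
            alerts.append(("USE_AFTER_LOST_REPORT", badge, ts, zone))
        if zone not in holder["zones"]:
            alerts.append(("ZONE_VIOLATION", badge, ts, zone))
        if not in_shift(ts.time(), holder["shift"]):
            alerts.append(("OFF_SHIFT", badge, ts, zone))
        if direction == "in":
            # Anti-passback: the same badge cannot enter a zone it never left.
            if zone in inside[badge]:
                alerts.append(("ANTI_PASSBACK", badge, ts, zone))
            inside[badge].add(zone)
        else:
            inside[badge].discard(zone)
    return alerts


def summarize(alerts):
    """Count alerts by type, the view a reviewer would look at first."""
    counts = defaultdict(int)
    for alert_type, *_ in alerts:
        counts[alert_type] += 1
    return dict(counts)


if __name__ == "__main__":
    found = analyze(EVENTS, HOLDERS, LOST_REPORTS)
    for alert_type, badge, ts, zone in found:
        print(f"{ts:%Y-%m-%d %H:%M} {alert_type:22} {badge} {zone}")
    print(summarize(found))
```

The anti-passback check is only as good as the exit readers: if a zone has no "out" reader, the `inside` state never clears and every re-entry would fire, so in practice that rule is applied per zone pair that has readers in both directions. The shift check uses the holder's scheduled window rather than a fixed day, which is why the overnight shift needs the wrap-around branch in `in_shift`.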
The safeguards highlighted in the broadcast are good, but are easily defeated to the point of having no value. They include:
- Pin (can be easily observed due to tones and no covering)
- Picture (every movie ever shows how easy this is done)
- An old badge could be re-programmed to duplicate one with a higher ranking or a different security zone
The bottom line is that organizations, especially those tasked with the safety of human life, must have both the primary and the secondary controls in place. Hopefully the remarks about a minor risk are based on security assessments that include the considerations above (and perhaps more).
Hundreds of ID badges that let airport workers roam the nation’s busiest hub have been stolen or lost in the last two years, an NBC News investigation has found.
While experts say the missing tags are a source of concern because they could fall into the wrong hands, officials at Hartsfield-Jackson Atlanta International Airport insist they don’t pose “a significant security threat.”
via Hundreds of Security Badges Missing From Atlanta Airport – NBC News.com.
Also thanks to the new news aggregator (competitor to AllTops) Inside on Security for the clean new interface.
Posted in audit, Compliance, Risk Management
Tagged 2015, airport security, atl, cio, ciso, cyber, domestic, hartsfield, infosec, inside, james deluccia, jdeluccia, nbc, news, strategy, TSA
TOP-SECRET GCHQ documents reveal that the intelligence agencies accessed the email and Facebook accounts of engineers and other employees of major telecom corporations and SIM card manufacturers in an effort to secretly obtain information that could give them access to millions of encryption keys.
-The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle.
This news made a number of people upset, but after studying it for several weeks and trying to consider the macro effects to regular end users and corporations I have reached a contrarian point in my analysis.
Who cared? Nobody (enough)
Sure, the implications are published and known, but who ever considered their cell phone an encrypted and secure mobile device? I don’t think any consumer ever had that feeling, and most professionals who WANT security in their communications use special precautions – such as the Black Phone.
So, if nobody expected it or demanded it, and the feature was primarily used to support billing, then what SHOULD happen moving forward?
- The primary lesson here is that our assumptions must be revisited, challenged, valued, and addressed at the base level of service providers
- Second, businesses that depend on such safeguards (if they ever did, for instance on encrypted mobile device communication) must pay for them
I would be interested in others’ points of view on the lessons going forward. I have spent a good deal of time coordinating with leaders in this space and believe we can make a difference if we drop the assumptions and hopes, and focus on actually effective activities.
Helpful links on the Black Phone by SGP:
Blackphone was created by the best minds in cryptology, security and mobile technology.
The Blackphone is a smartphone developed by SGP Technologies
Posted in Compliance
Tagged chief strategy officer, cio, ciso, cyber, innovaiton, james deluccia, jdeluccia, nsa, privacy, Security, sim heist, strategy, technology
Longues Sur Mer
At this location on the coast of Normandy you can see the immense naval guns set up to attack oncoming ships in World War II. The Germans expended resources and relied heavily on these guns in their defensive strategy. Unfortunately for the Germans, the treatment of the workers and locals, the sheer lack of natural intelligence, and the exposure that came with building such vast emplacements were their downfall.
The Allies often received intelligence on the exact positions of German construction. This was provided by those building and living in the area. Specifically, a local farm boy who was blind counted each step precisely and then supplied the locations through the French resistance and Allied intelligence networks.
The result was a gap in the German defensive strategy, a waste of resources, and ultimately, a failure to defend the coast.
Business Reflections: Innovating and Penetrating the market…
- How are you establishing a product development strategy and running your business as a whole?
- Are there defensible attributes that you deem critical, and how can they be routed?
Practical example: In the information security and intellectual property sector, there are very real threats, and running a secure business requires constantly new methods of defense. How have you reevaluated these based on the internal shifts of your business and the known threats in the market itself? How did this analysis compare to prior years, and how has the effectiveness of your defenses been proven?
From a product innovation perspective – are you developing features from the highest and lowest levels? What high impact:low development efforts are underway, and what could be added? Product and innovation require views on the long and short run – too often we create complexity because we are able to handle complexity, when sometimes the user really only needs something less complex.
Leadership requires action:
Simply acknowledging the risks and accepting the situation does not prevent disastrous outcomes.
What is Battlefield Leadership and what is this series about …
As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across the multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs, specifically in the online services / cloud leader space). Personally, I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate with very smart business leaders and with the common person on the street. My new book – How Not to be hacked – seeks to be a first step in bringing deep information security practices beyond the technologist.
Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share them to continue the conversation with the great individuals I met, and with the larger community.
Posted in Boards, Business Agility, Governance, Management
Tagged allies, battlefield leadership, cloud practices, cloud strategy, customers, D-Day, france, innovation, insight, leadership, Management, normandy, outcomes, risks, Security, strategy
Over the holiday I have been diving into different government information security and cyber scenario studies and research. An article (pdf) speaking to the NATO pursuit of an early detection system is interesting in and of itself. The analogy is to nuclear launch early detection, sufficient to allow leaders to make responsive decisions.
I wonder, though, whether the concept is flawed. A detective response for cyber war has an extremely short (milliseconds) lead time, which does not leave much room for human response capabilities.
The NATO and military stop gap here is to monitor geopolitical activity to provide a barometer of when strikes will be likely – and unlikely.
Two critical points that every CIO and CISO must consider, and that are emerging at some of my most impressive and advanced clients:
- Establish an adaptive security defense model (year over year we have been responding tactically, but there are more strategic elements that must be transparent)
- “Warnings are not just sounding alarms of a likely or inbound (anonymous or others) attack, but the converse is equally important – having confidence to tell them that for the time being significant attacks are not likely and they should turn their attention [ / funding] to more pressing matters.”
An interesting question I would pose:
- If you KNEW you were going to be targeted, what would you do differently today?
- Would you deploy technology differently?
- Would the 2 years of projects get reshuffled?
- What if you had 2 years warning to make preparations, would your vector of response differ?
We are entering an interesting time where business, operational competitive security strategy, and tactical activities are necessary to maintain sustainable businesses. The executive must balance this with tact and great care. Combined with the awesome new technologies and mobile spaces, a whole new field of competitive business advantage awaits the prepared and willing.
Posted in Compliance
Tagged 2012, best practices, cio, ciso, Compliance, cybersecurity, executive, it compliance and controls, IT Controls, james deluccia, jdeluccia, mckinsey, Security, strategy
A recent article on Bank Systems and Technology highlights a very difficult and often misunderstood need and method of aligning technology projects to core business requirements. The author is a thought leader in the space and provides great information to consider. There are specific enhancements I would make to their approach.
A common mistake in the technology world is to engineer for engineering’s sake. This follows from the idea that if we add more features and increase the throughput, surely the business will be enamored by the results and grateful for the effort undertaken (whether we are buying a product or have developed it internally). This is fundamentally the cause of the discrepancies that result. Technology does not need to simply extend itself, but should evolve to meet new challenges – i.e., the same appliance configured and deployed in the same manner may no longer be appropriate.
Considering this discrepancy in thought, I would suggest an alternate project prioritization checklist for business and technologists:
- Technologists and Lines of Business owners should collaborate on the near term challenges of the business -> i.e., identify the problems holding back the business
- Based on this business problem list, identify the possible solutions – considering existing technology and alternate deployments
- Identify the low hanging fruit – i.e., sort the technology solutions by cost/effort against the business problems they address, and tackle the quickest returns first.
- Projects should show returns in weeks, not months
- Projects should be accountable to the Line of Business Owner, and it should be reflected in their P&L
- Repeat steps 3 – 6, and every couple of months restart at the beginning – especially as the business environment and operating environments change (As the business changes, so must the technology contributing to operations).
Thank you to Deb Smallwood and Karen Furtado of SMA for contributing the article that inspired my own process.
James DeLuccia IV