Ahyoung An

Brielle Nikaido, Community Manager, Focus

Sharon M. Shaw, CFE, Director Tampa Bay Chapter, ACFE 

The rapid growth and adoption of cloud computing leads to sometimes confusing situations where security remains an afterthought.

At a time when everyone is expected to do more with less, the difference between success and failure hinges upon the ability to communicate effectively. In fact, many people now realize the ability to communicate the value of security, and of their efforts, is the difference between career success and failure.

I recently considered how to cut through the confusion surrounding “cloud security” to successfully communicate the value of our efforts and shared some insights during the BrightTalk cloud security summit. Special thanks to Trend Micro, Symantec, Dave Shackleford and Lori MacVittie for sharing time, research and experience with me.

Blending their insights and experiences with my studies and models of how to effectively communicate value resulted in some interesting findings, including the need to translate our security experiences into the cloud is as (maybe more) important than selecting the right examples. The result is a 45-minute briefing, shared below.

Check out the recording here:

I work to help harness the human side of security; without a doubt, the challenges we face in our journey to the cloud is less technical and more dependent on our ability to successfully communicate with each other, with decision makers and with our colleagues who use the solutions we design, deploy and maintain.

This presentation is only the beginning.

I continue to research, test and help industry, enterprise and individuals to improve how we distill and and effectively communicate the value of security.

How can I help you?

Reach out with comments, questions and suggestions or share your communication challenges with me and we can explore how to solve them together.

It’s something I’ve looked for; the challenge is finding a way to review, distill and curate the best information from a myriad of topics and fantastic conversations. In order to fulfill my passion and purpose to help others harness the human side of security, I devote time each day to consume and process a lot of information.

A few months ago, I started thinking about how to best curate — distill down to the essentials – and share that information with clients, colleagues and friends. More than a simple list of “things I’ve read,” the purpose is to provide some light analysis and ensure the information can be more easily consumed, shared and discussed.

I think I found a format where I can share value and benefit your efforts. I invite you to subscribe to the Curated Catalyst Newsletter and help shape the experience by engaging in the conversation.

Each week, I’ll select and share highlights from articles and resources likely to be of interest to those working to harness the human side of security with a focus on communication, awareness, leadership and the multitude of fields that inform these areas. 

The underlying goal is conversations that count about the insights and ideas that shape our experience. By the way, part of the invitation to engage includes the desire for you to send me ideas, questions and resources of interest, too. I’m the curator of the newsletter, but it’s a larger effort.

While I experiment with the actual format and process (technical and procedural) over the next few weeks, I’m focused on putting forth a weekly summary expected to take 5-10 minutes to scan. More, each should have the analysis/context included to help guide focus and serve as a pre-formatted cut and paste to share with others (individual stories and thoughts).

Sign up for the Curated Catalyst by clicking on this link. Note: your information will not be sold, spammed or treated any differently than I expect my information to be treated. 

More information about the format, schedule and audience is included here: http://www.securitycatalyst.com/blog/curated-catalyst-newsletter/

I look forward to working together and learning from each other!

During the roundtable in July, we defined “security awareness” (recording at link) – an individual’s realization of the consequences of their actions with the ability to assess intention and impact.

So does emphasizing security awareness for a day/week/month make a difference?

Join us on Wednesday, September 21, 2011 at 11am Pacific, 2pm Eastern to find out which members of our panel don’t see the value (and why).

http://www.focus.com/roundtables/security-awareness-roundtable-security-awareness-month-trans/

Then stick around to find out why I now have a different opinion: I see this as an opportunity to turn a lackluster event into a transformed security awareness program.

Join our roundtable and engage with us to find out how to:

• Get buy-in for an event
• Structure an event to solve a single problem (and some suggestions on the problems to solve)
• Set the stage for and define success: why this isn’t a diet, but a lifestyle change
• Determine what elements to include, what elements to skip
• Measure the results to build an effective business case

Get engaged with security awareness

Each month I’ll invite select experts with hands-on experience with security awareness to the roundtable for our discussion. Designed to be more interactive than podcasting, here are some ways to get involved:

• Ask questions in advance
• Participate during the process on the event page or using twitter
• Make comments
• Follow-up with questions and comments after

The current accepted approaches to security awareness mask the real challenge; without understanding and addressing this paradox, the so-called awareness efforts increase risk (instead of decreasing risk).

Building on the last roundtable that defined security awareness, in this episode Steve Ellis and Chris Carpinello join me to explain and explore the real challenge underlying security and security awareness: the “human paradox gap” (HPG).

During this roundtable, I explain the “Human Paradox Gap” and the panel explores the role and impact it plays in their ability to be effective.

Listen to our recording to learn:

• The human paradox gap (HPG)
• How HPG impacts security and security awareness
• Why the gap has to be bridged in order to gain effectiveness

We also answered a question from Bert K:“How do you engage people who just want it to work so they can do their job and go home?”

The audio of the roundtable is now available for download and enjoyment.

We incorporated more stories, examples and considerations – and there is more to come.

I’ll be expanding on key concepts in this blog, my CSO column, and offering some additional resources to help the establishment of effective security awareness programs.

Check out the event page to see what others contributed, ask questions and offer your thoughts (I keep tabs on all questions, comments and contributions for future roundtables): http://www.focus.com/roundtables/security-awareness-roundtable-understanding-real-challenge/

In the meantime, while or after listening to the roundtable:

• Engage with me on twitter to talk about security awareness, effective communication of security or whatever is on your mind
• Send me email or submit questions for this or an upcoming roundtable
• Check out and participate in the security awareness section growing on Focus.com by clicking on http://www.focus.com/topic/security-awareness/

Please mark your calendars to join us for our September Security Awareness Roundtable – September 21, 11am Pacific, 2pm Eastern. Our panel is going to explore how to make the investment in security awareness – including how much is enough and how to make the case to get the funding.

 

The audio of the roundtable is now available for download and enjoyment.

Joined by Justin Bovee and Steve Ellis, we presented the definition of security awareness, explored how it sets the stage for success and offered insights into using the definition to build an effective program.

We also talked about how this definition makes it possible to turn what is often considered a cost into an investment – while satisfying compliance issues and a sometimes sour attitude toward “security awareness training.” We’ll go deeper on that topic in August.

We covered a lot of ground in a short period.

I’ll be expanding on key concepts in this blog, my CSO column, and offering some additional resources to help the establishment of effective security awareness programs.

Check out the event page to see what others contributed, ask questions and offer your thoughts (I keep tabs on all questions, comments and contributions for future roundtables): http://www.focus.com/roundtables/security-awareness-roundtable-defining-security-awareness/

In the meantime, while or after listening to the roundtable:

• Engage with me on twitter to talk about security awareness, effective communication of security or whatever is on your mind
• Send me email or submit questions for this or an upcoming roundtable
• Check out and participate in the security awareness section growing on Focus.com by clicking on http://www.focus.com/topic/security-awareness/

On August 24^th, join us for our second Security Awareness Roundtable and learn how to invest in security awareness, how to get budget and how much it should cost.

The first roundtable addresses a basic challenge: what is security awareness? 

When the concept of security awareness is tossed about without a clear understanding or vision, the results are mixed. The first step to build an effective program is to have the right definition of security awareness.

Join us to explore:

• The definition of security awareness
• How defining security awareness sets the stage for a successful program
• Why the right definition of security awareness moves the program from cost to investment

Check out the details and register here: http://www.focus.com/roundtables/security-awareness-roundtable-defining-security-awareness/

There is no charge to listen in and participate live, and if the time doesn’t work, an on-demand recording will be made available.

Get engaged with security awareness

Each month I’ll invite select experts with hands-on experience with security awareness to the roundtable for our discussion. Designed to be more interactive than podcasting, here are some ways to get involved:

• Ask questions in advance
• Participate during the process on the event page or using twitter
• Make comments
• Follow-up with questions and comments after

No one likes to be a user. Worse, no one wants to be a loser.

Maybe it goes back to the catchy tuned belted out by McGruff the crime dog when he sang, “Users are losers, and losers are users…”

Just last week, a friend pointed out to me that only drugs and IT have “users.”

The roots of calling people “users” are likely harmless and simple: when computers were new, expensive and in limited supply, only a handful of people actually used the system. As a result, it probably made sense to consider those folks as computer users, eventually shortened to “users.”

Today the situation is different.

Somehow this notion of “users are losers” (sometimes written as lusers) transcended drugs and became part of technology. When technology and security practitioners refer to people as users, I feel like singing some McGruff.

And I would sing, except McGruff was wrong: users aren’t losers.

We need to break this bad habit immediately to advance our practice of security and influence how people protect information.

Why the label of users creates a distance that makes it harder to practice security

The word “user” is a label that instantly strips a person of their identity and objectifies them in a way that creates distance and ultimately prevents us from serving their needs.

Distancing ourselves through language and labels is an unintended protection mechanism (I wrote about this in a 2007 column claimingIt’s time to reboot the security industry that reinforces our knowledge, experience and power while shielding us from the knowledge, power and experience of the individuals we work with.

When working with people, distance is a problem. It creates friction and generates resistance that sometimes results in an adversarial state where everything becomes more complex — and expensive.

Security technology and is not enough: we ultimately need individuals to make better decisions. Instead of creating distance, we need to get closer to people and partner with them to guide actions that bridge the Human Paradox Gap.

Introduced in Into the Breach, the human paradox is the unintentional disconnect created between individuals and the consequences of their actions. Because of the gap between actions and consequences, people do not take responsibility and we are powerless to hold them accountable. I explore this a bit further in: Why people are not the problem and where to look.

Our success depends on our ability to get closer to people, to work together to bridge the human paradox gap, to partner on how we protect information.

Dropping the label (protection) of user allows us to build the relationships we need to be successful.

If not users, then what?

We work with and serve people.

As a starting point, make a conscious effort to substitute people or individual(s) in place of the term “user.” In some cases, citing employees, contractors, colleagues or the like might be appropriate.

When possible, use direct names or descriptions of real people.

It is important to remember and keep focused on the point that we serve people, not users.

Change the words to change the perspective

By removing the abstraction of “users” and focusing on the people we serve we necessarily change our perspective.

It is a simple, yet powerful shift.

In turn, it changes our demeanor and approach.

For example, with my clients, our meetings reference real people, actual examples and explore the potential consequences (positive, neutral and negative) of our decisions. We invite non-security people to the meetings. And in some cases, we actually conduct interviews of individuals to better learn how they do their jobs.

McGruff sang a catchy tune. But when we realize our users are people, nobody has to lose. In fact, we can all work together to bridge the human paradox gap and make our jobs just a little bit easier.

When papers like this are released, most of the announcements focus on some quotes, perhaps a general impression and link. After my briefing, I took something else away – and I wanted to share.

Below, I break down my notes in terms of security awareness, security leadership, effectively communicating the value of security and a few thoughts on how a paper like this advances a security career.

The basic concern is clear: smart phones are gaining market share; increased reliance means they are loaded with personal and corporate information. Considering the continued growth of mobile computing, attackers are going to “follow the money” by turning their attention to mobile malware in search of easier, more profitable targets.

The challenge is determining where mobile device security fits into an already crowded and ever-expanding threat landscape.

How big is the risk; how fast do we need to move?

To put it into context, consider the magnitude of the risk: according to the Symantec Internet Security Threat Report there were 163 documented vulnerabilities in mobile device operating systems in 2010, compared to 115 in 2009. The growth demonstrates the rising attention of attackers.

Overall however, Symantec documented 6,253 software vulnerabilities in 2010 (additional context can be found in the most recent ISTR starting on page 15).

The impact of mobile malware on the enterprise is rising; while immediate action may not be warranted, there are some actions to take today to prepare for the future with less friction.

[pullquote]The impact of mobile malware on the enterprise is rising; while immediate action may not be warranted, there are some actions to take today to prepare for the future with less friction.[/pullquote]

Security Awareness

At this point in the year, the security awareness programming plan should be in operation – and no immediate changes are required at this time. The topic, however, does present itself as a good secondary or opportunistic topic – especially if people are starting to ask about it.

To get started, redefine the concept of mobile telephones: they do more than dial numbers these days. Ask questions about the type of information people store. A simple question gets this dialogue started, “what’s on your device?” Follow up with, “what happens if your phone is lost or stolen?”

Asking, “What happens if a rogue application gets installed on your device?” prompts a more advance discussion. The challenge to this level of security awareness discussion is preparing to talk about how this happens without accusing the individual/audience of being stupid.

Start the dialogue this year, if it makes sense, as an opportunity to learn the challenges people are facing and the language they use. This becomes valuable input for next years programming plan (where it still might not be a prime topic).

Security leadership considerations

Like it or not, mobile devices are connected to the enterprise. The growth of mobile computing coupled with the growth of “the cloud” means personal and corporate information is necessarily stored on the smart phones — approved or not.

Reconsider how devices are treated and then review current security policies, standards and procedures to understand how information is protected. Ask questions and consider how the policies address lost or stolen phones and mobile devices. The user experience matters.

Aside: I’ve tested “remote wipe” with clients before. Despite their assurances it would work perfectly, in each case, I was able to turn off the radio transmitter before the wipe and enjoy full access to the information stored conveniently on the memory card inside the phone. Lesson learned: check the policy, and then test to see if it matches reality.

Making the time now — before this becomes a hurried rush that never leads to good decisions — means the opportunity to consider changing functional and technical requirements.

Given the current average time to change policies and procure new technology solutions, this little bit of a “head start” might make the difference between future success and continued on-going struggle.

In short: do the work now, reap the benefit later.

Effectively communicating the value of mobile device security

As security leadership reviews and makes decisions, consider how to effectively communicate and incorporate the changes to the various audiences in the best possible way (hint: email may not work for everyone).

The key to effective user experience is striking the blend between connecting people to the consequences of their actions — restoring their ability to take responsibility — while providing a technical and procedural backstop that helps make it easier for people to do their jobs.

How this helps advance a security career

We’re in a profession where we need to know something about everything (aside: I believe the path to success, however, requires finding a niche and getting good – in addition to knowing a bit about everything).

Mobile device security and cloud computing are both on the rise. Investing time now to amass and understand facts, figures and the ability to explain the importance of these details to different audiences is important.

Breaking down the salient concepts of mobile device security to be able to teach these basic concepts to others in meaningful and appropriate ways is a way to advance a security career.

Your Turn

What do you think? How are you handling the rise of mobile malware, and the continued integration between mobile and cloud computing?

Share your challenges, and if my perspectives on this paper benefit your efforts (or what you’d like to have seen more of).

Can advice from a movie actually benefit a security career?

Short answer: yes, yes it can. In fact, I applied this advice to my own career long before the movie was ever made.

Building on what I shared in the column, here are two examples of how this advice worked for me, with some insights on how it could work for you, too.

Applying it the first time: Bartending for the win

The first time I really applied this advice was while working as a server at a Ground Round restaurant while home from college on summer break. My role was to provide an exceptional dining experience — the better I did, the better my tips (on average).

As a hungry college student, I picked up as many shifts as I could. Somehow, it dawned on me that the more I knew about the restaurant, the better service I could provide, the more money I could make.

I set out to learn as much as I could.

I volunteered to learn how to host (greet and seat), prep cook, line cook and wash dishes. In turn, I taught others how to take orders, present food and the like. The more I contributed to the restaurant, the more opportunity I got.

And I was right: the more I knew about how to seat people (and set the experience), prepare the food, wash the dishes and handle the entire experience, the more I communicated effectively with everyone around me.

The best part came on what felt like a daring offer: I walked into the general managers office with what I considered a great deal: I would work shifts “off the clock” in return for being taught and certified as a bartender.  In the end, he accepted and my training – which also including training on ordering for the restaurant – began.

For the rest of the summer, I worked pretty much around the clock – waiting tables, pitching in wherever needed and got certified as a bartender before heading back to school.

When I returned to school in August, I happened to meet the owners of Johnny’s – a local bar (and one-time staple in Ithaca; it’s not there anymore). I explained that I had just been certified in bar tending — including setup, ordering, pricing, etc – and asked if they needed a hand. After explaining why they didn’t need help, they asked for my telephone number, “just in case.”

I got a call a week later – they needed help. It turned out they bought the bar without a shred of bar tending experience. My efforts to learn all aspects of the restaurant and bar business turned into a job as the head bartender, with the opportunity to teach what I knew as we worked together to setup, open and run a successful bar.

How this helps you: learning the job of others in security careers is important; but sometimes, it’s the other jobs in the organization that hold the most promise. Learning how others do their jobs — and perhaps getting an opportunity to teach them yours — is a powerful way to build bridges, improve communication and set the stage for a successful career in security.

Source code version control launched my career in information security

After graduating college (and one more brief stint in the restaurants), I landed a job working for Andersen Consulting (now Accenture) on a large software development project. My initial role was manual source code version control: developers would email me requests for code and submit code changes to me. Prior to automated tools, this was a bit of an “interesting” position.

After documenting the process – initially so I had a personal checklist to work from – I started to make improvements in speed and quality. I improved the documentation and started to teach the process to others. While I didn’t necessarily enjoy the role, turns out someone I taught LOVED it. At the same time, I lived locally, and offered to come in early, stay late and work weekends to cover others and help out. I was always learning new roles — to the point where I could backup any member of the team.

It didn’t take long before one of the people I trained was in charge of source code version control and I was moved on to bigger and better things. In fact, one of the roles I got moved to was the direct start of my career in information security (a story for another day).

How this helps you: despite an irrational fear of losing your job because you taught it to someone else, one of the best ways to advance your security career is to actively document your current role. Once documented, teach the position to others. I’ve found no better way to backfill your efforts and free up time to focus on other elements, learn from others and create a path to a new role.

More than advice, this is a mantra

My focus is clear: security awareness that works and effectively communicating the value of security. In my role, I work with organizations of all sizes and audiences of all types and experiences from around the world. As a result, I continually seek out people to learn from, and even offer to “intern” with other professionals to learn their jobs. In the process, I gain the insight of their experience, learn the language of their position and come away a more effective communicator.

This advice makes me a better catalyst, allowing me to better serve others. The more I learn, the more I am able to share what I’ve learned with those I come across… and through keynotes, seminars and consulting.

So while it made for a poignant scene in a movie about war, the observation of Lt. Col Moore is a powerful mantra for building a successful security career. Today is a great day to get started.

It works for me, and it works for you, too.

Let me know how you’re putting this advice to work or if something is holding you back. I’m here to help.

Until today, I’ve not shared this with you. It matters, because my turning point (or what I now consider my first turning point) also revealed my passion to advocate for individuals while advancing organizations through security awareness, effectively communicating the value of security and helping individuals and teams use those blended skills to advance their security careers.

Since first putting my turning point onto digital paper, I’ve experienced at least one more (there is a hint in this piece). I’ll write more about that next week. In the meantime…

My Family at Mt. Rushmore

My Turning Point

My turning point is literal: the rolling wheels under our RV and the steering wheel that allows us, as a family, to explore the country, find new places and meet people “where they are.”

It started with a simple vow: to raise my children through active, daily involvement instead of watching them grow up in pictures.

That vow led to a promise to travel as a family. We started with a pickup truck and progressed, quickly, to a forty-foot “diesel pusher” RV (and we towed a “dinghy” vehicle behind us). While we continued to own a traditional stick house in Upstate NY, we used the RV to travel to speaking, training and consulting engagements. Our RV was our second home (arguably our first).

After traveling by RV for over six years (mainly for business), we’ve managed to explore 43 of the lower 48 states and a brief trip into Ontario, Canada. We found that the more we traveled, the less we wanted to be pinned down to a traditional house. Confronting our fears — and conventional wisdom — we finally decided to let go: of the house, of stuff, of the things we didn’t need in order to live and travel in our RV.

On the road, I live the promise (dare I say the dream) with my entire family as we embark on our quest to collect experiences instead of collecting things. Sometimes we look out and see the tranquil ocean, or a forest of trees. Other days we are treated to majestic mountains.

We are liberated to live deliberately.

By the nature of the physical space, we focus on simplicity. And it turns out that less physical baggage has the unexpected and welcomed benefit of less emotional baggage. The conventional wisdom about the things we own owning us is true, even when we deny it in a feeble attempt to fool ourselves.

Celebrating the “Small Things”

When explaining our decision to live and travel by RV, a lot of people ask, “You must be excited to be there for the big things, right?”

The power of this approach is that while I celebrate the big milestones in life, I never miss the small things either — from losing a tooth (literally) to swinging on a playground, cuddling up by a campfire and nightly bedtime stories. We have it all.

For six weeks we have lived “full time” in the RV as our primary residence. We “wintered” at an amazing campground in Myrtle Beach, South Carolina. Our journey is flexible, and includes planned trips to California, South Dakota and wherever else our turning wheels take us.

On the road this way, we get to sleep in our own bed each night, eat from our own kitchen and even have a complete office and school on board! We conduct road school – where we all set goals and work, as a family, to learn and educate each other.

We also learned quickly that leading a more deliberate life has family and business benefits, too. We have less to maintain and worry about – which translates into more time spent truly living, laughing and learning together. Which, in turn, forces better business decisions. And that leads to more business opportunities.

My Turning Point: Uncovering My Passion

The instinctive need to focus introduced a welcome challenge in the first few weeks of being “full time:” what did I do? What was the purpose of our company?

Beyond “information security,” what inspired me and would allow me to apply my experience and energy to drive value, revenue and still allow time to enjoy seeing the country with my family?

At this point, Into the Breach (amazon link) was published, I accomplished recognition as a professional speaker, and ran a successful seminar teaching others how to effectively communicate the value of security. And yet my consulting practice took me all over the industry. While that was great for the first decade, it felt like it was time to concentrate on doing one thing better than anyone else.

So began my personal journey to find the “one thing” to focus on, something that sparked my passion, that made me feel alive while providing value to my family. I wanted to build on my experience of almost 15 years in information security, communication and my love of advocating for people.

Living in an RV encourages time to get out, move around and connect with the world around you. For me, this meant daily walks around a lake (some days, it meant a lot of laps, too). After my walks, I would often reach out to clients, colleagues and friends to explain the pieces I saw coming together and get their feedback, learn from their insights and listen to their guidance.

My turning point not only brought my family closer together and put us on the path of a more simple life, it also helped me uncover and voice my true passion: the “human side” of security.

On February 18, 2010, it was clear that my focus was blending my background in human ecology, information security and professional communication to focus on security awareness, effectively communicating the value of security and helping people advance their security careers.

Living As We Are

Because of our approach, I invite clients, colleague and friends (anyone, really – I guess I’ve never really met a stranger) to join us at our house on wheels for a meal, campfire and conversation.

There is something powerful about meeting people where they live and sitting around the campfire. Beyond celebrating the simple life, this allows me a rich fabric for story development, genuine connection with any audience and the windshield time to think, make connections and improve my ability to serve others as a catalyst.

On our journey, I hope to sit by the campfire with you (this is an offer with no expiration).

In my next “flashlight” article (imagine me sitting around the campfire, holding a flashlight to my face, telling stories), I’ll share my next turning point, and the continued focus on awareness, communication and career.

I look forward to connecting, sharing and learning from you.

Life is great!

Tokens, Shopping Carts and Security Awareness

What can grocery-shopping carts teach us about building security awareness that works to influence behavior change?

Turns out perhaps more than imagined.

During a recent hotel stay, I took a trip to a local grocery store to buy some snacks. I pulled into the lot, parked and headed to the store. Since I only needed a few items, I walked past the carts toward the entrance.

At the entrance a rather LARGE sign explained, “change machine for the carts inside store.”

Something about the sign encouraged me to stop; I needed to understand the need for change for a cart.

Turns out that the carts had a strapping mechanism that essentially tethered them together when stacked properly. Unlocking the cart required a quarter. When the cart was properly returned, the quarter was released and returned.

But a quarter is only $0.25

At first, this struck me as silly. Even in this economy, a quarter isn’t much and I thought it lacked the value to influence cart behavior. And it seemed like an inconvenience.

In the thick humid dusk of the evening, I took a few moments to look out and scan the parking lot. Not a loose cart in sight. So I looked harder and longer for a loose cart to prove someone bucked the trend and “just didn’t care.” Yet all of the carts were either in use or put away.

The token is engagement

Then it hit me: the quarter was only a token, a gesture. The money, in all reality, meant nothing. People put a quarter in, but they got it back. They weren’t renting the cart. At play was the physical act – the token – to connect individuals to the cart.

The token (the quarter) engaged people, connected them to the use of the cart and essentially redefined normal.

The use of a quarter to unlock and use the cart connected people to the process. Awareness of the condition to use the cart ensured people carried a quarter, sought change from the machine (inside the store) and served as subtle reminder to return the cart – if only to get their quarter back.

So how does this apply to security awareness and influencing behaviors?

With a different perspective, these carts taught me a lot about the value of engagement and commitment. By asking for a small value – which will be promptly returned, in full – the interaction changes.

The key here is the token.

It was more than symbolic – and it required some thought or action, but it was not onerous. I suspect shoppers at the store routinely had a quarter or two in their pockets, purses or cars… without complaint.

The low economic value of the token is important to the function. Engaging people in this way does require a shift in behavior (and the first shift is sometimes the hardest), but make it too complex or otherwise costly, and it will be summarily ignored or revolted against.

In the coming weeks and months, we will continue to explore parallels, amplify the good and advance our ability to address the human paradox, shift thinking and inspire behavior change through security awareness that works.

How are you using “tokens” in your efforts?  More importantly – how did you figure it out, how is it working and how is it evolving?

Share your experiences in the comments, engage me on twitter, send me an email or pick up the phone and call. I’d love to learn about the token in your efforts.

Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm. ~ Donella Meadows

Considering the meaning, purpose and expression of security awareness is a personal and professional pursuit. In fact, it’s my sole focus and the reason I created the security  Awareness that Works™ system.

As a result, I regularly discuss successful security awareness programs, and I start most discussions with a simple question, “what does it mean to be aware?”

The range of answers – from blank stares and silence on the phone to lengthy lectures – have little to do with awareness. In fact, I had one executive suggest to me that trying to define awareness was akin to US Supreme Court Justice Potter Stewart attempting to define pornography when he wrote, “… I know it when I see it…”

I disagree.

And here is the challenge: without a clear understanding and functional definition of security awareness, it is impossible to obtain (for ourselves, let alone to influence the awareness of others). Worse, this means there is no vision, guidance or purpose to awareness that is easily understood; awareness becomes a burden to fund instead of an opportunity to invest.

Good news – it doesn’t have to be this way.

If the goal is to shape the culture and increase “awareness,” it is essential to understand what awareness is, what it can do, and how to recognize when people are, in fact, aware.

How do others define awareness?

Awareness is not a new concept. Here are three definitions that share common threads, easily applied to the challenge of generating awareness with regards to security and risk:

• Wikipedia defines awareness as: the state or ability to perceive, to feel, or to be conscious of events, objects or sensory patterns. In this level of consciousness, sense data can be confirmed by an observer without necessarily implying understanding. More broadly, it is the state or quality of being aware of something. In biological psychology, awareness is defined as a human’s or an animal’s perception and cognitive reaction to a condition or event.
• Awareness is also defined in personal injury claims: Conscious of stimulation, arising from within or from outside the person.
• Marketing is keen on awareness: a measure of respondents’ knowledge of an object or an idea. There are two main measures of awareness: spontaneous (or unaided) and prompted (or aided) awareness.

The common threads with these and other definitions are a sense of individual, recognition of actions and a measurable component related to some sort of message. Also consistent is the notion that awareness can be spontaneous and internal, or external to the person and aided.

These definitions prove a good starting point for considering what it means to be aware. But we also have to consider the underlying challenge individuals and organizations must solve: the human paradox (for more see: Why people are not the problem…).

How The Human Paradox impacts Awareness

When it comes to managing risk, information and the relationships with people, the real challenge is The Human Paradox: individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable.

The human paradox has an interesting impact on awareness: the more disconnected people are from the consequences, the more complicated – and costly – the effort to reconnect them.

This is why traditional “security awareness training” falls short: failure to address the human paradox. In some cases, these programs may actually increase the gap between individuals and consequences, creating more risk, increasing complexity and wasting money.

Security Awareness, Defined

For awareness efforts to be successful, we have to start with a clear definition. After considering awareness and the impact of the human paradox, I propose a short, clean and simple definition for awareness:

Awareness: an individual’s realization of the consequences of his or her actions (or decision).

When Awareness that Worksâ„¢ is obtained, the definition is enhanced by the ability to assess the impact of the consequences. Soon I will explain why we absolutely must reconsider consequences.

This definition of awareness actually shifts the purpose of the program. By improving the vision of awareness (we have more work to do there), the potential for training and other resources to provide measureable return is clearer.

Of course, there is more to consider: how to define the program, generate awareness, measure what matters and communicate what counts. But sometimes the simple shift of a definition and proper use of a concept is the spark that brings change.

So what does awareness mean to you?

Do not put your faith in what statistics say until you have carefully considered what they do not say.  ~William W. Watt

Over the last few years, we have been presented a series of reports, complete with statistics, suggesting the cause of security breaches is people. Whether external attackers taking advantage of individuals, insider mistakes or even insider espionage, the overly simple and false conclusion seems to be that people are the problem.

Well, they aren’t. Except, of course, they are.

When I wrote Into the Breach, I realized early in the process that “breach” (no matter how it is defined) is a symptom. So focusing on preventing security breaches basically creates a losing situation where valuable time, money and other resources are wasted… only to leave the real challenge untouched.

The real challenge is what I dubbed the human paradox: individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable.

If people aren’t the problem, what is?

When introducing the concept of the human paradox in the book, I suggested we face a people problem. Upon further research and considerations, I would write that section differently: we face a human paradox where people are not the problem.

Consider this: “people have been unintentionally and systematically disconnected”

This raises the question, “who disconnected people from the consequences of their actions?”

Short answer: we did. But it wasn’t intentional.

I liken the current experience described by practitioners as  “security pain” to what new parents learn as “short term gain, long term pain” – or the idea that actions designed to quickly diffuse a situation often create more complicated problems down the road. Basically, the actions taken over the last decade for short-term gain have disconnected people from the consequences of their actions – creating the current pain we feel.

The rapid pace of change in technology and security over the last decade or so makes it more difficult for professionals to keep up with solutions and potential consequences. Even more complicated, then, is breaking down the range of outcomes and explaining them in a way someone else (without the same background and understanding) could easily understand.

When users rightly questioned changes, the path of “short term gain” was to suggest they wouldn’t understand and take the decision – and resulting consequences – out of their hands.

But it’s okay.

It’s part of human nature.

This means that instead of blaming “users” generically for not knowing and not being good enough, we should first look in the mirror. We played a role in making the situation we lament.

So we recognize it and move on.

The question is what comes next. And that’s where I have focused my passion, blended with my experience and skill as a human ecologist, in security and in the tradecraft of effective communication.

The Path Forward

The answer lies in connecting people to the consequences of their actions; it means we have to bridge the gap. But it’s easier – and more complicated – that just inflicting pain and punishing bad decisions.

So – tell them the consequences and we’re all set, right?

Well, it’s not that easy.

We need to change the way we think, change the way we act and work to cultivate a new culture to address how we manage risk, information and the relationships with the people we serve.

We need more deliberate dialogue: conversation with a purpose that “meets people where they are” and works in a way that allows everyone to learn. When we enter the conversation as equals, each with a valid set of experiences – and a desire to reach common understanding, something magical happens.

Best part: no new investment in technology is needed. This costs time. It requires being present. For some, this is simple, easy and obvious. For others, this is a challenge and will be a rough start.

We have a lot of work to do. I’m here to contribute and lead the change we need.

The moment we judge someone, we forfeit the ability to help.

Seems like a lot of what is being promulgated in so-called “security awareness” today is nothing short of berating people with a list of the things they shouldn’t do, coupled with a non-intuitive list of what they should do.

I read a lot of suggestions to “call people out” and “catch them doing the wrong thing.” For obvious reasons, I’m not going to link to any of these articles, columns and blog posts. My experience and success in changing behaviors suggest a different approach is more effective.

Why the need to embarrass others?

The reason so many focus on lecturing and berating stems from the misguided belief that we know better, know more than other people and will grace them with our wisdom.

Memo

From: the users

To: the security people

RE: get over yourself

Businesses existed without you before, and while perhaps not in the future, we can do better. So can you. Start sharing with us and stop trying to embarrass us and make us feel stupid. Teach us what you know – but in our words – and we will work alongside you.

My practice delivers “Awareness that Works™” – where awareness serves as the catalyst for effective training. I enjoy several conversations a day – and welcome more – on the topics of awareness, training and the broader issues of rethinking how it all works in the organization to go beyond “security awareness” by building a system that cultivates a culture of optimization.

Awareness is generated, not prescribed

In the process of sharing Awareness that Works™, I recently sent a note to a person I met while keynoting a conference. Our dinner discussion suggested to me that he “got it;” that he understood the purpose of awareness and the vital role it played in the organization.

But his reply to my note blew me away: he had no interest in discussing awareness because he simply told people what awareness was, told them what to do and told them how to do it. He saw no need for awareness or training, and no desire to discuss it.

Wow.

How would you like to be the user in that session? Actually, how would you like to be a security practitioner in that organization?

Either way, I suspect the point is lost on that chap and those he is supposed to serve. And that’s too bad for everyone.

In my consulting practice, I ask people about their experiences and what they expect. Turns out people are pretty clever: they do brilliant things; they know they need to change (and are willing to) and have reasonable expectations of you and the organization.

So why the disconnect?

A misguided belief that we know more, are smarter and that users are unable to get it right contributes to the disconnection and failure of “traditional security awareness.”

I’ve read where others suggest inane things like “there is no patch for stupid” and that we need to inflict pain on people in order for them to understand. And then I watch other security practitioners applaud and cheer. Step back and watch it through another lens and perhaps you’ll be as appalled as you should be.

We don’t know better, we just have a difference experience.

In the course of practicing “security,” we literally spend hours a day steeped in risk, understanding actions and trying to successfully solve problems.

But we also make mistakes. Lots of them.

Ever over-hardened a machine (to the point where it is a brick), blown a patch and screwed up configurations, backups and the like?

Spend a night in a data center correcting your own mistakes and things start to look different. As a result, we have cultivated a different language, experience base and set of expectations.

We may have started on a more equal footing in terms of experience, but the nature of our profession changes us. Sometimes, however, that change is a bit harder to see, and even more challenging to consider in context.

But we have hope.

The people we serve are willing to make a change, if and when needed. But they want to be made aware of the consequences of their actions in their words, in their experience and on their turf.

No one likes to be embarrassed or talked down to – and that has to stop. Now!

In the end, we’re all the same. We have an opportunity to all work together. We need to reconsider what awareness means, consider the perspective of our users and work to share and educate, but not embarrass.

Stick with me and I’ll show you how.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 12)

This chapter addresses the challenge of changing first in order to lead and influence change. The concepts introduced and explained in Into the Breach – the Strategy to Protect Information, The Catalyst Method™ (recently updated) and others – produce rapid and lasting results for those who embrace them and implement them in their organizations.

Michael shares two basic analogies to consider while summoning the courage to break from tradition and take action: the process of building a flywheel and reconsidering Newton in a new light.

Into the Breach provides a wealth of ideas and information. The Awareness that Works™ system is the implementation of the guide from the book – and more. Contact Michael today to learn more and explore the guaranteed results.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst) (and he’ll engage back with you)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. 3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

For me, this means a lifelong study of communication – verbal and written – blended with human ecology and the fundamentals of security. It’s an odd mix, but with my focus on Awareness that Works™, it serves my clients well.

A few months ago, I started a column for CSO Online dubbed the “Career Catalyst.” It allows me to build on my background as a catalyst and role as an advocate for individuals to share ideas, insights and strategies to help shape and develop powerful, effective careers. It turns out to be a perfect compliment to my approach to advancing individuals and organizations at the same time.

My passion in serving others is the driving force for this column.

I routinely listen to the challenges, observe the trends and think about the skills, aptitudes and attitudes for career success. But I also view this as an effort to serve as the catalyst for multiple ideas, experiences and challenges of the entire community.

Looking to improve your career and advance the profession?

• Share your successes or ideas you’d like my take on
• Ask the questions on your mind
• Share your challenges

Connect with me by email, telephone, twitter or through this handy contact form.

You can find my column here: http://www.csoonline.com/topic/41515/security-career-staffing

Here are the last three columns:

Security Careers: The Mic is Always On. Always.

Like politicians who’ve been embarrassed by public microphone mistakes, security professionals need to remember comments that are made in bad taste can put both a career, and an entire security program, in danger

http://www.csoonline.com/article/597056/security-careers-the-mic-is-always-on.-always.-

Cultivating a healthy addiction for career success

Going beyond the typical interview answers and resume claims will help you demonstrate why you stand apart from the pack. Michael Santarcangelo shows the way.

http://www.csoonline.com/article/594229/cultivating-a-healthy-addiction-for-career-success

Are You Making a Security Career or Working a Job?

In his first column as CSO’s Career Catalyst, Michael Santarcangelo outlines three essentials everyone needs to consider to make security work more than just a job

http://www.csoonline.com/article/590096/are-you-making-a-security-career-or-working-a-job-

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 11)

Outsourcing makes sense for a lot of organizations and continues to gain in popularity. Does this drive to outsource and partner actually increase security and protection of information?

By leveraging the strategy and concepts shared in Into the Breach, learn how to build a firm foundation for success – including how to measure the effectiveness of the partner and ensure mutual and lasting benefit from the arrangement.

• Learn how to establish appropriate and measurable criteria upon which to make better decisions
• Understand how to assess potential partners and providers to ensure appropriate fit and mutual success
• Gain insights into verifying and building relationships based on trust and mutual understanding

If outsourcing and working with partners is part of the process, then this chapter is a must listen.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

In this episode (Chapter 10)

Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners that suggest compliance is not security; however, proper security can and often does lead to effective compliance.

The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.

In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.

If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

As the son of a son of a sailor

I went out on the sea for adventure

Expanding the view of the captain and crew

Like a man just released from indenture

As a dreamer of dreams and a travelin’ man

I have chalked up many a mile

Read dozens of books about heroes and crooks

And I learned much from both of their styles

–Jimmy Buffet, Son of a Son of a Sailor

With Jimmy Buffet playing on the radio, we set “sail” in January in our forty-foot diesel pusher RV. With the roads as our sea, we set out for adventure, and more: we set out to change our lifestyle.

My family stopped collecting things and starting collecting experiences. And we are liberated.

The process of leaving the house included going through nearly every single thing we “owned.” It was an exhausting process filled with memories, discussions and the sober realization that it is easy to collect things. While we found some great purchases and reminded ourselves of great times over the last decade, we also realized we had unwittingly accumulated a lot of stuff.

The process of simplifying our possessions was powerful. As we fired up the diesel and headed south in search of warmer weather, we resolved to do thee things:

1. Simplify our lifestyle and schooling (road school is for all of us, not just the kids)
2. Streamline our fitness and nutrition
3. Simplify our business

In the short few months we have been “on the road,” we have managed to make great progress on all three goals. Pursuit of these may be a constant journey that evolves over time, but we live each day to the fullest and cherish the time we have with each other and those we meet on our journey.

Streamlining our lives, nutrition and fitness have obvious benefits. For me, the real breakthrough came on the business front.

It started in December, before we left, while speaking with a friend. After listening to my goals, he left me with these words from Bruce Lee:

“I fear not the man who has practiced 10,000 kicks once, but I fear the man who has practiced one kick 10,000 times.”

Sometimes the right words shared at the right time make the difference. For me, this was instantly profound, powerful and put my quest into context. I had run a successful business practicing a lot of kicks. It was time to mature and find what my “one kick.”

After a few weeks of active thinking, writing/journaling and speaking with friends (including clients), it the path that blended professional speaking, writing, training, information security, adult learning and my background in Human Ecology came into focus. A few more conversations and it became as clear to me as it had been to others: I needed to focus on awareness.

It is no secret I am disappointed with the industry efforts at “security awareness training.” More often than not, the traditional attempts waste money and even increase risk! I refused to simply do what everyone else was doing.

My “one kick” is Awareness that Worksâ„¢

So I took more time to consider my entire experience and the elements that worked. I am excited to share the result: Awareness that Worksâ„¢

Awareness that Worksâ„¢ connects people to the consequences of their actions, creating a shift in thinking that inspires behavior change. Individuals achieve understanding in their own context, and then are guided, shaped, and supported with materials and training tailored to them.

To be effective, awareness needs to be separated from training. This provides some concrete benefits and sets the stage for the right messaging, training and support to not only influence behaviors, but to provide needed insights and information to the organization.

I want to work with people who have a mandate for awareness and are ready to work with me to move the cost of working with people to an investment. The approach I created to guide organizations – tailored to the unique aspects of each – works so well that it pays for itself. In fact, I guarantee it.

This is my focus. 100% of my time, energy, effort, and research go into how we work together. And with this focus, I plan to write and share more.

I’m excited about the initial results – and the conversations about awareness I share every day.

Consider yourself invited!

If you are focused on addressing awareness (and the subsequent training), I want to speak with you. No strings, no selling. Just discussing.

And our journey continues.

The current plan (which is always subject to change) is to spend a few more weeks in Myrtle Beach, South Carolina. We’re enjoying the beach, finishing up repairs to the RV, and focusing on the launch of Awareness that Works™.

Soon, we head back on the roads for adventure. No doubt we’ll “chalk up many a mile” – blending with reading, writing, sharing and learning. The campfires will be many and the conversations plenty.

Life is good.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 9)

Writing this book and testing these methods revealed a surprise: people who are engaged – connected more closely to the consequences of their actions – do more than protect information.

This chapter explores additional benefits from the improved communication and insights that come from following the strategies and elements shared in Into the Breach, including:

• Quickly align business and technology organizations (true alignment, not lip service)
• Harnessing the power of people to uncover new revenue opportunities
• Leveraging and engaging individuals in the act of reducing waste while doing more with less

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
2. Subscribing to The Security Catalyst podcast & blog to get more insights
3. 3. Checking out Awareness that Works™ – a new program from Michael Santarcangelo to guide smart investment in people, with guaranteed results (this program pays for itself).

I know, as an open, that was lacking. To be fair, I had worked on a few opens, including a poetic reference to campfires to contrast electronic fires. I considered an analogy to Apocalypse Now (“I love the smell of Naplam in the morning…”). Then I decided the direct approach made the most sense. So there you have it.

up in smoke: the burned out inverter

The good news is everyone is safe and we contained the damage to the inverter/charger. The less good news is that all power to the “house” part of our RV runs through that device. Without it, we’re literally dead in the water. We plan to address that this week.

Thursday Morning Fire

Thursday morning (a few days ago) was full of sunshine and started much like other days. As we set about our morning routine, we were alerted by a warning of the electrical system overheat. When I stepped outside to investigate, I was met with the distinct smell of electronics burning and a billowing cloud of smoke escaping from a rear compartment bay.

I opened the bay and heard — but didn’t see — the fire. The sound of crackling electronics was different than campfires and less relaxing.

So I emptied the contents of the bay (hey, my tools are important to me), got everyone out of the coach and grabbed one of our many fire extinguishers. I believe in being prepared, and I found that while I realized it was important to put the fire out (no kidding), no one in the family panicked. I walked back to the inverter/charger to see visible flames (still inside the housing), pulled the safety pin and put the fire out. I had to shoot through the vents to put the fire out, but it went down without a fight.

I turned off power at the main pedestal/breaker and then assessed the damage. With the coating from the fire extinguisher fresh in the bay, I noticed a lot of spider webs and wonder if one happened to build a web inside the housing (it was warm) of the unit — causing a possible short. We hope to do some analysis this week to see if we can figure it out.

The Amazing RV Community

Within five minutes we had a handful of concerned and helpful neighbors at our coach checking on us. I cannot stress how amazing the RV community is, and Thursday simply proved it again. From others who have been through similar events, we talked about potential causes, solutions, costs, repair centers and the like. And we quickly confirmed we were all okay, will be okay and in the scheme of life, this was no big deal.

And it’s not a big deal. It simply is. No one was hurt, the fire was contained and now we have to engage in a straightforward (for someone else) repair before heading back on our way.

What it means now

We’re lucky that we are still in Myrtle Beach; we have use of a family-owned condo that makes it easy for me to work, the kids to school and life to go on. We expect to be here a few weeks to get it diagnosed, repaired and have a few other repairs completed, too. Meantime, we’re relaxing in the condo and looking forward to an opportunity to catch up with a dear family friend this week. In fact, we wouldn’t have that welcomed opportunity without the fire.

We seek to live simply and collect experiences instead of things. Now we have a new experience.

Once the repairs are made, we’re back on the road with planned stops in Atlanta, Dallas (tentative), Bentonville, Sioux City, Indianapolis, and Hershey Park for Memorial Day weekend.

cross posted at Catalyst onTour

What you’ll find in this episode (Chapter

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot shared – and now it is time to measure success.

So how do you measure what matters so you can communicate what counts?

In this chapter, “Measuring Success,” Michael draws on his background of social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.

Learn how to measure what matters and communicate what counts.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

It is simplicity that makes the uneducated more effective than the educated when addressing popular audiences. — Aristotle

I’ve noticed the instinct lately – of individuals, government and security practitioners — seems to be one of more control.

When something seems broken, or the outcome is alternate than what was desired, the answer comes in the form of regulation, controls and otherwise restricting the options to prevent or influence the outcome.

And when these controls fail, it leads to finger pointing, grandstanding and… you guessed it… the call for more controls.

But what is the net effect of these additional controls?

Sometimes the solution is to strip controls away. To simplify.

I’ve spent the last few months pondering this message, and realize the more we ask ourselves “what is the problem we are trying to solve” the more effective we are. We need a foundation for success – and simple trumps complex.

Over the last few years, I’ve slowly worked through the elements to help friends – and each time I promise to make the approach public. Last weekend, I was called on my promise (thankfully) and decided to open it up. In the meantime, we have colleagues who need a boost – they need to build, calibrate and follow their career compasses.

This is a new program – so I am open to a small group of people running through the elements for their own benefits, and to help shape the elements that will be incorporated into the community. In fact, I’d like to figure out how to train others on the approach and work as a community to help each other out.

So it starts now.

And we’ll start small.

For now, no charge (money) to partcipate — but there is a cost. If you are interested, send me an email (securitycatalyst/gmail) or engage me on twitter (http://twitter.com/catalyst) and let’s discuss. We have to keep the initial run small, and we need people who are willing to participate fully and work through the entire system.

More details below:

Career Compass Overview

Whether you are currently a Security Professional or want to become one, this highly flexible program will help you set and meet your professional ambitions while serving lifestyle goals.

Set your Career Compass:

• To prepare for a raise
• To receive a promotion
• For career development
• If you are ready to move into the security field
• To find a new position (within your current company or outside it)

Determine your path and venture forth.

Setting Your Career Compass is a multi-faceted program to help you refine your career objectives and realize them.

It is a three-step process.

1.            You will first think about and answer a series of questions about yourself, your ideal working environments and your future. We help you align your answers – the ‘who you are’ – with what you have done and where you would like to go.

2.            Then we prepare you to effectively communicate your value to the right audience. With guidance you will build a personal brand in the form of a resume, bio, cover letter and whatever else is needed for you to reach your goals.

3.            With all the background work complete, we will help you follow the compass you built.

We do not judge.

Everyone thrives in different situations and has different desires in life. Our passion is to help you find the unique value you bring to an organization and position yourself for success.

Why the Compass approach works.

We guide you through a process that helps you explore your strengths, values and goals. As a result, you will understand yourself better than simply listening to someone tell you what they think, based on a questionnaire.

You will be self-aware.

You will have the clarity required to communicate your value effectively. After guiding you through this exploratory process, your Career Compass helps you position and differentiate yourself from others in a strong finished package – written and oral.

The program will help you craft a resume that is simple, powerful and designed to attract the attention of the “right” people. It will help you market yourself better and guide you to greater success.

How much time does this take?

Like most things in life, the more you invest into this program, the more you will get out of it. It is recommended that you budget 3-5 hours to complete step one, 3-5 hours for step two and 3-5 hours to begin step three.

Step three is ongoing but 3-5 hours gets people where they need to be. Some will breeze through the process. Others will need more time. There is no right answer, but the time you invest in yourself will pay off down the road.

What you’ll find in this episode (Chapter 7)

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, contact us to learn more).

So how do you implement in a way that gets results?

In this chapter, “Putting the Strategy to Work: A Pilot,” Michael explains the basic approach – with key insights – to engaging people in the process of protecting information. Learn how to select the pilot approach that works best, build the team and plan a strategy that drives tactical and strategic success.

There is no “one-size-fits all” approach, and this chapter lays out how to make the right decisions the first time. Get a jumpstart on success with this chapter.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

What you’ll find in this episode (Chapter 6)

Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed for immediate results by harnessing the power of people. By asking the right questions — in the right way — people are connected to the consequences of their actions and share information about known and unknown risks about the information they use every day.

The elements of this chapter are the building blocks to what is now called The Catalyst Methodâ„¢ — what Michael teaches, guides and uses to help organizations get results that improve awareness assessments and help deliver Awareness that Worksâ„¢.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

The concept of the audit, to some, may feel relatively new and immature. However, financial statements have been audited since the 1800s and regulated IT Audits got a footing in the 1970s. The challenge in making sense of audits is in the approach: are you driven by compliance and audits, or are you driving the audits and compliance?

In my experience, compliance and audits are more journey – and less road trip. The challenge in preparing for this journey is the murky starting point, winding roads and changing conditions that must be successfully navigated. And when finished, the reward is taking another lap.

Developing a “Culture of Compliance”

Day in and day out those who work in finance adhere to basic principles that over time have simply become habit. These basic principles are in part derived from the understanding that they will be audited against their actions. We, as IT experts, tend to have much more of a cowboy approach to getting work accomplished.  Now that IT is being held accountable we need to instill the same ideology of daily work ethics that is second nature in finance departments.

This concept of cultural development is awkward at best when considered in bits and bytes. While IT staff are experts in their fields, they often have difficulty in understanding why perceived red tape (commonly experienced as additional process to get code into production). For many, it just doesn’t make sense and feels more like an obstacle than a useful control.

Building the culture of compliance takes time, dedication, education, and influences some interesting debates. Yet the journey is rewarding and the results proof positive of the investment. Over the course of the next year, I’ll share my experiences learned over the last two decades to ease the journey for everyone.

Sell the concept, reap the benefits

Management responsibility – wait for it –  “must be driven from the top down.“ It’s quoted a lot, and for good reason. And I agree. The outcome of IT assessments, sometimes in combination with finance audits, has a direct impact on the bottom line.

Who would you rather do business with: a company who has process deficiencies and stated exceptions or one that passes the litmus test of standardized IT auditing?

Positive results are an endorsement that the organization is operating efficiently and more importantly securely. This endorsement should be used by your sales and marketing departments at every opportunity.

Building Support

Step one: find the right internal sponsor.  This sponsor should be the liaison to any audit firm partner. While IT management is needed to explain details of process, systems, and applications, they should not be on point. Often the best bet is a leader in finance. Building on years of experience, savvy finance management can simply save money.

Of course there are exceptions; mature IT organizations can fulfill this role with the understanding that it is critical to update senior finance management throughout any audit.

Should IT audit and compliance be managed internally?

This question needs to be asked regardless of the size of the organization. It is common practice to hire external audit firms (opposing) to prepare your organization for an IT audit. Independent assessments can help identify process deficiencies, help with documentation and, more importantly, ensure a smooth audit when it counts.

Quite simply, if you need to bring an organization into “compliance” within a predefined time frame external help may be your only option. If the decision (or only choice) is to manage this internally, then dedicated staff is essential. This team needs the expertise in systems, applications, security and perhaps more importantly the ability to communicate and educate others on why IT auditing is so important. We’ll explore this more in the future (and quite frankly, I’ve seen Michael in action, and he is the master of this  — and he makes it easy for others to do it, too).

One of the best tangible outcomes of this whole process is detailed documentation. Interesting how  there is never time to develop or update documentation; now the excuses are kicked and a valid reason exists. These policies, standards, and other documents are the foundation of the IT department, the keys to success.

What’s in it for me?

Develop this “Culture of Compliance” within the IT department and witness creative solutions being developed with the base principles of security and with forethought into what auditors really want, Who, What, When, and How!

Sound off

How have you developed a culture of compliance in your organization? Or has your compliance car skidded off the road along the path? Engage in the discussion in the comments and we’ll work on getting there together.

While learning about how a large organization detected and responded to a breach, a stark reality suddenly hit me. Looking back at it now, I probably jumped out of my seat when I connected the dots. I was forever changed.

The Black Hole of Data

After initial concern the breach was a focused external attack – and the appropriate authorities alerted – the final conclusion was more pedestrian, and more common: in the course of trying to do their job, an employee took an efficient action to move a file to his home computer – over the Internet – then forgot about it.

It took a few years before the file was discovered.

The discovery – made by an employee, three years later, on a Friday afternoon – triggered a swift, thorough and amazingly competent response. Yet while being briefed on the specific details, costs, actions and findings, what stuck out to me was simple: the root of the breach was someone “trying to do their job.” No external attacker, no disgruntled insider, no nefarious plot.

It was an honest worker finding a way to work from home, on his own time; he wanted to get the job done. He was trying to do the right thing, but managed to do it the wrong way.

This wasn’t a breakdown of controls. In fairness, we have some technologies today that would have prevented this breach – but that doesn’t mean the user wouldn’t have found a better/different way. Technology is important, but more important is the consideration of people and how we factor (or ignore) them into the solution.

This was the spark that led to Into the Breach: Protect Your Business by Managing People, Information and Risk.

Since the book was published, I have presented the concepts in keynotes and seminars, and I have continued to research, reflect, and more importantly, get into the field and work with organizations of all sizes. This has sharpened my focus on – and renewed my commitment to – the human ecology of the organization to help turn insiders into allies who reduce business risk.

As we prepare to leave our stick house and head out full-time in our RV to travel the country and work with individuals, organizations and communities, I invite you to join me on a weekly Journey Into the Breach.

Over the next year, I’ll expand and reflect on elements from Into the Breach through candid and updated thinking.

Ready?

Buckle up. Let’s go.

Who is the intended audience for Into the Breach ?

Into the Breach is for business executives, decision makers, influencers and stakeholders. However, anyone can benefit from the executive level discussions and solutions: it’s been commonly noted to me that the challenges I uncover and solutions we advance address issues broader than security.

It was important to me that I distilled the essence of the book into a form that could be easily consumed, understood and acted upon. The measure of success was to be able to read the book on an airline flight or comfortable afternoon. We hit the mark.

Breaches are only symptoms

When something goes wrong (say, for example, a breach), it is natural to seek someone to blame and a technology to fix what keeps us up at night. After taking the time to go deeper into the breaches all around us, I asked a simple question:

What if breaches are only symptoms?

As soon as I asked it, I realized that breaches and other breakdowns are just symptoms. They are not the problem. I’m not suggesting they don’t create harm; some do. But we don’t have to solve “breaches.”

The fundamental challenge is what I dubbed the human paradox.

The Human Paradox

The challenge we face is simple to state, easy to understand, quick to prove, yet elusive to address.

The human paradox: individuals have been unintentionally, but systematically disconnected from the consequences of their actions. People disconnected from the consequences of their actions do not take responsibility – and are not held accountable for their actions.

To be clear: we do not have a people problem. It is counterproductive to blame people. Yes, people play a role – certainly in the challenge, but more importantly, in the solution.

So what is the problem?

We need to consider the source of the disconnection; in many cases, the best intended actions of security professionals have created the disconnection.

Ironic, isn’t it?

We must reframe the way we consider consequences: what if consequences are neither good or bad, but intended or unintended?

If we keep doing what we’re doing, we’ll keep getting what we’re getting. I don’t want to continue on this path.

What got us to where we are – which has been amazing change and progress in the last 10-15 years – may not be what will get us where we need to go next. The purpose of this column is to reframe and illuminate the challenges we face while suggesting a path forward.

How to prepare for our Journey

1 – Read or listen to Into the Breach (you can listen for free)

2 – Look for – and share – positive examples of where people are CONNECTED to the consequences of their actions

3 – Ponder questions you would ask me if we were sitting together around a campfire. Then make plans to sit with me around a campfire and discuss.

Sound off!

What do you think? Have you found people doing the right thing? What did I miss?

Share in the comments… and always share with me the challenges you face and we’ll work together on this journey to amplify the positive and turn the tide…

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in episode 6, Into the Breach: Chapter 5 (The Strategy to Protect Information)

Chapter 5 is the introduction to Part II of Into the Breach — where the focus shifts to looking at what needs to be done. I outline a powerful, yet simple, approach dubbed “The Strategy to Protect Information.”

Key is the focus on information, not data, and the three steps that any organization must follow in order to be effective. The balance of Part II explains how – but just learning and understanding the three part strategy is transformative.

After listening to this chapter, you will know the strategy and be able to apply it to your current challenge — small and tactical or larger and organizational.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about this how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 4)

Chapter four wraps up the first part of Into the Breach with a candid discussion about the current approaches to managing risk – and why they are not working. Michael explains that risk management is based on curves, not continuums, then dives deeper into the three barriers to effective risk management: scale, perception and probability. While looking at each, Michael makes suggestions on how to overcome them, then introduces the concept of managing risk on the efficient frontier.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about this how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

In chapter 3 : Breaking the Security Diet

Breaking the security diet is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this “fad diet” approach and shines a light on the new fad diet: encryption. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information.

Put the power of Into the Breach to work for you

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 2: People Just Want to do their Jobs)

Chapter 2 reframes the challenge with powerful insights about the way people “just want to do their jobs.” Michael introduces what he calls the two principles  – a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, “Compliance is not a video game” and reveals that a common approach of “exclusion” is creating more harm than good. The chapter wraps up with a discussion of “the human response to pain” – with a common example played out in organizations everywhere.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 1: Breach: A Human Problem)

Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.

Update from Michael: the updated approach is to focus on the human paradox – introduced in this segment – that points out the unintentional, but systematic, disconnection of people from the consequences of their actions. This means “breach” and information protection is less a human problem than a paradox; my focus is on connecting people back to the consequences of their actions and presenting solutions that turn the cost of working with people into an investment.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

What you’ll find in this segment

The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey “Into the Breach”, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this second segment, Michael continues the explanation of the steps businesses must take to protect information, then reveals how the Catalyst Method(tm) explained in his book allows businesses to reduce costs and even increase revenue!

Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this segment, Michael discusses the impact of security breaches, the hidden damages and explains his personal experience in how these events can happen to anyone. The segment ends with Michael outlining 5 steps every business must take to protect information.

If you that follow on me on twitter (twitter.com/iamthedavil), you may be aware that my Information Security (InfoSec) group is in a bit of a project holding pattern for the foreseeable future due to too many projects and not enough people or funds. Like many companies, we are being asked to “do more with less.” While this is an admirable goal, my personal objective is to be more effective with less, reducing the confusion between motion and progress.

One of my main concerns is the number of security-related emails our InfoSec area is sending out. Since there’s the common concern that frequent communications will be viewed as noise, I’ve been trying to figure out a way to increase the effectiveness and memorability of our alerts.

One of my first ideas was to “adopt and adapt” a color-code system for types of hospital-loudspeaker alerts similar to what the hospital currently uses:

•       Bomb Threat – Code Black
•       Fire – Code Red
•       Missing Child – Code Adam

And so on.

Introduction to these codes begins on the first day of employment during new hire orientation. Additionally all staff, including non-medical personnel, must complete yearly CBTs that review the various colors and their meanings. Furthermore, these codes are printed on cards employees carry with them at all times, so they’re repeatedly emphasized to all hospital employees. I suppose you could even say these codes are imprinted on our DNA…

(I’ll pause for groans and laughter here.)

My idea was to adopt the current announcement method, designed to quickly initiate a response during an emergency, and adapt it for InfoSec purposes. With that goal in mind, I came up with the following potential list based upon the top communications I see the InfoSec team generating:

•       Malware/Virus Outbreak  – Code Red
•       Patch Required – Code Blue
•       Disaster Recovery Engaged -Code Yellow

Instead of targeting medical personnel with the communications, Information Systems (IS) staff would be the primary recipients, as they are typically the initial audience for many of the situations mentioned above. By using a “color codes” approach to draw attention to the InfoSec announcements, IS staff will know when to respond to alerts we. Desktop Support would know increased workload may be coming during a Code Red, Server Administrators are informed of a patch through a Code Blue, and all of IS is quickly aware when a Disaster Recovery effort has begun.

Usage would be similar to the following in an email subject:

- Bogus Webmail address

•       InfoSec Code Blue – Emergency Patch Required
•       InfoSec Code Yellow – No Power at Southwest Site

A slightly different way of using the system was suggested by Michael Santarcangelo, for an environment when response-time is critical.  With his approach, the codes indicate less about the threat, and more about the timeframe with which people need to act:

•       Code Red – Immediate (Within 24 Hours)
•       Code Yellow – Urgent (Within 48 Hours)
•       Code Green – Soon (72 Hours)
•       Code Blue – Informational (No Action Taken)
•       Code Gray – Personal (Do This At Home)

While the adopt-and-adapt concept seems simple, I do have a confession to make. In my zeal, I made the error of using the same colors as the hospital alerts.  Marketing and upper management quickly informed me that the InfoSec Event colors needed to be different than those used by the hospital to minimize confusion and panic.  Keep this in mind in your environment.

This is an opportunity for us to work together. What exists in your environment that you can leverage to increase security awareness and visibility? What have you done that’s been successful? What’s failed? Let’s continue to share ideas and learn from each other, especially during these times of limited budgets and resources.

Do you have a documented and tested incident handling program? To my surprise, some a majority of companies lack this basic necessity. Putting something in place may take some time, but here are some tips and suggestions to help get started.

Define: incident

For those familiar with ITIL (Information Technology Infrastructure Library), it is important to note a security incident is not the same as an ITIL incident. ITIL describes and incident as and event that is not a part of the standard operation in these terms an incident is the start of a service delivery or problem management process.

While in security events are the starting point for us, they are issues in the enterprise that could lead up and incident. The best definition of incident that I have read out there is “An incident is any situation that exceeds normal risk management processes.”

Instead of focusing on a specific type of incident, an “Incident handling” process must be designed to be broad enough to support any type of threat or exposure to organizations systems, data, and/or physical infrastructure, etc…. Breaches happen in many forms now days, improper disposal of documentation, lose of equipment, system compromises, all the way to the janitor attempting to sell DOE restricted data. However when you think about it, an incident may not end up in a breach, but a breach will always be an incident. Breaches encompass many forms of data, personal information, financial account information, health care information, trade or governmental secrets, and the list goes on.

Simple is always effective, and it is no different when it comes to incident handling. Good incident handling does not require a novel. To get started, keep terms general, include process flow charts and check lists. When responding to an incident, these will keep everyone on track and ensure all actions are documented.

The process can be broken down in 5 simple steps:

 1.   Prepare (for incidents)

 2.   Identify

 3.   Incident handling

 4.   Recover (from incident)

 5.   Lessons learned

 

Preparation – Proactive

Preparation is the most critical element. Document the guidelines to handle incidents. Preparation ensures you will be better equipped to handle most situations as they come up.

First start by identifying what your organization has that it considers critical assets. This could be technology, customer data, physical assets, even services that are offered. Then you need to identify what types of threats does your company face. Keep it simple here, no need to go into specifics, IS threats, physical threats, insider threats, etc…. Then document your policy, guidelines, and checklists on how to identify, resolve, and recover from them.

Remember to keep it general, there is no way you can identify all possible threats down to exacts.

Identification

This is the most difficult step of this process. The ability to gather “events” is crucial – without it, the incident could be missed. An organization has to know the sources of the events and what their meanings are in order to validate and event and move into the incident handling process. The best piece of advice anyone could get here is “log… and log everything.” Without logs you can and most likely will miss the event that leads to your incident. The last thing anyone wants is for an outside company to discover the incident before you do as a company.

To help you could come up with cheat sheet to assist your employees in identification of incidents.

Incident Handling

Here is where we stop the bleeding. Once the incident has been identified assemble your strike team, move in, and eradicate the incident. Here is where preparation comes in:  if the documentation is in order, including the procedures on how to handle different types of incidents, then dealing with them in a rapid and efficient way will be a snap.

Recovery

“Simply” put things back to normal. Make sure that back to normal does not include the risk that was abused in the first place to create this incident. In a cyber incident this normally means rebuild from scratch. Be careful if you decide to restored from backup, if can not or have not identified exactly when the breach or incident happened, you could restore back to the bad state and have to start all over. It is best to restore your configurations from your configuration management system.

Lessons Learned

Take what you have learned from this and return to the preparation phase and make modifications as necessary. These modifications could also mean changes to the production systems, the physical environment and even the training you give your employees. Sometimes these changes could seem silly, but you still need to heed the warnings and make the change.

http://www.knowledgetransfer.net/dictionary/ITIL/en/Incident.htm

http://securosis.com/2008/08/20/the-best-incident-response-training-you-can-buy-for-free/

http://darkreading.com/security/attacks/showArticle.jhtml?articleID=212902962

Welcome to the Security Catalyst Program – bringing you the ideas, insights and tools necessary to change the way people protect information. I am Michael Santarcangelo, your personal catalyst on this journey. Thanks for listening!

On today’s program, we explore Certification and Accreditation with the help of three experts who share an absolute wealth of knowledge.

A few quick notes

1. Into the Breach is available as an eBook and signed Hardcover from www.intothebreach.com Learn more about how to engage users, restore responsibility and hold people to account. In fact, this book lays out how to reduce costs without increasing risk, turn insiders into allies and manage people, information and risk better.

2. For 2009, I am excited to announce the expansion of the Security Catalyst Blog – with the awesome Catalyst Contributors. Visit the blog each day to get a fresh perspective

3. I’m in the process of revamping the podcast series for 2009. I know a lot of people are struggling – and in addition to being a voice of optimism, I’m building a team to share information and strategies necessary for making a difference this year. If you want to contribute, or if you are facing a challenge and need some help – shoot me an email: securitycatalyst@gmail.com

Stay tuned for more information.

For today’s program, I am joined by Mike Smith, Graydon McKee and Joe Faraone to discuss C&A.

Links at a glance

The presentation that started the idea for this episode: http://www.slideshare.net/rybolov/why-care-about-government-security?src=embed

Graydon, Joe, and Mike teach 2-day C&A workshop and a 5-Fridays NIST Framework for FISMA workshop for the Potomac Forum. http://www.potomacforum.org/

Graydon’s blog: http://www.ascensionriskmanagement.com/BlogOne/

Papers and presentations: http://www.ascensionriskmanagement.com/BlogOne/paperspresentations/

Mike’s blog:http://www.guerilla-ciso.com/

Papers and presentations: http://www.guerilla-ciso.com/papers-and-presentations

The most relevant NIST publications are special publications 800-37 and 800-53, available here: http://csrc.nist.gov/publications/PubsSPs.html

About the Experts

Mike Smith

Michael Smith is a Manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, where he leads engagements to provide security services to both commercial enterprises and government agencies. Prior to Joining Deloitte, Michael served as the Chief Information Security Officer with the Unisys Federal Service Delivery Center based in Reston, Virginia.  His scope of responsibility included both providing governance and managing risk for several data centers, Security Operations Center, Network Operations Center, and Server Management Team.

Graydon McKee

Graydon McKee is the Vice President and Chief Operating Officer of Ascension Risk Management LLC.  Graydon is an accomplished Risk Management/Information Security professional with extensive experience in developing and implementing Information Risk Management and Information Security Programs to clients in both the public and private sector.  He is a recognized leader in government regulatory compliance (Federal Information Security Management Act and the Defense Information Technology Security Certification and Accreditation Process compliance) and has taught the process to over 2,000 individuals representing over 600 federal government agencies and offices. 

Joe Faraone

Joe Faraone is a Senior Information Security Architect with GCI Corporation, based in Reston, Virginia with over 20 years’ experience in Information Security. Joe has delivered services for numerous Federal customers including Certification and Accreditation support, Security Governance Gap Analysis and Independent Validation and Verification (IV&V).  Over his career, he has served as Lead Independent Security Engineer, Manager and Architect of a managed security center for an Intelligence Community Agency, and has performed Certification and Accreditation services for several high-assurance systems.

By Ron Simmons

During the last few weeks I had the opportunity to meet and speak with a very diverse group of people. In the process, I learned some important lessons. When it comes to lack of security there are many varying opinions on the subject. Some people suggest “people are stupid,” while others say “there is no accountability or ownership,” and still some say it is a lack of education or knowledge, then there is the “oh well, I will accept that risk”. The challenge is, knowing which one you are dealing with at that moment in time and how to best resolve the issue and move forward in a secure low risk environment.

People are stupid – (not a chance)

I am a firm believer that people always mean well. However, some of them can have warped definitions of meaning well. This is where education, responsibility and accountability come into play. If there definitions are “off” then it is up to a mentor, friend, co-worker, Webster’s, or whoever to help and assist them in changing their paradigm.

Lack of Education/Knowledge

Easy to work with, as long as the person you are working with understands this. Hopefully you have chosen a person for the job that knows their limits and will stand up and say “I don’t know”. If not, one of the best ways to work around this is the power of suggestion. Simple…..

Accountability

There is too much accountability running around today. For every problem it seems that the government(s) needs to put down some law that requires accountability. Had it worked so far – I think NOT. Let’s try moving this paradigm from accountability to enforcement of the laws that are already on file. It is not always understood that it is the spirit of the law that matters, not what is typed on the paper. I have even seen government auditors fail in this. I will leave it to the legal peeps to fight over this one.

Risk Acceptors – Nothing but $$$$$$

These are the types of decision makers that should be smacked upside the head. It doesn’t matter how much the $$ is, it’s just not the right thing to do. However I will admit that some risks, ones that do not affect other lives, can be acceptable.

The point is simple 

We, as a diverse group of professionals, need to look at each situation and attempt to change our focus from blame to responsibility. There is no silver bullet to solve these situations. Your path can only be determined by you — taking into consideration the situation, the people responsible and accountable for the data. What it all boils down to is people and change… plain and simple.

I know I have missed a few of the “reasons” that are used when moving a production system into production with “risks”, but hopefully this short list can stir up some more conversation about this topic. What do you think?

 ”It’s not communication unless the message sent is the message received.”

Wise words from my father. The quote may have originated elsewhere, but the words ring true. Too often, we fall into a trap where once we have “sent” the message, we expect that it was “received”. How do we know? Do we really *want* to know?

 Let me demonstrate:

Recently, my team was charged with placing a way to securely send emails to customers, clients, and partners. Additionally, the solution would need to scan the content and attachments for information the organization wanted to leave only in a secure fashion.

Once implementation was completed, marketing announced the arrival of the tool and how it could impact workflow, taking extra steps to give it a positive spin. To help reduce false positives, we passively monitored and modified settings as needed, then after a few months the system was activated and blocking began. We knew no system was perfect and occasionally communications are prevented that shouldn’t be, so we gave a method to bypass the secure mechanism. The message flow looked something like this:

1. Secure device receives email and encrypts if requested
2. If not requested, scans email and attachments for sensitive data
3. If sensitive data found, blocks email from being sent and provides example to user showing how to send securely or bypass the mechanism if appropriate

Almost immediately, my team received responses from individuals with blocked messages calling the service “stupid”, “idiotic”, or “a waste of time”. Comments were sometimes followed by personal insults as well, even though they were sent to a distribution list with no specific personnel attached.

As I’d only recently joined the organization, I had an extremely difficult time not taking the responses personally despite the fact I had nothing to do with the secure messaging implementation. While I suspect the perceived disassociation of sending to a distribution list instead of more personal contact encouraged the comments we were receiving, it didn’t make them any easier to read.

However, after putting my feelings aside, I started analyzing what the users were trying to communicate and quickly discovered a common theme:

Despite being given an example in the blocked notification, users were frustrated because didn’t know how to use the bypass.

I began digging deeper, trying to figure out *why* the example, and hence the communication, was not effective. It turns out the automated response was extremely wordy, difficult to understand, and very passive-aggressive in regards to auditing and consequences. No wonder we received such heated replies!

I’m in the process of revising the automated response. In addition to making the information more concise, we’ll also being redirecting users to the Help Desk if they need immediate assistance. Once the Help Desk staff is trained on how to respond to their customer’s issues, I hope satisfaction with the secure messaging tool will increase greatly. If it doesn’t, I’ll wash, rinse, and repeat the analysis cycle again to find where the new shortcomings are. Because really, it’s not communication unless the message sent is the message received.

Donald L. Pipkin, CISSP, CISM, CISA, Owner | Halting the Hacker, LLC

“Michael is a gifted security practitioner with a unique combination of security expertise and the ability to communicate complex concepts to a wide variety of business and technical people.”

– Jeffrey Margolies, Partner | Accenture