
Have you considered engaging a professional speaker to turbo charge your efforts?

As we near the end of the year, I’m advising friends and clients on successful strategies to address their current challenges around improving their security programs, how to reduce the cost of compliance, and engage their people in security awareness programs that get results!

Several of my clients have started to book my keynotes and training programs using end-of-year budget; they view this as the perfect way to kick-start their programs next year. Obviously, I’m biased - but I happen to think this is a good idea.

Engaging me now for a keynote or day-long program brings you my experience, passion, energy and allows you to benefit from the research and effort that has gone into writing the book (http://www.intothebreach.com/into_the_breach.htm).

If you’re ready to engage your people, I’m ready to help you. You can call me at 800.996.8351 and ask for Ffion (FEE-ON). She’ll be more than happy to help you and arrange a time when we can speak.

What do people have to say about my programs?
I take great pride in being able to bring everything I have to each and every engagement. If you’ve worked with me in the past, you’ve experienced my passion and contagious energy. You can read some really appreciated endorsements of my efforts on my profile at http://www.linkedin.com/in/securitycatalyst

“Michael is a rarity in today’s world. He is a fountain of personal energy and knowledge that shows no sign of drying out. Even better than that, his sincere desire is to help others understand information protection concepts for their own personal betterment and for the betterment of the security community as a whole. Michael’s communication style is unabashedly straight-forward – cutting through the mess, and getting right to the point. This makes him a great presenter, coach, or sounding board. I truly appreciate Michael’s contribution to the security community and am grateful he is out there actually *doing* what so many of us talk about, but never seem to actually attempt.”
Mr. Carpenter
Information Security Manager

What are the most requested topics I speak on?
As a professional speaker and member of the National Speakers Association, I work with you to customize a program that meets the precise needs of your audience and delivers the results you need. I bring over a decade of in-the-trenches experience, combined with the breadth and depth I demonstrated as a top CISSP instructor, and deliver it in an engaging, entertaining and simple-to-understand way.

Each of these programs can be tailored for your audience. Call me to explore how I can help you solve your information protection challenges or for program summaries.

Mind the Gap
Journey into the breach, protect information and reduce the cost of compliance

Speak with impact!
Communicate security so they really get it

Awareness with Attitude
Developing the mindset for protecting information

Punching Above Your Weight
Get executives to care without peddling fear

Staying Safe (Without Wires)
Protect your information, your identity and your children

Training workshops
I have developed these training programs based on my experience in providing opportunities to engage, understand and practice. If you are looking for clear results from a training session, I invite you to consider:

Results-driven Information Protection Through Leadership (one-day program)
Learn the process-driven approach to improved security, lower costs and higher value

Speaking About Security (two-day program)
Communicate effectively and engage your audience in information protection

Engage. Empower. Enable. (one-day program)
Develop effective awareness programs that connect with your colleagues

See me in action (Video Demonstration)
Actually, the video I currently have is pre-triathlon training; while it shows my passion and energy, it’s time for an update. This means an opportunity for you. I’ve already reached out to some clients about a barter deal in return for high-quality video capture.

If you have the ability to record my keynote or training session this year, then we can make a deal!

What does it mean to be a professional speaker?
First and foremost, it means that I have met the requirements to join the National Speakers Association as a professional member, and I abide by their code of conduct and ethics. Being a member of NSA is not required to be a professional speaker, of course, but it does demonstrate I have achieved a level of success in this pursuit.

As a member of the National Speakers Association, I have the privilege to work with and learn from some of the best and most gifted communicators in the world. All of that learning, practice, feedback and insight goes back into the efforts I bring to you.

As a professional speaker, I actively study the elements of successful communication. I focus on how information becomes understanding - and specifically on how to guide understanding into action. This is a true passion of mine, and I have developed the Security Salon as a direct result. I’ll share more about the salon with you in the coming months.

When you engage me to work with your team or audience, I leverage my skills and experiences in a way that delivers you a program focused on your success.

Each and every engagement - speaking or training - receives extensive preparation and planning. Each message is tailored to your group and crafted to connect with the audience. Depending on the audience, I prepare customized materials and handouts or structure hands-on opportunities to work with the information and experience I am sharing.

When you hire me as a speaker - you get my insights, my passion, my experience and I always bring my contagious energy and can-do spirit.


How to Create a Security Team for $4.95, Plus Tax

In addition to getting to break things in order to help our customers prevent assorted miscreants from doing so, one of the many hats I wear at QuietMove is the amorphous responsibility of ‘business development.’ In English, that means I identify organizations that could benefit from our services, sometimes travel to visit them, often buy them lunch, and explore ways we can help them. Though my background is technical, it’s something I’ve really grown to enjoy because I find it interesting to learn about different industries and business models and their unique security challenges.

That said, I’m often surprised by some of the organizations I visit – it’s shocking that some of the largest organizations in critical economic sectors don’t have security organizations, don’t have security programs, and don’t even have a single person for whom ‘security’ is part of their job description. In other cases, there’s a single ‘security’ person with no budget, staff, or authority. I’ve been that guy, so if that’s you, I feel your pain. I’d like to share an anecdote with you about a large company I visited last week who is in the former category – no security organization at all. If your organization has no security-focused staff, or if you’re the one guy or gal whose shoulders it all falls on, I’m also going to share a strategy for moving your organization in the right direction.

The Meeting

It was a pretty exciting morning – I was heading to an initial face-to-face meeting with a potential customer, one of the largest mining companies in the world. My initial contact was with a gentleman who managed their server environment. At my urging he also invited their application and network teams. The meeting was scheduled to discuss assessment activities – something they hadn’t been doing, and didn’t have the expertise or tools to do in-house. I asked him to invite the other managers because it was important to get their buy-in, and also because our customers get the best value when we test all attackable surface areas.

What I heard during the meeting was one of the variations on a common theme - each group ‘owned security’ for their sphere of responsibility, but there were no overarching standards, and minimal to no coordination. These guys were all professionals – the problem was organizational. Their company didn’t see a need for dedicated security resources.

Well OK, almost all professionals. One of them questioned what they had that was worth someone breaking in to steal. The look from his colleagues was as if he had said his company possessed nothing of value, which is more or less what he said.

I pointed out a few things – they’re a mining company, so the list of what sites they are considering buying or leasing because their geological analysis said it would be a good spot was definitely worth something to their international competitors. Also valuable are their supplier lists, customer lists, and employee information, not to mention their reputation.

If it’s Everybody’s Job, it’s Nobody’s Job

Those who know me well, know I have a tendency to devolve a conversation into pedantic comparisons to obscure philosophical and/or historical topics. Lucky for you, Dear Readers, I’m too much of a lazy typist to inflict this habit on you – for too long.

The attitude at the mining company I visited was that security was “everyone’s” job. That may be, but without guidance from an accountable party, there is no incentive for anyone to perform something that they aren’t being measured against.

I’d like to paint a comparison to the relative physical security of a shopping mall vs. a public street. Shopping malls have a financial incentive to police their premises. After all, most people wouldn’t visit a mall after being mugged at spork-point in the food court after the first time, forget about the second. As a result, mall owners will set stricter codes of acceptable behavior on their premises than you’d see on a city street. Meanwhile people will litter the ground with cigarette butts, soda cans, and chewing gum in public places with a frequency you’d never see in their own home.

This is an important side effect of the concept of private property – with ownership comes responsibility. We see the same attitude in the workplace – when security is the responsibility of ‘everyone,’ it’s really owned by no one. People are measured on the performance of their primary job responsibility – meeting development deadlines, system uptime, etc. There is no central coordination of standards, no one who ‘owns’ testing controls, no security metrics, and ultimately little to no security.

Create a Security Team for $4.95, Plus Tax

That’s about the going rate for a dozen donuts. Yes, it’s that easy.

Back to the mining company – I realized that they had a long way to go. Since they didn’t have enough management buy-in for security to form a security organization, had no budget, and no ownership of responsibility, I shared a strategy whereby they could create one using the resources they have available now – themselves.

My suggestion was to pick trusted, interested persons as Single Points of Contact (SPOC) from key parts of their organization, schedule a conference room plus a dial-in conference bridge number for those at different locations, and invite them all to an informal monthly brown-bag lunch.

Pick out a news story related to a security incident or breach at another company from the news - a good place to look is the SC Magazine Breach Blog - and email it to everyone ahead of time. The purpose of the monthly lunch is to do some tabletop war gaming. What you’ll want to discuss is, if a similar incident affected your organization, how would you respond? What controls are in place to detect it? Who would be notified? What actions would be taken?

There are three goals for your Computer Incident Response Team (CIRT) meeting:

1. Identify a Single Point of Contact (SPOC) and backup contact for each part of the organization that should be involved in an incident or breach. In addition to identifying a contact and backup from system administration and network teams, don’t forget to pick points of contact from groups like telecom, finance, human resources, public relations, physical plant security, and any other towers you think you can pull in. Make a phone list, including cell phone numbers, and distribute it to all members.
2. Build an ad-hoc team that can respond to incidents, by building rapport and familiarity. This is an important point – a phone tree does not a team make. The team will learn to work together, and learn what roles they can play in incident response.
3. When (not if) an incident affects your organization, you will have already run through similar scenarios in your tabletop wargaming exercises. You’ll have a response team consisting of members of each part of your organization that might be affected. Most importantly, you’ll have the resources to effect a coordinated response.

Don’t forget the donuts.


The One Minute Security Manager

Security has a bad name. Whenever I say I work in security, people get paranoid, assuming that my job is to block whatever good work they are doing in the name of security. Plus, in many organizations, security is a one-way street. Information goes in, but never comes out. There’s no information sharing because neither side wants to disclose their “secrets.” It’s time to change this negative connotation for security.

For my entire security career, I’ve been exploring ways to improve the image and effectiveness of security. Also throughout my professional career, I’ve been studying leadership. Recently it dawned on me (while reading Seth Godin’s The Dip) to put the two together. One of my favorite leadership books is The One Minute Manager by Ken Blanchard, Ph.D. and Spencer Johnson, MD. There is no reason why we can’t use the ideas in The One Minute Manager to improve our security practices.

1. Set Goals – What are you trying to protect? What is your security program trying to accomplish? You can’t protect everything, so you need to pick your battles. In my goal setting, I use the risk equation of risk = impact × probability (see Risky Business post). This helps me determine the lowest-hanging fruit that has either the highest impact or is most likely to be affected by a security issue. Write and publish your goals. This lets others see what you’re up to. Also, take a minute every once in a while to read and re-read each goal to determine your progress.

2. Praise Good Security – Praise people immediately to their face (if possible), telling them and others how they improved security for themselves or your organization. Be specific and let them know how good you feel about what they did right and how it helps the organization. Encourage them to do more of the same. This is where we in security often fall short. We only see the bad, where security is lacking, and are not catching people doing things right. That’s only half of the picture. This also helps put the overall security of the organization in perspective. In one of my first security jobs, my VP said, “Our security sucks.” I responded, “No sir, we have good security, in pockets. Our challenge is to make it consistent across the company.” By praising good behavior, we are encouraging more of it.

3. Explain opportunities for improvement – We all sometimes fall short of our expectations and goals and need to be reminded of them. In the book, this is referred to as the Reprimand. Security professionals and auditors often fail here and don’t do it right. We either don’t find the root cause, don’t address the right people, or don’t collaborate on solutions. The way to do it is: (a) make sure you have the right people who are responsible for the problem. Sometimes we misplace blame or don’t tell the real person responsible. (b) Tell them immediately, specifically where they fell short. (c) Brainstorm with them on ideas and suggestions for improvement. Don’t tell them how to do it, but collaborate on the opportunities for improvement. (d) Reaffirm how important they are to the security of the organization. It’s critical here to make sure that you are addressing the problem and not the person. Also, you should be working with the people to ensure the correct solution is in place.

Taking these three steps should increase the credibility of your security services and reduce the negative feelings. It will promote collaboration that provides buy-in from critical resources, improving the security practices of your entire organization. Of course, I’ve only scratched the surface of The One Minute Manager. All security professionals should read the book and use its techniques to better manage their security programs. Lastly, continue to use the SecurityCatalyst forums to share your ideas.

By working together, we all become stronger.
