Into the Breach – Audio Series – Chapter 8 (Measuring Success)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. Click this link to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 8)

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot have been shared – and now it is time to measure success.

So how do you measure what matters so you can communicate what counts?

In this chapter, “Measuring Success,” Michael draws on his background in social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.

Learn how to measure what matters and communicate what counts.

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going, support the shift in thinking and inspire behavior change by:

  1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
  2. Subscribing to The Security Catalyst podcast & blog to get more insights
  3. Learning more about The Catalyst Foundation Series – proven success for security initiatives to excite, ignite and turn insiders into allies who reduce business risk!

Go deeper Into the Breach with Michael Santarcangelo with EMC

Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. Learn how to harness the power of your people to inform and improve the risk management process in a matter of weeks. Go to www.configuresoft.com/securitycatalyst today to register now, listen to the recorded sessions from before and get access to the latest session.

On tap at The Security Catalyst for February

Greetings from Myrtle Beach!

Extra! Extra!

February at the Security Catalyst Online

We did it.

The house is rented. We packed, sold or donated most of our “stuff.” We loaded up the RV and headed south.

More important, we are liberated. I feel grounded, connected and free.

The purpose of this change is to live simply and engage with more people – to seek experiences over “stuff.” Part of our focus on learning and living deliberately allows me more time to focus on the programming and content we provide through the Security Catalyst Online Experience.

In addition to our contributors’ powerful insights forged in the trenches (more below), this month we welcome some guest voices (and topics).

On tap for February

Our contributors have some great insights to share, including:

  • The key to effective communication and overall success when working with others, from Trish
  • Martin explains how disruptive change, when well planned, crisply executed, and continually adjusted, can enable organizations to “jump the curve” and function well above where they were previously
  • Why we need more attention focused on the consequences of actions, with a challenge to help prevent and reduce fraud, from Sharon
  • Using compliance to your advantage without doing damage, from Dennis: decision makers may be more willing to spend money on information security within the context of a compliance effort, but they may also be more open to education and awareness efforts
  • Aaron shares how to avoid a legal “500 error” with privacy policies

And I’ll be climbing back into the writing saddle – and sharing my focus for the year with the awareness that works™ column.

Guest Voices

Craig Nelson – a good friend from the beginning of my career – chimes in with his insights on how businesses can determine if “the cloud” is right for them.

We might sneak in another guest voice or two (and try to convince them to stick around for the balance of the year!).

Engagement is the key to success

I invite you to read, consider and engage: likes, dislikes and constructive challenges are welcomed!

Connecting and engaging in person is a rich experience, indeed.

To that end, we’ll be leaving Myrtle Beach in the middle of February and traveling to San Francisco with stops planned in Atlanta, Dallas, and Phoenix.

Are you along the way?

If so, I’d love to explore how we work together.

Security From Scratch: Getting the Lay of the Land

by Dennis Kuntz

“You rush a miracle man, you get rotten miracles.” – Miracle Max, from The Princess Bride

When building Security from Scratch, the challenge is in understanding the situation from the start. Once the team is identified and assembled, the focus shifts rapidly to getting a handle on the security posture of the organization. This is not an “assessment” in a formal sense, but it is more involved than simply checking for a firewall and antivirus.

Each situation is unique, but here are the areas I consider in my tactical review so I can understand what challenges lie ahead and form my plan of action:

  • Information Security Policy
  • Network/Perimeter Security Posture
  • SDLC Security Policies/Procedures/Practices
  • Applicable Compliance Requirements
  • Security Awareness

I’ll share my approach and thinking below – but want to hear from you, too. Are there other areas you would include, avoid or otherwise consider? Leave a comment or send an email and we’ll expand together.

Information Security Policy

This is an area open to debate, but I like to check for and review the existing security policies. It provides insight into what, if anything, has been done. It generally provides clues, too, to why decisions were made.

I’ve found two major approaches to Information Security Policies:

(a) a monolithic approach where the policy encompasses all areas with details

(b) a piecemeal approach where you have a very general document that references more detailed documents.

If I get to choose, I prefer the piecemeal approach. It allows employees to get an overview of the policy and all of the areas covered, without overwhelming them with too much all at once with one huge document they’ll never read.

With the “piecemeal” approach, the details can be spelled out in the referenced documents that are easier to draft, update, and distribute.

Understanding the current approach and structure helps form a picture of the current environment. Here are some questions to ask when considering the existing Information Security Policy:

  • Does a policy exist?
  • Who wrote it, is it strictly boilerplate, and/or has it been reviewed by stakeholders and approved by management?
  • Are the policies being followed?
  • How are changes made/approved?
  • Who currently maintains the policy?

Network/Perimeter Security Posture

Now, while I suggested that just checking for firewalls and antivirus isn’t enough, that doesn’t mean they should be skipped. It’s too easy to limit one’s assessment of security posture to just those kinds of elements, but they are definitely something that should be included.

In addition to getting a good idea of the network architecture (diagrams, etc.), here are some questions to ask regarding the network and perimeter security posture:

  • Is remote access allowed? If so, how – VPN, SSH, nothing?
  • Are firewalls, WAFs (Web Application Firewalls), and/or IDS/IPSs employed? Where? Who manages/maintains them and their rule sets?
  • Does your company have/maintain a DMZ?
  • Is wireless access allowed from your premises (including both network access as well as “open” wifi)?
  • Does your company have any resources/assets in “the cloud”?
  • If in “the cloud”, what control does your company have over the security of resources, vs. those that are simply “built in” to the services offered?

This is obviously not a comprehensive list (if you think I missed something key, drop a comment).

The main focus is to get a tactical understanding of the network and potential points of exposure. While tactical, this allows the identification of strengths and weaknesses in the current layout to form the path to advance the posture.

Once the tactical review is done, it is important to run internal and external assessments to test the baseline performance of the existing controls. Ideally, this should include both comprehensive vulnerability assessments as well as comprehensive penetration testing. This can be easily handled in-house if budget is a challenge.

SDLC Security Policies/Procedures/Practices

It should be obvious that for companies that conduct business on the Internet, develop software, or have any measure of internal development, SDLC (System Development Lifecycle) practices are important as they relate to security.

However, this also matters to companies with only a web site that was created externally and is hosted/maintained by a third party ASP (Application Service Provider), with no internal development. When getting the lay of the land, take a look at the accepted development practices to make sure they take appropriate security measures into account.

Here are some questions you can ask:

  • Who “owns” the SDLC?
  • Is security specifically addressed in any SDLC documentation, especially regarding applicable best practices (e.g. OWASP Top 10 for web application development, buffer overflows for vulnerable languages, etc.)?
  • Is there any formal secure development training available for developers?
  • If third parties/outsourcing is used for development, are security practices published and/or open for review?
  • What is the current state of security awareness among the developers, architects, etc. (this can be assessed by one-on-one interviews with developers, architects and managers)?

As with the Network/Perimeter Security Posture section, being able to run assessments and have penetration testing done will go a long way toward establishing the effectiveness of current controls.

Applicable Compliance Requirements

If the company is subject to any compliance requirements, it is vital to establish the current state of compliance. I will be covering this topic in more detail in a later post, but here are some questions you should ask:

  • Is the company subject to government compliance (SOX, HIPAA, etc.)?
  • Is the company subject to non-governmental compliance, such as PCI-DSS?
  • Does the company need to remediate any recognized compliance violations and/or is there a deadline for any existing compliance efforts?
  • Regarding existing compliance efforts, where/how far in the process is your company?
  • Who or what department oversees any given compliance effort?

As noted in the first installment of this series, establishing relationships with other departments – especially regarding compliance – can go a long way toward achieving your company’s compliance goals.

Security Awareness

While “Security Awareness” can mean different – and specific – things to different people, I’m referring to it here in more general terms. In essence, you need to take a look at your company’s current behavioral and cultural stance and openness toward information security. Here are some questions you should ask:

  • How much support will you have from stakeholders? From management? From everyone else?
  • Related to the previous question, how much latitude will you have in making decisions – will you get to run the show, or will you end up having to be an order-taker?
  • Is your position the culmination of a concerted effort to “become more secure”, or is it the result of a begrudging attitude to achieve a bare minimum? This one may take some effort to answer honestly.

Turning Your Eyes Toward Defining – and Achieving – Success

Once you have all of this in place – your team and a good idea of where you are – you can begin to understand what is needed to define “success” and the metrics needed to quantify that success.

Amplifying the Good: The Security Catalyst Online Experience 2010

As the snow starts to cover the ground in Upstate New York, my thoughts are already turning to the year ahead. I’m not at all disenchanted with the Holidays; I’m just excited about the journey ahead with the Catalyst onTour RV adventure. Equally exciting to me is the programming that will be presented by the Security Catalyst in 2010.

The Security Catalyst is designed to be a clearinghouse of bright ideas from a collection of passionate and thoughtful professionals. I believe that more voices, more perspectives, and more discussions are essential to influencing the positive change we need. To that end, we have spent the last few months sharpening our focus – based on the needs of the industry – and developing themed columns and a revised approach to producing readable, actionable content.

We will introduce the bulk of the series in December, and continue rolling out new features and opportunities to engage as the year progresses. So as I travel the country to meet with as many people as possible, we will shine an increasingly bright light toward the future on the pages of the Security Catalyst Online.

The Security Catalyst Online Experience: Amplify the Good

Our mission is simple: amplify the good. A dozen contributors give of their time and experience to help advance the profession. Take a moment to consider the diverse programming prepared for 2010. Each of the contributors spent a few weeks developing a column and outlining key ideas and concepts to guide what we share in the coming year.

We’re working on a production cycle and are implementing a peer review process in 2010. In the coming weeks, I’ll showcase the contributors, reveal more about their series and provide the opportunity to engage with them – for the benefit of everyone!

We welcome feedback – comments, questions and challenges – to help shape our efforts and provide outstanding value for you and your efforts.

Security Social Worker — by Trish Smith

Trish Smith explores the perspective of a licensed MSW on the information security field. In the overall spectrum of topics, which all center on the juncture of technology and people’s thoughts, feelings, and behaviors, Trish’s focus will be on people and how to turn a change concept into reality.

Foundational Identity Management – by Ioana Bazavan Justus

Ioana Bazavan Justus will share her extensive experience in implementing Identity Management at Fortune 50 companies in a 14-part series that is focused not on the technology, but on the process pitfalls and data preparation – the aspects that, if ignored, will make an IAM implementation fail. I’ve known Ioana for over a decade, and her ability to understand, explain and get results is amazing. I’m really excited about this series.

Organized Fraud Prevention – by Sharon Shaw

Sharon Shaw is more than an expert on preventing fraud – she is passionate about sharing ideas, insights and strategies that bring a new focus by explaining the (sometimes hidden) challenges every organization faces. She then provides thoughtful, straightforward solutions.

Leading from the Front – by Martin Fisher

Martin Fisher is a leader (my word, not his) that has engaged me in great conversations about leadership, management and the future of the industry we both serve. He’s agreed to share his thoughts and the secrets of his success to help influence positive change in 2010.

Security From Scratch – by Dennis Kuntz

Dennis Kuntz is gifted in a lot of ways, and I originally wanted to call this the “one man band” given his musical prowess. However, since he’s embarking on an effort to build security from scratch, we deemed it to be a more fitting title. We’re still tweaking the outline – but the goal is to harness collective experience and provide clear insights to the challenge many of us face: building security into an existing organization. Where to start? What to do? And what really matters… tune in and find out.

The Privacy Advantage – by Aaron Titus

Aaron Titus is focusing on the positive aspects of privacy. Instead of dwelling on the shortcomings of privacy, Aaron will set forth the keys to turning a focus on privacy into an advantage.

Security… Psych! – by Jeff Kirsch

Jeff Kirsch blends security with psychology – not only an interest for him, but a vocation for his wife. Jeff will share insights that improve the way we practice security based on how we think, behave, and learn.

Managing Your Compliance – by Jim McFee

Jim McFee knows compliance. He knows audits. As someone who has sat on “both sides of the desk,” Jim is ready to share two decades of experience on how to set up and run an effective compliance and audit program. The emphasis is on how to actively manage audit and compliance for outstanding – and harmonious – results.

Awareness that Works – by Michael Santarcangelo

Starting in January, Michael Santarcangelo (your humble Catalyst) will share his unique and effective approach to building “awareness that works.”

Ioana got started in November, and the balance of the contributors will introduce their columns this month, with a nugget or two to ponder and digest over the holidays. By January, we’ll be running full tilt – loaded with ideas, insights and success for 2010.

Continue Playing

by Jeff Kirsch

In “Playing Games”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: Capture your opponent’s king and force him into a position known as “checkmate.”

During the game, opponents take turns moving one piece at a time until a player is considered to be in “checkmate”, meaning he can no longer move his king. An interesting element is the need to notify an opponent when they are one move away from being captured by declaring “check.” This is a great game rich with strategy and nuance, with more details here.

So how does chess fit into my “plan ahead” strategy?

If a player simply moves pieces on the board without thought as to how her opponent will act, pieces will be captured easily, leaving her with a weaker offense and defense. Opponents must be evaluated on how they will move; offense must be based on anticipation of defense. Chess is a game where there are two opponents with an obvious adversary, and the less obvious self. Those who properly anticipate the other player position themselves for maximum advantage.

The act of protecting information is similar to the practice of protecting the King. Those who seek to attack the protected information are opponents, and they consider what they are doing a game. I’m not suggesting that we treat it as a game as well; rather, what is important is the strategy required for both.

Understanding that we are at a disadvantage from the start is key to devising our strategy. Our opponent needs to remain undetected until they have what they need. If they are discovered too early, the chances of achieving their goal drop dramatically.

Embracing Manjoo’s Madness

by Dennis Kuntz

There was a little bit of a buzz recently regarding an article on Slate called, “Unchain the Office Computers! Why corporate IT should let us browse any way we want”. It’s basically a litany of complaints about how the IT department, “that class of interoffice Brahmans,” decides “ridiculously and capriciously, how people should work”. Very clearly it wasn’t going to win a bunch of fans from the Security Twits lurking around on Twitter’s infosec community.

The author’s rants run the gamut from legitimate beefs to notions that would make the most incompetent infosec employee cough up a hairball. He also seems to be completely unaware of the myriad legal, HR, and compliance bogeymen that serve as drivers of so many security policy restrictions. All of that, coupled with what seems to be a disrespect (or at the very least a disregard) for the skills, responsibilities, and intentions of your friendly IT worker, would certainly make him a difficult customer. Who wants to deal with that?

A lot of the reactions to the author’s opinion were expected and understandable. If I recall correctly, “clueless” and “dangerous” were at least two of the words used to describe it. I don’t necessarily disagree with this either. The point of this post is more about what comes next: Do we, as those “interoffice Brahmans” simply thumb our noses at a very rash and simplistic view of the whys and hows of security-and-policy-minded restrictions, and tell the author to get the USB key that he found in the parking lot out of his PC and get back to work so that we can get back to saving the world from the l33t h4×0rs whilst doing the Dew? While not everyone would take that tack, let me suggest a different approach anyway.

The author, Farhad Manjoo, represents reality. He’s a real person who uses real technology in the real world. And he’s frustrated. He also represents a pretty wide view. In a Cisco-commissioned study on leakage prevention (get the papers here, and a decent summary here), it was discovered that:

“The majority of employees in eight of the 10 countries surveyed indicated that they believed their company’s security policy was unfair or impeded their ability to do their job. Employees with more access to collaborative Web 2.0 applications and social networking sites, video and mobile devices, expressed that they increasingly used these technologies in the workplace but were frustrated with rigid or outdated IT security policies that limited their use.”

With that, we need to accept that he and people like him are our customers. Rather than slough off Mr. Manjoo’s opinion as just being one of the uneducated masses, I contend that it’s our job to listen to his opinion and address it appropriately:

  • If the reasons for a particular policy are draconian or reactionary, they should at least be reviewed, if not changed/updated or eliminated.
  • If the reasons are justified (“justified” here does not mean “because we, the Brahmans, said so”; it means a very real, pragmatic justification for which there is not a reasonable alternative in order to protect the data/assets), then they need at the very least to be explained. Education and continued relationship- and awareness-building would be even better.
  • If the policies really cause them to not be able to do their jobs (which does indeed happen), our job – and one of the aspects of it that makes what we do so cool, challenging, and fun – is to think creatively of how to allow them to do their jobs while keeping the data/assets safe.

I say let’s bump things up a notch: Make it a point to seek out your own personal Mr. Manjoos, embrace them, and convert them. Difficult customers, once converted, can become some of your greatest supporters. They might even spring for the Dew.

Into the Breach – Audio Series – Chapter 2 (People Just Want to Do Their Jobs)

Episode 3: Into the Breach: Chapter 2 (People Just Want to Do Their Jobs)

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 2)

Chapter 2 reframes the challenge with powerful insights about the way people “just want to do their jobs.” Michael introduces what he calls the two principles – a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, “Compliance is not a video game” and reveals that a common approach of “exclusion” is creating more harm than good. The chapter wraps up with a discussion of “the human response to pain” – with a common example played out in organizations everywhere.

Go deeper Into the Breach with Michael Santarcangelo on September 16th

On September 16th, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will:

  • Reveal the ideas and concepts that may have been pared from the chapter you just listened to
  • Expand upon or update the elements in the chapter you just listened to
  • Answer questions in a candid and direct style – focused on delivering insights that lead to results

Go to www.configuresoft.com/securitycatalyst today to register now, listen to the recorded sessions from before and get reminded to join in for the September session.

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going, support the shift in thinking and inspire behavior change by:

  1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
  2. Subscribing to The Security Catalyst podcast & blog to get more insights
  3. Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV (dates now in Alaska, NYC and working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)
Get SMART About Your Security Awareness Program

by Joe Knape

There are a lot of opinions about security awareness programs: what they should look like, what they should cover, whether they work at all, etc. Recently you’ve even read a few posts on the Security Catalyst blog about awareness training. In addition, there has been a lot of “research” and pontificating about why security awareness messages seem to consistently fail in their desired mission and what changes can be made. This research typically focuses on the psychology of the end user and how to craft the message for specific audiences to make it more effective. With all due respect to my fellow Catalyst contributors and to all the awareness “experts” out there, I think they miss the point. The point of security awareness programs is not to see how cool, hip, or clever the message and the delivery method can be, but to change the way people think and act about information, both their own and others’ when applicable. The point is to get people to want to protect that information from prying eyes or accidental disclosure. What I recommend is that instead of looking deeper into the psychology of the user, or trying to find the next viral communications technique, security awareness program developers should look at methods and messages from other areas where communication to a vast number of different people has been necessary and where those messages have been effective over time.

For example, how many of the following messages or sayings do you remember and act on whether you know it or not:

Click it, or ticket; Buckle up for safety; Don’t mess with Texas; Only you can prevent wildfires; Don’t talk to strangers; Look both ways before crossing the street; Friends don’t let friends drink and drive; Loose lips sink ships; Do not leave your bags unattended.

You get the idea. So, what do all of these messages have in common? They’re all S.M.A.R.T messages. What does S.M.A.R.T mean?

S stands for Simple, bordering on the simplistic; the message should not be long, or difficult to understand. It should be crafted in such a way that the mind can register and retain it with very little effort.

M stands for Meaningful; similar to Actionable below, messages without context are ineffective at best. A meaningful message is one that communicates information that is both useful for the security posture of the company AND for the target audience. Take “Only you can prevent wildfires” for instance; the point of this message isn’t only to protect the forests and parks but also to protect the individuals and families in those forests and parks.

A stands for Actionable; the message should have some element of what to do or not, something that the audience can latch on to and start performing immediately; Do lock your computer when you are away from your desk; Don’t let other people enter behind you without a badge.

R stands for Repetitive; no matter how well crafted your message, or how much time and effort you might have put into it, sharing it once a year is not going to be enough. S.M.A.R.T messages are crafted in such a way that they can be delivered over and over again using different venues and methods (e.g. posters, email signatures, phone messages, etc.) without overwhelming the audience.

T stands for Targeted. I said in a previous paragraph that modifying a message to take the psychology of your intended audience into account misses the point. However, targeting the audience based on delivery method is something that works. Some people pay attention to posters, others to emails, and others to phone calls. Targeting specific users with specific messages doesn’t make sense, it’s costly and redundant, but targeting specific users with the WAY the message is communicated, that makes sense and is relatively straightforward to do. Basically you craft the S.M.A.R.T message and communicate it in as many different ways to all of your target audience as you can. Not only does this make sure that the message is transmitted multiple times, but it covers the range of how people learn since they will be seeing it (posters), reading it (emails) and hearing it (telephone, loudspeaker, audio email, etc.).

So there you have it. Keeping your security awareness messages S.M.A.R.T. should make your training and awareness group more effective and more efficient and keep your audience from saying they wanted to follow the program but that the program “missed it by that much.”

Adopting and Adapting to Advance Awareness

By David McCartney

If you follow me on twitter (twitter.com/iamthedavil), you may be aware that my Information Security (InfoSec) group is in a bit of a project holding pattern for the foreseeable future due to too many projects and not enough people or funds. Like many companies, we are being asked to “do more with less.” While this is an admirable goal, my personal objective is to be more effective with less, reducing the confusion between motion and progress.

One of my main concerns is the number of security-related emails our InfoSec area is sending out. Since there’s the common concern that frequent communications will be viewed as noise, I’ve been trying to figure out a way to increase the effectiveness and memorability of our alerts.

One of my first ideas was to “adopt and adapt” a color-code system for InfoSec alerts similar to the one the hospital currently uses for loudspeaker alerts:

  • Bomb Threat – Code Black
  • Fire – Code Red
  • Missing Child – Code Adam

And so on.

Introduction to these codes begins on the first day of employment during new hire orientation. Additionally all staff, including non-medical personnel, must complete yearly CBTs that review the various colors and their meanings. Furthermore, these codes are printed on cards employees carry with them at all times, so they’re repeatedly emphasized to all hospital employees. I suppose you could even say these codes are imprinted on our DNA…

(I’ll pause for groans and laughter here.)

My idea was to adopt the current announcement method, designed to quickly initiate a response during an emergency, and adapt it for InfoSec purposes. With that goal in mind, I came up with the following potential list based upon the top communications I see the InfoSec team generating:

  • Malware/Virus Outbreak – Code Red
  • Patch Required – Code Blue
  • Disaster Recovery Engaged – Code Yellow

Instead of targeting medical personnel with the communications, Information Systems (IS) staff would be the primary recipients, as they are typically the initial audience for many of the situations mentioned above. By using a “color codes” approach to draw attention to the InfoSec announcements, IS staff will know when to respond to our alerts. Desktop Support would know increased workload may be coming during a Code Red, Server Administrators are informed of a patch through a Code Blue, and all of IS is quickly aware when a Disaster Recovery effort has begun.

Usage would be similar to the following in an email subject:

  • InfoSec Code Red – Bogus Webmail Address
  • InfoSec Code Blue – Emergency Patch Required
  • InfoSec Code Yellow – No Power at Southwest Site

A slightly different way of using the system was suggested by Michael Santarcangelo, for an environment where response time is critical. With his approach, the codes indicate less about the threat and more about the timeframe within which people need to act:

  • Code Red – Immediate (Within 24 Hours)
  • Code Yellow – Urgent (Within 48 Hours)
  • Code Green – Soon (72 Hours)
  • Code Blue – Informational (No Action Taken)
  • Code Gray – Personal (Do This At Home)

While the adopt-and-adapt concept seems simple, I do have a confession to make. In my zeal, I made the error of using the same colors as the hospital alerts. Marketing and upper management quickly informed me that the InfoSec Event colors needed to be different from those used by the hospital to minimize confusion and panic. Keep this in mind in your environment.

This is an opportunity for us to work together. What exists in your environment that you can leverage to increase security awareness and visibility? What have you done that’s been successful? What’s failed? Let’s continue to share ideas and learn from each other, especially during these times of limited budgets and resources.


Is awareness really the goal?

By Dennis Kuntz

When I was first asked to write a post on “Security Awareness”, I really began to think about what is meant by “awareness”. The conclusion I came to was a little frustrating: too often folks think of awareness as an end in itself, as if making folks aware of something is the same as doing something about it.

Now, it may seem obvious that this is not the case, but how often have we (I include myself here) just lobbed something over the wall to make folks aware of an issue? Maybe it was a new risk or vulnerability, whatever, and then we washed our hands of it as if we had done our job.

This is obviously not limited to Information Security or IT folks; no particular group has the market on this practice cornered. That being said, awareness needs to be backed up by two primary things: education and action.

Education

When you make someone aware of a situation, issue, or risk, how often do you take your audience into consideration? Tech guys and gals are infamous for using jargon in situations where it’s just not understood by others in the room; we’re right up there with doctors and lawyers! Now, that’s not a bad crowd to hang with (well, except for the lawyers), unless of course you want to be listened to, or even better, understood.

If Joe the BizDev Guy walks into a BlackHat conference, I have no sympathy for his confusion (let alone his compromised devices) and would consider him out of luck. However, if I’m in charge of protecting his data at our company, my job requires me to make sure that I communicate important matters to him in ways that allow him to make educated decisions. Plus, it’s just the right thing to do.

Action

If I’ve made my data owners and/or boss(es) aware of some important issue, I’m not done with my job. I need to take the necessary actions to follow up on those issues, right up to the limit of my authority. If I lack the necessary authority, and especially if the issue is important enough, then I need to take action to be in the faces of those who do have the authority until some resolution occurs.

There are of course times when we cannot get the resolution we want; far too often, I would say, this is the case. But we need to make sure that we’ve done everything we can to address the issues at hand instead of just being content with their “awareness”. Follow-through in our jobs is vital; without it, people can lose jobs, or even die.

Awareness is great, but not by itself. Combined with thoughtful, communicative education and resolute action, the three become a potent triumvirate.
