This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 12)

This chapter addresses the challenge of changing first in order to lead and influence change. The concepts introduced and explained in Into the Breach – the Strategy to Protect Information, The Catalyst Method™ (recently updated) and others – produce rapid and lasting results for those who embrace them and implement them in their organizations.

Michael shares two basic analogies to consider while summoning the courage to break from tradition and take action: the process of building a flywheel and reconsidering Newton in a new light.

Into the Breach provides a wealth of ideas and information. The Awareness that Works™ system is the implementation of the guide from the book – and more. Contact Michael today to learn more and explore the guaranteed results.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst) (and he’ll engage back with you)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. 3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

For me, this means a lifelong study of communication – verbal and written – blended with human ecology and the fundamentals of security. It’s an odd mix, but with my focus on Awareness that Works™, it serves my clients well.

A few months ago, I started a column for CSO Online dubbed the “Career Catalyst.” It allows me to build on my background as a catalyst and role as an advocate for individuals to share ideas, insights and strategies to help shape and develop powerful, effective careers. It turns out to be a perfect compliment to my approach to advancing individuals and organizations at the same time.

My passion in serving others is the driving force for this column.

I routinely listen to the challenges, observe the trends and think about the skills, aptitudes and attitudes for career success. But I also view this as an effort to serve as the catalyst for multiple ideas, experiences and challenges of the entire community.

Looking to improve your career and advance the profession?

• Share your successes or ideas you’d like my take on
• Ask the questions on your mind
• Share your challenges

Connect with me by email, telephone, twitter or through this handy contact form.

You can find my column here: http://www.csoonline.com/topic/41515/security-career-staffing

Here are the last three columns:

Security Careers: The Mic is Always On. Always.

Like politicians who’ve been embarrassed by public microphone mistakes, security professionals need to remember comments that are made in bad taste can put both a career, and an entire security program, in danger

http://www.csoonline.com/article/597056/security-careers-the-mic-is-always-on.-always.-

Cultivating a healthy addiction for career success

Going beyond the typical interview answers and resume claims will help you demonstrate why you stand apart from the pack. Michael Santarcangelo shows the way.

http://www.csoonline.com/article/594229/cultivating-a-healthy-addiction-for-career-success

Are You Making a Security Career or Working a Job?

In his first column as CSO’s Career Catalyst, Michael Santarcangelo outlines three essentials everyone needs to consider to make security work more than just a job

http://www.csoonline.com/article/590096/are-you-making-a-security-career-or-working-a-job-

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 11)

Outsourcing makes sense for a lot of organizations and continues to gain in popularity. Does this drive to outsource and partner actually increase security and protection of information?

By leveraging the strategy and concepts shared in Into the Breach, learn how to build a firm foundation for success – including how to measure the effectiveness of the partner and ensure mutual and lasting benefit from the arrangement.

• Learn how to establish appropriate and measurable criteria upon which to make better decisions
• Understand how to assess potential partners and providers to ensure appropriate fit and mutual success
• Gain insights into verifying and building relationships based on trust and mutual understanding

If outsourcing and working with partners is part of the process, then this chapter is a must listen.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

By Jill Van Zelfden

“Investing in Yourself”… I’m sure we’ve all heard this term at some point in our lives.  But what does it really mean and why should someone care?  And of all things: Why does my employer care?!

First, let’s start with a definition:

“Investing in Yourself” means that you are the driving force behind improving yourself in some aspect in your life in order to move ahead.

Examples:

1. Taking a college course to improve your job skills.
2. Reading a book to solve some problem at work or in life.
3. Listening to an audio podcast via iTunes to improve some aspect of your life.
4. Hiring a trainer to teach you something new.  (And no, although it could be a gym trainer to help get you into shape, I really mean hiring someone to teach you something new like Excel, or underwater basket weaving.)

Non-Examples:

1. Company sponsored training.
2. Company paid college course work.
3. Parent paid college course work.

Note: While it’s always great for these to happen and these all lead to something invested in you, these are examples of someone else investing in you.

Ok, so now that we’re clear on the definition, why is this important, how do I invest in myself, and why the heck does my employer care?!

So, why is this important?  Isn’t it enough that I am a parent, work full-time, do house work, make repairs on my house, eat, and sleep?  In short, the answer is “No.”

As human beings, we all want to achieve the next big thing.  Keep in mind that the next big thing is different for everyone.  What may be my next big thing could very well be different than your next big thing.  But human nature dictates that everyone has a next big thing.  None of us want to remain the same day in and day out.  We all want something more.

What’s your next big thing?

A month long trip to the Bahamas?

A new house?

A job promotion?

So, how to you go from the here and now to your next big thing?  You need to invest in yourself!  Take the time to sit down and figure out what is keeping you from that next big thing.  If you’re unsure, talk to someone who’s there and ask them how they got there or what they would have done differently.  Then take the steps you’ve identified.

For instance, if you’re after a job promotion, figure out why you haven’t been promoted.  Is it because your technology skills aren’t quite up to snuff?  Then take a look into community colleges in your area and find a class that will teach you the needed skills.  Is it because you don’t have experience with a particular skill?  Volunteer with a non-profit group that needs someone with that skill.  Then brag on the great job you’re doing for the local non-profit to your boss!

If I’m investing in myself, how could that possibly affect my employer?

Why is my employer wanting me to invest in myself?

Why does this topic come up in my annual reviews?

All great questions.

Here’s the secret that very few managers want to admit:

An employee who has an idea for their next big thing is more than likely an employee who is motivated in improving something.  This means that they want something from life, are happier, and are less likely to be here for just the next paycheck.

And if an employee’s next big thing is improving their job, then that’s an added bonus for the company.  After all, the more advanced work they can give you, the less they have to spend on hiring, benefits, training, etc on a new employee.  So, in the end, it usually proves to be a cost benefit to promote you instead of hiring someone else.  And if you’re in the right company, that cost savings flows down to you, the employee, in some form or another.  It might be a promotion, it might be a raise, or it might be both!  How awesome is that?!

But the key here is to let your new skills show!

And sometimes, that means identifying a hole in the company, learning the skill needed to plug the hole, and then spending an extra hour or two off the clock proving to management that you can handle more responsibilities.

Investing a few hours in yourself is very evident to those around you.  Because what you’re concentrating on and doing off hours will come up in conversation.  Think about a parent you know and the last time you asked them how their child was.  What was their answer?  Was it a one or two word sentence?  Or was it a story about how great they were at their last play/recital/soccer game/etc?

The same thing happens when you invest in yourself.  Your world all of a sudden becomes bigger and more exciting.  You start trying to relate your current knowledge to your new knowledge.  You start to say things like “See that rainbow?  Isn’t it amazing how light refracts like that?” instead of “Oh isn’t that rainbow pretty.”  And statements that show off your knowledge like that, is hard for your employer to miss.

So, I challenge you to:

1. Identify your next big thing.
2. Invest in yourself.
3. See how long before your family/friends/coworkers/boss notice or reward you in some way for working towards your next big thing.

About Jill Van Zelfden

After more than a decade in technology, Jill Van Zelfden found her passion for Information Security in 2008. Working to advance herself and the profession, she currently holds the Security+ and MCSE: Security certifications and is a member of ISSA.  She resides in the Dallas area and works for NetBoundary as a Security Operations Manager.  She’s available at twitter.com/JillVann.

What the HR system is… and isn’t

The HR system is the source of record for payroll. The HR system is not the source of record for access.

Let me say that again: HR decides who gets paid, not who should have access.

This distinction is critical – here’s why…

Identity management relies on HR for information about new, transferred, and terminated users. However:

• New hire issues: some HR departments do not enter employees into the HR system until after they have started working, to make sure they show up for work. Otherwise, they run the risk of paying someone who never worked. If this is the case, auto-provisioning new access will not be possible if access is needed on the first day of work – unless some workarounds are applied.
• Transfer issues: HR systems can track and report on employee transfers, but:
  • The HR system can’t tell you if the employee needs to keep their previous access for a while to train someone else, or if they’re doing two jobs.
  • What might be considered a transfer from an access perspective (e.g., someone going from Accounts Payable to Accounts Receivable) might not be considered a transfer from an HR perspective (both positions are in the Accounting department).

Both of the above make handling transfers pretty complicated – not impossible, just really tricky.

• Termination issues: an employee is terminated in HR when they stop getting paid, but employees don’t always stop getting paid on the day they stop needing access:
  • Most employees will get some sort of severance if they are laid off or even fired, so they may still show as active in the HR system for days, weeks, or even months after they were escorted out of the building.
  • Employees who resign or retire might take a paid leave of absence or vacation on their way out, again making them active in the HR system for days, weeks, or months after walking out the door.

Relying solely on the HR termination date for access removal opens the organization up to potential security threats from unhappy employees for quite a while.

As if all of the above weren’t enough, the HR system may not be update-to-date or “clean”. Sometimes, line management and even job information data is missing or outdated. It’s also possible that new information is slow to be entered into the system. These limitations will eventually limit the capabilities of the identity management enterprise.

Approach

This month, the goal is to develop relationships with the right people in HR (likely the expert system administrators, not necessarily the reps and recruiters themselves, although it might be both) to identify the following:

• How/when new hires are entered into the system (and how job candidates are handled)
• How/when transfers are handled in the system
• Termination process and reasons
• Reliability of data in general, and accessibility of the data for use by other systems.

In the next article, we’ll begin by tackling the new hire process.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

In this episode (Chapter 10)

Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners that suggest compliance is not security; however, proper security can and often does lead to effective compliance.

The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.

In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.

If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 9)

Writing this book and testing these methods revealed a surprise: people who are engaged – connected more closely to the consequences of their actions – do more than protect information.

This chapter explores additional benefits from the improved communication and insights that come from following the strategies and elements shared in Into the Breach, including:

• Quickly align business and technology organizations (true alignment, not lip service)
• Harnessing the power of people to uncover new revenue opportunities
• Leveraging and engaging individuals in the act of reducing waste while doing more with less

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
2. Subscribing to The Security Catalyst podcast & blog to get more insights
3. 3. Checking out Awareness that Works™ – a new program from Michael Santarcangelo to guide smart investment in people, with guaranteed results (this program pays for itself).

Think back to the best leader you’ve ever followed.

For me, it was my Professor of Military Science when I was in ROTC during my college stint.

Look at him and at first you’d see him as an “average” Army officer. He’d had a bunch of good assignments, some not so good assignments, and was finishing up his career teaching young men and women the finer art of leadership. If you only knew him casually you’d be wondering why all of these young men and women were so dedicated to the program, the Army, and (in a lot of ways) to him.

The reason I did was simple: the Major was able to describe a vision to me of what the Army could be, what I could be, what all of us – together – could accomplish. He told the stories of what he felt we could do in such clear and compelling language that we were enthusiastic to do some pretty (in retrospect) amazing things. Things that, outside of the context of the vision, made absolutely no sense…like jumping out of perfectly good airplanes while still in flight…like marching through mud, dust, and pollen for kilometer after kilometer…like lying in cold rain for hours waiting for the ‘bad guys’ to show up…and so on and so on.

Casting Vision: It’s Not Just A Sales Job

Without a compelling vision a leader is hamstrung.

They can push and pull the levers of the team, they can make adjustments to the machine that is the team – but they cannot get the team to reach it’s full capability. Without a compelling vision the leader is simply reacting to events instead of shaping the events and circumstances. The leader, without a vision, is not really leading at all.

Just to be clear – we’re not talking about the simple “performance management” task of assigning goals and objectives to individuals and ensuring that there is a cohesive flow to them. We’re not talking about “mission statements” or “purpose statements” (although they may enter the conversation later). We’re not even talking about how to justify the capital expenditure needed to get the “new system” online.

When we talk about casting vision we’re talking about being able to tell a story that accomplishes some very specific goals.

Acknowledge What Is

Any vision must start at the beginning.

You must be able to acknowledge the good, the bad, and the ugly about the current situation. You have to be completely honest about where you are coming from. To do otherwise begins with a foundation that cannot support even the most compelling vision.

Vision, built on false assumptions or denial of the past, collapses in on its own weight. That being said, don’t flagellate yourself (or the team) unnecessarily either.

As Sergeant Joe Friday says “Just the facts”.

Describe What Is To Come

Vision, at it’s simplest, is a story describing how things should (or can) be.

The story needs enough detail without going to deep. It needs to be lofty and idealistic without sacrificing a real sense of reality. The story needs to reach out to your team and show them that they can be much more than what they are today.

But a simple vision is, many times, not enough.

Vision needs to take into account what you want your team to accomplish and also show how that plays into the goals and aspirations of the larger team. Vision, especially for larger teams, needs to be large and sweeping and dramatic and dynamic.

Most importantly, the vision must be Yours.

Demonstrate Your Belief

Only you can effectively get your vision off the ground.

If you do not share it convincingly, if you cannot show that you believe it in the deepest fiber of your being, if you cannot demonstrate you are willing to sacrifice personally to make the vision appear then: You. Will. Fail.

Think back to when you knew the boss was simply mouthing words that the boss thought you wanted to hear. Recall when you could tell exactly which motivational book the boss was parroting. Remind yourself of all those times that you knew (and I mean, YOU KNEW) the boss wasn’t believing what they were saying.

Do you want to be that?

Make The Mental Shift Yourself First

Once you’ve communicated the vision to your team you must make the mental shift in all your communications, thoughts, and presentations and ensure that the tenets of your vision are constantly and consistently communicated.

You need to make your vision, no matter what it is, the focal point of all your activities. You must be “living the vision” every day in every way.

Once your team sees that you believe, once they know that you are not just “saying words”, once they realize that the vision is for real – then you can move on to the next (and, to me, most fun) step.

Help The Team See And Act On The Vision

Once the team sees that you believe and that you are willing to act on the vision they will be prepared to begin really looking at the vision the way you do and will start to act on it in ways that they think will help bring it about.

Your job is easy – you get to be a cheerleader, mentor, and disciplinarian all in one. You get the chance to reinforce the vision with team members and experience what I think is one of the coolest parts of leadership: you get to see your team members grow as people and you get to see your team grow in it’s capabilities.

But that growth doesn’t “just happen”… In our next episode we’ll talk about how to take your vision and use it to build a stronger team.

Did last month’s exercise of mapping primary userIDs kill you?

Is it still killing you?

Unless a number of full-time resources were allocated on a project basis, the cleanup for a large organization can easily take months to complete so if you’re still working on it, don’t worry – you’re not alone!

That said, we need to move on so join us when you’re ready.

The Purpose of Secondary userIDs

Once the primary userIDs are mapped, it is time to continue on with all of the other userIDs in the organization – the ones for the systems that were identified as “secondary” (Priority 2) in January’s exercise.

Secondary systems are systems that need to be integrated to some degree with identity management, but they were deemed “secondary” because the integration might be complex, the system is important but doesn’t have that many users, or the system may be too old to integrate.

There is also another type of secondary account – one most often associated with mainframe or administrative accounts: additional IDs belonging to the same person on a single system.

There are a variety of reasons for this: in some cases, a user of a system may also be an administrator, and there is a security requirement to keep the permissions separate. In mainframe environments, multiple IDs may be needed either because a user has too many permissions to “fit” on a single ID (there are ways to fix this, but that’s outside of the scope of this discussion), or because users need access to the same data for different regions, and switching “views” within one ID is too cumbersome.

There could be other reasons for having multiple IDs on a single system, but the end result is the same: if any user has more than one ID on any key system, that ID needs to identified and linked to the user’s primary account. Otherwise, there will be gaps in the integrity of the identity data.

The task at hand

Cleaning up and mapping secondary userIDs is similar to cleaning up and mapping primary userIDs. The only difference is that the target systems are different. As a result, this effort may be easier…  or harder than the previous one.

Here’s why:

Smaller systems might be easier to map

Systems with fewer users are generally easier to keep clean, and they’re maintained by fewer administrators. There is also the possibility that the administrators know the users personally. If the Priority 2 systems on the list fall into this category, expect this effort to go a lot faster than the one for primary userIDs.

More obscure systems may not be as well-maintained

When cleaning up and mapping primary accounts, the email system is generally the best place to start because it tends to be one of the best-maintained, and for good reason(s):

1. People use their email all the time, if it’s not working correctly and their name isn’t right, they’re very vocal about it. So users’ email data tends to be very clean
2. Mailboxes take up precious disk space and disk space costs money. Email administrators tend to notice and act on inactive accounts in the interest of saving the company some money

The more obscure systems don’t have these luxuries. They tend to be more loosely maintained. Administrators may not be as rigorous about following up on inactive accounts or configuring the system to auto-disable/auto-delete unused IDs. They may also not follow the company’s naming standard when creating userIDs. The worst part is they likely don’t populate much – or any! – personally identifiable information with the userID.

If the Priority 2 systems on the list fall into this category, expect this task to be as painful as the one for primary userIDs – or worse.

The UNIX environment is a can of worms

(For ease of expression, I’ll use the term UNIX here, but this applies to Linux and really any *NIX environment)

The UNIX environment can be one of the most difficult to clean up – especially at large companies with many UNIX servers – because of the tendency for UNIX environments to lack central user administration facilities. Unlike in an Active Directory or mainframe environment, users are typically added to each UNIX server (or cluster) to which they need access. This causes a user administration nightmare – trying to figure out which users are on which systems – especially when access needs to be identified or terminated. This problem is compounded if there is little or no identifying information with the ID, or if the IDs were created on a first-come, first-served basis.

Here’s a true story to illustrate the point:

I helped a client clean up their UNIX IDs on one of my first identity management projects. At the company, there were (among others) three UNIX developers named Trong Nguyen, Trung Nguyen, and Tran Nguyen. Their IDs were tnguyen, tnguyen1, and tnguyen2. They requested access to different UNIX servers at different times, depending on their project needs. The UNIX administrators were in the habit of assigning the next available userID on each server to users as they requested access. As a result, my mapping matrix looked something like this:

In reality, each developer had access to over 25 servers, and they themselves didn’t know which ID they were assigned on which system. To make things worse, their names were not registered with the userIDs, so the only way to figure it out was by trial and error.

UserID correlation is just one problem in the UNIX environment – identifying unused accounts is another. Many n-tiered applications that run on a UNIX infrastructure require the user to have a UNIX account on the underlying servers for the application access to work, but the user only ever logs into the application – not into the server. As a result of this, the UNIX account is never used, nor is the password ever changed. This necessitates changes to the password expiration configurations on those servers, and it precludes auto-disabling/auto-deleting inactive accounts. As a result, it is much easier to accumulate old accounts, and much harder to identify truly inactive IDs.

UNIX also seems to be an environment where developers use their own ID to run batch jobs (instead of requesting a system account for that purpose). The developer leaves the company, but the batch job persists. Disable the ID, break a business function. So then there’s the added work of identifying the job and what permissions it needs to run, creating an appropriate system account, changing the script to reference the new ID, and then finally doing what really needed to be done – cleaning up the userID.

In all fairness, this happens in all environments, not just UNIX, but this is where this information fit in the grand scheme of things.

Did I mention UNIX UIDs?

In addition to an administrator-assigned userID, UNIX systems also automatically generate a numeric UID for each user. What many companies realize too late is that if UIDs aren’t expressly managed, each user will be assigned the next available UID on each server, much like the tnguyen situation I describe above. Having different UIDs on different systems significantly complicates the integration between identity management and the UNIX environment. This situation must be rectified before the integration can occur.

The solution is fairly simple to design but tedious to implement – just like everything else in this process. Basically, you pick a high-enough UID that there is space between any existing UIDs and it, and use that as the starting point. Then you assign a new UID to each user and ensure that that UID “sticks” across all servers. You also design a process to ensure that once a user gets assigned a UID, each UID becomes reserved for the assigned user across all servers.

The details of this process need to be discussed with a good UNIX engineer and the implementation – although it will take time and planning – should be transparent to the end users.

Another note on UNIX integration

Although it’s entirely possible to integrate identity manager directly with the UNIX farm, it’s not the most efficient or cost-effective way to go about it as it would require a separate integration with each server. There are products out there (the one I’m familiar with is Likewise) that will LDAP- or AD-enable UNIX user management so that the existing integration between LDAP or AD and identity manager can be used. There are also products that allow similar functionality between UNIX and mainframe tools such as RACF.

If UNIX is a large component of your environment, start looking into products that will facilitate the integration with identity manager now.

Approach

The approach for cleaning up secondary userIDs is the same as what was outlined last month for primary userIDs. Remember to communicate frequently and clearly with the impacted users and their management, and don’t be afraid to disable IDs (in an organized way, of course) if all other avenues of research have failed.

Parking Lot

There’s a good chance that this second round of cleanups will uncover more interesting issues – as I advised last month, take the time to do something about it.

Updating the requirements list

If a UNIX-identity manager integration is in scope, start planning now. Research integration products and determine if they are appropriate to implement. If not, be sure to update the requirements list to ensure that UNIX integration requirements are captured.

Action Recap

This month’s actions are very similar to last month’s, just on different systems:

1. Identify the secondary IDs, and determine who owns each ID
2. Identify and retire obsolete IDs
3. Connect secondary IDs to the primary IDs
4. Develop (and use!) a process for keeping the IDs clean until identity management can take over

How can I help?

Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.

clean the data

So roll up the sleeves, find the glasses, and brew a lot of extra-strong coffee – it’s time to tackle those primary userIDs.

Primary userIDs – what are they?

A primary userID is the main ID that each user has in an organization. This is the one ID that they *should* have on all systems, although that is often not the case. Typically, the primary ID is the user’s network ID – that is, the ID that each person uses to log into their computer in the morning, and probably also to log into their email. Many organizations call this the LDAP ID or (for Windows-heavy shops) the Active Directory ID. Organizations that are mainframe-heavy might store their primary IDs on the mainframe.

The task at hand

On the surface, this month’s activity is simple: correlate each user’s primary ID with their name and other identity information, as this will be the basis for the identity repository going forward. Hopefully everyone’s primary ID is already stored electronically somewhere (at least in a spreadsheet) and there is some useful data already associated with each ID – like a name, an employee number, or other identifying information. If not, well, that’s where the extra-strong coffee comes in (or maybe decaf would be better?).

The task may be easy to describe, but there are three significant challenges in this cleanup process:

Challenge #1: mapping primary IDs to people

It is likely that the list of primary IDs (assuming it exists) is missing information, or has data that’s so outdated as to be useless. Worse still is a list of IDs without any information (who are bassfisher68 and jedimaster84?). Equally frustrating is the same-name problem: how many John Smiths, Trong Nguyens, and Juan Gonzalezes are in your organization… and whose name goes with which ID?

Challenge #2: are they even still here?

It is often hard to map IDs to people when the ID has persisted, but the person is long gone. Even more doubt is created when the ID belongs to someone with a common name.

Does jsmith3 belong to that contractor that was in here 2 years ago, or does it belong to the guy downstairs in accounting?

A nasty – but necessary – part of cleaning up primary IDs is identifying orphaned accounts that should no longer be active. On the upside, this is a healthy security exercise that often gets put off – after all, who wants to deal with the screaming users when the wrong IDs get disabled? But for identity management to work, this HAS to be done – no more excuses or avoidance!

Challenge #3: mapping primary IDs to primary sources of record

Once the IDs are mapped to the correct names/people and orphaned accounts are retired, it’s time to map the IDs to the corresponding accounts in the sources of record that were identified in last month’s exercise. Remember, identity management is just a facilitator of actions. A key integration is between identity management and the HR system, as that enables the automation of access creation and removal based on hire, transfer, and termination events in the HR system. Identity management can also facilitate the auto-provisioning or password self-service of a user’s other accounts (like email) based on proper linking.

The biggest difficulty in this exercise is typically matching the userID with the right HR record, due to potential differences in legal vs. preferred name. Very often, email addresses and userIDs are set up based on the individual’s preferred name (e.g., Mike, Trish, Betsy), whereas the HR record will contain their legal name (e.g., Michael, Patricia, Elizabeth).

Is Mike Smith the same guy as Michael Smith – or not?

Guessing is not allowed here – matching up the wrong user with the wrong HR record can have very serious consequences. HR doesn’t take kindly to people seeing each other’s salary information. Getting someone else’s email is generally frowned upon as well, especially if some new junior analyst was confused with a senior VP (believe me, this has happened more than once!)

Approach

There is no *right* or *easy* way to execute this cleanup.

With little starting information and/or a large user base, this will be a painful and time-consuming process, but here are some things to help get organized:

-        Determine the data set that is needed. Make sure it is the bare minimum to start because once identity management is implemented and the records are linked, a lot of additional information will populate automatically. The goal here is to identify which data points are needed to accurately link records between systems – nothing more

-        Start with the cleanest source of record to build some momentum. While this is often the HR record, sometimes email is the best bet. Other sources may also be appropriate (like the mainframe). In general, the cleanest sources of record are ones that are carefully controlled and well automated in a database or a repository.

-        Enlist the help of someone good at scripting to automate some of the searches and comparisons. Done right, this saves immeasurable time!

-        Communication is key!

• Make sure the user base knows a cleanup is underway and why it benefits them
• Solicit assistance from department heads – they can help identify users and their correct/current information
• Ask the leadership to alert their people that they may be polled for information, and specify the name of the team that will do the polling (provide the names of individuals if possible). Users need to know that these requests are legitimate and not a phishing attempt (especially if they just attended training on phishing or Michael has already worked to improve your awareness program)
• Communicate the cleanup process to the leadership so they know the who, what, where, when and why of the effort. This is especially important when the team ends up with a pool of orphaned IDs and no other means of research. The only remaining option is to deactivate those accounts and see if anyone complains. Management needs to understand and support this decision before it can be executed

-        Don’t be afraid to disable IDs if reasonable research has not yielded results. Researching identities is extremely time consuming – there is a point where enough is enough, and the security risk to the company should outweigh the brief inconvenience that a handful of users may experience

-        Engage HR representatives and local technical support personnel. They tend to know the users personally, and can be of great help identifying them

If existing records are already in pretty good shape, sit back and smile smugly while everyone else beats their head against the wall for a while.

Keeping it clean

If there is no current identity management system in place, it is important to keep the new repository of primary userIDs reasonably clean until the new system is in place. Otherwise this fun exercise will need to be repeated.

Staying up-to-date manually requires a process to keep user data in good repair but the process should not be complex or labor intensive. Do the bare minimum necessary to keep the data decently clean. It’s OK if it’s not perfect – a small final cleanup is inevitable.

A word about userID naming standards

If this process reveals the lack of a userID naming standard, or a standard that no longer makes sense for the organization, this is the right time to establish a new, sensible one. This is a large and painful exercise in and of itself, but it is far better to enter into an identity management implementation with a solid and appropriate naming standard than to try to fix it later.

Here are the things to consider:

-        Grandfathering existing users vs. making them change their ID to match the new standard

• Unless there are specific technical reasons for converting everyone, I recommend grandfathering. A primary ID can be created in identity management in the new format and mapped to the untouched existing IDs. This meets the needs of identity management while minimizing impact on the users

-        Helping users with multiple ID formats across various systems consolidate to one ID format

• Although this can be a little painful, many users are happy to undergo the initial challenge in exchange for not having to remember which ID to use on which system

-        Having different ID formats for employees vs. non-employees

• I recommend not doing this. Having visual segregation of ID is much more important in a manual paradigm. With identity management there are many ways to identify a user’s employment status without segregating by ID, and having different ID formats causes more problems than it solves

-        Make sure that the selected format will work on all systems – including those legacy dinosaurs with all their length and character limitations

-        If you choose to have userIDs based on name, establish a clear policy about changing the ID in the case of marriage, divorce, sex change, etc.

• Changing someone’s display name is easy. Changing their userID can be tricky, because on many systems this isn’t possible –the old ID has to be deleted and a new one created, which leaves a lot of room for error in copying permissions, files, scripts, etc. However, some people feel very strongly about their name, especially after a nasty divorce or a sex change, so there has to be a provision for this

-        Make sure the new naming standard scales adequately for the expected growth of the company, and that it addresses situations where users may need more than one ID, or where individuals have the exact same name (possibly even same middle name or middle initial)

Parking Lot

Doing a userID cleanup of this nature can uncover all kinds of interesting issues – like fields being used to store data that they were not meant to store, IDs being created through unofficial channels that probably shouldn’t’ve been created, etc. Some of these discoveries might be security risks, some might just be sloppy administration, and still others might impact the identity management implementation down the road. In any case, it is important to document these discoveries along the way and do something about it – even if that something is just notifying the responsible manager.

Action Recap

This month, we covered the following key actions:

1. Identify the primary ID, and determine who owns each ID
2. Identify and retire obsolete IDs
3. Connect primary IDs to the appropriate records in the target systems identified in last month’s exercise
4. Develop (and use!) a process for keeping the IDs clean until identity management can take over
5. Make sure the current ID naming standard is adequate and fix it if it isn’t

None of these actions is quick and easy, but getting them done sets a firm foundation for a successful identity management implementation.

How can I help?

Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.

Over the last few years, I’ve slowly worked through the elements to help friends – and each time I promise to make the approach public. Last weekend, I was called on my promise (thankfully) and decided to open it up. In the meantime, we have colleagues who need a boost – they need to build, calibrate and follow their career compasses.

This is a new program – so I am open to a small group of people running through the elements for their own benefits, and to help shape the elements that will be incorporated into the community. In fact, I’d like to figure out how to train others on the approach and work as a community to help each other out.

So it starts now.

And we’ll start small.

For now, no charge (money) to partcipate — but there is a cost. If you are interested, send me an email (securitycatalyst/gmail) or engage me on twitter (http://twitter.com/catalyst) and let’s discuss. We have to keep the initial run small, and we need people who are willing to participate fully and work through the entire system.

More details below:

Career Compass Overview

Whether you are currently a Security Professional or want to become one, this highly flexible program will help you set and meet your professional ambitions while serving lifestyle goals.

Set your Career Compass:

• To prepare for a raise
• To receive a promotion
• For career development
• If you are ready to move into the security field
• To find a new position (within your current company or outside it)

Determine your path and venture forth.

Setting Your Career Compass is a multi-faceted program to help you refine your career objectives and realize them.

It is a three-step process.

1.            You will first think about and answer a series of questions about yourself, your ideal working environments and your future. We help you align your answers – the ‘who you are’ – with what you have done and where you would like to go.

2.            Then we prepare you to effectively communicate your value to the right audience. With guidance you will build a personal brand in the form of a resume, bio, cover letter and whatever else is needed for you to reach your goals.

3.            With all the background work complete, we will help you follow the compass you built.

We do not judge.

Everyone thrives in different situations and has different desires in life. Our passion is to help you find the unique value you bring to an organization and position yourself for success.

Why the Compass approach works.

We guide you through a process that helps you explore your strengths, values and goals. As a result, you will understand yourself better than simply listening to someone tell you what they think, based on a questionnaire.

You will be self-aware.

You will have the clarity required to communicate your value effectively. After guiding you through this exploratory process, your Career Compass helps you position and differentiate yourself from others in a strong finished package – written and oral.

The program will help you craft a resume that is simple, powerful and designed to attract the attention of the “right” people. It will help you market yourself better and guide you to greater success.

How much time does this take?

Like most things in life, the more you invest into this program, the more you will get out of it. It is recommended that you budget 3-5 hours to complete step one, 3-5 hours for step two and 3-5 hours to begin step three.

Step three is ongoing but 3-5 hours gets people where they need to be. Some will breeze through the process. Others will need more time. There is no right answer, but the time you invest in yourself will pay off down the road.

by Dennis Kuntz

“This isn’t just a legal compliance issue for us. We consider the privacy issue to be an opportunity to reinforce our brand image.” – Tom Warga, SVP and General Auditor, New York Life Insurance Co.

Early in my career I accepted a job rich with challenges and opportunities. It was for a bank that was not yet Y2K compliant (and yes, this was pre-2000), was under a cease-and-desist order from the Office of Thrift Supervision (OTS) and had a very inefficient system that needed to be rewritten from scratch – from the front end all the way to the back.

They wanted the system completed in technologies with which I was cursorily familiar (though I at least had industry experience). In addition to rewriting the system, I was also starting it months after the OTS had wanted new “financial systems” to be completed (which did not enhance their patience in dealing with us).

On my first meeting with the auditor for the OTS to lay out my plan, I thought I’d break the ice by cracking a joke. I told him, “It’s not Y2K that worries me. It’s Y10K – those 5 digit years are going to be a bear.”

My attempt at humor was met with a blank stare, an uncomfortable silence, and then a humorless statement about the requirements we needed to fulfill.

This set the stage for my first real introduction to compliance – putting it in place, those that enforce it, and those holding you responsible for the first two items.

Putting Compliance In Its Place

Focusing only on compliance almost by definition limits its usefulness.

Many compliance standards change in order to encompass tactics that have already been tried. Bruce Schneier has covered this concept within the context of terrorism and explains how ineffective it is.

However, most compliance standards also have a “spirit” (or intent) in addition to the “letter of the law”. For example, HIPAA aims to protect “individually identifiable health information”; PCI aims to protect cardholder data, etc. By focusing efforts on embracing the spirit of the compliance standard, the end result is “compliance” and a vastly superior job at actually protecting information.

Answering for Your Efforts

Having to “answer for your compliance efforts” doesn’t always mean an audit.

Sometimes there is an internal role that oversees compliance efforts for the whole company. In my opinion, the best way to deal with anyone whose job it is to judge your efforts is to be honest (of course), but in a way that first seeks to  understand their role.

When dealing with an auditor, try to understand what it is they are looking for (fellow contributor Jim McFee does a great job of explaining this perspective).

Often, auditors are looking for proof the “letter of the law”  was followed, or otherwise properly addressed. By understanding the auditing procedures and general expectations regarding the compliance standard it is possible to position actions in a way that make sense, demonstrate compliance and reduce friction.

The advantage (albeit sometimes hidden) when working with an internal colleague is the simple fact that everyone shares the same corporate goal: achieve compliance and protect company information. Working toward a common goal makes a difference (along with a deep breath and sometimes a squeeze ball).

Using Compliance for the Greater Good

Information security compliance standards almost always received the attention of those who may not normally be focused on information security risks: legal, management, etc. This is primarily because of the legal and financial implications of not obtaining or maintaining compliance.

This can be an advantage to manage the company’s risk.

Not only may decision makers be more willing within the context of a compliance effort to spend money on information security, but they may also be more open to education and awareness efforts.

Ultimately our job is to protect company assets and help to manage risk.

While on the surface compliance can simply be a necessary evil, when looked at with some creativity, most compliance efforts present opportunities to improve the security posture of your company beyond the requirements themselves.

What you’ll find in this episode (Chapter 7)

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, contact us to learn more).

So how do you implement in a way that gets results?

In this chapter, “Putting the Strategy to Work: A Pilot,” Michael explains the basic approach – with key insights – to engaging people in the process of protecting information. Learn how to select the pilot approach that works best, build the team and plan a strategy that drives tactical and strategic success.

There is no “one-size-fits all” approach, and this chapter lays out how to make the right decisions the first time. Get a jumpstart on success with this chapter.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

What you’ll find in this episode (Chapter 6)

Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed for immediate results by harnessing the power of people. By asking the right questions — in the right way — people are connected to the consequences of their actions and share information about known and unknown risks about the information they use every day.

The elements of this chapter are the building blocks to what is now called The Catalyst Methodâ„¢ — what Michael teaches, guides and uses to help organizations get results that improve awareness assessments and help deliver Awareness that Worksâ„¢.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

by Dennis Kuntz

“Individual commitment to a group effort — that is what makes a team work, a company work, a society work, a civilization work.” – Vince Lombardi

When faced with creating a new security program – Building Security from Scratch – it can be like George Taylor in The Planet of the Apes: you awaken to find your ship has crashed and you have little more than the clothes on your back. You have to figure things out and make use of what’s around you.

When in this situation, it is important to establish your bearings quickly. There are a lot of things to digest in order to start making a difference. As fate would have it, this seems to be a specialty of mine; I have accepted the challenge of creating a new role at least a half-dozen times in my career.

In my new position I have the honor and challenge of building a security program from scratch (hence the name of this column). Over the next year, I am going to share my plans, insights, and lessons-learned to contribute to a dialogue where we all can improve the way we protect our organizations.

Based on my experience, there are three steps to take when starting from scratch:

1. Getting Together: Who’s on Your Team?

The first question focuses on the team: “What will my team look like?” This is key whether you’re a “one man band” or you have (or get to build) a team. Understanding who is “on the team” puts you on a path to create a plan to determine how to be most effective tactically, and how to achieve strategic success. And the answer is more than just having people report directly to you.

This is not set in stone – more time generally yields a clearer picture, but starting with a picture is key.

2. Assess the Situation: How Will this Work?

With a snapshot of the team in place, it is time to assess the resources. This includes existing resources (personnel as well as software, etc.) and potential resources (budgeted items, management’s flexibility for unplanned spending, etc.).

As you identify resources – and the gaps between them – you’ll start to get a vision of your current situation, and your company’s overall posture. As this picture develops, you will more easily be able to map out how to address the gaps using those resources.

3. Get to know the family

Just as important though, is to figure out who the right people are in your “sister” departments, such as Human Resources, Legal, and as you might guess, IT.

Human Resources is essential because it manages the relationship between a company and its employees. While there are many non-risk functions an HR department performs, one of the most important is in managing situations involving employee misconduct, terminations, and other delicate issues. There will often be an overlap between HR’s responsibilities regarding any kind of internal employee issue and Information Security’s role in protecting internal assets. You will definitely need HR’s help in proceeding in any kind of internal investigations as it relates to employees, and they can definitely benefit from your expertise when addressing certain kinds of employee issues – and they may not even know it.

The Legal team in an organization normally helps to protect company assets by dealing with anything from relationships with external entities (via contracts, NDA’s, etc.), alongside HR with internal employee matters, managing the company’s posture when dealing with legal issues/requests that arise from “outside” the company (discovery requests for pending litigation, law enforcement requests, etc.), as well as compliance matters (PCI-DSS, HIPAA, SOX, etc.).

As an information security professional, you probably already have at least some familiarity with the functions of both of these groups. It should be pretty easy to see how cultivating relationships with these departments – and those like them, such as Document Management and Compliance departments – can help in your efforts to build your program. And that’s whether it’s a tip-to-tail effort, or something more concentrated like penetration testing. Less likely and possibly more beneficial to you, is that these departments may not be fully aware of the benefits you bring to their efforts.

Turning the One Man Band into a Symphony

Information Security is about managing risk.

In creating a security program, it pays to realize that even when alone, it requires a team. Showing other groups how their jobs can be easier while helping to manage risk and protect the company’s assets can effectively extend the security “team” beyond whatever may be listed on paper.

What are you doing as a one-man-band to make a difference? What challenges are you tackling? Drop a note in the comments and we’ll take it from there…

• Less efficient use of resources
• Less creative solutions (at a time when creativity is even more vital)
• Less productivity

And worse, the possibility of security breaches and risks. Some companies learned this lesson the hard way: TMobile in the UK , Greengrocer.com, and the Office of the Attorney General of Maryland.

When employees lose motivation, they become less of exactly what the company needs: A creative, productive contributor. Worse, they might become angry and disgruntled, causing a loss or theft of essential company information.

Motivation – I know it when I see it

So what is this abstract concept called “motivation”? Is it like love – hard to define, but easy to recognize?

According to Webster’s, to motivate is to “provide with an incentive, move to action, impel”. Motivation is, put simply, giving others a reason to do something: To do their job well, to be creative, and to be an asset to the company.

Now that we’ve defined it, can we describe it? What are some common motivators? Some things that have found to be effective motivators are:

• Positive reinforcement
• Effective discipline
• Fair treatment
• Satisfying employee needs
• Setting work-related goals

Notice something missing from the list?

If you assumed that “more money” would be a lock, it turns out it isn’t. The Minneapolis Gas Company completed a 20-year study of motivation. They asked 44,000 employees what they desired most from a job and found that, surprisingly, wages were not highest on the list. Job security was, followed by advancement, type of work, and pride in the company.

But even without the study, we all know that providing motivation is a good thing. The challenge is “how?”

I’ve listed some basic concepts of motivation to help you devise a system to give employees what they need, so they can contribute their best work:

1. Be the change

Employees won’t be their most creative, energized selves – they won’t be assets to the organization – unless you are, first. As the Minneapolis Gas Company found, intangibles rank higher than wages, and they start with your attitude and energy. Simple actions can start the process. Ask yourself: “If I were one of my own employees, would I see myself as an asset to the organization? Does the work I do reflect my most innovative thinking?” Some ways you can start being the change you want to see are:

• Welcome challenges. See them as opportunities, not as limitations. After all, without challenges, we don’t get a chance to exercise our skills and talents to their fullest potential.
• Ask if there are better or different ways something can be done. Good innovators practice creativity; they generate solutions, ideas, and concepts in every aspect of their lives.
• Be curious, ask questions, and develop problem-solving skills by practicing them.
• Take action – have confidence in your ideas, and dare to express them. Don’t fear failure; it’s inevitable, and the only way we learn. Above all, be persistent – don’t give up.

Remember, the positive energy and creativity of your team start with you.

2. Size the motivation to the person

Despite what some people might try to tell (and sell) you, there’s no “one-size-fits-all” system of motivating employees. Each person is different, as is each organization. The key to effective motivation is to discover what moves each person to be their best and to be an asset to the company.

How?

Start by asking. Then stop to listen. Watch the quiet moments. Then continue the discussion.

3. Motivation is a journey, not a destination.

People and organizations change; what works for the employee and the company at one point might not be as effective months later. By listening to and observing employees, motivations can be adapted to their needs.

Treating motivation as a one-time event or a destination leads to a situation where it would have been better to do nothing at all. Commit to the journey and reap the rewards (and continue to read Security Catalyst to get ideas and support).

It might be dangerous and harmful to assume employees are motivated by “more money.” The “trick” is to figure out exactly what will move them to become greater assets to the company, then give it to them. In my next article I’ll explore in greater detail how to develop a motivational plan for your employees, and ways to overcome some common challenges in developing such plans.

What challenges have you experienced with motivation? What successes have you had? Share in the comments….

Sources:

• Merrian-Webster’s Online Dictionary: http://www.websters.com
• Accel Team Development: http://www.accel-team.com/motivation/
• The Journal of Extension: http://www.joe.org/joe/1998june/rb3.php
• The Free Management Library: http://managementhelp.org/guiding/motivate/basics.htm)

The concept of the audit, to some, may feel relatively new and immature. However, financial statements have been audited since the 1800s and regulated IT Audits got a footing in the 1970s. The challenge in making sense of audits is in the approach: are you driven by compliance and audits, or are you driving the audits and compliance?

In my experience, compliance and audits are more journey – and less road trip. The challenge in preparing for this journey is the murky starting point, winding roads and changing conditions that must be successfully navigated. And when finished, the reward is taking another lap.

Developing a “Culture of Compliance”

Day in and day out those who work in finance adhere to basic principles that over time have simply become habit. These basic principles are in part derived from the understanding that they will be audited against their actions. We, as IT experts, tend to have much more of a cowboy approach to getting work accomplished.  Now that IT is being held accountable we need to instill the same ideology of daily work ethics that is second nature in finance departments.

This concept of cultural development is awkward at best when considered in bits and bytes. While IT staff are experts in their fields, they often have difficulty in understanding why perceived red tape (commonly experienced as additional process to get code into production). For many, it just doesn’t make sense and feels more like an obstacle than a useful control.

Building the culture of compliance takes time, dedication, education, and influences some interesting debates. Yet the journey is rewarding and the results proof positive of the investment. Over the course of the next year, I’ll share my experiences learned over the last two decades to ease the journey for everyone.

Sell the concept, reap the benefits

Management responsibility – wait for it –  “must be driven from the top down.“ It’s quoted a lot, and for good reason. And I agree. The outcome of IT assessments, sometimes in combination with finance audits, has a direct impact on the bottom line.

Who would you rather do business with: a company who has process deficiencies and stated exceptions or one that passes the litmus test of standardized IT auditing?

Positive results are an endorsement that the organization is operating efficiently and more importantly securely. This endorsement should be used by your sales and marketing departments at every opportunity.

Building Support

Step one: find the right internal sponsor.  This sponsor should be the liaison to any audit firm partner. While IT management is needed to explain details of process, systems, and applications, they should not be on point. Often the best bet is a leader in finance. Building on years of experience, savvy finance management can simply save money.

Of course there are exceptions; mature IT organizations can fulfill this role with the understanding that it is critical to update senior finance management throughout any audit.

Should IT audit and compliance be managed internally?

This question needs to be asked regardless of the size of the organization. It is common practice to hire external audit firms (opposing) to prepare your organization for an IT audit. Independent assessments can help identify process deficiencies, help with documentation and, more importantly, ensure a smooth audit when it counts.

Quite simply, if you need to bring an organization into “compliance” within a predefined time frame external help may be your only option. If the decision (or only choice) is to manage this internally, then dedicated staff is essential. This team needs the expertise in systems, applications, security and perhaps more importantly the ability to communicate and educate others on why IT auditing is so important. We’ll explore this more in the future (and quite frankly, I’ve seen Michael in action, and he is the master of this  — and he makes it easy for others to do it, too).

One of the best tangible outcomes of this whole process is detailed documentation. Interesting how  there is never time to develop or update documentation; now the excuses are kicked and a valid reason exists. These policies, standards, and other documents are the foundation of the IT department, the keys to success.

What’s in it for me?

Develop this “Culture of Compliance” within the IT department and witness creative solutions being developed with the base principles of security and with forethought into what auditors really want, Who, What, When, and How!

Sound off

How have you developed a culture of compliance in your organization? Or has your compliance car skidded off the road along the path? Engage in the discussion in the comments and we’ll work on getting there together.

Leadership. It’s talked about a lot in today’s information security conferences and books – but how much of it is really happening?

Do we, as professionals, really embrace leadership and its inherent risks, rewards, and challenges?  Or, on the other hand, do we really embrace the status quo with its inherent frustration, ennui, and demotivating drag?

Don’t get me wrong – leadership in any field is hard. I’ve led teams that have done such diverse missions as application development to firefighting to deploying the varied weapon systems in platoon of main battle tanks…and I have come the believe that effectively leading teams in today’s information security environment is one of the most difficult tasks I’ve ever taken on. As I look back, around, and forward I’ve made a few conclusions.

Too much focus on the status quo

I wish I had a nickel for every time I heard a “leader” describe a “good day” as one where nothing went wrong, nothing broke, and (truth be told) nobody even noticed she or her team were there.

Why?

I think because for so long the business has seen information security as the “Department of ‘No!’” that any time we fly above the radar we get smacked – or at least that’s the fear. If the systems run today just like they ran yesterday we call that a win and hope that they’ll work tomorrow just the same way.

This primal desire for the status quo is one of the most significant issues that chains down information security leaders today and it’s a topic I’ll address in more detail later – but suffice is to say that the status quo is rarely, if ever, the ally of a successful leader.

Insane focus on a small group of miracle workers

We have developed an almost unnatural dependence in information security on the work and thinking of small groups over very smart people. We rely on that small cadre of “go-to” guys to design and build our systems, respond to incidents, and help develop policies and procedures – but we rarely leverage that small group of folks to develop larger and larger teams of security oriented co-workers.

Whether we realize it or not we begin to live in a cultural echo chamber where everyone listens to the same presentations at the same conferences, reads the same blog post, and anyone who dares speak out against the conventional wisdom for any reason is suspect…

The Status Quo of the Mojo

The last major impediment I’ve seen is a synthesis of the first two. When you combine an overvaluing of the status quo with an over-dependence on small groups the almost inevitable outcome of a culture of “Please $DIETY, don’t let me screw this up!”

Leaders and their teams become so averse to anything negative (especially if it’s outside the accepted norms of the team) that the goal of the team slowly and immutably transforms from providing the best security for the organization to a goal of not wanting to be caught screwing anything up. This fear (and that’s what it is) leads teams to fall into the trap of wanting to build systems that are “perfect” and “unhackable” and resisting efforts to design or implement systems that don’t meet these standards.

The natural progression of this fear eventually leads to leaders and teams developing and attitude that is occasionally indistinguishable from despair. You’ll hear or read comments like “Why should I deploy $SecurityTechnology? HD Moore could hack it in 5 minutes. Rsnake could get root and own me 25 ways from Sunday.”

Rarely will the speaker or writer of such comments even seem to evaluate whether or not $SecurityTechnology will actually help the organization as part of a complete security plan. Defeat, as the philosopher said, is complete even before a shot is fired.

What can we do about it?

For the next dozen or so posts I’m going to address these issues head on and provide you with a (potentially) counter-cultural view of your role as a leader and hopefully challenge you to rise the amazing challenges we face today in information security.

The light you see coming at you – it’s not a train. Trust me.

What are your leadership goals for 2010? Share you challenges and successes in the comments…

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in episode 6, Into the Breach: Chapter 5 (The Strategy to Protect Information)

Chapter 5 is the introduction to Part II of Into the Breach — where the focus shifts to looking at what needs to be done. I outline a powerful, yet simple, approach dubbed “The Strategy to Protect Information.”

Key is the focus on information, not data, and the three steps that any organization must follow in order to be effective. The balance of Part II explains how – but just learning and understanding the three part strategy is transformative.

After listening to this chapter, you will know the strategy and be able to apply it to your current challenge — small and tactical or larger and organizational.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

by Dennis Kuntz

Most people like attention. Just like we did when we were kids, to get that attention we sometimes engage in good behavior and sometimes in bad behavior. As a parent I know that a sound approach is to focus on and reward the good behavior, while not giving the attention sought via the bad behavior.

A perspective among some information security practitioners seems to have emerged: This industry is mean to newcomers. People I respect – though admittedly only through my exposure to them via Twitter and some subsequent blog reading – have recently lamented the current state of the information security community vis-a-vis its collective attitude toward newcomers and those who legitimately want to learn.

One from Rafal Los goes so far as to say that “Infosec is Rotten”, and elaborates from there. The other, from Dave Shackleford, is less strident but offers a similar stance (and offers a lot of practical advice for those new to information security practice, by the way). Their main points are:

1. There are cliques within the established information security community

2. Members of those cliques seek to humiliate those asking certain questions – especially when those asking identify themselves as “new” to information security

3. As a whole, the information security field is not “welcoming, or mentoring, or open-minded about new people coming in.”

Based on my own experience, I’ve seen what they’re talking about when reading responses to blog comments, on social media outlets, and in forums, etc. I have wondered about it myself: What motivates it? How pervasive is it? How much of an impact does it have on those trying to enter the industry?

It has intrigued (but not surprised) me that a group whose genesis (it could be argued) stems from being socially outcast would naturally create socially-oriented subgroups that outcast others: Narcissistic exclusivity happens.

However, I don’t think it’s as widespread as some make it out to be. There may even be a more powerful trend of good people reaching out to assist others. Either that, or at least the positive influences in information security deserve an equal – or greater – due as do any negative cliques.

When I have had questions or needed a boost, there have been positive voices willing to reach out and lend a hand. And they have never asked me whether I am seasoned, green, or somewhere in-between.

From Michael Santarcangelo (@catalyst on Twitter) who has had nothing but guidance and help to offer, to Jamie Levy (@gleeda) who has helped me – pleasantly – with questions ranging from general forensics to troubled PyFlag installations; from Rob Fuller (@mubix) who has offered assistance with Offensive Security training, to H.D. Moore (@hdmoore) offering his thoughts on VM’s “endian-ness”.

The resumes of the names I have listed are impressive – these are not information security lightweights. And the exciting part is that these are only some of the people who routinely help others – I couldn’t begin to name all of the ones from whom I’ve had helpful, generous contact.

The good elements of information security are there, and they are active. Maybe we need to do a better job of seeking them out, engaging them, listening to and amplifying their efforts. Certainly their knowledge should be absorbed, and their l33tness bowed down to, but just as importantly, their generosity should be acknowledged and they should be thanked. Giving more public props to and highlighting the efforts of those who are doing The Right Thing will help to steer those impressionable newcomers in the right direction. We should also individually strive to emulate these people. This will put the attention and focus on what – and who – is more productive and better represents what we think our industry should be like. Ultimately this will be better for all of us.

(A note: yes, everyone I mentioned is on Twitter; that’s where I’ve “met” more information security people than anywhere else. I’ve met some in person and even become friends with some. And it’s a good place to interact with and learn from them).

by Jeff Kirsch

Recently, my son told me a story about how he played chess with a friend at school. In his story, he said his friend executed a certain move; my son then asked me if I had ever tried that move. I was a bit confused; I’ve played chess on and off for at least 20 years, but I’ve never heard of this play. My son asked if we could play, and more importantly, if I could teach him. Looking at the clock, I thought about how I needed to get his siblings into bed, and that he needed to read a book for school.

He promised to read his book while I put his siblings to bed. After the other kids were in bed, I got him from his room (where he had read a chapter of his book), and we headed downstairs for his lesson.

I explained the chess pieces and how they moved; he remembered this from the last time we played. We began the game and I watched him bring his plan to fruition. I didn’t start with very much instruction, because I kne

w that the best instruction comes when you are “deep in the weeds”, so to speak. I took a few of his pieces, and the teaching began.

For each of his moves I helped him see what my next moves could be and how that would affect what he should do. With each move, he needed less and less instruction, but his questions became more complex. Of course, like most novice chess players, he still needed help remembering how the pieces moved (especially the knight). Looking at the clock, I realized it was just a few minutes till his bedtime, so I finally made an exchange of pieces I had put off for most of the ga

me. A few moves later he was in checkmate. He looked at me with a huge smile on his face and gave me a big hug. “That was fun, Daddy,” he said as I squeezed him tight. “I can’t wait to play again.” That is when two thoughts struck me, which I shared with him, and which I’ll share with you now.

In losing, you win

We hear all the time that most successful people failed, sometimes more than once, before

being successful. Even after those people “made it”, they still face bumps in the road. What came out of my mouth first to my son was, “In losing, you win.” I went on to explain that you have to lose a lot of games of chess in order to learn how to play the game. This came out almost automatically, but then I started to reflect on what I had said. I realized that I wasn’t just talking about the game, I was talking about life and all the challenges we face.

In information security it is easy to become overwhelmed. We always feel like we are three steps behind. We put together teams, we focus on security and secure practices, and try to funnel everything down to a few points where we can protect our vulnerabilities, only to find that someone left the back door open. To add insult to injury, we get raked over the coals because the one thing we forgot compromised everything we were trying to protect. However, until the day you forget to lock one door, you have no real concept of the consequences that await when you do fail. In that moment of failure we have the ability to learn the most.

A plan is good, but plan flexibly

My son went into the game thinking there was a defense he could set up in the beginning that would win the game. What my son didn’t take into account was that I would have a turn, and that I could attack his defense – thus also keeping him from the offense he had planned. He immediately understood his mistake and explained to me why he should have paid attention to what I was doing. I was again hit with the realization that the lessons from this game were more than just lessons about a game. If we only plan to defend our systems from attack, we fail to see the most critical vulnerability and fail to account for a possible offense.

Flexibility is critical not just in information security, but in all aspects of our personal and professional lives. People who plan ahead certainly can start out of the gate faster, but when they get a few miles down the road and their tire goes flat, how do they sustain momentum? If you can adjust your strategy not only to account for defense, but also to incorporate an offense, you double your chances for success. In the end, you even the playing field by using your strengths and understanding your opponents’ weaknesses.

In a moment of just playing a game with my son, I re-awakened the magic of chess and learned some valuable lessons. There are plenty of people who make fun of the game and those who play it, but there are just as many (if not more) who play it and get it. When you realize that it is not simply a game, but that it also has many lessons to impart, you find that “losing” really isn’t losing. But just as in chess, you’ll encounter people who don’t get what you do or why it is important. Instead of discounting them, find a away to convey what it is and why they should care. You aren’t going to convince everyone and it won’t be easy, but giving up before you start says a lot about your character and reflects the quality of your work.

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about this how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

In chapter 3 : Breaking the Security Diet

Breaking the security diet is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this “fad diet” approach and shines a light on the new fad diet: encryption. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information.

Put the power of Into the Breach to work for you

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

My career has now spanned almost 12 years, and it still amazes me how so many managers and executives consistently make bad decisions and then are surprised by the results.  As the economy has gone bad, you’d think that people would be a little more judicious about how they spend the small budget they have remaining, but that’s turning out not to be the case.  Surprisingly, I think the vehemence with which we’re shooting ourselves in the foot has increased as the budgets have shrunk.  Now that the economy has bottomed out and is (supposedly) on the rebound, is there any chance of changing some of the behaviors before the upswing takes hold?

Let me ask you a different question: If you lived in Chicago and your house needed a new roof, would you just go out and buy the one recommended by your buddy out in San Francisco, because he’s thrilled with his new roof?  Hopefully, the answer to this is no.  You may take a look at it, but I’d hope that you would confirm that the structural integrity is insufficient for the added wind, cold, and snow weight that Chicago roofs experience.  Once selected, would you allow the contractor to cut corners on your roof installation just to make a specific deadline?  Is a permanently leaky roof worth a couple of weeks?

If you wouldn’t blindly purchase something for your own home based solely on the recommendation of a friend, why would you purchase a product for your company based on the recommendation from a vendor, a colleague in another industry, or a conversation on the golf course?  How can you justify the potential risk?  What happens to your reputation when the product in question doesn’t perform as expected?  Where does the budget come from if you end up having to replace the entire thing?

When budgets are tight, there are better things to purchase with what little you have than bullets for your foot, and there are three very simple rules that can keep your munitions purchases at bay:

1. Don’t ‘ decide’ on a due date, calculate it.  Implementations take time and resources.  As much as you might want something in production by the end of the quarter, it might not be possible to do in a reasonable way.  Before committing to a date that’s just not feasible, spend a little time to determine the effort involved and lead-times for any purchases/installations that may need to be made, and to assess the availability of the resources required.  Then calculate a plausible due date based on the reality of the work effort and be sure to document the consequences of cutting corners, should that still be desired.  Sure, there will be instances when time is of the essence, but those are not as frequent as most people think.  When you consider long-term support costs and the massive adjustments that are usually needed to make a quickly installed product work, the calculated ROI is rarely met, and the costs to reputation and morale are higher than many would like to admit.
2. Don’t ‘make up’ budget numbers, calculate them.  We all instinctively have assumptions about how much something should cost.  Some of us are better than others at guesstimating accurately.  Most of us underestimate – significantly!  So before publishing a number that just doesn’t make sense, do the math.  There’s truly nothing to be gained by setting the expectation that the desired work can be done for half the actual cost.  If the true cost is prohibitive, then the negotiations need to start, and the consequences should be documented and accepted for each item cut.  But if you’ve dug yourself a hole before the negotiations have even started, you’re in for a world of hurt.
3. Don’t fit your problems to a pre-determined solution, pick a solution that fits your problem.  No matter how nice the vendor is or how much you value your golf buddy’s opinion, the product they’re pushing may not be the right one for your company.  The only way to know for sure is to gather requirements first, based on the actual needs, desires, and roadblocks currently being faced by your company.  Then you can assess whether the desired product fits the bill.  If it doesn’t, don’t buy it!  If nothing fits the bill, pick the best option, or consider waiting for future developments.  In any case, be sure to document the trade-offs, and get agreement that they’re acceptable.

Simple, right?   But if we were all doing this, I wouldn’t be writing about it.  The problem is that it has become acceptable to ignore the rules, and anyone who doesn’t follow suit is viewed negatively.  The real challenge is for each of us to take the personal responsibility to follow the rules, regardless of our position in the company.  Only then will we change the expectation and make it unacceptable to ignore the rules.

How often do we take a drive and realize what we see around us? I know I can drive to and from work, or to a familiar destination and never see what is around me. I am not talking dangerously oblivious, mind you, but sometimes you miss the details of what you pass. Then one day you take some time, for whatever reason, to look and actually see. Typically the phrase “I don’t recall seeing that before” comes to mind in these situations. This behavior isn’t just limited to driving, but to any task we may do that could be considered mundane or repetitive. If this becomes commonplace in our routines, it can affect how well we perform our jobs, and potentially lead to critically missed opportunities.

Stick a Fork in it

Occasionally my family decides to have pancakes for breakfast, but more frequently we have them for dinner. My kids favorite of the three varieties I make are chocolate chip. I make three different kinds because you never know when someone is in the mood for one type, and if you make just one or two you are more than likely going to disappoint someone. In addition to the favorite chocolate chips, I also make blueberry and plain. Since the crucial ingredients are not thrown in until the batter is on the griddle it is very easy to make “custom” meals.

Recently, my oldest son decided he likes both blueberry and chocolate chip. It seemed like any other meal, and we had just had pancakes the previous weekend. I made them the same way, all the while to the chanting of three little voices saying “we want chocolate chip” and one little tiny voice saying “dadadadada”. I brought the plates to the table full of pancakes and everyone claimed their favorites. As I was helping my daughter get some pancakes on a fork I heard a sudden surprised exclamation from my oldest son on the opposite end of the table. As I began to turn I could see a look of surprised laughter on my wife’s face. She was trying to hold it back, but as I completed the turn to look at my son I couldn’t help but laugh out loud. All over his face was blueberry, in little speckles indicating something had burst. “I just stuck my fork in it to cut it and it exploded” were his first words. The whole table burst into laughter and we continued to eat our meal, but with caution.

Take it In

When we talk about technology and information security, we know that the landscape for threats is always changing. A person responsible for maintaining systems could sing the horrors of having to make sure all systems are properly patched. Likewise, those who are responsible for monitoring threats to the technology receive new information continuously about areas most at risk. In this fast paced world we try to keep up, but find we are always one step behind. We are left to maintain and defend from the known, while someone plans the unknown. Do we just give up, throw our hands in the air and walk away? Perhaps we need to take in all that we have missed while fighting the fires of the day.

In the information security community, we need to put our fears aside and see all that is around us. Putting ourselves in the mindset of someone who wants what we have can make us feel uneasy but it gives us a new perspective. It helps us identify areas others might want to try as an attack vector, and then makes us evaluate the risk and implement a strategy based on the threat. I know that taking time away from our responsibilities seems like a fantasy, but what we may find is that we streamline our everyday tasks by attacking our own thinking. We marvel at how fast technology moves and lament when we don’t get the features we desire now. For all the lamenting, we tend to keep our thinking a few technologies behind. There will come a time, if we continue on that path, where something will blow up in our face. Better to take in what’s around us at least once in a while to see what we are missing. We might possibly get the upper hand.

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 2: People Just Want to do their Jobs)

Chapter 2 reframes the challenge with powerful insights about the way people “just want to do their jobs.” Michael introduces what he calls the two principles  – a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, “Compliance is not a video game” and reveals that a common approach of “exclusion” is creating more harm than good. The chapter wraps up with a discussion of “the human response to pain” – with a common example played out in organizations everywhere.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 1: Breach: A Human Problem)

Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.

Update from Michael: the updated approach is to focus on the human paradox – introduced in this segment – that points out the unintentional, but systematic, disconnection of people from the consequences of their actions. This means “breach” and information protection is less a human problem than a paradox; my focus is on connecting people back to the consequences of their actions and presenting solutions that turn the cost of working with people into an investment.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this second segment, Michael continues the explanation of the steps businesses must take to protect information, then reveals how the Catalyst Method(tm) explained in his book allows businesses to reduce costs and even increase revenue!

Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this segment, Michael discusses the impact of security breaches, the hidden damages and explains his personal experience in how these events can happen to anyone. The segment ends with Michael outlining 5 steps every business must take to protect information.

Welcome to the Security Catalyst Program – bringing you the ideas, insights and tools necessary to change the way people protect information. I am Michael Santarcangelo, your personal catalyst on this journey. Thanks for listening!

On today’s program, we explore Certification and Accreditation with the help of three experts who share an absolute wealth of knowledge.

A few quick notes

1. Into the Breach is available as an eBook and signed Hardcover from www.intothebreach.com Learn more about how to engage users, restore responsibility and hold people to account. In fact, this book lays out how to reduce costs without increasing risk, turn insiders into allies and manage people, information and risk better.

2. For 2009, I am excited to announce the expansion of the Security Catalyst Blog – with the awesome Catalyst Contributors. Visit the blog each day to get a fresh perspective

3. I’m in the process of revamping the podcast series for 2009. I know a lot of people are struggling – and in addition to being a voice of optimism, I’m building a team to share information and strategies necessary for making a difference this year. If you want to contribute, or if you are facing a challenge and need some help – shoot me an email: securitycatalyst@gmail.com

Stay tuned for more information.

For today’s program, I am joined by Mike Smith, Graydon McKee and Joe Faraone to discuss C&A.

Links at a glance

The presentation that started the idea for this episode: http://www.slideshare.net/rybolov/why-care-about-government-security?src=embed

Graydon, Joe, and Mike teach 2-day C&A workshop and a 5-Fridays NIST Framework for FISMA workshop for the Potomac Forum. http://www.potomacforum.org/

Graydon’s blog: http://www.ascensionriskmanagement.com/BlogOne/

Papers and presentations: http://www.ascensionriskmanagement.com/BlogOne/paperspresentations/

Mike’s blog:http://www.guerilla-ciso.com/

Papers and presentations: http://www.guerilla-ciso.com/papers-and-presentations

The most relevant NIST publications are special publications 800-37 and 800-53, available here: http://csrc.nist.gov/publications/PubsSPs.html

About the Experts

Mike Smith

Michael Smith is a Manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, where he leads engagements to provide security services to both commercial enterprises and government agencies. Prior to Joining Deloitte, Michael served as the Chief Information Security Officer with the Unisys Federal Service Delivery Center based in Reston, Virginia.  His scope of responsibility included both providing governance and managing risk for several data centers, Security Operations Center, Network Operations Center, and Server Management Team.

Graydon McKee

Graydon McKee is the Vice President and Chief Operating Officer of Ascension Risk Management LLC.  Graydon is an accomplished Risk Management/Information Security professional with extensive experience in developing and implementing Information Risk Management and Information Security Programs to clients in both the public and private sector.  He is a recognized leader in government regulatory compliance (Federal Information Security Management Act and the Defense Information Technology Security Certification and Accreditation Process compliance) and has taught the process to over 2,000 individuals representing over 600 federal government agencies and offices. 

Joe Faraone

Joe Faraone is a Senior Information Security Architect with GCI Corporation, based in Reston, Virginia with over 20 years’ experience in Information Security. Joe has delivered services for numerous Federal customers including Certification and Accreditation support, Security Governance Gap Analysis and Independent Validation and Verification (IV&V).  Over his career, he has served as Lead Independent Security Engineer, Manager and Architect of a managed security center for an Intelligence Community Agency, and has performed Certification and Accreditation services for several high-assurance systems.

 ”It’s not communication unless the message sent is the message received.”

Wise words from my father. The quote may have originated elsewhere, but the words ring true. Too often, we fall into a trap where once we have “sent” the message, we expect that it was “received”. How do we know? Do we really *want* to know?

 Let me demonstrate:

Recently, my team was charged with placing a way to securely send emails to customers, clients, and partners. Additionally, the solution would need to scan the content and attachments for information the organization wanted to leave only in a secure fashion.

Once implementation was completed, marketing announced the arrival of the tool and how it could impact workflow, taking extra steps to give it a positive spin. To help reduce false positives, we passively monitored and modified settings as needed, then after a few months the system was activated and blocking began. We knew no system was perfect and occasionally communications are prevented that shouldn’t be, so we gave a method to bypass the secure mechanism. The message flow looked something like this:

1. Secure device receives email and encrypts if requested
2. If not requested, scans email and attachments for sensitive data
3. If sensitive data found, blocks email from being sent and provides example to user showing how to send securely or bypass the mechanism if appropriate

Almost immediately, my team received responses from individuals with blocked messages calling the service “stupid”, “idiotic”, or “a waste of time”. Comments were sometimes followed by personal insults as well, even though they were sent to a distribution list with no specific personnel attached.

As I’d only recently joined the organization, I had an extremely difficult time not taking the responses personally despite the fact I had nothing to do with the secure messaging implementation. While I suspect the perceived disassociation of sending to a distribution list instead of more personal contact encouraged the comments we were receiving, it didn’t make them any easier to read.

However, after putting my feelings aside, I started analyzing what the users were trying to communicate and quickly discovered a common theme:

Despite being given an example in the blocked notification, users were frustrated because didn’t know how to use the bypass.

I began digging deeper, trying to figure out *why* the example, and hence the communication, was not effective. It turns out the automated response was extremely wordy, difficult to understand, and very passive-aggressive in regards to auditing and consequences. No wonder we received such heated replies!

I’m in the process of revising the automated response. In addition to making the information more concise, we’ll also being redirecting users to the Help Desk if they need immediate assistance. Once the Help Desk staff is trained on how to respond to their customer’s issues, I hope satisfaction with the secure messaging tool will increase greatly. If it doesn’t, I’ll wash, rinse, and repeat the analysis cycle again to find where the new shortcomings are. Because really, it’s not communication unless the message sent is the message received.

You can follow along live! At this link:

http://www.microsoft.com/smallbusiness/summit/

I am a day 2 speaker – with an impressive lineup of guests:

http://www.microsoft.com/smallbusiness/summit/guests.aspx

This is a live program, but I have been working with the producers for a few weeks now – and I am excited about the questions, thought process and opportunity to share some different thinking about what businesses need to do to protect them. More, we’re also going to explore how the right approach to protecting your business can actually save money and increase the opportunity for more revenue (as outlined in Into the Breach). To me, that’s a really cool conversation.

I hope you check it out. I look forward to the opportunity continue to conversations through this blog, the podcast(s) and as we fire up the diesel and head out on the road again (Friday – next stop, Kansas City!).

To be clear, this does not diminish network security, network operations or anything of the sort. That directly supports my point: done properly, the network operates in a way that does not impose a burden on users.

While at the “Apple Festival” last weekend, we took time to visit one of my favorite exhibits – a museum of working, but retired, farm equipment. Much of it is from turn of the century through the 1960s. Some of the equipment was routinely used in the act of farming and other support roles until the 1980s and 1990s.

I can’t explain why, but I have always been drawn to pickup trucks, tractors and flashlights. So to see a working series of tractors far older than I is simply amazing. As a kinesthetic learner, I am immediate transported back in time – and allow myself to be fully absorbed in the moment. I love learning. Period. But I really love learning about history – and specifically how improvements shifted the way things were done.

That brings us back to security. I have a sense that many organizations have lost sight of what they do, what they provide. The recent break-in and burglary of our RV put us in contact with a lot of different organizations. The responses have been interesting- and illuminating. And when the emotion has had a chance to subside a bit, I’ll post a transparent account of what we learned. What I can share today is that many organizations have lost a sense of who they are, what they do and who they serve.

But it is not too late!

Last Sunday, I watched simple -yet powerful and impressive — machines in action. What struck me most was the fact these machines were designed and used to make it easier for people (farmers, in this case) to do their jobs. It allowed them to do more with less, expand their farms, provide for more people or make more money with the resources they had. These simple machines (especially by today’s standards) were powered independently, easy to understand, use and repair. Did I mention they still work?

In fact, these machines were so simple that my five year old could quickly and easily understand what they were, what they did and how they worked. Can you say the same about the way information is protected in your organization?

The more we travel, the more I meet with people who explain their elegant laptop encryption solutions, extravagant VPNs and others measures to protect information. But when I have the opportunity to work with the people upon whom these ‘solutions’ are inflicted, I find that the solutions were not designed and implemented with people in mind; as a result, it actually makes it harder for people to do their jobs. This brings the unintended consequence of further disconnecting people from their responsibility to protect information – and ultimately creates more risk that is more difficult to assess, measure and manage.

I wrote Into the Breach to present a straightforward solution that any organization can use to make an immediate difference in the way people protect information. We are launching the Protecting Information Program to provide the additional guidance, insight and accountability people need to make the shift. I look forward to the opportunity to meet and support your efforts to make the change and join me in the challenge to change the way people protect information.

Until then, when you can, go check out some old farm equipment – and notice how it made it easier for people to do their jobs. Then ask yourself a simple question: is the solution I am working on going to make it easier for people to do their jobs?

On the ride there, my children asked for some jazz on the radio and then called out the different things they ‘saw’ in the clouds. The list was common (trains, dinosaurs, bull dozers…) – and encouraged my wife and I to gaze up to “see what we could see.”

The ‘apple festival’ was held on some local fairgrounds that are well established, including some museums, pavilions, horse stables and a music amphitheatre (well, it has a stage and benches). The real gem of the day was the music and the freshly cooked food that was a little less than the picture of perfect health.

With a batch of fresh-cut French fries, we sat on some benches and listened to a jazz group entertain the crowd. When the fries were gone, I lay back on the bench and just looked up at the sky. The ride to the festival still fresh in my mind, I started to look for patterns. The first few looked like inkblots to me, then I saw some x-rays and finally, the imagination kicked in and I saw dinosaurs, alligators and a host of other things. Soon, then entire family was looking up at the clouds – in the middle of the festival around us, we celebrated the clouds.

For a few minutes, I was entirely in the moment. I absorbed the fall hue the sky took on, enjoyed the clouds and was content with the world.

Then it hit me – we allow ourselves to be so focused on the technology and the need for immediate solutions that we fail to take the time to let the clouds roll by. This leads to  vicious cycle where the so-called solutions actually create more problems. When we can step back and just let things be – we can see them for what they are. More:

• We can look for simple solutions; the ones that probably work best and require the least.
• We can allow our creativity to come through – and we certainly need more of that in nearly every aspect of life.
• We can relax, experience life and find common, but powerful, ways to connect with those around us – whether friends and family or our colleagues (which for some of us comprise our friends and family)

Technology has a place in our solutions. We live in a dynamic world with some interesting and often complex challenges. Such challenges require equally dynamic – but SIMPLE solutions. The way to get to simple solutions is to step back, gather, absorb, ponder, plan and test. This leads to the right requirements that generate solutions that work.

Want to develop better solutions? Then create better requirements. Here are three steps to get started:

1. Take time to first understand – then engage in conversation to reach a mutual agreement on what the end goal is.

2. Enjoy some time to ‘look at the clouds’ and test a range of ideas – creativity counts. Stepping back with a more complete understanding allows for better requirements, better solutions and less overall complication.

3. Document the requirements independent of the solutions and use them as a guide.

There are more steps – and I will be explaining and using them in the coming months as we take a closer look at the burglary of our RV – and how it has improved our planning and actions on a personal, family and business level.

While you have the opportunity – step outside today and look up at the clouds. If you can’t see trains, dinosaurs, dragons, roller coasters and a heap of other things, then maybe more cloud gazing is the answer for personal and professional success.

Continue the conversation with me

•       On twitter: http://twitter.com/catalyst
•       In the Security Catalyst Community (scc): http://www.securitycatalyst.org/forums/index.php
•       By email or telephone: http://www.securitycatalyst.com/contact.php
•       OnTour – heading back out in a few days: www.catalystontour.tv (and I’ll be updating the schedule and other information this week)

About Michael

Michael Santarcangelo is a human catalyst. An expert who speaks on information protection — including compliance, privacy and awareness that works — Michael energizes and inspires his audiences to change the way they protect information. His passion is contagious and approach gets results that shifts thinking and changes behaviors. Add the Security Catalyst to our organization today to get the results necessary for success.

Our guest for this episode is Zach – security professional, friend of the show and curator of the Security Twits list.

Twitter: www.twitter.com

Zach: http://twitter.com/quine

Michael: http://twitter.com/catalyst

Martin: http://twitter.com/mckeay

 

Security Twits: http://n0where.org/security-twits/

 

Next Recording: Saturday, October 11, 2008 @ 10a Eastern – look for the live stream (and your chance to participate) around 10:15.

 

PS: 10 Days after the break-in and theft – we’re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we learned and how we are going to improve. I’m also following the advice of my book – and will be publishing a set of requirements and inviting participation as we all learn smarter ways to protect ourselves. This will hit home for small businesses and those who travel a lot. 

I am confirming some exciting opportunities this week and next – and should be back out on the road within the next 10-15 days. The theft slowed us down a bit, but has not stopped us. Not one bit. Thanks for your continued support and help!

Join me on Friday – September 19^th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.

I’ll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!

Join In!

Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client.

To listen and join in – including to ask questions and engage in the conversation, launch your browser an click here: http://www.talkshoe.com/tc/25233 on Friday at 2pm ET.

Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233.

Martin McKeay and I are evolving the Security Roundtable: we’ll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we’ll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us.

Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static “panel” of people, we’re exploring more voices, shorter segments and more interactive. We’d love to know what you think, what you want to hear and if you want to be involved.  

While we consider this recording to be an experiment – it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program.

Our rules are/were simple: no sales pitch. Marc didn’t need the rules – he’s got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions.

Security Roundtable for September 13th, 2008

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT.  I’ll be in Las Vegas – so for me, it will actually be nice and early (and I’ll find some Mountain Dew before we start – MD should sponsor me!).

Join me on Friday – September 19^th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.

I’ll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!

Join In!

Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client.

To listen and join in – including to ask questions and engage in the conversation, launch your browser an click here: http://www.talkshoe.com/tc/25233 on Friday at 2pm ET.

Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233. 

Every day, dozens of new vulnerability or virus alerts are released to warn and inform the public. The IT community, including those in IT security have become fairly numb to these alerts. For the most part, as long as patches are pushed out, and antivirus signatures are kept up to date, these releases make little impact. The occasional worm or botnet will grab headlines, but the accompanying vigilance soon fades. It’s an unfortunate consequence of the virulent Internet environment.

I have never had much interest in using my Facebook account, so when I saw the advisory relating to Facebook and Myspace virus activity, I let it fade into the background noise. In fact, my inbox was filling up with “silly” Facebook notifications to the point of annoyance, so I logged in with the intention of clearing out my connections. Taking stock of the large number of friend associations that I had led me to an AHA moment; EVERYONE uses Facebook.

Facebook isn’t just a toy for feinding teens. It is used by people of all ages on all of their computers, whether at work or at home. It is a fertile breeding ground and conduit for Web 2.0 content. In this case, it is the perfect launch pad for a worm: huge market penetration and a very large and mainly clueless wetware population.

The same can certainly be said about most other virus outbreaks. But in the case of Facebook, there are simply too many good reasons to make that fateful click. Users may think twice about falling for a phishing scam or even clicking on the dancing pig, but Facebook is the forbidden apple. I am not advocating taking any actions against Facebook use. The resulting effort would be a waste of time.

Consider the following example: A toy manufacturer announces a recall of a popular toy due to dangerous chemical contained within. Your child doesn’t have the toy, but you will probably want to make sure that his school and friends don’t have it either.

Take the time to generate an internal email blast warning all employees to be extra careful. Spend a little more time looking at security logs. Finally, take a walk over to the help desk manager and ask him to keep an eye out for increased ticket volume.

Don’t ignore this one.

Whether responsible for security awareness training — or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information.

This month James Costello and I break down – in less than 20 minutes — how to use Pop Culture references and examples to explain two simple security concepts: trojan horse and social engineering.

Time is tight – so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute!

Direct Link: TSC-20080716.mp3

Call for challenges

 Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com

 Phone number is 206-350-8346

== Detailed Show Notes After the Break ==

(and by detailed, I mean… wow. Detailed – Thanks to James for pulling the links together!!)

On this episode

5 Critical Life Lessons your can Learn from Kung Fu Panda

http://www.dumblittleman.com/2008/07/5-critical-life-lessons-you-can-learn.html

 

The Trojan Horse

•       Defined:  Wikipedia – original Trojan Horse – http://en.wikipedia.org/wiki/Trojan_horse
•       Wikipedia -Trojan Horse in computing:  http://en.wikipedia.org/wiki/Trojan_horse_(computing)
•       Dictionary.com – http://dictionary.reference.com/search?q=trojan+horse&x=0&y=0
•       Whatis.com – http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html

Examples:

Ocean’s Eleven – not the good one with Frank Sinatra, the remake with George Clooney

•       IMDB link – http://www.imdb.com/title/tt0240772/
•       NetFlix link – http://www.netflix.com/Movie/Ocean_s_Eleven/60021783?trkid=222336&lnkctr=srchrd-sr&strkid=1922003599_0_0
•       Trailer – http://www.imdb.com/title/tt0240772/trailers-screenplay-vi1822294297
•       Hulu clips:  http://www.hulu.com/search/oceans+eleven?company=tbs&type=all

Example of a scene:

the container that supposedly contains diamonds sent to the vault that the acrobat is hiding inside.

 

Thomas Crown Affair (Pierce Bronson and the Hottie Rene Russo)

•       IMDB link – http://www.imdb.com/title/tt0155267/
•       NetFlix link – http://www.netflix.com/Movie/The_Thomas_Crown_Affair/22589663?trkid=222336&lnkctr=srchrd-sr&strkid=1347506257_0_0
•       Trailer (Requires Real Player) – http://www.film.com/movies/mediaplayback/the-thomas-crown-affair/17115147

Examples of scene:

Early on in the film a statue of horse is delivered to the museum.  No one knows what to do with it so it gets set off to the side.  There are several people hiding inside who break out to break into the museum

 

Monty Python and the Holy Grail

•       IMDB link – http://www.imdb.com/title/tt0071853/
•       Trailer link – http://www.imdb.com/title/tt0071853/trailers-screenplay-vi1217855769
•       NetFlix link – http://www.netflix.com/Movie/Monty_Python_and_the_Holy_Grail/771476?trkid=222336&lnkctr=srchrd-sr&strkid=784608964_1_0

Scene:  Attacking the castle the French have taken control of – Trojan Rabbit

This is an example of how some really bad malware is written – the package gets delivered before the payload is really ready and trojan rabbit will get shot right back out of the castle

 

Social Engineering

•       Wikipedia – http://en.wikipedia.org/wiki/Social_engineering_(security)
•       Dictionary.com – http://dictionary.reference.com/search?q=social+engineering&x=0&y=0

 

Examples:

Wall Street

•       IMDB – http://www.imdb.com/title/tt0094291/
•       trailer – http://www.imdb.com/title/tt0094291/trailers-screenplay-vi3554738457
•       NetFlix link – http://www.netflix.com/Movie/Wall_Street/60003330?trkid=222336&lnkctr=srchrd-sr&strkid=790572831_0_0

Example scenes:

a) talking with his buddy (James Spader), the attorney is initially reluctant to share any information, but Charlie Sheen’s character convinces him that everyone is doing it

b) posing as a janitor to gain information.  Who has access to your office when you are not there.

 

Monty Python and the Holy Grail

•       IMDB link – http://www.imdb.com/title/tt0071853/
•       Trailer link – http://www.imdb.com/title/tt0071853/trailers-screenplay-vi1217855769
•       NetFlix link – http://www.netflix.com/Movie/Monty_Python_and_the_Holy_Grail/771476?trkid=222336&lnkctr=srchrd-sr&strkid=784608964_1_0

Example of a scene:

Where Lancelot goes to the castle filled with women because of the Grail shaped light at the top

Also the women attempt to use sex to keep the knights at the castle

 

Fletch

•       IMDB link – http://www.imdb.com/title/tt0089155/
•       trailer link – http://www.imdb.com/title/tt0089155/trailers-screenplay-vi3064398105
•       NetFlix link – http://www.netflix.com/Movie/Fletch/510088?trkid=222336&lnkctr=srchrd-sr&strkid=1956738209_0_0

 

Chevy Chase/Fletch uses social engineering to obtain the information he needs – he uses disguises, voices and fake ID’s to get what he wants

 

Would you participate in a live, call-in show?

If so, send us an email!!

 

Coming Up

August: Lessons learned from Burn Notice on the USA Network

This is available, free, as a streamed series. Plenty of clips. Anyone has access and appeals to a wide audience.

•       USA Network – full episodes:  http://www.usanetwork.com/series/burnnotice/video/fullep/
•       USA Network – Clips:  http://www.usanetwork.com/series/burnnotice/video/new.html
•       Hulu – Clips:  http://www.hulu.com/videos/search?query=burn+notice

If nothing else, check out the interviews with Matt Nix. Brilliant writing!

 

September: Back to School Edition

Thinking about School of Rock and Back to School and maybe Summer School thrown in for giggles. Got ideas? Want to be part of the show?

 

Movie to watch this month for ideas

Social Engineering – Defcon last year – our friend Mike Murray presented The Science of Social Engineering: NLP, Hypnosis and the Science of Persuasion – available on Google Video here:  http://video.google.com/videoplay?docid=-1210687204734530548&hl=en

(and no, he didn’t “persuade” us to include this. It was the Jackson he slipped us)

 

Call for challenges

 Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com

 Phone number is 206-350-8346

  ]]> http://www.securitycatalyst.com/2008/07/security-catalyst-show-pop-culture-security-edition-july-2008/feed/ 0 catalyst,monty python,PCS,pop culture security,social engineering,thomas crown affair,trojan horse Whether responsible for security awareness training -- or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information. Whether responsible for security awareness training -- or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information. This month James Costello and I break down -- in less than 20 minutes -- how to use Pop Culture references and examples to explain two simple security concepts: trojan horse and social engineering. Time is tight - so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute! The Security Catalyst no http://www.securitycatalyst.com/2008/07/the-july-security-rountable-is-available-battling-botnets-with-botnets/ http://www.securitycatalyst.com/2008/07/the-july-security-rountable-is-available-battling-botnets-with-botnets/#comments Wed, 09 Jul 2008 14:51:31 +0000 Michael Santarcangelo http://www.securitycatalyst.com/blog/?p=473

Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/

The discussion ran a bit longer than we alloted, yet even on our review listen proved worth every minute. We raised some interesting questions and look forward to sharing the conversation with you. This is only the beginning and we invite you to share your ideas, insights and feedback in the Security Catalyst Community. 

 

Thanks to the panel:

• Colin Dixon | http://www.cs.washington.edu/homes/ckd/
• Andrew Hay | http://www.andrewhay.ca/
• Martin McKeay | www.mckeay.net
• Michael Santarcangelo | www.securitycatalyst.com & www.intothebreach.com

Joining the conversation in the Security Catalyst Community

Share your ideas in the Security Catalyst Community. Your participation is your currency (means no charge to join) – the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

The last article in this series explored the top three reasons why group have a tendency to reinvent the wheel (read it here, or the entire series started here). And now, some solutions:

Beyond the frustration caused by an approach that simply recreates the wheel, the result is often a solution that is not trusted and therefore readily cast aside in favor of the next offering. To put a stop to this cycle requires taking a different approach. Success has to be based to fundamentals and sound principles.

 

How to do it?

A key part of the solution is to enter into deliberate discourse (note: this is a central theme of Into The Breach and a topic I am passionate about). More voices with an opportunity to review, consider and contribute have the potential to lead to a better product. For this to lead to a better product requires a strong leadership team with enough expertise to guide and the skills to help facilitate and negotiate the final result.

Instead of starting with a blank slate, it is a good practice to build on the success of others. When it comes to strategies that protect information, we have plenty of choices – frameworks like ISO 2700x, PCI, FISMA, etc. However, limiting the solution to a narrow set of industry standards may not yield the best results. Sometimes, real progress comes at the intersection of industries (to gain more insight on this approach, consider reading: The Medici Effect) – leveraging how the medical, engineering or other industries have dealt with and handled challenges may bring valuable insight to the effort at hand.

The advantage to building on the validated and transparent work of others is the ability to avoid conjecture and “gut feeling.” This is the challenge: there are few shortcuts to spending the time to outline, think, plan, distill, check, cross-reference. This is an area where transparency really provides a benefit.

When the group of professionals is assembled, here are three steps to harnessing the collective power, building on the wheel (instead of building a new wheel) and reaching a point of success:

 

1. Capture and distill frameworks (or solutions)

Start by presenting a model to work from, based on an existing solution. In general, individuals and groups struggle to create but excel at editing and revising. With this in mind, selecting an initial framework or set of solutions to present to the group acts as a strawman [http://en.wikipedia.org/wiki/Strawman]. This has the added benefit of allowing people to beat on the framework(s) instead of each other.

The frameworks or solutions can either be selected in advance or decided by the team. Allowing the team to decide may provide for more diverse results but requires more time and a stronger facilitator (who possesses deep subject matter expertise). Stronger frameworks and solutions are those that have already been publicly validated and are more transparent. This suggests the “heavy lifting” has already been done and the team can focus on refining and tailoring what already exists from multiple sources into the solution required.

More important that just compiling a list of viable frameworks and solutions is how they are captured and processed. As the elements are suggested, reviewed and documented, look not only for the similarities, but also the distinctions between them. Working to understand why specific elements were either included or excluded may also reveal key insights that aid the development of a stronger solution. Note the intended audience and users of the solution and how it is received. It may be useful to note the level of maturity, too (since that provides some insights).

This process generates a lot of discussion – this is good, and leads to the second point.

 

2. Capture and distill the running dialogue

More important, perhaps, than the solutions selected in the last step is the running dialogue that occurs as part of the process. Yet few organizations take the time or make the effort to capture that solid gold value.

Ultimately, the discussion – the true process of negotiation and coming to a common understanding – is precisely what allows a group to build the final product. While the discussion is natural, here are three important questions to ask, answer and record during this process:

a. What works — and why?

b. What does not work — and why?

c. How is this applied — and why?

Look for specifics. This is an area where people tend to rely on “truthiness” – which, to a certain extent, may be okay. In the overall discussion, however, guide people back to more concrete grounding by asking more questions to ensure everyone shares a common understanding (which is not necessarily the same as a common opinion!). The next segment will explore the benefit of capturing this conversation and making it available in the future.

As the conversation continues, there is one more step to increase the overall value.

3. Capture and distill references

The value of having experts together in a room is their collective knowledge – informed by experience, training and a vast array of resources. Therefore, it is incredibly valuable to regularly ask this group to cite the references they find of value.

As the discussion rages on (if you have been part of a working group, rage is definitely the right word), asking people to take the time to cite the references that support their assertions returns focus to the fundamentals.

Not only does this improve the overall framework, but this also improves how it is applied and verified (as we will explore in the next sections).

 

Bottom Line

Bring together a small, tight team that works well together. Welcome as many voices into the process as reasonable. Take the time to distill and overlay what already works.

 

How this Applies to Trustmark

When Trustmark gets this right, it will essentially be an overlay on the entire industry – explaining where, how and why the different control families and control objectives can be met. This is important, since it allows for additional regulations or efforts to be acceptable without prescribing a set way of working. But whether working on Trustmark or a new process to protect information, following these steps leads to a stronger – and more trustworthy – result.

 

Up Next: the second challenge facing Trustmark and similar efforts is in how the solution is applied. We examine this challenge with potential solutions before moving on to the final challenge of how the solution is measured and verified.

 

If you enjoyed reading this article, please take a moment to either subscribe to the RSS feed (www.securitycatalyst.com/feed/) or sign up for free updates by email. Use the buttons below to print this article or share this with friends and colleagues that will benefit from this.

“What questions do I need to ask to make sure my vendor is protecting my information?”

I got asked that question last week from a new client working through the Protecting Information Program (PIP). Following the PIP process, he realized vendors were supporting key systems — raising questions he could not answer. He needed more assurance that he wasn’t taking on unnecessary risk – and was looking for guidance. It is a good question. The challenge, however, is to provide an equally good answer.

Traditionally, the answer to that question is focused on the vendor employees in terms of how many hold a security certification (my status as a CISSP Instructor has been valuable in the past). This is better than nothing, but all-too-common is the situation where the cobbler’s children wear no shoes (or the modern adaptation where the contractor’s spouse never has anything fixed around the house). 

Instead of relying on individuals holding certifications, some turn to checklists. Checklists are both good and dangerous (I feel another post coming on about my experiences with developing checklists). Checklists that are simple easy-to-understand and as easy to apply/answer are more effective. But what happens if the business asking the questions lacks the experience to gauge the answers?

We need a better solution.

I recently got an insider’s look at a better solution: The Security Trustmark, a new organizational-level certification being developed by CompTIA. Some limited information is available here: http://www.comptia.org/sections/trustmark/

From their website:

The CompTIA Security Trustmark is a vendor neutral accreditation around security business capabilities and processes that have been agreed upon by the IT industry to promote generally accepted security practices that will invoke the trust of end-users.

The objective of the CompTIA Security Trustmark accreditation is to develop a baseline standard of security practices around service and support business competencies for Solution Providers and Managed Services Providers (MSPs).

After participating in the workshop and spending a few weeks pondering this approach, I want to briefly introduce what I consider to be the benefits of this offering, share what I liked and explain where I see the challenges (tomorrow).

And then I want to learn – join me in the conversation about this whether by email (securitycatalyst – gmail), by twitter (http://twitter.com/catalyst), in the Security Catalyst Community Discussion Forums or by telephone. I want to learn about other models, efforts, and attempts. I want to understand if there are additional challenges for us to consider. I want to understand how this effort is (or becomes) useful to more people.

 

The Starting Point

Initially, this approach is geared toward small and mid-size vendors and VARS: companies that work within “the channel.” This approach:

• sets a standard for smaller companies to achieve, allowing them to demonstrate to their channel partners they pose less risk to work with
• allows vendors higher confidence across their entire channel
• creates distinction for VARs and Channel Vendors alike that results in competitive advantage

With the growing attention on breaches, privacy and compliance – rather than working to explain all of your measures, think of the power of explaining that you have attained the Trustmark – publicly verifiable and audited.

 

The Big Picture (as I see it today)

My passion for this, of course, is bigger. In the last few years, a growing challenge for those I work with is defining and explaining the minimum set of acceptable controls to protect information. Equally challenging for larger organizations is designing and employing third-party (vendor) review processes.

This results in a lot of re-creating the wheel. And it increases the cost of business for everyone involved. I have no argument with the need for due-diligence on vendors – but lament every year the lack of a “common application” approach that seems to work for university applicants.

Imagine being able to pre-validate vendors by virtue of having a Trustmark?

Provided the core elements of Trustmark are publicly available (transparent) and regularly maintained to represent the distilled good practices for managing people, information and risk, we collectively take a step forward.

• Businesses know what is expected of them – and will have the opportunity for the guidance and support to take the appropriate actions for their business. They can then earn the Trustmark designation and use that to differentiate themselves for contracts.
• Companies seeking to review vendors can greatly cut down on costs and timelines for vendors with a valid and audited Trustmark. It may not replace the current programs – but it certainly establishes a stronger base to start from and increases assurance while decreasing risk.

Done right, Trustmark is not another reinvention of the wheel. Rather, it provides a clear direction for businesses that distills the best of industry guidance. I envision this operating almost as an “overlay” – where several valid methods to meet the controls are deemed acceptable. This reduces complexity and more naturally meets the needs of those who seek the certification. For example, companies already compliant with HIPAA and PCI should be able to easily earn the Trustmark. At the same time, a company that need not meet any of those requirements is equally able to address and satisfy the controls necessary to get certified.

Over time, I envision this meeting the needs of car dealers, medical offices, bank branches – the very places we visit on a regular basis. I see this as the smartest way to distill the best of our industry and present guidance in simple terms to businesses that want to protect information, but focus on other areas (for example, making money).

Answering the Question

No question, I am excited about the potential Trustmark holds (both short-term and long-term). I see this as a real answer to valid and necessary questions about how vendors protect information — in a way that builds trust and allows everyone to focus on whatever they do best while meeting fiduciary duties.

As I was working on this article, I took an unexpected meeting with a company facing the same challenge: how to assess their vendors from an information-protection perspective. The marketplace is ready for standard guidance and a program that builds confidence; we have an opportunity to make a difference!

Tomorrow, I’ll continue this article by explaining the key challenges I see facing Trustmark, as well as some insights on how to avoid it. In the meantime – how do you answer the question when asked about assessing vendors? How do we avoid creating the wheel? How would this benefit your business?

If you believe the Jericho Forum has called for the end to firewalls, then you need to stop what you’re doing and take a listen to this month’s Security Roundtable.

After attending an interesting discussion during RSA, Martin and I invited the Jericho Forum to join us at the roundtable to talk more about what Jericho Forum is, an what it does. We learned a lot and share the discussion with you…

Joining us on the program:

 

• Michael Santarcangelo - The Security Catalyst and author of Into the Breach
• Martin McKeay – Host of the Network Security Podcast and Captain Privacy
• Chris Hoff - Luminary and Jogger
• Paul Simmonds (bio below) – Co-Founder Jericho Forum
• Shane Buckley (bio below) – CEO Rohati Systems

 

 

Learn more about Jericho Forum: http://www.opengroup.org/jericho/

 

 

Paul Simmonds, Co-founder and board of management Jericho Forum  & former CISO, ICI
Until May 2008 Paul Simmonds was the CISO at ICI (www.ici.com). Paul’s varied career has included Electronic counter-measures, Theatre Lighting, North Sea Oil control systems, JET (Nuclear Fusion Research) and commercial radio. Prior to joining ICI in 2001 he was Head of Information Security with a high security web hosting company and before that spent seven years with Motorola, as global information security manager. 

Paul was awarded European Chief Security Officer of the year at the 2005 SC Magazine Awards and is listed in both the 2004 & 2005 global top 50 most powerful people in networking by the US publication Network World.  Paul sits on the management board of the Jericho Forum and the Executive Advisory Board of ISSA UK. He also is a British Canoe Union Level 3 Kayak Coach.

 

Shane Buckley, President & CEO, Rohati Systems, Inc.

Shane Buckley is the President and Chief Executive Officer at Rohati Systems, Inc. Buckley comes to Rohati with more than 20 years of global executive and general management expertise, having held senior executive positions in the United States, Europe, the Middle East and Asia-Pacific.

 

Before taking the helm at Rohati, Buckley served as Chief Operating Officer at Nevis Networks, Inc. a leader in network access control. Previously, he was Vice President of Worldwide Enterprises for Juniper Networks. Prior to that, he served as the International President of Peribit Networks, the leader in Network Optimization. Juniper Networks purchased Peribit in June 2005 for $380M. Before Peribit, Buckley served as Chief Executive Officer of Conduit Software, a provider of Directory Assistance and Wireless Applications solutions. Previously, he was Vice President, EMEA at 3Com. In this role, he managed a $2.2 billion business unit and was responsible for 3Com’s distribution strategy, OEM partnerships and reseller channels. Buckley also chaired 3Com’s Global Distribution Council, was a member of the company’s worldwide OEM steering team, and served as 3Com’s head of operations for the Asia-Pacific Region based in Hong Kong and Tokyo. 

 

Buckley is a frequent speaker at high-level industry trade shows and events such as Gitex, CeBIT and The Wall Street Journal Europe conference. He has also contributed to a number of magazines and news programs including MSNBC, SABC and Middle East Business news. He holds an engineering degree from the Cork Institute of Technology in Ireland.

 

This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel’s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program.

For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum – a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO). 

Movie at IMDB (including synopsis): http://www.imdb.com/title/tt0477347/

Movie Trailer: http://www.imdb.com/video/screenplay/vi2459500825/

This movie held many lessons for those responsible for security in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful – especially if you are interested in building a security awareness training program that works!

To participate in the monthly challenge:

• call  206-350-8346 and leave us a message with your challenge
• email popculturesecurity &at& securitycatalyst dot com

 

PS: I recently purchased a snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit – and feel that my sound is hollow and tinny; as such, I’ll be exploring how to restore the sound quality I appreciate in the coming days. The challenge is capturing sound in a way that works with Skype for many of this interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable – shoot me a note. In the meantime, enjoy the programs. More to come next week, with an “Author Interview.”

RSA carries a lot of hype. Now that the conference is over, Martin and I wanted to go beyond the hype and invited a panel with mixed experience to share with us their impressions, opinions and lessons learned. During this SRT, we cover the role of bloggers as media, the *real* value of RSA and a whole bunch of other interesting issues and perspectives.

I also share, near the end, what I thought the theme should have been. Thinking about it now, it is a good choice for next year, or even for a SCC conference!

This marks the return of the SRT. We already have the June SRT recorded — a great show with the Jericho Forum, dispelling a lot of myths and providing some good insight into how they are helping to drive change in the industry. In July we’ll tackle the issue of using botnets to fight botnets and August will revisit a topic raised during the May SRT — the responsibility of security bloggers and the role of new media.

Happy Listening.

 

 

In this podcast, I share a simple and powerful concept that can be applied to anything you do: PLAN – DO – REVIEW

I first learned about PLAN – DO – REVIEW a few years back when it was time to learn about nursery schools, and one of the schools followed the HIGH/SCOPE method. Curious, I went to explore and learn more. Since then, I have tested and adapted the approach for my own use – with excellent results.

Now I share my experience with you.

Here are three links if you would like to learn more:

http://www.highscope.org/

http://en.wikipedia.org/wiki/High/Scope

http://www.perpetualpreschool.com/highscope/highscope_info.htm

Health care employers be warned – an unintentional data breach could now cost you much more than you imagined. A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed information regarding a patient’s medical information.

A young, unmarried woman who lived with her strict Roman Catholic parents decided to terminate her pregnancy at Long Island Surgi-Center. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications. Unfortunately, the nurse spoke with the woman’s mother and revealed sufficient information to allow the mother to conclude that her daughter had an abortion.

In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good-faith.

The case is significant due to the implications for organizations handling medical information. Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was grossly negligent and wanton behavior. Based on this interpretation, it appears that it will now be more difficult for healthcare workers to justify disclosure of medical information on mistakes or negligence.

The Court also appeared to have affirmed the jury’s award for punitive damages in order to send a message about the importance of protecting medical information. Punitive damages are seen as a way for the judiciary to espouse a particular public policy and to deter future violations. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPPA). However, it does mention New York legislation pertaining to the rights of patients in medical facilities like the one visited by the plaintiff.

More and more states are enacting laws regulating the disclosure of private and confidential information. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions in which data can be disclosed. These rules need to be properly followed and understood by all employees of an organization. The decision in New York should highlight the fact that even inadvertent medical disclosure can now lead to serious liabilities issues.

Not surprisingly, these measures often fail and wind up polarizing our users against your efforts. Nobody likes to be told they are wrong. So we have to find ways to provide constructive and useful feedback that supports the behavior change we seek.

Information to Reinforce Good Behavior
Recently, the USA Today ran a story entitled, “Pedometers may encourage weight loss” (By CARLA K. JOHNSON, Associated Press Writer). The point of the article is that people interested in losing weight have good results when they use a pedometer. If you are not familiar with pedometers, they are a simple device that can be worn on the belt, and when adjusted to your stride, help measure the steps you take in a day. It provides a way to measure your effort/output in a given period (normally, over a day).

Five Lessons Pedometers Teach us about Security Awareness Training
1. The pedometer provides an unobtrusive (and generally trusted) measure of the persons actions. Further, they can choose to share or keep their results private.

2. Most users keep a log of their “steps” per day – helping them build a visible trend. They naturally assess these trends and compare what they see to how they feel.

3. Most of us are motivated by a challenge – using a pedometer encourages the wearer to “take a few more steps.” Users get creative in how they are able to meet the challenge, stimulating a desire for more information that they then share!

4. The challenge can be spread to others. Everyone likes healthy competition.

5. Users are aware, they are consciously engaged in the process. That consciousness opens them to new ideas and stimulates their desire for knowledge.

One you stimulate the demand for more knowledge, you have to be prepared to present information that is useful, relevant and meets the needs of your users. Building on these lessons will help you build a highly effective security awareness training campaign.