The Solution: Leading People, Managing Objects, and Accomplishing Goals
Those who know me have come to expect me to “correct” them whenever they say “manage people”.
“Objects are managed, people are led,” is my usual retort. Sometimes I am met with a blank look, sometimes with an exasperated grimace, and sometimes (and not nearly often enough) by a questioning stare.
“What?” the quizzical friend often asks. “There’s not a difference worth mentioning.”
Nothing could be further from the truth and nothing, in my opinion, has done more to impede the progress of the information security profession.
The abject failure of leadership, from senior ranks, through middle management, to front-line supervisors has led to a culture that glorifies “meeting expectations”, extols the virtue of “accomplishing goals”, and is satisfied with “getting the job done”. Don’t get me wrong – these things are important – but they miss the vital difference: That a dynamic leader can take a group of people and almost always “exceed expectations”, “surpass goals”, and “get the job done better” and still have a happier team and more satisfied customers.
“How does that happen?” asks the still-quizzical friend, “Isn’t meeting expectations what we’re here for? Isn’t that enough?”
Sadly, it isn’t enough.
All people appreciate leadership. Everyone inherently wants to belong to a team that accomplishes exceptional results. Nobody wants to be in an organization that doesn’t excel.
The key to this is the Leader.
Leaders determine, by applying their leadership talents, just how far the team will go. Setting a goal and managing to that goal ensures that any additional capability is forever lost. Managing to a goal guarantees that the exceptional capability that is native to any team will be lost in a desire to just do “enough”. When we manage people, instead of lead them, we are condemning ourselves to forever experience sub-optimal results, never knowing what could have been accomplished.
“But my team is happy and my customer is satisfied. Doesn’t that mean I’m succeeding?” asks the friend as their frustration with the conversations grows. “You’re making more out of this leadership thing than it really is, aren’t you?”
This is the point where the friend has reached an almost Matrix-esque moment…
“Take the blue pill and this conversation ends. Everything goes back to the way it was and you can believe anything you want to believe. But take the red pill, and I’ll show you how you can take the leadership skills and talents you have and use them to transform yourself and your team. I’ll teach you how to truly get more done with more satisfaction.”
Which pill, my friend, will you take?
Identity Management in 13 Easy Steps
by Ioana Justus
If you were asked to throw a few million dollars out the window, would you do it?
If yes, let me know where and when – I’ll happily wait outside with my catcher’s mitt. More likely, the quick answer to this question is a resounding “NO”. Few circumstances would lead someone to literally throw millions of dollars out the window, down the drain, etc. Not a million dollars, not in a million years.
What about companies that, effectively, waste millions of dollars trying to implement identity management?
The sad reality is that many organizations trying to implement identity management do just that – waste big money – on the wrong technology, or even on the right technology that sits idle because it can’t be used as designed. Worse, some organizations look to even more technology to “fix the shortcomings” of their selected product. The end result is the identity management version of Frankenstein’s monster.
If you peruse the latest identity management articles from your favorite research company, you’ll find the same discussions over and over: How do we justify the cost? Why do so many companies stop at “single sign-on”? Why do implementations take so long? Why do implementations get halted mid-effort? What’s the true benefit of identity management? What’s the ROI? You’ll also find the same tired answers – whether in printed form, or at one of the many IAM conferences across the country: IAM saves costs at the help desk. IAM can help with audit. IAM can reduce headcount in your access services department. Companies bite off more than they can chew, ROI takes too long, so they give up.
But what does it all mean?
Are we really doomed to these behemoth infrastructures that sit largely un-used, while we pay off consulting and software bills that often run into the millions (if not tens of millions)?
No, we’re not.
IAM is not a lost cause. It can lead to lower costs, easier audit processes, and a demonstrated positive return on investment (ROI). But it takes time – and discipline. As with many aspects of security, identity management is not about technology – it’s about people and process. The technologies are out there, and getting ever-more mature. But, IAM is NOT a Mac or an iPhone – you don’t just turn it on and it magically works. There is a lot of configuration and even custom development that needs to be done after you install your product suite of choice. Even before that, there is a TON of data cleanup, data modeling, and process design that needs to take place, and that is at the heart of this series:
Identity Management in 13 Easy Steps
Of course, the series title is a bit tongue-in-cheek. There’s nothing particularly easy about identity management. Then again, it’s not rocket science, either. It just takes a little thought and a lot of tedious effort – and did I mention discipline? The focus of this series is all on process and data. In fact, product selection is saved until the very last article. That’s right – if you can keep your instant-gratification urges at bay, I recommend that you don’t even bother buying anything until you’re ready to use it. Why spend all that money on a fancy technology if it’s going to sit there, idle, while you beat your head against the wall trying to clean up the data and processes that it needs to function?
An identity management implementation will only be as good as the data and processes feeding it, and that’s the problem many companies face today – most organizations buy a product and figure out after the fact that they have a ton of work to do to make it function. As a result, there is such a lag between the time of purchase and the time of ROI, most management teams lose patience and halt the effort. If you pave the way to implementation by first cleaning house, when you implement the technology its benefit will be seen quickly, which will encourage management to keep it going and try more.
There’s another critical aspect to this approach: gaining the needed experience to properly document requirements. Identity management is extremely complex. No one can just walk in and “get it” in one sitting. Even if the high-level concepts seem obvious, you have to live with the dirty details for a while to really understand the needs of your particular situation. The better that understanding, the better the requirements. The better the requirements, the better the product selection. Choose the right product, and you avoid tossing millions out the window.
Are you ready for this journey? If so, let’s get started. Here is the series I have planned – one article per month. This may not seem like much, but unless your implementation will have a very small user base, it will take longer than a month to execute most of these steps anyway. Of course, the series may change along the way – I’m already concerned about the volume of information I’m trying to fit into some of the articles. I may find as we go that a few of these topics will require multi-part articles. We’ll deal with that when it arises.
For now, here’s the intended schedule:
December 2009: Identity Management 101 – an overview of the different components of an IAM suite, to make sure we’re all on the same page and speaking the same language.
January 2010: Identifying Systems Integrations – not all systems will integrate (directly or indirectly) with IAM. Determine which ones will feed the priority list for the data cleanups and process work.
February 2010: Data Cleanup Part 1 – before your identity management system can work, it needs to be populated with all userIDs, and those IDs have to be clean. The first cleanup is focused on the primary IDs such as AD/LDAP and other key systems.
March 2010: Data Cleanup Part 2 – a key benefit of identity management is the ability to link userIDs in multiple formats from a variety of systems to the user’s primary record. The second cleanup focuses on identifying which IDs belong to which users in preparation for proper linking.
April 2010: Preparing for Password Self-Service – password self-service is a key cost savings of IAM, but it’s harder than you might think. This article will help you prepare your policies and your users for the technology to come.
May 2010: HR as a Source of Record – the HR system is a primary source of record for employees. It can also be one of the primary sources of errors and limitations for identity management. This article will explain the issues that most companies experience when interfacing with HR technologies (and departments).
June 2010: Role- and Rule-Basing – in order for auto-provisioning and -deprovisioning to work, the roles and rules need to be defined. This article will teach you how to avoid turning this effort into a rat’s nest.
July 2010: Role Hierarchies – workflows cannot be enabled without proper approval processes. But approvers aren’t always line managers. This article describes the various role hierarchies that should be established, and the synergies that can be achieved between identity management and other sources of record (e.g., financial systems).
August 2010: Workflows – workflows are the key to automating many processes. This article discusses the considerations in setting up workflows to ensure that they function effectively.
September 2010: Termination and Transfer Gotchas – terminations and transfers are key control activities that are of great interest to auditors. Getting this right in identity management will save everyone a lot of work. Getting it wrong can be disastrous. Learn the pitfalls in this article.
October 2010: Password Self-Service – whereas the April article deals with the foundational aspects of password self-service, this article deals more with the implementation aspects: how to select challenge questions that make sense, exposing PSS outside of the corporate network, etc.
November 2010: Effective Business Cases – now that your house is in order and you have almost a year’s experience with your organization’s circumstances, it’s time to build a business case to buy a product. This article explores a number of value-added functions of identity management that will intrigue your management and encourage them to allocate budget.
December 2010: Requirements and Product Selection – you’ve cleaned your data, defined your processes, and secured a budget. It’s finally time to pick a product. This article will help you document and prioritize detailed requirements based on a year’s experience in the trenches, so that you can make the best product decision possible.
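The Data Cleanup and Termination steps above come down to one recurring job: linking every account in every connected system back to a primary record, and noticing what does not link. As an added illustration (not code from the article or from any product), the script below reconciles constructed HR, AD and ERP exports, normalises the differing employee-number formats, links accounts by employee ID first and e-mail second, and reports orphan accounts and accounts still held by terminated people. Field names and the sample data are assumptions.

```python
"""Added example: a minimal account-to-person reconciliation of the kind the
Data Cleanup steps describe. All records below are constructed sample data."""
import re
from dataclasses import dataclass, field

# Constructed HR export: the source of record for people (see the May step).
HR_RECORDS = [
    {"emp_no": "000123", "email": "jane.doe@example.com", "status": "active"},
    {"emp_no": "000456", "email": "sam.lee@example.com", "status": "terminated"},
    {"emp_no": "000789", "email": "ana.ruiz@example.com", "status": "active"},
]

# Constructed exports from two connected systems, each with its own ID format.
AD_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "mail": "Jane.Doe@example.com", "employeeID": "123"},
    {"sAMAccountName": "slee", "mail": "sam.lee@example.com", "employeeID": ""},
    {"sAMAccountName": "svc_backup", "mail": "", "employeeID": ""},
]
ERP_ACCOUNTS = [
    {"user": "DOEJ", "employee_number": "000123"},
    {"user": "RUIZA", "employee_number": "0789"},
    {"user": "XTEMP1", "employee_number": ""},
]

# system name -> (accounts, account-id field, employee-number field, e-mail field)
SOURCES = {
    "AD": (AD_ACCOUNTS, "sAMAccountName", "employeeID", "mail"),
    "ERP": (ERP_ACCOUNTS, "user", "employee_number", None),
}


@dataclass
class Reconciliation:
    linked: dict = field(default_factory=dict)  # emp_no -> {system: [account ids]}
    orphans: list = field(default_factory=list)  # (system, account id) with no owner
    terminated_with_access: list = field(default_factory=list)  # (emp_no, system, id)


def norm_emp_no(value):
    """Canonical six-digit employee number: '123', '0789', '000123' all agree."""
    digits = re.sub(r"\D", "", value or "")
    return digits.lstrip("0").zfill(6) if digits else None


def norm_email(value):
    return value.strip().lower() if value and value.strip() else None


def reconcile(hr_records, sources):
    by_emp = {norm_emp_no(r["emp_no"]): r for r in hr_records}
    by_email = {norm_email(r["email"]): r for r in hr_records}
    result = Reconciliation()
    for system, (accounts, id_field, emp_field, email_field) in sources.items():
        for acct in accounts:
            acct_id = acct[id_field]
            # Strongest key first (employee number), then fall back to e-mail.
            person = by_emp.get(norm_emp_no(acct.get(emp_field)))
            if person is None and email_field:
                person = by_email.get(norm_email(acct.get(email_field)))
            if person is None:
                result.orphans.append((system, acct_id))  # needs manual review
                continue
            emp = norm_emp_no(person["emp_no"])
            result.linked.setdefault(emp, {}).setdefault(system, []).append(acct_id)
            if person["status"] != "active":
                # A deprovisioning gap: the September "gotcha" in data form.
                result.terminated_with_access.append((emp, system, acct_id))
    return result


if __name__ == "__main__":
    r = reconcile(HR_RECORDS, SOURCES)
    for emp, systems in r.linked.items():
        print(f"{emp}: {systems}")
    print("orphans:", r.orphans)
    print("terminated but still provisioned:", r.terminated_with_access)
```

Every orphan and every terminated-but-provisioned hit is a cleanup ticket; run a pass like this per system before any product is bought, and the backlog it produces is a fair measure of how far the data is from being loadable.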
Getting rid of your best people
A friend of mine recently had a very Dilbertesque experience at work. The company my friend works for has been acquired twice in the last three years and all of the dust seemed to be settling. Sort of…
Locally there were four offices under the corporate umbrella, each a legacy of the acquisitions that had occurred over the last several years. The parent company decided to consolidate three of the offices and scale down the most remote office by moving some of the staff from that office to the new centralized office. This was reasonable, and most of the staff saw this as a good business move. Most of those who did not see it as a good move were from the remote office and would have to drive farther to get to work.
Planning for the move had gone on for a couple of months and was finalized about two weeks before the actual move date. The new seating chart was printed, offices were assigned, and additional requests were made. Here is where we take a turn for the weird:
Treating your people like they are worthless: Elimination of a position announced through the new seating chart.
One of my friend’s coworkers found out by looking at the seating chart that he was not going to have a job in two weeks. Rather than approach this individual before the release of the seating chart, the office manager chose to let things work themselves out a la “Office Space”. Fortunately, the Milton in this case chose not to resolve the issue with fire but by talking with HR, but this left a bad taste in a lot of people’s mouths.
Generate a menial or pointless task.
Actually, this one is a little worse than pointless, it is counterproductive. Time tracking is a part of a lot of people’s workdays. I did it every day when I worked as a consultant, so that we could bill customers for my activities. This is not a diatribe against time tracking; however, my friend was asked not just to start tracking time, but to go back to the beginning of the year and track all of the time since January 1. The company wanted real data for that entire time. Do you remember how you spent your day in fifteen minute increments 6 months ago? 6 weeks ago? 6 days ago? As a group, the team that was asked to do this questioned the logic behind generating data that would contain a lot of errors and inaccuracy that would then be the basis of the next three years of projections. They were told, effectively, not to worry about it and that the data analysis team would take care of it. To me, dear reader, that is like saying, “Create firewall logs for the last 9 months that we can then use as the basis for the upgrade of the existing firewall and Internet connection, even though you only put in the logging system this week.” Yes, you will have a smaller set of data to work off of but it will be more accurate, and your people will feel better about their work.
So what can you do to avoid putting yourself or your coworkers in such a situation – aside from not working where my friend works? Treat your coworkers with respect and dignity. If you know of something that is going to have a direct impact on their lives, they need to be made aware of the upcoming change in as timely a manner as possible. If you are implementing a new system that employees are going to be using, get their feedback and review what they have to say. Don’t make decisions in a vacuum. If it impacts people, get their input. Running a business depends on the people that work there; if they don’t feel valued, then the business won’t be valued.
We’ve come a long way, baby…Or maybe not
Although at times I complain about it, I do truly enjoy my status as the only person in the Catalyst writers’ group without a formal background in IT. I believe that it does, as Michael tells me time and again, give me a unique perspective on the field.
It is from that perspective that I write my articles; none more so than today.
Recently, I had the not-so-pleasant experience of trying out different software for my blog. I run a personal website that I’ve recently expanded from a simple blog to a source for information on cooking and food preservation. Not only did I have some immediate needs for the new information I was putting on the blog, but I also anticipated having needs that my current software (Wordpress) would not be able to fulfill (things such as fillable forms, searchable lists, and more). At least, not in any easy or elegant way.
So the search began. I investigated two other website-building options: Joomla and Drupal. Well, to be perfectly honest, I only truly investigated Drupal; I looked into Joomla briefly and determined that it wouldn’t fit my needs. More precisely, I tried Scribd and found that it was too difficult for me to grasp quickly (of course, this is just my own experience; others may find they absolutely love it).
I spent an entire day exploring Drupal; I downloaded it and installed it on my server, and then began building my website.
Twenty-four hours later, I’m back on Wordpress (much like a misbehaving spouse, grateful to their partner for giving them a second chance after having strayed: “Oh Wordpress, I’m so sorry and it will NEVER HAPPEN AGAIN.”), and appreciating it more than ever.
So what have I learned from this experience that you could learn from (because really, why else would I write about it if not to help all of you out)?
First, I learned that “more complex/difficult/advanced” does not necessarily mean better. I thought that the increased flexibility (and as a result, increased complexity) of Drupal would be an advantage to building my website, but this is not always the case. Think of this phenomenon as occurring on a curve; not enough flexibility will hinder you, but more flexibility is useful only to a certain extent. After that point, more flexibility/complexity will begin to get in your way just as much as not enough of it will.
Second, I learned (firsthand) the adage about test-driving software on a local host (such as your desktop computer) before installing it on your server (and deleting your old software). If things don’t work out, you’ll have a LOT less work to do. Think of this as a safety net, just in case you need to change back. I would have easily saved myself four or five hours of work, even though some of the work was unavoidable because I changed my theme.
Third, I learned that failure is always an option. Specifically, I learned not to be so tied to the success of any new venture that I can’t admit that it’s not working, and that I need to try something else (or even return to my old software). Perhaps a better way to think of it is not as failure, but as a way to explore and determine the best option for you and whatever you’re developing. Would it have been better for me (and my website) to stick with Drupal, becoming increasingly frustrated with my own inability to grasp it (and becoming increasingly vociferous about it on Twitter, which really helps no one)? In this case, giving up the Drupal experiment was the best option (for me and for all 1800+ of my followers on Twitter).
Finally, I learned the best lesson of all: Try it, try it all, because it’s the only way you learn. I may have switched back to Wordpress from Drupal, but I’ve taken the lessons I learned from my Drupal experience and used them to improve my website on Wordpress. And ultimately, isn’t that the lesson we should learn in all our endeavors – on- and offline?
The key to successful organizational change
The recent activity in the economy has brought to the public’s attention some controversial issues regarding how organizations change (or in this case, how they don’t). The 700 billion dollar bailout (just for a start) of the financial and automotive industries has focused the spotlight on a very specific issue in the arena of organizational change management: externally directed change vs. internally directed change.
Every day, in industries around the world – financial, manufacturing, health, education, IT – change efforts are initiated. One of the most critical factors determining the success or failure of these efforts is whether the change was initiated from outside the organization (government agencies and legislative bodies) or from within (Boards of Directors, departments within an organization, or individuals). Unfortunately, significant change is often initiated from without, despite the fact that experience shows us that change from within is more effective, longer lasting, and more efficiently implemented.
Why drive change from within?
Why are internally driven change efforts more successful than externally driven change efforts? There are several reasons for this. The most important is the fact that nearly every organization, even one in need of major change, has the resources, knowledge, creativity, and drive needed to successfully implement a change effort. Failing to tap into those resources is not only wasteful, but communicates to the members of the organization that their abilities and knowledge are not valued.
Additionally, when change is driven from within by those at the upper levels of the organization, employees feel a connection with the change effort at every level of the organization. Their perception that there is buy-in on the initiative by those at the highest levels will lead to them committing to it more fully. Conversely, if employees feel that the “head honchos” are not fully committed to the effort, they will not fully commit to it themselves, and the initiative will fail.
Finally, for change to be truly persistent, it must be rooted within the culture of the organization. Organizational culture determines how people within the organization do everything from handling customer complaints to celebrating birthdays. The reality is that whether the culture is positive or negative, healthy or unhealthy, it will drive the manner and methods of everything that is done within the organization. Any change that is not connected to the organization’s values, beliefs, and behaviors will not succeed. A significant change initiative must, therefore, be solidly connected and in sync with the culture for it to succeed.
Three reasons to initiate change internally:
1. To profit from employees’ skills, creativity, and resources.
2. To ensure a sense of buy-in at every level of the organization, which leads to employee commitment to the change.
3. To connect change on the deepest level with the culture of the organization, helping to ensure the success of the effort.
Successful change must be directed from within. Other factors also impact the effectiveness of a change effort, but without an internally-driven endeavor, such efforts cannot succeed, and valuable time and resources will be wasted. Perhaps this is a lesson that Citibank and GM could bear to learn.
Vacuums and Security
By Adam Dodge
This weekend I finally did it. I was tired of the sub-par performance. Tired of being forced to redo the same job over and over again to get it right. Just plain tired of nothing working like it should. So I broke down. I had just had enough. This weekend I bought myself a new vacuum.
That’s right, yours truly is the proud owner of a fancy new vacuum cleaner and, believe me, it was well worth the purchase price. The amount of – let’s call it crud – crud that I pulled off my floor was downright sickening. Yet, it was also amazing. Here I thought that I was actually cleaning when vacuuming and all I was doing was tricking myself. Yes indeed, the vacuum was an excellent purchase. As an added bonus, I now have all these new attachments with which to play.
So what does all of this have to do with information security? Plenty. Anyone working in the information security field knows the pain of trying to institute necessary changes and running into the all too frequent wall called “I’ve been doing it this way for X years”. (This wall is also known as “Other organizations are doing it this way”.) Like me with my broken vacuum, people are comfortable with familiarity and often resist changing until absolutely necessary.
One of the tenets that gets tossed around when implementing any type of security controls is to make the process as transparent as possible to the target audience. Generally, we take this to mean that the controls should be hidden away from the end user as much as possible. However, there is a better way. Whenever possible, we need to improve security by implementing solutions that offer minimal differences in all aspects. In other words, replace the broken vacuum with a new one, not a mop.
However, simply because I replaced my old, broken vacuum with a shiny new one does not mean that I will be happy with the purchase. After all, if my new vacuum required complicated setup or extra operating steps (for example, constantly having to change a bag) I would be annoyed. Luckily this was not the case: two screws and an on-off switch equals a happy Adam. The same is true for any new security controls. Replacing a control with a better, yet unfamiliar, control will only lead to frustration and avoidance of the new control.
Of course, new additions are not always a bad thing. For example, my vacuum came with a few attachments that I did not have before. Some of these attachments, like the upholstery cleaner, are welcome additions. (Long, white haired cat plus upholstery equals a chore!) However, other attachments, such as the “electro-static duster”, are not so useful.
The best part is that these additional components do not affect the main operation of the vacuum. The same should hold true for any security improvements we try to implement. Optional services need to be just that, optional. While these geegaws may add value, the main focus of the control needs to be the basic functionality of the control.
So there it is. Frustration with a bad vacuum cleaner leads to thoughts on how best to approach replacing outdated/non-functioning security controls. My mind works in mysterious ways. What are you still doing here? Go out and start selling vacuums at your organization.
Welcome Patrick Romero to the Security Catalyst Team!
You may have noticed the new look and feel for the Security Catalyst Blog. We’re in the process of rolling out a brand new website, as well as a more focused blog and podcast. To help, I am pleased to welcome Patrick Romero to the team. He has an impressive background, has served our country well – and is passionate about information protection. Patrick is currently in law school, and will be contributing on a weekly basis.
Meet Patrick
Patrick Romero is a second-year law student at New York Law School concentrating on issues of internet law. He graduated from Connecticut College cum laude with double majors in international relations and economics and was a member of Pi Sigma Alpha. He also attended the Arabic Language Institute at the American University in Cairo (AUC) prior to attending law school. Mr. Romero served as a Staff Sergeant in the United States Army Multi-National Security Transition Command in Baghdad, Iraq from 2004-2005. During this time, he was awarded many military medals, including the Combat Action Badge, Joint Service Commendation Badge, Iraq Campaign Medal, Armed Forces Overseas Ribbon and the U.S. Army Commendation Medal. He speaks Spanish, French and Arabic.
Change is Good, Part II
Communications
“You must be the change you wish to see in the world.”
-Mahatma Gandhi

In Part I of Change is Good, I gave you an overview of our developments at The Security Catalyst. This time I want to focus specifically on communications.
Our new website will be launched at the end of this month. It will offer useful resources for individuals and organizations along with information on our innovative toolkits, training and support such as the:
• Information Protection Toolkit
• ‘Speaking About Security’ training sessions for security professionals
• Catalyst Sessions for one-on-one and team support
• Presentations designed to engage, empower and enable your teams
• Catalyst Club – unique coaching, job-aids and the ability to practice and improve
The Security Catalyst blog and podcast will gain new energy thanks to the addition of two new team members. With their support, we are developing a production schedule which will allow me to share research, analysis and opinions with you on a more regular basis. Shortly, you will notice a new blog template. In a few weeks, you’ll notice a slight change to its location (it will be found at /blog). We all have a lot to share, and we’re looking forward to the change.
We are about to start rolling out the changes. You have already seen the new logo. Soon you will experience the new look, feel and functionality of our web-based services. We are excited to finally share these fruits of our labor.
Watch for ‘Change is Good: Part III’ next week.