Do not put your faith in what statistics say until you have carefully considered what they do not say.  ~William W. Watt

Over the last few years, we have been presented a series of reports, complete with statistics, suggesting the cause of security breaches is people. Whether external attackers taking advantage of individuals, insider mistakes or even insider espionage, the overly simple and false conclusion seems to be that people are the problem.

Well, they aren’t. Except, of course, they are.

When I wrote Into the Breach, I realized early in the process that “breach” (no matter how it is defined) is a symptom. So focusing on preventing security breaches basically creates a losing situation where valuable time, money and other resources are wasted… only to leave the real challenge untouched.

The real challenge is what I dubbed the human paradox: individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable.

If people aren’t the problem, what is?

When introducing the concept of the human paradox in the book, I suggested we face a people problem. Upon further research and considerations, I would write that section differently: we face a human paradox where people are not the problem.

Consider this: “people have been unintentionally and systematically disconnected”

This raises the question, “who disconnected people from the consequences of their actions?”

Short answer: we did. But it wasn’t intentional.

I liken the current experience described by practitioners as  “security pain” to what new parents learn as “short term gain, long term pain” – or the idea that actions designed to quickly diffuse a situation often create more complicated problems down the road. Basically, the actions taken over the last decade for short-term gain have disconnected people from the consequences of their actions – creating the current pain we feel.

The rapid pace of change in technology and security over the last decade or so makes it more difficult for professionals to keep up with solutions and potential consequences. Even more complicated, then, is breaking down the range of outcomes and explaining them in a way someone else (without the same background and understanding) could easily understand.

When users rightly questioned changes, the path of “short term gain” was to suggest they wouldn’t understand and take the decision – and resulting consequences – out of their hands.

But it’s okay.

It’s part of human nature.

This means that instead of blaming “users” generically for not knowing and not being good enough, we should first look in the mirror. We played a role in making the situation we lament.

So we recognize it and move on.

The question is what comes next. And that’s where I have focused my passion, blended with my experience and skill as a human ecologist, in security and in the tradecraft of effective communication.

The Path Forward

The answer lies in connecting people to the consequences of their actions; it means we have to bridge the gap. But it’s easier – and more complicated – that just inflicting pain and punishing bad decisions.

So – tell them the consequences and we’re all set, right?

Well, it’s not that easy.

We need to change the way we think, change the way we act and work to cultivate a new culture to address how we manage risk, information and the relationships with the people we serve.

We need more deliberate dialogue: conversation with a purpose that “meets people where they are” and works in a way that allows everyone to learn. When we enter the conversation as equals, each with a valid set of experiences – and a desire to reach common understanding, something magical happens.

Best part: no new investment in technology is needed. This costs time. It requires being present. For some, this is simple, easy and obvious. For others, this is a challenge and will be a rough start.

We have a lot of work to do. I’m here to contribute and lead the change we need.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 12)

This chapter addresses the challenge of changing first in order to lead and influence change. The concepts introduced and explained in Into the Breach – the Strategy to Protect Information, The Catalyst Method™ (recently updated) and others – produce rapid and lasting results for those who embrace them and implement them in their organizations.

Michael shares two basic analogies to consider while summoning the courage to break from tradition and take action: the process of building a flywheel and reconsidering Newton in a new light.

Into the Breach provides a wealth of ideas and information. The Awareness that Works™ system is the implementation of the guide from the book – and more. Contact Michael today to learn more and explore the guaranteed results.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst) (and he’ll engage back with you)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. 3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 9)

Writing this book and testing these methods revealed a surprise: people who are engaged – connected more closely to the consequences of their actions – do more than protect information.

This chapter explores additional benefits from the improved communication and insights that come from following the strategies and elements shared in Into the Breach, including:

• Quickly align business and technology organizations (true alignment, not lip service)
• Harnessing the power of people to uncover new revenue opportunities
• Leveraging and engaging individuals in the act of reducing waste while doing more with less

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
2. Subscribing to The Security Catalyst podcast & blog to get more insights
3. 3. Checking out Awareness that Works™ – a new program from Michael Santarcangelo to guide smart investment in people, with guaranteed results (this program pays for itself).

What you’ll find in this episode (Chapter 7)

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, contact us to learn more).

So how do you implement in a way that gets results?

In this chapter, “Putting the Strategy to Work: A Pilot,” Michael explains the basic approach – with key insights – to engaging people in the process of protecting information. Learn how to select the pilot approach that works best, build the team and plan a strategy that drives tactical and strategic success.

There is no “one-size-fits all” approach, and this chapter lays out how to make the right decisions the first time. Get a jumpstart on success with this chapter.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in episode 6, Into the Breach: Chapter 5 (The Strategy to Protect Information)

Chapter 5 is the introduction to Part II of Into the Breach — where the focus shifts to looking at what needs to be done. I outline a powerful, yet simple, approach dubbed “The Strategy to Protect Information.”

Key is the focus on information, not data, and the three steps that any organization must follow in order to be effective. The balance of Part II explains how – but just learning and understanding the three part strategy is transformative.

After listening to this chapter, you will know the strategy and be able to apply it to your current challenge — small and tactical or larger and organizational.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about this how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

In chapter 3 : Breaking the Security Diet

Breaking the security diet is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this “fad diet” approach and shines a light on the new fad diet: encryption. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information.

Put the power of Into the Breach to work for you

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 2: People Just Want to do their Jobs)

Chapter 2 reframes the challenge with powerful insights about the way people “just want to do their jobs.” Michael introduces what he calls the two principles  – a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, “Compliance is not a video game” and reveals that a common approach of “exclusion” is creating more harm than good. The chapter wraps up with a discussion of “the human response to pain” – with a common example played out in organizations everywhere.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 1: Breach: A Human Problem)

Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.

Update from Michael: the updated approach is to focus on the human paradox – introduced in this segment – that points out the unintentional, but systematic, disconnection of people from the consequences of their actions. This means “breach” and information protection is less a human problem than a paradox; my focus is on connecting people back to the consequences of their actions and presenting solutions that turn the cost of working with people into an investment.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

What you’ll find in this segment

The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey “Into the Breach”, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the Security Catalyst Program – bringing you the ideas, insights and tools necessary to change the way people protect information. I am Michael Santarcangelo, your personal catalyst on this journey. Thanks for listening!

On today’s program, we explore Certification and Accreditation with the help of three experts who share an absolute wealth of knowledge.

A few quick notes

1. Into the Breach is available as an eBook and signed Hardcover from www.intothebreach.com Learn more about how to engage users, restore responsibility and hold people to account. In fact, this book lays out how to reduce costs without increasing risk, turn insiders into allies and manage people, information and risk better.

2. For 2009, I am excited to announce the expansion of the Security Catalyst Blog – with the awesome Catalyst Contributors. Visit the blog each day to get a fresh perspective

3. I’m in the process of revamping the podcast series for 2009. I know a lot of people are struggling – and in addition to being a voice of optimism, I’m building a team to share information and strategies necessary for making a difference this year. If you want to contribute, or if you are facing a challenge and need some help – shoot me an email: securitycatalyst@gmail.com

Stay tuned for more information.

For today’s program, I am joined by Mike Smith, Graydon McKee and Joe Faraone to discuss C&A.

Links at a glance

The presentation that started the idea for this episode: http://www.slideshare.net/rybolov/why-care-about-government-security?src=embed

Graydon, Joe, and Mike teach 2-day C&A workshop and a 5-Fridays NIST Framework for FISMA workshop for the Potomac Forum. http://www.potomacforum.org/

Graydon’s blog: http://www.ascensionriskmanagement.com/BlogOne/

Papers and presentations: http://www.ascensionriskmanagement.com/BlogOne/paperspresentations/

Mike’s blog:http://www.guerilla-ciso.com/

Papers and presentations: http://www.guerilla-ciso.com/papers-and-presentations

The most relevant NIST publications are special publications 800-37 and 800-53, available here: http://csrc.nist.gov/publications/PubsSPs.html

About the Experts

Mike Smith

Michael Smith is a Manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, where he leads engagements to provide security services to both commercial enterprises and government agencies. Prior to Joining Deloitte, Michael served as the Chief Information Security Officer with the Unisys Federal Service Delivery Center based in Reston, Virginia.  His scope of responsibility included both providing governance and managing risk for several data centers, Security Operations Center, Network Operations Center, and Server Management Team.

Graydon McKee

Graydon McKee is the Vice President and Chief Operating Officer of Ascension Risk Management LLC.  Graydon is an accomplished Risk Management/Information Security professional with extensive experience in developing and implementing Information Risk Management and Information Security Programs to clients in both the public and private sector.  He is a recognized leader in government regulatory compliance (Federal Information Security Management Act and the Defense Information Technology Security Certification and Accreditation Process compliance) and has taught the process to over 2,000 individuals representing over 600 federal government agencies and offices. 

Joe Faraone

Joe Faraone is a Senior Information Security Architect with GCI Corporation, based in Reston, Virginia with over 20 years’ experience in Information Security. Joe has delivered services for numerous Federal customers including Certification and Accreditation support, Security Governance Gap Analysis and Independent Validation and Verification (IV&V).  Over his career, he has served as Lead Independent Security Engineer, Manager and Architect of a managed security center for an Intelligence Community Agency, and has performed Certification and Accreditation services for several high-assurance systems.

After a great week in Michigan, tonight we pack up and prepare to head to Ohio tomorrow. Friday promises to be busy and exciting – and then on Saturday, we head to Maryland (Metro DC) for a week. Which brings me to the gifts I promised:

Join a conversation, get a free copy (hardcover) of Into the Breach

First – while in Maryland, I am attending CSI next week in support of the CompTIA Security Trustmark. It turns out that a chapter of Into the Breach examines how to evaluate, build and improve “third party trust” – what we need for success with our service providers and other vendors.

CompTIA Security Trustmark is hosting a handful of “catalyst conversations” to discuss my findings and examine how the industry handles this today, and what we can do in the future. This is not a sales pitch; rather, this is an opportunity to come together and work toward a common solution.

For those invited to attend, CompTIA will present you will your own copy of Into the Breach – which I will promptly autograph for you. Drop me an email – securitycatalyst (gmail) if you want to join us.

This leads me to my second offering…

Not going to CSI? Do you want to?

CSI was generous enough to share with me two ways for you to get involved:

* I can offer (I think) a free conference pass with full access – based on response. Here’s the deal – share with me the biggest challenge you face in changing how people protect information. The best answer gets a signed copy of the book and a pass to the show (I’ll hand you the book at the show).

* If you are already planning to attend, you can get 25% off your registration with code: BLOG25

I will do my best to both tweet (twitter id: catalyst) from CSI and report on interesting talks/findings from the floor. I will also be taking a limited number of vendor meetings to learn more about the products and solutions that make it easier for people to protect information. Shoot me a note if there is a product you want me to check out and report back on. 

You can follow along live! At this link:

http://www.microsoft.com/smallbusiness/summit/

I am a day 2 speaker – with an impressive lineup of guests:

http://www.microsoft.com/smallbusiness/summit/guests.aspx

This is a live program, but I have been working with the producers for a few weeks now – and I am excited about the questions, thought process and opportunity to share some different thinking about what businesses need to do to protect them. More, we’re also going to explore how the right approach to protecting your business can actually save money and increase the opportunity for more revenue (as outlined in Into the Breach). To me, that’s a really cool conversation.

I hope you check it out. I look forward to the opportunity continue to conversations through this blog, the podcast(s) and as we fire up the diesel and head out on the road again (Friday – next stop, Kansas City!).

Our guest for this episode is Zach – security professional, friend of the show and curator of the Security Twits list.

Twitter: www.twitter.com

Zach: http://twitter.com/quine

Michael: http://twitter.com/catalyst

Martin: http://twitter.com/mckeay

 

Security Twits: http://n0where.org/security-twits/

 

Next Recording: Saturday, October 11, 2008 @ 10a Eastern – look for the live stream (and your chance to participate) around 10:15.

 

PS: 10 Days after the break-in and theft – we’re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we learned and how we are going to improve. I’m also following the advice of my book – and will be publishing a set of requirements and inviting participation as we all learn smarter ways to protect ourselves. This will hit home for small businesses and those who travel a lot. 

I am confirming some exciting opportunities this week and next – and should be back out on the road within the next 10-15 days. The theft slowed us down a bit, but has not stopped us. Not one bit. Thanks for your continued support and help!