Leading from the Front: Bringing Planned Disruption To The Organization
By Martin Fisher
What is the most important job/function of a leader?
- Inspire the team?
- Use resources effectively?
- Make tough decisions?
- Set an example?
- Develop others?
All of these are good answers and are important things for a leader to be sure they are accomplishing in an organization.
But none of these is the most important answer.
The number one job of a leader – the reason leaders exist – is to bring change to organizations.
“That’s silly!” – is a common reply I hear when I make the statement.
“Leaders only bring change if change is what the organization needs. They assess the situation, analyze their resources, and only make changes if there is a reasonable chance of the change improving the organization.”
My response to that, in the words of my teenaged daughter, is “Pssh!”.
Change: If you aren’t doing it, you’re doing Leadership wrong.
Effective leaders are never satisfied with the status quo.
Of course, leaders will continue to celebrate good performances, boast of the capabilities of their team, and value the circumstances they find themselves in. But more than that, a leader has the ability to see and accept the organization as it is and form a clear vision for how the organization can (and should) be.
Leadership, a friend once told me, is where the science of the possible meets the art of the dream.
Leadership is the nuanced ability to see what could be and come up with the plan to create it out of what is already in existence. Effective leaders almost instinctively realize that slow and incremental change is a prison and that the only escape is dramatic and disruptive change.
Leadership is “Disruptive change?”
That’s crazy talk!
Look at all the people who lost or almost lost everything to disruptive change: New Coke…Webvan…the Pontiac Aztek…Hooters Air…
Only a fool or a liar would say there is no risk to disruptive change. But there are things you can do to minimize that risk:
Think, Rethink, and Rethink Again
The leader has to be completely honest with themselves about the environment they operate in, the resources available, and the chances of the disruptive change actually taking effect.
This thinking must be complete, honest, and is not done until the leader understands the environment completely.
The leader then needs to find a small group of trusted other leaders that they can toss the idea to with the intent of these other leaders shooting it so full of holes that almost nothing remains.
Whatever is left — whatever survives the onslaught — forms the base of the next round of thinking. Once the thinking is done the thoughts have to be able to be put into simple and actionable statements:
- Changing the organizational structure? Then create an org chart to talk to and demonstrate.
- Changing processes? Then show a picture that details before and after with the benefits.
- Changing the mission? Then create a succinct mission statement and show what is being changed and why.
Whatever the change, come up with a picture (1 slide, please, not a full deck – that’s for later) that can be used to explain the “why and how” of the change.
Talk the Team Through The Change
The worst thing to do once the thinking is done (you think) and the picture is ready is to simply dump the change on the team.
One of the biggest (and, sadly, most common) mistakes leaders make is to forget that, while the leader has been thinking through this change for weeks, the team just got told of the change and needs time to process and unpack it. They deserve the chance to see what the change is, how it impacts them, ask questions, and get answers.
The effective leader is able to communicate the change to the team clearly.
Use the picture of the “how and why” to show the team how the change will impact them and how it helps get team goals accomplished.
Then step back, listen, and engage in the conversation. Remember – the team knows the system and might reveal something to tweak the change. In fact, this could be the difference between success and failure.
“That sounds an awful lot like sales! If I wanted to do sales I’d have taken that job with my cousin at the furniture store!”
Is it like sales?
Well, if “sales” means influencing people to see things from different perspectives – then yes.
But I prefer to think of it as “Casting A Vision” – which is what we’ll talk about next time.
The Solution: Leading People, Managing Objects, and Accomplishing Goals
Those who know me have come to expect me to “correct” them whenever they say “manage people”.
“Objects are managed, people are led,” is my usual retort. Sometimes I am met with a blank look, sometimes with an exasperated grimace, and sometimes (and not nearly often enough) by a questioning stare.
“What?” the quizzical friend often asks. “There’s not a difference worth mentioning.”
Nothing could be further from the truth and nothing, in my opinion, has done more to impede the progress of the information security profession.
The abject failure of leadership, from senior ranks, through middle management, to front-line supervisors has led to a culture that glorifies “meeting expectations”, extols the virtue of “accomplishing goals”, and is satisfied with “getting the job done”. Don’t get me wrong – these things are important – but they miss the vital difference: That a dynamic leader can take a group of people and almost always “exceed expectations”, “surpass goals”, and “get the job done better” and still have a happier team and more satisfied customers.
“How does that happen?” asks the still-quizzical friend, “Isn’t meeting expectations what we’re here for? Isn’t that enough?”
Sadly, it isn’t enough.
All people appreciate leadership. Everyone inherently wants to belong to a team that accomplishes exceptional results. Nobody wants to be in an organization that doesn’t excel.
The key to this is the Leader.
Leaders determine, by applying their leadership talents, just how far the team will go. Setting a goal and managing to that goal ensures that any additional capability is forever lost. Managing to a goal guarantees that the exceptional capability that is native to any team will be lost in a desire to just do “enough”. When we manage people, instead of lead them, we are condemning ourselves to forever experience sub-optimal results, never knowing what could have been accomplished.
“But my team is happy and my customer is satisfied. Doesn’t that mean I’m succeeding?” asks the friend as their frustration with the conversation grows. “You’re making more out of this leadership thing than it really is, aren’t you?”
This is the point where the friend has reached an almost Matrix-esque moment…
“Take the blue pill and this conversation ends. Everything goes back to the way it was and you can believe anything you want to believe. But take the red pill, and I’ll show you how you can take the leadership skills and talents you have and use them to transform yourself and your team. I’ll teach you how to truly get more done with more satisfaction.”
Which pill, my friend, will you take?
When your employees don’t want to come to work anymore
What happens when people lose their motivation at work?
- Less efficient use of resources
- Less creative solutions (at a time when creativity is even more vital)
- Less productivity
And worse, the possibility of security breaches and risks. Some companies learned this lesson the hard way: T-Mobile in the UK, Greengrocer.com, and the Office of the Attorney General of Maryland.
When employees lose motivation, they become less of exactly what the company needs: A creative, productive contributor. Worse, they might become angry and disgruntled, causing a loss or theft of essential company information.
Motivation – I know it when I see it
So what is this abstract concept called “motivation”? Is it like love – hard to define, but easy to recognize?
According to Webster’s, to motivate is to “provide with an incentive, move to action, impel”. Motivation is, put simply, giving others a reason to do something: To do their job well, to be creative, and to be an asset to the company.
Now that we’ve defined it, can we describe it? What are some common motivators? Some things that have been found to be effective motivators are:
- Positive reinforcement
- Effective discipline
- Fair treatment
- Satisfying employee needs
- Setting work-related goals
Notice something missing from the list?
If you assumed that “more money” would be a lock, it turns out it isn’t. The Minneapolis Gas Company completed a 20-year study of motivation. They asked 44,000 employees what they desired most from a job and found that, surprisingly, wages were not highest on the list. Job security was, followed by advancement, type of work, and pride in the company.
But even without the study, we all know that providing motivation is a good thing. The challenge is “how?”
I’ve listed some basic concepts of motivation to help you devise a system to give employees what they need, so they can contribute their best work:
1. Be the change
Employees won’t be their most creative, energized selves – they won’t be assets to the organization – unless you are, first. As the Minneapolis Gas Company found, intangibles rank higher than wages, and they start with your attitude and energy. Simple actions can start the process. Ask yourself: “If I were one of my own employees, would I see myself as an asset to the organization? Does the work I do reflect my most innovative thinking?” Some ways you can start being the change you want to see are:
- Welcome challenges. See them as opportunities, not as limitations. After all, without challenges, we don’t get a chance to exercise our skills and talents to their fullest potential.
- Ask if there are better or different ways something can be done. Good innovators practice creativity; they generate solutions, ideas, and concepts in every aspect of their lives.
- Be curious, ask questions, and develop problem-solving skills by practicing them.
- Take action – have confidence in your ideas, and dare to express them. Don’t fear failure; it’s inevitable, and the only way we learn. Above all, be persistent – don’t give up.
Remember, the positive energy and creativity of your team start with you.
2. Size the motivation to the person
Despite what some people might try to tell (and sell) you, there’s no “one-size-fits-all” system of motivating employees. Each person is different, as is each organization. The key to effective motivation is to discover what moves each person to be their best and to be an asset to the company.
How?
Start by asking. Then stop to listen. Watch the quiet moments. Then continue the discussion.
3. Motivation is a journey, not a destination.
People and organizations change; what works for the employee and the company at one point might not be as effective months later. By listening to and observing employees, motivations can be adapted to their needs.
Treating motivation as a one-time event or a destination leads to a situation where it would have been better to do nothing at all. Commit to the journey and reap the rewards (and continue to read Security Catalyst to get ideas and support).
It might be dangerous and harmful to assume employees are motivated by “more money.” The “trick” is to figure out exactly what will move them to become greater assets to the company, then give it to them. In my next article I’ll explore in greater detail how to develop a motivational plan for your employees, and ways to overcome some common challenges in developing such plans.
What challenges have you experienced with motivation? What successes have you had? Share in the comments….
Sources:
- Merriam-Webster’s Online Dictionary: http://www.websters.com
- Accel Team Development: http://www.accel-team.com/motivation/
- The Journal of Extension: http://www.joe.org/joe/1998june/rb3.php
- The Free Management Library: http://managementhelp.org/guiding/motivate/basics.htm
The Leadership Challenge in Today’s Security Environment
Management is doing things right; leadership is doing the right things. ~Peter Drucker
Leadership. It’s talked about a lot in today’s information security conferences and books – but how much of it is really happening?
Do we, as professionals, really embrace leadership and its inherent risks, rewards, and challenges? Or, on the other hand, do we really embrace the status quo with its inherent frustration, ennui, and demotivating drag?
Don’t get me wrong – leadership in any field is hard. I’ve led teams on missions as diverse as application development, firefighting, and deploying the varied weapon systems of a platoon of main battle tanks…and I have come to believe that effectively leading teams in today’s information security environment is one of the most difficult tasks I’ve ever taken on. As I look back, around, and forward, I’ve reached a few conclusions.
Too much focus on the status quo
I wish I had a nickel for every time I heard a “leader” describe a “good day” as one where nothing went wrong, nothing broke, and (truth be told) nobody even noticed she or her team were there.
Why?
I think because for so long the business has seen information security as the “Department of ‘No!’” that any time we fly above the radar we get smacked – or at least that’s the fear. If the systems run today just like they ran yesterday we call that a win and hope that they’ll work tomorrow just the same way.
This primal desire for the status quo is one of the most significant issues that chains down information security leaders today, and it’s a topic I’ll address in more detail later – but suffice it to say that the status quo is rarely, if ever, the ally of a successful leader.
Insane focus on a small group of miracle workers
We have developed an almost unnatural dependence in information security on the work and thinking of small groups of very smart people. We rely on that small cadre of “go-to” guys to design and build our systems, respond to incidents, and help develop policies and procedures – but we rarely leverage that small group of folks to develop larger and larger teams of security-oriented co-workers.
Whether we realize it or not, we begin to live in a cultural echo chamber where everyone listens to the same presentations at the same conferences, reads the same blog posts, and anyone who dares speak out against the conventional wisdom for any reason is suspect…
The Status Quo of the Mojo
The last major impediment I’ve seen is a synthesis of the first two. When you combine an overvaluing of the status quo with an over-dependence on small groups, the almost inevitable outcome is a culture of “Please $DEITY, don’t let me screw this up!”
Leaders and their teams become so averse to anything negative (especially if it’s outside the accepted norms of the team) that the goal of the team slowly and immutably transforms from providing the best security for the organization to a goal of not wanting to be caught screwing anything up. This fear (and that’s what it is) leads teams to fall into the trap of wanting to build systems that are “perfect” and “unhackable” and resisting efforts to design or implement systems that don’t meet these standards.
The natural progression of this fear eventually leads to leaders and teams developing an attitude that is occasionally indistinguishable from despair. You’ll hear or read comments like “Why should I deploy $SecurityTechnology? HD Moore could hack it in 5 minutes. Rsnake could get root and own me 25 ways from Sunday.”
Rarely will the speaker or writer of such comments even seem to evaluate whether or not $SecurityTechnology will actually help the organization as part of a complete security plan. Defeat, as the philosopher said, is complete even before a shot is fired.
What can we do about it?
For the next dozen or so posts I’m going to address these issues head on, provide you with a (potentially) counter-cultural view of your role as a leader, and hopefully challenge you to rise to the amazing challenges we face today in information security.
The light you see coming at you – it’s not a train. Trust me.
What are your leadership goals for 2010? Share your challenges and successes in the comments…
Amplifying the Good: The Security Catalyst Online Experience 2010
As the snow starts to cover the ground in Upstate New York, my thoughts are already turning to the year ahead. I’m not at all disenchanted with the Holidays; I’m just excited about the journey ahead with the Catalyst onTour RV adventure. Equally exciting to me is the programming that will be presented by the Security Catalyst in 2010.
The Security Catalyst is designed to be a clearinghouse of bright ideas from a collection of passionate and thoughtful professionals. I believe that more voices, more perspectives, and more discussions are essential to influencing the positive change we need. To that end, we have spent the last few months sharpening our focus – based on the needs of the industry – and developing themed columns and a revised approach to producing readable, actionable content.
We will introduce the bulk of the series in December, and continue rolling out new features and opportunities to engage as the year progresses. So as I travel the country to meet with as many people as possible, we will shine an increasingly bright light toward the future on the pages of the Security Catalyst Online.
The Security Catalyst Online Experience: Amplify the Good
Our mission is simple: amplify the good. A dozen contributors give of their time and experience to help advance the profession. Take a moment to consider the diverse programming prepared for 2010. Each of the contributors spent a few weeks developing a column and outlining key ideas and concepts to guide what we share in the coming year.
We’re working on a production cycle and are implementing a peer review process in 2010. In the coming weeks, I’ll showcase the contributors, reveal more about their series and provide the opportunity to engage with them – for the benefit of everyone!
We welcome feedback – comments, questions and challenges – to help shape our efforts and provide outstanding value for you and your efforts.
Security Social Worker — by Trish Smith
Trish Smith explores the perspective of a licensed MSW on the information security field. In the overall spectrum of topics, which all center on the juncture of technology and people’s thoughts, feelings, and behaviors, Trish’s focus will be on people and how to turn a change concept into reality.
Foundational Identity Management – by Ioana Bazavan Justus
Ioana Bazavan Justus will share her extensive experience in implementing Identity Management at Fortune 50 companies in a 14-part series that is focused not on the technology, but on the process pitfalls and data preparation – the aspects that, if ignored, will make an IAM implementation fail. I’ve known Ioana for over a decade, and her ability to understand, explain and get results is amazing. I’m really excited about this series.
Organized Fraud Prevention – by Sharon Shaw
Sharon Shaw is more than an expert on preventing fraud – she is passionate about sharing ideas, insights and strategies that bring a new focus by explaining the (sometimes hidden) challenges every organization faces. She then provides thoughtful, straightforward solutions.
Leading from the Front – by Martin Fisher
Martin Fisher is a leader (my word, not his) that has engaged me in great conversations about leadership, management and the future of the industry we both serve. He’s agreed to share his thoughts and the secrets of his success to help influence positive change in 2010.
Security From Scratch – by Dennis Kuntz
Dennis Kuntz is gifted in a lot of ways, and I originally wanted to call this the “one man band” given his musical prowess. However, since he’s embarking on an effort to build security from scratch, we deemed it to be a more fitting title. We’re still tweaking the outline – but the goal is to harness collective experience and provide clear insights to the challenge many of us face: building security into an existing organization. Where to start? What to do? And what really matters… tune in and find out.
The Privacy Advantage – by Aaron Titus
Aaron Titus is focusing on the positive aspects of privacy. Instead of dwelling on the shortcomings of privacy, Aaron will set forth the keys to turning a focus on privacy into an advantage.
Security… Psych! – by Jeff Kirsch
Jeff Kirsch blends security with psychology – not only an interest for him, but a vocation for his wife. Jeff will share insights that improve the way we practice security based on how we think, behave, and learn.
Managing Your Compliance – by Jim McFee
Jim McFee knows compliance. He knows audits. As someone that has sat on “both sides of the desk”, Jim is ready to share two decades of experience on how to set up and run an effective compliance and audit program. The emphasis is on how to actively manage audit and compliance for outstanding – and harmonious – results.
Awareness that Works – by Michael Santarcangelo
Starting in January, Michael Santarcangelo (your humble Catalyst) will share his unique and effective approach to building “awareness that works.”
Ioana got started in November, and the balance of the contributors will introduce their columns this month, with a nugget or two to ponder and digest over the holidays. By January, we’ll be running full tilt – loaded with ideas, insights and success for 2010.
Identity Management in 13 Easy Steps
by Ioana Justus
If you were asked to throw a few million dollars out the window, would you do it?
If yes, let me know where and when – I’ll happily wait outside with my catcher’s mitt. More likely, the quick answer to this question is a resounding “NO”. Few circumstances would lead someone to literally throw millions of dollars out the window, down the drain, etc. Not a million dollars, not in a million years.
What about companies that, effectively, waste millions of dollars trying to implement identity management?
The sad reality is that many organizations trying to implement identity management do just that – waste big money – on the wrong technology, or even on the right technology that sits idle because it can’t be used as designed. Worse, some organizations look to even more technology to “fix the shortcomings” of their selected product. The end result is the identity management version of Frankenstein’s monster.
If you peruse the latest identity management articles from your favorite research company, you’ll find the same discussions over and over: How do we justify the cost? Why do so many companies stop at “single sign-on”? Why do implementations take so long? Why do implementations get halted mid-effort? What’s the true benefit of identity management? What’s the ROI? You’ll also find the same tired answers – whether in printed form, or at one of the many IAM conferences across the country: IAM saves costs at the help desk. IAM can help with audit. IAM can reduce headcount in your access services department. Companies bite off more than they can chew, ROI takes too long, so they give up.
But what does it all mean?
Are we really doomed to these behemoth infrastructures that sit largely un-used, while we pay off consulting and software bills that often run into the millions (if not tens of millions)?
No, we’re not.
IAM is not a lost cause. It can lead to lower costs, easier audit processes, and a demonstrated positive return on investment (ROI). But it takes time – and discipline. As with many aspects of security, identity management is not about technology – it’s about people and process. The technologies are out there, and getting ever more mature. But IAM is NOT a Mac or an iPhone – you don’t just turn it on and it magically works. There is a lot of configuration and even custom development that needs to be done after you install your product suite of choice. Even before that, there is a TON of data cleanup, data modeling, and process design that needs to take place, and that is at the heart of this series:
Identity Management in 13 Easy Steps
Of course, the series title is a bit tongue-in-cheek. There’s nothing particularly easy about identity management. Then again, it’s not rocket science, either. It just takes a little thought and a lot of tedious effort – and did I mention discipline? The focus of this series is all on process and data. In fact, product selection is saved until the very last article. That’s right – if you can keep your instant-gratification urges at bay, I recommend that you don’t even bother buying anything until you’re ready to use it. Why spend all that money on a fancy technology if it’s going to sit there, idle, while you beat your head against the wall trying to clean up the data and processes that it needs to function?
An identity management implementation will only be as good as the data and processes feeding it, and that’s the problem many companies face today – most organizations buy a product and figure out after the fact that they have a ton of work to do to make it function. As a result, there is such a lag between the time of purchase and the time of ROI, most management teams lose patience and halt the effort. If you pave the way to implementation by first cleaning house, when you implement the technology its benefit will be seen quickly, which will encourage management to keep it going and try more.
There’s another critical aspect to this approach: gaining the needed experience to properly document requirements. Identity management is extremely complex. No one can just walk in and “get it” in one sitting. Even if the high-level concepts seem obvious, you have to live with the dirty details for a while to really understand the needs of your particular situation. The better that understanding, the better the requirements. The better the requirements, the better the product selection. Choose the right product, and you avoid tossing millions out the window.
Are you ready for this journey? If so, let’s get started. Here is the series I have planned – one article per month. This may not seem like much, but unless your implementation will have a very small user base, it will take longer than a month to execute most of these steps anyway. Of course, the series may change along the way – I’m already concerned about the volume of information I’m trying to fit into some of the articles. I may find as we go that a few of these topics will require multi-part articles. We’ll deal with that when it arises.
For now, here’s the intended schedule:
December 2009: Identity Management 101 – an overview of the different components of an IAM suite, to make sure we’re all on the same page and speaking the same language.
January 2010: Identifying Systems Integrations – not all systems will integrate (directly or indirectly) with IAM. Determine which ones will feed the priority list for the data cleanups and process work.
February 2010: Data Cleanup Part 1 – before your identity management system can work, it needs to be populated with all userIDs, and those IDs have to be clean. The first cleanup is focused on the primary IDs such as AD/LDAP and other key systems.
March 2010: Data Cleanup Part 2 – a key benefit of identity management is the ability to link userIDs in multiple formats from a variety of systems to the user’s primary record. The second cleanup focuses on identifying which IDs belong to which users in preparation for proper linking.
April 2010: Preparing for Password Self-Service – password self-service is a key cost savings of IAM, but it’s harder than you might think. This article will help you prepare your policies and your users for the technology to come.
May 2010: HR as a Source of Record – the HR system is a primary source of record for employees. It can also be one of the primary sources of errors and limitations for identity management. This article will explain the issues that most companies experience when interfacing with HR technologies (and departments).
June 2010: Role- and Rule-Basing – in order for auto-provisioning and -deprovisioning to work, the roles and rules need to be defined. This article will teach you how to avoid turning this effort into a rat’s nest.
July 2010: Role Hierarchies – workflows cannot be enabled without proper approval processes. But approvers aren’t always line managers. This article describes the various role hierarchies that should be established, and the synergies that can be achieved between identity management and other sources of record (e.g., financial systems).
August 2010: Workflows – workflows are the key to automating many processes. This article discusses the considerations in setting up workflows to ensure that they function effectively.
September 2010: Termination and Transfer Gotchas – terminations and transfers are key control activities that are of great interest to auditors. Getting this right in identity management will save everyone a lot of work. Getting it wrong can be disastrous. Learn the pitfalls in this article.
October 2010: Password Self-Service – whereas the April article deals with the foundational aspects of password self-service, this article deals more with the implementation aspects: how to select challenge questions that make sense, exposing PSS outside of the corporate network, etc.
November 2010: Effective Business Cases – now that your house is in order and you have almost a year’s experience with your organization’s circumstances, it’s time to build a business case to buy a product. This article explores a number of value-added functions of identity management that will intrigue your management and encourage them to allocate budget.
December 2010: Requirements and Product Selection – you’ve cleaned your data, defined your processes, and secured a budget. It’s finally time to pick a product. This article will help you document and prioritize detailed requirements based on a year’s experience in the trenches, so that you can make the best product decision possible.
Have a workable plan, or else…
As we continue to discuss the Basic Truths of Incident Response Leadership, we’ve briefly gone over the three Basic Truths as well as done a deeper analysis of “Succeeding By Planning to Fail”. This brings us to:
Basic Truth #2: Have A Workable Plan, or Else
As an Incident Response Leader, one of the most valuable parts of your role is to create, test, exercise, and (when called upon) execute Incident Response Plans (IRPs). IRPs run the gamut from a Post-It note on the wall listing contact phone numbers, to plans that take up several 3-ring binders on a shelf somewhere. Plans can be long or short, detailed or vague, paper or electronic, automated or manual…you get the picture. What makes a good plan different from a not-so-good plan can be summed up in a few ways.
First, can you execute the plan using only the resources that you legitimately would have access to during the incident? We’ve all seen plans that call for using network analyzers that aren’t accessible to the organization or that call for numbers of personnel that just don’t exist. You may have written plans that assume that the responding team has skills and experience that your current team just doesn’t have (I have). The key is to map out the current skills and capabilities of your team and employ them as best you can to meet the anticipated incident.
As you identify resources available to you, it pays to be creative. Can other teams identify folks who could temporarily be available during an incident (think of it as an in-house “volunteer fire department”)? Do you have relationships with designated outside incident response consultants? Do you have relationships with local, state, or federal law enforcement? In today’s business environment, Incident Response Leaders need to be creative in identifying resources that can assist during a response cycle.
Second, you have to test the plan. This sounds intuitive, but many plans never get past the written-down stage before they are needed in an incident, because no leader stepped in to make sure the plan would work as designed. One of the most effective ways to test an IRP is also the least expensive: the simple “Talk Through”, where all of the designated players sit at a conference table (pizza is optional, but highly recommended) and walk through the plan step by step, noting any foreseeable problems or issues. The team needs to be encouraged not only to point out potential problems, but to brainstorm solutions they can implement as-is, since (as we talked about in Basic Truth #1) you can only plan on the resources you have, not the resources you want to have.
Plan testing needs to be redone every time the plan is modified, and at a regular interval (at least annually) even if nothing has changed. Testing can be announced or (my personal favorite) unannounced. The time spent testing helps the Incident Response Leader assess not only the plan, but the team assigned to execute it. The feedback loop should cover applications, hardware, processes and procedures, as well as people. Everything is fair game.
Lastly, you need to continually exercise your plan. This, while not as intuitive as testing, is something that many organizations fail to do, claiming “it’s too hard” or “it’s too disruptive” or “it’s already been tested, why should I do an exercise?” Having performed incident response on plans that have been exercised and plans that have not, I can tell you with complete assurance that plans that have been exercised are executed more smoothly, with fewer problems and a better resolution.
Exercises can range from a talk-through (similar to testing, but without the constant feedback loop) to a full-on exercise using live equipment. Talk-through exercises can quickly familiarize a team with a new (or newly updated) plan. Talk-through work will also quickly expose assumptions that, while they seemed accurate in testing, don’t fit the way the incident response team actually works. All other things being equal, I believe that talk-through exercises offer the highest return for time spent in any aspect of prepping for an incident.
Full-on exercises, as powerful and complete as they are, can be very hard to accomplish. Most organizations cannot fully replicate their production systems (even using virtual machines). These exercises, when they can be done at all, are usually done in development or test environments and generate most of their value by allowing teams to actually assess and interpret adversary actions and data. These exercises are an Incident Response Leader’s best chance to simulate the stress and activity of a real incident.
Taking all of this into account, it’s clear that the Incident Response Leader must be able to create, test, and exercise an IRP in order to respond effectively when an incident occurs. By building plans around the resources you actually have, validating them through testing, and exercising them regularly, you can make sure that you and your organization are ready when the inevitable incident arrives.
But it’s not over yet. Once you’ve gotten this far you still have one vital task to accomplish. We’ll cover that in the last article on the Basic Truths of Incident Response Leadership.
Getting rid of your best people
A friend of mine recently had a very Dilbertesque experience at work. The company my friend works for has been acquired twice in the last three years and all of the dust seemed to be settling. Sort of…
Locally there were four offices under the corporate umbrella, each a legacy of the acquisitions that had occurred over the last several years. The parent company decided to consolidate three of the offices and scale down the most remote office by moving some of the staff from that office to the new centralized office. This was reasonable, and most of the staff saw this as a good business move. Most of those who did not see it as a good move were from the remote office and would have to drive farther to get to work.
Planning for the move had gone on for a couple of months and was finalized about two weeks before the actual move date. The new seating chart was printed, offices were assigned, and additional requests were made. Here is where we take a turn for the weird:
Treating your people like they are worthless: Elimination of a position announced through the new seating chart.
One of my friend’s coworkers found out by looking at the seating chart that he was not going to have a job in two weeks. Rather than approach this individual before the release of the seating chart, the office manager chose to let things work themselves out a la “Office Space”. Fortunately, the Milton in this case chose not to resolve the issue with fire but by talking with HR, but this left a bad taste in a lot of people’s mouths.
Generate a menial or pointless task.
Actually, this one is a little worse than pointless: it is counterproductive. Time tracking is a part of a lot of people’s workdays. I did it every day when I worked as a consultant, so that we could bill customers for my activities. This is not a diatribe against time tracking; however, my friend was asked not just to start tracking time, but to go back to the beginning of the year and track all of the time since January 1. The company wanted real data for that entire period. Do you remember how you spent your day in fifteen-minute increments 6 months ago? 6 weeks ago? 6 days ago? As a group, the team that was asked to do this questioned the logic behind generating data that would contain a lot of errors and inaccuracy and that would then be the basis of the next three years of projections. They were told, effectively, not to worry about it and that the data analysis team would take care of it. To me, dear reader, that is like saying, “Create firewall logs for the last 9 months that we can then use as the basis for the upgrade of the existing firewall and Internet connection, even though you only put in the logging system this week.” Yes, you will have a smaller set of data to work from, but it will be more accurate, and your people will feel better about their work.
So what can you do to avoid putting yourself or your coworkers in such a situation, aside from not working where my friend works? Treat your coworkers with respect and dignity. If you know of something that is going to have a direct impact on their lives, they need to be made aware of the upcoming change as early as possible. If you are implementing a new system that employees are going to be using, get their feedback and review what they have to say. Don’t make decisions in a vacuum. If it impacts people, get their input. Running a business depends on the people who work there; if they don’t feel valued, then the business won’t be valued.
Shooting ourselves in the foot: Can the bad economy keep us from buying more bullets?
by Ioana Justus
My career has now spanned almost 12 years, and it still amazes me how so many managers and executives consistently make bad decisions and then are surprised by the results. As the economy has gone bad, you’d think that people would be a little more judicious about how they spend the small budget they have remaining, but that’s turning out not to be the case. Surprisingly, I think the vehemence with which we’re shooting ourselves in the foot has increased as the budgets have shrunk. Now that the economy has bottomed out and is (supposedly) on the rebound, is there any chance of changing some of the behaviors before the upswing takes hold?
Let me ask you a different question: If you lived in Chicago and your house needed a new roof, would you just go out and buy the one recommended by your buddy out in San Francisco, because he’s thrilled with his new roof? Hopefully, the answer to this is no. You may take a look at it, but I’d hope that you would first confirm that its structural integrity is sufficient for the added wind, cold, and snow load that Chicago roofs experience. Once selected, would you allow the contractor to cut corners on your roof installation just to make a specific deadline? Is a permanently leaky roof worth a couple of weeks?
If you wouldn’t blindly purchase something for your own home based solely on the recommendation of a friend, why would you purchase a product for your company based on the recommendation from a vendor, a colleague in another industry, or a conversation on the golf course? How can you justify the potential risk? What happens to your reputation when the product in question doesn’t perform as expected? Where does the budget come from if you end up having to replace the entire thing?
When budgets are tight, there are better things to purchase with what little you have than bullets for your foot, and there are three very simple rules that can keep your munitions purchases at bay:
- Don’t ‘decide’ on a due date, calculate it. Implementations take time and resources. As much as you might want something in production by the end of the quarter, it might not be possible to do in a reasonable way. Before committing to a date that’s just not feasible, spend a little time to determine the effort involved and the lead times for any purchases or installations that may need to be made, and to assess the availability of the resources required. Then calculate a plausible due date based on the reality of the work effort, and be sure to document the consequences of cutting corners, should that still be desired. Sure, there will be instances when time is of the essence, but those are not as frequent as most people think. When you consider long-term support costs and the massive adjustments that are usually needed to make a quickly installed product work, the calculated ROI is rarely met, and the costs to reputation and morale are higher than many would like to admit.
- Don’t ‘make up’ budget numbers, calculate them. We all instinctively have assumptions about how much something should cost. Some of us are better than others at guesstimating accurately. Most of us underestimate – significantly! So before publishing a number that just doesn’t make sense, do the math. There’s truly nothing to be gained by setting the expectation that the desired work can be done for half the actual cost. If the true cost is prohibitive, then the negotiations need to start, and the consequences should be documented and accepted for each item cut. But if you’ve dug yourself a hole before the negotiations have even started, you’re in for a world of hurt.
- Don’t fit your problems to a pre-determined solution, pick a solution that fits your problem. No matter how nice the vendor is or how much you value your golf buddy’s opinion, the product they’re pushing may not be the right one for your company. The only way to know for sure is to gather requirements first, based on the actual needs, desires, and roadblocks currently being faced by your company. Then you can assess whether the desired product fits the bill. If it doesn’t, don’t buy it! If nothing fits the bill, pick the best option, or consider waiting for future developments. In any case, be sure to document the trade-offs, and get agreement that they’re acceptable.
Simple, right?
But if we were all doing this, I wouldn’t be writing about it. The problem is that it has become acceptable to ignore the rules, and anyone who doesn’t follow suit is viewed negatively. The real challenge is for each of us to take the personal responsibility to follow the rules, regardless of our position in the company. Only then will we change the expectation and make it unacceptable to ignore the rules.