When papers like this are released, most of the announcements focus on some quotes, perhaps a general impression and link. After my briefing, I took something else away – and I wanted to share.

Below, I break down my notes in terms of security awareness, security leadership, effectively communicating the value of security and a few thoughts on how a paper like this advances a security career.

The basic concern is clear: smart phones are gaining market share; increased reliance means they are loaded with personal and corporate information. Considering the continued growth of mobile computing, attackers are going to “follow the money” by turning their attention to mobile malware in search of easier, more profitable targets.

The challenge is determining where mobile device security fits into an already crowded and ever-expanding threat landscape.

How big is the risk; how fast do we need to move?

To put it into context, consider the magnitude of the risk: according to the Symantec Internet Security Threat Report there were 163 documented vulnerabilities in mobile device operating systems in 2010, compared to 115 in 2009. The growth demonstrates the rising attention of attackers.

Overall however, Symantec documented 6,253 software vulnerabilities in 2010 (additional context can be found in the most recent ISTR starting on page 15).

The impact of mobile malware on the enterprise is rising; while immediate action may not be warranted, there are some actions to take today to prepare for the future with less friction.

[pullquote]The impact of mobile malware on the enterprise is rising; while immediate action may not be warranted, there are some actions to take today to prepare for the future with less friction.[/pullquote]

Security Awareness

At this point in the year, the security awareness programming plan should be in operation – and no immediate changes are required at this time. The topic, however, does present itself as a good secondary or opportunistic topic – especially if people are starting to ask about it.

To get started, redefine the concept of mobile telephones: they do more than dial numbers these days. Ask questions about the type of information people store. A simple question gets this dialogue started, “what’s on your device?” Follow up with, “what happens if your phone is lost or stolen?”

Asking, “What happens if a rogue application gets installed on your device?” prompts a more advance discussion. The challenge to this level of security awareness discussion is preparing to talk about how this happens without accusing the individual/audience of being stupid.

Start the dialogue this year, if it makes sense, as an opportunity to learn the challenges people are facing and the language they use. This becomes valuable input for next years programming plan (where it still might not be a prime topic).

Security leadership considerations

Like it or not, mobile devices are connected to the enterprise. The growth of mobile computing coupled with the growth of “the cloud” means personal and corporate information is necessarily stored on the smart phones — approved or not.

Reconsider how devices are treated and then review current security policies, standards and procedures to understand how information is protected. Ask questions and consider how the policies address lost or stolen phones and mobile devices. The user experience matters.

Aside: I’ve tested “remote wipe” with clients before. Despite their assurances it would work perfectly, in each case, I was able to turn off the radio transmitter before the wipe and enjoy full access to the information stored conveniently on the memory card inside the phone. Lesson learned: check the policy, and then test to see if it matches reality.

Making the time now — before this becomes a hurried rush that never leads to good decisions — means the opportunity to consider changing functional and technical requirements.

Given the current average time to change policies and procure new technology solutions, this little bit of a “head start” might make the difference between future success and continued on-going struggle.

In short: do the work now, reap the benefit later.

Effectively communicating the value of mobile device security

As security leadership reviews and makes decisions, consider how to effectively communicate and incorporate the changes to the various audiences in the best possible way (hint: email may not work for everyone).

The key to effective user experience is striking the blend between connecting people to the consequences of their actions — restoring their ability to take responsibility — while providing a technical and procedural backstop that helps make it easier for people to do their jobs.

How this helps advance a security career

We’re in a profession where we need to know something about everything (aside: I believe the path to success, however, requires finding a niche and getting good – in addition to knowing a bit about everything).

Mobile device security and cloud computing are both on the rise. Investing time now to amass and understand facts, figures and the ability to explain the importance of these details to different audiences is important.

Breaking down the salient concepts of mobile device security to be able to teach these basic concepts to others in meaningful and appropriate ways is a way to advance a security career.

Your Turn

What do you think? How are you handling the rise of mobile malware, and the continued integration between mobile and cloud computing?

Share your challenges, and if my perspectives on this paper benefit your efforts (or what you’d like to have seen more of).

For me, this means a lifelong study of communication – verbal and written – blended with human ecology and the fundamentals of security. It’s an odd mix, but with my focus on Awareness that Works™, it serves my clients well.

A few months ago, I started a column for CSO Online dubbed the “Career Catalyst.” It allows me to build on my background as a catalyst and role as an advocate for individuals to share ideas, insights and strategies to help shape and develop powerful, effective careers. It turns out to be a perfect compliment to my approach to advancing individuals and organizations at the same time.

My passion in serving others is the driving force for this column.

I routinely listen to the challenges, observe the trends and think about the skills, aptitudes and attitudes for career success. But I also view this as an effort to serve as the catalyst for multiple ideas, experiences and challenges of the entire community.

Looking to improve your career and advance the profession?

• Share your successes or ideas you’d like my take on
• Ask the questions on your mind
• Share your challenges

Connect with me by email, telephone, twitter or through this handy contact form.

You can find my column here: http://www.csoonline.com/topic/41515/security-career-staffing

Here are the last three columns:

Security Careers: The Mic is Always On. Always.

Like politicians who’ve been embarrassed by public microphone mistakes, security professionals need to remember comments that are made in bad taste can put both a career, and an entire security program, in danger

http://www.csoonline.com/article/597056/security-careers-the-mic-is-always-on.-always.-

Cultivating a healthy addiction for career success

Going beyond the typical interview answers and resume claims will help you demonstrate why you stand apart from the pack. Michael Santarcangelo shows the way.

http://www.csoonline.com/article/594229/cultivating-a-healthy-addiction-for-career-success

Are You Making a Security Career or Working a Job?

In his first column as CSO’s Career Catalyst, Michael Santarcangelo outlines three essentials everyone needs to consider to make security work more than just a job

http://www.csoonline.com/article/590096/are-you-making-a-security-career-or-working-a-job-

It is important to understand personality types and traits when working with and managing other people (check out my article about that here). There are two traits with the strongest influence on personality style. An understanding of these provides advantages for managing and communicating – advantages that are essential for success.

The two types?

You guessed it: extrovert and introvert

While the words introvert and extrovert are used often – and often used to justify behavior – it is useful to take a step back and consider the two types in a different light.

The extrovert
Extroverts are known for their assertive and outgoing nature. But extroverts aren’t assertive just because they like telling people what to do; they actually thrive on external sources of energy.

They seek out human interaction and lean toward the gregarious. They enjoy activities that give them the opportunity to interact with larger groups, both business and social, such as conferences, parties, community activities, public demonstrations, and highly active membership groups – all strong sources of energy they can feed on, amplify and contribute to.

In the workplace, extroverts are less likely to find reward in individual projects. They enjoy work that involves large groups and will engage in activities that introverts might consider risky, such as public speaking and assuming leadership positions. They are often comfortable expressing opinions confidently and vocally. This can give others the impression that extroverts have a greater self-image, which is not always the case.

The introvert
Classically, introverts tend to be more reserved in behavior. But consider this: introverts generate their own energy – and sometimes need to step back in order to do it.

They seek out fewer social interactions; this does not mean they are asocial, but rather that they prefer interacting with smaller groups or individually than with larger groups. They also take more pleasure in solitary activities such as reading and writing than their extroverted counterparts.

At work, introverts enjoy projects that allow them to work on their own or in small groups. They tend to prefer working on one project at a time (or on fewer projects at one time), and will be more likely to observe a situation before jumping right in. They tend to speak only after they can validate what they are about to say. Introverts need time alone to “recharge”; it is essential they be provided with opportunities to do this.

Successfully managing the two personality types
It’s important to leverage extroverts’ innate sociability. Their outgoing nature makes them naturals as salespeople, account managers, or in any other position where they deal with clients, potential clients, and other members of the organization – where they can thrive on available energy.

Take advantage of their leadership tendencies by providing them with opportunities to take the reins on projects.

Extroverts often make very good team members, so don’t feel that it’s necessary to always put them in a leadership position. Often, extroverts in team situations will serve to improve the energy of fellow team members.

Introverts, by contrast, usually prefer to be given projects they can manage individually, or with one or two others. They also tend to be more detail-oriented, and do better with projects that do not require them to perform many tasks simultaneously. Use their high level of focus to the business’s (and their) advantage. Introverts can often be quite taciturn until they produce desired results, so do not assume that lack of communication means they are not concerned with the outcome of the project; quite the opposite. Much of the processing that introverts do is internal, so they sometimes forget to communicate progress on the project to others.

As a team, these two temperaments can balance each other out well, if each can remember that the other has different work styles. Extroverts might find introverts’ natural analytical style to be too confining, and introverts might consider extroverts’ risk-taking to be too reckless. But if each can remember that the other has something to bring to the project, and that “different” can be beneficial, then these kinds of partnerships can be worthwhile – and even educational – for everyone involved.

Have you ever been in a position to manage these two temperaments? How have you used their natural strengths to the project’s advantage? And do you recognize yourself as one or the other – or do you feel you have elements of both extroversion and introversion in your own personality? Share with us in the comments!

Think back to the best leader you’ve ever followed.

For me, it was my Professor of Military Science when I was in ROTC during my college stint.

Look at him and at first you’d see him as an “average” Army officer. He’d had a bunch of good assignments, some not so good assignments, and was finishing up his career teaching young men and women the finer art of leadership. If you only knew him casually you’d be wondering why all of these young men and women were so dedicated to the program, the Army, and (in a lot of ways) to him.

The reason I did was simple: the Major was able to describe a vision to me of what the Army could be, what I could be, what all of us – together – could accomplish. He told the stories of what he felt we could do in such clear and compelling language that we were enthusiastic to do some pretty (in retrospect) amazing things. Things that, outside of the context of the vision, made absolutely no sense…like jumping out of perfectly good airplanes while still in flight…like marching through mud, dust, and pollen for kilometer after kilometer…like lying in cold rain for hours waiting for the ‘bad guys’ to show up…and so on and so on.

Casting Vision: It’s Not Just A Sales Job

Without a compelling vision a leader is hamstrung.

They can push and pull the levers of the team, they can make adjustments to the machine that is the team – but they cannot get the team to reach it’s full capability. Without a compelling vision the leader is simply reacting to events instead of shaping the events and circumstances. The leader, without a vision, is not really leading at all.

Just to be clear – we’re not talking about the simple “performance management” task of assigning goals and objectives to individuals and ensuring that there is a cohesive flow to them. We’re not talking about “mission statements” or “purpose statements” (although they may enter the conversation later). We’re not even talking about how to justify the capital expenditure needed to get the “new system” online.

When we talk about casting vision we’re talking about being able to tell a story that accomplishes some very specific goals.

Acknowledge What Is

Any vision must start at the beginning.

You must be able to acknowledge the good, the bad, and the ugly about the current situation. You have to be completely honest about where you are coming from. To do otherwise begins with a foundation that cannot support even the most compelling vision.

Vision, built on false assumptions or denial of the past, collapses in on its own weight. That being said, don’t flagellate yourself (or the team) unnecessarily either.

As Sergeant Joe Friday says “Just the facts”.

Describe What Is To Come

Vision, at it’s simplest, is a story describing how things should (or can) be.

The story needs enough detail without going to deep. It needs to be lofty and idealistic without sacrificing a real sense of reality. The story needs to reach out to your team and show them that they can be much more than what they are today.

But a simple vision is, many times, not enough.

Vision needs to take into account what you want your team to accomplish and also show how that plays into the goals and aspirations of the larger team. Vision, especially for larger teams, needs to be large and sweeping and dramatic and dynamic.

Most importantly, the vision must be Yours.

Demonstrate Your Belief

Only you can effectively get your vision off the ground.

If you do not share it convincingly, if you cannot show that you believe it in the deepest fiber of your being, if you cannot demonstrate you are willing to sacrifice personally to make the vision appear then: You. Will. Fail.

Think back to when you knew the boss was simply mouthing words that the boss thought you wanted to hear. Recall when you could tell exactly which motivational book the boss was parroting. Remind yourself of all those times that you knew (and I mean, YOU KNEW) the boss wasn’t believing what they were saying.

Do you want to be that?

Make The Mental Shift Yourself First

Once you’ve communicated the vision to your team you must make the mental shift in all your communications, thoughts, and presentations and ensure that the tenets of your vision are constantly and consistently communicated.

You need to make your vision, no matter what it is, the focal point of all your activities. You must be “living the vision” every day in every way.

Once your team sees that you believe, once they know that you are not just “saying words”, once they realize that the vision is for real – then you can move on to the next (and, to me, most fun) step.

Help The Team See And Act On The Vision

Once the team sees that you believe and that you are willing to act on the vision they will be prepared to begin really looking at the vision the way you do and will start to act on it in ways that they think will help bring it about.

Your job is easy – you get to be a cheerleader, mentor, and disciplinarian all in one. You get the chance to reinforce the vision with team members and experience what I think is one of the coolest parts of leadership: you get to see your team members grow as people and you get to see your team grow in it’s capabilities.

But that growth doesn’t “just happen”… In our next episode we’ll talk about how to take your vision and use it to build a stronger team.

What is the most important job/function of a leader?

• Inspire the team?
• Use resources effectively?
• Make tough decisions?
• Set an example?
• Develop others?

All of these are good answers and are important things for a leader to be sure they are accomplishing in an organization.

But none of these is the most important answer.

The number one job of a leader – the reasons leaders exist – is to bring change to organizations.

“That’s silly!” – is a common reply I hear when I make the statement.

“Leaders only bring change if change is what the organization needs. They assess the situation, analyze their resources, and only make changes if there is a reasonable chance of the change improving the organization.”

My response to that, in the words of my teenaged daughter, is  “Pssh!”.

Change:  If you aren’t doing it, you’re doing Leadership wrong.

Effective leaders are never satisfied with the status quo.

Of course, leaders will continue to celebrate good performances, boast the capabilities of their team, and value the circumstances they find themselves in. But more, a leader has the ability to see and accept the organization as it is and form a clear vision for how the organization can (and should) be.

Leadership, a friend once told me, is the where the science of the possible meets the art of the dream.

Leadership is the nuanced ability to see what could be and come up with the plan to create it out of what is already in existence. Effective leaders almost instinctively realize that slow and incremental change is a prison and that the only escape is dramatic and disruptive change.

Leadership is “Disruptive change?”

That’s crazy talk!

Look at all the people who lost or almost lost everything to disruptive change: New Coke…Webvan…the Pontiac Aztek…Hooters Air…

Only a fool or a liar would say there is no risk to disruptive change. But there are things you can do to minimize that risk:

Think, Rethink, and Rethink Again

The leader has to be completely honest with themselves about the environment they operate in, the resources available, and the chances of the disruptive change actually taking effect.

This thinking must be complete, honest, and is not done until the leader understands the environment completely.

The leader then needs to find a small group of trusted other leaders that they can toss the idea to with the intent of these other leaders shooting it so full of holes that almost nothing remains.

Whatever is left — whatever survives the onslaught —  forms the base of the next round of thinking. Once the thinking is done the thoughts have to be able to be put into simple and actionable statements:

• Changing the organizational structure? Then create a org chart to talk to and demonstrate.
• Changing processes?  Then show a picture that details before and after with the benefits.
• Changing the mission? Then create a succinct mission statement and show what is being changed and why.

Whatever the change, come up with a picture (1 slide, please, not a full deck – that’s for later) that can be used to explain the “why and how” of the change.

Talk the Team Through The Change

The worst thing to do once the thinking is done (you think) and the picture is ready is to simply dump the change on the team.

One of the biggest (and, sadly, most common) mistakes leaders make is to forget that, while the leader has been thinking through this change for weeks, the team just got told of the change and needs time to process and unpack it. They deserve the chance to see what the change is, how it impacts them, ask questions, and get answers.

The effective leader is able to effectively communicate the change to the team.

Using the picture of the “how and why” to show the team how the change will impact them and how it helps getting team goals accomplished.

Then step back, listen, and engage in the conversation. Remember – the team knows the system and might reveal something to tweak the change. In fact, this could be the difference between success and failure.

“That sounds an awful lot like sales! If I wanted to do sales I’d of taken that job with my cousin at the furniture store!”

Is it like sales?

Well, if “sales” means influencing people to see things from different perspectives – then yes.

But I prefer to think of it as “Casting A Vision” – which is what we’ll talk about next time.

by Martin Fisher

Those who know me have come to expect me to “correct” them whenever they say “manage people”.

“Objects are managed, people are led,” is my usual retort. Sometimes I am met with a blank look, sometimes with a exasperated grimace, and sometimes (and not nearly often enough) by a questioning stare.

“What?” the quizzical friend often asks. “There’s not a difference worth mentioning.”

Nothing could be further from the truth and nothing, in my opinion, has done more to impede the progress of the information security profession.

The abject failure of leadership, from senior ranks, through middle management, to front-line supervisors has led to a culture that glorifies “meeting expectations”, extols the virtue of “accomplishing goals”, and is satisfied with “getting the job done”. Don’t get me wrong – these things are important – but they miss the vital difference: That a dynamic leader can take a group of people and almost always “exceed expectations”, “surpass goals”, and “get the job done better” and still have a happier team and more satisfied customers.

“How does that happen?” asks the still-quizzical friend, “Isn’t meeting expectations what we’re here for? Isn’t that enough?”

Sadly, it isn’t enough.

All people appreciate leadership. Everyone inherently wants to belong to a team that accomplishes exceptional results. Nobody wants to be in an organization that doesn’t excel.

The key to this is the Leader.

Leaders determine, by applying their leadership talents, just how far the team will go. Setting a goal and managing to that goal ensures that any additional capability is forever lost. Managing to a goal guarantees that the exceptional capability that is native to any team will be lost in a desire to just do “enough”. When we manage people, instead of lead them, we are condemning ourselves to forever experience sub-optimal results, never knowing what could have been accomplished.

“But my team is happy and my customer is satisfied. Doesn’t that mean I’m succeeding?” asks the friend as their frustration with the conversations grows. “You’re making more out of this leadership thing than it really is, aren’t you?”

This is the point where the friend has reached an almost Matrix-esque moment…

“Take the blue pill and this conversation ends. Everything goes back to the way it was and you can believe anything you want to believe. But take the red pill, and I’ll show you how you can take the leadership skills and talents you have and use them to transform yourself and your team. I’ll teach you how to truly get more done with more satisfaction.”

Which pill, my friend, will you take?

• Less efficient use of resources
• Less creative solutions (at a time when creativity is even more vital)
• Less productivity

And worse, the possibility of security breaches and risks. Some companies learned this lesson the hard way: TMobile in the UK , Greengrocer.com, and the Office of the Attorney General of Maryland.

When employees lose motivation, they become less of exactly what the company needs: A creative, productive contributor. Worse, they might become angry and disgruntled, causing a loss or theft of essential company information.

Motivation – I know it when I see it

So what is this abstract concept called “motivation”? Is it like love – hard to define, but easy to recognize?

According to Webster’s, to motivate is to “provide with an incentive, move to action, impel”. Motivation is, put simply, giving others a reason to do something: To do their job well, to be creative, and to be an asset to the company.

Now that we’ve defined it, can we describe it? What are some common motivators? Some things that have found to be effective motivators are:

• Positive reinforcement
• Effective discipline
• Fair treatment
• Satisfying employee needs
• Setting work-related goals

Notice something missing from the list?

If you assumed that “more money” would be a lock, it turns out it isn’t. The Minneapolis Gas Company completed a 20-year study of motivation. They asked 44,000 employees what they desired most from a job and found that, surprisingly, wages were not highest on the list. Job security was, followed by advancement, type of work, and pride in the company.

But even without the study, we all know that providing motivation is a good thing. The challenge is “how?”

I’ve listed some basic concepts of motivation to help you devise a system to give employees what they need, so they can contribute their best work:

1. Be the change

Employees won’t be their most creative, energized selves – they won’t be assets to the organization – unless you are, first. As the Minneapolis Gas Company found, intangibles rank higher than wages, and they start with your attitude and energy. Simple actions can start the process. Ask yourself: “If I were one of my own employees, would I see myself as an asset to the organization? Does the work I do reflect my most innovative thinking?” Some ways you can start being the change you want to see are:

• Welcome challenges. See them as opportunities, not as limitations. After all, without challenges, we don’t get a chance to exercise our skills and talents to their fullest potential.
• Ask if there are better or different ways something can be done. Good innovators practice creativity; they generate solutions, ideas, and concepts in every aspect of their lives.
• Be curious, ask questions, and develop problem-solving skills by practicing them.
• Take action – have confidence in your ideas, and dare to express them. Don’t fear failure; it’s inevitable, and the only way we learn. Above all, be persistent – don’t give up.

Remember, the positive energy and creativity of your team start with you.

2. Size the motivation to the person

Despite what some people might try to tell (and sell) you, there’s no “one-size-fits-all” system of motivating employees. Each person is different, as is each organization. The key to effective motivation is to discover what moves each person to be their best and to be an asset to the company.

How?

Start by asking. Then stop to listen. Watch the quiet moments. Then continue the discussion.

3. Motivation is a journey, not a destination.

People and organizations change; what works for the employee and the company at one point might not be as effective months later. By listening to and observing employees, motivations can be adapted to their needs.

Treating motivation as a one-time event or a destination leads to a situation where it would have been better to do nothing at all. Commit to the journey and reap the rewards (and continue to read Security Catalyst to get ideas and support).

It might be dangerous and harmful to assume employees are motivated by “more money.” The “trick” is to figure out exactly what will move them to become greater assets to the company, then give it to them. In my next article I’ll explore in greater detail how to develop a motivational plan for your employees, and ways to overcome some common challenges in developing such plans.

What challenges have you experienced with motivation? What successes have you had? Share in the comments….

Sources:

• Merrian-Webster’s Online Dictionary: http://www.websters.com
• Accel Team Development: http://www.accel-team.com/motivation/
• The Journal of Extension: http://www.joe.org/joe/1998june/rb3.php
• The Free Management Library: http://managementhelp.org/guiding/motivate/basics.htm)

Leadership. It’s talked about a lot in today’s information security conferences and books – but how much of it is really happening?

Do we, as professionals, really embrace leadership and its inherent risks, rewards, and challenges?  Or, on the other hand, do we really embrace the status quo with its inherent frustration, ennui, and demotivating drag?

Don’t get me wrong – leadership in any field is hard. I’ve led teams that have done such diverse missions as application development to firefighting to deploying the varied weapon systems in platoon of main battle tanks…and I have come the believe that effectively leading teams in today’s information security environment is one of the most difficult tasks I’ve ever taken on. As I look back, around, and forward I’ve made a few conclusions.

Too much focus on the status quo

I wish I had a nickel for every time I heard a “leader” describe a “good day” as one where nothing went wrong, nothing broke, and (truth be told) nobody even noticed she or her team were there.

Why?

I think because for so long the business has seen information security as the “Department of ‘No!’” that any time we fly above the radar we get smacked – or at least that’s the fear. If the systems run today just like they ran yesterday we call that a win and hope that they’ll work tomorrow just the same way.

This primal desire for the status quo is one of the most significant issues that chains down information security leaders today and it’s a topic I’ll address in more detail later – but suffice is to say that the status quo is rarely, if ever, the ally of a successful leader.

Insane focus on a small group of miracle workers

We have developed an almost unnatural dependence in information security on the work and thinking of small groups over very smart people. We rely on that small cadre of “go-to” guys to design and build our systems, respond to incidents, and help develop policies and procedures – but we rarely leverage that small group of folks to develop larger and larger teams of security oriented co-workers.

Whether we realize it or not we begin to live in a cultural echo chamber where everyone listens to the same presentations at the same conferences, reads the same blog post, and anyone who dares speak out against the conventional wisdom for any reason is suspect…

The Status Quo of the Mojo

The last major impediment I’ve seen is a synthesis of the first two. When you combine an overvaluing of the status quo with an over-dependence on small groups the almost inevitable outcome of a culture of “Please $DIETY, don’t let me screw this up!”

Leaders and their teams become so averse to anything negative (especially if it’s outside the accepted norms of the team) that the goal of the team slowly and immutably transforms from providing the best security for the organization to a goal of not wanting to be caught screwing anything up. This fear (and that’s what it is) leads teams to fall into the trap of wanting to build systems that are “perfect” and “unhackable” and resisting efforts to design or implement systems that don’t meet these standards.

The natural progression of this fear eventually leads to leaders and teams developing and attitude that is occasionally indistinguishable from despair. You’ll hear or read comments like “Why should I deploy $SecurityTechnology? HD Moore could hack it in 5 minutes. Rsnake could get root and own me 25 ways from Sunday.”

Rarely will the speaker or writer of such comments even seem to evaluate whether or not $SecurityTechnology will actually help the organization as part of a complete security plan. Defeat, as the philosopher said, is complete even before a shot is fired.

What can we do about it?

For the next dozen or so posts I’m going to address these issues head on and provide you with a (potentially) counter-cultural view of your role as a leader and hopefully challenge you to rise the amazing challenges we face today in information security.

The light you see coming at you – it’s not a train. Trust me.

What are your leadership goals for 2010? Share you challenges and successes in the comments…

If you were asked to throw a few million dollars out the window, would you do it?

If yes, let me know where and when – I’ll happily wait outside with my catcher’s mitt. More likely, the quick answer to this question is a resounding “NO”. Few circumstances would lead someone to literally throw millions of dollars out the window, down the drain, etc. Not a million dollars, not in a million years.

What about companies that, effectively, waste millions of dollars trying to implement identity management?

The sad reality is that many organizations trying to implement identity management do just that – waste big money – on the wrong technology, or even on the right technology that sits idle because it can’t be used as designed. Worse, some organizations look to even more technology to “fix the shortcomings” of their selected product. The end result is the identity management version of Frankenstein’s monster.

If you peruse the latest identity management articles from your favorite research company, you’ll find the same discussions over and over:  How do we justify the cost?  Why do so many companies stop at “single sign-on”?  Why do implementations take so long?  Why do implementations get halted mid-effort?  What’s the true benefit of identity management?  What’s the ROI?  You’ll also find the same tired answers – whether in printed form, or at one of the many IAM conferences across the country: IAM saves costs at the help desk. IAM can help with audit. IAM can reduce headcount in your access services department. Companies bite off more than they can chew, ROI takes too long, so they give up.

But what does it all mean?

Are we really doomed to these behemoth infrastructures that sit largely un-used, while we pay off consulting and software bills that often run into the millions (if not tens of millions)?

No, we’re not.

IAM is not a lost cause. It can lead to lower costs, easier audit processes, and a demonstrated postive return on investment (ROI). But it takes time – and discipline. As with many aspects of security, identity management is not about technology – it’s about people and process. The technologies are out there, and getting ever-more mature. But, IAM is NOT a Mac or an iPhone – you don’t just turn it on and it magically works. There is a lot of configuration and even custom development that needs to be done after you install your product suite of choice. Even before that, there is a TON of data cleanup, data modeling, and process design that needs to take place, and that is at the heart of this series:

Identity Management in 13 Easy Steps

Of course, the series title is a bit tongue-in-cheek. There’s nothing particularly easy about identity management. Then again, it’s not rocket science, either. It just takes a little thought and a lot of tedious effort – and did I mention discipline? The focus of this series is all on process and data. In fact, product selection is saved until the very last article. That’s right – if you can keep your instant-gratification urges at bay, I recommend that you don’t even bother buying anything until you’re ready to use it. Why spend all that money on a fancy technology if it’s going to sit there, idle, while you beat your head against the wall trying to clean up the data and processes that it needs to function?

An identity management implementation will only be as good as the data and processes feeding it, and that’s the problem many companies face today – most organizations buy a product and figure out after the fact that they have a ton of work to do to make it function. As a result, there is such a lag between the time of purchase and the time of ROI, most management teams lose patience and halt the effort. If you pave the way to implementation by first cleaning house, when you implement the technology its benefit will be seen quickly, which will encourage management to keep it going and try more.

There’s another critical aspect to this approach: gaining the needed experience to properly document requirements. Identity management is extremely complex. No one can just walk in and “get it” in one sitting. Even if the high-level concepts seem obvious, you have to live with the dirty details for a while to really understand the needs of your particular situation. The better that understanding, the better the requirements. The better the requirements, the better the product selection. Choose the right product, and you avoid tossing millions out the window.

Are you ready for this journey?  If so, let’s get started. Here is the series I have planned – one article per month. This may not seem like much, but unless your implementation will have a very small user base, it will take longer than a month to execute most of these steps anyway. Of course, the series may change along the way – I’m already concerned about the volume of information I’m trying to fit into some of the articles. I may find as we go that a few of these topics will require multi-part articles. We’ll deal with that when it arises.

For now, here’s the intended schedule:

December 2009: Identity Management 101 – an overview of the different components of an IAM suite, to make sure we’re all on the same page and speaking the same language.

January 2010: Identifying Systems Integrations – not all systems will integrate (directly or indirectly) with IAM. Determine which ones will feed the priority list for the data cleanups and process work.

February 2010: Data Cleanup Part 1 – before your identity management system can work, it needs to be populated with all userIDs, and those IDs have to be clean. The first cleanup is focused on the primary IDs such as AD/LDAP and other key systems.

March 2010: Data Cleanup Part 2 – a key benefit of identity management is the ability to link userIDs in multiple formats from a variety of systems to the user’s primary record. The second cleanup focuses on identifying which IDs belong to which users in preparation for proper linking.

April 2010: Preparing for Password Self-Service – password self-service is a key cost savings of IAM, but it’s harder than you might think. This article will help you prepare your policies and your users for the technology to come.

May 2010: HR as a Source of Record – the HR system is a primary source of record for employees. It can also be one of the primary sources of errors and limitations for identity management. This article will explain the issues that most companies experience when interfacing with HR technologies (and departments).

June 2010: Role- and Rule-Basing – in order for auto-provisioning and -deprovisioning to work, the roles and rules need to be defined. This article will teach you how to avoid turning this effort into a rat’s nest.

July 2010: Role Hierarchies – workflows cannot be enabled without proper approval processes. But approvers aren’t always line managers. This article describes the various role hierarchies that should be established, and the synergies that can be achieved between identity management and other sources of record (e.g., financial systems).

August 2010: Workflows – workflows are the key to automating many processes. This article discusses the considerations in setting up workflows to ensure that they function effectively.

September 2010: Termination and Transfer Gotchas – terminations and transfers are key control activities that are of great interest to auditors. Getting this right in identity management will save everyone a lot of work. Getting it wrong can be disastrous. Learn the pitfalls in this article.

October 2010: Password Self-Service – whereas the April article deals with the foundational aspects of password self-service, this article deals more with the implementation aspects: how to select challenge questions that make sense, exposing PSS outside of the corporate network, etc.

November 2010: Effective Business Cases – now that your house is in order and you have almost a year’s experience with your organization’s circumstances, it’s time to build a business case to buy a product. This article explores a number of value-added functions of identity management that will intrigue your management and encourage them to allocate budget.

December 2010: Requirements and Product Selection – you’ve cleaned your data, defined your processes, and secured a budget. It’s finally time to pick a product. This article will help you document and prioritize detailed requirements based on a year’s experience in the trenches, so that you can make the best product decision possible.

by Dennis Kuntz

Most people like attention. Just like we did when we were kids, to get that attention we sometimes engage in good behavior and sometimes in bad behavior. As a parent I know that a sound approach is to focus on and reward the good behavior, while not giving the attention sought via the bad behavior.

A perspective among some information security practitioners seems to have emerged: This industry is mean to newcomers. People I respect – though admittedly only through my exposure to them via Twitter and some subsequent blog reading – have recently lamented the current state of the information security community vis-a-vis its collective attitude toward newcomers and those who legitimately want to learn.

One from Rafal Los goes so far as to say that “Infosec is Rotten”, and elaborates from there. The other, from Dave Shackleford, is less strident but offers a similar stance (and offers a lot of practical advice for those new to information security practice, by the way). Their main points are:

1. There are cliques within the established information security community

2. Members of those cliques seek to humiliate those asking certain questions – especially when those asking identify themselves as “new” to information security

3. As a whole, the information security field is not “welcoming, or mentoring, or open-minded about new people coming in.”

Based on my own experience, I’ve seen what they’re talking about when reading responses to blog comments, on social media outlets, and in forums, etc. I have wondered about it myself: What motivates it? How pervasive is it? How much of an impact does it have on those trying to enter the industry?

It has intrigued (but not surprised) me that a group whose genesis (it could be argued) stems from being socially outcast would naturally create socially-oriented subgroups that outcast others: Narcissistic exclusivity happens.

However, I don’t think it’s as widespread as some make it out to be. There may even be a more powerful trend of good people reaching out to assist others. Either that, or at least the positive influences in information security deserve an equal – or greater – due as do any negative cliques.

When I have had questions or needed a boost, there have been positive voices willing to reach out and lend a hand. And they have never asked me whether I am seasoned, green, or somewhere in-between.

From Michael Santarcangelo (@catalyst on Twitter) who has had nothing but guidance and help to offer, to Jamie Levy (@gleeda) who has helped me – pleasantly – with questions ranging from general forensics to troubled PyFlag installations; from Rob Fuller (@mubix) who has offered assistance with Offensive Security training, to H.D. Moore (@hdmoore) offering his thoughts on VM’s “endian-ness”.

The resumes of the names I have listed are impressive – these are not information security lightweights. And the exciting part is that these are only some of the people who routinely help others – I couldn’t begin to name all of the ones from whom I’ve had helpful, generous contact.

The good elements of information security are there, and they are active. Maybe we need to do a better job of seeking them out, engaging them, listening to and amplifying their efforts. Certainly their knowledge should be absorbed, and their l33tness bowed down to, but just as importantly, their generosity should be acknowledged and they should be thanked. Giving more public props to and highlighting the efforts of those who are doing The Right Thing will help to steer those impressionable newcomers in the right direction. We should also individually strive to emulate these people. This will put the attention and focus on what – and who – is more productive and better represents what we think our industry should be like. Ultimately this will be better for all of us.

(A note: yes, everyone I mentioned is on Twitter; that’s where I’ve “met” more information security people than anywhere else. I’ve met some in person and even become friends with some. And it’s a good place to interact with and learn from them).

As we continue to discuss the Basic Truths of Incident Response Leadership, we’ve briefly gone over the three Basic Truths as well as done a deeper analysis of  “Succeeding By Planning to Fail”. This brings us to:

Basic Truth #2: Have A Workable Plan, or Else

As an Incident Response Leader, one of the most valuable parts of your role is to create, test, exercise, and (when called upon) execute Incident Response Plans (IRPs).  IRPs run the gamut from a Post-It note on the wall listing contact phone numbers, to plans that take up several 3-ring binders on a shelf somewhere.  Plans can be long or short, detailed or vague, paper or electronic, automated or manual…you get the picture.  What makes a good plan different from a not-so-good plan can be summed up in a few ways.

First, can you execute the plan using only the resources that you legitimately would have access to during the incident?  We’ve all seen plans that call for using network analyzers that aren’t accessible to the organization or that call for numbers of personnel that just don’t exist.  You may have written plans that assume that the responding team has skills and experience that your current team just doesn’t have (I have).  The key is to map out the current skills and capabilities of your team and employ them as best you can to meet the anticipated incident.

As you identify resources available to you, it pays to be creative.  Can other teams identify folks who could temporarily be available during an incident (think of it as an in-house “volunteer fire department”)?  Do you have relationships with designated outside incident response consultants? Do you have relationships with local, state, or federal law enforcement?  In today’s business environment, Incident Response Leaders need to be creative in identifying resources that can assist during a response cycle.

Second, you have to test the plan.  This sounds so intuitive, but many plans never get past the written-down stage before they are needed in an incident, because no leader stepped in to ensure that the plan would work as designed.  One of the most effective testing plans for an IRP is also the least expensive – the simple “Talk Through”, where all of the designated players sit at a conference table (pizza is optional, but highly recommended) and talk through the plan, noting any foreseen problems or issues.  The team needs to be encouraged to not only point out potential problems, but brainstorm solutions they can implement as-is since (as we talked about in Basic Truth #1) you can only plan on the resources you have, not the resources you want to have.

Plan testing needs to be redone each and every time the plan is modified, or at some regular interval (at least annually).  Testing can be announced or (my personal favorite) unannounced.  The time spent testing can help the Incident Response Leader assess not only the plan, but the team assigned to execute it.  The feedback loop should encompass applications, hardware, processes and procedures, as well as people.  Everything is fair game.

Lastly, you need to continually exercise your plan.  This, while not as intuitive as testing, is something that many organizations fail to do, claiming “it’s too hard” or “it’s too disruptive” or “it’s already been tested, why should I do an exercise?”  Having performed incident response on plans that have been exercised and plans that have not, I can tell you with complete assurance that plans that have been exercised are executed more smoothly, with fewer problems and a better resolution.

Exercises can range from a talk-through (similar to testing but without the constant feedback loop) to a full-on exercise using live equipment.  Talk-through exercises can help in quickly familiarizing a team with a new (or newly updated) plan.  Talk-through work will also quickly point out assumptions that, while seemingly accurate in testing, don’t fit the way the incident response team works.  All other things being equal, I believe that talk-through exercises offer the highest return for time spent in any aspect of prepping for a incident.

Full-on exercises, as powerful and complete as they are, can be very hard to accomplish.  Most organizations cannot fully replicate their production systems (even using virtual machines).  These exercises, when they can be done at all, are usually done in development or test environments and generate most of their value by allowing teams to actually assess and interpret adversary actions and data.  These exercises are an Incident Response Leader’s best chance to simulate the stress and activity of a real incident.

Taking all of this into account, it’s clear that the Incident Response Leader must be able to create, test, and exercise an IRP to be able to effectively respond during the inevitable incident.  By creating plans designed around available resources, qualifying the plans with testing, and regularly exercising the plan, you can ensure that you and your organization will be ready when the inevitable incident occurs.

But it’s not over yet. Once you’ve gotten this far you still have one vital task to accomplish.  We’ll cover that in the last article on the Basic Truths of Incident Response Leadership.

A friend of mine recently had a very Dilbertesque experience at work.  The company my friend works for has been acquired twice in the last three years and all of the dust seemed to be settling.  Sort of…

Locally there were four offices under the corporate umbrella, each a legacy of the acquisitions that had occurred over the last several years.  The parent company decided to consolidate three of the offices and scale down the most remote office by moving some of the staff from that office to the new centralized office.  This was reasonable, and most of the staff saw this as a good business move.  Most of those who did not see it as a good move were from the remote office and would have to drive farther to get to work.

Planning for the move had gone on for a couple of months and was finalized about two weeks before the actual move date.  The new seating chart was printed, offices were assigned, and additional requests were made.  Here is where we take a turn for the weird:

Treating your people like they are worthless: Elimination of a position announced through the new seating chart.

One of my friend’s coworkers found out by looking at the seating chart that he was not going to have a job in two weeks.  Rather than approach this individual before the release of the seating chart, the office manager chose to let things work themselves out a la “Office Space”.  Fortunately, the Milton in this case chose not to resolve the issue with fire but by talking with HR, but this left a bad taste in a lot of people’s  mouths.

Generate a menial or pointless task.

Actually, this one is a little worse than pointless, it is counterproductive.  Time tracking is a part of a lot of people’s workdays. I did it every day when I worked as a consultant, so that we could bill customers for my activities.  This is not a diatribe against time tracking; however, my friend was asked not just to start tracking time, but to go back to the beginning of the year and track all of the time since January 1.  The company wanted real data for that entire time.  Do you remember how you spent your day in fifteen minute increments 6 months ago? 6 weeks ago?  6 days ago?  As a group, the team that was asked to do this questioned the logic behind generating data that would contain a lot of errors and inaccuracy that would then be the basis of the next three years of projections.  They were told, effectively, not to worry about it and that the data analysis team would take care of it.  To me, dear reader, that is like saying, “Create firewall logs for the last 9 months that we can then use as the basis for the upgrade of the existing firewall and Internet connection, even though you only put in the logging system this week.”  Yes, you will have a smaller set of data to work off of but it will be more accurate, and your people will feel better about their work.

So what can you do to avoid putting yourself or your coworkers in such a situation – aside from not working where my friend works?  Treat your coworkers with respect and dignity. If you know of something that is going to have a direct impact on their lives, they need to be made aware of the upcoming change in as timely a manner as possible.  If you are implementing a new system that employees are going to be using, get their feedback and review what they have to say.  Don’t make decisions in a vaccum. If it impacts people, get their input.  Running a business depends on the people that work there; if they don’t feel valued, then the business won’t be valued.

My career has now spanned almost 12 years, and it still amazes me how so many managers and executives consistently make bad decisions and then are surprised by the results.  As the economy has gone bad, you’d think that people would be a little more judicious about how they spend the small budget they have remaining, but that’s turning out not to be the case.  Surprisingly, I think the vehemence with which we’re shooting ourselves in the foot has increased as the budgets have shrunk.  Now that the economy has bottomed out and is (supposedly) on the rebound, is there any chance of changing some of the behaviors before the upswing takes hold?

Let me ask you a different question: If you lived in Chicago and your house needed a new roof, would you just go out and buy the one recommended by your buddy out in San Francisco, because he’s thrilled with his new roof?  Hopefully, the answer to this is no.  You may take a look at it, but I’d hope that you would confirm that the structural integrity is insufficient for the added wind, cold, and snow weight that Chicago roofs experience.  Once selected, would you allow the contractor to cut corners on your roof installation just to make a specific deadline?  Is a permanently leaky roof worth a couple of weeks?

If you wouldn’t blindly purchase something for your own home based solely on the recommendation of a friend, why would you purchase a product for your company based on the recommendation from a vendor, a colleague in another industry, or a conversation on the golf course?  How can you justify the potential risk?  What happens to your reputation when the product in question doesn’t perform as expected?  Where does the budget come from if you end up having to replace the entire thing?

When budgets are tight, there are better things to purchase with what little you have than bullets for your foot, and there are three very simple rules that can keep your munitions purchases at bay:

1. Don’t ‘ decide’ on a due date, calculate it.  Implementations take time and resources.  As much as you might want something in production by the end of the quarter, it might not be possible to do in a reasonable way.  Before committing to a date that’s just not feasible, spend a little time to determine the effort involved and lead-times for any purchases/installations that may need to be made, and to assess the availability of the resources required.  Then calculate a plausible due date based on the reality of the work effort and be sure to document the consequences of cutting corners, should that still be desired.  Sure, there will be instances when time is of the essence, but those are not as frequent as most people think.  When you consider long-term support costs and the massive adjustments that are usually needed to make a quickly installed product work, the calculated ROI is rarely met, and the costs to reputation and morale are higher than many would like to admit.
2. Don’t ‘make up’ budget numbers, calculate them.  We all instinctively have assumptions about how much something should cost.  Some of us are better than others at guesstimating accurately.  Most of us underestimate – significantly!  So before publishing a number that just doesn’t make sense, do the math.  There’s truly nothing to be gained by setting the expectation that the desired work can be done for half the actual cost.  If the true cost is prohibitive, then the negotiations need to start, and the consequences should be documented and accepted for each item cut.  But if you’ve dug yourself a hole before the negotiations have even started, you’re in for a world of hurt.
3. Don’t fit your problems to a pre-determined solution, pick a solution that fits your problem.  No matter how nice the vendor is or how much you value your golf buddy’s opinion, the product they’re pushing may not be the right one for your company.  The only way to know for sure is to gather requirements first, based on the actual needs, desires, and roadblocks currently being faced by your company.  Then you can assess whether the desired product fits the bill.  If it doesn’t, don’t buy it!  If nothing fits the bill, pick the best option, or consider waiting for future developments.  In any case, be sure to document the trade-offs, and get agreement that they’re acceptable.

Simple, right?   But if we were all doing this, I wouldn’t be writing about it.  The problem is that it has become acceptable to ignore the rules, and anyone who doesn’t follow suit is viewed negatively.  The real challenge is for each of us to take the personal responsibility to follow the rules, regardless of our position in the company.  Only then will we change the expectation and make it unacceptable to ignore the rules.