Recently in Governance Issues Category

Compliance is not security but has its place

Several weeks ago an Australian friend of mine sent me a delightful note pointing out how recent events and media reporting had confirmed some controversial points I had made last year in the Australian press.

There is now growing evidence that compliance does not guarantee security, though the reverse can sometimes be true. For many years I have been lecturing on the difference between real security and compliance. Most security professionals instinctively get it. But the distinction is not addressed adequately in training courses or acknowledged by institutes, so the practice remains riddled with misconceptions about the roles and effectiveness of security and compliance.

The reason we have compliance is because people do not willingly spend time or money on security. Business has no appetite for spending money to dodge risks that have yet to materialise. And there is no guaranteed return on investment for security. It's a leap of faith, the type of thing that finance managers hate. Without compliance there would be little or no security in today's more demanding commercial environment.

But a compliance programme cannot make an enterprise secure. On the one hand it's designed to improve matters, so one could argue it's better than nothing. On the other hand it can be counter-productive as it diverts scarce resources from addressing more immediate, specific risks. (This is a debate I regularly have with Professor Fred Piper.) In the absence of a major incident, however, nothing would get done without compliance. So we need it and we would demand it if it was not there.

Compliance can make a difference but it's painfully slow and expensive. The PCI DSS standard comes in for lots of stick. But without it, the level of payment card fraud would be higher. It might not be perfect or efficient but it motivates a lot of security improvement in an area that has traditionally been dangerously open to compromise.

It would be nice to think that good security would guarantee compliance. Unfortunately that's not correct either. Regulators and auditors require a large number of small boxes to be ticked and an unreasonable amount of processes, paperwork and evidence to support security claims. Smart, slick operators do not survive audits. Compliance rewards bureaucratic security managers.  

If you take a look in any leading financial enterprise today you are likely to find hundreds of security professionals being driven by thousands of auditors of varying kinds. Twenty years ago these functions were a tiny fraction of their size today. Yet security has not visibly improved. Ninety percent of the work is focused on developing content-free processes, counting assets, assessing risks, writing policies that go unread, measuring last year's performance or generating evidence that a control is in place. Very little work is focused on implementing real countermeasures.   

Efficient and effective security will only happen following three things. Firstly, a great big incident or liability that scares directors into spending money on countermeasures that actually work. Secondly, an understanding by the security profession of the root causes of incidents and the approaches needed to eliminate them. And thirdly, the recognition that large-scale culture changes are possible if top management is sufficiently motivated.

Some supporting evidence for these claims can be found in the history of industrial safety. In the early part of the last century many production methods were unacceptably dangerous, especially in the United States. It took many decades to drive through change, but by the end of the century safety was transformed and embedded across manufacturing industries. Some of this was driven by compliance but the largest cultural changes were directed by executive boards and shaped by an understanding of the root causes of incidents, the nature of an effective safety culture, and a genuine recognition that safety is everybody's responsibility. In the security profession we are a long, long way from achieving that goal.

Yet another contents list

For the past decade the real enemy of security practitioners has not been the hackers and malware that threaten our systems but the numerous best practices, compliance demands and audit actions that take up all of the time and resources of the security function.

Security standards and frameworks add to the burden of security managers by insisting that evidence of governance, assessments and controls is presented according to a structure laid down by standards authorities, many of whom might have little sharp-end experience.

And so we have the latest distraction: a "Framework for Improving Critical Infrastructure Cybersecurity" published by the National Institute of Standards and Technology, which appears to contain not a single new control, technique or technology, but one that merely restructures existing controls and guidance according to a new contents list.

Anyone who truly understands the rare art of designing models and architecture will appreciate that the top levels of any model are shaped purely for political or cosmetic purposes. They add little real value to the purpose or content of the guidance.

And of course there is an unlimited number of ways of structuring a set of controls. It can be done by lifecycle, process, technology, organisation, etc. Ideally the structure should be based on the purpose of the framework, as it is primarily a means to an end, not an end in itself. Unfortunately this rarely happens.  

The original set of baseline controls designed by Donn Parker in the 1980s contained several different contents lists, reflecting different needs. When drafting the original BS7799 we decided to have a single structure. Having presented over a dozen different structures to the BS7799 team, we all agreed unanimously to base it on "natural subject areas", i.e. the structure most of us had already adopted for our own security manuals.

There's nothing wrong of course in experimenting with new structures. But these should only be accepted when there is clear, added value. Otherwise it's a case, as Eric Morecambe might say, of using all the right words but not necessarily in the right order.

Let's get real about cyber security

This week I was speaking at FIC 2014, a leading French International Conference attended by 3,000 people, including Ministers, privacy experts and leading CSOs. 

It was refreshing, prompted by a valiant theme of "Has cyber security failed". The speakers were reasonably balanced and the audience was informed. They voted two thirds in agreement that it had failed.

It's a major admission of the need for change by governments and regulators. We need radical change and innovation. France has kicked off a debate. Let's hope that all countries pay attention. The consequences are too important to ignore.    

Jericho Forum declares success

It's not often that an institute decides that its mission has been accomplished, declares success and steps down. But that's what the Jericho Forum has done after a decade of evangelising the message of de-perimeterization.

Originally a private club of CISOs meeting to exchange views on security architecture, the forum quickly became a highly influential user/vendor circle of leading international experts, publishing guiding principles and commandments on how to develop secure information systems for an open networked environment.

Ten years ago this was revolutionary thinking. Today it's generally accepted that enterprise systems and data need to be hardened to mitigate the threats presented by shared networks. It's time therefore to move on to new security challenges.

The forum was officially dissolved at a meeting of the Open Group in London on Monday. The founding fathers (myself included) were presented with plaques commemorating our contribution. Fittingly the meeting was hosted at Central Hall Westminster, the location of the first meeting of the United Nations General Assembly in 1946. 

Even more on the History of BS7799

Anthony Freed has now published the final article in his series on the true background of BS7799 on his Tripwire blog. There are real lessons to be learned from these postings. I hope that students of regulatory compliance will take note.

Back to reality

My apologies for radio silence on this blog. It's been due to an exceptionally busy workload coupled with an extended holiday. I'm now back with lots of views about what's going on and what's going wrong with cyber security.

Over the last month I've been concerned about the press coverage about the Snowden case. Privacy advocates and journalists have lauded his efforts, often with little understanding of the consequences to national security. I was surprised for example to read that Bruce Schneier had nailed his colours firmly to the Guardian mast and was advocating large scale whistle blowing.

There are strong arguments from both the security and privacy sides. We clearly need a more informed public debate about both the dangers and the benefits of large-scale communications surveillance. We're now seeing the beginnings of a reaction from senior figures in the intelligence community suggesting that serious damage to national security has been done. Pundits and journalists cannot assess or refute such damage without evidence to the contrary. And there seems to be little if any evidence of government misuse of intercepted data. So who is right? 

I've always taken the view that the security professional should be above the political debate. I care about national security as well as citizen privacy. And society seems equally divided on the importance of both. These requirements need to be carefully balanced. A public debate is well overdue. Unfortunately the Snowden revelations have gone further than is necessary to provoke a debate. And they have not delivered evidence that access to citizen data is being misused. 

One day there might be terrorist groups with access to weapons of mass destruction. When that transpires we will be grateful to agencies that can prevent such attacks through smart data mining. That's not of course to say that controls to prevent potential abuse of intelligence data should be ignored. But continuous releases of details of interception methods and platforms can only serve to undermine the high ground claimed by the whistle blowers.

Security versus privacy - a difficult and uncomfortable balance

I've not bothered to comment so far on the numerous news reports on the NSA's PRISM programme. It's not because I have no views, but simply because it's revealed nothing surprising to the security professional, generated little visible citizen reaction and presented no new issues in ethics or policy.

The ethics of eavesdropping is certainly not a new debate. Back in 1929, Henry Stimson, US Secretary of State and a military hawk who went on to direct the building of the atom bomb, closed down a code-breaking bureau on the grounds that "gentlemen don't read other gentlemen's mail", demonstrating that you can be both a military hawk and a privacy advocate.  

Personally I'm neither an advocate nor a critic of covert eavesdropping. I appreciate both sides of the debate. In my view security and privacy are opposing aims and it's a hard balance to strike. Intelligence agencies are tasked with the goal of acquiring secret information on individuals. In contrast regulators are tasked with a more challenging objective of preserving human rights. Unfortunately in practice this becomes a zero-sum game. You can fully achieve one objective, but not both.  

Civil liberties are important: the rights of individuals to be free from government interference, to be free to associate, to speak freely, and to maintain privacy are fundamental liberties, enshrined in constitutions, charters, covenants and bills of rights going back eight centuries. But national security is also important: the need to identify and combat criminal, espionage or terrorist threats. A balance has to be struck. In practice this will depend on which of these conflicting issues is the most burning one of the moment. But wherever you strike it will be challenged by supporters of both causes.  

Some people are prepared to sacrifice their security for freedom. But not everyone thinks that way. Society is polarised on this issue. I suspect that public opinion follows a normal distribution curve: for every person who is paranoid about privacy, there's probably another one who couldn't care less, and perhaps two or three others who have rather mixed views.

An important and largely overlooked need is to educate and consult the public before laws and policies are developed. This is a fundamental flaw in most countries. Security professionals can certainly help to educate laypersons. I've tried it. Several years ago I served as a technical adviser to the Royal Society's "Science in Society" programme, which consulted a cross-section of UK society on their views on this subject. One thing that struck me then was the high level of trust that people place in government agencies to safeguard their interests. More informed experts might disagree. And citizen opinions change over time and across generations. But, if put to a vote, I doubt that privacy would win the day.

For more than ten years I've been predicting that privacy will lose the argument. The reason is simple: there aren't enough sponsors, lobbyists and supporters of privacy to capture the imagination of the public or overturn the combined interests of the law enforcement, defence and intelligence communities. Our only realistic hope therefore is that our politicians and leaders of public sector agencies adopt responsible practices and behaviours.   

But don't forget that the everyday decisions of ordinary security managers can also have an impact on the civil liberties of employees and customers. Security technologies can block or intercept information, and detect and report inappropriate behaviour. Decisions of how to configure these filters should certainly not be left in the hands of individual administrators. They should be developed through a responsible and informed process including all stakeholders. 

Information security for non-technical managers

It's surprisingly hard to find good quality guidance for business managers on information security, and even harder to find material that is free. Far too much essential reference material is priced beyond the budgets of small enterprises or individuals.

I was delighted therefore to hear that Eduardo Gelbstein has published a free book "Information security for non-technical managers".

For those of you who don't know Ed, he's a highly experienced CIO, former Director of the United Nations International Computing Centre and a fountain of streetwise knowledge on IT Governance. Ed has a good grasp of how to bridge the gap between management theory and business reality.

The book is a good overview of the subject for business managers, IT staff or auditors. It also very kindly references my Wiley book "Managing the Human Factor in Information Security".

Where next for the enterprising CISO?

The sizzling summer in Surrey (UK) has slowed my writing, though the cyber security market is equally hot, with many fresh initiatives emerging. Your own perspective will no doubt vary of course, depending on whether you're an investment bank, an energy company or a government agency. Personally, I work across all sectors so I'm interested in observing any relevant trends.

Such diversity of interest is to be expected of course as the problem space in cyber security progressively develops. The risk profiles and drivers of individual market sectors have in fact always been very different, though the desired solutions have seemed very similar, which tends to encourage a herd mentality.

But the business drivers are the key trends to watch. Banking, for example, is focused primarily on compliance. Energy is (or should be) focused on insecure SCADA systems. And government agencies should now be paranoid about the theft of their secrets. These are the hot topics. They are very different concerns. The priorities and fixes are not quite the same though the vocabulary and articulation of the problem space are coalescing.

The answer to senior management demands for better security used to be to conduct a risk assessment, carry out a gap analysis, or develop a remedial programme. But these days just about everyone has already been there and done that so we're now contemplating the next level of maturity. What does that look like?   

The answer is that it's quite different from the guidance you might find in ISO and similar standards. Concepts such as Carnegie Mellon style maturity frameworks simply don't deliver. Paperwork, metrics and targets don't make things better. They were always a theory rather than a proven practice. Real progress now depends on short or medium term indications of improvement, such as stemming data breaches and intrusions.

Achieving this is hard. Make no mistake. It means taking sensitive data and unnecessary users off the network. It means raising the bar on systems development standards. And it means ramping up the resources assigned to network and audit trail monitoring. These are unpalatable business decisions. So what's the answer?

It's quite simple in fact. We need to start with an early investment in secure development (or procurement) processes because, like it or not, that takes the longest time to deliver. We need to then switch to network security architecture and monitoring because that's the key to short term fixes that can stop or detect an intrusion.

Finally we need to develop the security practitioner skills needed to respond to a major incident, because that's our saving grace. Whether or not we prevent incidents the key thing that impresses management is how we behave when the spotlight shines on our function.

Unfortunately you won't get advice on this from reading standards or following compliance processes. Smart CISOs need to avoid being seen to be deficient on compliance, but they should major on real security management improvements that deliver true business value. 

Whither Cyber Security

I'm back blogging after a lengthy break due to extensive writing and consultancy commitments. Nothing much has changed in the cyber security sphere during that time apart from a very slight broadening of public concern as citizens became a little more aware that their information systems are vulnerable to hacking and that some governments seem keen to do it. This concern has yet to compel the average citizen or business manager to change their cyber behaviour, but the press has certainly become more preoccupied with cyber security. Throughout June we've been swamped with newspaper and TV reports about allegations of US, UK and Chinese cyber espionage, not to mention a steady trickle of data breaches.

Does anyone actually care enough to try and fix the problems? Not really, though we can begin to detect the start of a long public debate on what precisely should be done and who should do it. But it will take a long time to educate everyone, and even longer for them to care enough to respond to the challenge. The UK Government thinks the answer is to advise executive boards to take ownership and implement a risk management process. Perhaps they don't realise that most Fortune 500 companies did this years ago but it didn't make a blind bit of difference: they still got hacked.

To stop advanced threats we need advanced countermeasures, not corporate governance systems. Unfortunately these measures are beyond the demands of current accepted practice and regulatory compliance standards. We will need some new thinking and a major change in perception to change the existing order. One might expect the fact that intelligence agencies, criminal groups and activists are able to wander at will through our databases to be scandalous enough to compel citizens to demand solutions. But people only respond to threats that are personal, immediate and certain. And an outside risk of an obscure foreign power stealing information doesn't quite pass the criteria.

There's an even bigger barrier however, and that's the question of precisely what to do about the threat of a professional attack. In practice organisations have four realistic options.

The first option is to ignore the danger, i.e. to rate it as an insignificant risk. And many do. After all if a major intrusion hasn't happened in the last ten years, it's not an unreasonable judgement for a manager to expect it not to strike in the near future. And you won't get sacked for getting it wrong as long as you documented your reasoning.

The second option is to implement a security management system. It won't stop any sophisticated attacks but it's cheap to put in place and it will satisfy the auditors and lawyers.    

The third option is to take critical or valuable assets off the network. It's an effective solution but nobody wants to do it; even when they should. A decision of this type is far above everyone's pay grade. It's an action that could well get you sacked.  

The fourth choice is to invest in a small army of monitoring staff, equipped with an arsenal of state-of-the-art security technology. It's practical though expensive. But it's the smartest approach for any enterprise that's serious about security. Unfortunately you can only justify such an option in the wake of a major incident. 

The biggest challenge to justifying an adequate set of measures is that the major driver of corporate spending on security, regulatory compliance, lags too far behind the technology and security curves. We can satisfy auditors by assigning responsibilities and formalising procedures, but these actions will not stop an advanced persistent threat (APT) in its tracks. To combat an APT we need stringent monitoring tools, specialist technical skills and a professional secure operations centre equipped with experienced security staff.

We can prevent and stop known forms of professional attack. That should be today's baseline. But it's not. Much harder is to anticipate and prevent new forms of APT. That demands fresh research and ambitious solutions that stretch beyond our current academic efforts, too many of which are obsessed with breaking today's products rather than building tomorrow's solutions. It's not difficult to do, but it requires a transformation in security philosophy and techniques, because our current model of security management based on industrial age quality management concepts is no longer fit for purpose.

There are some excellent new ideas however lurking in the wings waiting to take centre stage. If we can ditch our legacy baggage and start to experiment with new technologies then we might be on to something. Malware detection software, for example, is progressively decreasing in effectiveness yet still deployed. There are superior modern solutions that have yet to catch on. Check out Cipher's approach for example. But such technologies are just scratching the surface of what could be conceived with a touch of imagination and a basic understanding of the underpinning drivers of the information age.     

To get there we need a modern, forward looking vision that specifically addresses the new challenges of scale, diversity, volatility and complexity. My view is that we should look to nature for such solutions. The human body for example is an excellent model of simplicity and sophistication in defensive techniques. The immune system exhibits scale, detail, richness and evolution. At the turn of the century I sponsored an ambitious project to develop a model of the human immune system for fraud detection. My researchers developed a prototype which worked, though it was too clunky for prime time application. Typically, the research funds ran out before we could refine the technique. And as usual the software and learning points were lost in time. 

Many visionary projects end up this way. It's the innovation we urgently need to build the solutions of tomorrow. But who will sponsor the journey from blue sky thinking to everyday product deployment? It won't come from industry and it's not yet coming from academia or government.

We need two things to make this work. First we need a creative environment, something like the equivalent of an MIT Media Lab for security. Nicholas Negroponte's brainchild has been highly successful for new technologies. But it's not fast enough. It's taken almost two decades for ideas such as electronic paper, 3D printers and wearable technology to emerge as viable products.

So the second condition is that we need a commitment to investment in product development. We can't wait two decades for venture capitalists to develop emerging ideas. It's a challenge that's now far too important and way too ambitious to be left to market forces. Is anyone listening? I hope so though I doubt it.  

About this Entry

This page contains a single entry by David Lacey published on April 4, 2014 5:17 PM.
