Recently in Managing the Human Dimension Category

A poem for Christmas and New Year


Every year Alan Stockey, a well known London banking security professional, sends me a Christmas poem with a security theme. It's a little late for Christmas Day, but then so is the snow. 

Day Zero, Day Zero, Day Zero!

Network traffic outside is frightful
But the firewall's so insightful
Check the patches are all just so
Call CISO, Call CISO, Call CISO!

DDOS doesn't show signs of stoppin'
Hope the firewall keeps on blockin'
Websites have all gone slow
Day Zero, Day Zero, Day Zero!

When we finally see daylight
They've hit so many ports in the storm
Saving others from similar plight
There'll be others that you can now warn

But if the firewall's slowly dying
Not sure what you'll next be buying?
Just as long as you keep the code
Buy Escrow, Buy Escrow, Buy Escrow!


From a performance perspective I'd suggest a concert pitch of F for ease of singing. Try to get a bit of a swing feel to avoid annoying the neighbours.


Media Trends in Cyber Security


I'm now back blogging after an extended break of several weeks. Unsurprisingly, nothing much has changed in the world of cyber security, except for the media coverage, which has grown in quantity, scope and sophistication.

This trend is clear from the number of daily emails churned out by specialist briefing services, such as Team Cymru's excellent Dragon News Bytes, which seems to have at least doubled in size over the past year. It's also quite apparent that the subjects addressed are now much more sophisticated, encompassing cryptic threats such as State-sponsored espionage, as well as abstract risks such as intellectual property rights. Such coverage would have been unthinkable a decade ago.

But it's not unexpected. In fact it's quite predictable, as press, politicians and pundits gradually catch up with long-lasting, subtle trends that are becoming increasingly apparent to a much wider audience. Esoteric subjects such as espionage, operating system vulnerabilities and cryptography are now regularly discussed in newspaper columns. The Internet probably publishes more classified government secrets than can be found in any intelligence agency synopsis.

So what are the trends that are currently catching the imagination of the media? Here's three to kick off with.

Firstly there have been a number of high-profile catastrophes. For the purposes of this posting, by "catastrophe" I don't mean regular disasters such as fires or floods - though they can cause massive damage. And I don't mean "hacking", which is both unrelenting and damaging. What I'm really getting at are the digital glitches caused by inadequate software testing or bad change management. The sort of things we generally consider "cock-ups" rather than "conspiracies", if you get my meaning.

Secondly there's the gradual realisation by military observers that cyber warfare is very, very important, though few people have any idea what it's really about. Let me rephrase that: I mean lots of people can easily articulate the problem space, but few people understand the underlying root causes or the changes needed to correct them. Hardly a day goes by without a government agency or lobbyist calling for more research and development, regardless of the thin results that have emerged from previous decades of academic and industry studies.

And thirdly there's the growing speculation that China is becoming a little too dominant in the cyber security field. Whether it's the absolute control of the routing technology or the perceived level of offensive capability, many people seem concerned. This is rather interesting, as the cyber battle space appears (at least to me) to be a relatively level playing field, characterised by a handful of bright individuals drawing on a relatively similar set of tools and techniques. It's certainly not an arms race of the kind we have experienced in the nuclear space. Nevertheless there are lots of reporters and TV producers exploring this area and even a few conferences dedicated exclusively to this subject. (Who can justify attending those?)  

Over the next few blogs I'll explore some of these trends and suggest what the longer term implications - as opposed to the short term media interest - might be. Many people in business focused roles might wonder what on earth the relevance might be to their everyday programmes, but, believe me, press coverage and the resultant citizen perception have vastly more influence on employee behaviour than industrial strength awareness campaigns. 


Impressions from the East


I'm just back from a week in the Far East where I was opening the 13th Info-Security Project Conference in Hong Kong. It's a couple of years since I last spoke at this conference, so it was interesting to observe the trends and progress in the region.

This year's conference was longer and well attended. Key themes included infrastructure, consumerization and mobility. There's no doubt that bring-your-own-device is this year's hot topic though it's been creeping up for a while. Cloud security is also a hot topic.

I left with an impression that this region is learning fast. Discussions with local security managers revealed a high level of maturity, as well as a healthy degree of openness to new ideas and change. Unlike the US and Europe, compliance has yet to blunt the enthusiasm of security managers.  

Of course there's little new under the sun. You see the same techniques and technologies in action, but often with a regional twist. One leading company I spoke to, for example, had implemented risk assessment with anonymous voting, rather than open discussion, to avoid staff being unduly influenced by the views of their bosses.

The thing I found most fascinating, however, was observing how networking varies around the world. In the US, breakfast meetings work best. In London it's dinner or perhaps after-work drinks. But Hong Kong remains one of the last bastions of the business lunch.

Death by a thousand facts


Death by a thousand facts is the title of a recently published academic paper by Geordie Stewart and me. It sets out to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.

Awareness programmes should not simply broadcast facts to an audience in the hope that behaviour might improve. They can be substantially improved with a little analysis and an understanding of the learning points from more mature fields such as safety.  

It's an excellent paper though I have to admit it's largely Geordie's work. He has an excellent knowledge of the application of psychology to analyse and solve security problems in industry. Unfortunately you have to buy it to read it.  


Trust and Society


I used to think that Bruce Schneier was out of touch with industry CISOs, but now I think that they are out of touch with him. He's come on tremendously in recent years. I saw him present to the United Nations last year and he was awesome, reflecting a lot of research and deep thinking about important issues such as trust, risk, surveillance and cyber warfare.  

I shall be ordering a copy of his new book "Liars and Outliers". It's about trust, a subject I find both relevant and fascinating. Trust is a phenomenon that few security researchers seem to understand. The problem is that it's a means to an end, and makes little sense when studied in isolation from its purpose.

The nature of trust is also changing as we move from an industrial-age dominated business landscape to the information age. I find this paradigm shift is neatly captured by two Russian proverbs. The first, ascribed to both Stalin and Lenin, is "Trust is good, control is better", which encapsulates industrial-age thinking for vertically integrated enterprises and societies. The second, made famous by Ronald Reagan, is "Trust, but verify", which reflects our best endeavours for managing situations in a modern, diverse supply chain that is increasingly beyond our direct control.


Communicating information quickly and efficiently


Information security practitioners have long been poor at developing awareness materials. Partly this is because misguided governance systems focus on legalistic policies and procedures that no one ever reads. (When was the last time you read an instruction manual?) It's also because security professionals are not trained in the art of designing effective communications materials. We need to tackle both of these weaknesses.

Unfortunately, the growing wave of regulatory compliance means that there is little prospect of the governance side being improved, as established security standards are rooted in an outdated, paper-based, quality model, designed more for churning out identical widgets rather than inspiring people to safeguard intellectual assets.  

Progress with the human aspects is likely to show more promise. At least the problem is recognised, though the interventions leave much to be desired. (The UK strategy appears to be to leave everything to a single underfunded web site, Get Safe Online.)

On the bright side, however, more and more academic courses are including human factor considerations. It's a big subject and expertise is thin on the ground. Lessons can however be learnt from other fields. Safety is one. A good place to start is to study the art of designing road signs. The BBC News website has an interesting feature on this, which makes some excellent points.

It also raises the obvious question of why we don't have universally recognised warning signs for information security risks. Now that would be a good idea, though it's unlikely to be taken up by a community that believes that hundreds of pages of policy guidance are the answer.  

Postscript:

Many thanks to Andrew Yeomans for pointing out there is an excellent example of the use of warning signs in the SPIDER project by Pete Burnap, Jeremy Hilton and Anas Tawileh.


Information Security around the World


I spend a good deal of my time travelling around the world giving lectures and helping companies with consultancy. Last week I was in Amsterdam, the week before in Norway, and tomorrow I'm off to sunny Cyprus.

It's refreshing to interact with security professionals in other regions, as there are marked differences in attitudes, interests and priorities. There are many reasons for this, such as the influence of culture, economic outlook and the level of security maturity.

Local culture influences the level of understanding of human factors, as well as the nature of trust and loyalty. Economic outlook shapes business priorities and budgets. And the level of security maturity, amongst other things, determines the vintage of the available solutions.

Innovation and openness to new ideas also vary tremendously. London, for example, is a classic example of a well-organised information security community paralysed by Groupthink. There is too much socialising and job rotation to allow room for free thinking. I regularly raise eyebrows by challenging existing assumptions. In contrast, new thoughts and solutions are welcomed in continental countries that enjoy debate and tolerate mavericks. Travel further east, however, and a herd mentality begins to set in, though for a different set of reasons.

Security technology has always been popular in the US and the Far East, much less so in Europe. Continental Europe prefers to focus on people and processes. The UK is the home of bureaucracy and exports it aggressively. ISO 27000 is popular in Commonwealth countries but is frequently despised outside. Unfortunately, it is beginning to catch on in cultures where staff pay little attention to policies and procedures.

Wherever you go, however, it's compliance that's the primary driver for security. Paperwork has assumed centre stage, as it ticks all the boxes and can be copied and implemented at little cost. In contrast, real security can only be achieved by careful attention to people and thoughtful use of technology. The most important asset for the future, however, is smart improvisation and innovation, and unfortunately that's thin on the ground across all corners of the globe.

Who influences security?


I was contacted last week by a company that specialises in harnessing influence. They claimed to be working for a top IT security solutions vendor and had identified me as a key "influencer" in the UK. They wanted me to answer a set of questions but refused to say who the client was and offered no references or incentives. Not surprisingly I turned them down - another case of the Cobbler's Children, where the influence peddlers are themselves lacking in influence.

But it set me thinking about who actually sets the agenda for security in today's world. It's an interesting question, because the answers are not immediately obvious. Certainly the influence is not where you might expect it to be.

Analysts such as Gartner and Forrester have our ears, but they operate by repeating back what clients and customers tell them. They are primarily a decision support tool, rather than a decision making one. The same goes for consultants, who are essentially overpriced sounding boards.

Academics could be highly influential but today's crop is short on ideas and prefers to ape the not-so-best practices of industry. Some new university courses are now focusing more on universal business skills, such as how to present a business case, rather than real security competences, such as how to secure an infrastructure.

Regulators are in a perfect position to set the agenda but they cannot be seen to be tilting the playing field, so they usually end up falling back on bland principles and universally agreed standards. You get the occasional exception, such as PCI DSS, but it's generally the result of a standard developed by experts rather than regulators.

Vendors should be setting the scene, but innovative technologists are very much in the minority, and most established firms are run by commercial managers seeking to squeeze every last penny from their cash cows. Meanwhile their PR companies dish out bland press releases which few people read as they are primarily designed to stroke the egos of their masters.

That leaves governments and journalists. The former are a mixed bag of politicians who pursue fame and publicity, supported by civil servants who prefer consensus. The latter are also divided, into loyal scribes who support their sponsors and trouble makers who are looking for a good story.

So it's no surprise to find politicians and bloggers featuring strongly in SYS-CON's list of the "Most Powerful Voices in Security". The top three are Darrell Issa, US Representative for California's 49th congressional district, William Lynn III, Deputy Secretary of Defense, and Bruce Schneier. I made it to 51 on the list, though my friends tell me that's because I have a loud voice that's difficult to shut up.  

Reflections on Infosecurity Europe 2011


This week's Infosecurity Europe seemed quieter than usual. It was no surprise of course as it bordered on the Easter holiday. But it was a good event, made enjoyable and interesting by a well-designed exhibition hall and the presence of many top CISOs and security personalities. It's an event that relies far too much, however, on legacy experience rather than innovation. That's not really good enough. In today's fast-moving environment, we should be aiming to stretch the boundaries, rather than repeat well-worn debates.

Certainly the education programme could have been more imaginative. It did not really live up to the theme of "foresight". The acoustics in many of the theatres should also have been much better. But such is the power of the brand and the appeal of the subject area that it was well sponsored and well attended. You could, in fact, learn a lot simply by talking to the people on the stands or in the surrounding avenues and alleyways. As with many exhibitions, the really useful information lurks behind the scenes, rather than being on show. You have to speak to the exhibitors, not just pick up the leaflets and free gifts.

The most worrying trend was the lack of new solutions. Most products or techniques on display were simply variants of long-standing practices. I saw little that was new. It was good, however, to see a greater emphasis on cloud security issues, though much of the debate centred on compliance, rather than security. (See my next posting for a debate on that subject.) Next year should be better, given the range of new technologies that I know are under development. 

The most pleasing trend was the emergence of solutions aimed at small companies. For years the needs of SMEs have been ignored by vendors. Finally we are seeing products that are cheap and easy to use. Qualys has been a pioneer in this space, justifiably picking up the Best SME Security Solution at the SC Awards. This week Sourcefire also announced a lower cost version of their IPS product with a simpler user interface. These companies are smart, as this is a rapidly growing market that has been ignored for far too long.

Qualys has to take the rosette for the best exhibition stand, with plenty of space, expert advice and generous quantities of beer available. Everything was on show, including slick product demonstrations, as well as the opportunity to meet Philippe Courtot, award-winning CEO of the year. Outside the arena, the Portcullis Arms takes the biscuit for continuing to maintain a consistently high standard for networking and entertainment.   

Infosecurity will continue to survive as an established institution. But like all such networks it needs to aim to stay ahead of the herd, rather than following in its wake.    

What keeps you awake at night?


I had an email from Charles Pask yesterday, asking me for my opinion on "What keeps CISOs awake at night?" It's a good question. I thought for a bit and decided that "advanced persistent threat" was the most dangerous threat I could imagine. I was wrong. CISOs are more concerned with personal, immediate and certain problems such as building teams and running projects.

This illustrates two things. Firstly, human behaviour is mainly influenced by things that are personal, immediate and certain. (See my book Managing the Human Factor in Information Security for more on this point.) Secondly, it confirms the first of my laws of information security: The purpose of an information security programme is to cover the backside of the CISO, rather than prevent incidents.  

Perhaps the question should have been "What should keep CISOs awake at night?"

About this Entry

This page contains a single entry by David Lacey published on December 26, 2012 7:42 PM.
