
Ten Habits of Highly Effective Information Security Leaders

(This is a re-post of the original article, which appeared on a previous iteration of bmonday.com in 2009)

I have been doing a lot of thinking lately given the state of the economy and some of the discussions I've had with many of my colleagues. What I've come to realize is that I have taken a different approach than many of my colleagues when it comes to leadership and Information Security.  It's well past time to reinvent the information security field, and reverse the impression that we are the Ministry of No, the buzzkills who are constantly looking to shut down everyone's Facebook access.  Our role is so much more than that. Too often, we paint ourselves into that corner because we are unwilling or unable to engage the organization at a higher level or learn how to make the business function better.

Given the landscape of the past and the changes due to economics, a successful infosec leader must do the following things, and do them well, to cultivate a healthy information security program that will support and align with the business:
Communicate to the business about the business
Consider this quote from global recruiting firm Alta Associates:

When we started, years ago, we most often looked for the most technical person in the room for senior [information security] positions, and now we're finding that we're replacing those technical execs with execs that truly understand, and can take a holistic approach to, risk.  What we're finding in the jobs that we're filling, not just at the C-level, but at many levels, is that they're asking us for folks that really understand how to communicate effectively to the board.  -Joyce Brocaglia, Alta Associates, RSA 2009

Risk is the language of business, and if you cannot communicate risk to the powers-that-be in your organization, your infosec program (and career) will never evolve.  You will never be invited to the table if you cannot demonstrate that you belong there by helping them make critical business decisions.

Businesses manage risk, day in and day out.  What is the risk of investing in a new product line?  What is the risk of leaving out Feature X until Version 2?  What is the risk that the $10,000 investment in the new marketing campaign won't result in an uptick in new business?

If you learn how to quantify risk, you will never be accused of trying to scare the business into buying needless security widgets (the Chicken Little syndrome), and you will be able to justify the investments that make sense for the business.

Never let "it's a best practice" be a justification for a security initiative
"Best practice" is an excuse, not a justification.  Best practices are what you resort to when you don't know what the right thing for your business is. The company isn't in the business of aligning its security program with industry best practices.  The company is in the business of selling widgets.  How many more widgets will the company sell if they implement your suggestion?  Is some significant risk reduced by implementing the suggestion?  These are the arguments that will allow the business to say Yes.

Never say "No"
No is rarely an acceptable response to someone communicating a requirement.  Someone's secretary wants to access Facebook during lunch?  "No" isn't going to get you anywhere.  How about "Sure, we can do that, but given the various threats coming from Facebook lately (demonstrate some), we'd be wise to implement some additional protections around that traffic."  I bet you can leverage that secretary's lunch desires to reduce her rights on the system, which kills two birds with one stone.  Or, if the organization isn't willing to spend the money on the necessary controls, you can go back to the secretary and let her know that you went to bat for her but failed.  Either way, you're the guy who tried to help, not the bad guy who just said "No".  Chances are, she'll come back to you the next time she wants to do something risky.

No doesn't make you friends.  "So what, I'm not here to make friends, I'm here to secure the enterprise," I hear some of you say.  Well, your job will be orders of magnitude harder if you are viewed as an obstacle that must be overcome, rather than a friend of the business.  How many groups will invite you to the conversation when all you do is burden them with costly and time-consuming controls and processes?  Which brings me to...

Be approachable
Encourage dialog.  Reach out to end users at all levels.  Introduce yourself to business owners, solicit their opinions on things, and ask them what their challenges are, how they work, and their viewpoint of information security. Learning what the end users really think, rather than making assumptions on their behalf, builds a relationship of shared ownership. The result is allies who will help you sell future initiatives.

Don't let the first contact with your end users or business owners come only after you have discovered a problem.  Integrate yourself into the onboarding process.  Five minutes spent in a new hire orientation, introducing the infosec organization and going over basic guidelines, will make a night-and-day difference in the attitude end users have toward you and your program. Sharing with them why security is integral to the business, and making it personal, will put them in the driver's seat for supporting security.

Conduct brown-bag sessions on security topics.  Make them short.  15 minutes is my target, with questions for however long they need.  Record them, if you can, so you can distribute them via intranet to people at other sites or who couldn't make it to the live show.

Speaking of which...

Learn to talk like a human being
If you have a conversation with 99.999% of the population on this planet, and you toss out words like "AES256" or "Diffie-Hellman", you will not connect with your audience.  All you are doing is confusing your audience, at best, and probably alienating them.  End users don't need to know how the sausage is made, only that they have ready access to sausage and that It's A Good Thing(tm).  You can go into a little more detail during Brown Bags, but be clear about the level of technical depth of the talk, so you will hopefully get an appropriate audience.  But I would argue then that you should be spending time on topics that will reach a larger portion of your user population.

What you *can* do, however, is...

Blow your end users' minds from time to time
End users get complacent about their computer usage habits.  Always have a small collection of ready-to-roll, easily demonstrated exploits in your bag of tricks, even if they have long since been fixed.  Maybe it's a virtualized image of a poorly patched Windows box that you can bring up at a moment's notice.  Doesn't matter.  Demonstrating the sneakiness of attackers is often an eye-opening experience for your end users.  I once orchestrated a demonstration of a chromeless window exploit to a group of system admins, and their mouths all dropped.  Demonstrations like that tend to re-engage your users, and remind them that they are a critical part of the company's security posture.  That's a win for you.

Cultivate your reputation
Develop a reputation for protecting the business.  Understand the risks of the changes you are proposing and work diligently to reduce them.  Even if the company doesn't have an official change management program, you should.  Even if it's just yourself.  I can count on one hand the number of times a security control under my purview has negatively impacted the business' ability to operate.  Availability trumps security every single time, and those security controls will get ripped out if they impact the business' ability to operate.

Develop a reputation for being a straight shooter.  The business needs to know it can count on you for a fair and accurate assessment of risk, countermeasures, controls and technology.

Develop a reputation as a problem solver.  You want business units to approach you with problems, and ask for help solving them, rather than route around you with a solution they know is poorly considered.  See above guidance regarding "no".  You need to be seen as a business enabler, not an obstacle that must be continually overcome.

Develop a reputation for being pragmatic.  Don't blindly follow the industry.  Reevaluate your beliefs, frequently.  If the password policies don't make sense, change them.  Ignore best practices if they don't fit the realities of the business, even if it means bucking an auditor in the process.  Mold the information security program to the needs of the business.

Understand that robust security begets compliance, not vice versa
If you have a solid information security program, you will not have to worry about audits or regulatory compliance exceptions, because you are 99% there on most compliance obligations your company is likely to have.  That does not mean implementing every suggestion from NIST or similar bodies of infosec standards. If you blindly implement controls and processes to satisfy your PCI audit, for instance, it doesn't mean your business is secure.  Secure your business, and compliance will be trivial.

Befriend your auditors
If you have an adversarial relationship with your auditors, internal or external, you're doing it wrong.  Your auditors are partners.  They help you measure (and demonstrate) improvements you are making to the business, and help you justify investments in additional areas.  If you have a healthy relationship with your auditors, your audits will go more smoothly and they'll be out of your hair quicker.  An adversarial relationship with your auditors will only result in them looking harder and longer for cracks in your program, and every hour they spend doing so costs your business money.  Once the auditors develop confidence in your program, and understand that they can't run up the bill generating finding after finding, they'll be motivated to complete their report and move on to the next engagement.  Reducing your company's annual audit bill is a fantastic way information security can contribute to the company's bottom line.

Contribute to the InfoSec Body of Knowledge
The information security profession relies heavily, perhaps more than most other fields, on information sharing and peer review.  You should be writing, be it articles, blog postings, or answers to questions posted in online forums.  A good infosec leader should be continually contributing to the InfoSec Body of Knowledge, even if the contributions sometimes seem trivial.

Show up at local infosec events, and speak at one at least once a year. One thing you should take away from the other habits listed above is that your communication skills are critical to being successful in the information security field.  Hone them, exercise them.  If you are not an effective communicator, you will not be an effective information security leader. Don't know where to look for speaking opportunities? Local chapters of ISSA, ISACA, and other national infosec organizations are always looking for speakers on interesting topics. Reach out to them, ask them what their members would like to hear a talk on, and make it happen.

Conclusion
It's harder than ever to get support (funding and otherwise) for our programs in today's challenging economic environment. But if you follow these general principles, you'll be able to demonstrate real business value to your stakeholders, and they will be more inclined to reciprocate by supporting your important initiatives.


Back Online

After a nearly 2-year break from blogging, mostly out of respect for my previous employer, I am back online. The blog is very different because I've given up on the open source subText engine, which was born out of dotText, and moved from self-hosting to being hosted by Posterous.

I'll be reposting some of my old blog entries over the next few weeks, provided I can suck them out of my old subText database, which is in a somewhat damaged state after several failed upgrade attempts.