Security Leadership is Risk Leadership

When writing this blog post for ISACA it occurred to me that to be an effective cybersecurity leader requires that you understand the dynamic of risk communication and becoming comfortable with the decisions of well-informed business leaders.

You can read the article here.

Accepted at RSA 2019 – Virtual Pen Testing

I’m very pleased to announce that I’ve been accepted to speak again at next year’s RSA Conference. I’m going to be presenting on an Agent Based Model concept using FAIR risk results jointly with my colleague Joel Amick. Joel’s team and my team worked to develop a POC of this work and we can’t wait to share what we developed with you in March!

Here are the details of the session; please be sure to save it to your agenda!

The “Yes, and…” Approach to IT Risk Mgmt

In my January column for @ISACA I talk about the use of a improv technique called “yes, and…” that you can read about here.

The idea is to keep the improv scene going as long as possible by working with your partner versus opposing them. If they propose something, no matter how outlandish, you assume its valid and work with it. This gives you the opportunity to redirect the outcome. However, if you shut down the scene and attempt to wrestle control away from your partner, the scene gets awkward and if you do it enough they tend to not want to work with you anymore.

It’s a metaphor you see: work with the business on their initiatives and you get invited back to the table.

Using Risk to Take the High Road

My @ISACA column for November was published recently. You can read it here.

This was a tough one to write, and not just due to the 200 word max limitation (which I still exceeded). Overall, lots of security professions tend to (I believe) unknowingly speak ill of the management of the companies for which they work. It’s second nature to think that your judgement about security overrides whatever else management is doing. My point with this column was to help people see that risk management defines priority across the organization; in other words, I’m sure that marketing, accounting, sales, etc. think that whatever they are working on is far more important than what security is doing. Thinking about these priorities through a risk lens helps people level-set their work against the rest of the company’s work. I use an outraged “author’s voice” to wake people up to what they are saying and how they express it.

This was difficult to write primarily because I didn’t want to insult anybody, but to also help people understand that the words they use, even amongst other security professionals, are not productive in improving relationships within the rest of the company.

High Accumulation

1280px-Snowy_street_in_Madrid_(Spain)_01I recently relocated to Charlotte from Ohio. Its South, but not so much so that it doesn’t get cold and yes, sometimes there is even snow. As I become acclimated to things down here, I am always surprised at the response that folks from here have to snow. They dislike it immensely and are often fearful of it. Now, I grew up in Pittsburgh which has a lot of snow. Ohio has a lot of snow too. So, this past weekend we had some weather reports that hinted at snow. They used a particular term that peaked my interest. The weather forecasters predicted that there would be a “high accumulation” of snowfall.

This is always the difficulty with verbal labels used to define measurements. Being that I am from the North, where snowfall is frequent, High to me means 6-8 inches or even 1 foot of snow or more. I imagine those from even farther North than I, probably laugh at my ranges and speak only in double-digit feet when measuring “high” amounts of snow. As it turns out, here in Charlotte “high accumulation” means between 1-2 inches. Oh, and that snow was mostly melted about a day and half later (for those that don’t know, this is a marginal amount of snow and the ensuing overreaction is largely comical to us Northerners).

When communicating risk, the same problem is endemic to that process. Just saying high, medium, or low is problematic. No one is able to divorce themselves from their biases and experiences. As a result, when you say “high risk,” there will invariably be those that think $10M, and others that are thinking in terms of $100K or even less. Why? Fundamentally speaking its because there are no numbers. Think about how much more plain it is to speak in terms of dollars or inches. We may disagree about what the relative impact of those units of measure, but one is not likely to argue that an inch isn’t an inch.

So as you go through your risk work, know that if you aren’t speaking plainly in terms that are universal (frequency and magnitude), then know that you may be perceived as shouting at clouds…

Security is an Empty Gun

There is a point where a security exception ceases to be an exception and becomes the rule. Its at times like these that the information security department can swagger in and lay down the law. Put simply, security makes the rest of the business comport to its will, and if push comes to shove security can pull out its piece and compel the action it desires…or else!

Except its the “or else” thats really the problem. Like a modern day Barney Fife, Information Security has no bullets in its gun (we may have some in our breast pocket though-only to be used for emergencies).

This gun metaphor is very helpful for understanding two things about the practice of information security today. First (and obviously) there are the overt violent overtones associated with the imagery above. If we reflect on the perception of security over the past several decades, it’s clear that its viewed as an aggressor. Its a perception that is well earned–keeping things and people safe is by necessity an aggressive career choice, only to be undertaken by those enveloped with machismo. Except in the corporate world this approach is misplaced. Its reminiscent of the over-enthusiastic mall cop, or the former New York City police officer that is now a corporate physical security guard. And this metaphor too is an important lesson in the way information security could be perceived if misapplied (which reminds me of this scene from Goldeneye).

Adapting to the new reality of risk-based security means relinquishing the controls-based security approach that is endemic to the mall cop metaphor above. Which brings me to my second point: If we pull the trigger of that gun, the infecundity of controls-based information security is made plain for all to see. Simply saying “no” to new technology is not an act of machismo anymore; its an act of suicide. Its oftentimes denying the business the very thing it needs to survive. Whether it be cloud, mobile, social media, or BYOD, the modern IT landscape is ripe with opportunities for information security to enable top-line growth, or at the very least to reduce the bottom line. Like the stick-up artist that engenders such fear with its pistol, information security has the ability to effect change, just so long as it doesn’t actually shoot anyone. Hinting at the regulatory hammer(s) to which you are subject is the bullet–its just not in your gun.  Instead, partner with the business to protect against the bullet in the FTCs or PCI Council’s gun, lest you drop the hammer on yours and the business hears the emasculating click of an empty chamber.

In order to achieve success in modern information security programs, there must be an emphasis on the soft skills of negotiation and communication. Effectively communicating a risk scenario using a mature risk taxonomy (one that allows you to communicate threats, control deficiencies, vulnerability, and losses) gives risk decision makers the ability to execute a well-informed decision. And that, after all, is what information security is really all about: enabling decision makers with the information they need to determine if a risk is worth taking.

And now, “Looking Down the Barrel of A Gun” by The Beastie Boys. Apropos.

RIP MCA