Just a quick note about this month’s column (available here).
I’m getting the sense from the risk and control professionals I’ve spoken with recently that there is a greater realization of the separation of duties incumbent upon risk functions. In this piece, I briefly discuss how to use reporting to make this clear, and drive an increase in control posture across your organization.
This being the goal-setting time of year, it's also worth noting that you shouldn't be committing to increasing control strength unless you are really the owner of a control. Otherwise, I'd recommend using phrases like "better inform," "make aware," "increase awareness," etc. These more accurately represent the role you play.
(Yes, that’s Chuck Norris in the eponymous 2009 game, because nothing says “effective IT risk management” like Chuck Norris!)
Recently Ben Rothke named Measuring and Managing Information Risk as the Best Book of 2014. Frankly, I'm humbled by this, as the field of competitors we are named amongst is very strong; Adam Shostack's book was even named as best of 2014 by the venerable Bruce Schneier.
As we close out this year, one thought has been dominating my days. We’ve all learned how to practice risk from different places (where I’ve worked is different from where you’ve worked, etc.). So much in the practice of risk is based on the notion of personality; we do risk one way because I’m leading it today. Tomorrow, a different person leading it would insist on doing it in a way that they are familiar with. Essentially, like all humans, we overemphasize our own experiences in risk as being more “true” than others. In other words, we are more likely to assume that what we’ve experienced before can be made to occur again with the same results. Unfortunately, this is not how science views the same set of experiences. In the scientific method, not everyone’s experience qualifies as valid scientific observation. In a given room full of risk people, the sheer fact that we’ve experienced different things doesn’t make them all valid, at least in a scientific way. Any attempt to include everyone’s experience as objectively valid is incorrect and potentially dangerous. I often refer to this as “risk relativism.”
An overriding characteristic of scientific observation is the ability of different practitioners to recreate the results (reproducibility) given a similar set of environmental variables. In fact, a case study is probably the most accurate research method for what most of us call our work experience. Case studies are very concerned with "validity": construct validity, internal validity, external validity, and reliability. The combination of these four things contributes to the overall reproducibility (aka objectivity) of the research. In all cases, there is a need to use multiple sources of data and/or observations to ensure that each unit of analysis (workplace experience) is "coded" or analyzed accurately. Further, the applicability of results is carefully curtailed. For example, a single-unit case study has limited applicability outside of its own environment (one company's risk experience is obviously most applicable to just that company), but multiple-unit case studies can be applied more broadly.
But what factors are the most critical for establishing broad applicability and reproducibility? In my opinion, that is the use of an accurate model; that is, the use of a model that can be reliably used to predict outcomes. Put another way, across all your industry experience, which model are you applying that allows for meaningful measurements to be made that enable effective comparisons? Work in information theory tells us that all measurements are inexact (statistical, if you will). This lends great credence to the use of statistical methods to reduce uncertainty in our measurements as we move from workplace to workplace.
What are you going to do in 2015 to increase your use of scientifically valid models of measurement?
My latest column was published today with the above title and I wanted to call out two things with this one. First, since risk drives the selection of priorities, it only follows that it's stressful work. Decision making is mentally taxing, so the professionals whose job it is to facilitate that will shoulder that burden as well. Second, take care to ensure that a high priority in your personal life is to appropriately manage the risk associated with my first point. Any job that bears the burden of high stress means that your health is important and requires the requisite attention.
Click here for the full article.
On 27 June 2014, I delivered the Commencement Address to the graduating class at DeVry University Charlotte. I was honored to be asked by Dr. Regina Campbell. I didn’t post the address here previously, but I talk about risk so I thought it might be interesting to my followers here. Enjoy!
Thank you to Dr. Campbell for inviting me here today and thank you to the faculty, administration, and staff of the DeVry University Charlotte Campus for the warm welcome they have extended to me. Congratulations to all of today’s graduates, their parents, families, spouses, partners, significant others and all the other recalcitrant folk you managed to bring to today’s proceedings. But seriously, we should all be enormously proud of our graduates today. They join an ever-growing body of DeVry alumni across this nation, Canada, the Caribbean, and other parts of the world that have benefited from the uniquely DeVry experience and how it enhances their careers. I know a little something about this group as I have been honored to have been made a DeVry alumnus three times in my life–and my wife a DeVry alumna twice. All of which means that I’ve had the opportunity to sit where you are now several times and as a result, I know there is truth in the old joke about there being two kinds of commencement speeches: short and bad. As for me, I plan for this one to be short, however I’m also sure that no one plans to deliver a boring commencement address, which may very well account for my knowledge of both the masculine and feminine forms of the Latin noun “alumnus” so well (thank you Wikipedia).
There are several time-honored traditions in American commencement address giving that I am obliged to follow. The first I'll call the Pronouncement of the State of the Real World. It will come as no surprise to you that we live in a rapidly changing world where our lives and fortunes rise and fall with the technological innovations we love and love to hate. Navigating a career in this environment is nothing short of a lifetime commitment. A recent publication by Business Insider reported on the most in-demand college majors. The four that topped the list (in order) were Business, Computer and Information Sciences, Engineering, and Health Professions, the sum total of which comprised 82% of new demand. If you've identified those as majors that DeVry focuses on and has so prepared you for, you get a diploma today, or sometimes later in the mail, as the case may be.
Continue reading DeVry Charlotte 2014 Commencement Address
Organizations are increasingly furthering their goals through reliance on suppliers conducting critical work. In support of this, information security departments routinely conduct security assessments of those suppliers in order to help minimize risk in their supply chains. These assessments usually consist of some combination of questionnaires, onsite observations, testing, and interviews. Unfortunately, such assessment routines tend to reveal superficial (or overly obvious) issues with the suppliers. However, what decision makers really need to know is whether the supplier will handle the information entrusted to them with care. Amongst other things, what managers and executives want to know is whether the supplier has had problems doing this in the past, and what the odds are of them making mistakes in the future. This article will provide a technique to help better inform management and to make better information security decisions about vendor and supplier choices.
Continue reading Using Behavioral Interview Techniques to Assess Supplier Security Posture
I’ve been watching Amish Mafia lately (a guilty pleasure). That got me to thinking about the role of shunning in good risk management (because this is how my mind works, apparently). We want our leadership to take good, appropriate levels of risk, which is a way of saying there are good behaviors to which we would like them to adhere. There are many theories on the psychology of behavior, but I want to focus today on shunning and public ridicule. (Quick note: yes, I know that the Amish and Mennonites don’t practice shunning sadistically and also don’t use a pillory; I took some artistic license here.)
Many security and risk professionals take the security of their systems personally. A hack against their firm is a personal failure. In other words, until everything is secure, many people leave work thinking that there is yet work to be done and their day is incomplete. This can be very stressful. Working in security with a risk-based focus is a little different. Instead of feeling accountable for the configuration of systems, the goal is to inform the resource owners about the state of their systems, allow them to make a decision, and then report on the outcomes. It works something like this: in most organizations, the security team doesn’t own the servers (there is usually some IT production services team that does). Whether something gets patched or a config setting gets changed (as an example) is usually a function of keeping the owner informed as to good practice and then letting them choose what they want to do. This is where the shunning and shaming techniques come into play.
We could feel personally accountable for the patching that needs to be done, or we can feel that once we've delivered the message about what "secure" looks like, our work is complete. After that, it's a matter of reporting and follow-up. The shaming comes in the reporting: delivering reports to the head CIO that show which areas aren't as secure and then comparing the different teams to one another. This works well in organizations that have multiple lines of business (LOBs). We can compare company area A's servers to company area B's, which invites comparison of one to the other. The various CIOs/CTOs, etc. that own responsibility for the servers in each area will compete and/or be shamed by their relative performance. We can also develop policies/standards that encourage "shunning." For example, we can declare that only servers/applications/etc. that meet certain risk criteria are allowed to be used for high-risk transactions, effectively "shunning" insecure systems from high-risk roles in the organization.
Regardless of what happens next, you’ve done your job of keeping everyone well-informed. First, everyone knows what is expected of them and second, everyone knows how they are performing against those expectations. This doesn’t need to be antagonistic either: it’s merely informational. No need to pillory your CIOs at the next staff meeting ;-)