Security is an Empty Gun

There is a point where a security exception ceases to be an exception and becomes the rule. Its at times like these that the information security department can swagger in and lay down the law. Put simply, security makes the rest of the business comport to its will, and if push comes to shove security can pull out its piece and compel the action it desires…or else!

Except its the “or else” thats really the problem. Like a modern day Barney Fife, Information Security has no bullets in its gun (we may have some in our breast pocket though-only to be used for emergencies).

This gun metaphor is very helpful for understanding two things about the practice of information security today. First (and obviously) there are the overt violent overtones associated with the imagery above. If we reflect on the perception of security over the past several decades, it’s clear that its viewed as an aggressor. Its a perception that is well earned–keeping things and people safe is by necessity an aggressive career choice, only to be undertaken by those enveloped with machismo. Except in the corporate world this approach is misplaced. Its reminiscent of the over-enthusiastic mall cop, or the former New York City police officer that is now a corporate physical security guard. And this metaphor too is an important lesson in the way information security could be perceived if misapplied (which reminds me of this scene from Goldeneye).

Adapting to the new reality of risk-based security means relinquishing the controls-based security approach that is endemic to the mall cop metaphor above. Which brings me to my second point: If we pull the trigger of that gun, the infecundity of controls-based information security is made plain for all to see. Simply saying “no” to new technology is not an act of machismo anymore; its an act of suicide. Its oftentimes denying the business the very thing it needs to survive. Whether it be cloud, mobile, social media, or BYOD, the modern IT landscape is ripe with opportunities for information security to enable top-line growth, or at the very least to reduce the bottom line. Like the stick-up artist that engenders such fear with its pistol, information security has the ability to effect change, just so long as it doesn’t actually shoot anyone. Hinting at the regulatory hammer(s) to which you are subject is the bullet–its just not in your gun.  Instead, partner with the business to protect against the bullet in the FTCs or PCI Council’s gun, lest you drop the hammer on yours and the business hears the emasculating click of an empty chamber.

In order to achieve success in modern information security programs, there must be an emphasis on the soft skills of negotiation and communication. Effectively communicating a risk scenario using a mature risk taxonomy (one that allows you to communicate threats, control deficiencies, vulnerability, and losses) gives risk decision makers the ability to execute a well-informed decision. And that, after all, is what information security is really all about: enabling decision makers with the information they need to determine if a risk is worth taking.

And now, “Looking Down the Barrel of A Gun” by The Beastie Boys. Apropos.


Thus Wastes Man

A discussion on priority-making, risk, and the nature of humanity

I’m always interested in examples where we make implicit risk decisions. It happens naturally all the time, mostly because we lack the resources (time, skills) to properly evaluate the scenario. Despite being good at keeping us immediately out of harm’s way, this quick decision-making skill set (our “gut” reaction) tends to be wrong very often about long-term risk. Nowhere is this more prevalent than in our own health decisions.

The FAIR risk-assessment framework discusses and flowcharts the reasons for failure to comply with policy; however it is equally applicable to failures in decision making. At a high level, the flow chart goes like this: awareness, resources, motivation (evil, dumb, priorities). It’s usually the priorities that throw us for a loop: after I know what needs done, have the tools to do it, I have to want to do it. Since we’re not often evil or dumb (thank goodness), I have to make it a higher priority than the other things I care about. It’s the same reason that although I see the nail pop in my one wall all the time, I’m unlikely to ever really do anything about it (after all, I’m really busy with this blog and everything…).

It’s through these lenses (implicit decision making and the compliance flowchart) that I would like to discuss the following chart:

This is a chart provided by the FAIR Foundation on their website (no relation to the risk analysis method called FAIR). This chart details the US funding priorities for various disease (mostly -all?- NIH funding). I care about many of these diseases personally, as I’m sure many of you do. It’s because of this personal attachment (my gut reaction), that I’m immediately appalled at the funding priorities that exist. If we are being rationale about our resource allocation, then clearly the diseases that cause the most deaths need the highest levels of funding. On closer evaluation however, there is more to diseases than just death; many diseases substantially limit one or more of the major life activities (to borrow a phrase from the US American’s with Disabilities Act of 1990). Diabetes (especially Type 1) robs you of normal eating habits for the rest of your life, Alzheimer’s takes your mental faculties, and Parkinson’s the steals ability to move regularly (to just name a few – there are many horrible outcomes for many of these diseases).

So if we are all rationale humans, then why are these funding priorities what they are?

There’s a certain amount of complexity associated with these decisions. There is a system of systems responsible for these funding decisions, not the least of which is popularity (there are countless discussions like this happening all over the web). However, the reality is that all rubrics for funding will leave some people’s concerns out of the running. There just aren’t enough resources to go around.

I don’t have the right answers for this problem, but I wanted to use these chart as a mirror for our own IT Risk and Security funding priorities. There are doubtless many pet projects that will garner the most funding in your organization that will not have rationale support from a risk perspective. Fighting this gut-level decision making is the work of IT Risk professionals today. The same as the medical communities that argue for a risk-based approach to research funding, you too should be spending your time and efforts advocating for the reduction of risk in the scenarios that effect your organizations.

Given that you will never work for an organization that has in infinite budget for security (or anything really), nor will you have all the time needed to address every concern, you must prioritize efforts to ensure the best results. Priority-making is inherently a risk-based activity. This is the essence of modern risk management.

A drink after work

Your organization has a problem with its employees. Too many people are going to Happy Hour after work and spilling important information about future expansion plans and other details about top-secret intellectual property. This lack of operational security (OpSec) is starting to take a toll on the business. The company is loosing out on new opportunities, the competitors are undercutting its bids, and next-year’s new model is already being touted by the competitor. What’s worse is that you HR department is telling you that the next generation of employees grew up with Happy Hour and have very different thoughts about how it should be used. Their basic attitude is that all the “old folk” in the company need to get with it and start using Happy Hour. They don’t bother drawing a distinction between personal and work drinking and they don’t care about this OpSec problem. They’re completely aggro about it and are demanding that the company stop trying to keep them from Happy Hour.

After a long debate where many options were evaluated, the company finally has their solution to the problem: Company Bar. Yes, the plan is to renovate an office downstairs and install their own working alehouse, taproom, cocktail loungue, watering hole, and any other synonym for a place where beer, wines, and spirits are sold. This plan is genius! Now, instead of everyone leaving work to go to Happy Hour, everyone will just go downstairs after work and drink in an environment where no one has to worry about saying the wrong thing to the local purveyor of corporate espionage. Since they can act out their Happy Hour needs with corporate blessings, no one will feel the need to go to other establishments to wet their whistles.


These are my thoughts on the effectiveness of corporate social media sites as a control to limit information leakage (I’m looking at you Yammer)

How to Play


I recently took my daughter to a kid’s birthday party. The location had one of those kid’s gyms where you kick your shoes off and dive into the balls and have a great time. Risk never leaves my mind, so when I was reviewing the sign that was posted over the entrance to the area, I found an interesting parallel that I thought I’d share.

There was a sign posted that said, “How To Play,” followed by what is presumably a list of rules on how to play. The gate was guarded by a disinterested young man sketching on a pad and ostensibly enforcing the rules of play. What were those rules? See for yourself:

  1. No shoes or coats
  2. No running or jumping
  3. No throwing balls

What is missing from these list is exactly what the title of the sign said would be there: rules for playing. Instead, what we have is a list of how NOT to play. While my little one was playing she was having a difficult time getting up some of the ramps in her stockinged feet, so I slipped her socks off and sent her on her way. My wife chastised me because another sign somewhat out of sight indicated that socks were required. The disinterested young man from early failed to notice.

I think there are some clear parallels to corporate security polices in this brief example. First, information security policies rarely identify “How to Play.” Instead, like our sign example above, we frequently find a list of things you are not allowed to do. This is an example of security-centric thinking. Know this: the people in your company are interested in knowing How To Play. Tell them the approved technologies, processes, and systems that they are allowed to use without running afoul of the policy. This is the basic logic of a white vs black list, so help your organization know how to do the right thing (I’m assuming there’s more you don’t want them doing than otherwise, so save time and just tell them what to do).

Next, the metaphor of the disinterested enforcement agent I’m sure is not lost on most. Enforcement is tricky business, and worthy of longer treatment, but for today’s blog post focus on the economics of the situation. There was one guy at the entrance who ostensibly had responsibility for enforcing the rules in the entire area (it was very large with between 30-50 kids). Clearly he was going to fail at 100% enforcement. But just like in other areas of life, its often just as effective to selectively offer enforcement for those areas that are high-risk.

Lastly, don’t forget the allure of the one-stop-shop. Having everything you need someone to know in one place is valuable. Don’t make them hunt for that hidden sign to find out that bare feet are not allowed. Everything should be clearly visible and in one place.

In summary, we as security practitioners can make it easy or hard for people to comply. You get to decide, “How To Play” for your organizations. Choose wisely.