<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Andy ITGuy - Information Security Blog</title>
	<atom:link href="http://andyitguy.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://andyitguy.com</link>
	<description>A voice of reason in a world of FUD</description>
	<lastBuildDate>Fri, 04 May 2012 05:04:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='andyitguy.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Andy ITGuy - Information Security Blog</title>
		<link>http://andyitguy.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://andyitguy.com/osd.xml" title="Andy ITGuy - Information Security Blog" />
	<atom:link rel='hub' href='http://andyitguy.com/?pushpress=hub'/>
		<item>
		<title>Dealing with a business that doesn&#8217;t want you.</title>
		<link>http://andyitguy.com/2012/03/01/dealing-with-a-business-that-doesnt-want-you/</link>
		<comments>http://andyitguy.com/2012/03/01/dealing-with-a-business-that-doesnt-want-you/#comments</comments>
		<pubDate>Thu, 01 Mar 2012 22:07:19 +0000</pubDate>
		<dc:creator>andyitguy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">https://awillingham.wordpress.com/?p=1061</guid>
		<description><![CDATA[We all face it at some point in our career. You are tasked with securing &#8220;x&#8221; and the business doesn&#8217;t want you doing your job. Sure they may put on a smile when audit or compliance are in the room but when they are alone in their office or in their team meetings they are [...]]]></description>
			<content:encoded><![CDATA[<p>We all face it at some point in our career. You are tasked with securing &#8220;x&#8221; and the business doesn&#8217;t want you doing your job. Sure they may put on a smile when audit or compliance are in the room but when they are alone in their office or in their team meetings they are stabbing a voodoo doll that resembles you or you walk in on a dart game where the board has been covered by your picture. They stall, delay, ignore and fight your every request. They build cases to support their argument that security is a burden to them getting their work done. Each scenario plays out a bit differently but in the end they are all the same. Security is not wanted.</p>
<p>I&#8217;ve worked in a few places where <strike>I</strike> security wasn&#8217;t wanted. We were there because someone said we had to be. It may have been regulators, auditors, compliance departments, a governing body for the industry, or the parent company or business itself required that we be there.  But the particular business you support (or the business as a whole) wants nothing to do with you. That is frustrating for someone who believes strongly in the value of security to an organization. It&#8217;s tough to get up day after day and make the trek into the office when you know that you are going to be ignored and have to fight for every inch of ground that you gain. After several days like this the little bit of ground that you gain doesn&#8217;t give you the warm fuzzies that you would hope to get after a hard day&#8217;s work.</p>
<p>So what do you do? How do you keep your sanity and remain civil to your friends and family? How do you deal with this? How do you get your job done while facing constant opposition? Better yet, how do you work through the situation and hopefully change some minds and get the business on board with you?</p>
<p>In many cases you are going to have to start with changing the way security is viewed by the business. Unfortunately, security is often known for saying &#8220;no&#8221;, slowing down productivity, delaying product launch, impacting usability, and &#8220;keeping me from updating my Facebook status with my lunch choice for today&#8221;. This doesn&#8217;t sit well with our customers (the business) for lots of reasons.<br />
1. They are the customer and the customer is always right.<br />
2. Their job is to produce and security hinders production.<br />
3. They are tasked with fiscal responsibility and security is seen as being a cost center with little to no return or value.<br />
4. Their job is to keep employee morale up and security hinders that.</p>
<p>Let&#8217;s look at each of these and see what we can do to effect real change that will improve our image and relationship with the business. </p>
<p><strong>They are the customer and the customer is always right.</strong><br />
At least that is how they see it and we should let them believe it. Actually we need to act as if it is true. In reality it isn&#8217;t true anymore for its than it is for anyone else. Yet the principle behind it is very important in keeping the customer happy. Our mindset should be &#8220;if they want it then we will make it happen&#8221;. That doesn&#8217;t mean that they get what they want exactly. It means that we work with them to find a solution that will meet their needs and keep it secure. The days of saying no are behind us and we have to change the negative image that we have because of those days. If you are supporting a business that has never had security work with them then the first time you do this you may have to make sure you have smelling salts with you. If you take &#8220;no&#8221; out of your vocabulary and work to make things happen you will be amazed at how quickly the business starts to change their attitude towards security.</p>
<p><strong>Their job is to produce and security hinders production.</strong><br />
One of the biggest complaints that I hear about security initiatives is that they often slow down the release cycle of products and programs. Sometimes there is not a whole lot that we can do about this, especially early on. In today&#8217;s world we can&#8217;t ignore the need to implement security but we also can&#8217;t rush into it headfirst with little to no regard for how it impacts the work that the business is tasked to do. (Wow! That hurt to write that) One of the best things that we can do to minimize the negative impacts here is to make sure that we communicate with the business as to what is being done, why it&#8217;s happening, how it will benefit them (this one can be a tough sell), and what you are doing to make this as painless as possible. It&#8217;s also important not to have a &#8220;grin and bear it&#8221; attitude. If you can get good data that will show how the slowdown should only be temporary that will also be a big plus. Many times the problems caused by security programs will either go away or at least be reduced over time as people get used to the new processes and learn how to work with the security program.</p>
<p><strong>They are tasked with fiscal responsibility and security is seen as being a cost center with little to no return or value</strong><br />
Don&#8217;t worry, I&#8217;m not going down the security ROI path with this one. As with most everything, cost goes down over time so your job is to show the business how you too are being fiscally responsible. Be open with them about how cost and expenses rise and fall. Don&#8217;t ask them to fund something without having a clear plan that shows them the cost and benefit aspects. Have plan A, B, and C when you need something new. Shoot for the stars but be willing to settle for less. Also don&#8217;t come to them with a proposal that is stupid expensive when times are tough. You should never go to them unprepared. Remember they are business people, not technology people, and they want a business case, not cool, flashy lights.</p>
<p><strong>Their job is to keep employee morale up and security hinders that.</strong><br />
In this area there are several things that we can do to improve our image.<br />
° Follow all of your policies. If they see you on Facebook when everyone else is blocked you will be vilified and your credibility will be damaged.<br />
° Don&#8217;t block access to websites and technology without a good reason. There are few reasons and cases where complete exile from &#8220;non-business&#8221; sites is necessary so don&#8217;t do it just because you can.<br />
° Expect everyone, including executives, to follow policies.<br />
° Don&#8217;t deploy security that makes it too difficult for employees to do their job.<br />
° Expect (read &#8211; demand) your employees to answer questions, work to solve problems, not say no, and do it all with a smile and an attitude that lets the customer know that they are not being a &#8220;stupid user&#8221;, even if they are. We all have our &#8220;stupid user&#8221; areas. Imagine how you would feel if you were expected to do something that you knew nothing about.</p>
<p>That does it. If you are tasked with making the business like you hopefully this will help. If you have been through this before, or are going through it now, please feel free to leave comments with what did and didn&#8217;t work for you.</p>
]]></content:encoded>
			<wfw:commentRss>http://andyitguy.com/2012/03/01/dealing-with-a-business-that-doesnt-want-you/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/df0f87a34a724532d87b3719b97f20f8?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">andyitguy</media:title>
		</media:content>
	</item>
		<item>
		<title>Kudos to Apple</title>
		<link>http://andyitguy.com/2012/02/27/cudos-to-apple/</link>
		<comments>http://andyitguy.com/2012/02/27/cudos-to-apple/#comments</comments>
		<pubDate>Mon, 27 Feb 2012 22:24:27 +0000</pubDate>
		<dc:creator>andyitguy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Apple]]></category>

		<guid isPermaLink="false">https://awillingham.wordpress.com/?p=1059</guid>
		<description><![CDATA[It was either late 2006 or late 2007 when my brother-in-law bought his girlfriend an iPod nano. He paid $250 for it and after he got it he realized that for only $50 more he could have gotten a 30gb iPod instead of the 4gb nano. He couldn&#8217;t return it because he had it [...]]]></description>
			<content:encoded><![CDATA[<p>It was either late 2006 or late 2007 when my brother-in-law bought his girlfriend an iPod nano. He paid $250 for it and after he got it he realized that for only $50 more he could have gotten a 30gb iPod instead of the 4gb nano. He couldn&#8217;t return it because he had it engraved so he asked me if I would buy it from him for the discounted price of $200. This was before I had decided that Apple was the evil empire so I bought it. I used it up until 2010 when I bought a new mp3 player. I kept the nano and let my oldest daughter have it. Then late last year I received an email from Apple stating that the battery might blow up if I didn&#8217;t send it in for replacement, so I did.<br />
Today I received my replacement and much to my surprise it was a newer model of the nano and it was an 8gb model. It&#8217;s still a generation or two old but that&#8217;s better than the 6 year old one that I had. Thanks Apple, stories like this just may help to repair the career ruining, don&#8217;t give a care, terrible customer service reputation that you&#8217;ve built over the years.</p>
]]></content:encoded>
			<wfw:commentRss>http://andyitguy.com/2012/02/27/cudos-to-apple/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/df0f87a34a724532d87b3719b97f20f8?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">andyitguy</media:title>
		</media:content>
	</item>
		<item>
		<title>Making A Change</title>
		<link>http://andyitguy.com/2012/02/09/making-a-change/</link>
		<comments>http://andyitguy.com/2012/02/09/making-a-change/#comments</comments>
		<pubDate>Thu, 09 Feb 2012 19:21:31 +0000</pubDate>
		<dc:creator>andyitguy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[tablet]]></category>

		<guid isPermaLink="false">https://awillingham.wordpress.com/?p=1053</guid>
		<description><![CDATA[I&#8217;m making a pretty big change in my technology usage. I&#8217;m moving from a laptop to a tablet for my personal computing use. I&#8217;ve been wanting a tablet for a while because of the smaller footprint and less weight to carry around. I like the flexibility of a tablet as well. They can do most [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m making a pretty big change in my technology usage. I&#8217;m moving from a laptop to a tablet for my personal computing use. I&#8217;ve been wanting a tablet for a while because of the smaller footprint and less weight to carry around. I like the flexibility of a tablet as well. They can do most things that a laptop can do and there are lots of apps to choose from that work better on a tablet than a phone. It also gives me the convenience of an e-reader, which I&#8217;ve wanted for a while, and it&#8217;s better since I&#8217;m not limited to specific book formats.</p>
<p>Of course you have to be careful when you download apps. The potential for malicious behavior, poor coding and compromise are just around the corner. Hmm, sounds like the same problems PCs have with software from major vendors. This will be interesting as I work through the change and make the required adjustments. I&#8217;ve been at it for just over a week and so far so good. Let&#8217;s just hope that it stays good. This thing cost too much to toss aside.</p>
<p>So far my only real issue has been with some web pages not rendering properly. It&#8217;s not too bad and only happens on some pages. If anyone else has made the switch I&#8217;d love to hear your stories, good and bad.</p>
]]></content:encoded>
			<wfw:commentRss>http://andyitguy.com/2012/02/09/making-a-change/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/df0f87a34a724532d87b3719b97f20f8?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">andyitguy</media:title>
		</media:content>
	</item>
		<item>
		<title>No place for dishonesty</title>
		<link>http://andyitguy.com/2012/01/20/no-place-for-dishonesty/</link>
		<comments>http://andyitguy.com/2012/01/20/no-place-for-dishonesty/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 04:03:57 +0000</pubDate>
		<dc:creator>andyitguy</dc:creator>
				<category><![CDATA[Character]]></category>
		<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">https://awillingham.wordpress.com/?p=1049</guid>
		<description><![CDATA[Happy New Year! I hope each of you had a great holiday season and that 2012 has started off well for you. I know for me I&#8217;m really hoping that this year my life can slow down some but if the first 3 weeks of the year is any indication then I may be in [...]]]></description>
			<content:encoded><![CDATA[<p>Happy New Year! I hope each of you had a great holiday season and that 2012 has started off well for you. I know for me I&#8217;m really hoping that this year my life can slow down some but if the first 3 weeks of the year is any indication then I may be in trouble. <img src='http://s0.wp.com/wp-includes/images/smilies/icon_sad.gif' alt=':(' class='wp-smiley' /> &#160; For those of you who don&#8217;t know I&#8217;ve decided to take a short sabbatical from the Southern Fried Security Podcast. That was one area where I could step away and know that things would be in good hands and still keep some sanity. I don&#8217;t plan on it being a long break but don&#8217;t know when I&#8217;ll be back as of yet.</p>
<p>Now on to the actual reason that I&#8217;m writing this post&#8230;&#8230;</p>
<p>As many of you know, some hackers released source code for an older version of a couple of Symantec products. Symantec said that it would have no real impact on their customers because the code was for products that were 5 or 6 years old. They also said that the code wasn&#8217;t taken from them but from a business partner. I guess their conscience got the best of them because now they have decided to come clean and admit that the data was actually taken from them in a breach of their network. When you read the various articles the picture is still a bit fuzzy. Were they breached recently or 6 years ago? If it was that long ago why are we just now finding this out, or worse yet, why didn&#8217;t they know it until recently? If you read some of the quotes from Symantec spokesperson Chris Paden it almost seems to say that the breach happened in 2006 but they just discovered it. Lots and lots of unanswered questions and questionable comments and actions.</p>
<p>So what&#8217;s the point? Honesty, Integrity, Character, Trust. All things that people and companies need to embrace. Let&#8217;s face it we are living in hard times right now. Many companies are struggling and doing all they can to keep their heads above water and consumers (individual and business) are looking long and hard at where they are spending their money. They are also looking at the total value for their dollar and they want to know that the company they are doing business with isn&#8217;t trying to pull the wool over their eyes. I know that if a company changes their story and is vague on something like this then it says to me that they will do it in other areas and it erodes my trust in them.&#160; The same holds true for an individual. If you are not honest in some areas how can I trust you in others?</p>
<p>On Wednesday I noticed that Josh Corman (@joshcorman) posted the following couple of tweets.</p>
<blockquote><p><a href="https://twitter.com/joshcorman"><u><font color="#0066cc">joshcorman</font></u></a> Joshua Corman </p>
<p>If $SecurityVendor uses deception / social eng to separate you from your $$$, how are they not just another adversary?</p>
<p><a href="https://twitter.com/joshcorman">joshcorman</a> Joshua Corman&#160; </p>
<p>.<a href="https://twitter.com/gollmann"><s>@</s><strong>gollmann</strong></a> there are a lot of things $SecurityVendors shouldn&#8217;t do. Some abuse the implicit &quot;trusted adviser&quot; expectation more than others</p>
<p><a href="https://twitter.com/#!/joshcorman/status/159722534651174912">18 Jan</a></p>
<p>&#160;</p>
</blockquote>
<p>I’m sure most of us have stories of vendors gone wild. Ones who sold you what you didn’t need or what wasn’t right for your environment. Sold you too much or baited you with a little only to hit you with the big stuff later. Maybe they gave you a good deal on what you needed but took you to the cleaners on professional services to make it work. Sometimes it’s the company culture that encourages it and sometimes it’s just an unscrupulous sales person or an SE who is working off commission and wants a nice Christmas at your expense. The problem still goes back to character, integrity and trust. If they aren’t there then someone will get hurt.</p>
<p>To be fair it also happens on the side of the customer. Often times they will try to take the vendor for all they can get even if it’s lots more than they paid for. Maybe they broke something but they want to get it fixed for free so they will try to make it look like it was defective. I remember one time early in my career we were having problems with a data circuit and in my troubleshooting I determined that the problem was with the smart jack that our T1 terminated at. I called the local telco and put in a trouble ticket and they scheduled a time for a tech to be out to look at it. My boss called and told me to take a paperclip and short out the smart jack. The telco would charge us for a service call if it turned out that the problem wasn’t with their equipment and he didn’t want to risk having to pay. I refused to do it and it turned out that I was right anyway; the jack was bad. To me it just wasn’t worth tossing my integrity out the door to possibly save the company a couple of hundred dollars. Not to mention the fact that if I did that then what else would my boss expect me to do? It’s a slippery slope and we can’t afford to go down it.</p>
<p>Don’t get me wrong I’m not condemning Symantec b/c I don’t know all of the facts. They just happened to be the one that got me on my soap box.&#160; I hope that Symantec is able to clear this up and that we discover that the twisted stories are all the handiwork of a few individuals who can be replaced with people of integrity. I’d hate to know that it was a corporate culture of lying that was behind this. There are already enough companies out there who will do all they can to keep and make more money no matter who it hurts. We have enough “evil” companies out there already and we don’t need more. We need to be people of integrity and we need to demand it of the companies that we do business with.</p>
]]></content:encoded>
			<wfw:commentRss>http://andyitguy.com/2012/01/20/no-place-for-dishonesty/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/df0f87a34a724532d87b3719b97f20f8?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">andyitguy</media:title>
		</media:content>
	</item>
		<item>
		<title>Book Review: America the Vulnerable</title>
		<link>http://andyitguy.com/2011/10/17/book-review-america-the-vulnerable/</link>
		<comments>http://andyitguy.com/2011/10/17/book-review-america-the-vulnerable/#comments</comments>
		<pubDate>Mon, 17 Oct 2011 16:51:55 +0000</pubDate>
		<dc:creator>andyitguy</dc:creator>
				<category><![CDATA[information security]]></category>
		<category><![CDATA[Book Reviews]]></category>

		<guid isPermaLink="false">http://www.andyitguy.com/blog/?p=998</guid>
		<description><![CDATA[I love to read. Unfortunately I don’t have time to read too much but I do listen to books as much as possible in my car and when working around the house. I try to have at least one book in print that I’m reading all the time and often I’ve got 3 or 4 [...]]]></description>
			<content:encoded><![CDATA[<p>I love to read. Unfortunately I don’t have time to read too much but I do listen to books as much as possible in my car and when working around the house. I try to have at least one book in print that I’m reading all the time and often I’ve got 3 or 4 going at a time and I read a little here and there on each depending on my mood. Not too long ago I was asked to read a book and do a review of it on the blog. That book is “America the Vulnerable” by Joel Brenner. I get asked to review lots of books, mostly technical ones, and I usually refuse but this one I decided to accept because I love reading books like this. They are usually exciting to read, full of good information and help to raise awareness of the state of technology security. This book does all that and some.</p>
<p>Mr. Brenner is a former top-level NSA insider and he seems to have the inside scoop on a lot of pretty scary stuff. He does a good job of telling an interesting tale and doing so on a level that anyone can understand. He explains concepts that those of you who read my blog already understand but there is a chance that your parents and their friends don’t understand. He also doesn’t just tell a story or try to scare you. He offers some insight into some things that need to be done and can be done to make some changes that hopefully will make a difference.</p>
<p>I like the way that he calls out both public and private networks being behind the curve when it comes to security. He highlights things that you and I do every day that can impact your security, my security and everyone else on the internet. He gives examples of things that could happen and tells us about things that have happened. One of the things that I really enjoyed was a story about a “hit” that took place in Dubai. Those who were involved still haven’t been caught but the whole thing took place on camera. That is how we know what happened. Due to digital surveillance that occurs daily in Dubai those who participated were caught on video and the authorities were able to track them back to their original flights into Dubai. Unfortunately that’s as far as they were able to get. The point here though is that 20 years ago they would have never even known that much. Technology has its blessings in helping out with such things but it also has its curse because it has brought about the loss of privacy and anonymity in many ways.</p>
<p>This is a book that I like and would not hesitate to recommend to my friends and family. It has lots of useful info that will educate and inform those who need to know.</p>
]]></content:encoded>
			<wfw:commentRss>http://andyitguy.com/2011/10/17/book-review-america-the-vulnerable/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/df0f87a34a724532d87b3719b97f20f8?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">andyitguy</media:title>
		</media:content>
	</item>
		<item>
		<title>SC Magazine Debate</title>
		<link>http://andyitguy.com/2011/09/14/sc-magazine-debate/</link>
		<comments>http://andyitguy.com/2011/09/14/sc-magazine-debate/#comments</comments>
		<pubDate>Wed, 14 Sep 2011 14:38:34 +0000</pubDate>
		<dc:creator>andyitguy</dc:creator>
				<category><![CDATA[information security]]></category>
		<category><![CDATA[SC Magazine]]></category>

		<guid isPermaLink="false">http://www.andyitguy.com/blog/?p=995</guid>
		<description><![CDATA[A few weeks ago I was approached by someone at SC Magazine and asked to present a short argument in favor of Security Awareness Training. This is a &#8220;Point/Counterpoint&#8221; feature where someone else was to be against Security Awareness Training. Imagine my surprise when a coworker stopped by my desk to show her surprise at [...]]]></description>
			<content:encoded><![CDATA[<div>A few weeks ago I was approached by someone at SC Magazine and asked to present a short argument in favor of Security Awareness Training. This is a &#8220;Point/Counterpoint&#8221; feature where someone else was to be against Security Awareness Training. Imagine my surprise when a coworker stopped by my desk to show her surprise at seeing my name and picture in the magazine. She showed me the page and lo and behold my &#8220;foe&#8221; in this argument is Amrit Williams. How fitting considering the history that he and I have in disagreeing on topics in the past. Anyway, if you are interested you can find our thoughts either in the print version on pg 13 or by clicking on the link below.</div>
<div><a href="http://www.scmagazineus.com/debate-security-awareness-training-is-a-worthwhile-investment/article/209791/">http://www.scmagazineus.com/debate-security-awareness-training-is-a-worthwhile-investment/article/209791/</a></div>
]]></content:encoded>
			<wfw:commentRss>http://andyitguy.com/2011/09/14/sc-magazine-debate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/df0f87a34a724532d87b3719b97f20f8?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">andyitguy</media:title>
		</media:content>
	</item>
		<item>
		<title>Breaking out of compliance management (part 1)</title>
		<link>http://andyitguy.com/2011/09/13/breaking-out-of-compliance-management-part-1/</link>
		<comments>http://andyitguy.com/2011/09/13/breaking-out-of-compliance-management-part-1/#comments</comments>
		<pubDate>Tue, 13 Sep 2011 16:53:28 +0000</pubDate>
		<dc:creator>andyitguy</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[risk management]]></category>

		<guid isPermaLink="false">http://www.andyitguy.com/blog/?p=994</guid>
		<description><![CDATA[After my last post on “Risk Management or Compliance Management” Martin Fisher and I talked about it on the SFS Podcast. It gave me an opportunity to “rant” more and as usual Martin has some good insight into things. Ranting is fine for a bit but if that is all there is then why bother [...]]]></description>
			<content:encoded><![CDATA[<p>After my last post on “<a href="http://www.andyitguy.com/blog/?p=992" target="_blank">Risk Management or Compliance Management</a>” Martin Fisher and I talked about it on the SFS Podcast. It gave me an opportunity to “rant” more and as usual Martin has some good insight into things. Ranting is fine for a bit but if that is all there is then why bother to blog? There need to be some actionable items to move things forward, so here are some thoughts on getting back to Risk Management and away from “pure” compliance management.</p>
<p>I’m going to approach this from a generic angle because it will be different for each company due to many factors. This will probably work better for the SMB market due to the complexity of large enterprises but with some creative thinking you should be able to use this as a template for them as well. So if you are a security pro and are tired of doing compliance management instead of risk management, what do you do?</p>
<p>First you want to make a plan and prepare a strategy. Lay out the goals for what you want to accomplish. Who do you need to influence?&#160; Your boss, a business leader, company leadership?</p>
<p>A good place to start is with a good understanding of what you currently have. Do you know your environment? Do you have an asset list of all systems (hardware, OS, applications, services, accounts, etc.)? What patches do you have installed and what software updates do you currently have? What infrastructure components are in place? What are the various connections to the outside world? Do you have extranets? Things such as these are key to the next step.</p>
<p>Do a gap analysis to determine what you need to do to get from where you are to where you need to be. After that do a risk analysis on the gap. It doesn’t have to be fancy or even follow a particular methodology, just as long as you are doing a thorough job and not just looking at things through the blood colored glasses of a security pro. Talk to others who are in the business and can give you insight. Ask questions of others in different roles to help you understand better and be able to view the “problem” from the security angle, the business angle, the user angle, the customer angle. These things will help you when you present your recommendations because you can anticipate questions and concerns ahead of time and have answers and alternatives prepared. Plus it really adds to your credibility because they see that you are serious about this and not just spouting off.</p>
<p>Next you will want to look at ways to close the gap. Don’t just think technology. What process changes can be made? You will be able to answer this because you took the time to talk to others and learn from them. Are there policies in place that address this and if so do they address it fully or are there areas that need to be shored up? What about current technology that is already in place? Can it be used to solve some problems? Then look at “new” technology that could be implemented. Also don’t forget awareness programs and other training that can reduce the likelihood that someone in the company will make a mistake due to lack of knowledge.</p>
<p>Now go back and look at what you can realistically do given the resources available to you. Think about time, talent, money, etc. and build a case for doing what you can, but don’t stop there. Build the case for going beyond. Why is what you can do not enough? What risks will still be there that need to be addressed? Why do they need to be addressed? Explain it in a way that the business managers and others who are not security focused will understand. I love this “nugget” from Mike Rothman’s “Pragmatic CSO”: put together different presentations for Plan A, B, and C, with A being getting everything on your list, C being the minimum you can get by with and B being somewhere in between.</p>
<p>Once you feel that you have built your case(s), run them by others in the company who can help you refine them so that what you present to management is first class. After that, practice your presentation many, many times and make sure that you have asked the right questions (those that management will ask) and have your answers prepared.</p>
<p>Now it’s up to Management how they respond but at the very least if you have done this well you will build credibility so that next time they listen to you more closely and value your input.</p>
]]></content:encoded>
			<wfw:commentRss>http://andyitguy.com/2011/09/13/breaking-out-of-compliance-management-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/df0f87a34a724532d87b3719b97f20f8?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">andyitguy</media:title>
		</media:content>
	</item>
		<item>
		<title>Risk Management or Compliance Management</title>
		<link>http://andyitguy.com/2011/09/09/risk-management-or-compliance-management/</link>
		<comments>http://andyitguy.com/2011/09/09/risk-management-or-compliance-management/#comments</comments>
		<pubDate>Sat, 10 Sep 2011 03:07:21 +0000</pubDate>
		<dc:creator>andyitguy</dc:creator>
				<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://www.andyitguy.com/blog/?p=992</guid>
		<description><![CDATA[Timing is everything. Sometimes it works in your favor and sometimes it sneaks up and bites you in the butt. I wrote this last night (Thursday) and didn’t get around to posting it and then today I see several people pointing to this video on the very topic I wrote about. Oh well, here it [...]]]></description>
			<content:encoded><![CDATA[<p>Timing is everything. Sometimes it works in your favor and sometimes it sneaks up and bites you in the butt. I wrote this last night (Thursday) and didn’t get around to posting it and then today <a href="http://www.youtube.com/watch?v=CBdg0682Qzg&amp;feature=player_embedded">I see several people pointing to this video on the very topic I wrote about</a>. Oh well, here it is a day late and a dollar short.</p>
<p>I’ve been thinking a lot lately about “Risk management”. After all, that is the core of what a security professional is supposed to do. We help the business manage the risk that they face. Sounds great in theory but how well does it really work? What I’m seeing is not real risk management so much as compliance management. We are tasked with ensuring that the business doesn’t fall below the compliance threshold and that is considered risk management. We talk to the business about issues and give them our input on what needs to be done and we are told “that’s not required by regulation X or policy Z” so the business will approve the minimum that gets them “compliant” and they then go on about their merry way.</p>
<p>Some will say that if this happens then you are just ineffective in selling your program or solution and maybe that is the case from time to time but I think it’s a much deeper problem than that. The business is focused on doing business and they push back on those things that they see as being a hindrance. They are more concerned about ensuring that Customer Connie and Client Clint don’t have to do anything themselves to protect their interactions with the business. They don’t want to negatively impact the customer experience and I get that. Very few people like it when they are constantly being asked to verify their actions online and they will go elsewhere if given the opportunity. The problem is that the business has taken the hard line and wants security to be completely seamless and invisible to the customer. Now the business has become the department of NO. No, we don’t want to deploy something that requires the customer to take action. No, we don’t want to deploy a solution that will slow the transaction by 1/2 a second. No, we don’t want to change the way we code; we want you to install something that fixes (or hides) our mistakes for us.</p>
<p>The business has fully bought into the compliance mentality and doesn’t want to go beyond it. They tell us that they want us to manage risk but what they really mean is that they want us to ensure that they are not at risk of being out of compliance. Unless of course the compliance requires too much of them; then they want either a compensating control or to accept the risk and hope that it never comes back to bite them. Then once it does they blame security because we didn’t push hard enough or didn’t inform them of the potential for it to be this bad. Of course the 20 different emails and slide decks where we laid all of this out don’t matter at this point. It’s still our fault for not doing our job.</p>
]]></content:encoded>
			<wfw:commentRss>http://andyitguy.com/2011/09/09/risk-management-or-compliance-management/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/df0f87a34a724532d87b3719b97f20f8?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">andyitguy</media:title>
		</media:content>
	</item>
		<item>
		<title>OK Mr. Jobs…. You win</title>
		<link>http://andyitguy.com/2011/08/22/ok-mr-jobs-you-win/</link>
		<comments>http://andyitguy.com/2011/08/22/ok-mr-jobs-you-win/#comments</comments>
		<pubDate>Tue, 23 Aug 2011 03:27:01 +0000</pubDate>
		<dc:creator>andyitguy</dc:creator>
				<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://www.andyitguy.com/blog/?p=990</guid>
		<description><![CDATA[Everyone said it would happen. One day I would open my eyes and see the light. I’d have a sudden urge to rush to the local Apple Store and run up to a sales clerk (or do they call them “sales genius”?) and utter those magical, mystical words “I want a Mac!” Well, I’m thinking [...]]]></description>
			<content:encoded><![CDATA[<p>Everyone said it would happen. One day I would open my eyes and see the light. I’d have a sudden urge to rush to the local Apple Store and run up to a sales clerk (or do they call them “sales genius”?) and utter those magical, mystical words “I want a Mac!” </p>
<p>Well, I’m thinking that the time may be upon me even as I type. I’m giving serious consideration to going out and buying not one, not two, not three……. but FOUR Macs. One for each separate household in my family. That way when they have computer problems they will no longer be able to call me for help because I can’t work on them, won’t work on them and refuse to work on them! My sister got one a few months ago and I haven’t talked to her since. Not because I refuse to but because she knows that I can’t and won’t help her with Mac problems. One of my brothers-in-law got one a year or so ago and now when he calls we actually talk about things other than his computer problems. If it’s worked out so well in those two cases it’s bound to make my extended family relationships much better if they all have one.</p>
<p>Thank you, Mr. Jobs! I can’t believe it took me this long to see the light.</p>
]]></content:encoded>
			<wfw:commentRss>http://andyitguy.com/2011/08/22/ok-mr-jobs-you-win/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/df0f87a34a724532d87b3719b97f20f8?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">andyitguy</media:title>
		</media:content>
	</item>
		<item>
		<title>Focus.com Security Awareness Roundtable</title>
		<link>http://andyitguy.com/2011/08/03/focus-com-security-awareness-roundtable/</link>
		<comments>http://andyitguy.com/2011/08/03/focus-com-security-awareness-roundtable/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 20:31:24 +0000</pubDate>
		<dc:creator>andyitguy</dc:creator>
				<category><![CDATA[Focus.com]]></category>
		<category><![CDATA[Awareness]]></category>
		<category><![CDATA[Human Paradox]]></category>

		<guid isPermaLink="false">http://www.andyitguy.com/blog/?p=989</guid>
		<description><![CDATA[Next week I am teaming up with 2 good friends (Michael Santarcangelo @securitycatalyst; Chris Carpinello @chriscarpinello) and one new friend (Steve Ellis *steellis) to talk about security awareness and the Human Paradox. Join us on Wednesday Aug 10, 2011 at 2:00 PM EDT and if you can’t join then you can download the mp3 and [...]]]></description>
			<content:encoded><![CDATA[<p>Next week I am teaming up with 2 good friends (Michael Santarcangelo @securitycatalyst; Chris Carpinello @chriscarpinello) and one new friend (Steve Ellis *steellis) to talk about security awareness and the Human Paradox. Join us on Wednesday Aug 10, 2011 at 2:00 PM EDT and if you can’t join then you can download the mp3 and listen to it later (or several times).</p>
<p>The event is sponsored and hosted by <a href="http://www.focus.com/roundtables/security-awareness-roundtable-understanding-real-challenge/" target="_blank">Focus.com</a>. We would love to have you join us and join in the conversation.</p>
]]></content:encoded>
			<wfw:commentRss>http://andyitguy.com/2011/08/03/focus-com-security-awareness-roundtable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/df0f87a34a724532d87b3719b97f20f8?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">andyitguy</media:title>
		</media:content>
	</item>
	</channel>
</rss>
