I’m doing Security Awareness and Training.  This is aimed at the average user, so for me to be taking it, it’s like a Navy destroyer taking on a zodiac.

I’m not going to name the organization that this training was for, because they probably don’t want the rest of the world to know.  There’s a reason for this:  the training sucked.

It was 2 people talking behind a podium without any good presentation skills.  Even for security content which is slow sometimes, this was a new low.  The sad part is that it was some really smart people trying to teach their audience too much and in such a disorganized fashion that they ended up confusing most of them.

Mike’s version of what Security Awareness and Training should be for the average user:

• You have no privacy on our network or computers
• Doing this list of things will get you sent to a federal prison
• Doing this list of things will get you fired
• If you suspect something is strange, call the help desk
• If you have any security-specific questions, here is how you can reach me to ask
• Don’t do anything that seems stupid at the time, if you have to ask if it’s OK to do, then the answer is probably “no”.
• Have a nice day

Notice I don’t believe in trying to educate users what a firewall is, the basics of CIA, none of that.  They won’t remember it, just like I try to forget everything I know about asset depreciation and the other fine points of counting beans.

• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2
• White Professional Male Turned CISSP Seeks Mega-Sized Security Management Model
• What’s Missing in the way the Government does Security?
• Data Centers and Hair Driers
• Inside the Obama Administration’s Cyber Security Agenda

Compliance is a Dead-End

Compliance is aimed at one thing: limiting risks to the organization that writes or enforces the standard.  How’s that for “Bottom Line up Front” writing?

I’ve been a critic of approaching FISMA with an eye toward compliance, and I just recently started to look at PCI.  I’ve started to come around to a different way of thinking.  It all makes perfect sense for the people who write or enforce the standard–they’re cutting their losses and making the non-compliant organization take the blame.  It’s risk management done in a very effective Macchiavellian style.

For an organization looking to improve their security posture, taking a compliance-based approach will eventually implode on itself.  Why?  Because compliance is binary–you are or you’re not.  Risk management is not binary, it’s OK to say “well, we don’t meet the standard here, but we don’t really need to.”

If you base your security on compliance, you are spending too much of your time, people, and money on places where you shouldn’t be, and not enough on where you should be.  In engineering words, you have had your solution dictated to you by a compliance framework.

The endgame of all compliance is either CYA, finger-pointing, or both.  Look at how data breaches with both PCI and the government get spun in the press: “$Foo organization was not compliant with $Bar standard.”  As Adam Shostack says, “Data Breaches are Good for You”, the one caveat being “except when you are caught out of compliance and smeared by the enforcers of the compliance framework”.

I remember a post to the Policy, Standards, Regulations, and Compliance list from Mark Curphey back in the neolithic age of last year about “Do organizations care about compliance or do they care about being caught out of compliance?”  It makes more sense now that I look at it.

On the other side of the coin, what I believe in is risk management.  Risk management realizes that we cannot be compliant with any framework because frameworks are made for a “one size fits all” world.  Sometimes you have to break the rules to follow the rules, and there isn’t room for that in a compliance world.

• When Acceptable Risk is Not Acceptable
• Core Belief #2 — Risk Management Uber Alles
• My 2 Obsessions this Week
• Dictating Common Sense
• An Open Letter to NIST About SP 800-30

Learn Something from the Cavalry

Remember the old westerns?  The US Cavalry always comes riding over the hill just in the nick of time and rescues the hero ala deus ex machina.  It’s almost uncanny how the cavalry manages to show us their sense of timing, but if you’ve ever known or worked with the cavalry, they plan it that way–they’re the first well-known proponents of Just-In-Time methods.  Bear me out, and I’ll explain this grandiose statement.

According to the cavalry article at Wikipedia, the cavalry (more specifically, the light and medium cavalry) has the traditional roles of scouting, screening, skirmishing, and raiding.  When they engage, they pick the time and place to engage, and that gives them local numerical and firepower superiority when overall they have a disadvantage.

So think back to the Battle of Gettysburg.  It’s a classical meeting engagement between 2 19th-century armies.  You’ve got the Union Army on one side with very active cavalry under Brigadier General Buford scouting out ahead of it.  He sees the Confederate Army and choses the time and place to engage them in order to delay the Confederates and give the Union Army time to occupy the high ground South of Gettysburg.  The rest by now is well-known–the Union Army defeats the Confederates by defending the high ground and turns the tide of the war.

How does the cavalry master time and space?  They have some advantages that can be summed up in one sentence–they conduct reconnaissance activities in order to mass at critical points and times.  In other words, they know how to prioritize and it gives them an advantage on the battlefield.

One other thing that the cavalry realizes is the concept of friction.  It’s not a new concept, Clausewitz uses it quite frequently.  But it does make sense if you’ve ever gone to war:  things are never the best-case scenario.  Attack times get delayed because Private Smith left the tripod mount for the M240 in his ruck sack.  We can minimize friction to a manageable level, but it’s still present in even the best-planned and best-executed mission.

In information security management, we’re trying to accomplish the same thing.  We use metrics as reconnaissance to find out the times and places to mass our forces.  We use risk management and triage techniques in order to prioritize our scarce resources to engage and destroy the superior enemy.  We account for friction by having a layered approach–if you will, defense in depth.  We use our local advantage in order to shape the remainder of the business engagement.

Yes, we have much that we can learn from the cavalry.  And in the end, we might ride over the ridgeline just in time to save the day.

• Core Belief #2 — Risk Management Uber Alles
• Puzzles v/s Mysteries
• The Long Tail and Security Posture
• Reading Between the Letters G, A, and O
• Ack! With the Mandates!

A little-known piece of trivia:  in the original ending to Pretty in Pink, Andie picks her geek friend, Duckie.  The test audience didn’t like this, so they refilmed the ending where she picks Blane.  This was a perfect opportunity to show the world that geeks are cool in their own way.  But peer pressure won out in the end, just like it always does.

The moral of the story is, even in the movies, geeks don’t get the girl.  And we’ve been suffering ever since. =)

Pretty in Pink trivia at IMDB

• Driving Wiping
• MREs and Bad News
• It’s Time for an Exit Strategy
• No, Really, Mom…
• What’s Happening at Wired?

Risk Management Above All

I have people come to me all the time relating something to what they want to do with whether a particular system has been certified and accredited yet.  My answer is almost always “I don’t care about C&A, I care about risk management!”
I’ve worked on projects where my goal was, if I accomplished anything else, I was going to teach the team how to do risk management.

Why is risk management so important?  Well, for starters, you need to go into information security management knowing and accepting the following facts:

• Fact: There is always a shortage of money
• Fact: There is always a shortage of people
• Fact: There is always a shortage of time
• Fact: You will always have shortages because if you have enough resources for security, you slow down progress on the business end.

Let’s look at a related scenario from a different industry — a hospital emergency room — for some insight.  They deal primarily with time and people, and they only have so many resources to manage.  That means that they have to prioritize who gets helped first.

Inside of the emergency room, they have a pretty well-established process to determine who gets the help first.  They perform triage to evaluate and prioritize patients into categories then they treat the worst first.

Sounds like risk assessment and risk management, doesn’t it?  Good information security managers know how to do triage.  That’s how you budget out your time, people, and money.  The rest is basic project management skills.

• Core Belief #4 — Compliance is a Dead-End
• Core Belief #3 — Learn Something from the Cavalry
• Another Day, Another Vendor
• Core Belief #1 — Security is not Different
• My 2 Obsessions this Week

This week, I’m doing a series on some of my core beliefs as an information security manager.  I’ll put up a good blog post each day on something that I hold close to my heart.

• Core Belief #1 — Security is not Different
• Stands Alone
• Moving
• A Story About Potatoeseses
• Layers Upon Layers of Oversight