I ran into an interesting scenario yesterday concerning Lines of Business and security.

In case you’ve never heard about LoB, the short story is that each government agency becomes an expert in one area and then sells their services to other agencies. This is good, it gives the executive branch as a whole some economy of scale and significant cost savings. Over the next year and beyond, the Office of Management and Budget (OMB) will be pushing agencies towards LoB offerings from other agencies.

LoB information from the Office of Management and Budget

The problem is, when it comes to the security side of LoB, I don’t think we’ve figured it out yet, and our current security governance model doesn’t work.

Here’s the typical scenario, and it will get more common: If I am an agency who is getting pushed towards using one of the other agencies as a LoB provider, then effectively I’m outsourcing. The problem comes when the provider does not have any security program at all or they do not value the service at the level that I value it at.

No big surprise, security inside the government varies widely. Love it or hate it, that’s what FISMA (the law itself) is aimed to fix, and the highly-scorned FISMA scorecards provide us with a very, very, very high-level metric on an agency-wide basis.

So how do I help/force/coerce my LoB provider to increase their security? This is where the current IT security governance model fails. There are many reasons, here is a short list:

• Current model is focused around one agency owning a system
• Current model does not consider jointly-owned IT systems
• Government does not fully understand a shared service provider model

Inside the Department of Defense, they have a great way to deal with this. They have a system register and everybody puts their system and its vulnerabilities into it. Then if I want to connect or share data with somebody, I can see what all their warts are. However, the civilian agencies are not at this level of maturity.

In order to make LoB work, what needs to happen is for the agencies to learn how to become contractors. This means that if I am offering up a service under LoB and a client agency wants a higher level of security than the system currently provides, then we need to talk about how the funding works out. It doesn’t make sense for the service provider to absorb the cost of the improvements because they don’t have a need for those improvements, but on the other hand it doesn’t make sense for the client agency to pay for 100% of the improvements when the provider agency can now turn around and sell their services to other agencies at a higher rate. Probably the outcome of this discussion is a Memorandum of Agreement with the client agency funding 50% of the improvements.

Short end of this debate is that we need to start having these conversations now.

• Ack! With the Mandates!
• Feds to Embrace SaaS, End is Nigh for Security!
• Compensating Controls
• Clearances and Economy of Scale
• You Didn’t Outsource Your Responsibilities

Random thought for today:

I have a very common name.  It’s mostly accidental (not my name at birth, I’ll let you extrapolate from there) but it has some interesting side effects when it comes to anonymity.

For instance, I know 2 Michael Smiths inside DC who are Information Security practitioners.  That means that I can’t find myself on Google even if I know what I’m looking for.  For all practical purposes, I’m about as anonymous as you can get in today’s world.

• Hello World
• Alternative Uses for System Security Plans
• Communicating the Value of Security Seminar Preview
• MREs and Bad News
• Subversive Music

Sounds like a neat idea.

DC Demo Camp 2

• Et Tu, TIC?
• Privacy Camp DC–April 17th
• My System Environment
• Volunteer to be Tracked
• Hack Disaster Relief

During a recent conversation with Mark Curphey, we hit on a good idea.  I have all these little stories that are about the secret activities around my data center and the bubbling stew that is the security community in the DC area, and I’m thinking about some way back-alley information that nobody on the outside knows.  This conversation was the birth of The Guerilla CISO.
Think about The Guerilla CISO as sort of a Bastard Operator from Hell for the Information Security Management World. =)

• The “C-Word”
• Guerilla CISO Tip: Get Inside the Data Center
• CISO’s “Book of Death” for June 22nd
• CISO Trick: Know the Hiding Places
• How I Became the Owner of Two Rogue WiFi APs

I’m just speechless.  I think this has to be the InfoSec news scoop of the year!!

Sex Lube Maker’s 250K Customer List Slides Onto Net

And honestly, it was some other Michael Smith.  Really it was!!

• Self-Quote Time #2
• Barcode Hacking
• Self-Quote Time
• Communicating the Value of Security Seminar Preview
• Evolving the Physical Hacking at Security Conferences

Back in my army days, most good leaders carried around a book with info on their squad.  We jokingly called these our “Book of Death”.

Anyway, I aggregated all the spreadsheets I’ve used over the past year, sanitized them, genericized them, and put them up on the web.  Feel free to borrow heavily or let me know what maybe needs to be added or expanded.

Really, I’m just testing the waters to see if there is interest in taking something like this on as a full project or if it should remain a Mike Smith skunkworks project like it has been so far.

CISO’s Book of Death V0.1

• William Jackson on FISMA: It Works, Maybe
• White Professional Male Turned CISSP Seeks Mega-Sized Security Management Model
• Our “Peace Dividend”: DISA SRR Scripts
• CISO’s “Book of Death” for June 22nd
• All Quiet on the ISM-Community Front