A holistic approach to information security needs to address a corporate strategy for buying or building solutions. Such a strategy will have an impact on how a company looks at staffing and technology investments.
There are two basic ways to look at major investments of information technology and information security: you can buy or you can build.
Option A: The BUY model
In this model, an organization selects industry standard tools and technology, and aims to hire above-average to guru-type employees who will integrate the technology into the corporate environment. The staff is reasonably interchangeable in this model, although technology costs are on the higher end for implementation. Ongoing maintenance costs are average.
Option B: The BUILD model
In this model, an organization hires the best and brightest, and uses software and/or hardware components to build custom solutions for the organization. This affords the greatest flexibility of tools, but requires higher staffing costs, and support and maintenance are tied to the staff for the full lifecycle of the solution. Staffing changes are a bit more traumatic to the organization, and knowledge transfer is more important than in the BUY model.
Both approaches have merit, but they impact the company’s cost structure in different ways. Option A puts more emphasis on purchasing the right tools. Option B puts more emphasis on hiring strong technologists who will build the right tools and frameworks for the organization. Either way, you always need good, dedicated people, but the specific skill sets required of the staff will differ between the BUY model and the BUILD model.
There is no *best* option, especially when you include factors like availability of skills, time to hire, competition from other companies, etc. Not only is it valid to use either option, but it is valid to use a combination of both options. A major constraint is the existing staff, and this often heavily influences the direction that an organization ultimately takes. Once the company has settled upon the model that will define the general direction of their investment strategy, they need to do two other things:
1. Identify the security risks facing the organization and prioritize their remediation.
2. Start simple with every investment, then evaluate for possible expansion after it has been implemented.
Identify Risks & Prioritize
It is almost impossible to resolve issues that are not known to exist, and without that knowledge it is extremely difficult to set priorities and make wise choices about investing time or money, so the identification of risks must be performed. It must also be updated regularly. A stale risk profile is in many ways much worse than a non-existent risk profile, as it can lead to a false sense of security.
Round One: Simple Solutions
Once risks have been identified and prioritized, every attempt should be made to implement a solution that balances simplicity and thoroughness. Whether the solution is built or purchased, the goal is to get something useful in place that will address the key risks identified, with the expectation that it may be replaced or expanded within 12-15 months.
Ideally, the initial deployment should take no more than 4-6 weeks, and should cover a minimum of 80% of the initially understood needs of the organization for the risk it is intended to address. Getting something in place quickly and cheaply will be of immediate benefit to the organization, and it will help expose which features are really needed by the organization vs. those which were only nice-to-haves.
For organizations employing the BUY model, this makes it much easier to evaluate the merits of the vendor feature lists that will be vying for the corporate budget.
Organizations employing the BUILD model can quickly get to work on another “Round One” project, and start putting the necessary team, budget and executive support in place for any “Round Two” projects which have been identified.
For SMBs that have a limited hierarchy and are not used to any sort of formality in solution procurement, embracing this strategy can be a very effective way to add some needed process maturity without becoming overly bureaucratic. The value of a size-appropriate cost/benefit analysis, and the introduction of some process discipline into the planning, procurement and deployment methodology, cannot be overstated for SMBs.
Remember: Enhance the security posture of your organization by assessing the needs and make-up of your business in order to select and implement the appropriate investment strategy. Then, you can begin to mitigate your technology-focused business risks quickly and cost-effectively.
You can think of it as Agile Security, if you really want a buzzword to work with, but it is just as effective even without a cute name. Don’t delay – get started today.
In recent years, it has become popular sport to blame information technology (IT) departments and IT leaders for failures – real or imagined – which adversely impact business operations. Even some technology trade journals seem unable to get through a single issue without finding some point upon which to lambast a CTO or CIO for not “stepping up to the plate”, or adding value, or some other business sin.
This trend was clearly seen in two recent articles on InformationWeek (6 Ways IT Still Fails The Business and 5 Ways Business Still Fails IT), the first of which generated a firestorm of responses. Sadly, even with all the worthy rebuttals, there were key points that I felt went unstated.
Of the many “IT is a failure” complaints which are regularly made, I propose to challenge two of the most popular:
- The IT department is too focused on the technology and not on business initiatives or innovation.
- The IT department is just not effective for the business (not skilled, not motivated, too costly, too slow, etc.).
Technology for Technology’s Sake
If you take a good look at where organizations are spending a lot of time and effort today, it is likely on “Big Data,” Social Media, Mobile Computing, and Cloud Computing. Now, take a moment and ask yourself: was it IT that asked for spending on these initiatives, or did the requests originate elsewhere in the organization?
Who was it that decided that it would be a good idea to allow consumer devices onto the corporate network, in the first place? Given the negative feedback from the vast majority of my friends and colleagues, I’ll bet that it wasn’t the IT department.
Who was it that determined that social media was vital to the business? I’m guessing that the answer is not IT.
These are just a few of the most recent examples of embracing technology for technology’s sake. And they make good examples because very few organizations have taken the time to analyze and document the anticipated benefit these technologies are supposed to bring them. Most of these initiatives were not pursued because of a compelling cost-benefit analysis, but because a senior executive read something on an airplane or heard something on the golf course. Yet it is the IT team that gets blamed for a myopic focus on technology.
There may have been a time where IT was focused on implementing technology for its inherent coolness, but that hasn’t been a problem for at least a decade. Virtualization, VoIP, Blade Servers, Gigabit (and 10Gbit) networking have all been implemented for real benefits, including business flexibility, better cost management, improved security, and streamlined operations. Of course, those investments required brutal cost-benefit analysis and substantial vendor negotiations, not just a “make it so” mandate from one or two executives.
Frankly, the truth is that most IT departments are spending too little time focused on the technologies they are being asked to rapidly evaluate and deploy. Due to the sheer number of projects that must be managed simultaneously, most IT departments have little time to spend in proper planning, much less proper deployment. As I mentioned a little over a year ago, technology is getting more complicated, not less complicated, and this means that more time should be devoted to planning and deploying robust architectures, yet the opposite continues to occur – and IT gets all the blame.
Organizations don’t want to make the necessary investments in security or long-term technology operations, but they just know that giving everyone an iPad is going to add revenue to the business in some magical way.
The second complaint, that IT is just not effective for the business, is the one that raises my eyebrow the most. If IT is really worthless, then why do organizations put up with it? Who is really to blame for an organization having a lame and ineffective IT team? Do the people in IT hire themselves? Do they set their own job descriptions, and then show up and start paying themselves? Does an organization just wake up one day and find that it has an IT staff which descended from the sky and took up residence, but cannot be removed?
It is as ridiculous for an organization to complain about its inadequate and ineffective IT team or IT leader as it is for a person to complain that his or her arm is not doing what the rest of the body wants or needs. Short-term failure can be blamed on a person or a team, but long-term failure of any department is ultimately a reflection of the senior leadership of the organization. This is why, in sports, coaches and general managers get fired for extended team failure – even more so than players get traded. (Yes, salary dynamics are a factor, of course, and not every firing is a fair or accurate one, but those leaders are paid big bucks to make things work, and they pay the price when they cannot.)
Most organizations end up with the IT department that they deserve. Companies are either unwilling to pay for what they need, or they fail to seek the right skill sets, or they fail to cultivate an environment where growth, training and mentoring are readily available. Many organizations fail to provide sufficient time or resources to accomplish things properly, then they wonder why they can’t hold on to people who are interested in doing things properly.
In my experience, organizations that have a culture of good planning and good communication, tend to have good alignment between all their departments. Similarly, those companies which have very fluid and shifting business “plans,” and which make adjustments by the seat of their pants – with little in the way of good communication – tend to have a lot of conflict between departments and department heads.
Lots of literature over the past decade has been focused on telling IT just how it should behave to be more successful in the business. Some of that has, admittedly, been useful. Yet if even a third of that literature had sought to teach business leaders about their role and responsibility in having good IT teams, there would have been even more significant gains for organizations. Organizations that don’t want IT to be a cost center should stop treating IT like a cost center. Organizations that want IT to lead innovation should create a culture where IT can lead or contribute significantly to innovation.
In sports, owners have learned to build their teams around the skill sets of the players that they have, or go out and find the players that they want, so they can build the type of team they want. It is quite silly to deliberately hire people who can only build cars, then call them inadequate and delinquent because you really want to build your business around producing airplanes.
Look at how many super hyped IT outsourcing deals fail – because the problem was NOT necessarily with IT, but with the business in general. Outsourcing what is not well managed or understood does not suddenly make it better managed or understood.
Organizations hurt themselves when:
…they are unwilling to take the time to understand any of the implications of the technologies they plan to deploy.
…they are unwilling to listen to the people they have hired to manage the technology they use.
…they don’t take the time to integrate all of their teams and resources into every business initiative in a holistic fashion.
…they think that blaming IT actually solves a problem or makes them look superior in any way.
If an organization’s IT department and IT leader are not up to par, maybe senior management should spend some time determining if they have identified what par is, and if they have communicated that adequately to anyone else, like HR or IT itself.
Business leaders: It’s time for you to step up to the plate and get involved in making the organization you say you want. Blaming others for situations and outcomes which are ultimately yours to manage is nothing less than an acknowledgement of your own poor leadership.
IT leaders: It’s time for you to take control of your career, and provide a better career path for your team members by taking advantage of your unique placement within your organization. From your vantage point, you can see how everything that the business is doing ties together, and you can anticipate ways to add value and reduce risk. Don’t allow this competitive advantage to be wasted. Remember: accountability without authority (or suitable influence) is simply a fool’s errand, and you have no time for that.
Industry Pundits: Yes, it makes you more popular with businesses to bash IT mercilessly, but let’s be real: IT failure is senior executive failure. Maybe you should take the time to tell them that on occasion. It will be better for everyone involved.
Back in September 2012, I wrote two articles for Point2Security on how to effectively handle breach notifications:
Sadly, too many organizations are doing something entirely different when it comes to post-breach notifications. I like to take the time to read various breach notifications and see if I can get additional clues from what is said and how it has been said.
Let’s take a couple of recent examples and see what we can find:
South Carolina, Department of Revenue
In the South Carolina breach, here are several of the statements that stand out to me:
S.C. DOR last week announced that approximately 3.6 million Social Security numbers and 387,000 credit and debit card numbers had been exposed in a cyber attack, and today state officials said that information from up to 657,000 businesses was also exposed.
My Translation: We know that hackers were on our network, and we know that they likely had access to the area where SSN info and credit/debit card info is stored, but we have no tools in place to verify access one way or another, so we have to suggest that they could all have been accessed.
"South Carolina is compliant with IRS rules, but the IRS does not require SSNs to be encrypted, she said," wrote Computerworld's Jeremy Kirk. "The state will now encrypt SSNs and is in the process of revamping its tax systems with stronger security controls. She said she has sent a letter to IRS to encourage the agency to update its standards to mandate encryption of SSNs."
My Translation: Despite rampant news of breaches and attacks, we are not going to try to keep up with any best practices unless absolutely forced. You can only imagine what security tools and training we have in place.
Etter (James Etter, director of Revenue Department) also disclosed Tuesday that the hacker was able to breach the Revenue Department’s system by somehow obtaining employee credentials. He said about 250 employees have special credentials that allow them access to the system. He declined to say whether the state knew whose credentials were used.
My Translation: Due to the lack of monitoring, it has been difficult to determine which credentials were used. And, we’re kind of embarrassed as to whose account seems to have been breached, so we’re trying to figure out a good way to phrase it. Look for a resignation soon, which might give some clues.
From the executive order signed by the governor on October 26, we see the following:
NOW, THEREFORE, I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies, on a comprehensive and holistic basis, pursuant to his authority under Chapter 6 of Title 1 of the South Carolina Code of Laws with the following additional guidance:
My Translation: Most, if not all, of our major agencies are currently lacking an information technology officer – certainly not one with the clout to implement policies and procedures. This might explain why our technology infrastructure is so inadequate as it pertains to security (and probably IT operations in general).
The remainder of the executive order highlights a lack of leadership and staffing for both the information technology and information security teams.
Zaxby’s
As for Zaxby’s, I found it interesting that the breach announcement wasn’t even on the home page. I had to go to the News page, and then click on Security Awareness, which took me to an entirely different domain: DataPrivacyInformation.com. I’m sure that there are a couple of legitimate reasons not to have one’s security and privacy notices attached to one’s primary domain, so I won’t comment further upon that.
Credit card processing companies identified certain Zaxby’s locations as common points of purchase for some fraudulent credit card activity. Zaxby’s Franchising, Inc. assisted those stores in reviewing the issue, and during the course of the investigation identified some suspicious malware files on the licensees’ computer systems at several Zaxby’s locations.
My Translation: We lack any effective tools and processes for monitoring breaches, and so we were reliant upon the credit card processing agencies to notice something with their anti-fraud systems. Additionally, we feel free in using the term “several” to represent any number greater than two (2), but less than one thousand (1000), since the number of affected stores is close to one hundred (100).
Although the forensic investigation has not determined whether credit or debit card data left the processing systems of any of the locations, Zaxby’s Franchising, Inc. is concerned that the existence of the suspicious files could indicate that an attacker or attackers may have accessed data, including credit and debit card information.
My Translation: We know that there is malware on the systems, but because we lack any tools to monitor traffic, we cannot determine if the files were taken or accessed, so we are assuming that they were – to be safe.
Zaxby’s Franchising, Inc. is working with all of its store locations to implement additional security measures to prevent further intrusions. A list of affected store locations can be found by clicking here and will be updated as appropriate.
My Translation: Looks like we finally have a solid business case to purchase the tools and hire the staff that were previously requested. We’ll likely implement an IPS and some monitoring tools. If customers are lucky, we’ll add encryption this time around.
Below are just a few of the coded messages in most breach notifications:
- If encryption is not mentioned, then it isn’t in place.
- “Implement additional security measures” means “buy some security tools, especially monitoring, and possibly encryption.”
- “Improve our processes and procedures” means “develop an information security policy, and apply more firewall rules to stop the wrong people from having access.”
- “Streamline our security operations” means “hire a separate security team, and split that role from the operations team.”
- “Takes security seriously” means “despite how the rest of this report sounds, …”
If organizations would stop assuming that they will never be hit, they would be better prepared to stop, catch or greatly limit attacks, and they could issue more reasonable breach notifications.
In 2012, the writers of malware and the attackers of networks were very busy, using both social engineering and increased technical sophistication to fuel an increased number of attacks.
Not incidentally, mobile devices just flew off the shelves this year, with predictions that over 122 million tablets and some 717 million smartphones will have been sold when the tally for 2012 is complete.
Quite a few of those devices were connected to corporate networks, and even more will be connected next year. Cloud computing is real. Bring Your Own Device (BYOD) is real. Businesses are trying to do more with less, and employees desire (and are often required) to access the corporate network from more places than ever before.
Because small and medium businesses (SMBs) are leading the charge in public cloud adoption and BYOD adoption, they are opening themselves up to increased risks from attackers. Additionally, SMBs are seen as the organizations least likely to have the tools or people to notice a breach, much less prevent one, so the attacks will be fast and furious.
No, the answer is *not* getting rid of mobile, or staying out of the cloud (or, for that matter, off the internet). The answer involves not pretending that these risks don’t exist. SMBs are going to need to be ready to build a real security architecture that is very much interwoven with their business operations. They’re going to have to be willing to bring smart, motivated information security focused people on board, even if – especially if – they decide to go with managed security services.
I expect that many SMBs will wait too long to embrace security as they should, and they will pay the price in 2013. The attacks are growing, so it is inevitable, and smaller businesses do not have the luxury of enough funds or a large enough client base to survive a major breach to their operations the way larger organizations can.
Expect to see the new year start off with a bang, as attackers up the ante in the fight against SMBs. Hopefully, many organizations will choose 2013 in which to learn the lesson of increased information security and risk management. It’s way beyond the cost of doing business: It’s now the cost of ensuring that you can continue to do business…
Have a safe and blessed 2013, and make sure you’re taking security seriously – not just at those moments when a breach is making the news…
Earlier this week, I read an article about unemployment and the struggles of those coming out of college and graduate school who are seeking jobs. A surprising number of people were simply spouting the rhetoric that people who don’t have jobs are simply lazy and feeling entitled. May God have mercy on those who posted, such that they never have to be out of work in this economy. The whole planet is not divided into Lazy and Successful. At least some of the people who are successful (or deemed so by society) are quite lazy, and some of the hardest working people are unfortunately destitute, or at the very least, currently jobless.
Job hunting is a complex beast. This is true in general, but even more so in recent years. To be successful, every job hunter needs to have good relationships with recruiters, potential employers, and people of influence.
This is a different way of saying, “It’s who you know AND who knows you.”
The phrase above tends to invoke thoughts of cronyism and favoritism, but the fact is that people prefer to deal with people that they know and/or trust when it comes to business. No matter how you say it, what it all boils down to is this: if you want to have a chance in the job market of the 21st century, you will need to focus as much energy on your relationships with people as on how much skill you have to complete tasks and projects.
I read an interesting article on the CNN Money website this week about the “age of the freelancer”, and it mirrors what I’ve been thinking for some time. I expect that there will be more people working for themselves in the coming years just because of how volatile the economy is, and the relative lack of security in employment. What I found most interesting, however, were the comments on the website bashing self-employment. In the history of mankind, the balance of time has favored people being self-employed rather than working for someone else. Only in recent decades has this balance shifted, and while it might have started out rather favorably for all concerned, it really hasn’t favored the employee that much in the past decade or so.
Freelancing, consulting and other forms of self-employment are well recommended in these times. No, they’re not for everyone, but neither is corporate employment. But, even if one goes down the now traditional employment route, it is vital that one make use of one’s professional network. Employees and candidates need to have just as vibrant and active a professional network as do consultants and small business owners. And a good network takes some time to build up.
Job hunters will need to make good use of social media, adequately maintain a consistent social profile, and use all channels to connect to potential employers, in addition to their use of the traditional job hunting tools. They need to make it their business to talk to good recruiters, and work with resume coaches that understand social media, so they can take advantage of the channels that employers are using for their job searches.
While hard work doesn’t guarantee success, a failure to pursue every viable angle to get your name in front of prospective employers will almost certainly guarantee failure. Job hunters need to think about and present their value in terms of what the employer needs to move ahead. That is not to say that candidates should be willing to do anything without regard for their own goals, but how those goals are presented and expressed needs to be carefully considered.
For instance, asking “What are the ways that you like to be able to reach your staff off-hours?” is a much better way of determining what the expectations for off-hours work might be than asking, “Will I need to be on call regularly?” or “What are the average hours you put in each week?”
Likewise, “How long has the core team been together, and what sort of projects have they completed?” is a better question than “What’s the turnover rate, and why do people leave?” That’s not to suggest that you don’t need to know this information, but that you want to approach the information gathering in a way that doesn’t expose anything an employer might choose to interpret as a red flag.
If you’re in school right now, you should be looking for potential internships and building relationships with professors and other school personnel who will be able to connect you to potential employers. And please, please, please, start straightening out your social media profiles! Seriously. Things don’t go away on the Internet – especially not these days – and you need to control your digital presence because employers will be looking at it and making decisions based upon it, regardless of the legal landscape.
If you’re already on the job market, then you would be well advised to seek out a career coach who is also adept with social media, and get to work. Blindly shooting out resumes is not nearly as rewarding as you think (as you may have already found out). Social media isn’t a panacea – it’s another tool to help you build and manage useful relationships.
And relationships are ultimately the thing that helps you get jobs – whether as a consultant or as an employee.