Pragmatic CSO Weekly #33

Submitted by Mike Rothman on Tue, 2007-10-23 10:39.
Pragmatic CSO Weekly

October 23, 2007 - #33

Mike's Pep Talk:

"Dan: It's not safe out there.
Alice: Oh, and it's safe in here?"

- Closer (2004)


I need to be honest here. I don't really like all the movies that I highlight in the P-CSO Weekly. Or songs either. Come on, I mentioned a Culture Club song once (Go Boy George!). So this week is one of those times where I need to make a point and a movie that went down like battery acid is going to help me do it.

For those of you that haven't seen Closer, don't bother even NetFlix-ing it. Ebert I'm not, but the whole lame psychodrama thing just doesn't work for me. It's basically the story of two couples that do some dysfunctional swapping action and involves a stripper, lots of infidelity, and basically four people trying their best to hurt each other. If I want to see that I'll just watch the nightly news.

Unfortunately I did see some parallels between these couples and how security folks and auditors tend to go out of their way to hurt each other. This was confirmed last week, when I addressed an internal auditors group in California. I basically went through a portion of the Pragmatic CSO pitch and also delivered my stump speech on "How Focusing on Compliance Can Get You Killed!"

The session went really well and I had a lot of folks come up at the end and tell me how much they learned about what security folks are worried about. I knew that was going to be the case (it always is when I talk to auditors), but it still annoys me. The security folks and auditors need to be attached at the hip. There needs to be constant and focused communication, especially for internal auditors. Remember, we are all on the same team and auditors and security folks are looking to achieve EXACTLY the same goals. Basically it's about the reasons to secure.

Yet every time I talk to a security crowd, they are scared and intimidated by the auditors. They look forward to an audit about as much as their annual prostate exam (for the boys anyway). Seriously, it's got to stop. Auditors are people too. They are looking for guidance (which I'll discuss in this week's tip) and they want you (the security person) to be successful. They don't get any more money if they nail you to the cross.

So let's try to get a little "Closer" to the internal audit group. Maybe make an effort to get to know these folks. Who knows, your next audit may go a lot smoother. Stranger (and more damaging) things have happened.

This week's P-CSO Tip

Feed your auditor (I don't mean food)

Another of my general suspicions relative to auditors was confirmed last week as well. As I was doing my best to help the audience get into the heads of the security professionals, what they really wanted to know was how to audit PCI. Huh? Aren't the auditors supposed to know everything? Aren't they supposed to have all the answers and know exactly what they are looking for? Yeah, right.

Here is a news flash for all of you security folks out there who have hoisted the audit group up on a pedestal because they can write a report that results in significant road rash for you. They don't know any more than you do. In many cases they are looking for guidance on what they should be focused on and how they should be auditing a business system against one of the new (or updated) regulations.

Can you smell the opportunity? Right, we (security people) can be a little proactive, approach the auditors and maybe help them understand and interpret the PCI requirements. Or any other regulation for that matter. We can "set the table" and make sure that everyone is on the same page relative to what needs to be examined and how.

I know it seems like cheating, but it's not. Remember, internal auditors are on your team, so it's in both of your best interests to make sure there are open lines of communication and that expectations are focused and set accordingly - well before they show up to actually audit your stuff.

You don't have time? That's the usual response. That's a cop-out and you know it. I suggest you have a standing monthly lunch date with the head of your internal audit team. Talk shop, discuss things that are happening in the business, and strategize a bit about the evolving threatscape and how the auditors' tests can continue to be relevant to what needs to be done.

Also have a quarterly planning meeting with the teams. Again, this is about setting and managing expectations. I understand some organizations maintain a firewall between the security folks and the audit team. In my opinion that is stupid. So work hard to break down the wall and start cooperating with your audit team.

News clip: Online service shuts down to fix security breach

In the Pragmatic CSO Introduction, I talk about the 5 reasons to secure as a subset of what security is supposed to do for the company. You can get the introduction by registering on the Pragmatic CSO website. Let's review that for a minute. I maintain that the job of the security professional is "to protect the assets of the organization and to ensure business can operate." The first reason we do what we do is to "maintain business system availability."

This week I'm going to highlight a situation where that didn't work so well. The operators of Eve Online, a multi-player online game, shut the service down to address a security breach. When a company like that has to shut down to remediate an exposure, it is out of business for the duration. It isn't collecting money, and even if its revenue is mostly subscription-based, it will likely end up refunding or crediting some of its customers.

This is a bad day for this organization and really highlights Job #1 for security folks. In my Daily Incite newsletter I floated the idea of a "security value destruction" meter and this kind of stuff makes the meter spin like a top. Whether it's real lost revenue, opportunity cost of not being able to sign up new customers, or brand damage from ending up as a poster child for what not to do, Eve Online will suffer from this incident.

And they are doing the right thing by shutting things down until the issue is fixed. It's probably better to not have the issue happen in the first place, eh? Or to find out about it and remediate it before you have to take your whole business down. Those able to REACT FASTER tend to live to fight another day.

Buy It Now!

Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step; take that step today.

BUY the Book | Buy the PDF