October 23, 2007 - #33
Mike's Pep Talk:
"Dan: It's not safe out there.
Alice: Oh, and it's safe in here?"
- Closer (2004) [1]
I need to be honest here. I don't really like all the movies that I highlight in the P-CSO Weekly. Or songs either. Come on, I mentioned a Culture Club song once (Go Boy George!). So this week is one of those times where I need to make a point and a movie that went down like battery acid is going to help me do it.
For those of you that haven't seen Closer, don't bother even NetFlix-ing it. Ebert I'm not, but the whole lame psychodrama thing just doesn't work for me. It's basically the story of two couples that do some dysfunctional swapping action and involves a stripper, lots of infidelity, and basically four people trying their best to hurt each other. If I want to see that I'll just watch the nightly news.
Unfortunately I did see some parallels between these couples and how security folks and auditors tend to go out of their way to hurt each other. This was confirmed last week, when I addressed an internal auditors group in California. I basically went through a portion of the Pragmatic CSO pitch and also highlighted my stump speech on "How Focusing on Compliance Can Get You Killed!"
The session went really well and I had a lot of folks come up at the end and tell me how much they learned about what security folks are worried about. I knew that was going to be the case (it always is when I talk to auditors), but it still annoys me. The security folks and auditors need to be attached at the hip. There needs to be constant and focused communication, especially for internal auditors. Remember, we are all on the same team and auditors and security folks are looking to achieve EXACTLY the same goals. Basically it's about the reasons to secure.
Yet every time I talk to a security crowd, they are scared and intimidated by the auditors. They look forward to an audit about as much as their annual prostate exam (for the boys anyway). Seriously, it's got to stop. Auditors are people too. They are looking for guidance (which I'll discuss in this week's tip) and they want you (the security person) to be successful. They don't get any more money if they nail you to the cross.
So let's try to get a little "Closer" to the internal audit group. Maybe make an effort to get to know these folks. Who knows, your next audit may go a lot smoother. Stranger (and more damaging) things have happened.
In this week's issue:
- This week's P-CSO Tip: Feed your auditor [1]
- News clip: Online service shuts down to fix security breach [1]
Pragmatic CSO [2] website. Let's review that for a minute. I maintain that the job of the security professional is "to protect the assets of the organization and to ensure business can operate." The first reason we do what we do is to "maintain business system availability."
This week I'm going to highlight a situation where that didn't work so well. The operators of Eve Online shut the service down to address a security breach [3]. These folks run a multi-player online gaming network, and when they have to shut down to remediate an exposure, they are effectively out of business for the duration. They are not collecting money, and even if most of their revenue is subscription-based, they will end up having to refund some money to their customers.
This is a bad day for this organization and really highlights Job #1 for security folks. In my Daily Incite newsletter I floated the idea of a "security value destruction" meter and this kind of stuff makes the meter spin like a top. Whether it's real lost revenue, opportunity cost of not being able to sign up new customers, or brand damage from ending up as a poster child for what not to do, Eve Online will suffer from this incident.
And they are doing the right thing by shutting things down until the issue is fixed. It's probably better to not have the issue happen in the first place, eh? Or to find out about it and remediate it before you have to take your whole business down. Those able to REACT FASTER tend to live to fight another day.
Buy It Now!
Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step; take that step today.