Incite Redux: Day 2 - It's time for an Audit Revolution
Good Morning:
Some days I get to reflect on how lucky I am. I guess when you are
sitting on the beach, watching your kids enjoying life, it's as good a
time as any to appreciate all that I have. Of course, a unique
"feature" of my personality is to never be satisfied - to always be
striving for more. Yet, some days it just makes more sense to forget
about all that crap. My goals and aspirations of world domination will
be there when I return to the office and my daily rituals.
Until then, I think I'll just enjoy the fact that things could
be a lot worse.
Have a great day.
Incite #2: It's time for an audit revolution
Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet, the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation, treating the auditor as a peer and viewing the audit as a learning opportunity.
Read the original Days of Incite post on this topic.
6-month grade: B-
I need to come clean. Sometimes I get what's right and what's realistic
confused. Now there is no doubt that my ideas about how auditors and
auditees can work together are right on the money. I've heard enough
feedback from enough people I trust that not treating an audit or an
assessment like a 15-round fight is a much more productive way to go
about things. This approach is laid out in the Pragmatic CSO.
But then again, what's realistic tends to be constrained by people, and people don't really change readily - if ever. It reminds me of one of the great lines in You Don't Mess With the Zohan: "They've been fighting for 2000 years, it will be over soon." Unfortunately, that seems like the story we tell in the security business. We've always fought with auditors, and not fighting with them is kind of like asking for peace in the Middle East. Except I do think it's possible.
Just keep in mind that we are all fighting for the same thing - and
that's to protect the information and assets of the organization. The
auditors want to be able to prove that things are happening. Is that
all bad? Of course not, it's quite good - but it takes a different kind
of security practitioner to realize that.
What about the whole compliance golden goose? It's still alive and
well. As we look forward to the end of 2008 and into 2009, it seems the
global economy isn't going to be improving much at all. So we will face
even more budget tightening and scrutiny of our investments. Since
security is still largely an overhead function, it's going to be even
more heavily scrutinized.
So using the compliance card is not a bad thing at all. But do you buy something that is purported to help with compliance? Of course not. After all, a smart guy figures that GRC is dead. Buy what you need to protect your stuff. That hasn't changed at all. You still need to focus on Security FIRST! If you do that well, you'll be in decent shape for your audits and assessments.
In terms of a grade, the long term trend is intact and the
approach is solid. But it'll happen more slowly than I anticipated - so
I get a B-. Or go hug your auditor and prove me wrong.
Photo credit: "Monster Hug" originally uploaded by Alberto+Cerriteno
2008 DOI: Day 2 - It's time for an audit revolution
2007 Incite: CSO Next
A new breed of CSO emerges in 2007, focused on running security as a business. High visibility, setting milestones, communicating progress, prioritizing fiercely, outsourcing strategically, managing vendors aggressively, and embracing advisors and coaches are the hallmarks of “CSO Next.” This Pragmatic CSO needs to look more like an MBA type than a code jockey, which creates many challenges for the current generation of technically oriented CSOs.
2008 Incite: It’s time for an audit revolution
Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet, the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation treating the auditor as a peer and viewing the audit as a learning opportunity.
Back in September, I addressed a chapter of the Institute of Internal Auditors. My goal was basically to help them understand the mindset of the security professional, and how the technical CSO needed to transition into the CSO Next (described in 2007’s Incite) and why the auditor was a key cog in that wheel.
It worked. This was one of my favorite speaking gigs the entire year. The internal auditors were both shocked and appalled at how difficult it is to be a security professional, and how many counter goals and incentives are in place, which all too often makes the job of security a lose-lose endeavor.
The auditors also empathized with how acrimonious the relationship between security and audit had become. Kind of like the image at left. That's what most security folks feel like when they get out of the audit. But the conflict and friction took its toll on the auditors as well. They felt it every time they sat down with the security folks and, for the most part, they couldn’t pinpoint why it had gotten to that point.
Just as last year’s Incite was a call to the masses to get past our technical heritage and start thinking about security within a business context, the 2008 Incite is a similar call to action. We, as security professionals, need to understand auditors are on the same team as we are. We both want the same outcome, and that’s to have a strong security posture and protect the critical assets of the organization. It’s as simple as that – it really is.
Security folks tend to be proud people. We fight the bad guys every day, and as every good warrior is prone to do – we don’t like to admit weakness or ask for help. Unfortunately that usually ends up with the security person being thrown out of the car at a high rate of speed once something goes south. It’s a pretty unpleasant experience.
It doesn’t have to be that way. We can (and must) start treating the auditors as peers. We need to realize they see a lot more stuff than we do. That means they can actually help. We need to stop being perceived as infallible, which results in a largely defensive position. We need to start asking questions and listening.
Sure, the auditor may be wrong, but then again – maybe they aren’t. If you have your blinders and earmuffs on and your head in your backside due to some misplaced sense of hubris – you’ll never know. Since we are coming up on Valentine's Day, maybe get your auditor a box of chocolate or something. OK, I'm sort of joking, but not really. If you start the audit on a positive note, it goes a lot better.
Finally, I’ve also made a significant “evolution” of my position relative to compliance. For the past number of years (actually as long as I can remember), I projected compliance was a flash in the pan. And it really should have been. You don’t buy compliance, you buy (and implement) security. I always advocate a “Security FIRST” mindset, because if you are secure (to the degree that’s possible, anyway) – then you are very likely compliant as well.
Now I’ve come full circle, largely driven by being thumped on the head for years about my compliance position. I’m finally ready to embrace what many of you probably figured was inevitable. There always seems to be a new regulation coming down the pike. There will always be auditors showing up and assessments relative to a specific regulation to complete. So compliance is a fact of life for the security professional; we may as well make the best of it and figure out how to best use the compliance budget to get what we really need, which is good security.
Dark Reading's Top 10 IT Security Myths Demystified - Part 5
Myth #9 - Clean Bill of Health Attainable? (link here)
The fact is that auditors are paid to look for problems, and they usually find them, experts say.
Ah, the age-old battle between security people and auditors. I do find that most organizations fail audits frequently, and then they go into a weeks-long death march to get things right. Of course, as the DR folks point out, it's usually a failure of documentation rather than a failure of controls.
To be clear, this is our problem - not the auditors. Relaxing the documentation requirements won't fix things. I guess some reporting requirements are onerous, but deal with it. You need to have the data, if only to verify what you do on a daily basis and the value that you bring to the organization. As we learned in the UBS insider case, it's critical to document the stuff you do - or else the forensics folks will need to do it for you. So documentation is not a bad thing. Protection and documentation can be done synergistically. I promise.
All security folks need to get a little auditor empathy. Maybe we can make up some bracelets that say "WWAD." What would the auditor do? So when we are implementing new products or controls, we know we can get the right information out at the right time. It's usually a bad day when you figure out you don't have information as the auditor is breathing down your neck.
WWAD. Make it a mantra, and your life will be much easier. This was pretty good. B+ I say!
Myth #10 - More Spending = Better Security (link here)
There's no real way to measure your return on investment from hiring white-hats to run penetration tests and stage social engineering exploits. It's much more cost-efficient to train your own instead.
Man, DR really whiffed on this one. For one, the title is misleading. They are really talking about outside pen testing, not a broader security spending bucket. I do believe that more security spending does NOT lead to better security, but what does that have to do with pen testing?
What the so-called "experts" here missed was why companies engage outside resources for pen tests. It's pretty simple really. Management doesn't believe their own people. So getting someone in (even if it costs more money) to basically validate what the security folks have said is money worth spending to these folks. Sure, you could do it cheaper, but that won't give answers to the muckety-mucks. Sometimes we need to do things to give answers to the muckety-mucks.
That being said, training your folks to do poor-man's pen testing and social engineering attacks is a good thing too. I don't think it's an either-or proposition here. And looking at automated pen testing products to provide more sophisticated tools for your own internal use is a good thing as well.
Then when the outside folks show up, they either won't find much or you'll already know the answers. And that's a good day, when you know (and hopefully have already asked for money to fix) all the holes.
Well, that's it. I need to get working on some of my own myths.