Enforce the policies
Enforce the policies through incentives. Make sure that you actually use the policies, or they may be useless when you try to enforce them 5 years down the line.
Follow up policies with technology
Use technology to control and enforce the policies. Never develop policies to adapt to the technology - it must be the other way around. If in doubt, hire a specialist.
Review and audit regularly
Technology, markets, regulations and people change all the time. Policies need to be audited and adapted as you go - regularly. Make sure employees are allowed to suggest changes. If errors are discovered - make sure to act swiftly to update the policy.
Corporate governance is key
Corporate Governance is not just a new buzzword. It is only a new name for an age-old best practice.
1. Set targets / visions
2. Draw the path through strategies and tactics.
3. Compare the outcome with targets/vision.
4. Start over
The purpose is simply to put forward a set of methods to ensure quality, traceability and documentation. You can do it on a large scale or a small scale - the principles stay the same.
Remove the bad apples
Bad apples must be handled correctly. Get rid of them by using their forces and turning them into valuable gems.
Or, throw them out of the basket.
------------------------------
This is part two of the article Bad advice for good security, as it appears on Risksopportunities 2007.
Part one is available here.
In an organization, there are rules. Rules are there to be followed - like it or not. To make sure that the rules are followed, most of them are written down as procedures and policies. That makes it easy to control, and change when necessary. The challenge is that not everyone follows the rules.
Policies enforce behavior
Humans are different - some are energetic and full of ideas, some are very focused on detail and control. Others prefer a nice workplace where everyone is happy and calm. Others again like to be in control and drive their own agenda forward. The more people you put in a room, the more diverse the group will be. And without clear leadership and management, the group will not be able to efficiently come up with anything but noise.
In a corporate world the same scenario is true. You need to control your employees and join their efforts to push in the same direction. On a day-to-day basis, policies are used to control the behavior and to put in place a set of methods and processes.
No incentives - no followers
One very important thing about policies is the fact that if you give no incentives to follow them, people will soon start to make up their own ways of doing things. To an individual employee it may make perfect sense to use his laptop to store personal images and share music. To the company, this sort of behavior may result in lawsuits and liability.
The incentives will vary from organization to organization. The most important is that if an employee does not follow the rules, then a penalty must occur. The penalty should be widely known, and practiced.
A few years ago, a Norwegian oil company tried to sack a team of employees who had viewed adult movies at one of the oil rigs. The company did have a policy that prohibited any kind of adult material being viewed using their systems. So you would think they had a clear case. Not so: the policy had never been enforced. The company had to take the employees back, and even pay a penalty.
The lesson to be learned is simple - when you have a policy in place, make sure you enforce it.
Technology is a supplement
Technology should supplement policies - not the other way around. You should never invest in (security) technology and then make the policies.
The purpose of security technology in regards to policies is to enforce the policies, to control that they are being followed and to trace possible violations. To do so, you first need to know the behavior you want to have in place (the policy), and then you invest in and set up the necessary tools to check whether the policy is followed.
Technology includes tools that remove threats, tools that enforce a particular behavior, tools that log and analyze the movements and activity of your employees, as well as tools to audit, control and change the policies themselves.
Today there is a great demand for this kind of technology. The driving force is not so much the company itself. The driving force is the need for the company to stay compliant with public regulations like SOx, HIPAA, PCI and the like. These regulations come in different flavors, from international, to regional, via national laws. And finally as policies in the company. Then add industry standards like ISO. Clearly you need some technology to help you stay on top of the problems. Still, always remember to have the policies in place beforehand - the technology is only there to support and enforce your policies.
Review and audit
Whether you like them or not - or do not understand the reason behind the policies - then ask around internally. If you have the knowledge and the power, you may change them - a process that should be a major part of the rules, and it is called auditing.
Auditing is important to keep your policies and your employees up to speed.
If you have a policy that your employees see is useless, or wrong, they will try to find ways around it. You need to teach them that if the policy is wrong, the right way of doing things is to change the policy. It must be easy to report errors. It should be positive to report errors.
Errors happen all the time. If you fail to catch the errors, how will you be able to improve?
The Toyota Production System is one way to do this. The purpose is to improve and manage quality. Toyota does this by emphasizing the need for improvement. They proactively ask their employees to come up with better ways to do their job.
Rule breakers
In every organization you have the people who always seem to be breaking the rules. Some are in the R&D - and there they are doing a great job. But other employees who break the rules with intent must be identified and removed. They are working against the target of the company, and they are reducing the inner bonding and cooperation of the team.
Most importantly, rule breakers pose a risk to the organization. You will never be able to control everyone 100%, but most people will follow most rules if given a reason to do so.
If you add noise to the group in the form of a rule breaker, the team will soon stop following the policies. And of course - people who do not abide by the rules are more likely to sell off company secrets, pose threats to the company and be an overall liability.
The challenge is to discover and neutralize such elements. Especially since they very well may add great value to the organization by their opportunistic views and new ideas. You see them in R&D, Sales and as business developers.
The bad apples you must remove. But if you cater for them correctly, and stay in control, any organization can benefit greatly from these people.
Success with policies
Policies are a set of rules put in place to ensure a particular behavior. Many policies out there are worthless - either because they are not being enforced, they are wrong or outdated, or they have been put in place for the wrong reasons.
Success with policies comes by combining the right mix of incentives and controls, with regular updates and audits. But if you forget that the policies are all about human behavior, you will fail.
------------------------------------------
Article as published on Risksopportunities.
Part two - 5 tips on policies - will be available from March 10, 2008.
This is a post I made to a security group I am on. The topic is biometrics and the need for it in a business environment.
---
Usually today, the security issues are NOT with identification/authentication - it is the lack of fully understanding the technology - thus implementing a bioscanner to identify / authenticate a user, while sending the data itself over a non-encrypted line.
The biggest challenge with any security is the need for it. Do you REALLY need this kind of security? Will this technology make you SECURE? Is there any other tool or solution that can achieve the level of security you need - at a lower price (monetary, user acceptability, support)? If you choose this particular technology - what parts will be secure, and what parts are not changed/adequately secured?
Another key challenge is lack of understanding. Business people care more about business - making the profit, ensuring the operations. Security people care more about adding security - less about the business impact. By the end of the day, these two parties have to work together to ensure an adequate level of security for that particular business. Unfortunately, what we see almost every day is the complete opposite scenario (particularly with ICT-security).
The security guys try to make a case about how important a new tool, technology or gadget is. And from a single, security-minded point of view - they usually are right. BUT - the business does not invest in the tool - they choose to go "insecure" instead. What the security people do not get is that business people are usually equally good at risk assessment and risk management - some even better.
Why?
To successfully run a business - you handle risk and have to manage it on a large scale, continually. You make the decisions - to go or stop - usually with only little knowledge of the outcome. Some say you have to gamble, others prefer to call it risk management. Some don't even know that this is what they do. They will tell you that all they do is maximize profit while reducing the costs - known and unknown.
So in this scenario, the business people usually win the game - because of their added perspective. They perfectly understand risk - and they are willing to risk some to gain some. It is a different mindset.
For the security industry, this means they dig up dangerous scenarios, construct hypothetical issues to sell you only parts of what you need. That would be fine - if they'd only tell you that the actual risk is usually much lower than the perceived risk (after their FUD), AND if they'd tell you that they are only part of the solution.
For the business people, a simple equation should be applied:
Value > security measures
Never spend more securing an object than the actual value of the object. Common sense, right? Yep. But not commonly adopted, unfortunately.
On biometrics - they will come. They are already here. A fingerprint scanner is implemented in most business laptops today. A camera is on some, and as mentioned in this thread - almost all laptops do have a mic. The challenges for biometrics, however, are more complex (list is not conclusive):
The EU has strong privacy regulations, which some of the countries apply against biometrics.
Authentication / identification alone is not enough - you need secure communication too.
Should you authenticate only, identify only, or both? At what stage? Using what technology and measures?
What is wrong with a username/password combo? Why do you really need a stronger method? When do you need it? Can you do without? Should you do without?
A tool can be as secure as it wants, but if users do not like it, they WILL circumvent it. BUT - it may also be the killer app so in demand - use biometrics as a way to simplify the life of the users - no more need for usernames/passwords and devices up and down and back and forth.
This post is not only true about biometrics - this is true about all security. The challenge for the industry is to make relevant solutions, that are needed and that fix real issues. The challenge for the customers is to identify the solutions relevant for them - to fix issues they have. The challenge for (end)users is adopting new security solutions every other day.
At the end of the day - you can never be 100% secure. You can get very close if you really want to (and can afford it) - but the fact of the matter is that your job is to secure your business - meaning you are there to make as much profit as possible, or if an NGO - to spend as much time as possible doing your thing. No matter if you are the CEO or the CSO - your job is NOT to invest in security - it is to work towards the business goals of your company. Period.
A while back (September) we had elections in Norway. The elections were local municipality elections.
As part of the pre-election marketing mix in my local community, a couple of the parties (we do have a few here) went door-to-door and talked to the inhabitants. A great service, and a possibility for us normal people to discuss local and national politics with the politicians who pull the strings.
One of the parties that knocked on my door invited me, my family, and our international business guest to a promotional event where they would serve a special Norwegian dish in a dramatic cultural location. The mix of the culture and their political agenda was very inviting, and when, upon my direct question, I was told that our international guest would also be welcome, we changed our plan for the weekend and decided to go.
Upon arrival, we decided to stay on the outskirts of the speech area so I could translate and explain to my guest. And after the program, we were welcomed and told to go grab a bite - of a dish called sour cream porridge - a special Norwegian feast dish, traditionally served at weddings and other feasts.
We lined up, and as it happened we were early in the line - number 5 or 6. When it was our turn to get our servings, the clerk told us briskly (in the tone of voice old teachers use on 10-year-old bad boys) that
"You have to walk out of the line and wait until all the others have been served!"
I was surprised, and told her that we were here by invitation, and that we should be treated like any one of the other guests. To no avail. She could not be reasoned with.
We obeyed, disappointed and with a growing anger (I was pretty hungry, I have to admit, and I just love the sour cream porridge). We decided that we'd better leave the event since they obviously did not want us there.
-----------
And therein lies the lesson to learn.
No matter what you try to achieve - seducing voters, selling hot-dogs, or any other services where you have people representing you, your message and your products/services - it only takes one person, one single error to turn a great message into the opposite.
In this particular case, it was based upon a mistake. The clerk thought me and my guest to be tourists, and not voters (I was, my guest was not). Thus, she decided that we were to be served after all potential voters.
This despite the event being advertised in local media. The municipality is small, but not so small that she would know all inhabitants.
The party did have their internal discussions on this event (actually, they still ask my wife if I am still angry). They recognize the error, and do all they can to fix it.
What can you do to avoid this?
The first thing you do is to recognize the potential price to pay if such a thing happens. Particularly in a small place, one person actually can make a lot of noise. Also keep in mind that the one person you do treat badly might be a journalist, a potential large client - it is not certain that it is "just a tourist".
Then you need to prepare your staff - service, service, service. Treat people nicely, and remember your role. If you represent a brand, or a service level - keep with it no matter what you think of it personally. And as a manager, you need to train your staff accordingly.
When (not if) disaster strikes - get on it right away - solve it. Start at the source, and find out what went wrong. Try to help the client/voter to recognize that this behavior is not part of your brand - it was all an error. Most people will be reasoned with - at least if you let them cool down first.
As for your source of error - the clerk - make sure that the story is turned from a critic into a learning experience. We all make errors, and unless they are made on purpose - make your staff learn by their mistakes. Forgive, retrain and use the story as a learning story for new people coming on board.
Also keep the person's (the clerk's) feelings in mind. People do have feelings, and even though they may not show that they take the episode hard - they might. You do not want to lose a great resource, so you should spend some time and effort to make sure the person can turn the negative reaction into a positive learning experience.
Doing so helps strengthen your brand, and it shows your organization that it is OK to make mistakes as long as you are learning by them.
The observant reader of my blog will have noticed that I am a member of the worldwide organization for young leaders and entrepreneurs - JCI.
This weekend, JCI Norway had its National Congress, an event my local chapter JCI Innovation hosted this year. My hats included getting sponsors and marketing, as well as making sure everything went smoothly during the actual event - I was the slave master!
The reason I post this on my security blog is to pinpoint that things do go wrong - and when that happens, you find solutions.
Saturday morning, our program said that Harald Kippenes, a mountain climber and adventurer would tell us how to get up after a crisis - how to motivate yourself to keep walking.
Friday afternoon, our project group got a phone call from Harald, where he said;
"Hi, yesterday, I fell off a cliff, and broke both my legs. I am currently at the hospital."
We immediately thought we would have to cancel his appearance - you know the feeling - blood turns cold, sweat appears on your forehead.
"But I would love to do the presentation anyway - do you guys know if we can set up a video conference session instead?"
A long story short - Tandberg, the Hospital, the hotel and the ISP Ice turned the world upside down, and during Friday evening, they made it possible. Working late and long hours, for a project they had no economic interest in.
They accepted a challenge, they made it possible, and they proved that technology and priority make things happen.
From a security point of view, this story shows that even when you think all is lost, and you have to give in - creativity, network and a stayer-attitude makes it possible to achieve your goals - even though the solutions you end up with are not the same as you planned!
So the next time you want to give in, be creative, and open minded. Solutions are all around - and everything is possible.
Can you share a similar experience?
One of my favorite bloggers, Rob Newby has been ranting about business, technology and compliance the past few days.
He is making one major point - NAC and Firewalls will not last forever.
Although I am certain that his posting will uproar some of the vendors, and some of the technical readers as well, I happen to agree with Rob.
Technology evolves. It changes. It adapts.
Most importantly, it must change. It should adapt. If it did not, we would still be riding rock carts like the Flintstones.
And I must admit I prefer heated, leather-coated, soft seats, where I can listen to a V8 roar at my will. Knowing that some years down the line, the V8 will be replaced by an electric engine.
With IT, it is the same thing. As it is with security. The thing on your lap is not an ENIAC, mind you!
If you take a look at the firewall, it is easy to understand as well. The port-controlling (stateless) FW from the 80s is still in place in today's firewalls, but is only a small part of the package. Add stateful inspection, AV&AS, web filtering, VPN and a coffee machine, and you have the UTM of today.
With NAC, the same thing will happen. It will end up as a part of the internal security systems only. And some years down the line you will no longer realize that what was key technology in 2007 happens to be only one of many technologies that take care of your ICT systems.
The challenge of all times in a commercial world is to be able to look beyond the buzzwords. To use your own business targets, goals and challenges when you choose your strategy.
Only when you take control yourself will you be able to control your world. If you leave the decision making to vendors and buzzwords, you will find yourself a hostage of insecurity - you will never know if you are adequately secured. And that is the point of forcing compliance and governance - to put you in control, to enable you to drive your modern, secure and up-to-date car.
So that you do not have to keep dinosaurs as pets and kicking about in your rock cart.
Sloggi, the company of great underwear - wants to undress your passport number according to a Norwegian article.
Sloggi runs a world-wide campaign to boost their sales. As any sane multinational would do. They do it with a twist. And they use Internet.
They want you to photograph your butt and upload it to their website. If your butt is found attractive enough, people may vote for you to become a new model. What a bummer.
I guess they got the idea from the sites like Penest.no, where young girls sell pictures of their booty for points.
In the article, Sloggi spokeswoman Sofie Lindahl-Jensen says they have very good controls for making sure users are over 18.
"They [users] have to register with an e-mail address and a cellphone".
I am positive that I do not have to inform my readers how easy it is to fake that. Even the journalist of the article knows how to do it.
Well, it's not over yet. After being confronted with sharp reactions from Datatilsynet (the Norwegian Data Protection Authority), and a fake profile with a stranger's behind, the same Sofie Lindahl-Jensen assures the readers that new measures to control the age are being implemented.
How?
"We will use passport numbers to compare with the national passport databases to check their age.."
No, you will not. Sorry. As the police say:
"Unless they are paying off some rogue police officers, they will not get that access. That data is illegal to obtain."
Sloggi, we may question your methods. We may question your security. We may even question your motives. And we may believe you are stupid and incompetent.
YOU (Sloggi) should NEVER remove that doubt by admitting you have no clue whatsoever about security. If you are in doubt - say nothing. When the journalist has gone, call someone for help.
NEVER, EVER let us realize you are clueless.
If you do something stupid, make sure your spokesperson either knows what to say, or knows when to shut up. Bummer. Or was it Butthead?
I have been asked to contribute to Risks|Opportunities website as author. I am targeting one to two articles per month, covering information security, compliance and corporate governance.
My first article is here.
The Risks|Opportunities website targets managers, business people and the like, thus many of my readers will find it useful.
Data integrity is one of the building blocks of security. The others are availability and confidentiality.
Many of the people I meet are not security professionals. For them to understand the importance of integrity, I use examples. Until recently, that was the only way to get any interest in the topic. Now, thanks to regulations and corporate governance, integrity seems to get more attention also from the management side of things. But still it seems to be hard to grasp the importance of it.
I admit that integrity of logs is important. IMO, it is mostly important to the technical side of things, and to the auditors. Unless of course you get caught red-handed one day, then the managers will find integrity of the log to be important too.
---
The managers I meet usually have their focus on business. Creating revenue, maximizing profit, lowering cost of operation. For them to see the value of integrity, you need to focus on their everyday life. Focus on their tasks, and relate the integrity to that. What will it do to you if you can no longer make sense of the CRM system? How can you manage your team if you no longer trust the information at hand?
For exec managers it is easier to see the value of being compliant. But my experience shows that also at this level the true value is created by relating it to their everyday tasks. What happens if you can no longer trust the financial reports? What if the information at hand is wrong and manipulated, but you do not know? If you suspect errors in the data, how can you make sure there are none (or find out how they came about)?
Trusting your information is key. If you cannot trust it, what value does it have to you? Speculating can only do you so much good. Knowing is always better.
Rob is not making me pull my hair out today - he has a very good summary of integrity. It uses good examples, focuses on different solutions and discusses the issues each solution raises.
Just to break the news - I have been given the honor of being a guest lecturer at BI (Norwegian School of Management) this autumn. The topic - what a surprise - is information security, and the audience is third-year students of the Bachelor of Management study.
I will be assisting Renny B. Amundsen.
This is a great achievement for me, and a great opportunity. Teaching the future managers about information security and how they should relate to it is very close to my heart.
I guess this is proof that I am getting older, wiser and hopefully not grayer!
The blogger is Kai Roer. He has dealt with communication and the Internet since 1994. Taking part in projects all over Europe, Mr. Roer is a renowned resource on information security, communication and security in general. As a management consultant, author and speaker, Mr. Roer has helped many a client.