:::: MENU ::::
Posts tagged with: opinion-piece

Please don’t kill your CISO if he doesn’t know how a virus works

I came across this rant (with the usual don’t-kill-me-am-just-making-a-random-statement-and-fully-intend-to-get-away-with-it disclaimer) on LinkedIn about how CISO’s are clueless about how a virus works, even with CISA/CISM and a decade’s experience under their belt. It got me seething about how this statement is wrong on so many levels, but then I decided to marshal it in a better way and keyboard-and-mouse my thoughts (penning my thoughts would have sound a bit cliched, anyway) in a bit more structured way. I could be wrong but am willing to learn from feedback and remarks of my readers (if there are any. I am a realist).

A disclaimer first – I am not trying to promote anything here except my viewpoint.

CISO is 90% management, 10% technical post.

Let’s look at this line of thought.

Management, IMHO, is about making decisions without complete data at hand. This means that entire organization has to be put into an abstraction (nothing else will give a high level view that quickly). However, it results in a whole lot of jugglery and political skulduggery which has given a bad name to management. In an ideal world, every management guy has hands-on experience in everything that his company is doing. However, reality is different. Hence companies look for an ideal combination of practical know-how and management skills, with mixed results. Just like it is difficult for a management guy to learn technology, it is also difficult for a techie to learn management skills.

Companies seldom fail because of lack of technology. They fail due to lack of management / business sense and leadership (market disruptions notwithstanding) . It took a Steve Jobs to make Apple where it is now. It took Bill Gates’ decision making and management skills to make Microsoft where it is today.

Time for another disclaimer now.

I am not saying that Technology or techies are not needed. I am only saying that Management is also needed.

Time to look at an image that I created to illustrate my point. What I am trying to put here is the viewpoints of different roles in the information security food chain and an example of the viewpoint in action. See how abstraction builds up as roles get near to business.

 

 

 

 

 

 

 

 

 

 

As per Rafeeq Rehman (someone whom I admire a lot), below are the different activities that a CISO has to perform these days (http://rafeeqrehman.com/wp-content/uploads/2016/10/CISO_Job_v8_A0.pdf). You will notice that a lot of those activities are leadership activities and not technical. Although, technical knowledge is required, it is at an enabler level (in other words, understand what your team is saying so that you can make a decision), because CISO is essentially a decision maker / leader, sometimes a manager (if the company is small, CISO may also end up doing a bit of technical work himself). And, folks believe me when I say it – IT IS A FULL-TIME JOB.

Does a CISO need to know how a virus works? That is not the right question. The right question is –

Does a CISO need to know how a virus works in the same way as that of an incident responder under his team?

The answer is a resounding NO.

If you bring an OSCP (without the business experience) for CISO , you will suffer. And if you bring a CISA / CISM (without the necessary incident handling experience) for leading a team of incident handlers, my condolences.

CISA / CISM are technical certs, but not in the way you think.

Let me approach it in a different way.

I consider, anything that belongs to the know-how of the field, technical. So, detailed procedures on how to audit is technical stuff (related to audit). Its usage of software tools may be confined to MS Excel and Access, but it is still technical because it describes the innards of the field (e.g., how to sample, what is the meaning of audit, how is it different than assessment, how to do audit, etc.).

CISA (Certified Information System Auditors) is for auditors (present and wannabes) who audit information systems (security is a part of it). CISM (Certified Information Security Managers) is for managers (current and wannabes) who manage information security management systems. Together, they have a knowledge base that, if internalized, can help a person gain lot more insight into the field than without. That doesn’t mean everyone can stomach it. No so-called-techie can read CoBIT without falling asleep (that doesn’t mean that you claim yourself a techie just because you can’t stand CoBIT documentation), but a decision maker will immediately feel home with that documentation because it offers him a vantage point for the entire information security control landscape of an organization. Not just that, it will give him enough ammunition to oversee an existing information security system. Because the decision maker is used to see things in abstraction.

However, this also doesn’t mean that everyone who is a CISA / CISM has internalized all the knowledge that was part of the syllabus (you didn’t think I am vouching for incompetent guys, did you?). Which brings me to the next part.

Certifications are not knowledge pills, you still have to work your grey cells.

Having certifications only mean that you have cleared an exam. It doesn’t mean that you still retain, cross-reference, update, and internalize all that knowledge that was part of the syllabus, after the exam and in subsequent years. It also means that you still have to be interviewed for all those above verbs and your suitability to the role. I will stop here because this topic has been beaten so many times that it doesn’t make sense anymore to trample on the same. Just google “are information security certifications necessary” to know what I mean. Having a certification is no guarantee of job-material in this field.

Standards and Compliance are not bad things, neither are they cause of the current sad state of affairs. People are.

As far as I am concerned, all of our problems stem from increase in population. But that is for another post. Let’s focus on the current point.

Bruce Schneier made an interesting point in one of his books (I think it was “secrets and lies” but I am not sure) that firewalls got famous NOT because they were technically sound and made perfect sense, but because their absence was getting flagged as non-compliance by auditors! And you thought your CCIE made all the efforts!

With all the jokes running around compliance and ISO 27K1, I still think that the flaw is in the implementation, not in the spirit.

Security has so many facets these days that it is a full time job just to keep all the balls in air and make sure that they don’t crash. Add to it the daily pressure of selling security to top echelons so that you can keep your job lest a non-clued security director, or some other high title, decides that he doesn’t need you with all the flashy tools in place (SIEM / DLP / IDAM, once installed, must learn on its own) and you will sympathize with all the CISO’s since the term infosec was coined. Jokes apart, management needs someone who can translate the jargonic (wait, is that even a word?) aspects of security into a more manageable chunk so that they can decide where to direct the funding and oversight (in other words, tell me if it is working for business and show me how). Standards (like ISO 27001) and compliance / regulations are supposed to help a decision maker understand security in a language that they understand. But, as Ian Tibble points out so poignantly in his book “Security De-engineering”, excel masters took over and they took the whole focus away. And we have been cursing management ever since!

In other words (meaning I could have avoided all this rant and said these lines instead and still made my point): –

Security management and tech must co-exist to create a beautiful recipe that is tasteful to the business. Singular won’t work.

I published this on both LinkedIn, Peerlyst and on my Medium Publication, Trinetra


Process Myths, Busted

This article has originally been published by me on LinkedIn.

—————————————————

Disclaimer:- All of what is written here is my own opinion. ‘nuf said.

Raise your hands if you have heard / said these lines before:-

  • “This is not our job, this is the job of documentation team”
  • “I’ve many important things to do and deliver, I don’t have time for process”
  • “Process, what is this? We are doing fine here without it, we don’t need process here”.

This term ought to take the cake for oft abused / misused one apart from “housewife” (that is the MOST abused term on this planet IMHO. I think they deserve a LOT more respect than they get, but i digress).

I also think that knowledge of process is an evolutionary primitive to move up the corporate ladder because nothing provides a better view of the corporate than process.

This post is an attempt to explain the term from my perspective. Suggestions, remarks, feedback are welcome.

MYTH #1 – Process means documentation

Process is a way of doing things.

That’s it.

That’s what process is – A way of doing things. Say this again, and again and again, till your mind hurts and you cannot think further.

If you are following some steps to achieve an aim and if you are following a path (Ok, any path, your path, my path, some path) you are following a process (whether you like it or not). If you dream of reams of documentation in your sleep with reference to process, then I am sorry because it was never meant to be thought of in such a way.

Let’s pick some very common processes:-

  1. The process of going from one place to another
  2. The process of translating requirements into working software
  3. The process of capturing requirements from client;
  4. The process of eating / sleeping / buying things / selling things ….. you get the drift.

Just because it has not been documented, doesn’t make it a non-process.

MYTH #2 – It’s not process if it ain’t best practice

Now, this actually hurts. Best practices have a way of hurting like no one else. We have gotten results – good results, with satisfied customers – with less-than-best-practices. Also, has anyone seen a definition of it, lately?

Practically, if it works for your team, helps you repeat the success again and again, then I guess it is a best practice, for your team.

Ok, if you insist, call it a better practice. But please, don’t call it the best, because it depends on a lot of things (# of people required to execute it, can it scale up/down, efforts required to implement it, clear ROI, etc.).

MYTH #3 – If it works for company A, it will work for company B

Nothing can be farther from the truth.

The line, when corrected, would include “may” instead of “will”.

A successful process implementation answers the following questions:-

  1. Does it account for the existing capabilities of the team (in other words, can the existing team do it, with their current skill set)?
  2. Does it provide a way to not only repeat the success, but also to record the failures?
  3. Does it take the number of people into account (in other words, process that requires 200 may not work for 20 member team, and vice-versa)?

Successful processes depend a lot on the balance between other 2 factors – people and technology (and here i was thinking that it is just for feel-good factor and CYA, meh). Which means you will not be successful if:-

  1. Technology and process is appropriate but people with required skills are not put to implement the process;
  2. Technology and people are appropriate but the process is outdated (e.g., no review mechanism, no record keeping even though technology implemented supports it, etc.);
  3. Process and people match but no technology in place to help them (e.g., a very complicated, industry-recommended and proven process to handle incidents without tools to identify them in the first place, no-IDS, anyone?);

Please let me know if these myths exist or it is just a figment of my imagination. Any feedback is welcome.


{ctrl+z} My Interview :: Here’s what I should have said

So, after a long time, i finally broke my jinx of not updating my blog! I hope to keep updating it more often now.

Life is a collection of memories. If you don’t have memories, you don’t have a life (which means you are dead. That is why Shiva – the lord of death – is also called “smarahara”. “smara” incidentally, is sanskrit word which has two meanings. One, it refers to kaamdeva – the god of love. It also means memories. Amazing language, isn’t it? But i digress). My information security career has also gifted me with many memories, one of which is this interview. I didn’t like one of my responses during the interview and i kept going back to it, for some reason.

I finally got the reason (or so i think). This LinkedIn post is an introspective attempt to articulate that reason. Please find a reproduction of the same below: –

———————————————————————————-

Being a thick skinned guy that I am, I usually don’t like to admit mistakes. Scratch that, I NEVER like to admit mistakes. However, there are instances when one, during introspective phases (I know, it is a big word, yipee-ka-yay – MS Word 2013), identifies his/her mistakes and what he could have done instead of how-could-I-do-it and wish-he-forgets-it type of things.

So, during one of those ‘aha’ moments, I realized a mistake that I happened to commit during one of my interviews.

The Question

Around the end of an interview, one of the interviewer asked me this question

“If you had unlimited budget, what would you have done to improve your organization’s security posture?”

Now, on the face of it, this is a pretty open ended question that allows you to articulate some of the key controls / strategies that you think would add value to an organization’s security posture. This question also allows an interviewer to probe the mind of the person who is being interviewed to gauge his priorities. AND, this is also the sort of question, the response of which, will open you up to scrutiny.

My Answer

When I faced the interviewer, I was on the way from a normal ISMS professional to a higher plane (by establishing a SOC or Security Operations Center). I was then struggling with handling incidents with limited resource and skill (more on skills and competencies in a later post), so my response was a reflection of my struggles:-

“Given unlimited budget, I would like to invest in a tool / technology / process which ensures that infected machines are isolated as soon as they are identified. Also, I would like to be able to analyze them faster”.

How wrong I was!

An organization’s security posture is dependent on the following 3 Ps:-

People, Process, Technology

People – The most important thing in the triad. If people

(a) don’t have an understanding of the information that they have and its value and

(b) don’t want to secure it (due to different reasons, and surprisingly, deliberate espionage doesn’t feature till the end of the list), you will not be secure no matter how many processes and technical measures you have.

Think of all the passwords that have been shared, all the intellectual properties lost due to people and you will get the drift of what I am trying to write here. Awareness sessions on information security DO’s and DON’Ts, communicating all and any process changes to all relevant people, assessments (both online and behavioral) to gauge how people treat information security when no one is watching are some of the things that an organization can do to ensure that people act their part to keep information secure while handling. All information security branding related activities would also come here. The branding activities could include posters, quizzes that includes giveaways, etc.

Process – I can never tire of saying this “The way you handle information will dictate how secure you can make it”. Please refer to this post to know more about my thoughts on this.

Technology – All technical gadgets worth their salt (e.g., DLP, SIEM, IDS / IPS, Firewall, etc.).

So, while technology is important, information security is inherently a people and business problem. It is perfectly possible to implement a cost-effective ISMS that is aligned to the business and it is equally easy to botch it by blindly implementing “best practices”.

What I should have said

“Given unlimited budget, I would invest in security awareness at all levels, coupled with good detection tools, a superb DLP tool, and a capable incident response team”.

Now that would be a better answer, don’t you think?