It’s not old security, it’s vintage!

Hi folks,

The other day I was digging through some old family papers and I found something interesting. No, no unknown fortune or half-sibling nobody talks about – I found out I’m unwittingly carrying on a family legacy. A legacy of security nerds.


My granddad worked for the Army for decades. During the Vietnam era, he developed counter-guerrilla technology and later got into computers. I knew that, but what I didn’t know was that towards the end of the 70s, he got into information security. And in 1978, he wrote this paper on secure computer facilities:

Computer Facility Security – 1978

I’m not clear on why he wrote it, but I definitely dig the graphic on the last page. And there are two lessons I took away from it:

  • Learn from other fields of study. The original Rex had spent decades focused on physical security for both military and civilian environments. The lessons he learned in those fields helped inform his efforts in information security. We have the same opportunity today to apply lessons and knowledge from other fields – psychology, warfare, accounting – to what we do in information security.
  • Security is a long-term problem. If you read the paper, O.G. Rex was talking about many of the same issues that consume us today: environmental security, insider threats, access controls, etc. Nearly 40 years have passed since he wrote this paper. We’ve had some of the best and brightest minds in the world working on making technology more secure, but it still has a long way to go. We live in a world that increasingly values instant gratification, but we’re not going to get it in our field. Our victories are small, incremental and sporadic, but we can’t give up. We need to be patient and continue to fight the good fight.

Not a bad yield for digging through some old papers.

Rex

Ready-to-go communications presentation

Hi folks,

I was recently asked by an OIG to give a presentation on communication and collaboration.  I gathered a number of the topics we’ve discussed on this site and gave the presentation last week.  It went really well, and I hear from my hosts that they’ve already adopted a few of the approaches from the presentation.

I want to share the slide deck (with extensive speaker notes – close to verbatim) in case it’s helpful to anybody else.  The template isn’t mine, but hopefully the content is useful.  Please feel free to use it as you see fit.
IT_Audit_Meeting_RGB_20160602

Rex

Words have weight

Hi folks,

One of my favorite quotes on communications is by George Bernard Shaw, the Irish dramatist and critic, Nobel Laureate, Academy Award winner – just a general big brain kind of guy.

“The single biggest problem in communication is the illusion that it has taken place.”

I think this gets to the heart of the issue with communications – all too frequently, one or more parties are operating under the assumption that effective communication has occurred when, in fact, it hasn’t.

There are an unlimited number of examples of this, but I’ll focus on just one tragic one.

In 1162, Thomas Becket was serving as Lord Chancellor to King Henry II of England. When the position of Archbishop of Canterbury – the highest church position in England – opened up, Henry appointed Becket, thinking he would prioritize the needs of the state above those of the church. Henry was soon disappointed, though, and Becket almost immediately resigned as Chancellor and became a serious thorn in Henry’s side as he agitated for stronger church power at the expense of Henry’s state.


In 1170, the feud came to a head when Becket excommunicated a number of Henry’s allies during their latest squabble. Henry, at the height of his frustration, lamented aloud “who will rid me of this troublesome priest?” A handful of knights overheard this and interpreted it as a royal command, mounted their horses, and headed for Canterbury. Once there, they hunted Becket down and, in the middle of the cathedral, murdered him.


Right. That wasn’t Henry’s intent. But because of his position, his words had an unintentional, outsized impact.

There are modern equivalents, too. Jeff Weiner is the CEO of LinkedIn. Years ago, he got wind that his casual comments were having a big, unintended impact – direct reports would scramble to address what they thought were commands when he was actually only expressing an opinion. It was wasting precious time and energy, so Jeff came up with a plan. He implemented a three-tiered structure for his feedback – it would be categorized as either one person’s opinion, a strong suggestion, or a mandate. This helped clarify the weight his words should carry and thereby eliminate that wasted effort people spent trying to carry out imagined commands.

Now, most of us aren’t kings or CEOs, but we still have to be mindful of the impact of our words – especially those of us who are in positions of authority. What we say can carry significant weight – often more than needed or intended. If we have good people around us, we want to make sure we’re getting the most out of their expertise and judgment, not just getting copies of a single person’s (read: our) vision and opinions. Just like King Henry or Jeff Weiner, we all need to understand how our words carry weight, and we need to choose them carefully.

Rex

Ya speak security, doncha?

Hi folks,

A few years back, I headed to an unnamed state that’s famous for its BBQ.  As a fan of all such things (consuming, not producing), I made a beeline for the first BBQ joint I could find upon landing.


As I stood in line waiting to order, the guy in front of me became agitated.  It sounded like he thought he didn’t get what he ordered and couldn’t get the woman on the other side of the counter to understand.  Eventually he yelled “DO. YOU. UNDERSTAND. THE. WORDS. I’M. SAYING?!” Things got awkward, the woman walked away upset, and the man remained angry and was asked to leave.  Nobody was happy.

A short time later I was at a client site, presenting to a Fortune 50 CISO and her team on the awesome job we were doing.  We had been struggling for a long time to communicate the value of our services to clients – clients who were paying lots of money for us to detect threats in their environment.  We had tried quantifying the number of threats detected, number of hits reviewed, aggregate risk ratings for those threats… nothing really resonated.  This time we thought we’d found the right metric – the reduced time an attacker had in the environment based on the speed of our detection.

Our client was unimpressed.


She was kind, but clear.  She said “That’s great, but I can’t do anything with this.  I may inherently understand the value, but I can’t take this to the board and have them care.  I need something expressed in terms that they care about – money.”

It’s a lesson our field needs to learn.  Security doesn’t happen in a vacuum – it’s an inherently collaborative effort.  And when we turn to our partners for assistance, we need to speak their language, understand their motivations, and communicate in terms that resonate with them.  Do we need to be an accountant to talk to a CFO?  No, but we need to acknowledge that they’re not a security professional and that the minute we use the term “buffer overflow”, we’ve lost.  Otherwise we risk being like the angry BBQ guy – isolated and hungry because we refused to adjust our communications.

Rex

Inherited risks belong to you, too

Hi folks,

Among aristocratic families, marriage was/is a tool to cement relationships, gain power, and grow empires.  In America, having thrown off the yoke of a formal class structure, we’ve instead embraced an informal class structure where we celebrate family dynasties in politics, industry, entertainment, and elsewhere.  Because, apparently, what good is a society if you don’t have betters to look down at you?


So it’s kind of big news when a marriage unites two of the American “royalty” families.  Like the marriage of the Ford and Firestone families via the grandkids of both founders.  Which made the corporate breakup in 2001 – after more than 100 years of partnership – perhaps a bit awkward.  What could have caused the end of such a long and fruitful relationship?  The death of more than 240 people as the result of flawed Firestone tires installed on the roll-over prone Ford Explorer.

The fallout for both Ford and Firestone was huge.  On top of the tragic losses of life, both Ford and Firestone spent about $2 billion each on tire recalls and undisclosed millions in lawsuit settlements.  Not a good era for either company.


Much like the auto industry, IT is a very interconnected, interdependent world.  Our systems and networks don’t exist in vacuums – they establish relationships with other systems and networks.  Those relationships extend trust and, by doing so, open themselves to risk – shared risk.  Ford inherited risk from Firestone when it decided to install the tires on their vehicles.  We in IT inherit risks in the same way – from our OS, development frameworks, plugins, connections, etc.  If something goes wrong with those components, the impact is felt by our system.

Sadly, many system owners see this interconnectedness as an opportunity for risk transference.  It’s not.  These kinds of risks are shared risks, not transferred risks.  When the Firestone tires failed on Ford vehicles, no amount of finger pointing (try as they might) could exonerate Ford – they were significantly impacted by the realized risk.  You can’t just walk away from inherited risks – they impact you, too.

Information security is a team effort and none of us are in a position to ignore a risk to our system.  We must work together to solve all problems – even if it’s “somebody else’s responsibility”.


Rex