Information Security is Free!

Why are you giving information security away for free?

More to the point, why do so many companies today fail to create a holistic financial charge-back model for information security services within their corporation? During my two-plus decades in IT executive management in corporate America, having been both a CIO and a CISO, I have always been confounded by the notion of “free” information security. “Free” information security fails to allocate both cost and risk to the appropriate parties within a company. “Free” information security creates a universe where employees and executives are economically incentivized to intentionally and unintentionally bypass or even ignore the security controls your company is spending a fortune on, and that you are desperately trying to protect your organization with.

Free? The Dukes Are Not Amused

Most companies today, especially those who have centralized their technology and business services, have cost allocation models that focus on unit-costing and transactional charges for the catalog of things that they do, from servers to storage. Only in rare cases, however, is information security treated in the same way, which is fascinating if we pause to consider the implications.

It is commonly understood that information security is simply a “pay-it-forward” version of an insurance policy. It is operational insurance with a twist. Rather than being priced by an independent party (like an insurance company with an actuarial department), this insurance policy is funded at a level of perceived risk that has been self-identified by a Board, a CFO, a General Counsel and, with some input, the remaining members of the executive leadership team. To be frank, this is why information security organizations are so grossly underfunded today: the dollar amount a company is currently spending on this function is its perception of the appropriate risk premium it should be paying to keep the company safe from the bad guys. That’s right: companies are underestimating their actual risk of exploit, breach and catastrophe to the point that they are paying the bare minimum budget rate for their operational insurance policy. Which explains why so many companies are shocked and staggered when they do get breached; the cost of recovery far exceeded anything they imagined, planned for or underpaid the premium for.

Great examples of this phenomenon are the Target and Sony hacks. Consider this: what if the hundreds of millions of dollars each company has had to pay to recover from those exploits had been spent, instead, on information security solutions and controls? Do you have any doubt that both companies would not only have the most advanced information security functions in the world, but also would most likely have never experienced the breaches to begin with? Given the consequences both companies faced, do you have any doubt they would have gladly funded their information security function if they had the gift of the crystal ball and were 100% certain they would have been crushed to begin with?

One challenge in creating a charge-back model for information security is that it cannot be treated as a simple IT operations function. If this is the approach, then the cost of non-compliance and the penalty for increasing the risk to the company will be too low and employees and executives will simply ignore, work around or intentionally defuse the controls that bind them. Let’s look at a common use case to prove this point.

Your company has a reasonably mature identity and access management program. But business units and their supporting technology organizations have been very slow to move their applications to the Identity and Access Management technology platform that you have implemented. The arguments and rationalizations are endless: “I don’t have time to move that application in the next 2 years”, “I don’t have budget to do the configuration and connection work necessary”, “I can’t inconvenience my business users with the change in process”. As a result of the push-back, many companies will be forced to swallow the bitter compromise: either the CISO has to set up an access administration function that handles all the provisioning, de-provisioning and entitlement changes manually, or the business and/or application owner will perform this function themselves manually. In both cases, manual access administration will eventually lead to a security deficiency finding. Manual is risky, prone to error and the primary contributor to audit failures.

The transactional cost allocation for the information security function must be developed in two parts. First, the charge-back model for applications that have federated to the IAM platform should be representative of true costs: servers, software, technical support, head count, licensing and maintenance divided by the forecasted number of access events that flow through the system. Typically this will be a charge-back of dimes and pennies, because automated access control is cheaper. The first part of the charge-back model is simple and straightforward.

Second, manual provisioning can’t just be an equivalent true cost calculation. There must be an inconvenience and sub-optimization penalty added to the cost for manual support. Since we all understand that information security is a pay-it-forward insurance policy and that manual control invocation is riskier and more dangerous, the addition of a risk premium to the cost allocation model is no different than a teenager paying a higher insurance premium because actuarial history clearly proves that teenagers suck at driving safely.

For the sake of simplicity, let’s set our calculated total cost of personnel, hardware, services, maintenance and licensing to support a manual access control function for one business application that refuses to move to our lower risk IAM platform at $25.00 per transaction. Standard cost allocation practice would suggest that as our volume of transactions increases or more applications choose to stay manually serviced, the cost per transaction should decrease. This decrease will continue until the efficiency of current capacity (human beings, phone queues, ticket/incident systems) has been maxed out and additional capacity needs to be added. But our goal is not a more efficient manual process, because it is still exponentially less secure than an automated solution built specifically for security and risk mitigation. As long as I am only charging a business owner pure pass-through costs, that owner has zero motivation to move to the more secure pathway. They will simply factor it into their budgets as an operational cost of doing business and only move if they are demanded to under the worst possible type of mitigation requirement, like a material defect, a demand for remediation or even worse – a catastrophic breach.

But what if you also included the appropriate risk-related premium? Instead of $25.00 per manual transaction, what figure would force your business units to change their behavior? This is where the calculation gets tricky. Cost of exploit or breach simulations require assumptions of risk exposure and probabilities of occurrence. Those assumptions and probability calculations tend to be underestimated in corporations today. The most effective way to address this is to simplify the equation by looking toward physics instead of calculus. Think of the risk premium as a lever in the classic way that Archimedes did: “with a long enough lever, I can move the world”. The correctly sized lever is the risk premium that makes a business executive respond to the same degree that they do when their jobs and budgets are impacted by a cyber security mess.

Premiums for dangerous drivers and dangerous behaviors should be painful, as they are in every other facet of insurance coverage. If I told that business owner that their risk-based cost per manual transaction is $25.00 in actual cost with an additional charge of $75.00 for the risk premium, I have no doubts that the business owner will immediately protest. As they should, because they are now experiencing the appropriate pain caused by shifting the ownership of risk to the rightful owner, which is not IT or Information Security. More importantly, if I tell that same business owner that by moving to the IAM platform that I run they can experience a reduction from $100.00 per transaction to $.18 per transaction, they now have a very compelling reason to embrace security controls. The case is probably so economically compelling that they will move at light speed to reduce their costs, while coincidentally reducing their risk.

For those who would argue that placing a risk premium on a transactional cost is “unfair”, what is your take on the fairness of an information security organization trying to save your company because of the disastrous configuration of your systems and the bad practices of your own people? Why is it unfair to refuse to pay for fire insurance, smoke detectors, escape plans and fire department services but fair to force your information security organization to constantly be in firefighting mode because they are surrounded by the corporate equivalent of arsonists, both internally and externally?

For those who would argue that this approach results in turning Information Security into a revenue center, you’re missing an extension of the lever that moves the world. As the information security treasure chest grows due to the collection of the premium, that money can be redistributed quarterly or annually to business units and managers that are practicing secure behaviors and continuing to mitigate risk. With this approach, we penalize behaviors that put our company at risk while driving dramatic security control improvement, and we finally reward the types of behaviors and responses that result in a safer company. Win – win – win.

So, why are you giving information security away for free?


How to Hack Your CISO to Get Better Results, Every Day! Pt. 2

Do you believe you have enough money to buy your way to safety with information technology solutions?

This is where we left off in Part 1 of this article. Do you truly believe you can buy enough technology to fix your security problems? Do you believe you can be fast enough, responsive enough or agile enough to buy tech that is right on time and ahead of the threats you face? Do you think information security, in your company, is simply a money problem? My sincere hope is that your honest answer is: no.

Your Chief Information Security Officer is a technologist as a secondary function, not as a primary. And if you just treat your CISO as a firefighter, most organizations today are equipping these leaders like this:

Is this how you’ve equipped your CISO?

Your CISO is critical! Your CISO is the senior leader tasked with direct intervention to mitigate inherent and residual risk across your company. In fact, they are the only resource in your company with this mandate and supposedly the only ones given the tools, resources and staff to do so. Many CISOs may not even realize this truth yet: information security is merely a component of an entire security universe within a company. Her primary role is implementing solutions, processes and standards that mitigate risks for the company. Those risks go well beyond the IT space. Way beyond the IT space.

In today’s corporate structure, this is what I hear CISOs saying across the dozens of companies I advise on cybersecurity strategy:

“I can only apply my technology solutions to what I “own”. I can’t protect everything because I have to put my limited money and resources into protecting SOX assets, critical applications, only PCI data and everything else is out of my control.”

Ask your CISO, today, what they don’t own. The list is enormous. They don’t own the defining characteristics of employee identity in your company today, but you demand that they have an effective identity and access management program in place. They don’t own change management, but you demand that she keeps infrastructure and OS patching 100% current, fighting against all other feature and functionality patches and taking finding after finding for being further and further behind. They don’t own all of the dozens or even hundreds of cloud solutions being bought by your business managers, but you demand that there be no exploitable channels into your organization, while your business managers are pushing customer and employee confidential data into off-premise data stores that you no longer control. They don’t own the firewalls, but you demand that the perimeter is kept locked down. They don’t own directory services, but you demand that employees only receive the least amount of access to your systems, file shares and databases that they need to do their job.

Imagine for a moment any other function in your company having this “you must control it but you don’t own the underlying rules of engagement, standard or policies” … (notice, I didn’t say function). Imagine a CFO with no control over departmental budgets. A CMO with no control over site-level marketing budgets. A CEO with no control over subsidiary businesses.

So this isn’t just a matter of bad decisions related to your organizational structure or the budgetary constraints placed on the CISO. In companies of every size and within every industry, we have created a position that has all of the accountability for risk mitigation and we have kept that same individual from having direct ownership of all of the pieces, processes, many of the functions and most of the technology needed to accomplish the task. Are you starting to see why the typical CISO lasts 18 months in their position?

On top of these challenges, the CISO’s executive peers see security as an inconvenience and as unnecessary overhead. This is not universally true, however. In companies where a major breach has happened, those same peers typically don’t see security in the same light. Urgency, ownership and responsiveness to information security and risk control demands change overnight in companies that have been hacked. It is definitely a sad state of affairs, though, that this is the driver for true change within a corporation. Wouldn’t it be smarter to “hack” your CISO for heightened security performance and exponentially improved risk mitigation efforts? Before you get breached?

The truth is staring us directly in the face: your CISO’s authority to deliver risk mitigation has been completely marginalized by her positional and functional placement within your organizational hierarchy, his obligation to fight for budgetary table scraps to buy only part of the technology needed to keep pace with a constantly evolving threat environment, and no power over business-related security decisions ranging from cloud application utilization to physical security control to operations-related risk. Basically, you have a Chief Information Security Officer that is neither a Chief Security Officer nor an owner of enough “information security” domains to even be a complete Chief Information Security Officer.

But we can change this; we can hack our CISO, our company structure and our security focus to get the results we not only want, but that we desperately need. We can change this by:

  • Aligning the CISO to the CEO with direct and regular contact with the Board of Directors
    • This means that your CISO (or another resource) becomes a CSO and controls not just information security, but operations security and potentially fraud operations and physical security
      • (Ever notice that your operational risk management organization and your IT risk management organization seem like they are from different planets? Hmmmm…. another potential article? I wonder..)
    • Before you say “yeah right”, understand that many large companies are already doing this
  • Funding information security as well as business security as if it were a brand new product line for your company
  • Bring all security related functions together under a unified structure; recognize that information security is only one piece of the security puzzle
  • Stop treating information security as an “IT” function; treat it as a corporate service
  • Stop giving information security away if you really want to create a secure company; a topic you can dig into further by reading my upcoming article, “Information Security is Free!”

Certainly many of these recommendations are up for debate. I don’t, for a moment, believe I have all the answers or a silver bullet to solve the universe of complexities we face as risk and security practitioners. But, I do know that how we have been conducting the business of cyber security and risk management isn’t working under our old structures, models, beliefs and methods. If it were, we’d be seeing fewer and not more cyber events every single day, month and year.

Are you ready to hack your CISO and your company to fundamentally change how you keep your organization safe?

How to Hack Your CISO and Get Better Results, Every Day! Pt. 1

Can I be brutally honest for a moment? Your Chief Information Security Officer has been set up to fail.

I know, I know; you believe in your CISO. You stand up for them in executive leadership team meetings and board meetings. You talk about how much you truly worry about the next breach, exploit, fraud event or cyber related production outage. But, you really don’t mean it. How do I know? Because your CISO is still reporting to your Chief Information Officer.

Before we dive into how to hack your CISO and your organization for better security results, every day, let’s take a look at how your corporate governance and organizational hierarchy decisions are probably screwing up your hopes of avoiding the front page of the newspaper for the next big breach event.

When we look at the most common reporting structure faced by CISOs today (if your company even designates someone as CISO – not just a Director, Information Security), it is important for us to draw parallels to what our corporate environment would look like if we made the same bad choices in functional hierarchy in other areas of our company. Using the logic applied today to CISOs, why don’t we have the Chief Financial Officer report to the Global Head of Sales? What could possibly go wrong if the leader in charge of revenue generation and market share acquisition had the company’s primary accountant reporting to them? Using this same compelling line of reasoning, why don’t we have the General Counsel report to the Chief Marketing Officer? Wouldn’t it make the pesky business of legal disclosures so much simpler and better for your customers? Why have the Chief Information Officer report to the Chief Executive Officer at all? We know that the business drives large parts of the annual technology spend in every company, so why not just let the CIO report to the head of the largest business unit in your company? Fair is fair, right? I am certain the business executive owning all of technology will pay all the required attention to system maintenance, the needs of other business lines and day-to-day IT operations. Aren’t you?

In all of these instances, I am certain you’re saying “no, that won’t work. That’s not how any of this works”. But, this is precisely what you’ve done with your Chief Information Security Officer. You’ve aligned them to a business leader for information technology. You’ve aligned them to a member of the executive leadership team who has enormous up-time demands from his business partners, huge expectations from her product development and marketing teams as well as day-to-day run the engine requirements that consume considerable portions of their already heavily scrutinized budgets. And in the midst of all of this, you’ve aligned the one person in your organization that has been tasked to keep the entire digital universe you occupy safe, while putting them in a position where they can never deliver on that task.

So what happens as a result? Your CISO’s budgetary asks are put into the total CIO budget request and it is evaluated based on “business need” or “business priority”. Your CISO will tell you “we have included risk reduction in our business case formula” but seriously, it is not true. It isn’t that the CISO is lying, it is that your CISO is the only one desperately saying “I need this technology spend to fix this serious security problem, so stop taking my money to build the next rewards program application for the business”. They are diplomatically drowning. And you are throwing them a boat anchor instead of a life preserver.

Think about the reality of history for a moment, without discounting the truth of it. The information security function did not exist within your company as recently as 10 years ago, maybe not even 2 years ago for several organizations. By aligning information security or cybersecurity to IT, you immediately made a subconscious decision to have your CISO fight for table scraps of budget dollars from the 1.5% to 6% of total budgetary spend you were throwing to your CIO. Oh, and don’t forget – you also demand a 10% reduction of that total expense year-over-year. The choice made, long ago, was that even though cybersecurity is an entirely new function and frankly an entirely new set of technologies, processes and staff expertise, there would be no “green” dollars reserved for the function. In no other area of our corporate structure have we ever made that type of decision. We’ve never started a brand new business line, product category or acquisition without investment dollars; new money, green money. So we’ve organized and funded our CISO in a way that guarantees failure. Every budgetary battle for a CISO ends up being the equivalent of King Solomon demanding that the baby be cut in half to appease the CFO, the CISO and all the other IT leaders fighting for money. Except the decision to not fund a security program across any of the many control categories is precisely why you will get breached. Making your CISO engage in the financial equivalent of Fight Club with your Head of Infrastructure will most certainly lead to your much needed infrastructure upgrade and your much needed infrastructure security monitoring both being underfunded and sub-optimally implemented.

I’m sure there will be some sensitivity to my brusque tone and sharp delivery of this message. But, CEOs, COOs, CFOs, CIOs and members of risk management committees at the Board of Director’s level, you need a wakeup call. I’m just ringing the bell. While you might be defensive about this series of statements, you just need to ask yourself one question so we can get on to how to hack your CISO for better results.

Do you believe you have enough money to buy your way to safety with information security solutions?

We’ll dive into that in Part 2.

Anti-CISO; The Birth of a Nickname

I have had a very fortunate, heck a pretty extraordinary, career journey since leaving the US Army nearly 30 years ago. One that I truly never could have predicted for myself and certainly one that I wouldn’t trade for any other.

I spent a number of years in construction project management in the retail sector and was feeling like my options were limited. Fortunately for me, I was at a party one night and a gentleman who would become both my manager and ultimately a long-time friend and mentor saw in me something I couldn’t see in my mid-20s self. He told me, “if you can manage a construction project, you can manage a technology project”. More than 20 years later, that simple statement turned into more IT executive management roles than I can recall sometimes. Over 1,000,000 miles of air travel in multiple global positions and more experiences, passport stamps and truly great friendships than a kid from a small town on the shore of Lake Erie could have ever thought possible.

A number of years ago I had transitioned through several technology positions in program management, infrastructure and application development and eventually to a global head of technology position. While I thought I had finally grabbed that brass ring, the global economic downturn quickly realigned both my thinking and my reality. Fortunately for me, it was also the time in history when copious amounts of attention were being directed towards information security and risk management. With prior Big 4 experience in financial risk management, I made a fortuitous change to the “cyber” side of the house and what a ride it has been since then.

After a tenure as a global head of identity management in the banking industry, I became the global head of information security and compliance for a high-tech manufacturer. And in this position, I got the nickname: The Anti-CISO.

“Anti” in this case was never meant in the form of “against”, but more in the way of “anti-hero”. Sometimes it is hard to read the official definition “a protagonist or notable figure with no heroic qualities”. Ouch. But I’ve always understood the intent of why a sales executive gave me that moniker. I was, and still am, a tough customer. Skeptical, not prone to believe anyone’s conference marketing-ware and I typically have an almost visceral reaction when someone approaches me and trumpets what part of the “quadrant” their solution has been placed in.

High expectations for both integrity and positive outcomes were characteristics cultivated in me, not from my corporate upbringing, but from my home upbringing. My father was and will always be my best business teacher; and I grew up in a family business household. Your word was your bond and you delivered what you were paid for, without exception. Sadly, this isn’t exactly the world we find ourselves in when it comes to the sales and purchasing of technology solutions. There is a huge amount of “vapor ware” out there, surrounded in a bubble wrap of bad implementations and sour partnerships. When you run technology operations for a long time as I have, you simply learn this reality over and over again. Which led to me being a very pragmatic, matter-of-fact, no baloney kind of CISO.

When it comes to the selection, purchasing, implementation and on-going operational management of information security and risk management solutions; the driver today isn’t good, solid fundamentals. Nope. The driver is blinky lights and “buy me a solution that fixes the immediate pain”. The driver is remediating audit findings that actually don’t reduce a molecule of risk. Fear, uncertainty and doubt have become the fuel of a fire that consumes hundreds of millions of dollars without delivering actual results. Mainly because we have forgotten many set-in-stone principles of technology.

A great example of this is how many information security solutions purchased and implemented today run on unreliable, incomplete, inaccurate and corrupted data from other source systems in order to function. No information security solution on the planet will take garbage data and turn it into usable intelligence or a functioning defense. Yet companies are buying and implementing solutions like this every single day. Out of fear of doing nothing. Out of uncertainty as to where the actual root cause of their weaknesses and exploits really resides. And we buy while fighting that nagging doubt that nothing we do will save us or that whatever we buy won’t actually work as advertised.

So, this Anti-CISO is here to call B.S. We can take control. We can win. We can be safe. We can protect, defend and overcome. We just need to stop trying to cultivate our heroic qualities and focus on fixing what is bad at the core of our security programs. We all need to be a little anti-CISO.

Where Are All The Contrarians At?

Here is the disclaimer:

All of the opinions, musings, thoughts, observations, poems, limericks, heavy metal hair ballad lyrics, beliefs, approaches, methods, suggestions, ideals, mores, philosophical and/or existential rabbit-holes, jazz stylings, brushstrokes, inappropriate origami, satirical references, uncomfortable silences, awkward juxtapositions, lame analogies, inspired metaphors, chilling predictions, grammatical abuses, declarative statements and egregious movie quote references on this page are mine and mine alone.

I write this blog as a contrarian. A pragmatist. A dis-believer in the mystification of information security. A skeptic in the evil power of glossy conference ware. A champion for those faced with the day-to-day reality of: I have to run your expensive solution after you recommend it to me in your “strategic” guidance, after you implement it and after you and Elvis have left the building, while I have to figure out how to care for and feed it.

Yes – I work in the industry. Yes – I provide strategic consulting. Yes – I provide recommendations on what to buy, sell, shoot, support, maintain on life support and co-develop.

No – that isn’t a conflict of interest. No – I’m not bought and paid for by manufacturers and solution providers. No – I can’t get a solution provider to give away their technology to you for free because you want a 100% discount. No – I’m not sharing these contrarian positions, thought-provokers, cocktail party conversation starters, harsh critiques or the occasional endorsements to line my pockets with BitCoin, fat stacks, Bennys, high fives or subway tokens.

Nope – I believe passionately in what we do. I believe that we aren’t faced with a crisis of serviceable solutions for cyber security and risk management. I believe there are great solutions out there. But, I do believe we are facing a crisis of leadership, knowledge and good basic foundational controls. I believe that a contrarian needs to stir the pot, take some bumps and bruises for saying what is unpopular, pointing out what is kerfluffle and calling to account those who are leading us down a primrose path.

We need more contrarians – so come along for the ride.

One last thing – the one prohibition I operate under professionally is that I cannot offer detailed commentary about any specific hack. So, this ain’t that kind of blog. There are plenty of places to go to dig into the gory theories of how a given exploit was executed. Given my background though, I can tell you a little secret. Regardless of what all the folks who decode the mystic arts of the hack tell you – they probably won’t tell you the painful truth. Ultimately, every single hack leads back to the bad guy acquiring an identity that doesn’t belong to them.

But, that is a spoiler. There will be a lot of things to read on that incontrovertible truth on this blog.