Seven inspiring ideas for small changes that lead to big improvements in both security posture and leadership in the next few weeks.
A brief pause before decisive action
We know the routine of the new year is settling in when the predictions stop, the resolutions go by the wayside, and the rhythm of work takes hold.
This is the perfect time to pause. For just a moment. Then to act, decisively.
Sometimes one small change is all that is needed to create big results. In security, both small changes and big results are needed. To help focus our efforts, I asked five people who inspired me last year to share one thing to change this year.
I also reached out to two respected advisors for a small bonus. What follows are 7 solid suggestions to create a foundation for success in 2015. Quick actions and small changes you can make before the end of the first quarter.
Jack Jones: Adopt Root Cause Analysis
Jack Jones (LinkedIn, @jonesFAIRiq) is a legend in the field of security, especially for those paying attention to the need for evidence-based practices.
One change for this year: adopt root cause analysis (RCA) in risk issue management. Treating symptoms rather than root causes is inefficient, and it leaves the organization exposed more often and for longer. Establish a requirement that every audit finding and information security deficiency undergo a root cause analysis, and then treat the root causes that analysis identifies.
Jack explained that “Few organizations perform meaningful root cause analyses on the control deficiencies identified in audits and security testing. More often, they treat the findings themselves, which are symptoms of underlying problems, rather than the causes of the findings. This wastes resources that could be applied to managing other risk-related challenges or to grow the business.”
Jack shared five steps to get started in five days or less:
Identify outstanding risk issues (existing known audit findings and security deficiencies)
Perform RCA on the risk issues using the CXOWARE RCA worksheet (link)
Identify the one or two root causes responsible for the majority of issues
Treat those root causes (admittedly, this might take a bit longer, but minimally, knowing where to focus is a benefit worthy of spending a few more days)
Make RCA a requirement for all audit and information security risk identification processes
According to Jack, “performing meaningful root cause analyses against a set of control deficiencies almost always identifies a small set of underlying systemic problems that, if addressed, can have a profound effect on an organization’s ability to manage risk cost-effectively over time.”
Ron Wilson: Tactically Prepare for the Assume Breach Mindset
Ron Wilson (LinkedIn) is the VP of Customer Success at Damballa (disclosure: I worked with Ron while building an educational series for Damballa last year). During our work together, he shared a lot of insights for leaders looking to make the shift to the “assume breach” mindset.
One change for this year: advance the ‘assume breach’ mindset with some simple, tactical preparations.
On the need to change our mindsets and prepare tactically, Ron quotes Kafka: “Better to have, and not need, than to need, and not have.”
Ron suggests working through the following five steps:
Figure out who (internally) needs to be informed, and in what priority; define and document who owns internal and external communication
Create and define the communication team. These are the folks with the skill and ability to communicate effectively during a crisis. They need to be able to rapidly translate complexity to coordinate various groups.
Identify who needs to internally help assess and remediate. Make sure they know.
Determine who you can turn to (external) for additional support; work to get agreements in place before a breach happens
Pre-define the local, state and federal agencies to work with (if the need arises); consider connections, introductions, and familiarity with the appropriate organizations
Once the initial work is done, socialize your findings with other security leaders and influencers. Once everyone is on the same page, schedule a briefing with executives and leaders named in the program. Use the time to review the findings, validate decisions, and open a dialogue to guide further changes. Minimally, work to tie executive perception to practitioner reality.
The simple act of working through these questions in the span of the week is a significant advantage when a breach is discovered. Equally powerful is the ability to build the dialogue necessary to guide more changes down the road.
Jonathan Sander: Get Comfortable Talking about Unstructured Data
Jonathan Sander (LinkedIn) is the Strategy & Research Officer for STEALTHbits. Brilliant, witty, and someone I count on for philosophical insights and sharp ideas.
One change for this year: include unstructured data in conversations and plans about security
Unstructured data is information in human-generated files: every spreadsheet, presentation, PDF, and Word document is an example.
“It’s always been amazing to me how few security professionals think about it. I get that it’s not the sexiest thing in the world. No one makes a movie about the person who copied a sensitive file. It’s always about the HACKER who BROKE through a FIREWALL. That makes for better Hollywood plots and better board room presentations about funding strategic security initiatives.”
Jonathan shared that up to 80% of all the data in any organization is unstructured, and that in most cases it contains 100% of the organization’s sensitive information. Of course, that sensitive information is also locked up in a database or application, so it feels safe.
“We all know people have copied that information into spreadsheets, emails, documents, and then squirreled those away in every nook and cranny of the infrastructure.”
The good news, according to Jonathan, is this one comes with an easy solution: access controls and proper policy (setting, enforcing).
“Security professionals are good at access control and setting proper policy. They can’t do that for things that aren’t on their minds, though. That’s why I simply want them to put unstructured data on their lists. I’m absolutely confident that all they need is to pay attention to the problem, and they’ll soon nail down the solution.”
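A concrete first step for putting unstructured data on the list, as an added example that is not from the original article or from STEALTHbits: a PowerShell pass over file-server folders that reports where broad principals such as Everyone or Authenticated Users have been granted access, whether that grant is writable, and how many spreadsheet and document files sit directly in each such folder. The root paths, file patterns and list of broad principals are assumptions to adjust for your own environment.

```powershell
# Added example, not code from the original article or STEALTHbits.
# Finds folders where broad principals have been granted access and counts
# the human-generated files (spreadsheets, documents, PDFs) in each. Run on
# the file server, or against its UNC paths, as an account that can read ACLs.
# Assumptions: the root paths, file patterns and "broad" principal names
# below are hypothetical and should be adjusted to your environment.

$Roots = @('D:\Shares\Finance', 'D:\Shares\HR')                        # assumed paths
$DocPatterns = @('*.xlsx', '*.xls', '*.csv', '*.docx', '*.doc', '*.pptx', '*.pdf')
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'BUILTIN\Users')

function Get-BroadAccessFolders {
    param([string[]]$Roots, [string[]]$BroadPrincipals, [string[]]$DocPatterns)

    foreach ($root in $Roots) {
        # Include the root itself, then every folder beneath it.
        $folders = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                   @(Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue)

        foreach ($folder in $folders) {
            $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $identity = $ace.IdentityReference.Value
                # Match "NT AUTHORITY\Authenticated Users", "CORP\Domain Users", etc.
                $broad = $BroadPrincipals | Where-Object { $identity -like "*$_" }
                if (-not $broad) { continue }

                # Count documents directly in this folder; child folders get their own row.
                # The trailing wildcard is needed for -Include to apply without -Recurse.
                $docCount = (Get-ChildItem -Path (Join-Path $folder.FullName '*') -File `
                                -Include $DocPatterns -ErrorAction SilentlyContinue |
                             Measure-Object).Count

                [pscustomobject]@{
                    Path      = $folder.FullName
                    Principal = $identity
                    Rights    = $ace.FileSystemRights
                    Writable  = (($ace.FileSystemRights -band
                                  [System.Security.AccessControl.FileSystemRights]::Write) -ne 0)
                    Inherited = $ace.IsInherited
                    Documents = $docCount
                }
            }
        }
    }
}

$findings = Get-BroadAccessFolders -Roots $Roots -BroadPrincipals $BroadPrincipals -DocPatterns $DocPatterns

# Explicit (non-inherited) grants are the ones someone chose to set; list those first,
# and within each group the folders holding the most documents.
$findings | Sort-Object Inherited, @{Expression = 'Documents'; Descending = $true} |
    Format-Table Path, Principal, Rights, Writable, Inherited, Documents -AutoSize

$findings | Export-Csv -Path '.\broad-access-folders.csv' -NoTypeInformation
```

The output is a starting list for the access-control conversation, not a verdict: a broad read grant on a folder of public templates is fine, while a writable grant to Authenticated Users on a folder full of spreadsheets is the kind of thing that gets copied and squirreled away.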
Shawn Tuma: Assess Contracts and Policies That Govern Use
Shawn Tuma (bio, blog, @shawnetuma) is the counsel I seek when I have questions on security issues, especially when it comes to discussing CFAA and security breaches.
One change for this year: reconsider the contracts and policies that govern access to and use of your computer network and data, and take them seriously.
Shawn explains that “Insider misuse, whether intentional or accidental, is a substantial factor in many of the cybersecurity and data breach incidents that impact companies. The rules and regulations that govern what insiders can and cannot do on the network and the legal remedies that are available in cases of intentional misuse are frequently governed by the contracts and policies that the company had in place before the incident occurred.”
Here are five steps to get started:
Inventory and prioritize all contracts and policies: take a broad view of both internal and external agreements
Ensure adequate contracts and policies are in place to cover all actual and potential accesses and uses of the company network and data
Look at each of the agreements and policies (by priority) individually to ensure that they work together, holistically, and do not contradict or undermine each other; if necessary, resolve conflicts
Review each agreement/policy in more detail to ensure it provides adequate confidentiality requirements, notices, limitations on permissible access and usage, and rules for disclosure of information; identify potential remedies, too, such as monitoring and legal action for violations
Conduct periodic training with employees to explain limitations and requirements; rely on case studies to guide how to think through situations to make better decisions
Working through a larger set of agreements might take longer than five days. However, the process of focusing on and strengthening agreements doubles as an educational opportunity. Use it to bring groups together to share insights of interest, along with the kinds of risks involved, how to avoid them, and a mutual understanding of the consequences.
Shawn points out the power of this approach: “if a problem arises and the company finds itself in court over these issues, it will have a strong documented record to show that it took the risk seriously, used it as an opportunity to educate its workforce to help minimize the risk, and that the members of the workforce had actual subjective knowledge of these rules, which always helps.”
Jay Roxe: Understand Your Users
Jay Roxe is the Sr. Director of Product Marketing for Rapid7. We spent the summer telling each other bad jokes (we had a few good ones) and exploring the importance of understanding how people use our systems (link) (disclosure: Jay was a client that worked with me on an educational series).
One change for this year: understand your users and how they behave.
“We saw the importance of user behavior throughout 2014 as compromised credentials repeatedly made headlines as part of high profile breaches. If you know what your users usually do, you can lay the foundation for a comprehensive user behavior analytics strategy that will mitigate these risks and alert you to potential issues as they arise.”
Here are three areas to focus on, in order to gain an accurate understanding of your environment:
Assess Your Administrators: We routinely work with customers who have many more domain admins than they believe. One customer estimated a dozen admins and found many more people with the keys to the kingdom.
Phish Your Users: Most current monitoring technology is blind to attacks based on compromised credentials, yet users remain susceptible to phishing. A quick phishing and education campaign at the beginning of the year can help to remind users of the best practices they may have forgotten over holiday turkey.
Check The Cloud: Research has shown that more than 69% of terminated employees retain access to corporate information stored in cloud services. Are you aware of which cloud services are in use and who’s using them?
Jay explained that “these three quick checks give you some insight on where you may be vulnerable to having users and their data be compromised. Hopefully this inspires you to consider the next question of how to put a more complete monitoring strategy in place to address compromised credentials and user-based attacks.”
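The administrator count is easy to check in an Active Directory domain. The script below is an added example, not code from the original article or from Rapid7. It assumes the RSAT ActiveDirectory PowerShell module and an account that can read group membership, and it expands nested groups so that accounts that reach Domain Admins through another group are counted too, which is where the gap between “a dozen” and the real number usually comes from. The list of privileged groups is an assumption; extend it with any custom groups that carry equivalent rights.

```powershell
# Added example, not code from the original article or Rapid7.
# Assumes: RSAT ActiveDirectory module, and an account that can read group
# membership in the domain. The group list is an assumption; add any custom
# groups that carry equivalent rights in your environment.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators'
)

function Get-PrivilegedAccounts {
    param([string[]]$Groups)

    # SamAccountName -> privileged groups the account reaches, directly or via nesting
    $membership = @{}
    foreach ($group in $Groups) {
        try {
            # -Recursive expands nested groups, which is where the "extra" admins hide.
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not enumerate '$group': $_"
            continue
        }
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') { continue }   # computers and gMSAs need a separate review
            if (-not $membership.ContainsKey($m.SamAccountName)) {
                $membership[$m.SamAccountName] = New-Object System.Collections.Generic.List[string]
            }
            $membership[$m.SamAccountName].Add($group)
        }
    }

    foreach ($sam in $membership.Keys) {
        $u = Get-ADUser -Identity $sam -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires
        [pscustomobject]@{
            SamAccountName       = $sam
            Enabled              = $u.Enabled
            LastLogonDate        = $u.LastLogonDate
            PasswordLastSet      = $u.PasswordLastSet
            PasswordNeverExpires = $u.PasswordNeverExpires
            Groups               = ($membership[$sam] -join '; ')
        }
    }
}

$admins = @(Get-PrivilegedAccounts -Groups $PrivilegedGroups)
"Distinct privileged user accounts: $($admins.Count)"
$admins | Sort-Object LastLogonDate | Format-Table -AutoSize

# First things to question: disabled accounts still in the groups, accounts that
# have never logged on or not in 90 days, and passwords set to never expire.
$cutoff = (Get-Date).AddDays(-90)
$admins | Where-Object {
        (-not $_.Enabled) -or (-not $_.LastLogonDate) -or
        ($_.LastLogonDate -lt $cutoff) -or $_.PasswordNeverExpires
    } | Format-Table SamAccountName, Enabled, LastLogonDate, PasswordNeverExpires -AutoSize

# Accounts with adminCount=1 that are no longer in any privileged group keep the
# protective AdminSDHolder ACL and are easy to overlook in a membership review.
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { $admins.SamAccountName -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, Enabled
```

Run it once to get the real number, then keep the CSV-style output as the baseline: re-running it weekly and diffing against that baseline is the simplest form of the “know what your users usually do” monitoring Jay describes.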
Two bonuses to improve your leadership
A key to successful security leadership is investing in yourself, and your team. Sometimes the support we need comes outside of security and technology. To round out the list, here are two powerful concepts from experts I respect and consult with on a regular basis.
Justin Foster: Assess Emotional Intelligence and Intrinsic Value
Justin Foster is recognized as a branding expert. He is that, and more. Author of Oatmeal v Bacon: How to Differentiate in a Generic World, Justin possesses a remarkable ability to quickly distill things to their value and inspire improvement.
One change for this year: focus on your Emotional Intelligence and intrinsic value
Justin explains, “Emotional Intelligence (EQ) and Intrinsic Value are linked as two of the leadership traits absolutely necessary to perform consistently under pressure. EQ creates self-awareness and empathy for others. Intrinsic Value creates an internal equilibrium that ensures that leaders are clear thinkers, decisive and modeling behavior despite stressful conditions.”
Leaders can create new habits around EQ and Intrinsic Value with some of the following steps:
Seek professional help for untreated emotional trauma. Trauma has a numbing effect on both EQ and Intrinsic Value - creating blind spots and compartmentalization under stress.
Complete a self-audit of strengths and weaknesses - and share with several influencers/mentors that you trust for confirmation and feedback.
Build new habits around both your strengths and weaknesses. Examples: if mentoring others is a strength, create a system/process to make it a weekly habit. If expressing feelings is a weakness, start a private journal.
These three steps will make you a more holistic leader - allowing you to better lead yourself and your team.
Roger Courville: Embrace Your Role as a Connector
If you know of Roger’s (link) work improving virtual presentations, then you’re going to love his focus on connectorship. And if you’re new to Roger, then you’re in for a treat.
One change for this year: embrace your role as a connector -- the need to reach, teach, and lead.
“The rate and scale of change in today’s world is accelerating. This means that swaths of our employees are experiencing increasing deficits in attention, making sense of things, and feeling a sense of trust and connection. Connectorship — the ability to reach, teach, and lead in a digitally-extended world — is no longer an optional skill.”
Here are 3 ways to rapidly improve your ability to connect over the next few weeks:
Reach: Content is abundant if not overwhelming. When you share something, improve your attention-getting by “annotating” with a comment that connects what you’ve shared with why you shared it. Example: “Interesting list -- #4 is particularly relevant to us”
Teach: You will be “stickier” when you are perceived as a valuable connection to have. Be the “I always learn something from you” person.
Lead: Leadership is influence that points in a direction. Explicitly or implicitly, use every interaction as an opportunity to connect people back to the mission, objective, or motivator.
“The good news is that really connecting with your best (and most expensive) asset, the hearts and minds of your people, can be improved with technology when you make it a people-first endeavor.”
Go forth and improve
The start of a new year is a good opportunity to start fresh with a renewed focus on the priorities that actually improve your security posture. Include time to invest in yourself and improve your leadership, too.
Security is changing.
The opportunity comes to those who embrace the change. No more negative. Stop talking about limits and restrictions. Frame the positive.
Executives and boards need you. What do you need to provide them?
The concepts in this slide show set the stage for a successful year (and beyond). These are investments in yourself, your team, and your program. Depending on your situation, some might take a bit longer than a week; with some focus, all of these can be completed successfully by the end of Q1.
Collectively, these represent small changes with big results.