Information Security and Starcraft II

Posted in /opt/risk_management, /root/IT Management, /var/rant on October 4th, 2010 by Rick Zhong

For the past month, I have probably spent half of my free time playing Starcraft II on the Battlenet. While I am trying to pull back a bit and get back to the usual IS research stuff I do, I just find that the two (Information Security & Starcraft II) are amazingly similar in multiple aspects.

In the Information Security world, we always look at People, Process and Technology, while in Starcraft, Resources, Troops and Technology are the threesome needed to win a game. In both cases, an optimal balance of these three factors is the key to successfully managing enterprise information security or defeating your opponent in a Starcraft 1vs1 game. Also, an objective and adaptive strategy is fundamental in both cases. As IS professionals, we need to keep a close eye on the current threat landscape and on emerging threats, and allocate resources (your budget) accordingly. In Starcraft, scouting and intelligence about your enemy’s strategy are what you use to decide how to spend your minerals and gas.

At the tactical level, a complementary mixture of your troops is one of the most basic micro techniques in Starcraft. Similarly, in Information Security, I am a strong believer in multi-layer/multi-tier implementation and in the diminishing returns of investment in a single type of Information Security control. A single type of IS security control can only reduce the overall risk by a certain percentage, and subsequent return on investment in the same type of control will decrease and reach a plateau. In one of the recent talks I attended, Dr Peter Tippett from Verizon Business also illustrated this using the example of the safety belt among car safety controls. A nylon safety belt will reduce the probability of a fatal car accident by 50%, while a high-cost titanium safety belt will only reduce it by another 3%. Instead, an airbag, at a fraction of the cost of a titanium safety belt, will reduce the risk much more significantly.

Just like Starcraft’s micro (unit control in battles) and macro (resource planning, map control etc) management, there are also micro and macro in Information Security. We need a Risk framework, Governance, Strategy, Measurements and Metrics etc at the macro level, but we also need micros such as vulnerability research, code analysis, log monitoring, intrusion signature development and reverse engineering. Lacking either one will neither win you a Starcraft game nor protect your enterprise information effectively.


For all the friends in Information Security Industry

Posted in /var/rant on November 17th, 2008 by Rick Zhong

An article from CSO online, and I can’t help but blatantly post it here to share with all my friends in the Information Security industry. Information security is a very young industry and we need people to have faith in what we are doing and the value we create. It’s sad that we see a lot of people leaving during the good years to pursue greater monetary gains, and also people who are forced to go when the economic crisis strikes. I heard one of the veterans mention that “All of us want to quit the InfoSec industry but realized that it has sucked us in!” I hope this quoted article can help us survive the current economic recession and keep the passion and faith in the profession to which we have dedicated our careers.

========================================================

November 04, 2008

When meeting someone new and describing my background in this industry I often say “I’ve seen the best of times, I’ve seen the worst of times and most of what falls in between.” I’ve been recruiting in Information Security long enough to have experienced the heady times of the dot.com boom and the dark days that followed after it all came crashing down. I’ve also been here as the industry has grown and evolved—sometimes as a result of and sometimes in spite of significant difficulties. This evolution leads to adaptation, and it’s the ability of people to adapt and rise above one challenge after another that makes our industry so dynamic.

Given what I do, communicating with and connecting people, I’ve offered both a shoulder to cry on and a kick in the pants to those that need it—especially in uncertain times like the ones we’re facing. I don’t enjoy either situation. For the purpose of this column I wanted to offer some sound advice to those Information Security professionals who are concerned about the future of their jobs. Think of it as a general checklist of things that you probably should be doing all the time but need to devote some time and consideration to right now, especially if your future is uncertain.

First, know your differentiators. Understand what sets you apart from your peers and how you can use these qualities to best advantage. Similarly, think about your personal “brand”. If you had to describe to another person who you are, what you do and most importantly what problems you can solve, how would you do it? Develop a personal branding statement that will allow you to do this whether it’s in the elevator with your boss’s boss or on a job interview.

For example, I was speaking with a candidate who had very strong application security skills. She also had a great sense of humor and was a natural communicator. She was frustrated because she was falling behind in her work due to the number of times she was personally requested to sit in on IT project meetings. I laughed when I heard this because she didn’t realize what she was saying. The result was one more critical differentiator that strengthened her personal brand. So now, when somebody asks her what makes her stand out, she’ll tell them “Although my primary focus is application security risk assessment, I’m the person my company relies on to bridge the gap between business and security requirements and who gets everyone to work and play well together.”

Second, find ways to leverage your differentiating qualities to add greater value to your current organization. By demonstrating the ability to provide solutions and solve problems important to your company you may just save your job, or at least postpone your departure. So find out what the hot buttons are—not just within security but with other areas of IT and within the business you support. There may be hidden opportunities where your perspective and experience could make a difference.

Third, work on strengthening your relationships with your management as well as other stakeholders or clients you support. Communication is key to accomplishing this. Developing an active and open rapport with others will help you better understand the big picture of what’s going on around you. It will also help you keep your cool and make informed decisions about your options while rumors at the water cooler are flying.

And finally, be ready to embrace change beyond your control. From a career perspective this means having your “personal marketing documents”, AKA resumes, references and professional certifications, up to date. It also means communicating your interests and intentions to everyone you know who might be able to help you. This includes re-connecting with your recruiter, any mentors, past co-workers or clients with whom you’ve had positive experiences in the past. It also means taking the time to catch up on the industry at large through reading trade journals, attending networking events and increasing your participation with industry organizations. Get the word out to your associations, organizations, friends and family that you are on the job market.

Lately, not a day goes by that someone doesn’t ask me what the future holds for our industry in these tough economic times. The truth is, nobody can tell. It’s a fact that in the short term, supply will likely outstrip demand especially for the most senior roles in our industry. The best and only way to adapt to change of this nature is to be prepared—mentally, materially and socially. We should know that we’re in for a marathon and not a sprint. Yet despite the challenges ahead I’m confident that our industry will continue to grow and thrive. We just need to put less stock in the markets and more stock in ourselves.

Jeff Combs is Practice Lead, Security and IT Risk Recruiting at Alta Associates.

========================================================


Confessions of an Information Security Manager ?

Posted in /etc/IT_security/news, /opt/risk_management, /root/IT Management on September 10th, 2008 by Rick Zhong

I just read an article, “Confessions of a Risk Manager”, from economist.com. It was recommended by a featured blog post, “Risk Managers Are Just Like Security People”, on securityfocus.com. The article truly and vividly describes the kind of difficulties and dilemmas encountered by a Risk Manager, which I can very much relate to the information security folks in the financial sector. The situations are amazingly similar between information security folks and risk managers.

“In their (By Rick: the business people, mainly front line traders, bankers, sales) eyes, we were not earning money for the bank. Worse, we had the power to say no and therefore prevent business from being done. Traders saw us as obstructive and a hindrance to their ability to earn higher bonuses. They did not take kindly to this. Sometimes the relationship between the risk department and the business lines ended in arguments. . . .

Tactfully explaining why we said no was not our forte. Traders were often exasperated as much by how they were told as by what they were told. At the root of it all, however, was—and still is—a deeply ingrained flaw in the decision-making process. In contrast to the law, where two sides make an equal-and-opposite argument that is fairly judged, in banks there is always a bias towards one side of the argument. The business line was more focused on getting a transaction approved than on identifying the risks in what it was proposing. The risk factors were a small part of the presentation and always “mitigated”. This made it hard to discourage transactions. If a risk manager said no, he was immediately on a collision course with the business line. The risk thinking therefore leaned towards giving the benefit of the doubt to the risk-takers.

Collective common sense suffered as a result. Often in meetings, our gut reactions as risk managers were negative. But it was difficult to come up with hard-and-fast arguments for why you should decline a transaction, especially when you were sitting opposite a team that had worked for weeks on a proposal, which you had received an hour before the meeting started. In the end, with pressure for earnings and a calm market environment, we reluctantly agreed to marginal transactions.”

I should probably replace all the financial terms in this article with information security terms and come out with a new version titled “Confessions of an Information Security Manager”.


Information Security Risk Categories

Posted in /opt/risk_management on March 21st, 2008 by Rick Zhong

Recently I have been doing some work on risk management, mainly information security risk and its impact on medium to large companies in the financial sector. Commonly used risk categories include, but are not limited to, the following types:

1. Monetary loss (such as reduced Revenue, inflated expense etc)

  • High Risk: Potential for a significant impact on revenue or expense plan (greater than $xxxx per day)
  • Medium Risk: Potential for a moderate impact on revenue or expense plan (between $xxxx - $xxxx per day)
  • Low Risk: Potential for little/no impact on revenue or expense plan

2. Legal and Regulatory Risk

  • High Risk: Risk of potential regulatory intervention and supervisory action or fines (greater than $xxxk per day)
  • Medium Risk: Significant compliance gaps with potential serious impact or fines (between $xxxx - $xxxx per day)
  • Low Risk: Common compliance findings without serious impact (less than $xxxx per day)

3. Reputation

  • High Risk: National or international news segment (Print, TV, Blog or Radio). Repeated news mentions.
  • Medium Risk: Makes local news with potential for national coverage
  • Low Risk: No external exposure. If leaked externally, unlikely or negligible impact

4. Competitive Ability (For example leakage of new products information etc)

  • High Risk: Potential for a significant impact on potential new enterprise-wide customers or incremental fees
  • Medium Risk: Potential for a moderate impact on potential new customers in isolated markets or incremental fees
  • Low Risk: Potential for little/no impact on potential new customers or incremental fees

5. Customer/internal Staff

  • High Risk: Potential for significant loss of existing customers enterprise-wide or significant impact on employees enterprise-wide
  • Medium Risk: Potential for a moderate loss of existing customers in isolated markets or moderate impact on employees in certain geographies
  • Low Risk: No loss/negligible loss of existing customers or impact on employees
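The five categories above are a scheme a practitioner usually ends up encoding somewhere, so here is an added example of how that can be done in Python; it is not code from the original post. The dollar thresholds are assumed placeholders standing in for the post's "$xxxx" figures, the qualitative scales map the post's wording for the three non-monetary categories onto observation keys I chose for this example, and the scenario at the bottom is constructed. The overall rating is taken as the worst single category rather than an average, so that a high competitive or reputational risk cannot be hidden by a low monetary figure.

```python
"""Rate an information security risk against the five impact categories.

Added example, not part of the original post.  Threshold values are
placeholders (the post writes them as $xxxx); replace with your own figures.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed placeholder thresholds, in dollars of loss per day:
# (medium_floor, high_floor).  >= high_floor -> HIGH, >= medium_floor -> MEDIUM.
MONETARY_THRESHOLDS = (10_000, 100_000)
REGULATORY_THRESHOLDS = (50_000, 250_000)

# Qualitative scales for the non-monetary categories; the keys are the
# observations an assessor records, chosen for this example.
REPUTATION_SCALE = {
    "none": Rating.LOW,        # no external exposure
    "local": Rating.MEDIUM,    # local news, possible national coverage
    "national": Rating.HIGH,   # national/international or repeated coverage
}
COMPETITIVE_SCALE = {
    "none": Rating.LOW,
    "isolated_markets": Rating.MEDIUM,
    "enterprise_wide": Rating.HIGH,
}
CUSTOMER_STAFF_SCALE = {
    "none": Rating.LOW,
    "isolated": Rating.MEDIUM,
    "enterprise_wide": Rating.HIGH,
}


def rate_by_threshold(loss_per_day: float, thresholds: tuple) -> Rating:
    """Bucket a daily loss figure into LOW/MEDIUM/HIGH."""
    medium_floor, high_floor = thresholds
    if loss_per_day < 0:
        raise ValueError("loss per day cannot be negative")
    if loss_per_day >= high_floor:
        return Rating.HIGH
    if loss_per_day >= medium_floor:
        return Rating.MEDIUM
    return Rating.LOW


def rate_qualitative(observation: str, scale: dict) -> Rating:
    """Map an assessor's observation onto the category's scale."""
    if observation not in scale:
        raise ValueError(f"unknown observation {observation!r}; expected one of {sorted(scale)}")
    return scale[observation]


@dataclass
class RiskAssessment:
    monetary_loss_per_day: float
    regulatory_fine_per_day: float
    reputation: str
    competitive: str
    customer_staff: str
    ratings: dict = field(default_factory=dict)  # filled in by rate()

    def rate(self) -> dict:
        self.ratings = {
            "monetary": rate_by_threshold(self.monetary_loss_per_day, MONETARY_THRESHOLDS),
            "legal_regulatory": rate_by_threshold(self.regulatory_fine_per_day, REGULATORY_THRESHOLDS),
            "reputation": rate_qualitative(self.reputation, REPUTATION_SCALE),
            "competitive": rate_qualitative(self.competitive, COMPETITIVE_SCALE),
            "customer_staff": rate_qualitative(self.customer_staff, CUSTOMER_STAFF_SCALE),
        }
        return self.ratings

    def overall(self) -> Rating:
        """Overall rating is driven by the worst category, not an average."""
        if not self.ratings:
            self.rate()
        return max(self.ratings.values())

    def drivers(self) -> list:
        """Categories that set the overall rating, for the write-up."""
        top = self.overall()
        return sorted(name for name, r in self.ratings.items() if r == top)


# Constructed scenario: leak of an unreleased product's specification.
EXAMPLE = RiskAssessment(
    monetary_loss_per_day=20_000,   # lost pre-orders; constructed figure
    regulatory_fine_per_day=0,      # no regulated data involved
    reputation="local",
    competitive="enterprise_wide",  # competitors see the whole roadmap
    customer_staff="none",
)

if __name__ == "__main__":
    for name, r in EXAMPLE.rate().items():
        print(f"{name:18} {r.name}")
    print("overall:", EXAMPLE.overall().name, "driven by", EXAMPLE.drivers())
```

Running the scenario rates monetary loss as MEDIUM and the overall risk as HIGH, driven solely by the competitive category; `drivers()` is there so the write-up can say which category forced the rating rather than just reporting the letter.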

Revisiting Business Continuity Management

Posted in /opt/business_continuity, /opt/risk_management on March 20th, 2008 by Rick Zhong

The last time I studied BCM was in 2005, when I was preparing for my CISSP exam. The post-SARS period was also the moment companies in Asia became aware of the importance of BC practices. In my current working group, we have a couple of BC experts who are developing and managing regional BC practices. Although I am on the InfoSec side, there is also an opportunity for me to get in touch with all the BC stuff, and it is pretty interesting.

I have just read a PDF document, “How to Deploy BS 25999” by Susan Yardis and John DiMaria, and was pleasantly surprised by a couple of new items in the current BCMS in comparison with those back in 2004.

For example, the main activities and stages in the current BCMS defined by BS25999 are:

  1. Business Impact Analysis - determining the impact of a disruption of critical organizational activities
  2. Risk Assessment - understanding the threats and vulnerabilities to the organization’s critical activities
  3. Risk Treatment Options - determining the strategy options to mitigate risk by reducing the likelihood of an interruption or limiting its timeframe
  4. Business Continuity Options - defining how the organization will recover critical activities, and accounting for those activities not deemed critical
  5. Response Activities - determining the process to respond to an interruption and manage the business recovery activities
  6. Planning - documenting the process determined in the previous three sections
  7. Exercising - validating the plans and arrangements are effective and up-to-date with current information
  8. Strategy and Plan Review - updating the plans and arrangements following exercising or review
  9. BCMS Review and Maintenance - reviewing and revising the BCMS to ensure the program is meeting objectives in an efficient manner

One significant additional item in this new practice compared with the old one is item 3, Risk Treatment Options. It clearly indicates the additional responsibility of BC professionals to be involved in risk mitigation, shifting the emphasis from the traditional “find the problem and deal with it when it occurs” approach to “find the problem and fix it before it occurs”. This is definitely a nice improvement, and we shall see the actual industry acceptance of it.
