Monday 13 June 2016

Do people care about information security?

I’ve been thinking about this question a lot recently, not least because it forms part of a presentation I am doing in August. The reality as I see it is that people who don’t work in information security just don’t seem to give a s**t about it. Is this surprising? Probably not – people have busy lives after all. I’ve seen first-hand evidence though – family members, neighbours, friends – all doing stupid things, getting hacked, losing money, getting socially engineered. They seemed to shrug and not want to take action, as if it were something they had no control over. Infuriating! :)


The infosec community, me included, spends so much time thinking about it at work and outside work (some would say even more so outside of work), spends time on Twitter focusing on it (I get irritated if anything non-infosec comes up on Twitter – sad, I know) and reads blogs and articles etc. The rest of the population is decidedly nonplussed. I recently told somebody who works in marketing in my company what I did; she just laughed and said, “So something really interesting then” in a sneering sort of way. And I know what that meant. It meant she hadn’t spent 30 seconds in her life thinking about how to protect her information (perhaps company information as well as her personal information) and her identity.
So how can we change that? I mean we are supposed to be leading this area. How do we as infosec people change a society’s views? Of course it's ambitious! It would be boring if it wasn't.
I’m intrigued by the question though and intend to spend a lot of time investigating this. I recently set up ‘Information Security Awareness Ireland’ (admittedly it’s early days) specifically for this purpose. There are two broad focus areas in my view (and this view will no doubt mature).
Firstly, we need to focus on what we have at least some control over, namely our organisations and how to get people to pay attention there. That is about maturing the organisational culture regarding information security. This is where I will be focusing my efforts in the coming months.

However, the second and more difficult area is the general public. There are some great campaigns by various groups trying to get children to be safe online, but I am amazed at how little focus is put on the adults. Surely you can’t have one without the other. Educating the wider public will take a monumental effort over years to change thinking, just as the campaign to change the public’s attitude to seat belts (or smoking or exercise) took years. I believe that we as leaders in this field need to play a strong role and yes, that means taking a role outside of work. We just need to decide what these activities are and what to prioritise to facilitate change quickly.

Monday 6 June 2016

Information Security Awareness Ireland



As I mentioned previously, I am trying to get involved in some new things that I have been thinking about for a while. I want to formally create ‘Information Security Awareness Ireland’. This is a subject that I am involved in at work but also something I am genuinely interested in, both from an organisational perspective and from the perspective of a private citizen.
The big question the entity seeks to answer is:
How the hell do you get people to care about information security?

This will be a completely voluntary, not-for-profit organisation.
While it is early days, I see the purpose of Information Security Awareness Ireland being the following:
  • To promote an understanding of information security to the general public in Ireland (it may be a stretch to get people actually interested, but I would like them to be aware of the ideas and concepts).
  • To promote the development of an improved information security culture within organisations, both private and public sector, in Ireland.

Now there are some excellent organisations in Ireland already covering related areas, most notably CyberSafeIreland and ISC2. However, these groups are very focused on cyber security for children and, as such, have that area covered very well. My interest is broader than just educating children. Other groups such as ISACA Ireland and the Irish Information Security Forum do cover this topic to some extent, but their remit is so much wider, covering a wide range of information security topics. And obviously there are companies which cover this area and sell their expertise to their clients. However, I believe there is a gap in the landscape in Ireland for such a voluntary group to promote awareness of the topic.

This was very much inspired by Lance Spitzner and the SANS Securing the Human Program which I have blogged about previously. I have taken my own organization on a bit of a journey in recent years and have seen information security awareness and understanding taking a quantum leap. Of course the environment helped foster this but we developed a program to meet the requirement.

So, short term, I will:
  • Set up a LinkedIn Group
  • Try to get a few people who are interested in being involved and have an initial kick-off meeting within the next month.
  • Set up a .ie website (in progress)



I am really keen to generate some interest in this. So if Security Awareness rocks your boat and if you are interested in being involved please drop me a note on LinkedIn or just respond with a comment below leaving your email address.

Conferences and New Directions

Last week I had a genuinely rare experience (for me). I went to a conference (ISACA’s 2016 European conference – EuroCACS). I have been to many conferences in the last ten years, some way better than others. This one was right up there, but not for the reason I usually would expect.
It started off, for me, quite negatively. On the first day (of three), by about 3pm, I wanted to leave. Sometimes you just get unlucky with the sessions you choose when you go to these events, and by that time I wanted to go back to work as I was so bored (and that’s saying something).
However, as soon as day two started, and for the rest of the event, I was genuinely captivated. There were some excellent speakers and content which was relevant to me from an information security perspective (albeit with a heavy dose of ‘audit slant’… but what should I expect at an ISACA conference?).
The difference this time however was that, for the first time ever, I think I consistently understood and appreciated the value of what the speakers were trying to get across. So much so I felt, and again this is rare for me at a conference, ‘motivated’.
But ‘motivated’ to do what? Actually, things which I would not normally want to do. I wanted to present (and I am getting a chance at the upcoming ISC2 conference in October); I wanted to engage with people (I am shockingly bad at networking at these events) and, most interestingly (again for me), I wanted to make a difference. Now this may not seem like a big deal to anybody else but it is a big deal for me.
While these thoughts were fresh in my mind, the closing Keynote address by Mark Stevenson was inspirational – this is not a feeling I get very often.

He spoke about many things but focused on his ‘League of Pragmatic Optimists’ 8 principles. Some of these were completely obvious but nonetheless eye-opening for me. Sometimes in life you find yourself in a malaise. And when you are there, you can often do with a kick up the ass to think in a different way. Of course, and I suspect this may be the case, it could just be middle-age boredom which has found something exciting to focus on.

It’s been a week since I was at this conference and the optimism that I felt has still not left me. I have actually done several things I was thinking about for ages – literally initiated some new directions for myself. Some of these were what I would say are 'out of character' - but that is what I am excited about. And as I think about them more I generate even more ideas. I love the idea of ‘generating serendipity’. I am simply tired of being passive. What’s the worst that can happen?

Tuesday 29 March 2016

Information Security - A Good Introduction

Are you interested in taking on a course in the next academic year but are not too sure what you should do? Do you work in IT and want to challenge yourself to learn something new?



I have had the very great pleasure this year of being an Associate Lecturer on the UK Open University’s postgraduate Information Security module (M811). So I’d like to do some shameless pimping of this course because I think it is a great introduction to the subject.

The course covers information security from a range of angles that I think are appropriate for both the security person and the non-security person. The course is broken down into a couple of blocks:
  • Block 1 – Introduction to Information Security. This gives a gentle introduction to the subject and covers information security imperatives and incentives and information asset identification (i.e. that all-important identification of the information ‘crown jewels’ in an organisation and why it is so important to protect them on a prioritised and proportionate basis).
  • Block 2 – Information Security Risk Assessment. This is where it really gets into the detail and covers risk assessment and threat and vulnerability impacts. It does all this while allowing you to focus both on your organisation and your home environment, so it is instantly relevant and provides immediate value.
  • Block 3 – Information Security Risk Management. This covers information security controls and compliance and explains how to establish an information security management system for an organisation.

What I really like about the way it is structured is that it splits each sub-module into four strands to help optimise your learning:
  • The Organisation Strand (where you learn about the relevant information security standard, ISO 27001, and how to ‘do’ risk assessment and risk management)
  • The Personal Strand (where you will learn to protect your home assets)
  • The Research Strand (where you cover existing academic knowledge in the area as a means of challenging assumptions)
  • The Practitioner Strand (to help you track developments and current issues in information security)

The course runs from November 2016 to April 2017. It has three assignments and an end-of-course assessment (i.e. no formal exam).

This module is one that can count towards a range of Open University qualifications or it can simply be taken on its own. So if you’re interested to understand what an information security function does all day or you just want to understand the subject a bit better, I’d highly recommend it.

If you want to find out more click here.

Thursday 17 March 2016

Skills Gap in the Cyber Security Industry

I read an FT article a few months ago (here – worth signing up for occasional articles – it’s free) about the skills in the cyber security sector or, should I say, the lack of available skills. This is something I revisited this week for various reasons. Some interesting points made there included:
  • 103,000 people hold a CISSP certification, including 68,000 in the US, but there are 50,000 extra job openings for CISSP-certified professionals at present.
  • It is not just about technical skills. You also need people who can “speak the language of the boardroom and translate tech-talk into understanding for the C suite” (Mark Brown – E&Y). This is certainly something I agree with and have seen first-hand that few people can do well.
  • In the UK, salaries have increased 10 per cent year on year for security staff and 16 per cent for consultants.
  • Security professionals moved jobs twice as much as average workers in the year to April 2015.
These are very real issues in my experience, and it is getting worse. I think it is somewhat compounded by the C suite thinking that all IT professionals fall into the same or similar categories and that there is nothing special about the recruitment of security staff. The realisation that this is incorrect will be a bitter pill to swallow when there are significant impacts which highlight the gaps. The Information Security Forum's (ISF) recent 2018 Threat Horizon report asserted that
    “Disruption to critical systems is magnified due to the shortage of specialized skills needed to maintain algorithms and codebase… To fully close the gap between the board’s expectations and the security function’s ability to deliver, skills and capabilities have to increase”
and
    “Inability to recruit, develop and retain the right skills, losing the war on talent and leaving a critical skills gap” will lead to more significant and long-lasting security incidents for companies.


So both the research and the practical experience have demonstrated the validity of this problem, but, as security managers, what can we do about it? I don’t have all the answers here, but for me the solutions fall into several categories:
  1. Enticing new graduates into the security industry. I think the role we in the industry can play here is, where possible, to engage with the universities to fill student internships. I know in Ireland these exist even for the summer period (e.g. DCU Intra). This is a great introduction to the real world for these students.
  2. Enticing experienced IT professionals into security. Given that I count myself in this group, I think this is something we should also encourage. Many people have associated skills (e.g. compliance, application development) which can, with additional training, be an asset to the security function in an organisation.
  3. Development of existing security professionals’ skills. I am a big fan of the Richard Branson phrase “Train people well enough so they can leave. Treat people well enough so they don’t want to”. Given the flux in the industry, information security managers need to proactively drive their people to further training. I certainly believe it is significantly cheaper to regularly train a person to develop existing and new skills than to hire a new person (if you can find them) and have to pay them (and pay for training) while they get up to speed. Anything less demonstrates, in my view, a lack of management skills and foresight. So take time out to work on development plans for security professionals – see where they want to go, build solid plans with clear time-delineated outcomes, and give them the freedom to achieve these goals. This will include finding the balance between formal training (including certifications) and training on the job. The latter needs to include some level of mentoring to speed up development over time.
  4. Ensure people maintain an understanding of the security environment. There are many ways to do this, including online webinars (but you have to give them the time and freedom to attend and focus on these rather than do their email). It also means facilitating attendance at security conferences, and encouraging security people to speak at these conferences to share best practice. This builds other skills and increases confidence.
  5. Identify those with potential and encourage them to engage with C-suite personnel. As the ISF alluded to, we need to develop the ability in technical people to engage with senior management in their language. As managers, we need to push people and trust in their ability to do this.

Information security is an immature profession. It occurs to me that as its current custodians we have a responsibility to ourselves, our colleagues and the next generation to proactively develop that maturity.