Skip navigation

Tag Archives: National security

USDA Driving Towards Both Food Insecurity And Cyber-Insecurity?

It’s rare that two of my passions—food and information security—intersect, but thanks to the USDA’s announcement of their Blueprint For Stronger Service, I can touch on both in one post.

In 2011, the Obama administration challenged all departments to reduce costs in a effort dubbed the “Campaign to Cut Waste“. In response, the USDA has managed to trim annual expenses by $150 million through a number of efforts. One such effort is to close 259 domestic USDA offices (you can see which states are impacted below).

I’m going to expand on why this is a bad idea over at #nom later this week, but 2011 was not a good year in terms of controlling food poisoning in the United States and I don’t think closing offices will make for better oversight.

Other efforts focus on the elimination of redundancies and inefficiencies. The Blueprint has 27 initial (or to-be-implemented immediately) improvements that include the following:

  • Consolidate more than 700 cell phone plans into about 10
  • Standardize civil rights training and purchases of cyber security products
  • Centralize civil rights, human resource, procurement, and property management functions

So, they were either getting gouged by suppliers (unlikely since there is negotiated pricing for the government) or the USDA’s “cyber-security” strategy was severely fragmented (and, thus, broken) enough that even finance folks could see the problem. Regardless of the source, it had to be pretty bad to make it to the top three of 27 immediate items (and called out in every sub-department press release) and even more so amongst over 160 initiatives that are being or have been put in place.

I still cannot find the details of the plan or budget analysis that went into the focus on cyber security products (links appreciated if you have them), but as private organizations continue their efforts to defend against existing and emerging threats, it might be worth a look at your strategy and spend a bit more closely. Would your infosec department be included in a similar list if your organization went through such a sweeping cost-cutting analysis program? Is your portfolio of security products as optimized as it can be? Could you use a budget sweep as an opportunity to leap frog your security capabilities (e.g. move to whitelisting vs signature-based anti-malware) vs just pressure your existing vendors and re-negotiate contracts?

Unfortunately, the government being the government, I’m now even more concerned that the USDA may need to worry about increased infections on both the food-level and the “cyber” level.

Crossroad of ERM and the Parallels to IRM

Had to modify the latimes URL in the post due to a notice from Wordfence/Google

I was reviewing the – er – highlights? – from the ninth ERM Symposium in Chicago over at Riskviews this morning and was intrigued by some of the parallels to the current situation in enterprise security risk management (the ERM symposium seemed to be laser-focused on financial risk, which is kinda sad since ERM should make security/IT compliance risk a first class citizen). Not all topics had a 1:1 parallel, but there were some interesting ones:

  • Compliance culture of risk management in banks contributed to the crisis :: While not necessarily at crisis levels yet, the compliance culture that is infecting information security is headed toward this same fate. Relying on semi-competent auditors to wade through volumes of compensating controls and point-in-time reviews to deliver ✓’s in the right boxes is not a recipe for a solid security program that will help mitigate and respond effectively to emerging threats.
  • Banks were supposed to have been sophisticated enough to control their risks :: I’ll focus on medium-to-large enterprises for this comparison, but I’m fairly confident that this is a prevalent attitude regarding information security in corporations across the globe (“We manage information risk well“). Budgets seem to be focused on three fundamental areas that non-security-folk can conceptually grasp: firewalls (stop), traditional anti-virus (block) and endpoint disk encryption (scramble). By now, with a decade of OWASP failures [PDF, pg 28], a multi-year debate about anti-virus efficacy and ample proof that vendors suck at building secure software as evidence, you’d think we’d be focusing on identifying the areas of greatest risk and designing & following roadmaps to mitigate them.

    This may be more of a failure on our part to effectively communicate the issues in a way that decision makers can understand. While not as bad as the outright lying committed by those who helped bake the financial meltdown cake, it is important to call out since I believe senior management and company boards would Do The Right Thing™ if we effectively communicated what that Right Thing is.

  • Regulators need to keep up with innovation and excessive leverage from innovation. :: The spirit of this is warning that financial regulators need to keep a sharp eye out for the tricky ways institutions come up with to get around regulations (that’s my concise summary of “innovation”). Think “residential mortgage-backed securities”. The “excessive leverage” bit is consumers borrowing way too much money for over-priced houses.

    I’m not going to try to make a raw parallel, but just focus on the first part: Regulators need to keep up with innovation. The bad guys are getting more sophisticated and clever all the time and keep up with hot trends faster than we can defend against them…due in part to our wasted time testing controls and responding to low-grade audit findings. When even the SOX compliant security giants can fall hard, you know there’s a fundamental problem in how we are managing information security risk. Regulators & legislators need to stop ( http:// articles. latimes. com /2011/feb/11/business/la-fi-0211-privacy-20110211 ) jerking knees and partner with the best and the brightest in our field to develop new approaches for prescribing and validating security programs.

  • ERM is not an EASY button from Staples :: I’m *so* using that quote in an infosec context this week
  • Many banks and insurers should be failing the use test for ERM regulation to be effective. :: More firms need to fail SOX and PCI and [insert devastating regulation acronym here] checks or SOX & PCI requirements need to change so that we see more failing. Pick one SOX and PCI compliant company at random and I’ll bet they have at least one exploitable Internet-based exposure or that custom-crafted malware can get through. If we start making real, effective, and sane regulations, we’ll start contributing to the betterment information security in organizations.
  • Stress testing is becoming a major tool for regulators. :: What if regulators did actual stress testing of our security controls versus relying on point-in-time checks? I know that the stress tests for banks end up being a paper exercise, but even those exercises have managed to find problems. Come in, pick three modern exploit vectors and walk-through how company defenses would hold up.
  • Regulators need to be able to pay competitive market salaries :: we need smarter rule-makers and examiners. There are good people doing good work in this space, just not enough of them.
  • Difficult for risk managers to operate under multiple constraints of multiple regulators, accounting systems. :: Just domestically, 42 states with separate privacy regulations, SOX for public companies, PCI compliance for those who process credit cards and independent infosec auditing standards across any third-party one needs to do business with make it almost impossible to stop spinning around low-level findings and focus on protecting critical information assets. We need to get to a small number of solid standards that we can effectively understand and design solutions to meet.
  • Nice tree/forest story: Small trees take resources from the forest. Large trees shade smaller trees making it harder for them to get sunlight. Old trees die and fall crashing through the forest taking out smaller trees. :: This made me think of the rampant consolidation of the security tech industry. Savvy, nimble & competent boutique vendors are being swallowed by giants. The smart people leave when they can and the solutions are diluted and become part of a leftover stew of offerings that don’t quite fit together well and are not nearly as effective as they once were.
  • Things that people say will never go wrong will go wrong. :: “We’ll never have a SQL injection. Our mobile devices will never get malware on them. Those users will never figure out out to do [that thing], why should we spend time and resources building it correctly?”
  • Compliance should be the easy part of ERM, not the whole thing :: So. True.
  • Asking dumb questions should be seen as good for firm. 10th dumb question might reveal something that no one else saw. :: This needs to be a requirement at everyone’s next architecture meeting or project initiation meeting. At the very least, do something similar before you let someone open up a firewall port.
  • There is a lack of imagination of adverse events. US has cultural optimism. Culture is risk seeking. :: Can be easily seen in our headstrong rush into consumerizing IT. I find that architects, engineers and application developers tend to see 1-2 “security moves” out. We need to do a better job training them to play Go or Chess in the enterprise.
  • People understand and prefer principles based regulation. But when trust is gone everything moves towards rules. :: If firms had been Doing The Right Thing™ in information security when they had the chance, we wouldn’t be in the state we are in now. I can’t see us getting [back] to principled-based regulation any time soon.
  • Supervisors need to learn to say no :: How many firewall port opens, disk-encryption exclusions, anti-virus disables and other policy exceptions have you processed just this past week? How many defenses have you had to give up during an architecture battle? Non-infosec leaders absolutely need to start learning how to say “no” when their best-and-brightest want to do the wrong thing.
  • Caveat Emptor :: Don’t believe your infosec vendors
  • A risk metric that makes you more effective makes you special. :: We have risk metrics? Seriously, tho, if we can measure and report risk effectively, our infosec programs will get better.

I may have missed some or got some wrong. I’d be interested in any similarities or differences other saw in the list or if you think that I’m overly cynical about the state of affairs in infosec risk.

Behind The Mask : Supporting The New CIO Personas

This morning, @joshcorman linked to an article in the Harvard Business ReviewThe Conversation” blog that put forth the author’s view of The Four Personas of the Next-Genereation CIO. The term persona is very Jungian and literally refers to “masks worn by a mime”. According to Jung, the persona “enables an individual to interrelate with the surrounding environment by reflecting the role in life that the individual is playing. In this way one can arrive at a compromise between one’s innate psychological constitution and society.1

So, the jist of the article is that there are four critial roles that the new CIO must play to succesfully interrelate with and orchestrate the IT environment within their business. I believe this provides a context to dovetail information security & compliance components within personas (since none of them are overtly infosec or compliance), essentially facilitating a compromise between the innate desire to “do the right thing” – i.e. compliance/security – (which I do believe most CIOs possess) and the initiatives that stem from these personas which appear to be – on the surface – in direct conflict. As Josh pointed out, this gives us – the professionals that support our CIOs – an opportunity to help rather than obstruct. Let’s take a look at each of the four personas and what parts of information security & compliance are critical to the real success of each role.

Chief “Infrastructure” Officer

Key points:

  • cost reduction
  • accounts for 70% of IT budget
  • “lights on” focus
  • needs to maintain legacy environments while trying to integrate disruptive technologies
  • internal-facing

This area is where most IT information security & compliance dollars are spent and typically involve personnel & legacy security technology costs (e.g. firewalls and traditional anti-virus) and contribute to the overall budget impact of verifying the efficacy of established controls (i.e. audits).

The best way to help this CIO persona is to ensure that your organization is only spending what it needs to in order to safeguard the information at risk and can be facilitated through regular and repeated risk assessments which prioritize the systems, networks and applications that require the most protection and enable the design & implementation of automated controls in these environments.

Government and industry regulations, third party business partner mandates and internal audit requirements are all factors in the risk assessment process, so there should be no surprises when the auditors come around. Furthermore, this risk assessment process will ultimately ensure that the controls are operating as efficiently as your organization can support with as little resource consumption as possible. It will also help shed light on controls that are missing or ineffective (both the first time through and as you perform regular validations). If you don’t believe compliance has a budget impact, take a look at the True Cost of Compliance report by Ponemon Instutite & Tripwire, Inc.

Solid and well-integrated risk assessment methodologies will speed up infrastructure and application deployment times as there will be no last-minute security surprises that either hold up a rollout or cause compliance problems at a later date due to them not being properly considered. By driving manual control costs to automation, focusing on the right risks and keeping the compliance folks satisfied, you will provide your CIO the tools she needs to keep the lights on and the budget requried to correctly integrate new technologies.

Chief “Integration” Officer

Key points:

  • connect internal & external ecosystems
  • accounts for 10% of IT budget
  • connects disperate processes, data, systems, etc
  • M&A-centric
  • external- & internal-facing

Of all the areas, I believe this one presents the best opportunity for our profession to shine and deliver the most value to IT & the business. They key is to weed out all “Doctor No’s” in your organization. The “Doctor No” basically says “No” to every ” can we do ‘x'” questions, which is at the heart of all the activities this CIO persona needs to perform. For example:

Senior Business Analyst: “Can we connect these systems to this cloud service?”
Security Analyst: “NO! Of course not, you fool!”

Moving from “No” to enabling the business to operate in a secure fashion is an extension of the risk management practices that make the Infrastructure persona successful and needs to be combined with a strong Security Architecture program. For every connection, identify the non-negotiable compliance requirements as factors in a thoughtful risk assessment process. Communicate the “must-haves” and the risk finding to the business & IT stakeholders and enable them to make an informed decision with innovative and/or time-tested architecture options.

Business owners are used to taking risks all the time (or just going out of business if they fail to take on risks regularly) and security/compliance risks are no different except that most senior executives are far more familiar with traditional risk management activities and need your help integrating security & compliance risk understanding into their existing knowledge-base.

Natural by-products of your support in this area will be:

  • an understanding of the benefits of a data classification system (so your CIO will know what she really does need to protect),
  • an appreciation for the development of lightweight, repeatable process during the early stages of analysis & integration design, and
  • a comprehension of the inherent, legitimate risks in the environment

which will all support more efficient acquisition and integration endeavours (and, I can’t think of one CIO that would be against increased efficieny in those areas).

Chief “Intelligence” Officer

Key points:

  • actionable insight
  • accounts for 10% of IT budget
  • improves business-user access to information
  • right data to right person at right time on right interface
  • internal-facing

This area has a similar reliance on a robust data classification program and can be more easily facilitated via a robust identity and access management program. To make your CIO successful, you will need to help her work with the business to identify the information assets to be incorporated into each business intelligence (BI) initiative and ensure they are classified by their owners/stakeholders. There’s a good chance you’ll need to re-think your access control infrastructure architecture as well since you will be facing users armed with iPads, Macs and modern web client technologies that you’ve managed to avoid up until now.

To ensure these BI activities will not just add to audit findings it will be important to incorporate regular access rights reviews into the mix since authentication and authorization will be the most robust control points. Perhaps this will also be a way to start the discussion on moving from archaic username and password credentials to multi-factor authentication, adaptive authentication or even a full-on migration to PKI. You will not have a better time than now for showing how these solutions enable better access control and give even more options even in the general application space.

Finally, with all of this information flying through your network this may be the most opportune time to research what DLP solutions are available and how they might be deployed (one size and even one solution does not fit all) to ensure the business is retaining as much control over the data as it wants (risk management always seems to sneak its way in).

Remember, the goal is to facilitate the business operations with as little disruption as possible. Getting in up-front with your ideas and solutions will make your CIO much more effective in orchestrating successful BI programs and projects.

Chief “Innovation” Officer

Key points:

  • pilots disruptive technologies
  • accounts for 10% of IT budget
  • move fast; fail fast; move on
  • externa-facing

I like shiny objects as much as the next tech-SQUIRREL!-and many CIOs do as well. Who wouldn’t want to arm their workforce with iPads connected to VDI sessions in the cloud (shameless SEO-inspired sentence)? Seriously, though, the modern CIO must regularly push IT & business users and management out of their comfort zones to avoid having their whole shop turn into a data center maze of twisty legacy deployments. Even if the mainframe is still king in many large shops, getting that data into the hands of consumers wielding iOS and Android devices will be crucial to the ongoing success of each enterprise (and, that’s just today).

Moving beyond traditional development models and languages and embracing faster, lighter and domain-specific tools is also part of the equation. Rapid code updates across far more platforms than you are use to will eventually be the norm. And, deployment models that involve traditional systems, internally dynamically provisioned application spaces and external content and hosting providers will almost be a necessity for business to succeed.

You must be prepared to have your organization adapt with these changing models. Make sure your staff is part of initiatives like the Cloud Security Alliance, OWASP and Rugged. Keep up with disruptive innovators and embrace the challenge of working with these groups instead of fighting against them.

You will need to help your CIO bake security and compliance checkpoints all throughout the exploratory and development phases of these risky endeavours. Identifying compliance pitfalls will be paramount as the regulatory bodies and auditors are even less apt to embrace change than your security teams are, never mind the monumental and drawn-out tasks of making any changes to established regulatory requirements. Working to help these efforts succeed is great, but you also need to take care to avoid being the reason they fail (especially if that’s not due solely to a compliance problem).

I believe this new model of modern CIO will be very willing to work with a information security/risk/compliance group that exhibits even some of the qualities listed above. It won’t be easy (hey, it isn’t now) but it will give you the most opportunity to be successful in your program(s) and be one of the most critical components in enabling your CIO to respond to ever changing business needs and ventures.