Social unrest. Inflation. Supply chain shortages. Earthquakes. Freak storms. Floods. Rampant crime. Wars and rumors of wars. Disease. Famine. Erosion of culture and social values.
It’s hard not to recognize that the world is going through some kind of distress. Its root cause is difficult to discern and may be invisible. But to many, it feels as though something big is about to happen, although what that something may be will depend on what you believe and who you ask.
Some of the possibilities being discussed include:
A drastic change in the global financial system with a significant impact on standards of living
A drastic change in global political systems with significant impact on personal freedom
A world war that includes the use of weapons of mass destruction
The sudden, inexplicable disappearance of a substantial portion of the world’s population
A pandemic with a high mortality rate
A dramatic appearance of UFOs and their occupants
An unexpected weather, geological, meteoric, or astronomical event that causes widespread damage over much of the world
Whatever it might be, it feels as though we should get our lives in order. What that means for each of us will vary, but at its core are our relationships with others.
Do not be afraid to dig deep into your memory, so that you may settle accounts with others. Do not delay.
I’ve been in technology for more years than I’ll publicly admit, and I’ve been full-time infosec for 23 years now. In the past ten years, it’s been hard to escape the rallying cry of the skills shortage: organizations take weeks, months, and longer to fill infosec positions.
I’m going to tell you now why, in many cases, this so-called skills shortage exists.
Yes, we are lazy. We don’t want to take the time to find a motivated tech worker with a solid foundation and the right personality, and train them up on cybersecurity. Instead, we want only the finished product.
We all want unicorns.
Further, we want someone who has experience in all ten of the main preventive / detection / response tools we use. I think we’d have better luck on Powerball.
If we are fortunate to find a candidate who checks all of the boxes, we probably can’t afford them. Unicorns are rare, and rare things are expensive.
There – I said it. Most of us fit into one or more of the above categories. Me included.
Historically and collectively, the COVID-19 pandemic was one of the most impactful events in a generation. Entire industries were uprooted, resulting in significant shifts in how and where people live and work. The work-from-home (WFH) phenomenon was wrenching for some, welcome by others, and transformational for all. Workers and companies adjusted and continued to operate as best as they could, and WFH became the new normal for entire industries and professions.
Return to the office (RTO) has been disruptive for companies and workers. Management in some organizations has insisted that personnel plan on working in offices part-time or full-time. We’ve seen the entire spectrum of compliance and non-compliance, and we’ve seen large organizations order a full- or part-time RTO and then backtrack when employees objected.
Workers are finding the transition from WFH to RTO nearly as disruptive in 2022 as WFH was in 2020. The routines established in WFH have become normal, routine, and comfortable. In many organizations, workers can choose whether to return to the office, continue to work from home, or adopt a hybrid arrangement.
WFH is probably here to stay. During the pandemic lockdown, many organizations began recruiting workers from wider geographic areas who live hundreds and even thousands of miles from workplaces. Organizations have discovered that they can compete for workers across larger areas. Workers have found that they can live almost anywhere and do their jobs effectively in full-time, permanent WFH arrangements.
It’s difficult to know whether a gradual shift back to in-office work will occur, or if work-from-home will be a permanent fixture in today’s workforce. Time will tell.
In past generations, families and businesses stocked up on essentials for that “rainy day” disruption, whatever it was. There was wisdom in that kind of thinking that was overrun in our generation.
Decades of peacetime, economic prosperity, the reliability of supply chains, and the lust for greater profits led to a “just in time” mentality and practice. Instead of stocking up on essentials, we rely on a steady influx of supplies – whatever they are – because we have gotten used to the reliability of the supply chain.
Just-in-time was driven by investors and accountants who found that organizations could eke out a bit more profit through not having unused inventory on the books. This is a trap we made for ourselves because we thought that nothing would ever go wrong.
Normalcy bias is what got us into this mess. And I do say “mess,” because it’s soon going to feel like one:
The global semiconductor shortage is bound to worsen, particularly when China attacks Taiwan, the source of most semiconductors in the world. This will result in short supplies and higher prices of everything with chips in it – worse than we are experiencing presently. We’re about to learn just how dependent we have become on information technology.
The shortage of truck drivers is precipitating the shortage of “everything else” – felt by consumers and businesses. Every one of us has experienced this personally.
There is an acute shortage of fertilizer in the world, due to rising natural gas prices. This means that there will be less food in this harvest year, resulting in food prices skyrocketing.
The resilient supply chains that took decades to build were taken down in years, and will take years to rebuild. But the shortage of everything will make even this a difficult task.
I believe we are about to experience shortages and price hikes like the world has not seen since World War II – but it’s likely to be worse than that, because supply chains are not just local, but global.
We are living in wartime – and this is going to change everything. Too few people, including those in charge, fully understand what this means.
The COVID-19 pandemic and working from home for many office workers have wrung the variety out of our lives. Many of us have found ourselves in a Groundhog Day scenario (referring to the movie) where our workdays are a nearly-identical blur:
The variety of our days is mostly gone:
Our commute (from the bedroom to the kitchen to the home-office-or-whatever) is the same: we don’t drive different routes, we don’t make any stops, we don’t experience the weather, we don’t see any scenery, and we don’t see any interesting people or things.
Our workday is more regimented: we have rigid schedules, we don’t run into people in the hall, we don’t have those impromptu, unplanned conversations, and we don’t see each other at lunch.
In short, our work lives have become quite dull – the same routine every day, with little prospect for change.
Here’s an observation from eight years of WFH, particularly since 2020 when we were sent home to work remotely for God-knows-how-long: we no longer look each other in the eye. This may seem like a small thing, but it feels important to me: eye contact is the most intimate body language in an office conversation, vital because it keeps us honest and connected. In videoconferencing, we can look into the eyes of someone we’re talking with, but when we do so, they see us looking up (or down, if the webcam is at the bottom of our screen). Or, if we concentrate on looking into the webcam and its tiny green dot, we are not looking into the eyes of the person we are speaking with, even if they think we are. You could argue that the use of a smartphone makes this a little easier, but still: we are looking at a video representation of the person, not at the actual person. The result: we are not connected with our co-workers as we should be. The quality of our connected relationships suffers, as if we’re all holding back a little bit.
I don’t have the answers – I’m not a sociologist but a technologist. My observations are as a layperson who instinctively feels like something important is missing in our work-from-home, long-distance work relationships.
I’m going skiing today with my kids. This time of year, I relish the every-other-Friday mental health break of connecting with people and getting outside.
While I’ve been a privacy nerd since the early 2000s, lately I’ve found a few of my long-time practices have been defeating my attempts to fly under the radar. I have little to hide, but I don’t care to reveal to big tech everything that I do online. For this reason, I stopped using the Google Chrome browser many years ago, nor do I use Google Search. But something else escaped my scrutiny until lately.
I’ve been using the Google Translate browser extension for years, as it’s handy for – you know – translating websites in other languages into my native language. I reconsidered the T’s & C’s for Google Translate, and find that I’m revealing far too much of my personal business to Google. Depending upon the settings you select, Google Translate will send your entire browsing history to Google, and all of the content of websites you visit. If you are privacy-conscious like me and have switched to other browsers and search engines but continue to use the Google Translate extension, your privacy efforts may have been wasted.
In the final months of 2021, a record number of workers were quitting their jobs. This will lead to a spike in the workforce turnover in many organizations. I want to focus briefly on a specific risk that is not getting a lot of airplay.
Organizations with lower process maturity rely on tribal knowledge to get things done. During the Great Resignation, a replacement worker often does not receive cross-training from their predecessor. Instead, replacement workers learn about their routine duties through studying policy, process, and procedure documentation.
In many (and perhaps most) organizations, there is often little documentation to rely upon. And, often, other co-workers are not familiar with the details of their departed colleagues’ duties. The result: organizations stop performing routine activities correctly, and many activities stop altogether.
This is a particular problem for cybersecurity-related activities. Security activities are detective and protective in nature: they protect core business operations, but they are not those core business operations. When cybersecurity activities such as scanning, patching, reviewing access, event monitoring, alerting, and response cease to function, core functions delivering the organization’s goods and/or services continue, for a while at least. As more organizations fall even further behind on these essential activities, the likelihood of successful attacks increases.
The cybersecurity workforce shortage has been a problem for years, and I fear it’s getting far worse with the Great Resignation. I fear that many routine and essential cybersecurity-related activities will simply stop in instances where security professionals resign and take other jobs – particularly in organizations with lower maturity.
This phenomenon will make it easier for cybercriminals to successfully attack and compromise organizations, particularly those less mature.
The fix for this is not easy: many organizations are already short-staffed, and taking remaining persons offline to document their processes results in other essential work not being performed. Organizations with lower maturity are often unaware of the need to document critical activities, particularly those related to cybersecurity. Squeezed by tightening profit margins, hiring outside experts is often not a viable option. Instead, the silent indicator of risk will continue to increase, and the inevitable will occur.
The world of certifications opened up to me in 1999, when one of my colleagues, a security manager, earned his CISSP. That is my earliest knowledge of IT professional certifications, to the best of my recollection. This was when I made my pivot from IT engineering to security engineering and, soon after, security management.
Immersed in IT security over several years, I already had the background and the experience, and passed my CISSP exam in November 2000 on the first attempt. Two years later, I studied for and earned my CISA. At the time, I thought that these two certs would be all that I would ever need. Funny how plans can go awry.
EC-Council released its CCISO (Certified Chief Information Security Officer) certification in 2011-2012 and offered me an opportunity to earn it through grandfathering. As is typical for security-related certifications, earning a certification through grandfathering involves a good deal of paperwork: documenting one’s experience in one or more domains, and having one’s current and former supervisors attest in writing that the experience is genuine.
My reasons for obtaining the CCISO certification were two-fold: first, I wanted to show that I had the chops to be a security leader – a CISO. Second, I wanted to someday have a job where that was my job title, and I believed that having the cert would demonstrate that I had the background for such a job.
Four years later, I reached that goal, as the CISO for a Los Angeles-based public company, on a contracting basis, for two and one-half years. Mission accomplished.
A couple of years later, during certification renewal season, I re-evaluated all of my certifications and decided, for each, whether to renew them or not. For only the second time, I decided not to renew a certification, and I let my CCISO certification lapse.
Here was my thought process: I had had CISO in my job title for over two years, a testament that I had not only the desire, but the experience, of being a CISO. The CCISO cert felt like a proxy that was no longer necessary, since I had the real thing. For me, getting CISO after my name involved either the certification or the job title, and having both did not seem to add value.
I want to be clear on one thing: EC-Council is a fine organization, and my experience with them has been nothing but positive. This article is not a hit-piece on the organization or the certification, and I can understand that other security professionals may have different reasons for choosing to earn and retain the CCISO.
I’ve been in information technology my entire career, even during the years of my college education. In many positions I’ve held, I have done the work of connecting people and organizations to what we now know as the Internet. Many useful sources of reliable information have sprung up, resulting in the accumulated knowledge of mankind available anytime, anywhere.
But like many technologies, the Internet is slowly being co-opted by those whose narrative includes the twisting, distortion, and complete omission of historical facts. This is the way of man back to the beginning of history: things are invented for mutual and overall benefit, but some pervert these inventions for malicious purposes. For a short time, it was possible to rely on information found online as factual, but this is no longer the case. Even stalwart and highly reliable sources are crumbling before our very eyes, making it increasingly difficult to tell actual truth from the “truth” asserted by those driven by a fanciful narrative and who turn a blind eye to reality.
It is appropriate to ask the same question posed by Pontius Pilate long ago when he uttered the words, “What is truth?”
Difficult as it can be, each of us is responsible and accountable for knowing the answer to this question.
Thankfulness is a choice, and it is about perspective.
If you are not thankful, then perhaps you are not seeing the complete picture of your life.
Are you bitter about a job with pressure, deadlines, and quotas, or are you thankful that you have a job? Are you bitter about family relationships, or are you thankful that you have a family? Are you bitter about your living situation, or are you thankful that you have a roof over your head? Are you bitter about your health, or are you thankful that you are alive another day?
Thankfulness, like gratitude, is a choice. Thankfulness should come through any circumstance, not just when things go your way.
Do you notice that one or more of your co-workers always seem to have a good attitude? I doubt it is because their life is perfect and everything for them is going great. Instead, I propose that they have simply decided to be thankful, regardless of their circumstances.
An old saying comes to mind as I write this: “I cried when I had no shoes, until I met a man who had no feet.”
I recently watched a video by Rob Braxman on the security of encrypted messaging apps like Signal and WhatsApp. In his video, Rob pointed out that many apps access our contact lists and build webs of associations. Even though the cryptography protecting message contents is generally effective, it may be possible for law enforcement and intelligence agencies to know the identity of a person’s connections.
Let’s dig deeper.
If a law enforcement agency considers you a person of interest, they may discover that you use encrypted messaging apps like Signal. While law enforcement will not be able to easily view the contents of your conversations, they will be able to see with whom you are conversing.
Also, the appearance of using an encrypted messaging app could suggest that you have something to hide.
Let’s look at this from a different perspective. Consider an active law enforcement investigation focusing on a particular person. If you are in the person’s contact list, and if that person is known to be communicating with you on an encrypted service, then you may become another person of interest in the investigation.
I watched Rob’s video twice, and then I recalled something I see in Signal often: when someone in my contact list installs Signal, I get a notification from Signal that the contact is using the app. I recently noticed that I frequently do not recognize the contact’s name, and I dismiss the notification. I’ve had this occur dozens of times this year.
Then it hit me: I have been collecting contacts for decades, and they’re stored in multiple services (primarily, Yahoo and Google). In previous jobs, I’ve had associations with numerous clients, partners, vendors, co-workers, and other associates, resulting in an accumulation of thousands of contacts, most of whom I barely know.
Last week, I found it difficult to rationalize keeping all of these contacts and purged them. In Google alone, I had well over one-thousand contacts. After spending time last weekend deleting extraneous contacts, I’m down to about three hundred, and I might go back through them and remove many more.
Encrypted apps and your association with contacts are not the only risks related to maintaining a long contact list. Another issue is this: if someone breaks into any of the services where I keep many contacts, I don’t want those people subjected to Joe Job and other attacks made possible through contact harvesting.
Until recently, I didn’t consider my accumulated contacts a liability, but I do now.
In my day job, one of my responsibilities includes leading numerous programs, including data governance, which includes data classification and data retention. And, having been a QSA for many years, the concepts of data-as-asset and data-as-liability are clear to me. For instance, retaining credit card data after a transaction has been completed may provide value to an organization. Still, it also presents a liability: if that stored card data is compromised, the consequences may significantly outweigh its benefit. Somehow, I didn’t apply this concept to personal contact data. Thanks again to Rob Braxman for nudging me to realize that contact data can be just as toxic as other forms of sensitive information.
Postscript: think about this in another way: would you want others you worked with in the past to remove you from their contact lists?
At the dawn of my career, I worked in two different old-school computer mainframe operations organizations. We spent a considerable amount of time (I’m estimating 20%) doing backups. Sure, computers were a lot slower then, and we had a lot less data.
We did backups for a reason: things happen. All kinds of things, like hardware failures, software bugs, accidents, mistakes, small and large disasters, and more. I can recall numerous times when we had to recover individual files, complete databases, and ground-up (“bare metal”) recoveries to get things going again.
We didn’t wait for these scenarios to occur to see whether we could do any of these types of restores. We practiced, regularly. In one mainframe shop early in my career, we completely restored our OS every Sunday night. Okay, this was in part a storage defragmentation measure and performed mainly for this purpose. However, we were still doing a bare metal restoration, precisely like what we would do if our data center burned down and we had to recover our data and applications on a different system.
Was this exciting work? Certainly not.
Interesting? Not in the least.
So what am I getting at here? Am I merely reminiscing about the good old days? Hardly.
I’m talking about ransomware. At times, it’s difficult for me to sympathize with the organizations that are victims of ransomware. It’s hard for me to rationalize why an organization would even remotely consider paying a ransom, particularly when the FBI reported that only about half of organizations that paid the ransom were able to decrypt their data. (Sorry, I cannot find the link to that advisory; I’ll keep looking and update this article when I find it.)
A survey by Kaspersky indicated some facts that shocked me:
37 percent of respondents were unable to accurately define ransomware, let alone understand the damage it can deliver.
Of those survey respondents who suffered a ransomware attack, 40 percent said they would not know the immediate steps to take in response.
I’m amazed by these results. Do IT organizations no longer understand IT operations fundamentals that have been around for decades? I hate to sound harsh, but if this is the case, organizations deserve the consequences they experience when ransomware (or human error, or software bugs, etc.) strikes.
That said, I am acutely aware that it can be difficult to find good IT help these days. However, if an organization is crippled by ransomware, they’ve already gone “all-in” with information technology, but neglected to implement common safeguards like data backup.
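The restore practice described above, as an added example that is not the post’s own code: a small restore drill that backs up a directory tree, restores it to a scratch location, and proves byte-for-byte against a backup-time manifest that the restore matches. The sample files are constructed inline so it runs offline; the function and file names are assumptions for illustration.

```python
"""Restore drill: back up, restore elsewhere, verify against a manifest.

Added example (not the post's own code). The point is the post's own:
do not wait for a disaster to learn whether a restore works.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def backup(root: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of root; return the manifest taken at backup time."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    return manifest


def restore(archive: Path, target: Path) -> None:
    """Extract into target, refusing any entry that would escape it."""
    target.mkdir(parents=True, exist_ok=True)
    base = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not (base / member.name).resolve().is_relative_to(base):
                raise ValueError(f"unsafe path in archive: {member.name}")
        # Python 3.12+ (and backports) offer the 'data' filter; use it when present.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare the restored tree with the manifest; report every discrepancy."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(r for r in manifest if r in actual and actual[r] != manifest[r]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def run_drill(corrupt_one: bool = False) -> dict[str, list[str]]:
    """End-to-end drill on a constructed sample tree.

    With corrupt_one=True the restored copy is tampered with afterwards,
    to show that the verification really catches damage.
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src = tmp / "data"
        (src / "db").mkdir(parents=True)
        # Constructed sample content standing in for real databases and configs.
        (src / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'sample');\n")
        (src / "config.yaml").write_text("backup_schedule: nightly\n")
        (src / "blob.bin").write_bytes(os.urandom(4096))

        archive = tmp / "backup.tar.gz"
        manifest = backup(src, archive)

        restored = tmp / "restore"
        restore(archive, restored)
        if corrupt_one:
            # Simulate a damaged restore (truncated, overwritten or encrypted file).
            (restored / "db" / "customers.sql").write_text("garbage")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean drill:", run_drill())
    print("damaged drill:", run_drill(corrupt_one=True))
```

A drill that reports anything other than three empty lists is the finding; schedule it as routinely as the backup itself.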
For decades, those in cybersecurity were fed the doctrine of CIA: Confidentiality, Integrity, and Availability – the pillars or foundational principles of information security. Advances and changes in information technology have rendered the CIA triad obsolete.
For many years, information technology has been used in numerous applications where life safety is a major concern. Examples include:
Patient health monitoring
Patient medication delivery (e.g., IV pumps)
You can probably add more examples to the above list.
The former CIA Triad should give way to the CIAS pyramid: confidentiality, integrity, availability, and life safety. I first argued for this in my book, CISSP For Dummies, 5th edition (2016), on page 37, as well as in CISM Certified Information Security Manager All-In-One Exam Guide (2018) on page 382, where I argued for confidentiality, integrity, availability, and life safety.
As a simple model and a reminder of foundational principles, the CIA triad has served us well. However, as a foundational principle, the CIA triad now falls short, as arguably the most critical aspect, when applicable, is safety and life safety.
Many organizations have implicitly adopted the mistaken notion that the chief information security officer (CISO) is the de facto risk owner for all identified cyber risk matters.
In a properly run risk management program, risk owners are business unit leaders and department heads who own the business activity where a risk has been identified. For instance, if a risk is identified regarding the long-term storage of full credit card numbers in an e-commerce environment, the risk owner would be the executive who runs the e-commerce function. That executive would decide to mitigate, avoid, transfer, or accept that risk.
The role of the CISO is to operate the risk management program and facilitate discussions and risk treatment decisions, but not make those risk treatment decisions. A CISO can be considered a risk facilitator, but not a risk owner.
Even when embraced and practiced, this concept does not always stop an organization from sacking the CISO should a breach occur. A dismissal might even be appropriate, for example, if the risk management program that the CISO operated was not performing as expected.
Today, in my newsfeed, two stories about breaches caught my attention.
In this first story, a class-action lawsuit is filed against Waste Management for failing to protect PII in the trash.
In the second story, a South Africa port operator declares force majeure as a result of a security breach, in essence declaring that nothing could have been done to prevent the breach.
In both of these situations, the victim organizations attempt to shift the blame for the failure to protect sensitive information on others. Those of us in the profession have seen victim companies do this in the past, and it generally does not work out well.
Back to the Waste Management story. Here, I argue that when an organization places something in dumpsters, they should take steps to ensure that no recoverable information is discarded. Unless the business arrangement between companies and Waste Management is more akin to secure document shredding by companies like Shred-It, I assert that the garbage company has no obligation to protect anything of value placed in the trash.
On to the South Africa port operator. Declaring force majeure as a result of a security breach is an interesting tactic. In my opinion (note that I am not a lawyer and have had no formal law education), this strategy will backfire. There are numerous examples of organizations that successfully defend themselves against attacks like this. Granted, these attacks are a global plague, and defense – while challenging – is absolutely possible.
An experience late last week was an epiphany for me.
While managing the financial affairs of a relative, I needed to get a one-page document notarized. I live in a small town, where there are only two or three local bank branches.
One of the branches is K** Bank. On their website, K** Bank makes available the capability of making an appointment at a nearby branch. I filled in the appointment form, including the specific nature of the visit. Another relative who was visiting a few weeks ago got a document notarized there, so I knew that this branch of K** Bank had a notary.
I showed up, was greeted by branch staff, and invited to have a seat while someone came to assist me. Soon, another branch employee came over and said she was ready. I presented my document and my photo ID. The employee asked for my K** Bank account number, and I replied that I was not a customer. She replied that Key Bank only notarizes documents for customers. When I asked whether K** Bank would notarize my one-page document for a fee, the answer was, no, sorry. The branch was not busy: there were six employees in the branch, and I saw one or two customers come and go in the ten minutes that I was there.
I left and drove two blocks to the town’s professional building, where a lawyer, an accountant, a marriage counselor, and a financial advisor have small offices. I poked my head into the CPA’s office and asked, do you know of a notary here in town? The CPA got up, greeted me, and took me across the hall to the financial advisor’s office, where she introduced me to an independent financial advisor. He gladly took a couple of minutes to notarize my document. He refused to accept a fee. Since he was conversational and polite, I asked him about his business, asked for some business cards, and may have some business to refer to him.
Branch banking is going the way of the bookstore. Key Bank had an excellent opportunity to take a few minutes to meet a new potential customer by showing a bit of goodwill. Instead, they turned me away, and frankly, I will probably never set foot in that branch again.
During my six years as a strategic cybersecurity consultant, I learned that most organizations do not take cybersecurity seriously. Breaches are things that happen to other companies, those with larger and more valuable troves of data.
Organizations, up to and including boards of directors, are locked in normalcy bias. No breach has occurred (that they are aware of), and therefore no breach will occur in the future. It is normalcy bias that is also responsible for the fact that most citizens fail to prepare for emergencies such as extended power outages, fires, floods, hurricanes, tornadoes, identity theft, serious illness, and so many other calamities. I’d be lying if I said that I’m immune to this: while we’re well prepared for some types of events, our preparedness could be far better in certain areas.
A fellow security leader once told me, “Cybersecurity is not important until it is.” Like in our personal lives, we don’t implement the safeguards until after being bitten. Whether it’s security cameras, better locks, bars on windows, bear spray, or better cyber defenses, it’s our nature to believe we’re not a target and that such safeguards are unnecessary. Until they are.
Last summer, I started a new job as Senior Director of Cyber GRC for GCI Communications, an Alaska-based telecommunications company. Being a resident of central Washington State, this was to be a mostly WFH job with occasional (monthly-ish) travel to Anchorage and elsewhere to meet with GCI personnel and others.
The COVID-19 pandemic lockdown was in full swing when I was hired, and non-essential business travel was prohibited. So our days were consumed with video meetings on Teams and Zoom. I met and managed my team of 13 managers, analysts, and specialists, worked with my director, senior director, and VP peers, and was accustomed to full days of video conversations and a bit of time to do real work. And over the past year, I hired five additional team members (including two managers) via video calls. WFH and remote work were the only way.
This week, I met my security department leadership peers in person for the first time, the director of security architecture and planning, and the senior director of security operations. None of us had met in person before, ever. Later, our CISO joined us (our CISO had not met the secops leader in person either).
We spent two long days understanding each other’s departments better, and we spent a lot of time doing some strategic planning. We had bits of time telling stories, and there was plenty of laughter as well.
Meeting and working face-to-face is definitely better than WFH and Zoom meetings. I always knew it, but after 15 months of hunkering down, finally meeting some of my colleagues face to face was confirmation for me. While the three of us live in three different states, we’ll spend most of our working time on video calls, but occasional in-person work is valuable and strengthens and improves work relationships.
I’m certain that thousands of you are having the same experience – as business travel and office work slowly return, you’re meeting many of your colleagues in person for the first time. Relish it.
Those of us with security certifications like CISSP, CISA, CISM, and others are acutely aware of the need to get those CPE hours completed each year. Typically, we’re required to accumulate 40 hours per year and to keep accurate records of learning events, along with evidence that we did indeed attend those events.
I was audited once, over a decade ago, and came up a bit short on my evidence. Since then, I’ve been meticulous in my recordkeeping and maintaining proof of attendance. But this piece is not about recordkeeping.
Are you finding your CPE events to check the box? Or are you pursuing new knowledge and skills?
I’ll tell you a secret: the certification organizations don’t know whether you are doing the minimum to check the box or pursue knowledge with enthusiasm. They don’t ask, and they don’t care.
You should care, however, and the difference will show. If you are just checking the CPE box, you will not be learning much, and you’ll be a weaker contestant in the employment market. By not making a real effort to grow professionally, you’ll slowly fall behind. While you may be able to fake it for a while, your learning negligence will catch up to you, and it will take considerable time and effort to dig yourself out of the hole you slid into. Not only will you have to spend considerable time catching up on security topics, but you’ll also have to undo the habit of doing the minimum to slide by.