Modern Infosec is Older Than You

While researching a project I’m working on, I found an interesting publication, National Bureau of Standards Special Publication 500-19, Audit and Evaluation of Computer Security. This publication contains most of the principles found in modern infosec management and control frameworks today. Indeed, looking into the details, one finds discussions of static and dynamic evaluation of computer programs and numerous other familiar topics.

Here’s the punchline. This document was published in 1977. Forty-five years ago.

The next time someone complains to you about having to deal with these “new” cybersecurity standards and practices, you can remind them that these standards and practices are older than most living people in the world today.

Selected screenshots from the Table of Contents.

Source: U.S. National Institute for Standards and Technology legacy archive

The entire document is available from NIST here.

The Criticality of Business Alignment for Information Security Programs

The need for an organization’s information security program to be business-aligned cannot be overstated. The lack of business alignment could be considered a program’s greatest failing if not corrected.

For the most part.

It is critical for an information security program to be aligned in terms of support of the organization’s overall goals, and to utilize existing mechanisms such as corporate governance and policy enforcement. However, if and where there is dysfunction in the organization in terms of culture (for instance, a casual attitude or checkbox approach towards security or privacy), the program may position itself deliberately out of phase with the organization to alter the culture and bring it to a better place. In another example, rather than be satisfied with what may be low organizational maturity, security program leaders may influence process maturity by example through the enactment of higher maturity processes and procedures.

As change agents, security leaders need to thoughtfully understand where alignment is beneficial and where influence is essential.

— excerpt from an upcoming book on information security management

CISOs are not risk owners

Many organizations have implicitly adopted the mistaken notion that the chief information security officer (CISO) is the de facto risk owner for all identified cyber risk matters.

In a properly run risk management program, risk owners are business unit leaders and department heads who own the business activity where a risk has been identified. For instance, if a risk is identified regarding the long-term storage of full credit card numbers in an e-commerce environment, the risk owner would be the executive who runs the e-commerce function. That executive would decide to mitigate, avoid, transfer, or accept that risk.

The role of the CISO is to operate the risk management program and facilitate discussions and risk treatment decisions, but not make those risk treatment decisions. A CISO can be considered a risk facilitator, but not a risk owner.

Even when embraced and practiced, this concept does not always stop an organization from sacking the CISO should a breach occur. A dismissal might even be appropriate, for example, if the risk management program that the CISO operated was not performing as expected.

— excerpt from CRISC Certified in Risk and Information Systems Control^TM All-In-One Exam Guide, 2nd edition.

FPRM is the new TPRM

The recent Accellion-related breaches (a recent one here) are shining a light not just on third party risk management (TPRM), but fourth party risk management (FPRM).

When we bring on a new service provider, in a healthy TPRM program, we assess the service provider’s security (and maybe privacy) programs to see whether their security posture is something we can live with. I see a new set of questions to be asking our third parties, including:

• What third-party service providers do your third-parties send your data to?
• What third-party service providers are used to facilitate data transfer and other aspects of your service?

TPRM managers – these recent incidents should be sending us back into our methodologies to ensure we don’t have blind spots.

That is all.

Will 2016 Be The Year Of The Board?

This year has exploded out of the gate, starting on Jan 4 (the first business day of the year) with a flurry of activity. Sure, some of this is just new budget money that is available. However, I’m seeing a lot of organizations in my part of the world (California, Oregon, Washington, Idaho, Montana, Alberta, British Columbia, and Alaska) asking for help on the topic of communicating to executive management and the board of directors.

It’s about time.

Really, though, this makes sense.  Boards of directors aren’t interested in fads in business management. They rely upon their tried-and-true methods of managing businesses through board meetings, audit and risk committees, and meetings with executives. Until recently, board members perceived information security as a tactical matter not requiring their attention. However, with so many organizations suffering from colossal breaches, board members are starting to ask questions, which is a step in the right direction.

Let me say this again. Board members’ asking questions is a big sign of progress. And it doesn’t matter, mostly, what those questions are. It’s a sign they are thinking about information security, perhaps for the first time. And they’re bold enough to ask questions, even if they fear they are asking stupid questions.

The National Association of Corporate Directors (NACD) has an excellent publication on the topic of boards of directors attention on information security, called the Cyber Risk Oversight Handbook. Last I checked, a soft copy is free. Whether you are a board member or an infosec staffer, I highly recommend this for your reading list in early 2016.