Changing the Conversation Articulating the Value of Programmatic, Holistic Security
by Kim L. Jones CISM, CISSP, M.Sc.
“An organization does well only those things
that the boss checks or causes to be checked.”
-GEN Bruce C. Clarke
“The boss ‘checks or causes to be checked’
only those things which he deems to have value.”
-Kim L. Jones
The discussion started out innocuously enough…and frankly seemed like the start to a bad joke.
“Fifteen security professionals walk into a bar…”
I founded the informal CISO group in Phoenix many years ago, to allow local CISOs to network,
share ideas, and commiserate about issues and challenges under Las Vegas/Chatham House rules.
No vendors allowed (unless they’re buying the beer), and others allowed by invitation only.
At one of these gatherings, one of our colleagues brought his friend: the CIO of a manufacturing
company here in the town. He had a problem and was looking for advice and counsel from people
who spoke and understood security. The basic issue was that the company was getting ready to
sell their product into the federal space and needed to certify its operations against NIST 800-53 –
a fairly exhaustive and comprehensive standard. While the sales strategy had been approved, the
CIO was struggling with how to sell this initiative into a very freewheeling, innovative culture.
As CISOs, we jumped at the problem and provided what we thought were good and reasonable
answers. We talked of strategic alignment with the business objectives…return on
investment…protection of intellectual property…shoring up overall confidentiality-integrity-
availability within the organization…risk management…competitive advantage. To every solution
we offered, the CIO responded with the same phrase:
“I hear what you’re saying, but we value the ability to freely innovate in our company.”
In the end, we were forced to fall back on requirements for market entry – in other words,
compliance – as the only solution we could offer. This left the CIO unsatisfied…as it did me. Think
about it for a second: fifteen senior security leaders with a combined two centuries of experience,
and we weren’t able to come up with a credible and compelling answer to offer a senior
technologist who was asking for help.
I chewed on this problem for a long time, as to me it typified some of the conversations that we
regularly have with business executives in our various roles. After several weeks, I realized the
subtext of concerns that I and my colleagues were failing to answer. If I were to summarize the
between-the-lines conversation that was occurring, here’s what the CIO was really saying:
- Security is counter-intuitive to the existing values of our culture.
- Implementing security requires us to change our culture significantly.
- The value/ROI gained by this implementation might not outweigh the values lost or impeded
  by implementing security.
- I’m not certain, though, because you have yet to articulate the value of security in a language
  that I both understand and find compelling.
That last bullet is of particular importance. Despite the CIO’s high value on the culture’s ability to
freely innovate, this freedom did not include, for example, allowing new engineers to unilaterally
make a $1 million commitment on behalf of the company without appropriate process, checks, and
balances. Clearly there are competing values at play within the company that are viewed as having
merit to the leadership team. As security professionals, we failed to express the value of
programmatic, holistic security in a language and manner that was truly meaningful to the audience
(the visiting CIO) …
…and I would contend that this is often the case.
I am proposing that we change the conversation with our leadership to one of value and begin to
discuss injecting the security values which we champion into the DNA of our organization’s
operating models and culture. If we can have this conversation freely and openly, then discussions
around tactical implementation measures become less contentious. More importantly, we can now
move the discussion to issues of security versus compliance and the value of focusing on this larger
issue.
What follows is an attempt to define the values of a good security program in clear, easy-to-
understand language. I have also provided operational tenets and statements around those values
in order to promote and ease the conversation. It is my hope that this material can be used to change
the dialogue around security into a more constructive and thoughtful discourse.
The Concept of “Value”
The definition of “to value” is something upon which most individuals can agree. When you
discuss “the value,” though, things get a little fuzzy. Everyone talks of values and their import; ask
people to define what a value is and people tend to provide a circular definition which provides
little clarity to the discourse. For the purposes of this dialogue, I did some research into the topic.
I do not claim to have the be-all-and-end-all answers to this question, but hopefully my definitions
and terms can be seen as reasonably accurate.
At its most basic, a “value” is a concept that is fundamentally important to someone – with someone
being defined as an individual, group or organization. If I were to go to something a little more
structured, I would look to the definition offered by Dyer and Dyer: “a value is the embodiment
of what an individual or organization stands for.” [1]
Organizational values may either be stated or implied – and are usually some combination of both.
An organization or group may have stated values of Quality, Innovation, Integrity, and Customer
Service; however, there may be other unstated values such as Candor, Legality, Safety, and Speed-
to-Market.
Figure 1
The interrelation between values within an organization is always interesting. No set of values
wholly aligns with one another when operationalized; there is a healthy and (hopefully) supportive
tension between the values of any organization – though when stated and unstated values enter
into unhealthy conflict, it is usually the unstated (implied) value that wins.
[1] Dhar, Santosh and Dhar, Upindor (editors). Value Based Management for Organizational Excellence. New Delhi: Indian Society for Training
and Development, 2009.
Figure 2
For example, if the stated value is Quality, whereas the unstated/implied value is Speed-to-Market,
organizations will more likely sacrifice quality assurance and testing in order to get their product
out the door faster.
Values are an important part of any culture, where culture is defined as “the philosophies,
ideologies, values, assumptions, beliefs, expectations, attitudes and norms that knit an organization
together.” [2] It is important for security professionals to remember that deploying or changing a
security implementation, by definition, changes the culture (even if only to a small extent). This is
why something as simple and straightforward as implementing a shredding policy or badging
policy can meet heightened levels of resistance within an organization.
Having a value is one thing, but what does this value mean in our day-to-day lives? Most
individuals and organizations create a set of operational tenets based upon their values; these
tenets take the somewhat esoteric concepts embodied within a value and turn them into
guidelines for action and behavior. If the value is Safety, for example, the operational tenet might
be “do it safely or don’t do it at all.” If the value is Quality, then one of the operational tenets
might be “there is always time to do it right.” Operational tenets are the directional statements of
belief which are designed to directly influence behavior, attitudes, and outcomes within an
organization.
It is important to remember that every decision an organization makes is influenced by its
collective values. No organization or individual willingly acts against the totality of its values
system (what I call its values construct).
[2] http://academlib.com/3030/management/organiational_culture
Security and the Values Construct
Most organizations have security as at least an implied value if not a stated one; after all, most
organizations do lock their doors and keep their intellectual property out of the public domain.
Programmatic, holistic security, however, is something with which most organizations struggle.
This might manifest itself as either the lack of willingness to create a function focused on security,
or a desire not to make improvements to an existing security posture. Whereas a business might
be comfortable locking their doors, they might balk at the concept of having a minimum standard
set for that lock and inventorying the keys to that lock every six months as part of a programmatic
approach.
When security professionals are confronted with the (reasonable) question of why improvements
are needed to the current security posture, our answers invariably link back to the concepts of
availability, confidentiality, integrity, and/or risk management. These answers do not completely
satisfy our critics, as they do not address the unasked question of, “Why is what I am doing now
no longer good enough?” When our critics press us for the answer to this implied question, many
security professionals default to answers centered around regulation or compliance.
Figure 3
This conversational paradigm converts the value of our security programs to that of achieving
compliance, versus making our environments secure. In other words, the implied value achieved
by programmatic, holistic security is to avoid fines and adhere to regulations. Without compliance,
our changes provide no value…
…or at least no value that we as a profession have consistently and compellingly expressed to date.
It is no wonder that our changes and implementations meet with resistance within organizations.
By defaulting to compliance-based explanations, we fail to place security as a value within the
organization’s value construct. Security does not become a driver of the organization’s decisions in
such circumstances; compliance does. Any changes, therefore, that we make/recommend which
go beyond the minimal compliance standards are considered unnecessary and excessive. Worse,
if these changes interfere with the organization’s business objectives in even the slightest manner,
they are perceived as obstacles and roadblocks to the organization – in other words, they are
deemed to have no value and must be avoided.
The Security Values Construct
What follows is my view on dissecting and expressing the values embedded in programmatic,
holistic security.
Figure 4
Each value is broken into two components:
- A statement of the goals/objectives of the value. Every value that we place within our
  personal or professional values construct serves a purpose; the goal/objective statement
  reflects that purpose. Candor, for example, might serve the purpose of ensuring the free
  exchange of ideas and viewpoints in order to stimulate innovative thoughts and ideas.
- A list of the operational tenets of the value. These tenets form the basis of our dialogue
  around these values and can serve to home in on differences of belief within an organization
  regarding the value itself.
It should be noted that all operational tenets associated with a particular value must be
accepted/adhered to in order for the value to be seen as relevant to an organization. In many cases,
disagreements regarding a portion of the security values construct center around an organization’s
lack of belief/agreement with a specific operational tenet. Changing to a values-based dialogue
allows for more finite identification of such disagreements and can better focus efforts for
achieving compromise or understanding.
Access Control
Goal/Objective: Enabling access to that which is required to perform one’s duties.
Operational Tenets:
- Personnel should have access to the tools and facilities necessary for them to perform their
  job functions.
- Not everyone should have access to everything.
Notes:
- This value applies to thing-to-thing access as well as person-to-thing access. Thus,
  application-to-application access, system-to-system access, and person-to-building access
  are also impacted by this value.
- Most organizations have little problem with the first operational tenet for this value; the
  second operational tenet may be problematic for more open environments such as
  universities.
Business Continuity & Disaster Recovery
Goal/Objective: Ensure timely continuity of operations in the event of a potentially catastrophic
event.
Operational Tenets:
- In order for the business to thrive, we need to keep doing the things that we do from both
  a process and technological standpoint.
- Failure to appropriately plan for an operational failure will result in an inability to service
  our customers in a timely manner, which will negatively impact our business.
  a. “Failing to plan is planning to fail.”
- Not everything that we do needs to come back instantly in the event of an operational
  failure.
- Everything that we do needs to come back eventually after an operational failure.
Incident Management & Response
Goal/Objective: Ensure the timely and accurate ability to detect, measure, and appropriately
respond to potentially harmful events impacting the environment.
Operational Tenets:
- No matter one’s security posture, there will be events and incidents within the environment.
- An unmanaged event has the potential to cause substantial harm to our business and our
  organization.
- Lack of preplanned incident response procedures will result in an inefficient (if not
  ineffective) response to the situation.
Notes:
- This value is closely related to the BCDR value, as a business continuity situation is the
  extreme instance of Incident Management & Response.
Information Protection
Goal/Objective: Ensure that all corporate information is protected at an appropriate level.
Operational Tenets:
- We have information that is unique to our business and/or critical to our success as an
  organization.
- This information exists in many forms in our organization – and not all of them electronic.
- If this information is exposed to the wrong people or at the wrong time, it will limit/impair our
  ability to thrive as a business.
- It is important that our information not be erroneously or maliciously altered.
Notes:
- This value addresses the principles of confidentiality, integrity, and nonrepudiation. It also
  addresses the importance of information in non-electronic forms.
- There is a concept of timing of data exposure addressed within this value as well. Earnings
  data, for example, are considered extremely sensitive prior to their public release date (at
  which time they become freely and openly available).
Physical Security
Goal/Objective: The physical protection of corporate assets.
Operational Tenets:
- Personnel should be safe from violence or threat of violence from external or internal
  personnel.
- Corporate assets should not be subject to theft or damage by external or internal personnel.
- Personal property should not be subject to theft or damage by external or internal personnel.
- Facilities should not be subject to damage or destruction by external or internal personnel.
Policy Framework
Goal/Objective: Ensure clear understanding of the security processes and controls within the
environment.
Operational Tenets:
- Every process is based upon “rules.” Policies codify and document these rules.
- In order to ensure understanding, policies should be written down and easily accessible to
  all members of the organization.
- Policies reflect the desires, values, and objectives of the organization and its leadership.
Notes:
- While the overall objective of this value is to ensure understanding of processes and
  controls, the operational tenets also clarify the role of policy in reflecting the desires of the
  leadership.
Risk Management
Goal/Objective: Create and maintain a risk-balanced operational environment.
Operational Tenets:
- Some risks are worth taking.
- We should know the full extent of the risks we are taking.
- We should make decisions only with full knowledge of the risk.
- Risk decisions should be made at appropriate leadership levels within an organization.
- Risk should not be the only reason for selecting or rejecting a specific course of action.
- We should remain fully aware of the risks in our environment.
- Where existing risks are deemed excessive, we should take steps to limit or eliminate those
  risks.
Notes:
- There is a danger of the “risk management” value becoming a catch-all for all of security.
  I have tried to cull as many specific items and areas out into separate entities within this
  values framework to avoid this trap.
- Where I have found the risk management value of particular use is when mapping specific
  regulatory compliance items to the values framework. There are certain areas within most
  regulatory requirements which (to date) are difficult to explain/justify within a values
  construct for reasons other than pure risk management.
Benefits to a Values-Based Approach
The organization and the security professional can reap a multitude of benefits from adopting a
values-based approach to a security conversation.
Clarification of Concerns. A values-based discussion of security can lead to a clearer
understanding of the positions and concerns of all parties involved. If, for example, a concern
exists over access control measures within an organization, then a values-based discussion can
determine whether an individual has a fundamental disagreement with one of the operational tenets
of the access control value, the mechanics of the access control process, or the outcome of said
process. In other words, does the individual:
- Believe that all information within the company should be available to everyone;
- Disagree with how or how rapidly the access process works;
- Disagree with the implementation of access control (e.g., multiple, complex passwords
  changed every 90 days); or
- Disagree with the removal of their access from some particular room/building/application?
Values-based discussions allow the security professional to more quickly identify fundamental
differences with a value, versus a challenge with the mechanics or personal disgruntlement
regarding a particular outcome.
Identification of Cultural Dissonance. I use the term “cultural dissonance” to describe potential
differences in beliefs between the organization and its individuals en masse. As organizations
evolve, there can be large disconnects between the direction of the leadership and the desires of its
people. Such dissonance around security can add an additional layer of difficulty when
implementing programmatic changes. Surveying the environment to determine where dissonance
exists – and the type of dissonance – can dramatically reduce program implementation risk.
Take, for example, the area of physical security. After conducting a simple survey, you find that
the organizational leadership values physical security at a “10” (very important) on a ten-point
scale, whereas the individual rank-and-file value it at a “1” (very unimportant) on the same scale.
In such an environment, the rank-and-file would view any augmentation to the physical security
posture as stifling and restrictive; some might even compare their work conditions to those of
imprisonment. If the numbers were reversed, however, the CISO would have difficulty
implementing even the smallest changes to what is probably a minimalistic physical security
structure…whereas the rank-and-file would welcome such changes and probably feel that their
current work environment is lacking and possibly unsafe. Understanding the level of agreement
with the security values construct and what dissonance (if any) exists increases the probability of
implementation success.
Rising Above Compliance. Regulatory compliance standards may be mapped to the security values
construct in order to show and express the value of various compliance components. Appendix A
contains an example of such a mapping.
Conclusion
The outdated paradigm of a security framework based upon a tug-of-war between the CISO and
the rest of the business needs to shift into a more balanced, holistic partnership. To fall back on
the notion that security is merely compliance with the myriad of laws and standards does both the
security profession and the business a disservice. We as security professionals must do more to
change the conversation and integrate security into the values construct of our supported
organizations.
About the Author
Kim L. Jones is a 29-year intelligence, security, and risk management professional with expertise in
information security strategy; governance & compliance; security operations; and risk management.
A sought-after speaker and industry thought leader, Professor Jones is a former Chief Security Officer
who has built, operated, and/or managed information security programs within the financial services,
defense, healthcare, manufacturing, and business outsourcing industries.
Jones holds a Bachelor’s degree in computer science from the United States Military Academy at
West Point, and a Master’s degree in Information Assurance from Norwich University. He also
holds the CISM and CISSP certifications.
Professor Jones may be reached at [email protected].
Appendix A: Mapping the Values Construct to Compliance Regulations
This appendix contains a sample matrix mapping a regulatory framework (in this case, NIST 800-53
version 3) to the security values framework.