Top Down Urgency

The pragmatic decision makers with whom I work rarely find my more urgent recommendations compelling. Driving change in security and compliance practices can be challenging. Finding the right ‘lever’ to influence decisions is what the work is all about. The recent unclassified report to President Obama by the President’s Council of Advisors on Science and Technology (PCAST) entitled “Immediate Opportunities for Strengthening the Nation’s CyberSecurity” is going to significantly change the conversation. While there’s nothing in the report that’s going to startle any security professional, the authors have significant clout and the recipient definitely can influence change.

If I were to boil the entire paper down to a single statement, it would be “we need to build a culture of awareness and vigilance into society, and more specifically the commercial sector, through existing governance models”. The most compelling and relevant statement in the report is:

The President should strongly encourage independent regulatory agencies to adopt regulations that require self-reporting of continuous-improvement practices along these same lines. In particular, the Securities and Exchange Commission (SEC) should mandate, for publicly held companies, the disclosure, as investment risks, of cyber-security risk factors that go beyond current materiality tests.

The wheels of government do move slowly – but they grind everything down to the same fine powder. The Sarbanes-Oxley Act drove significant change in the commercial sector. Eventually this recommendation is going to blossom into legislation. Once the SEC (or an equivalent federal agency) requires it, my pragmatic decision makers will embrace the need for fundamental change in much the same way they did Sarbanes-Oxley – and I’ll have fewer opportunities to promote challenging changes. That’ll be a good day.

Pre-Encryption Access?

Steve Blank has speculated that the NSA has corrupted the Intel/Microsoft microcode update process. Microsoft has already admitted they have been compelled by the US government to build a back door into their chat service. The chat service is encrypted, but not for the NSA. Steve Blank believes the revelation that the NSA has “pre-encryption stage access to email on Outlook.com, including Hotmail” means they have a back door farther down in the stack. He postulates the NSA can inject their own code into the encrypted Intel microcode update packages.

If someone had speculated this sort of thing a year ago I would have labeled them a conspiracy loony and asked them to take off their tinfoil hat.  Now, I’m not so sure.

Power Corrupts or Reveals?

A great article by Adam Grant (author of the book Give and Take) discusses whether power corrupts or simply reveals the inherent flaws we each carry.

Power frees us from the chains of conformity. As a team of psychologists led by Adam Galinsky finds, “power psychologically protects people from influence.” Because powerful people have plenty of resources, they don’t need to worry as much about the negative consequences of expressing their values. For givers, power is associated with responsibility to others. This means that power often grants givers the latitude to help others without worrying about exploitation by takers or sheer exhaustion. For takers, on the other hand, power is a license to advance their own interests.

It’s always tragic when we see individuals who appear so promising fail just as they reach the zenith of their career. Why do some people self-destruct? More importantly, how can we all avoid doing the same in our own small world? Do we have the ability to overcome or suppress these natural tendencies, or are we doomed if we hold these qualities? I hope we have the ability to compensate, because I’m certain we all have some of these negative qualities.

Panic in the Cyber Security Industry

Reuters just published a story entitled Analysis: The near impossible battle against hackers everywhere on the current state of panic in the industry.  Earlier this week the security firm Mandiant published their assessment of the state-run hacking program operated by the Chinese government.  It was tempting to pull the entire article as a quote.  The rhetoric in the article reflects a state of panic held by many security professionals:

“They outspend us and they out man us in almost every way,” said Dell Inc’s chief security officer, John McClurg. “I don’t recall, in my adult life, a more challenging time.”

“There is a battle looming in any direction you look,” said Jeff Moss, the chief information security officer of ICANN, a group that manages some of the Internet’s key infrastructure.

“Everybody’s personal objectives go by the wayside when there is just fire after fire,” said Moss, who also advises the U.S. Department of Homeland Security.

“Your average operational security engineer feels somewhat under siege,” said Bruce Murphy, a Deloitte & Touche LLP principal who studies the security workforce. “It feels like Sisyphus rolling a rock up the hill, and the hill keeps getting steeper.”

“I don’t remember a time when so many companies have been so visibly ‘owned’ and were so ill-equipped,” said Adam O’Donnell, an executive at security firm Sourcefire Inc, using the hacker slang for unauthorized control.

“Our biggest issue right now is getting the private sector to a comfort level where they can report anomalies, malware, incidences within their networks,” McFeely said. “It has been very difficult with a lot of major companies to get them to cooperate fully.”

He said what worries him the most is Chinese presence on networks that have no espionage value, such as systems that run infrastructure like energy and water plants. “There’s no intellectual property to be pilfered there, no trade secrets, no negotiating positions. So that makes you frightened because it seems to be attack preparation,” Hayden said.

Ethics

I enjoy ethics as a subject. Professionally, integrity is central to my role. My business success is predicated on my company’s ability to execute on its commitments to our stakeholders. I enjoy the way this fairly dry subject is presented. In it, Dan Ariely explores the circumstances under which someone would lie and what effect deception has on society at large. What’s cool about the video is that he ties the subtle decisions individuals make to the large consequences that result.

I do recommend the other videos in the RSA Animate series. Like the TED Series, these videos are thought provoking and insightful.