Seeing risk for what it is

No Comments »

So it looks like the broader business community is getting religion on cybersecurity--and it's about time. Organizations are finally considering the impact of not just regulatory oversight, but also of the true price of bad press. After all, what would you want to pay in order to keep your company name out of the headlines.

The cybersecurity game is all about risk management; assessing the liklihood of something happening, deciding what the consenquenses and cost of such an event might be, and weighing all that against the cost of various countermeasures that your organization might invoke to protect against the threat.

So if you've decided it's time to get down to really building your cybersecurity program, one of the place you can start is with the assessment. This naturally means understanding a couple of key issues; what is your risk tolerance as an organization, and how well do your internal processes stack up against a defined standard or security framework.

There's lots of options out there for frameworks to choose from, but it's always best to consider what organizations similar in size and complexity to your own are up to. For those who go the ISO route, consider ISO 27000-series security frameworks. If your organizational focus is more in North America or if you are a smaller entity looking for a good standard that's easy to understand and actionable, consider the NIST framework.

Oh, and don't think of this as a once-and-done kind of exercise. Your organization should design and implement a regular review/renewal cycle of risk assessment. Keep on top of what concerns you the most because you'll find that over time, the threat environment evolves--something rapidly. And when the chips are down, that's NOT the moment to start thinking of ways to address risk.

“Can I get that in writing?”

No Comments »

You may have heard of the Internet of Things (IoT for short), but did you realize that it’s a term that is part of a revolution going on all around us? The days of managing relationships through a centralized source are coming to an end, and end-points are beginning to talk to each other directly—no middle man.

When people talk about driverless cars, this peer-to-peer, IoT relationship is often what they are referring to in the background. The vehicle of the future will communicate with other vehicles directly (not through some centralized authority) to better understand the driving conditions and safety context of the road.

When discussion turns to bitcoin (or other crypto-currencies), it’s the same IoT idea again. Such currencies are built with blockchain programming, and the currency itself is both decentralized and self-contained—the currency can carry its own accounting history within itself, and this information is available to all who participate in its network (sometimes referred to as a node in the blockchain).
But did you know that there is now a complete platform environment to support the decentralized execution of contracts? It’s called Ethereum, it has just turned three, and it has the power to change everything about the way we do business on the Internet.

Contracts done in the usual manner are NOT decentralized, but proprietary. They can get lost (or corrupted), and they can be complex and costly to administer. When managed in an Ethereum environment, contracts are shared and updated to all participants in the moment.

Flexibility is the name of the game here. They are designed to last only as long as the parties allow, and any funds associated with the contract can be held in the buffer, waiting for the moment to be transferred (on the successful completion of the metric) or returned to person who put the funds up in the first place.

In short, contract relationships are going to become more like your smart car or your bitcoin wallet—they will be decentralized and consistently updated among all the parties (or nodes). It’s all going to be about how we as a community of users share, update, and fulfill transactions on an event-by-event basis.

And just think… contract lawyers might just be looking for something else to do…

Taking on systems one blockchain at a time

No Comments »

Systems professionals with a deep understanding of the regulatory environment in healthcare (or banking, frankly) are best equiped to devising and adapting the most favorable attributes of blockchain design to suit industry data-processing needs. To that I might add that a deep understanding of optimal process would also come in very handy.

We have long struggled in heath care to determine  what "optimal" workflows really look like. Hospitals and clinicians look to the software vendor to provide efficient data-processing solutions, but software companies rarely have any real understanding of HOW care is best provided. Mostly, the vendors just know what functionality is MOST POPULAR with their customers--hardly a good substitution for optimized processing of data based on optimized understanding of care.

The resulting systems, no matter how beautifully tricked out with functionality, are incredibly rigid and are difficult to modify, or worse, transfer into newer systems as growth and market evolution inevitably demand. Our legacy systems really can't keep up with the enormous data growth we expect to see in information processing. Add to that the cost of cut-over into next-gen systems, seen against a background of exacting regulatory oversight, and suddenly you understand why banking and healthcare entities would rather "fight than switch," at least as far as systems go.

This is where, I believe, blockchain might be a truly innovative disruptor. One of the curious aspects of blockchain is that the history of the transaction becomes part of the record, whether it's a banking record, a unit of currency, or a healthcare record.

If we were to tuck the history of the transaction right into the transaction itself (and provide interested stakeholders in a shared use of and access to this history), it's easy to see that an organization's core processing system might well be "set free," to a certain extent, from maintaining the large (and ever-increasing) sea of information. Instead, the processing system will focus more on the transformational aspects of the entity's business and the "value-add" that the organization brings to the data.

Banking and healthcare are two marketplaces where regulatory oversight is significant and increasing. Whatever benefit we might see in blockchain, and I suspect there is great potential value there, we need to be keenly aware of HOW we best accomplish our work in healthcare, and how we do so WITHIN the given regulatory environment. Professionals with experience in these critical areas will be most suited to developing and exploiting the promise of blockchain.

Cashing In on Process...

No Comments »

We all know that security organizations benefit greatly from properly documented procedures. After all, who among us has ever forgotten that one item we went to the grocery store for in the first place? Lists work...

There are a number of issues that you might want to focus on in the world of policy and procedure, so here's a place to start. Take the time to actually document functional procedures. This means taking stock of security controls that you employ, and drafting procedures that reflect how things actually get done.

This can be easier than it looks, but with a structured approach, you should be able to find a good many of the day-to-day procedures lurking in your organization. Don't be surprised to find that there are lots of opportunities for standardized behaviors... and lots of evidence that things are happening in a "customized" approach pretty much everywhere.

Organizations worry about the time and expense of documenting standard work processes, but these same entities will invest extraordinary amounts of time looks for small economies of scale to achieve modest but real increases in productivity. Think of standardized work as just another way of achieving predictable outcomes; ones that can actually help your organization's bottom line.

Training versus Education

No Comments »

For all the effort we put into securing our corporate systems from a technical perspective, it's still the case that the bulk of the effort associated with a comprehensive security posture relies on helping our people understand their role in security efforts day by day.

For this reason, security training programs have been implemented far and wide, but does training really fit the bill? When we talk about training, we are really referring to rote repetition of concepts, ideas, and steps in process. This can be very helpful when teaching your staff the value of a check-list to ensure that each step was completed, but what about when the end-user needs to actually interact with the situation and make a decision?

This is where education takes over... When we teach ourselves how to evaluate the evidence at hand and make a decision, that's the heart of real education. The best way to educate your workforce on security concepts is to give them the tools and information, and then step back and let them teach themselves.

This requires more preparation on the part of the instructor, but it will empower your workforce to evaluate the situations they encounter every day and make effective choices... and wasn't that the whole point of the exercise in the first place?


Is your change-management process working? Do you even have one?

No Comments »

Do upgrades to your corporate systems happen because of deliberate reflection and defined testing, or do changes get introduced “on-the-fly?” The latter is more common that we all care to admit, but it can be a costly way to do business when an untested change causes an entire system to behave in unexpected ways--sometimes things even cease to operate. 

The value of the productive hours lost is part of the real cost of poorly-implemented changes to systems, so make sure that all changes are planned, approved, tested, and documented, along with some form of a back-out strategy. You never know... things don't always work out quite the way we expect, now do they?

Consider forming a Change Management Committee and make sure that senior members (who might be construed as stake-holders) from across your organization participate in its activities.

Finally, communicate, communicate, communicate: Make sure that everyone who needs to know about an upcoming change actually gets the memo. Surprises can get ugly.

Have You Defined Standards for Each System?

No Comments »

Unlike policies and procedures, which are mandatory in nature and apply to all members of the organization, a standards document is specific to the information system that it belongs, and sets forth goals for implementation of that system. 

As we all know, there’s more than one way to implement a system, and keeping track of how your organization has chosen to set up controls in each application is a great idea. Still, core concepts of security implementation at your organization can be identified and codified for each system, regardless of the endless variety.

These standards documents can be as detailed or as high-level as you wish, but they will always be specific to the system and will be advisory in nature. Make sure that your security teams can demonstrate how day-to-day activities relate to the code of behavior in each standard.

Who Owns the Data vs. Who Maintains the Data

No Comments »

In the age-old battle of data and systems administration, organizations must understand who actually owns the data contained in the applications. Data center staff may well administrate the programs and the operating system upon which the programs depend, but their role in ownership is limited.

Access to sensitive data must be authorized by the department or group who create and maintain the actual content of the system. They alone should decided who gets access to the system, since they know all their departmental players, and are best suited to determining who has an actual business need for access.

Systems maintenance staff are the perfect choice for maintaining the software that runs the application, the operating system that supports the application, and the hardware that houses the application. They are not the best folks to decide who gets access to the data.

Are Your Policies Just Credenza-ware?

No Comments »

How often are your policies and procedures reviewed and updated? If you’re having trouble answering this question, chances are you’ve got a credenza-ware problem, a not-uncommon malady in our current business environment.

The cure for this condition is to decide at what intervals policy and procedure documentation will be reviewed, and by whom. Even if no changes are to be made, a quick review and validation that everything is up-to-date is a powerful tool. Keep the date of last review and revision handy too.

The reason for this is simple—anyone can pay to have policies built to satisfy a regulatory requirement, but if you want to get true value out of them, you have to see your corporate policies, standards, and procedures as something more like a mirror, meaning that they reflect a commonly understood reality of your corporate life.

Envision your policies as hierarchical, with a few broad policies at the top, and more specific sub-policies and procedures supporting them. Then take the time to allow your standards and procedures to flow from the initial design that you’ve chosen.