Research

One of the concepts I use in my Pragmatic CSO material is a Day in the Life of a CISO. There are lots of firefighting and other assorted activities. I usually get a big laugh when I get to the part about groveling to the CIO and CFO for budget. Yes, I call it like I see it. But after seeing a post on budgeting by Ed Moyle from before Thanksgiving, I think it’s time to dig a bit deeper. Remember the budget is pretty critical to your success (or failure) in security. This job is hard enough with sufficient resources and funding. Without them, you’ve got no shot. So becoming a budget ninja is one of the key skills to climb the security career ladder. Ed makes a number of good points about spending transparency and measuring effectiveness. Basically trying to show senior management what you spend money on and how well it’s working. I agree with all of those sentiments. And I’m being a bit sarcastic (go figure), when I talk about groveling for budget. You need to ask, but in a way that provides a chance of success. And the most useful tool I’ve seen used for this in practice is the idea of scenarios. Basically when building up your architecture, project plans, and other assorted strategies for the coming year, think about breaking up those ideas into (at least) three scenarios: Low bar: This is the stuff you absolutely need – in order to have any shot at protecting your critical information, or meeting your compliance mandate, or the like. To understand where this bar is, think about a scenario where you would quit because you don’t have enough resources/funding to have any shot, and a significant issue becomes a certainty. That is your low bar. High bar: This is what you need to really do the job. Not to 100% certainty – don’t be silly. But enough to have a good feeling that you’ll be able to get the job done. Real bar: This is somewhere in the middle and what you hope to be the most likely scenario. To be clear, how much funding you get to do security is out of your control. It’s a business issue. You are competing with not just IT projects, but all projects, for that resource allocation. And if you think it’s a slam dunk to build a case for a new perimeter security infrastructure, as opposed to a new machine that can streamline manufacturing, think again. Even if you know your project is the right thing to do, it may not be as clear to someone with lots of folks all groveling for their own pet projects. The scenarios help you explain the risks of not doing something, and provide a more tangible idea of the costs, than a long project list which means nothing to a non-security person. Scenario Risks Group your projects into scenarios, and model a specific type of attack that would be protected. For example, in your low bar scenario, just make the case that you’ve got no shot to meet compliance mandate X without that funding. Then explain the possible ramifications of not being compliant (fines, brand damage, breaches, etc.). This must be done in a dispassionate way. You are presenting just the facts, like Joe Friday. The burden is on the business managers to weigh the risk of not meeting (funding) the low bar. When presenting the high bar, you can discuss some of the emerging attacks that you’d be able to either block or more likely detect faster to mitigate damage. Get as specific as you can, use real examples of your applications and the impact of those going down. But be careful to manage expectations. Even if you reach the high bar of funding (which typically only happens after a breach), you still may have problems, so don’t bet your firstborn or anything. The real bar provides a good mixture of protection and compliance. Or at least it should. Truth be told, this is our hopeful scenario, so make it realistic and plausible. Make it clear what you can’t do (relative to the high bar) and what you can do (compared to the low bar). And more importantly the potential risks/losses of each decision. Not in an annualized loss expectancy way, but in a we’ll lose this kind of data way. The key here is to rely on contrast to help the bean counters understand what you need and why. The low bar is really the bare minimum. Make that clear. The high bar is a wish list, and in reality most wishes don’t come true. The real bar is where you want to get to, so use some creativity to make the cases push your desired outcome. Don’t Take It Personally Above all else, when dealing with budgeting, you can’t take it personally. Every executive team must balance strategic investments and risks and decide what is the best way to allocate the limited resources of the organization. Sometimes you win the battle, sometimes you lose. As long as you get to the low bar, that’s what you get. If you don’t get to the low bar, then maybe you should take it personally. Either you made a crappy case, you have no credibility, or the powers that be have decided (in their infinite wisdom) that they are willing to accept the risks of not hitting the low bar. That doesn’t mean you have to accept those risks. Remember, you are the one who will be thrown out of the car (at high speed), if things go south. So if you don’t reach the low bar, it make be time to look for another gig. And do it aggressively and proactively. You don’t want to be circulating your resume while your organization is cleaning up a high profile breach. Photo credits: “spare change towards weed + starbucks 🙂 long live bank of america” originally uploaded by sandcastlematt Share:

This is usually the time of year I write a how-to article on safe seasonal shopping. And some of it is the usual generic advice – use a credit card, don’t click email links, use merchants you trust, etc. – but I like to include specific advice to deal with new seasonal threats. Wading into the deluge of threat warnings about Black Friday shopping schemes this year, I found mostly noise. There are plenty of real attacks consumers should be worried about, but many which aren’t worth the attention. And every article seems to have a particular agenda. For example, I have a hard time believing SMS banking scams are a real threat to holiday shoppers, in the same way I can’t imagine someone falling for a Nigerian banking scam or turning off their refrigerator because of a crank call. Some are so targeted at a small group, the news is only interesting to the most dedicated security researchers. Others attacks combine good old fashioned fraud with a few Search Engine Optimization shenanigans to game the system, causing a lot of people grief, but persist until law enforcement makes then a priority to investigate. Of the dozens of articles out there, they all seemed to feed the security theater, making it much harder to know what’s a real threat and what’s not. I don’t know if Bruce Schneier coined the term Security Theater, but he’s certainly the first person I head use the expression. Over the years I thought I knew exactly what he meant: pretending to do something about security when not really doing much of anything. But every couple years I find a new wrinkle to the concept, and now the term embraces several variants. To my mind there are at least four additional variations on this theme, all quasi-political: Grandstanding: For the pure selfish desire to be front and center in a discussion, and a relevant force in the industry, talking about security topics in overheated terms such as ‘Cyber-War’, taking the popular side on a one-sided issue like spam, or stating “X technology is dead!” Voyeuristic Groupies: The audience for security theater. If you have ever been to Washington DC and watched the lawyers and lobbyists huddle around politicians and policy makers for the sheer enjoyment of watching partisan politics as if it were Shakespearean theater, you know what I am talking about. The audience for security theater is simply fascinated by the hacks and clever ways in which hardware, software, and people are subverted. They love security rock stars. Hacking news may not contain much actionable information, but this audience feeds on the drama. Red Herring: Cry loudly about one problem, while studiously avoiding equally troubling issues. A little security theater redirects the spotlight away from the real problem. Like how to protect oneself from Firesheep, when the real problem is security irresponsibility and sloppy web site coding practices, which are much harder to tackle. Or focusing attention on ATM skimmer fraud becoming more of a problem while releasing very little information on the rates of compromised point-of-sale computers that serve credit card readers. Both are serious security problems – and I am guessing that they cause equal financial losses – but we have published numbers in one instance and not for the other. I understand why: one makes the bank or merchant look like the victim, but the other makes them look too cheap/lazy/incompetent to provide security. Reverse Scamming: The ATM skimming article referenced above states that there are technologies that solve these problems, such as ‘Chip-and-PIN’ systems. The theoretical argument is that this system is better because it uses two-factor authentication (knowing your PIN and having the card with the chip in it), in practice these systems have been hacked with great success. Look no further that European ATM fraud rates if you have any doubt. If you are a vendor of such technologies, it’s sure great to have people think you can solve the problem, and maybe even get adopted it as a standard. What better way to fill the company coffers? One thing we know for sure is that on-line fraud rates are on the rise, and both companies and individuas are targets. What we don’t have this year is one or two popular attack types to warn users about – rather we are seeing every known type. And this is further clouded byt seeing more ‘spin’ on security news than I have ever seen before. So this year’s advice is simple: use your head, and use your credit card. Hopefully that will keep you out of trouble, or at least reduce your liability if you do find any. Share: