If you’ve ever watched a sumo wrestling match, you’ve seen the collision that takes place between two very large bodies, each trying to push the other out of the ring. It’s a match that always ends with a big winner and a shame-faced loser. Unfortunately, the practice of InfoSec can often be like a sumo match in many ways.
The focus of this chapter is to offer up a better way—a new way unlike the traditional sumo approach. To best explain this process, I’ve likened it to the martial art of judo, in which both attacker and defender roll together and end up in a different place. It’s efficient, simple, and easily achieved.
I’ve designed my approach to building an InfoSec program as a simple, easy-to-follow, seven-step process. It has been my pocket guide for years. I’ve used it to develop a set of operating principles that guide my team members as they partner with the business. Before delving into my approach and the seven steps, let’s look at the sumo analogy in more detail.
The Sumo Approach
InfoSec teams often use their power to try to enforce security controls throughout the company, frequently among the unwilling and uneducated. The sumo analogy is especially pertinent when others in IT or engineering oppose the InfoSec team, and the two departments begin the relentless and unseen pushing and shoving match until someone “loses.”
I can’t count the number of times I’ve heard myself or other InfoSec practitioners complain about how hard it is to improve security in the companies where we work. We complain that our IT colleagues don’t want security requirements on their systems, app developers don’t have the time to integrate security into their sprints, and management doesn’t want to pay for it. If we do finally get a security control implemented, the end users complain about it or do their best to try to bypass it.
Nonetheless, we keep throwing our weight around like a sumo wrestler, spending time and money on the same old security projects and initiatives, while the organizations we serve see little improvement in their security posture. Doing the same thing over and over and expecting different results is, in the line so often attributed to Albert Einstein, the definition of insanity. This is what it feels like when we “oppose” elements of the organization and follow the sumo approach.
The Judo Approach
Judo’s philosophy is to harness your opponent’s momentum rather than oppose it. The aim is to use the opponent’s own movement to take both of you to a position that is better for you. Judo does not rely merely on your own strength but on the strength of the opponent to win the match. You want to roll with them. I use this analogy to illustrate that your customers have an opinion about security that is most likely different from yours, and you have to be willing to compromise to maintain relationships and to keep moving the security needle forward.
In this approach, you no longer use the sumo-style “might makes right” to force departments to conform to InfoSec policies and guidelines, but instead use the strength of relationships and others’ expertise to move toward an improved position for both sides. If you’re having a hard time grasping the judo analogy, perhaps it will become clearer when you read on and discover the seven steps contained in my approach:
· Step 1 is all about relationships—relationships at all levels of the company. Every staff member in the company is your customer, and establishing relationships with them is critical to your success. The 2020 Data Breach Investigations Report by Verizon shows that our customers will most likely be the ones to identify security breaches when they happen, as the InfoSec team is responsible for only about 30% of all identified breaches. In light of this data, relationships are the most important component of your program. As such, I suggest you start on them first and keep them at the top of your agenda throughout your entire tenure.
· Step 2 is what I call alignment. It’s the process you must go through to understand the company’s culture and tolerance for information loss. Knowing your company’s culture and risk tolerance allows you to build the InfoSec program that the company wants—not the program you believe it should have.
· Step 3 discusses the importance of laying the groundwork, or what I call the cornerstones, of your program. These cornerstones become the architectural components of documentation, communications, technology, and governance upon which you’ll build out your program.
· Step 4 highlights the need for a communications and education program and the importance of reaching others and educating them about their roles and responsibilities for InfoSec.
· Step 5 makes the argument that to be effective, you have to give some of your job away, or at least share some of it with others. The domain of InfoSec is too broad to be “owned” by a centralized department. There’s just too much to do, and as I’ll discuss later, to be effective, you’re going to want to establish a “neighborhood watch,” and get everyone involved in protecting company assets.
· Step 6 is a primer on building your team for maximum effectiveness. Since I assume you will always be under-resourced, you’ll need team members who relish playing multiple positions—great communicators who enjoy presentations and who are also uber techies.
· And, finally, step 7 identifies those few metrics that really matter when building a new program or inheriting a preexisting one.
This seven-step process has been refined and well tested over many years. Whether you’re building a new program or inheriting an existing one, I believe you’ll find the seven steps useful as you navigate your way through your early days on the job, or use it as a comparative tool for the program you’ve inherited. As I stated earlier, I’ve referred to this process as the art of our profession, or the last domain of InfoSec.
The Seven Steps to Engage Your Organization
The formula that leads to success in InfoSec is my simple seven-step process. It will change the way you approach InfoSec, provided you are ready to challenge your assumptions of the security industry and its so-called standard practices. My process is centered on building relationships, sharing the responsibility for security with others, and not centralizing power within the InfoSec team. Each step in the process can be performed without a lot of resources other than time. The only thing you have to be willing to do is change and let go of your traditional approach to InfoSec.
The process is almost too simple to believe, but I know it works because I’ve lived it and refined it over many years and in several companies. It’s been my road map and guide while working for several Fortune 500 companies, all of which couldn’t be more different. The only thing that can hold you back from establishing real InfoSec at your organization is if “your cement is dry,” and you hang onto those old InfoSec methods and assumptions. Are you ready to let go? Then read on about the road map to success.
Step 1: Cultivate Relationships
Relationships are your greatest asset and provide your only hope for securing the company’s digital assets. Forming and strengthening relationships should be the most important item on your agenda. You will be able to implement the security program that your relationships allow.
At the core of my simple process is the belief that InfoSec cannot be achieved without solid, collaborative, mutually respectful relationships. Your InfoSec program won’t move forward if you and your team aren’t constantly working to build and maintain great relationships throughout all levels of the corporation.
We all know the stereotype of the socially inept security nerd who would rather spend time in front of a computer than with an unpredictable human being. And I know that some of you readers may identify with that stereotype. That’s why I’ve dedicated the entirety of Chapter 4 to the topic of relationships. I know for many of you this may be a showstopper. It’s not the skill you’ve spent years developing. It doesn’t differentiate you from your peers or contribute to your technical abilities. Building relationships isn’t sexy engineering work, and it doesn’t make sense among all the good security work you have to choose from. I get it. I understand your arguments, but hear me out and give the concept a chance.
Whatever your personality or social skills, to be successful, you’ll have to focus on and build good working relationships. Without them, you and your InfoSec program will go nowhere. You’ll be dead in the water. You can’t be successful over the long haul, and you’ll find your effectiveness as an InfoSec leader severely limited. Relationship building is the main ingredient for success. Relationships come first, always. And without a continual focus on keeping them central to your team’s approach, the following steps will not be as effective, and you’ll find you’re building a suboptimal InfoSec program.
Step 2: Ensure Alignment
Alignment is simply about taking the time to understand the risk tolerance of your organization and then building an InfoSec program commensurate with that tolerance. Get to know your organization and align with it quickly. Culture matters. You have to find where your company’s risk needle is pointed. Keep in mind that alignment changes from department to department within the company.
Accept your lot in life. Your company is most likely not security minded. Your colleagues don’t understand your work. They don’t value it or accept it to the degree you’d like. They don’t design security into their products. Security doesn’t make any money for the company and it doesn’t occupy time on the executives’ agenda. The short answer is to get over it. Don’t agonize over it, deny it, or be frustrated by it. Acceptance is the first task in positioning yourself for success. It’s the first part of alignment.
So, while you’re building good relationships (and possibly repairing bad ones), your next step is to understand the culture of the company, which I cover in Chapter 5. Don’t try to change it or demand that everyone sees things your way. Without aligning your InfoSec values with the organization’s, you may find yourself trying to implement a security program that exceeds the needs and wants of your company and is inappropriate for the prevailing risk tolerance of the company’s culture.
This step can be throttled based on your tenure at the company. If you’ve been running the InfoSec department for longer than about three years, I’ll bet that you’ve probably already aligned yourself with the company’s values. If you’ve had your job for less than three years, you may not be as aligned as you should be, and reassessing your alignment would benefit you greatly.
Step 3: Use the Four Cornerstones to Lay the Groundwork for Your Program
All InfoSec programs consist of eight domains, but not all domains are of equal value, nor do all require the same amount of attention as you build your program. When building your program, you should initiate a few domains first. These areas won’t require much effort to start, and the progress you make in these specific areas will set you and your program up for future success.
The four cornerstones are documentation, governance, security architecture, and communications. These four areas (which encompass many of the eight domains), along with relationships and alignment, should make up the bulk of your first-year plans.
I suggest you start with the first piece of documentation, the InfoSec charter. The charter enumerates in simple terms what the company leadership wants from the InfoSec department. It also describes the responsibilities of all IT and engineering staff and management for protecting the company’s digital assets.
Foremost, the charter is a clear statement from company leadership regarding the roles and responsibilities of the InfoSec team. The primary reason a charter is so important is that it allows you to align with the intentions and wishes of senior management. It forces their hand to make a statement about InfoSec.
You’re going to be responsible for writing it, of course, but you’ll need management to sign it into effect. I’ve found that sitting down with senior management to explain the spirit of the charter, and the “why’s” of each statement is a great way to begin the alignment process. Management’s reaction to your draft will help set the course for you and your program.
To be more impactful and beneficial, your charter should go beyond highlighting the roles and responsibilities of the InfoSec team to also include the roles and responsibilities of IT management and staff. The responsibility for InfoSec does not rest solely on the shoulders of your team, and you want a charter that reflects this. Protecting the company’s information assets is everyone’s business. I discuss the process of writing the charter in Chapter 6. Try to get the chief executive officer (CEO), president, or chief operating officer (COO) to sign it. Once the charter is signed, it needs to be communicated broadly.
Step 4: Create a Communications Plan
If you believe as I do, that your only hope to secure the company’s information assets is to get everyone involved in the security process, then communications is your pathway. If your aim is to get the whole company involved in the security process, a communications plan is a must.
InfoSec does many good things for the company, but if nobody knows about them, you’ll miss many opportunities to raise awareness. Communications is challenging for most InfoSec folks. They don’t allocate time for it in their model for security. It doesn’t play to their experience or their skill sets. Fundamentally, they doubt its value.
Many don’t see communications as sexy, or making a communications plan as a good use of their time. Traditional InfoSec workers will scoff at the idea, but my experience tells me that a well-thought-out communications plan that includes multiple media channels is one of the best uses of your team’s time. As you practice communications activities, you’ll quickly realize that the time spent on communications offers the highest return on investment for you and your team.
For example, communications will make your charter impactful. Taking the charter to the various IT and engineering departments to educate them on their responsibilities will lighten your workload and enlist others in the process of securing the company’s information assets. A charter is meaningless unless others know what’s expected of them. But this applies to all areas of your work. The organization needs to know what security policy violations look like and how to report them. This happens through communications.
While security awareness and education lays out your company-wide security curriculum, the communications plan details all the messages to be communicated over many channels to everyone in the company. You want to take your InfoSec messages to employees. I believe communications is so important that I hire a marketing and communications person to help promote our team’s activities throughout the company. One person dedicated to marketing and communications activities can connect your team’s work with everyone in the company. Part of the marketing and communications efforts will be a large body of training offered to staff throughout the company. Here’s where the InfoSec team has the opportunity to shine, provided your team has good working relationships with others.
The IT staff should be your closest ally, but unfortunately, it most often behaves as your toughest sumo opponent. Building relationships with the IT department and bringing them onboard through specific and relevant training will be like adding staff to your department. In fact, once you train the IT staff about InfoSec, you’ll find that they often take a stronger stand on security than you would have taken as a starting point. Chapter 7 is devoted to covering all you need to know about creating a communications plan for your company.
Step 5: Give Your Job Away
In this step, you delegate InfoSec responsibilities to others and allow them to participate in the InfoSec process. When InfoSec is done correctly, the responsibility for it is given away to the employees of the organization. Remember that to secure the company’s information assets, you need everyone in the company involved. You can achieve that only if you’re willing to let others in while giving much of your job away.
No longer does the InfoSec department work from within its own empire, nor is it pushing InfoSec requirements on others. The responsibilities of InfoSec rest on the entire organization as all levels of the organization will be deputized for the task. I like to call this approach the neighborhood watch.
Part of giving your job away is to let others outside your team in on the decision-making process. I do this by allowing the system owners to be a part of the tool-selection process. I don’t buy any InfoSec tools without running them by several teams first. I allow those teams to be a part of the proof of concept, and to provide critical feedback on the viability and goodness of fit of the tools before they get added to our environment.
Finally, as you give your job away, don’t be overly concerned about maintaining the responsibility for traditional security functions you believe you should. Let the charter steer you here. If the charter needs updating to reflect new shared responsibilities, don’t hesitate to make the changes and let the network services team own a new security service they’d like to own. This is what you want and is evidence that you’re creating the neighborhood watch, and allowing “homeowners” to protect their own “homes.” Chapter 8 goes into the details of giving your job away and building your neighborhood watch.
Step 6: Build Your Team
What skills are needed to build your InfoSec program? What’s the profile or capabilities of the staff member you should look to hire? As you build your team, partner with the system administrators and engineers to create an “extended security team.”
If you’re new to your job, you’re probably in one of two situations: you’ve either just inherited an existing InfoSec team, or you have to build one. Both have their challenges, but it’s better to be able to hire your own employees and build the team you need rather than deal with the tribulations that come from an existing team of “stepchildren.” If you’re in the position where you assumed leadership over an existing team, you’ll need to take immediate actions to set the direction for your group.
Relationships, as discussed earlier, are the foundation of your program, and at the heart of relationships are people skills. It will be your team members who take the messages to the masses. If they don’t have great people skills, their value to you and the program decreases.
You’re going to be sending them out into the client areas, and if they’re unable to act in a professional manner, then you’re setting yourself up for failure. Why do I emphasize people skills so much? Because each of your team members represents InfoSec to about five to seven groups within the company. If your team members don’t have the agility to skillfully handle this on their own, it will come back to haunt you in a big way.
One final thought about building your team. Your “extended” InfoSec team will consist of many engineers who don’t work for you directly but have taken an interest in security and have become security advocates or ambassadors in their areas. These individuals are important to your success, and you want to treat them as special. I’ve often found that some of the greatest accomplishments for security came from others outside my team. These individuals should be recognized and rewarded in a major way. I go out of my way to do so. I must confess, though, finding techies with outstanding people skills is difficult. Chapter 9 focuses on how to organize and build your team.
Step 7: Measure What Matters
If you implement the six steps laid out so far, your organization will become a true, self-defending organism. As it matures, you’ll want to measure your progress toward the goal of achieving the neighborhood watch and getting everyone involved. But as you mature and go down this path, what metrics do you use to track your progress? As you know, our industry has hundreds of security metrics to choose from. They’re all good metrics. But which ones really matter?
I believe the key measurement for your success lies in a simple metric: can your employees identify a security threat or policy violation when they see one, and do they know how to report it? That’s it. I’ve used this metric for years, and it resonates with organizational leadership. It’s simple to understand and aligns with the industry data as well. This metric is easy to measure and totally makes sense. Tracking this metric will indicate your progress toward protecting the company’s information assets and establishing the neighborhood watch.
The next metric I track relates to phishing emails. Staff members often make a wrong assumption about InfoSec: that someone else is doing it for them. Nothing could be further from the truth when it comes to phishing emails. If staff members don’t catch them, you’re a goner. Phishing should have a special place in your program. Its ability to educate and shape the culture can’t be ignored. The phishing program, if done properly, will educate end users about InfoSec, heighten their awareness of other security matters, and generally draw them into your world.
If over the last 15 years you’ve tracked metrics for our industry, you’ve noticed that the stats for phishing haven’t changed much. As an industry, we should be shocked by the number of breaches traced back to a phishing email. For years, that share has hovered over 90%, and only in the last few years did it fall into the 80s. That’s right. As an industry, we haven’t made much progress in defending against phishing emails.
Considering these statistics, I suggest you keep staff education of phishing a top priority. Maybe someday we’ll crack the code on phishing, but the numbers don’t seem to indicate that’s likely to happen. One last thought: if malicious foreign entities or other hacking organizations phish your organization every day, why wouldn’t you prioritize this practice? Your staff’s ability to defend against phishing emails is a key metric to monitor. My metrics for improvement are discussed at length in Chapter 10.
Conclusion
I believe the job of every InfoSec group is to influence the company’s culture and move it toward greater security, as the company allows you to do so. The steps I’ve enumerated in this chapter to build and/or maintain an InfoSec program are the ones I still use to this day. My ideas are simple, and they work. In the following chapters, I discuss each of the seven steps in detail, and share examples and stories from my experiences. I believe you’ll be able to identify with them.
Building a program following my simple seven-step process requires that you honestly examine many of your long-held beliefs around InfoSec and a willingness to let go of some old and possibly bad habits, receive honest feedback from the organization, and require that your team change its approach.
Most importantly, you’ll have to define success in new terms, and this will be hard for most. Success will be measured by the overall awareness of the organization and how it functions as a self-defending unit. I have often referred to the leaders of InfoSec as “self-defense” instructors because they’re about teaching others about the science of InfoSec and ways they can defend their systems and data. If you follow my plan, you will change the way your company secures its assets.
Stay focused on these steps, and you’ll build a program that will have a legacy long after you leave. If you can separate yourself from your normal approach to InfoSec and consider the seven simple steps, you and your organization can make a huge leap forward in reducing the attack surface of your environment without buying a single piece of hardware or software.
When you’ve implemented my plan, you will be able to cut your staff size and budget dramatically. And most importantly, you will know your company is more secure this year than last. I believe all these steps will do more for increasing the security of your information assets than any tool or increase in head count can do.