3 steps to measure what matters in any situation

Once the fear of truly measuring what matters subsides, the actual process centers on 3 basic steps. And they work in any situation.

While it only takes 3 steps and is easy to understand, the process of measuring what matters is deceptively hard to operationalize.

Measuring what matters is a process that requires the experiences and perspectives of different people. Bringing the right people together, and steering clear of politics (at least the politics of who gets selected), makes the result more effective.

Precision and common understanding of terms and effective communication are essential for this process to work. Using words with different meanings or failing to clarify — including context — sets the stage for confusion and failure.

When I guide clients through the process, it normally takes 3-5 weeks (and a few iterations) to get all the pieces right. Each situation is different, but plan to spend more time than expected.

This takes at least twice as long as you think. Maybe longer the first few times through.

1. Define the problem

The first step is to clearly and accurately address the purpose. What are you trying to do, and why?

To get started, ask simply, “What is the problem we are trying to solve?” And then let it hang.

What seems like the obvious answer is not always accurate. Probe a bit deeper, simply by asking, “Why?” Perhaps a few times.

This step is skipped too often. This is a situation assessment.

Understanding the true, often hidden, problem allows us to set the baseline. Engaging in a discovery and diagnosis surfaces important insights and helps set the pathway to resolution. The nuance and experience of exploring the challenge and likely pathway is crucial to capturing the right measurements.

Clarity is essential here.

A common barrier to success at this stage is the driving desire to do “something, anything” as quickly as possible: to rapidly develop a dashboard or other visual reporting tool in an effort to justify a program. But when asked what problem that dashboard solves, the answer is usually a shrug of the shoulders and the proclamation that “something is better than nothing!”

That’s not generally true. The wrong something has a tendency to create more work in the future.

To measure what matters, first seek to truly understand the challenge. The success of the measurement program depends on that clear and mutual understanding.

2. Establish outcomes

The process of establishing outcomes defines success. Simply stated, it captures and details for others the result of the solution: the expected change in the condition of the organization.

This answers the question, “How will we — and others — know we are successful?” Established outcomes need to be clear, consistent, and mutually understood by everyone involved.

Measure against outcomes to demonstrate success. Together, the 3 steps ensure the trend reveals what is working, what needs to change, and when the effort has succeeded.

When focused on managing risk and reducing intolerable events, it’s important to remember to capture the “when it works right.”

Even with clearly defined and understood problems, it takes time to work with stakeholders to establish outcomes. It requires translating complexity into understanding. Invest the time to document what the result looks and feels like. Focus on describing how the behaviors of individuals are expected to change.

3. Measure behavior matched to outcomes

Consider the actions people take now. How are they evidenced? What actions are people expected to take in the future? How are they different? How are those new behaviors demonstrated? What (and how many) steps exist between the current state and the desired outcome?

The key to measuring what matters is to focus on capturing and demonstrating the evidence of behavior. Place emphasis on what people do over what they say.

For example, asking people if they intend to change their passwords after a session on building better passwords usually results in an overwhelmingly positive response. When faced with the question, most give what they feel is not only the right answer, but what seems to make sense in the moment. It doesn’t, however, represent a change in behavior.

The better approach is to measure how many people actually change their password. I also like to test the strength of the new passwords, monitor password resets, and look for evidence of changes in other places, too (to the extent possible).

By adopting an evidence-based approach, we can capture and consider the behavior of different groups, at different times. Those insights and the trend they form help to guide the programs to solve the problem and reach the established outcomes.
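The measurement the post recommends, carried out on directory evidence rather than on what people say, as an added example that is not part of the original post. The records, session date and 14-day window are constructed; in practice the timestamp comes from the directory's last-password-change attribute (pwdLastSet in Active Directory) and no passwords are collected. It goes one step beyond the post by comparing attendees with the non-attendees in each department, so that changes forced by an expiry policy are not credited to the session.

```python
"""Added example: evidence-based measurement of password-change behaviour
after an awareness session.  All records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SESSION = date(2009, 10, 6)      # assumed date of the session
WINDOW = timedelta(days=14)      # assumed observation window after it


@dataclass
class UserRecord:
    user: str
    dept: str
    attended: Optional[date]     # session date if the person attended, else None
    pwd_last_set: date           # last password change, per the directory export


# Constructed directory export joined with the attendance list (not real people).
RECORDS: List[UserRecord] = [
    UserRecord("alice", "finance", SESSION, date(2009, 10, 8)),
    UserRecord("bob",   "finance", SESSION, date(2009, 7, 1)),
    UserRecord("carol", "finance", None,    date(2009, 10, 9)),
    UserRecord("dave",  "ops",     SESSION, date(2009, 10, 20)),
    UserRecord("erin",  "ops",     SESSION, date(2009, 10, 7)),
    UserRecord("frank", "ops",     None,    date(2009, 5, 15)),
    UserRecord("grace", "ops",     None,    date(2009, 6, 2)),
]


def changed_after_session(rec: UserRecord, session: date = SESSION,
                          window: timedelta = WINDOW) -> bool:
    """Behavioural evidence: the directory shows a change inside the window.
    A change made before the session is not credited to it."""
    return session <= rec.pwd_last_set <= session + window


def change_rates(records: List[UserRecord], session: date = SESSION,
                 window: timedelta = WINDOW) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Per department: (changed, total) for attendees and for the control
    group of non-attendees.  Changes that also show up in the control group
    are probably driven by something else, such as an expiry policy."""
    tally = defaultdict(lambda: {"attended": [0, 0], "control": [0, 0]})
    for rec in records:
        group = "attended" if rec.attended is not None else "control"
        counts = tally[rec.dept][group]
        counts[1] += 1
        if changed_after_session(rec, session, window):
            counts[0] += 1
    return {d: {g: (c[0], c[1]) for g, c in groups.items()}
            for d, groups in tally.items()}


def rate(counts: Tuple[int, int]) -> float:
    changed, total = counts
    return changed / total if total else 0.0


def lift(dept_result: Dict[str, Tuple[int, int]]) -> float:
    """Attendee rate minus control rate: the number to trend from session
    to session, in place of the survey answer."""
    return rate(dept_result["attended"]) - rate(dept_result["control"])


if __name__ == "__main__":
    for dept, result in sorted(change_rates(RECORDS).items()):
        print(f"{dept:8s} attended {rate(result['attended']):.0%}  "
              f"control {rate(result['control']):.0%}  lift {lift(result):+.0%}")
```

In the constructed data, finance shows no lift at all: the one non-attendee changed her password in the same window, so something other than the session (most likely expiry) drove the change. That is exactly what a yes/no survey after the session would hide.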

The key is to keep it simple, focused.

Simple is generally more powerful, but it often takes a bit more time to distill and process. Make the time in the beginning to seek out the right behaviors and outcomes that allow everyone involved to see the changes.

This is where training helps. Normally, this is wrapped inside discussions and agreement on value. Ultimately, the measurements of value need to be communicated effectively. But that’s another series.

Make the commitment to measure what matters

These three steps work in any environment and any situation. The questions are easy to understand, and even easy to ask. The challenge sets in when the right people are together and it’s time to document the answers in a way that everyone understands.

The trick is to avoid rushing, while driving to successful conclusion in a reasonable period of time.

Training and outside help eases the process and reduces mistakes. But like anything, the key is to get started. Make the commitment to measure what matters, to focus on challenges, outcomes, and changes in behavior.

Work from a consistent, open framework and keep doing it. This is the pathway to success.

You can do it. I’m here to help. Share successes, frustrations, and ask questions in the comments or by dropping me a note.

Why the definition of security awareness matters

Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm. ~ Donella Meadows

A practice built on teaching and creating materials based on the art and science of effective communication often leads to discussions about how to build and improve security awareness programs. I start the conversation by first asking, “what does it mean to be aware?”

After a nervous laugh (or two), answers range from blank stares and silence to lengthy lectures with no connection to security awareness. In fact, I had one executive suggest to me that trying to define security awareness was akin to US Supreme Court Justice Potter Stewart attempting to define pornography when he wrote, “I know it when I see it…”

Clever. Maybe funny. Certainly not true.

The inability to define and explain awareness creates a situation where security awareness is not understood, and therefore not funded. Business has a responsibility to make investments that increase revenue, decrease costs and improve efficacy. A blurry vision for security awareness relegates it to a checkbox on a compliance form, a program tasked to someone without the understanding, experience or support to be successful.

But more importantly, without a clear definition of security awareness, it is impossible to achieve.

It doesn’t have to be this way.

The first step toward building a successful security awareness program is to understand the concept of awareness, how to define security awareness, and how that impacts the business in a way that makes sense to support.

How do others define awareness?

Awareness is not a new concept. Here are three definitions that share common threads, easily applied to the challenge of generating awareness with regards to security and risk:

  • Wikipedia defines awareness as: the state or ability to perceive, to feel, or to be conscious of events, objects or sensory patterns. In this level of consciousness, sense data can be confirmed by an observer without necessarily implying understanding. More broadly, it is the state or quality of being aware of something. In biological psychology, awareness is defined as a human’s or an animal’s perception and cognitive reaction to a condition or event.
  • Awareness is also defined in personal injury claims: Conscious of stimulation, arising from within or from outside the person.
  • Marketing is keen on awareness: a measure of respondents’ knowledge of an object or an idea. There are two main measures of awareness: spontaneous (or unaided) and prompted (or aided) awareness.

The common threads in these and other definitions are a sense of the individual, recognition of actions, and a measurable component related to some sort of message. Also consistent is the notion that awareness can be spontaneous or aided. None of these definitions use the word training. Awareness is awareness (more below), and training is something that comes after awareness. While these are a good starting point to define security awareness, a complete picture considers the underlying challenge of the human paradox gap (for more see: Why people are not the problem).

How The Human Paradox Gap Impacts Security Awareness

When it comes to connecting with people, demonstrating business value, and influencing change, the underlying challenge of The Human Paradox cannot be ignored.

Described in Into the Breach, the Human Paradox is the condition where individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable. The result of The Human Paradox is a gap (explained in the Human Paradox Gap Model).

The implication for security awareness: the more disconnected people are from consequences, the more complicated and costly the effort to reconnect them. Bridging the gap requires an approach that blends an understanding of people (not users!) with effective communication to create the environment for awareness. This means traditional approaches that inflict misguided “training” on people (Memo from employees: educate, but don’t embarrass us) have the adverse effect of disconnecting people further… increasing risk.

Security Awareness Defined

Successful security awareness programs start with an accurate and clear definition. Based on existing definitions of awareness and the impact of the human paradox gap, security awareness is defined as:

Security Awareness: the individual realization of the consequences of actions (with the ability to assess intention and impact)

This definition of security awareness actually shifts the purpose of the program. Separated from security training (the step after awareness), the focus of a security awareness program is to provide people the information and experience to reach the individual realization. Oddly, this makes the task easier, and more challenging; success depends on the ability to properly apply the art and science of effective communication. That means creating the right materials, delivering them in the right way, at the right time, and then working to navigate to mutual understanding.

The Benefit of a Successful Security Awareness Program

Security awareness isn’t a temporary condition, it’s a realization that sets the stage to demonstrate business value and influence behavior change. Of course those benefits come after considering how to structure the security awareness program, implement it successfully and measure the results. When employees are aware, they are able to work to reduce risk. They realize problems sooner, are more comfortable speaking up, speaking out and seeking to partner with the security team. They gain a better sense of the information that influences decisions about risk and share more freely to better the organization. They become more resilient.

The first step is to use the right definition to create a vision for what security awareness is, and why it benefits the organization. A small shift with big results.

How Virtualization Affects GRC

By Dave Shackleford

Virtualization technology is becoming ubiquitous. More and more organizations are replacing physical infrastructure with virtualized systems, including desktops and servers, and application and storage virtualization are popular as well. Virtualization changes a number of paradigms across the information technology landscape – some obviously for the good, some possibly for the worse. In the realm of GRC, virtualization has some distinct points to consider, many of which may require changes in operations and policy, as well as overall information security management.

Where governance is concerned, virtualization brings about changes in separation of duties and policy definition.

In traditional IT environments, distinct teams with specialized skill sets manage and operate various pieces of the infrastructure. Network engineering and administration teams manage routers and switches, Windows systems admins manage Windows servers, etc. With virtualization technologies, all of these functions are collapsed into a generally cohesive management structure, such as VMware’s vCenter Server.

This leads invariably to challenges with “who manages what” – many IT shops tend to put the burden of managing VMware solutions on Windows admins, for example. These admins now manage the virtual machines, the underlying hypervisor platforms, the virtual networks, storage connections, etc. All of these can be regarded as separate disciplines, and having one team manage them all flies in the face of proper separation of duties.

Along with this problem comes the definition of policies governing the use and oversight of these technologies – who drafts the policies, and which teams are the policy owners?

The overall risk landscape changes dramatically with virtualization, too.

Many of the risks are similar to those we understand today, but are present in a somewhat different form. The lack of proper change management and configuration management programs is still a viable risk that can lead to innumerable security issues, but it is compounded by the operational nuances of virtualization technologies themselves. For example, the act of creating and provisioning systems is simplified immensely – keep a template, generate a new virtual machine from it, move the VM to a host platform, and flip the switch.

Without ensuring that a) the template configuration is patched and up to date, and b) the VM provisioning has gone through change control, the risk of bringing a new system online with OS or application-specific vulnerabilities is far higher. Threat vectors change, too: if the hypervisor platform is compromised by an attacker, every virtual machine hosted on that platform is immediately at risk. Risks inherent in the hypervisor therefore potentially carry much greater impact than the single-system risks we have managed up to now.

On the compliance front, there is a considerable amount of grey area around how virtualization plays a role. On the one hand, most compliance mandates (SOX, HIPAA, GLBA) are vague enough to leave the interpretation open to both auditors and auditees alike. Herein the issue lies, however – compliance mandates open to subjective interpretation are bad, since potentially unsafe practices may be considered acceptable by different auditors and organizations who don’t understand the risks, technologies, or both.

Even more prescriptive regulations like the PCI DSS don’t specifically address virtualization, which has led to a number of issues around interpretation. For example, PCI DSS section 2.2.1 mandates that all servers involved with payment card data should only have a single function, such as a dedicated Web server or database server. What about virtualization hosts like VMware ESX, though? It’s a single server, but runs VMs that perform a variety of different functions. Although a Virtualization Special Interest Group (SIG) has worked on this, there’s no clear timeframe for integrating their work into the standard. In addition, many auditors just don’t understand virtualization technology, and default to the most restrictive possible implementation methods “just to be safe” – any “knee jerk” reactions of this type are probably a bad thing, in either direction.

Virtualization can help organizations reduce operating costs, and many feel that it’s a key component to “Green IT” strategies aimed at reducing energy consumption. However, despite popular belief, it actually makes the IT environment more rather than less complex, and a number of new processes and approaches are needed to ensure that security and risk management keep pace with its adoption.

Dave Shackleford, Director of Security Assessments and Risk & Compliance at Sword & Shield Enterprise Security, is also a SANS Analyst, instructor, course author and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He’s worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.

Into the Breach – Audio Series – Chapter 8 (Measuring Success)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 8)

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot have been shared, and now it is time to measure success.

So how do you measure what matters so you can communicate what counts?

In this chapter, “Measuring Success,” Michael draws on his background of social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.

Learn how to measure what matters and communicate what counts.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

  1. Engage with Michael on twitter (http://twitter.com/catalyst)
  2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
  3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Leading from the Front: Bringing Planned Disruption To The Organization

By Martin Fisher

What is the most important job/function of a leader?

  • Inspire the team?
  • Use resources effectively?
  • Make tough decisions?
  • Set an example?
  • Develop others?

All of these are good answers and are important things for a leader to be sure they are accomplishing in an organization.

But none of these is the most important answer.

The number one job of a leader – the reason leaders exist – is to bring change to organizations.

“That’s silly!” – is a common reply I hear when I make the statement.

“Leaders only bring change if change is what the organization needs. They assess the situation, analyze their resources, and only make changes if there is a reasonable chance of the change improving the organization.”

My response to that, in the words of my teenaged daughter, is “Pssh!”.

Change:  If you aren’t doing it, you’re doing Leadership wrong.

Effective leaders are never satisfied with the status quo.

Of course, leaders will continue to celebrate good performances, boast of the capabilities of their team, and value the circumstances they find themselves in. But more than that, a leader has the ability to see and accept the organization as it is and form a clear vision for how the organization can (and should) be.

Leadership, a friend once told me, is where the science of the possible meets the art of the dream.

Leadership is the nuanced ability to see what could be and come up with the plan to create it out of what is already in existence. Effective leaders almost instinctively realize that slow and incremental change is a prison and that the only escape is dramatic and disruptive change.

Leadership is “Disruptive change?”

That’s crazy talk!

Look at all the people who lost or almost lost everything to disruptive change: New Coke…Webvan…the Pontiac Aztek…Hooters Air…

Only a fool or a liar would say there is no risk to disruptive change. But there are things you can do to minimize that risk:

Think, Rethink, and Rethink Again

The leader has to be completely honest with themselves about the environment they operate in, the resources available, and the chances of the disruptive change actually taking effect.

This thinking must be complete, honest, and is not done until the leader understands the environment completely.

The leader then needs to find a small group of trusted fellow leaders to whom they can toss the idea, with the intent that these other leaders shoot it so full of holes that almost nothing remains.

Whatever is left — whatever survives the onslaught — forms the base of the next round of thinking. Once the thinking is done, the thoughts must be distilled into simple and actionable statements:

  • Changing the organizational structure? Then create an org chart to talk to and demonstrate.
  • Changing processes?  Then show a picture that details before and after with the benefits.
  • Changing the mission? Then create a succinct mission statement and show what is being changed and why.

Whatever the change, come up with a picture (1 slide, please, not a full deck – that’s for later) that can be used to explain the “why and how” of the change.

Talk the Team Through The Change

The worst thing to do once the thinking is done (you think) and the picture is ready is to simply dump the change on the team.

One of the biggest (and, sadly, most common) mistakes leaders make is to forget that, while the leader has been thinking through this change for weeks, the team just got told of the change and needs time to process and unpack it. They deserve the chance to see what the change is, how it impacts them, ask questions, and get answers.

The effective leader communicates the change to the team clearly, using the picture of the “how and why” to show how the change will impact them and how it helps get team goals accomplished.

Then step back, listen, and engage in the conversation. Remember – the team knows the system and might reveal something to tweak the change. In fact, this could be the difference between success and failure.

“That sounds an awful lot like sales! If I wanted to do sales I’d have taken that job with my cousin at the furniture store!”

Is it like sales?

Well, if “sales” means influencing people to see things from different perspectives – then yes.

But I prefer to think of it as “Casting A Vision” – which is what we’ll talk about next time.

Continue Playing

by Jeff Kirsch

In “Playing Games”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: trap your opponent’s king so that it is under attack and cannot escape, a position known as “checkmate.”

During the game, opponents take turns moving one piece at a time until one player is in “checkmate”, meaning his king is under attack and no legal move can get it out of attack. An interesting element is the custom of warning an opponent that his king is under attack by declaring “check.” This is a great game, rich with strategy and nuance.

So how does chess fit into my “plan ahead” strategy?

If a player simply moves pieces on the board without thought as to how her opponent will act, pieces will be captured easily, leaving her with a weaker offense and defense. Opponents must be evaluated on how they will move; offense must be based on anticipation of defense. Chess is a game with two opponents: the obvious adversary, and the less obvious self. Those who properly anticipate the other player position themselves for maximum advantage.

The act of protecting information is similar to the practice of protecting the king. Those who seek to attack the protected information are opponents, and many of them treat what they are doing as a game. I’m not suggesting that we treat it as a game as well; rather, what matters is that both demand strategy.

Understanding that we are at a disadvantage from the start is key to devising our strategy. Our opponent needs to remain undetected until they have what they need. If they are discovered too early, their chances of achieving the goal drop dramatically.

FTC Says Bloggers Must Disclose Freebies

by Aaron Titus

The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009.


Securing the Toughest Times

by Ron Woerner

Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization’s resources.  This is especially hard when you know those affected.  However it’s critical that this tough job be done.

The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure.  The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage.  Luckily, the Fannie Mae sys admin found the malicious script.

You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs.  [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]

Before the announcement

Just as in any project (and this is a project), planning and coordination are key.  Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process.  Delays increase risk to the organization.  While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management.  Security needs to know who is affected in order to know what needs to be protected.  Security can also help properly protect the “list” prior to the official announcement.

Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs.  On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive.  Security officers should be trained and ready to handle potential conflicts and workplace violence.

Information security personnel should identify single points of (security) failure and high risk areas.  This includes administrators with expanded ability, authority or access.  Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs.  Management should address these critical points well before the announcement to prevent any unexpected denials of service.

Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place.  This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences.  (No one likes to find out that their position is eliminated by having their network or badge access disabled.)  Also, this cannot occur too long afterward, for obvious security reasons.  Ensuring the correct timing requires pre-planning.

As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts.  This could be before the actual lay-offs.  Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.”  Your efforts should include Data Leakage Protection (DLP) to ensure associates aren’t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others.  This could occur on the network or off.  It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.

During the announcement

With your planning complete, it is now time to enact and follow those processes.  As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access.  The accounts should not be deleted, only disabled in case you need them in the future (e.g., rehires). It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN).  The time required for this activity will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, passwords, user names, and security cards.

Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available.  This is to maintain contact with clients or customers.  Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access.  It needs to be reassigned to the responsible manager or his/her delegate.  Allowing permanent access is not a good idea.  There should be a set timeframe for this access to remain active before it is disabled.

Also, consider any shared accounts used by the separating employees.  Do they know the UNIX root or Windows administrator password?  Whether it’s that or any other password for a service account, make sure the password is changed ASAP.

Physical security personnel need to be watching and ready in case the affected people become upset.  Normally, you don’t need a physical security presence to escort them.  That can be accomplished by the manager and/or HR representative.  However, Security should be ready in case things turn ugly.  Additionally, they should be watching what property is leaving.

Part of your process should include the retrieval of any assets used by or assigned to the separating employee.  This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents.  When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization.  Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.

Lastly, while the separations occur, continue to monitor online access and activities.  You never know the mindset or attitude of those who depart.  The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites).  Your IDS/IPS should be watching those external network assets and you should be ready to take action.
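The steps above (disable rather than delete, external access first, rotate shared passwords the person knew, time-bound mailbox delegation, asset retrieval, and a final check that nothing is still live) can be tracked as one plan. The following is an added example written for this article, not a tool the author describes; the inventory, system names and user names are constructed placeholders, and the "apply" step only flips flags in memory where a real process would call the directory, VPN concentrator and password vault.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# All inventory below is constructed for this example; the system names and
# user names are placeholders, not any real directory.

@dataclass
class Account:
    system: str
    username: str
    external: bool = False   # reachable from outside the network (VPN, webmail)
    enabled: bool = True

@dataclass
class SharedCredential:
    name: str                # e.g. root on a host, a service account
    known_to: Set[str]       # users who have been given the password
    rotated: bool = False

@dataclass
class Asset:
    kind: str
    tag: str
    assigned_to: str
    returned: bool = False

@dataclass
class OffboardingPlan:
    user: str
    disable: List[Account] = field(default_factory=list)
    rotate: List[SharedCredential] = field(default_factory=list)
    retrieve: List[Asset] = field(default_factory=list)
    # (manager, expiry) when the mailbox/phone stays reachable for a fixed period
    mailbox_delegate: Optional[Tuple[str, date]] = None

def sample_inventory():
    """Constructed sample: two employees, one shared root password, a few assets."""
    accounts = [Account("directory", "jdoe"), Account("vpn", "jdoe", external=True),
                Account("directory", "asmith")]
    shared = [SharedCredential("root@db01", {"jdoe", "asmith"}),
              SharedCredential("svc-backup", {"asmith"})]
    assets = [Asset("laptop", "LT-0042", "jdoe"), Asset("2fa-token", "TK-0099", "jdoe"),
              Asset("laptop", "LT-0043", "asmith")]
    return accounts, shared, assets

def build_plan(user, accounts, shared, assets, manager=None,
               delegate_days=30, today=date(2009, 6, 1)):
    plan = OffboardingPlan(user=user)
    live = [a for a in accounts if a.username == user and a.enabled]
    # Externally reachable access goes first: it is what an ex-employee can still use from home.
    plan.disable = sorted(live, key=lambda a: not a.external)
    plan.rotate = [c for c in shared if user in c.known_to and not c.rotated]
    plan.retrieve = [a for a in assets if a.assigned_to == user and not a.returned]
    if manager:
        plan.mailbox_delegate = (manager, today + timedelta(days=delegate_days))
    return plan

def apply_plan(plan):
    """Disable, never delete: the account record stays available for a rehire or an investigation."""
    for acct in plan.disable:
        acct.enabled = False
    for cred in plan.rotate:
        cred.rotated = True   # stands in for actually changing the password
    return plan

def verify_revoked(user, accounts, shared):
    """List what is still live for the user; an empty list means the checklist is complete."""
    gaps = [f"{a.system}:{a.username} still enabled"
            for a in accounts if a.username == user and a.enabled]
    gaps += [f"shared credential {c.name} not rotated"
             for c in shared if user in c.known_to and not c.rotated]
    return gaps

if __name__ == "__main__":
    accounts, shared, assets = sample_inventory()
    plan = build_plan("jdoe", accounts, shared, assets, manager="mlee")
    print("before:", verify_revoked("jdoe", accounts, shared))
    apply_plan(plan)
    print("after:", verify_revoked("jdoe", accounts, shared))
```

The verification step is the part most often skipped in practice: it re-reads the inventory after the changes rather than trusting that the plan was carried out, which is also where incomplete documentation of a worker's access shows up as a gap.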

After the separations

While the major threat may have passed when the laid-off employees have left, it is not completely gone.  There are specific post-separation activities that need to occur to ensure risks stay low.

One of the most critical activities is the inspection of online and paper files left behind by the employee.  Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed.  This can be time consuming and tedious, but it can’t be ignored.  A side benefit is the freeing of storage space.

The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business.  This person also needs to determine the retention period for any material that needs to be kept.  This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.

Another post-separation activity is inspecting online files for potentially malicious content.  This is especially important for any systems administrators who were let go.  There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind.  Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs.  Failure to take this step could be devastating for the firm.
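The review of scripts and scheduled jobs described above can be started with a small audit pass. The following is an added example, not code from the article: it reads system-crontab lines (the format with a user field) and flags jobs that run as a departed user or that execute code from a departed user's home directory, and it scans a script for the classic logic-bomb shape, a date or time condition guarding a destructive command. The crontab and script contents are constructed samples; the usernames are placeholders, and the pattern lists are a starting point a remaining sysadmin would extend, not a complete detector.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of system-crontab lines (with the user field) for the example.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
0 2 * * * root /usr/local/bin/backup.sh
*/5 * * * * jdoe /home/jdoe/bin/sync.sh
30 3 1 * * asmith /opt/reports/monthly.py
15 4 * * * root /home/jdoe/cleanup.sh
0 0 1 1 * root /usr/local/bin/housekeep.sh
"""

# Constructed sample script "left behind" by a departed administrator.
SAMPLE_SCRIPT = """\
#!/bin/sh
rsync -a /srv/data/ /backup/data/
if [ "$(date +%Y%m%d)" -ge 20090701 ]; then
    rm -rf /srv/data
fi
"""

@dataclass
class Finding:
    line_no: int
    reason: str
    line: str

def audit_crontab(text: str, departed: Set[str]) -> List[Finding]:
    """Flag scheduled jobs that run as a departed user or execute code from their home directory."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)      # m h dom mon dow user command
        if len(parts) < 7:
            continue
        user, command = parts[5], parts[6]
        if user in departed:
            findings.append(Finding(n, f"runs as departed user {user}", line))
            continue
        for d in departed:
            # A job owned by root but pointing into an ex-employee's home is the
            # case that survives disabling the account.
            if re.search(rf"/home/{re.escape(d)}(/|$)", command):
                findings.append(Finding(n, f"runs as {user} but executes code from {d}'s home directory", line))
    return findings

DATE_CONDITION = re.compile(r"\bif\b.*\bdate\b")
DESTRUCTIVE = re.compile(r"\b(rm\s+-rf?|mkfs|dd\s+if=|shred)\b")

def audit_script(text: str) -> List[Finding]:
    """Flag the logic-bomb pattern: a date/time condition guarding a destructive command."""
    findings = []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        if DATE_CONDITION.search(line):
            # look at the next few lines of the conditional body for something destructive
            body = " ".join(lines[n:n + 5])
            if DESTRUCTIVE.search(body):
                findings.append(Finding(n, "date-conditioned destructive command", line.strip()))
    return findings

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, {"jdoe"}) + audit_script(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: {f.reason}: {f.line}")
```

In a real review the same pass would be run over every crontab, at, systemd timer and job-scheduler definition on the affected hosts, and any hit would be read by a person before anything is removed, since a flagged job may be legitimate business work that simply needs a new owner.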

Lastly, use this time to document what went right during the process and where you have room for improvement.  Take time to learn from the experience and enhance the process.


Staff reductions are a part of corporate life.  As painful as they are, they are often critical to keep the organization functioning at full capacity.  Security needs to be an active participant in the lay-off process to ensure the risks are kept low.   The removal of access is only one of the many areas requiring the attention of Security.  They also need to be actively monitoring both the physical and on-line activities of the separating associates.  This isn’t to be intrusive, but to ensure the continual protection of the organization.

Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly identify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring.  The tips in this article will aid you in the development of your security model so you are ready when the time comes.

Checklist of Security Items to Consider with Lay-Offs

Planning / Establish processes
    Disabling access
    Establish trusted contacts
    Identify single points of (security) failure
        Employees who pose a danger (to themselves or others)
        Associates with access to sensitive or confidential data
    Identify risks
        Intellectual property
        Confidential data

Disable regular individual access
Remove access to shared accounts
    Administrator accounts
    Service accounts
    Other shared passwords
Asset retrieval
    Computers (laptops)
    USB drives
    Two-factor authentication tokens
    Cell phones / PDAs / pagers
    Paper documents
Enhance monitoring
    Physical surveillance

Continued vigilance
    Review of assets “left behind”
        Online documents, files, and shared storage
        Check for backdoors, Trojan horses, logic bombs
        Network devices
    Lessons learned
        What went right?
        What could be done better?
        Process improvements

Minefield of Bananas

by Jeff Kirsch

As adults we like to have some sense of order. We get into a routine; get up at the same time, take the same route to and from work, eat our meals, and head to bed all on a schedule. Sure, we like to think we add some randomness to our lives by not going to eat at the same place each day, but we go to eat at those “different” places at the same time every day. It’s not bad to have a routine; that is what gives you a sense of control in what sometimes seems like a chaotic world. The question is, how much tolerance do we have for randomness?

Me vs. Random

I have a morning routine that helps me get the kids ready so I can leave on time. Part of that morning routine is feeding my daughter. Recently she decided she likes to eat bananas. She also prefers to have the banana cut in half, and this is what turns out to be my demise. I go through the rest of the morning routine and lean over my daughter’s high chair tray to give her a kiss goodbye. I give a kiss, hug, and high five to my sons, and then I am off to work. A few hours into work, I push back from my desk and happen to look down to find a giant banana stain on my shirt. I came to work and walked around the office with this very noticeable stain on my shirt, without ever having realized the spot was there. As I wash the stain off my shirt I contemplate my options to avoid this situation in the future.

A few days later, my daughter was again eating her banana. As I leaned in to kiss her, I bent in a way that ensured she couldn’t get me with her banana.  I gave a kiss, hug, and high five to my sons, then I went off to work. As I walked into my office building, I noticed my reflection in the window. Lo and behold, there was something on my pants around knee level.  I looked down to find a nice banana stain just above the knee. I let out a sigh and headed up to the office, making a quick stop at the restroom to wash off my pants. I realized my strategy has not worked, so I began to reformulate a plan to ensure I didn’t continue showing up with stains on my clothes.

A week later I gave my daughter her morning banana, but this time I cut it up into small pieces. My thinking was, if I give it to her in small pieces she can’t jab me with it, and if she throws it I’ll notice. I went through the routine thinking I won this round – even though my daughter has already won the first two rounds. I saw she was done and walked over to get her out of her highchair to get her dressed, and that’s when it happened. First, let me tell you that the last thing I do before leaving for work is to put my socks and shoes on. I can’t say why that ends my morning routine, but it does. So as I walked over to my daughter in my bare feet, I stepped right into a minefield of banana pieces my daughter had thrown on the floor. Game, set, match. My one-year old just beat me three games to none.

Ordered Randomness

As IT professionals, we spend our time planning for the random event that could take down our critical systems. We design our systems and find order in a mostly random world, but we always know there is still the unknown. So it all comes down to how well we handle the response. By designing a program that balances order and randomness we prepare for surprises. If our first response to random events is to be disorderly, our designed responses will fail. However, if we maintain order while responding to random events, the chances of containing the event and minimizing the potential loss increase. My response to the situation presented by my daughter was meant to add order to the randomness. Perhaps the better response would have been to check my clothes before I left for work. Detecting random events early, maintaining order, and executing the response is how we avoid the banana minefields.

Pet Risks – A New View of Risk Management

by Ron Woerner

“Seven out of ten companies overspend on IT expenses without improving security or becoming compliant.”  Computerworld

What causes this phenomenon? One would think that overspending on security would be a good thing.  It’s not.  Overspending in some areas causes underspending in others that may have greater value to the business.  This practice often detracts from focusing on those risks that are really the greatest for an organization.

One of the causes is the introduction and promotion of “pet risks” by decision makers.  A pet risk is a threat, vulnerability, or solution that solves an apparent problem in the minds of IT or Security managers.  It’s their favorite risk, which is the center of their attention and therefore is allocated an overabundance of resources.  It’s like a person who’s so fearful of having their car stolen, they spend hundreds of dollars on an anti-theft system even though they’re driving a ’96 Ford Contour.   The cost of mitigation is out of balance with either the asset value or the real risk.

It’s a common occurrence in many large organizations, where decision makers decide that they need a specific solution to prevent an apparent risk.  IT and Security leaders in the organization spend many dollars and staff hours to address their pet risks.  However, the Return on Security Investment (ROSI) isn’t readily apparent and often, the expense isn’t worth the apparent risk.

The decision maker has the position and influence to make it happen.  He or she is able to get the funding and personnel to address their pet risks.  They are a danger for many organizations because they cause an imbalance in the risk equation and often cause undue spending on risk mitigation.  Whether those risks are critical for the organization is debatable.

An example is data leakage protection (DLP).  The risk is that employees could place company information on a USB drive or CD and it could be stolen or lost.  Management may be convinced that they need to stop this at all costs.  They look for a DLP solution to prevent employees from using USB drives or CD burners. In this case, the pet risk is data leakage.   While it may be an issue, data leakage may not be the organization’s biggest problem.  It may be a pet risk of a decision maker and therefore one that’s addressed ahead of others.

How do you solve the problems caused by pet risks? The solution isn’t a product or service that you can buy.  What you need is an honest assessment of risk.  Addressing and quantifying risks allows for their ranking and prioritization based on the needs of the business.  Collaborating on the risk analysis also reduces the possibility of pet risks eating critical resources without increasing security or providing compliance.

Three ways to prevent pet risks from causing you to bark up the wrong “security tree” are:
Conduct a risk assessment;
Collaborate on the results with all stakeholders;
Be open and honest on the best ways to protect the business.

In the DLP case above, decision makers should look at all of their risks and determine where data leakage occurs.  They should address the potential impact and probability of data leakage.  Is it an irritant or could it be a major issue?  How likely is it that critical data can and will leak out of the organization?  They need to collaborate with others on their risk assessment to see how it affects the business.
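The assessment the article calls for, impact and probability quantified so that risks can be ranked against each other and against the cost of the control, is shown below as an added example; it is not the author's method or a tool from the article. It uses the textbook quantities (single loss expectancy, annualized rate of occurrence, ALE = SLE x ARO) and one common form of the ROSI figure the article mentions, (loss avoided - control cost) / control cost. All dollar figures, rates and the three risk names are constructed for illustration; the DLP line is deliberately given a control whose cost exceeds the exposure it addresses so that the ranking makes the pet-risk pattern visible.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Risk:
    name: str
    sle: float              # single loss expectancy: cost of one occurrence
    aro: float              # annualized rate of occurrence
    control_cost: float     # annual cost of the proposed control
    reduction: float        # fraction of the loss the control is expected to remove (0..1)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: what the risk is expected to cost per year, unmitigated."""
        return self.sle * self.aro

    @property
    def rosi(self) -> float:
        """One common form of ROSI: (loss avoided - control cost) / control cost."""
        avoided = self.ale * self.reduction
        return (avoided - self.control_cost) / self.control_cost

def rank_by_exposure(risks: List[Risk]) -> List[Risk]:
    """Order risks by what they are expected to cost the business each year."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)

def worth_funding(risks: List[Risk]) -> List[Risk]:
    """Controls whose avoided loss exceeds their cost; the rest are candidates for pet-risk status."""
    return [r for r in risks if r.rosi > 0]

# Constructed figures for three risks; the numbers are illustrative, not measured.
SAMPLE_RISKS = [
    Risk("Data leakage via USB/CD", sle=50_000, aro=0.1, control_cost=120_000, reduction=0.8),
    Risk("Phishing-driven account compromise", sle=200_000, aro=0.5, control_cost=20_000, reduction=0.6),
    Risk("Unpatched external web server", sle=300_000, aro=0.25, control_cost=15_000, reduction=0.7),
]

if __name__ == "__main__":
    for r in rank_by_exposure(SAMPLE_RISKS):
        print(f"{r.name:40s} ALE={r.ale:>10,.0f}  ROSI={r.rosi:+.2f}")
```

With the constructed inputs the USB/CD leakage risk ranks last by exposure and its control has a negative ROSI, which is the conversation the article says stakeholders need to have: not whether leakage is possible, but whether it is the biggest problem and whether the proposed spend is in proportion to it. The inputs are the hard part; the value of writing them down is that they can be challenged by the other stakeholders rather than asserted by one decision maker.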

Pet risks are an irritant caused by closed-mindedness.  Open your mind to address all possible risks to your organization.  Talk to others to get their honest opinion.  Get outside help when needed.  Don’t be the owner of a pet risk.

By working together, we all become stronger.