ENISA has released a good practice guide for CERTs that are tasked with protecting industrial control systems (SCADA).
The European Union Agency for Network and Information Security (ENISA) publishes a lot of advice and recommendations on good practice in information security. Necessarily, it has a European focus, but almost all the advice is applicable to systems in any region.
This SCADA CERT practice guide focuses on how Computer Emergency Response Teams should support Industrial Control Systems (ICS). The terms ‘ICS’ and ‘SCADA’ (Supervisory Control and Data Acquisition) are pretty much interchangeable.
SCADA systems were around before the Internet. The first systems were driven by mainframes and installed to control water and electricity networks. Since then, SCADA has become ubiquitous and systems that were initially designed to work on independent networks have been connected to the Internet.
Connecting SCADA to the Internet has many advantages. It increases system availability and reduces costs of connecting geographically disparate systems. At the same time, connecting SCADA to the Internet decreases system confidentiality and more importantly in this situation, system integrity.
The ENISA ICS guide tries to put together in one document a guide for CERTs that are required to protect SCADA/ICS systems. Importantly, it doesn’t just focus on the technical capabilities required for operations, but also on organisational capabilities and what it terms ‘co-operational capabilities’. This last part is important, as computer emergency response teams can forget that they are part of a system, and the system is only as strong as its weakest link. It is important to remember that preparation for things going wrong involves identifying the people, resources and stakeholders that will be required. Developing relationships with other organisations will always pay dividends when an emergency occurs. This is where the ENISA advice is in some ways superior to the advice from the US DOE, although I acknowledge the attractive simplicity of some of their guidance.
It is good that the authors acknowledge that this is an area where there is limited experience and that the guide should be considered a ‘living document’. As usual in cyber-security protection, both technical expertise and organisational/management guidance are required.
One of the most important aspects of resilience in the information age is understanding the environment in which we exist. Resilience is adaptability in a changing environment; the more we understand that change, the less painful it is. Here are a few current issues that might help your cyber resilience.
Cyber Security Summit – Stanford November 2013
In the shadow of the Snowden revelations about the US and UK, security experts and leaders from more than 40 countries have been at Stanford University in California, USA for a gathering on cyber security.
If you have a sense of irony, you may have listened to the debate on Syria and compared it to the NSA / Snowden / Internet debate.
US Secretary of State John Kerry has recently made broad and, I think, reasonable statements saying that President Assad had lost the moral authority to rule Syria. However, that same test can be made against the USA: the USA has lost its moral authority to control the Internet through the activities of the NSA and other government agencies. The full text of Secretary Kerry’s Syria speech can be found here via usembassy.gov. Of course, although the USA is the biggest culprit here, the UK, Canada, Australia and NZ have all been shown up.
China was prominently represented at the conference. The Minister of State Council Information spoke about China’s problems. In his speech Cai Mingzhao said that in the first six months of 2013, 20,000 websites were hacked and 8 million servers compromised. According to Minister Cai this indicated a rise of 14% year on year.
It is good to read that Scott Charney, ex US Department of Justice and current Microsoft VP on privacy and security, is publicly calling for the US to disclose more information about what it collects and what happens to that data. Few sensible people disagree that the US and its allies should use maximum efforts against terrorists.
The US has lost support because it has strayed away from its stated goal of combating terrorists and towards industrial espionage, and has employed tactics which compromise the majority in the pursuit of this goal, such as the backdooring of encryption algorithms.
In other news
The Canadian Office of the Superintendent of Financial Institutions has released ‘Cyber-Security Self Assessment Guidance’ for Canadian financial institutions, which also provides some good advice to any organisation looking for a template to help them.
Unlike the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Preliminary Cybersecurity Framework, which was released for public comment on October 22, 2013, the Guidance does not prescribe a common language or mechanism for financial institutions to control and manage cyber security risk nor does it expressly build on existing standards, guidance and best practices for managing cyber security risk. In fact, in the Guidance, OSFI indicates that it “does not currently plan to establish specific guidance for the control and management of cyber risk.”
Rather, the Guidance sets forth an 11-page self-assessment template that sets out “desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework.” Of course if you’re a Canadian bank trying to do business in the US..
I can just imagine it – “Our little Johnny fixes our firewall whilst we sit him on the potty…..” But seriously, of course keeping kids safe online is important in the same way as keeping them safe in the real world, but maybe they should learn to read first.
Over-classification in government continues to restrict information sharing according to a report by the US Department of Defense Inspector General.
Balance in Information Security
I’ve written previously about over-classification and why it needs to be actively countered in large organisations in the private sector and more importantly government. Getting the balance right in information security is critical to mission success.
There are a few key findings from the Inspector General’s report which will be no surprise for anybody who’s worked in a classified environment. The review sampled emails and documents classified by the US Defense Department and found:
100% of the emails reviewed were incorrectly classified or marked
Around 70% of the sample material (documents/ files) had ‘classification discrepancies’
I’d like to say it’s better in Australia, but I’m not confident. What is more interesting from a security perspective is the over-classification of material. The report states
“we do not believe that those instances concealed violations of law, inefficiency, or administrative error; prevented embarrassment to a person, organization, or agency; restrained competition; or prevented or delayed the release of information not requiring protection in the interest of national security.”
Well, they would say that, wouldn’t they? But leaving my cynic’s hat off for the moment… OK, one passing comment: there is a difference between the organisational approach, which tries not to conceal, and the approach of individuals or groups within an organisation.
Unfortunately, the report doesn’t make very many recommendations that will bring about change. In typical public servant speak, it says
We recommend that the Under Secretary of Defense for Intelligence and for Acquisition, Technology, and Logistics carry out the recommendations outlined in this report and continue to leverage the new Defense Security Enterprise, especially with regard to ensuring that Original Classification Authorities are fully engaged and accountable.
In any case, the report does acknowledge that
over-classification could unnecessarily restrict information sharing.
Hooray! Admittedly, a bit softer than I would like, but still important.
In this information age, as the Snowden revelations keep showing us, the US and its allies have access to huge swathes of information, but they can’t use it effectively to defend themselves or their allies.
The answer to this problem is not gathering more information! The 9/11 Report and scores of others keep telling us that we have the information in our databases, but we don’t use it effectively.
I’m not sure what the best analogy is here; maybe it’s a person whose brain is not connected to their muscles properly. They can see and hear everything, but they rarely succeed in reacting to any of these stimuli. The problem with this analogy is that somebody with locked-in syndrome desperately wants to make his limbs move. I’m not sure this is the case with intelligence agencies and sharing information.
This does seem to be the curse of too much information and not enough brainpower to analyse it and use it properly, especially when you are looking for the terrorist needle in a haystack. Over-classification is a key issue in the fight against fast-evolving terrorist organisations.
Cyber Identity theft service sold personal information on US citizens by compromising multinational consumer and business data aggregators
An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of US residents has allegedly infiltrated computers at some of America’s largest consumer and business data aggregators, including Dun & Bradstreet according to Krebs on Security.
If you’re Australian or a resident of other countries where these guys operate, you had better hope that these companies didn’t leak information between their subsidiaries and the main office – because you know that would never ever (cross fingers) happen!
This looks like a solid investigation by the guys/gals at Krebs. The hackers behind this identity theft service didn’t exfiltrate data from their targets wholesale; they just compromised the targets and allowed their customers to directly query information, charging them between 50c and $2.50 US for personal records and up to $15 for credit checks – via Bitcoin or Webmoney, of course!
Compromised systems accessed through the criminal service seem to include
Dun & Bradstreet – an identity service that also has a presence in Australia as a credit reference agency
Importantly, according to a Gartner analyst, the compromise was probably targeted as much at gaining information about companies in order to take out fraudulent loans in their names. If a criminal can masquerade as a large company, they can take out a much larger loan on its behalf than they could on behalf of all but the richest people.
This may take a little while to play out, but it is likely to have an impact on legislative requirements for information security at data aggregator firms. By their very nature, they hold aggregated data from millions of customers. Each piece of data requires protection on its own; together, the data becomes far more valuable and therefore a greater target for cyber criminals and foreign espionage. How we deal with aggregation remains one of the keys to the risk-based handling of big data.
The Four Corners program that aired tonight “In Google We Trust” was interesting if a little alarmist as these things sometimes are. But it did make some good points about privacy in the information age.
There was an interesting piece of information about the NSW Police licence plate tracking technology which has been installed on about 200 police vehicles and has contributed to a database of several million pictures of cars, numberplates and associated metadata.
Whilst the NSW Police were willing to explain what the technology did, they were unwilling to explain how it was being used or what protections were placed on the data.
Comments by Danny O’Brien from the Electronic Frontier Foundation emphasising that data held for non-US citizens by US corporations has none of the protections that one might otherwise expect, despite the protestations of Google, Microsoft, Apple and others.
The assertion that Australian authorities might be using this to circumvent Australian laws by getting the US authorities to ‘retrieve’ Australians’ data and hand it over to Australian authorities.
Revelations that a broad number of agencies including Australia Post and the RSPCA (yes the dog and cat people) were able to access Australians’ metadata with no legal oversight and little administrative control.
The poignant comment by one of the commentators that when information becomes available, people find a way of using it before actually thinking whether they should. This was followed by the question of whether in a democracy the government should know as much about you as it can, or whether there should be limits?
As an aside, it would seem that the US has been telling fibs when it said that the NSA PRISM system was just used to catch terrorists and that no economic espionage was undertaken. The Brazilians are rightfully annoyed after the latest Snowden leaks, reported in the Wall Street Journal, show that the NSA targeted the Brazilian national oil company Petrobras. The article states
In the past, the U.S. has harshly criticized Chinese hackers, for example, for allegedly engaging in industrial espionage. But the new allegations at the very least showed the NSA using corporate targets for training purposes. One of the slides presented on the show listed three reasons for spying—one was “economic.”
Have the NSA and GCHQ been building vulnerabilities into commercial encryption products?
If this is true, another argument for open source software has been made. Articles in the New York Times and the Guardian alleged that the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies”.
The problem with this approach is that the NSA and GCHQ have two roles and it would seem that they have failed to balance them. This is the question of intelligence equities. These organisations are charged to reveal the secrets of their enemies, but also to protect the information of their countries. By building back doors into software and hardware being sold to unsuspecting customers, they are doing what they have accused the Chinese of doing.
Moreover, the fact that these backdoor vulnerabilities exist means that others can find and use them: not just the NSA and GCHQ, but also cyber criminals.
It is the ultimate hubris to think that the NSA and GCHQ are the only ones capable of discovering and exploiting these vulnerabilities. “If you want to keep a secret, you must also hide it from yourself.” George Orwell, 1984. No organisation as large as the NSA can do this forever.
The USA tried under President Clinton to make all manufacturers insert a hardware ‘clipper’ chip into their devices, but the backlash was such that the US government withdrew support for the idea. What this information is telling us is that the NSA didn’t give up and found alternative means to realise the concept.
The only logical conclusion from this revelation is that the signals intelligence agencies are unable to both reveal the enemies’ secrets and protect those of their citizens at the same time. They should be split. The information assurance role should come under the control of the trade, infrastructure and industry portfolios.
News that the New York Times was hacked by the Syrian Electronic Army is interesting not because of the fact that NYT was hacked by the hacking group, but by the method of gaining access.
According to this article, information security at the NYT fell over because they forgot that cyber-security doesn’t stop at the perimeter. It would seem that MelbourneIT , an Australian hosting company for both Twitter and NYT was breached. This then allowed the Syrian Electronic Army to gain access to the DNS records of domains owned by Twitter and NYT which they then proceeded to change.
A number of quick conclusions
This was a well-planned attack that almost certainly took some time to conceive, research and operationalise.
You should assume your organisation will be hacked. Work out how to detect the breach and recover quickly.
Cyber-security is an evolutionary struggle between those who wish to break systems and those who wish to stop systems being broken. Quite often it’s the same people, e.g. the NSA.
80-90% of the differences between good cyber-security and great cyber-security are not in the IT, they are in the organisational approach and culture.
In this hack, a variety of methods seem to have been used, including phishing and attacking the DNS servers via privilege escalation.
Cyber-security requires expertise in managing information, risk and developing resilient organisational frameworks, something often forgotten.
Everybody is your neighbour on the Internet, the good guys and the bad.
Cyber-security practitioners need to consider the risks to high-value systems that they are protecting from connected suppliers and customers.
This requires cyber-security practitioners who are good people influencers, because the vulnerabilities tend to be at human interfaces.
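As an added example (not code from the original post), the kind of check that would have surfaced the DNS change described above: it diffs the records a domain currently serves against a signed-off baseline and reports any registrar locks that are missing. The domain, addresses and EPP status lists are constructed sample data.

```python
"""Baseline check for a domain's delegation and resolution records, plus the
registrar locks that make changing them harder. Sample data is constructed
so the check runs offline; a real deployment would feed it live resolver and
RDAP/WHOIS output."""
from dataclasses import dataclass

# Record types worth baselining. A registrar compromise can rewrite any of
# them: NS re-delegates the whole zone, A/AAAA move the site, MX moves mail.
WATCHED_TYPES = ("NS", "A", "AAAA", "MX")

# EPP status codes a registrar sets when a domain is locked against client-
# initiated transfer, update or deletion (standard codes from RFC 5731).
REQUIRED_LOCKS = frozenset({
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
})


@dataclass(frozen=True)
class Change:
    domain: str
    rtype: str
    added: frozenset    # values now served that were not in the baseline
    removed: frozenset  # baseline values no longer served

    @property
    def severity(self) -> str:
        # A changed delegation hands the entire zone to whoever controls the
        # new name servers, so it outranks a changed host or mail record.
        return "critical" if self.rtype == "NS" else "high"


def diff_records(domain: str, baseline: dict, observed: dict) -> list:
    """Return one Change per watched record type whose value set differs
    between the signed-off baseline and what the resolver currently returns.
    Comparison ignores case and ordering, as DNS answers do."""
    changes = []
    for rtype in WATCHED_TYPES:
        expected = frozenset(v.lower() for v in baseline.get(rtype, ()))
        seen = frozenset(v.lower() for v in observed.get(rtype, ()))
        if expected != seen:
            changes.append(Change(domain, rtype, seen - expected, expected - seen))
    return changes


def missing_locks(statuses) -> frozenset:
    """Return the registrar lock statuses absent from a domain's current EPP
    status list (the 'Domain Status' lines in WHOIS/RDAP output)."""
    return REQUIRED_LOCKS - frozenset(statuses)


def assess(domain: str, baseline: dict, observed: dict, statuses) -> list:
    """Produce alert lines for a domain: one per changed record type, plus
    one if any registrar lock is missing. An empty list means no drift."""
    alerts = []
    for c in diff_records(domain, baseline, observed):
        alerts.append(
            f"{c.severity.upper()} {domain} {c.rtype} changed: "
            f"added={sorted(c.added)} removed={sorted(c.removed)}"
        )
    gaps = missing_locks(statuses)
    if gaps:
        alerts.append(f"HIGH {domain} registrar locks missing: {sorted(gaps)}")
    return alerts


# Constructed sample data for a hypothetical news site "news.example".
BASELINE = {
    "NS": ["ns1.hosting.example.", "ns2.hosting.example."],
    "A": ["192.0.2.10", "192.0.2.11"],
    "MX": ["10 mail.news.example."],
}
# What a resolver returns on a normal day (same records, different case/order).
OBSERVED_CLEAN = {
    "NS": ["NS1.hosting.example.", "ns2.hosting.example."],
    "A": ["192.0.2.11", "192.0.2.10"],
    "MX": ["10 mail.news.example."],
}
# What it returns after the records were rewritten at the registrar: the
# zone now delegates to name servers the organisation does not control and
# the site resolves to an address it does not own.
OBSERVED_HIJACKED = {
    "NS": ["ns1.attacker.example.", "ns2.attacker.example."],
    "A": ["203.0.113.66"],
    "MX": ["10 mail.news.example."],
}
LOCKED = ["clientTransferProhibited", "clientUpdateProhibited",
          "clientDeleteProhibited"]
UNLOCKED = ["ok"]


if __name__ == "__main__":
    for line in assess("news.example", BASELINE, OBSERVED_HIJACKED, UNLOCKED):
        print(line)
```

Run on a schedule against every domain the organisation owns, the baseline being whatever change control last approved; a non-empty result is a page-someone event, not a ticket.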
A biological approach to organisational resilience
By a lapsed microbiologist
“Organisational resilience is only achievable through adaptability”
Too many leaders start believing their own press and thinking that they are able to predict the future. Whilst it is absolutely true that the best indicators of the future are the events of the past, it is also true that the past is not an absolute indicator of future events, because our view of the past is limited by our record of it. Some events are so rare that they are not recorded, yet they may have extreme consequences if they occur. So if we cannot predict the future with certainty, how is longevity possible for organisations? The answer is resilience, and at the core of resilience is adaptability.
The lesson from biology is that it is adaptation to the environment that has allowed organisms to survive and thrive. However large and seemingly terrible an organism is, if it is not adapted to its environment it will become extinct. The vast majority of species that have ever existed are not around today.
The same is true for organisations.
The vast majority of organisations that have ever existed are not around today
In simple terms the story is the same for each failed organisation. They were unable to adapt to the business environment before they ran out of resources. Those that survive a crisis are able to do so for one of two reasons:
1 They have the resources (capital, personnel, leadership, etc.) to manage themselves out of a crisis once it hits, emerging weaker but alive; or
2 They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities. These companies still suffer from the crisis at first, but emerge stronger in the longer term.
By my reckoning, 99% of companies that manage to survive a crisis are in the first category. In most cases, those companies are then consigned to a slow death (MySpace, anyone?). Sometimes, however, the first crisis weakens them, but they then become more resilient and bounce back to ride out future crises.
This is an era of organisational accelerated extinction
What is more, the ‘extinction rate’ for companies is becoming faster as society and technology changes more rapidly.
I think we all understand that small businesses come and go, but this lesson is true for large organisations as well. Of the top 25 companies on the US Fortune 500 in 1961, only six remained there in 2011.
Research carried out on Fortune 500 companies in the USA shows that the average rate of turnover of large organisations is accelerating. The average tenure has reduced from around 35 years in 1965 to around 15 years in 1995.
If you think about how much the world has changed since 1995 when Facebook barely existed and Google just did search, you might agree with the idea that organisations that want to stick around need to adapt with the changing environment.
So give me the recipe!
Bad news: there isn’t a hard recipe for a resilient organisation, just as there isn’t one for a successful company. But they all seem to share some common attributes, among them agility, the ability to recover quickly from an event, an awareness of their changing environment and the willingness to evolve with it. This is difficult for a number of reasons.
1 increasing connectedness – interdependencies leading to increasing brittleness of society/organisations – just in time process management – risks, in rare instances, may become highly correlated even if they have shown independence in the past
2 increasing speed of communication forces speedier decision making
3 increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decision makers
4 biology – Organisations operate with an optimism bias. Almost all humans are more optimistic about their future than is statistically possible. We plan for a future which is better than it will be and do not recognise the chances of outlier events correctly. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.
5 Organisational inertia – a lack of willingness to change organisational culture to adapt to a change in the environment.
Something about organisational culture and resilience
When discussing culture, resilience is more a strategic management concern for the organisation, and less a security protocol. In this sense, resilience is the ‘why’ to change management’s ‘how’. But both are focused on organisational culture.
Organisations, particularly large organisations, all have their own way of doing things. Organisational culture is built up because individuals within the organisation find reward in undertaking tasks in a certain way. This is the same whether we are talking about security culture or indeed financial practice. Organisational culture goes bad when the reward structure in the organisation encourages people to do things that are immoral or illegal.
Larger organisations have more inertia and so take longer to move from good to bad culture and vice versa. Generally most organisations that are larger than about 150 staff have a mix of cultures.
The more successful an organisation has been in the past, the more difficult (inertia) it will be to make change, and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox’ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings made from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.
Maybe the Kodak company is the best example of this. An organisation that had been very successful for more than 100 years (1880-2007), Kodak failed to make the transition to digital and away from film as fast as its competitors. The irony is that it was Kodak researchers who in the 1970s invented the first digital camera, thus sowing the seeds of the company’s doom forty years later.
Where does my organisation start on the path
So what is the answer, how do we make sure that our organisations adapt faster than the environment that is changing more rapidly every time we look around? The only way is to begin to adapt to the changing environment before crises arise. This requires making decisions with less than 100% certainty and taking risk. The alternative is to attempt to change after a crisis arises, which historically carries higher risk for organisations.
It is a combination of many things:
developing an organisational culture which recognises these attributes and which is supported and facilitated from the top of the organisation;
partnering with other organisations to increase their knowledge and reach when an event comes; and
lastly, engaging in the debate and learning about best practices.
Are there two sorts of resilience?
But is resilience just one set of behaviours, or a number of them? When we think of resilient organisations and communities, our minds tend to go to the brave community / people / organisation that rose up after a high-consequence event and overcame adversity. These people and organisations persist in the face of natural and man-made threats. Numerous examples include New York after the September 2001 events; Brisbane after the floods in 2011; and the Asian Tsunami in 2004.
However, there is another set of actions, which are in many ways more difficult to achieve. This is the capacity to mitigate the high-consequence, low-likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and had come quite close to succeeding.
Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.
How an organisation achieves this is the challenge that every management team needs to address if they want to achieve longevity.
If you wish to discuss any of the issues in this whitepaper, please contact us.
Note: the word ‘dinosaur’ is directly translated as ‘terrible lizard’.
A culture of entitlement is corrosive in a government agency or any organisation
I’ve just come across a USA government document which is both fun to read and educational. It’s called the Encyclopedia of Ethical Failure 2013, and it’s published by the US Defense Department. The dry title doesn’t do this piece justice; I think the title should be “A culture of entitlement in an organisation is corrosive”.
The reason that you should be reading it is that it is a series of sometimes funny and tragic stories about how employees forget that the employee/employer relationship is a two-way street. Maybe it is also about how employers forget that their staff are human. They sometimes do dumb things and forget about the consequences of their actions.
Stephen Dubner from Freakonomics interviewed the current and past editors, Steve Epstein and Jeff Green. Interestingly, they said that it was difficult to find common characteristics (M/F, race, religiosity, seniority) between the people who did these things. Green and Epstein suggested that none of them thought about the consequences of their actions properly. The other thing to notice is that security people, intelligence officers and lawyers commit these crimes too.
Maybe as a collection these are cases of a man or woman failing to identify the full consequences of their actions. I could put it in risk terms: an individual failure to realise the initial risk and the downstream consequences when they get caught.
The other observation that is interesting is that some people are cheap to bribe. Some of these people lost their careers and potential earnings of millions of dollars over a lifetime for hundreds of dollars in cash or kind. This is a sign that the perpetrators haven’t thought about personal risk and/or their decision-making is visceral. It makes me wonder whether one possible mitigation against fraud is teaching employees decision-making to improve the way that they weigh up alternatives. Maybe the SWOT analysis is the best preventative tool against fraud!
Because the document was written by the US Defense department, it has a military flavour, but the examples run the gamut of the US Federal public service. Here are some of my favourite excerpts. I’m sure you’ll get a laugh out of these and some food for thought. Maybe some of these are familiar in your organisation…..
FBI Undercover Parties
According to an FBI report, upon the retirement of a senior FBI official, FBI personnel from around the country journeyed to Washington to attend the official’s retirement party. Many out-of-town G-men traveled on official orders and public expense. According to their travel orders, the purpose of the trip was to attend an ethics conference! According to the news report, only five people actually attended the ethics forum.
“But, Judge, I didn’t get anything!”
An offshore safety inspector found much of the Government’s equipment to be in need of repairs to meet safety standards. He then referred the business to his brother-in-law’s repair shop. The rig operators smelled a rat and called the FBI. They discovered that, in return for each referral, the brother-in-law was treating the inspector to an evening with a lady of dubious morals.
The case was brought to trial. In his defense, the inspector claimed that he had not received a “thing of value” in return for the referral. The judge didn’t buy it – and neither did his wife.
A former official of the U.S. Tax Court, Fred Fernando Timbol Jr., was sentenced to 18 months in prison and three years of supervised release in connection with a bribery conspiracy.
Timbol was a facilities services officer in the Facilities Management Section of the U.S. Tax Court. Timbol was responsible for assisting in the award of contracts to contractors who provided maintenance, construction, and other related service to the Court. Timbol admitted to soliciting and accepting over $12,000 from a government contractor in exchange for rigging the award of at least six inflated contracts. As part of a plea agreement and by order of the court, Timbol also agreed to pay restitution of $24,143.
DVD Bootleggers MIA During Government Work Hours
A Federal employee used his Government computer to make illegal copies of commercial DVDs in violation of copyright laws. He and another employee also used their Government computers and duty time to watch the movies. The other employee took lunches lasting up to three hours in order to watch the DVDs and take naps. Initially the employees’ supervisors signed off on this behavior, even assigning extra work to others to make up for the employees’ time wasted napping and movie watching. The employee who copied the DVDs received a written reprimand. The supervisor received an oral admonishment for failing to address the misconduct, and another employee received a Letter of Counseling for knowingly accepting a pirated DVD. In a similar case, a civilian employee working for the U.S. Army in Germany was involved in selling pirated DVDs. He used the profits from his illegal operation to buy vacation homes and luxury cars and to pay for frequent European ski vacations. He devoted some of his duty time to the marketing and selling of the bootleg videos, including taking payments while on the job. Even though the employee had left Federal service by the time the accusations against him were substantiated, administrative action was taken to bar him from US Army Europe installations.
This next one is interesting because of the recent Asiana crash
FAA Employee Sentenced for Bribery
A former employee of the Federal Aviation Administration (FAA) was convicted of bribery. In carrying out his primary responsibility of reviewing and processing applications for FAA-issued pilot certificates, the employee accepted bribes of $2,000 and an all-expense paid trip to Korea in exchange for preferential treatment of applications for Korean pilots from the flight school, Wings Over America.
The employee was sentenced to pay a $2,000 fine and serve four months in prison, followed by three years probation for violating 18 U.S.C. 201(b)(2). Bribery occurs when a public official seeks or accepts anything of value in return for being influenced in the performance of an official act.
Government Lawyer in Tucson Illegally Possesses Sheep Skull and Horns
The Assistant U.S. Attorney (AUSA) prosecuted an individual for illegally killing a bighorn sheep on an Indian Reservation. As a result of the prosecution, the hunter forfeited the bighorn sheep and trophy (skull and horns), valued at approximately $5,000, to the Arizona Game and Fish Department. Pursuant to a request from the AUSA, the Arizona Game and Fish Department entered into an agreement with the AUSA allowing him to publicly display the skull and horns in his office, but requiring their return upon request. However, after leaving employment with the U.S. Attorney’s office, the AUSA took the skull and horns with him and treated them as his personal property. When the former AUSA was questioned a year later about his possession of the skull and horns, he claimed that an unspecified Indian had sent the skull and horns to him in appreciation for his work on the prosecution of the hunter. Investigation showed that such a gift would have been contrary to tribal practices and no member of the tribe could be found who knew anything about the alleged gift.
CIA Employee Drives Overseas Auto Scheme
As a U.S. Federal employee residing in Egypt, the CIA employee discovered that he could purchase an imported vehicle in Egypt without having to pay the normal 150% excise tax. This fact had created a black market in which Egyptian car brokers would pay U.S. employees to register luxury cars in their names in order to allow the dealers to evade import taxes. Investigators found that while in Cairo, Egypt, the employee had agreed to accept $25,000 in exchange for changing the status of his personally-owned vehicle with the Egyptian Ministry of Foreign Affairs, which would allow him to participate in the scheme.
So those are some of the highlights from my perspective. You can download the full document here (163 pages). You’ll find that it references most vices! What do you think about the alternative title – “A culture of entitlement in an organisation is corrosive”?
Making strategic decisions about cyber security, or any sort of security, needs to be done at the board level. It is difficult to get company boards to focus on strategic issues, despite the fact that this is what they are theoretically meant to do. Companies are busy places and there are always minute issues that take time from board meetings. In some companies, the culture is such that managers avoid their responsibility by sending decisions to the board, again robbing the board of valuable time.
The Centre for the Protection of National Infrastructure, a UK Government organisation, has released a short document aimed at helping security managers get cyber security onto the corporate agenda. CPNI makes the somewhat obvious point that getting buy-in from a company board is crucial to the successful outcome of a cyber security implementation project.
Although the CPNI paper doesn’t spell it out quite this way, the key is to show in a concise manner why security is of importance to them and the company they are responsible for. Generally the key issues fall into three categories.
Financial – the loss due to another entity (government, business, criminal) gaining commercially sensitive information. The effect of this can be short term where a negotiation is damaged or longer term where valuable intellectual property is lost.
Legal – many organisations are subject to regulatory requirements to protect information that they hold on behalf of clients, stakeholders and staff. In Australia, the Australian Privacy Principles come into force in March 2014. Most private sector organisations will be required to adhere to them. Financial and professional organisations have been required to meet similar requirements for a number of years.
Reputational – High profile privacy breaches have affected a number of large companies. Companies such as Sony, Heartland and RSA have suffered huge breaches which cost them millions of dollars to clean up and resulted in significant lost business. In some cases, they have resulted in tightened regulation which in turn increased the cost of doing business.
Things to remember
most if not all board members will not have a good understanding of the Internet or information security (Tech companies are the exception of course).
boards are generally made up of people who are very clever and need you to acknowledge it – presentations need to be logical but also require little subject specific knowledge.
If you are the expert, you need to have the answer when one board member starts talking about “his daughter’s computer”, or another about the spam she “gets on the company email” that she doesn’t get at home – this is where a well briefed chair is important.
the best briefings work when board members are given details of current, real world examples of similar companies’ misfortunes. You can bet that Microsoft looked very hard at the Sony hack at the board level and that CA examined the breach of RSA tokens carefully!
Sometimes an outside expert needs to be brought in to tell the board what the security cell already knows. It is a funny quirk of human nature that we sometimes don’t give enough respect to the people in our own organisation.
That’s where you can call on us to help you get your message across. We have experience talking to boards and senior executives from government, councils, banks and companies including those in the DISP.