By: Michael Christensen, Compliance and InfoSec Consultant, MSc in Computer & Information Security, CISSP, CSSLP, CISM, CRISC, CIS LI, CIS RM, EU-GDPR-P, CCM, CCSK, CPSA, ISTQB, PRINCE2, ITIL, COBIT5
What are the challenges you face as a security consultant, working in a modern and rapidly changing environment? The answer has many facets, as the challenges span technical, organizational, cultural, legal and management issues.
I have worked as an independent consultant since 2011, and I have been running some rather interesting projects over the last years as interim CISO (Chief Information Security Officer). I have worked for a very fast paced, rapidly expanding billion-DKK financial corporation, expanding from 120 to 425 employees within 16 months; as a CISO for a development project with 3.000 employees from 11 countries, development in China, operations in the Balkans outside the EU, having the objective to substitute the entire business support stack in a telco and decommission the legacy systems. Further, I have worked as a security subject matter expert running specific projects and providing advisory to a large telco regarding the EU General Data Protection Regulation – GDPR.
Having set the scene with this, I have been presented with a good part of the threat catalogue - all the elements that might bite you in the leg, if you do not handle them well.
Right now there are a lot of hot topics and hot potatoes in the game. If you read the reports from NATO and from the Danish Military Intelligence, Center for Cyber Security, you will find that the threat landscape contains risks of being hacked from state actors or state sponsored actors, like the incident that hit Mærsk last year. Further, cyber espionage is a hot topic. The General Data Protection Regulation (GDPR), which might force huge fines upon the enterprises or organizations, leads to the hot potato – the sins of the past. The sin of the past is the gap between the security effort and the current legislation before May 25th 2018. It is a gap that will only expand after the GDPR comes into effect, as the GDPR will introduce new requirements. I have found that quite a significant number of Danish and Nordic businesses have not complied with the current legislation, as the penalties were insignificant. I describe this as the ‘sins of the past’, something that will add to the costs of achieving GDPR compliance. Further, the operational technology (OT), all the devices, controlling plants, processes or machines are at risk. OT is not an element of information security, but is placed under cyber security.
Add to that the insider threat: TDC had downtime during the broadcast of HM Queen Margrethe II of Denmark's New Year's speech, a former CIO has just been sentenced to jail for sabotage after he had been fired, a rogue employee gave away credit card data to a scandal magazine, and an employee sent health data about all Danes to an entity of the Chinese Embassy in Denmark on two unencrypted DVDs (they did not copy them, they swear).
These are all examples illustrating the diversity of the threat landscape and the challenges that need to be handled when working with security. The examples all share similar characteristics: someone wants to get unauthorized access to data, someone with access may want to reach data they are not authorized for and exfiltrate it, or someone internal or external to the organization may want to sabotage your operations. Providing such a threat catalogue can potentially assist organizations in prioritizing security and preparing an effective agenda for the security initiatives to be implemented.
Let’s talk security
One of the grave misunderstandings circulating around security is that security is handled by the Information Security Department, and that the Information Security Officer is responsible for upholding security of the entire business.
Let me underline that information security and cybersecurity are team sports; security is not the work and responsibility of an individual or a small group. Everyone within an organization needs to contribute to the security efforts of their organization.
To get a security project moving, which could be a GDPR project, you need to have a sponsor within top management. Without such a sponsor the security project lives only within a silo, where you are hired in as part of the IT department and the CIO is the sponsor. So if you are hired in to nail a business-wide objective, but are hired in by a line manager, you might want to challenge the organization (organizational structure) – or flag the organization as a risk.
Senior management, the CEO, is responsible for maintaining the right level of security, and in some sectors, this is even a board issue by regulation. Therefore, it is vital to have representatives in the steering committees on that level, in order to gain authority and sponsorship across the individual business units, who might very well have other issues than security on the top of their agenda.
Focusing on risk
For me, describing and qualifying risk are the main drivers of getting attention, with management as well as with the employees in the organization. Remember, as I mentioned in the byline, security has many facets; it is not just about bleeping, shining boxes in a server room and an antivirus application on the laptop. Security is very much about people, behavior and keeping a balanced level of security, and about continuously improving the effort.
Risk management is also the way of keeping up to speed with new and changing threats. Again, threat identification is a team sport, as all business units and specialists need to contribute to identifying threats, putting them on the agenda and assigning values like probability and consequence, enabling the organization to prioritize the actions that are needed to mitigate the risks to an acceptable level. I recommend the establishment of a joint risk management board in the organization, with contributors from the business units and subject matter experts, which may be supplemented by an external partner.
Risk management focuses on identifying threats, quantifying them and mitigating them, without adding unnecessary costs to the task. You must make solid business cases, which will earn you the trust of the management. Development of the business cases requires financial insight, and the finance department will be your best friend here. You need to use your imagination and sometimes use creative solutions, devising alternative routes, in order to achieve the security objectives at a minimum of cost. This requires you to engage in the work of the business units, working and cooperating with the architecture, development and operations people. You need to use your eyes and ears, as these people will often be able to find their way by themselves with just some guidance.
By the way, risk is also part of the GDPR, risk being mentioned a total of 72 times in the regulation. So in order to comply with the regulation, you need to be able to conduct risk management, and that alone is often a very convincing argument when you argue for establishing a risk management program.
Speaking the language
All of this requires you to speak the language of the people you interact with. This goes for management and finance: you need to be able to use the terminology of your stakeholders, just as you need to work together with people within development, operations and testing. I recommend that senior project managers or senior security consultants acquire knowledge about management and finance. I acquired that knowledge by taking two modules as part of my MSc program, a module covering management of technology organizations and a module about financials in an enterprise.
Furthermore, I would strongly recommend that you take certifications like ITIL, PRINCE2 and ISTQB in order to talk to operations, project managers and testers using their vocabulary. Of course, one of your main priorities should be your expert knowledge within security. Here, too, there are a lot of certifications to take that will support your profile. Finally, you need to improve your knowledge constantly, and participate in conferences and other types of continuous professional education.
Your personality is also important. You need to be able to gain the confidence of your stakeholders, and they need to trust your advice. Humor is in my view a great tool to defuse tense situations, for instance where you have to pass a problematic finding to a stakeholder. Do not use the wall of shame, but rather guide, persuade and be kind. Forget all about Dr. No. You are not there to say no, you are there to find solutions, to enable the organization to do business, so finding compromises is often the name of the game: finding solutions that may introduce risks, but acceptable ones.
S*** hits the fan
Evidently you will at some point face a problem. General von Moltke said that even a perfect plan will not survive first contact with the enemy. You will face an incident where a threat is exploited, and you need to have a plan for that. You need to have an incident response process planned, where again management needs to be involved. Management needs to be put in charge, needs to send and receive communication, and must have plans for the various things that can go wrong. Your role as a project leader is to create the framework that supports management in their efforts to handle the incident.
You can draw on resources like ITIL and ISO27001, ISO27002 and ISO22301, as well as other standards, in order to create a framework on which you can empower the management to resolve an incident. You need to be able to adjust to minor and major situations or incidents. Sticking to standards is a good thing, but you should not be rigid, and always remember to keep in mind the external factors of the environment and the given objectives you need to meet. ITIL and the ISO standards indeed call for that kind of tailoring.
Security is a fun task
Working with security is certainly fun and exciting. It is technically sweet, and you will get a lot of human interaction while working with your stakeholders. However, you should always keep in mind that it is challenging, and you need to make quite an effort to keep up with what is happening outside the hamster wheel in order to keep your value as a security consultant.
Therefore, because we are in such a rapidly changing environment, where the importance and role of security will only become greater, my recommendation is for skilled consultants in other domains to add a security asset to their portfolio, perhaps as a security certification.
This might become even more relevant as the GDPR introduces Article 25 “by Design and by Default”, setting up requirements for baking privacy (and security) into all aspects of development and operation – the entire SDLC and the operational lifecycle. So most of you will already need to work with privacy and security issues in your daily work anyhow. If you formalize your security knowledge by adding a security qualification to your portfolio, one that matches your primary field (project management, development, testing or management), you not only talk the talk, but you can walk the walk, and I would consider that a career move, as professionals with security skills are in short supply.
You can reach out to me on LinkedIn, and I will be happy to point you in the right direction. I look forward to meeting you in the field.