Okay this week the post is going to be a bit of a cop out.  Things have been a bit hectic around here and while that is a good thing, it is typically just me that can do them.  I know that I have a few series postings that I need to finish up but billable work must come first. 

What I wanted to mention this week is an article out on CSO Online by Joan Goodchild.  It is entitled “5 Steps to Communicate Security’s Value to Non-security People” and is based on an interview with Michael Santarcangelo.  If you recall that I reviewed Michael’s book last week (wow – it seems like that was a month or so ago) and I was part of a podcast put out by Michael’s company, the Security Catalyst. 

Needless to say I’m a Michael Santarcangelo fan and, in the spirit of full disclosure, we’re discussing some collaborative efforts sometime in the near future.  (More on that as we work the details out.)

Anyway – back to the article:  Ms Goodchild’s article is a timely one as it addresses what information security practitioners can do to demonstrate their relevance in these tough economic times.   The article covers the five steps that you can take to communicate effectively and demonstrate your value.  I think that the time that you take to read the article will be well spent. 

I’ll be back next week with my usual long winded posts.  J

A recent study by the Ponemon Institute have shown that 59% of the individuals being laid off, fired, or quit admitted to stealing company data.  This study backs up the post that I made a while back entitled “Its Not Personal, just Business.”  While it is always dismaying to have to lay people off it is an unfortunate reality in today’s economy.  What this study shows is that mission critical data is walking out the door at an alarming rate.  Where are these former employees going?  Well in most industries it is to the competition.  What would your competitor do with your proprietary information?  It is possible that they might not even know that it is your proprietary information if your former employee sanitizes it properly or “pretends” to recreate it.  Don’t think that will happen?  Well the study also showed that 67% used their former employers proprietary information to leverage a new job.  (See the Network World article on the study)  (Listen to the NetworkWorld Podcast)

When the respondents to this survey were asked why they did this, they responded that they felt the information was theirs since they created it or felt some other sort of entitlement with regard to ownership of the information.  Now couple this with survey results that 44% of the respondents indicating that they did not trust their former employer to “act with integrity and fairness”; 25% said they were unsure.  What kind of picture does that paint now?

Now you’ll never be able to completely stop this sort of thing from happening.  There are both technical and management level controls that can seek to curb data loss like this but they will never totally stop it from happening.  The goal should be to minimize the likelihood as much as possible while recognizing that complete success is unattainable. 

What you should do is identify and rectify the “low hanging fruit” first.  Address those items that are easiest to fix first and once their done begin to focus on longer term, more complex control measures.  One of the things that the study indicates is that 24% of former employees indicated that they had access to their former employer’s computer systems after they had left.  Roughly one in 5 indicating that this access lasted for more than a week. 

Immediately cutting network access and reclaiming computer equipment shouldn’t be reserved for the difficult employees.  It should happen to everyone.  Employees should be educated from day one that this is just what happens when someone leaves the company – for whatever reason.  Effort should be made to get the point across that the reclamation is not a statement on the former employee’s ethics or integrity.  Remember it is not personal, its business. 

This sounds rough, callous, and uncaring.  Don’t get me wrong, I struggle with that too however if the results of this study are anything near accurate then some action needs to be taken to address this major hole in our information protection programs.  It also underscores the point that people are both are greatest vulnerability as well as our greatest security control. 

I just finished a book by Michael Santarcangelo entitled Into the Breach: Protect your Business by Managing People, Information, and Risk. I am ashamed to admit that I hadn’t run across this book sooner and didn’t know about it until after I was a guest on Michael’s Podcast a few weeks back. At 110 pages the book is a quick read but don’t let that fool you – there is a lot of information in here.

The book is aimed at executives and other decision makers and not at technical information security professionals themselves. That is not to say that there isn’t value in here for the technically minded as long as they remember that they are not the targeted audience. There are a few things in here that might actually cause the technically focused some anguish but if they are honest with themselves and take a step back they should admit that what Michael says is true.

Into the Breach is the book that I wanted to write. I share Michael’s perspective on many of the topics discussed and have come to the same conclusions, although independently. We attack the problem from different angles but we share so much in common that I’m left to wonder if the differences are merely trivial. As I read the book I heard my own thoughts being echoed back to me more than a few times. I found new and interesting perspectives on issues that I have worked hard to solve and I even learned a few things (which means that it was time well spent.)

The book is broken up into three parts. The first part explains the human factors at play in any environment and seeks to provide a understanding of the human factors as they relate to protecting information. I really couldn’t find fault with anything I read in this section.

The second part lays out Michael’s Strategy to Protect Information and its implementation. Michael’s approach to the problem is different from mine but in no way does that make it any less valid. He does a good job explaining not only how something needs to be done but why it needs to be done which is the key to mastering anything. That said I have some constructive criticism to provide with regard to a few things that were mentioned.

The first being that Michael talks about how a management team can learn and deploy his strategy by just reading his book. The concepts that he lays forth are simple and well explained however I can say that I have facilitated groups through similar processes and it is not as easy as Michael makes it sound. The greatest fear that I would have by someone reading Michaels book is that they will try to implement his program without guidance then in failure believe that this approach is just a load of crap and go back to the way they have been doing things. Processes like this need to have someone with experience facilitate their adoption in order to steer teams around pitfalls and ultimately achieve success.

The second criticism is that near the end of Part Two, Michael talks about metrics and how to measure the success of the program. This is indeed an important point however his examples did little to illustrate his point and may have in fact made his argument weaker. He talks about the blending of quantative and qualitative measures (a concept that I’m wholly in favor of) but gives his executive/decision maker reader little to take back that is actionable.

The third part addresses considerations for extending and enhancing the strategy laid out in Part Two. Michael talks about how his strategy can help protect the bottom line and help reduce the cost of compliance. I agree that it will but again the topic was treated so quickly that a reader may be left to conclude that this is all that there is to the argument. They couldn’t be more wrong however would someone in the targeted audience know this – perhaps it would; perhaps it wouldn’t.

Please dear readers, don’t construe my criticisms as a damning critique of this book. At 110 pages it is nearly impossible to cover the topics that Michael has attempted. This book is exactly where it needs to be in terms of detail when considering the intended audience. I applaud Michael for writing the book. It is a book that has been needed out there for a very long time. I highly recommend it. I would even go so far to say that you should buy several copies and give them out to senior executives in your organizations. But only do so if you intend to follow up with several conversations about how to apply these principles in your environment. Use this book as a basis upon which to build conversations on how you can improve security within your organization and environment.