Our Progress in Cybersecurity Culture Is Improving, Now What’s Next?

Tricia Griffith, CEO of Progressive, the large insurance provider, said: “With the right people, culture, and values, you can accomplish great things.” [1]

Several excellent analogies can be used to describe the global challenge we face in cyberspace. We can describe it as modern piracy, given how many people piracy harmed while it was rampant, its criminal nature, and its use in proxy wars between the great naval powers of the 17th and 18th centuries. It could be thought of as similar to infectious disease, given how often software viruses are proximate to fraud and sabotage, how widespread and destructive these viruses are, and how, like disease, they spread through contact. It can be considered akin to unbridled marketplace competition, the battlefield as the emerging industrialists of the 18th and 19th centuries perhaps envisioned it. And, of course, it can be thought of more directly as outright war, where skirmishes and battles are fought by and for nation states with catastrophic collateral damage inflicted on citizens the world over.

In each case, the common first step in fighting back is to change the culture. Whether it’s to band governments together to defeat a common enemy, create a public/private cooperative, or develop a sense of civic duty through education and public discourse, causing a culture change is often the first step in turning the tide.

With that as the backdrop, let’s think about how we’re doing in the culture change we know we need. ISACA® and the CMMI Institute tapped the power of their combined community to look at how we’re doing at developing and adopting a cybersecurity culture. The 2018 ISACA/CMMI Culture of Cybersecurity Research looks at more than 30 data points drawn from almost 5,000 respondents across small, medium and large organizations, which makes this survey extremely valuable in helping us assess where we are.

Making the shift we need requires three distinct steps or phases. First, we need to create awareness of the problem in a way that makes it real to the entire workforce. It needs to be personal. People need to understand why it matters, not just to their organization, but to them. Next, teach people basic self-defense. They need to know what they should do to protect themselves. Then finally, we need to develop within the workforce a sense of unity of purpose and make real to them the shared outcomes we want to achieve.

From the research, we see that 87% of respondents believe that establishing a stronger cybersecurity culture will improve profitability or viability. We also learn that almost 8 in 10 believe those without such a culture experience more breaches and more than 7 in 10 think they would be more susceptible to phishing. I think this is great; it means we are motivated to make the changes we need to the cyberculture we have, and we believe it is essential to the organization, not the regulators, that we do so.

Coming back to our three steps, we also see from the research that fully 96% of respondents already have, or expect to have, employee training in place by the end of next year. We can assume, then, that if you are reading this you likely have a program in place. Most importantly, the topic most often addressed is cyber risk awareness, cited by 8 in 10 respondents. Your task now is to make sure this awareness program establishes for the workforce the connection between cyber hygiene and their personal stake in it. You’re not alone. Barely 3 in 10 believe their workforce understands its role in cybersecurity completely or very well.

Conversely, around 5 in 10 believe their workforce somewhat understands its role, and almost 2 in 10 (19%) fall into the not at all and minimal categories. I think we need to move a good many people from “somewhat” to “very well” to create the momentum we need toward a sense of unity around the outcomes we want. Three in 10 can’t create much of a draft for their teammates to ride in, but perhaps 6 or 7 in 10 can. We agree this is important: 41% of respondents cite a lack of employee buy-in or understanding as the most critical inhibitor to achieving the desired cybersecurity culture.

Of course, measuring our progress is essential. First, make the tweaks to your program that make it personal to all workers. Then add regular assessments to gauge how the workforce is responding; fewer than 3 in 10 organizations do that now. Moving the bar on this metric will significantly improve the effectiveness of your cybersecurity awareness program. Engage with the workforce, measure phishing click-through rates, reward successful outcomes, and make sure you have consistent executive sponsorship. If executive management can motivate the workforce to improve product quality and increase sales, it can certainly drive a change in the cybersecurity culture and accomplish the great things that Ms. Griffith believes a great culture can achieve.

1. Tricia Griffith Quotes. BrainyQuote.com, Xplore Inc, 2018. https://www.brainyquote.com/quotes/tricia_griffith_852303, accessed September 27, 2018.

This article was originally published by ISACA in October 2018.

How Digital Natives Are Shaping the Future of Data Privacy

With the California Consumer Privacy Act (CCPA) going into effect on January 1, 2020, I think it’s timely to look at how digital natives may change the way we view data privacy altogether. If you were a toddler when Voyager 1 and 2 buzzed Saturn in 1980 and 1981 respectively, you are a digital native, as is anyone who came along after you. Maybe you started high school when email and file-sharing started going mainstream, and by the time you graduated, The New York Times had a homepage, at least one of your parents was likely online, and we, consumers at large, were beginning to experience FOMO (fear of missing out) if we weren’t online.

Ubiquitous tracking and big data pools as we know them today weren’t even a glimmer in a mad data scientist’s eye back then — and yet, people born before we learned who shot J.R. (or digital immigrants, as they came to be known) had already been making privacy mistakes for years.

Privacy Habits of the Past

Although the term was coined in the 1960s, identity theft has been with us for much longer. This author shares a name with a notorious horse thief, born Henry McCarty in the 19th century American Wild West. This scoundrel misappropriated the name William Bonney from an obituary in a New Jersey newspaper before he went west and famously fell into considerable mischief.

Two generations after his demise, the U.S. government began handing out identifiers for the new Social Security program. That’s where the trouble began in earnest. Many states put that number on their state-issued driver’s licenses — and this practice wasn’t banned until 2005. When Medicare came along in the 1960s, the Social Security number (SSN) was used as an identifier for each recipient. It was convenient, and it seemed like a good idea at the time, but the practice was officially ended in 2017.

Another habit we all got into long before digital natives started tagging themselves in hundreds of social media photos was putting our driver’s license numbers, addresses and phone numbers on the face of our checks. Credit cards weren’t widely accepted at grocery stores until the late 1990s, and who wanted to carry cash? None of us wanted to wait in long lines while the cashier wrote our phone and driver’s license numbers on our check to guard against fraud. It was easier and faster to have the info printed right on the check when we ordered them. The banks knew all about it. It was convenient, and yes, it seemed like a good idea at the time.

As we started using credit cards more broadly, we found ways of getting into even more privacy trouble. Rewards programs started sprouting like weeds. There were airline miles, discounts at the check stand and loyalty points for every possible purchase. Now, we coin new currencies faster than influencers gain followers. For 15 percent off, we allow our pharmacy, grocer, clothier and online retailer to track everything we buy, and we’d dutifully bark our phone number at clerks with people all around us to make sure we got credit for every purchase.

Digital natives certainly aren’t alone in posting photos, videos and online journals from their own social media accounts. While it might be easier for someone who grew up with the technology to post a fully captioned photo that tags five friends or colleagues, the consequences seem to vary more by the reach of the social profile in question than demographic factors. These consequences can range from varying degrees of embarrassment to ostracization and severe career impact. Sharing photos, videos and inner thoughts seemed like a good idea at the time — just like sharing SSNs, driver’s license numbers and phone numbers did before.

Data Privacy Expectations Are Rapidly Evolving

Our collective attitude toward data privacy is changing as we learn more about how maintaining data privacy is both desirable and difficult. We are now more attuned to the effects of sharing and the consequences of subtle privacy violations. In short, we’re in an era of rapidly evolving data privacy expectations. We’re increasingly turning to regulators to help us corral entities that would sell pieces of our information we wouldn’t necessarily share on our own. Partly due to the experiences of digital natives, we are reconsidering the rules of data sovereignty.

As the consequences of data sharing become more evident (think public shaming versus identity theft) and long-lasting (searches often expose events going back decades), we are recognizing that our online images and thoughts can define us and should be owned by us, regardless of whether we fully understood the impact of sharing them. If a musical group can stop a political campaign from using its song or an actor can stop a merchant from using their image in an advertisement, it is my opinion that each of us should be able to determine how our images and musings may be used by collectors and whether to allow their collection at all.

The Berne Convention, adopted way back in 1886, established that copyright arises automatically the moment a work is created, without registration or any other formality. I’d assert that it’s not much of a stretch to extend that to what we publish about ourselves, whether that information is generated intentionally or as a byproduct of living in the digital age.

Should We Have Personal Sovereignty Over Our Data?

Regulators alone cannot solve this problem. It seems to me that what digital natives have asked us to do — sometimes explicitly, but often indirectly — is create the technical means to grant and revoke permission to collect, access, use and share the data we all produce.

Regulators could force each covered entity to create processes whereby current data subjects can request agency over their data privacy. New technologies could be created to encode each atomic unit of data and establish clear ownership. With options such as blockchain and smart contracts, I believe we could honor evolving data privacy expectations and enable data subjects to set or change the rules to which data brokers and users must adhere. If those parties fail to act in accordance with those rules, they could be prohibited from using that data.

Certainly, this concept has a more complex application when it comes to the digital exhaust we create (think location data and log data) as opposed to data elements that are more obviously descriptive, but this seems like more of an architectural challenge than one of scale to me. After all, we’ve managed to solve the scale problem for collection and use. As I see it, giving data subjects sovereignty over their data seems like a logical next step for our time — one that might just remain a good idea as we look back on this time years from now.

This article was originally published on Security Intelligence on Jan 8, 2020

Data Classification is the Key to Data Protection, Part I

“No, no!” said the Queen. “Sentence first – verdict afterwards.”

“Stuff and nonsense!” said Alice loudly. “The idea of having the sentence first!”

The value proposition for data is not in its protection (sentence), but in its use (verdict).

In this series of articles, we’re going to explore an alternate value proposition for data classification and the benefits of thinking of data classification primarily as an enabler for using data rather than protecting data.

In this first article, we’ll consider the fundamental reason that we want to classify data with this mindset.

In the second article, we’ll contemplate how to change the data classification schemes we use to fit our needs.

In the third and final article, we’ll examine the business processes that must change to accommodate our alternative value for data classification.

Now let’s come back and state our value proposition in a business-appropriate manner. The value of data is a function of the value derived by the business from its use of the data, minus the cost of generating, acquiring, handling, and holding the data, while also meeting any custodial requirements. The custodial requirements dictate the lengths we must go to protect it from unsanctioned access or use.

We generate a lot of data. It’s hard to know what to do with each data set. Why not just treat it all the same? If it’s just a matter of money, write a big check and give everyone − our customers, our shareholders, our employees, and our regulators − total assurance that we’re on it and that all the data is safe. Why not just assume the same custodial requirements for all our data and be done with it?

A safe is a useful analogy. One reason to buy a safe is to protect valuable papers and jewels. Sometimes a bank is hired to do this, and the bank puts its clients’ valuables in its safe. These safes are of different sizes, configurations and classifications. We don’t give a lot of thought to why, because it’s intuitive. A bank has more valuable objects to protect and needs a bigger safe. A bank also has a higher aggregate total value in its safe, and therefore requires a safe that is more difficult to move and more resistant to cracking. Many banks configure these mega safes as vaults, entire rooms dedicated to protecting valuables. Some banks layer safes within vaults.

We might choose to put all our papers in our in-home safe. Typically, we don’t do that. We might decide to hire a bank to store all of our documents, including old magazines with articles we might want to read again. We don’t typically do that either. We don’t usually have to ask ourselves what we want in the safe or in the vault. We know the intrinsic value of the papers we own, and we understand the harm that could be done if they are lost, damaged or stolen. We then act accordingly. We know that if we put all of our documents (data) in the safe, we’ll spend a lot of time spinning the dial to lock and unlock the safe, or traveling to and from the bank, rather than using the documents. But we also feel a pull toward putting our grandmother’s diamonds in the bank vault (or at least our own safe), because we don’t want to be the one responsible for losing Nana’s earrings and incurring her wrath. We take our custodial responsibilities seriously.

We know it doesn’t make sense to store a newspaper in the safe, because the content is public knowledge. Assuming we don’t mind ink rubbing off on our fingers, we just want to read the newspaper. If we’re subscribing to the newspaper and have documents or valuables that we use a bank to keep safe, we likely can afford to safeguard more than we do. We don’t because we perform a little calculus for each valuable – how do I use this, and does it warrant special safekeeping?

The same value and cost mechanisms are at work for the data our organization uses. A crucial piece of the cost equation is the custodial requirement. There are three ways to protect data: we can control access to it, we can obfuscate it, or we can destroy it. Each of these protections comes at a cost, so for every data set we need to ask questions like the following (a representative list, not an exhaustive one). Assuming, rather than determining, the underlying need for these controls costs time and money, and the controls themselves create barriers, both large and small, to using the data to the organization’s maximum advantage:

  • Do we have to back it up?
  • Do we have to protect it during transmission?
  • Do we have to encrypt it at rest?
  • Do we have to control access?
  • Do we have to monitor access and usage?
  • Do we have to adhere to a policy for data retention and destruction?

Common data classification approaches are 3-tier, 4-tier and 5-tier schemes that provide increasing levels of granularity for non-public information. A typical 3-tier scheme might include public, internal use only, and sensitive. A 4-tier scheme might include public, internal use only, confidential, and secret. A 5-tier scheme might include public, internal use only, confidential, sensitive, and secret. Let’s assume each tier is numbered, starting with 1 for public and ending at 3, 4 or 5. The higher the number, the greater the need for data handling controls.

In many organizations, data classification is done much like the Queen of Hearts decreed. We classify the sensitivity of the data, and that classification dictates the handling requirements for each data set. This seems reasonable, but in doing so we often decouple knowledge of the use of the data (how we derive its value) from the type or sensitivity of the data (the prerequisite for designing the protection scheme). This happens because two different teams are involved, and for them to coordinate their assessments each needs the other’s context. When the data classification effort is undertaken months or years after the business decision to acquire or generate the data, a disconnect is assured.

Every time we answer yes to one of the questions listed above, we spend money, which decreases the value of the data to the organization. More importantly, we also decrease the operational value of the data to the business because each of these data handling controls comes with an operational burden. Our teams have to spend time and effort to conform to our usage requirements. Don’t use it while it’s being backed up, encrypt it during transmission, encrypt it when storing it on disk, decrypt it when using it, rotate encryption keys, grant access, manage access, keep access logs, analyze the logs, and so forth. Data gains value from its use, not from being hidden and protected.

It follows, therefore, that when we fail to classify data accurately, we build inefficiencies into our data protection processes. We force ourselves to create the equivalent of multi-room bank vaults when all we might need is an in-home wall safe. Often, the inefficiencies built into our data protection schemes manifest as logic errors that allow inappropriate access to our data. This inappropriate access can lead to everything from corporate embarrassment to regulatory sanction to data theft, loss, and destruction. This defeats the purpose of the protections we’ve put in place.
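The handling questions and the tiered scheme above lend themselves to a small consistency check. The following is an added example, not code from the original article: it audits a constructed data inventory against a minimum-controls-per-tier matrix and reports both under-protection (the gaps through which inappropriate access gets in) and over-protection (the multi-room vault bought for wall-safe contents, which shows up as operational burden). The tier names and the six controls are taken from the text; the minimum-control matrix and the sample inventory are assumptions made for illustration, not a policy the article prescribes.

```python
"""Audit a data inventory against a tiered classification scheme.

Added example, not from the original article. Tier names follow the 5-tier
scheme in the text; the controls are the article's six handling questions.
MINIMUM_CONTROLS is an ASSUMED illustrative policy, not one the article
prescribes, and SAMPLE_INVENTORY is constructed data.
"""
from dataclasses import dataclass, field

# Tier numbering as in the text: 1 is public, 5 is secret.
TIERS = {1: "public", 2: "internal use only", 3: "confidential",
         4: "sensitive", 5: "secret"}

# The six handling questions from the article, as control identifiers.
CONTROLS = ("backup", "encrypt_in_transit", "encrypt_at_rest",
            "access_control", "monitor_access", "retention_policy")

# ASSUMED policy: the minimum controls each tier must carry. Controls
# accumulate as the tier number rises ("higher number, more handling").
MINIMUM_CONTROLS = {
    1: frozenset(),
    2: frozenset({"access_control"}),
    3: frozenset({"access_control", "encrypt_in_transit", "retention_policy"}),
    4: frozenset({"access_control", "encrypt_in_transit", "encrypt_at_rest",
                  "monitor_access", "retention_policy"}),
    5: frozenset(CONTROLS),
}


@dataclass
class DataSet:
    name: str
    tier: int
    controls: frozenset = field(default_factory=frozenset)  # controls applied


def validate_dataset(ds):
    """Reject unknown tiers and control names before auditing."""
    if ds.tier not in TIERS:
        raise ValueError(f"{ds.name}: unknown tier {ds.tier}")
    unknown = set(ds.controls) - set(CONTROLS)
    if unknown:
        raise ValueError(f"{ds.name}: unknown controls {sorted(unknown)}")


def audit(ds):
    """Compare the controls applied to a data set with its tier's minimum.

    'missing'  = under-protection: required controls that are not in place.
    'excess'   = over-protection: controls applied beyond what the tier needs.
    'burden'   = every control the teams must live with in daily use.
    """
    validate_dataset(ds)
    required = MINIMUM_CONTROLS[ds.tier]
    return {
        "name": ds.name,
        "tier": TIERS[ds.tier],
        "missing": sorted(required - set(ds.controls)),
        "excess": sorted(set(ds.controls) - required),
        "burden": len(ds.controls),
        "required_burden": len(required),
    }


def audit_inventory(inventory):
    """Audit every data set; returns one report dict per data set."""
    return [audit(ds) for ds in inventory]


def summarize(reports):
    """Totals: wasted burden (excess controls) and exposure (missing ones)."""
    return {
        "datasets": len(reports),
        "total_excess": sum(len(r["excess"]) for r in reports),
        "total_missing": sum(len(r["missing"]) for r in reports),
        "under_protected": [r["name"] for r in reports if r["missing"]],
        "over_protected": [r["name"] for r in reports if r["excess"]],
    }


# Constructed sample inventory (not real data): a public archive locked down
# like a vault, a sensitive table missing two controls, and a correct one.
SAMPLE_INVENTORY = [
    DataSet("press release archive", 1,
            frozenset({"encrypt_at_rest", "access_control", "backup"})),
    DataSet("customer contact table", 4,
            frozenset({"access_control", "encrypt_at_rest",
                       "encrypt_in_transit"})),
    DataSet("board minutes", 5, frozenset(CONTROLS)),
]

if __name__ == "__main__":
    reports = audit_inventory(SAMPLE_INVENTORY)
    for r in reports:
        print(f"{r['name']} ({r['tier']}): missing={r['missing']} "
              f"excess={r['excess']} burden={r['burden']}/{r['required_burden']}")
    print(summarize(reports))
```

The two lists the audit produces map onto the article's two costs: `missing` is where the protection scheme fails at its stated purpose, and `excess` is burden that buys no protection the tier requires. Both are arguments for classifying by intended use before the controls are bolted on.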

Storage space is so inexpensive that we’ve all become data hoarders. But as data ages, the cost to store it holds steady or increases while its value is likely decreasing. The value could be decreasing simply because the data is less current, so any insights it provides are less useful. It could also be decreasing because the operational burden is increasing: rekeying, backup schemes and access controls all carry a burden, and as standards evolve, older data must undergo more ETL (extract, transform, and load) work to be combined with newer data sets for analysis.

What is needed is a data classification scheme that has a few additional attributes as well as a mindset shift that allows us to think differently about the data we keep, and which data sets need which protections. We’ll explore these new attributes and this new mindset in a follow-on article in the next issue.

This article was originally published in Cybersecurity Magazine in Summer 2018

How We Want Recruiters and Hiring Managers to Behave

Gary Hayslip, my good friend, partner and co-author of our book, “CISO Desk Reference Guide,” just wrote what I think is a very courageous blog post about a hurtful and confusing experience he had while exploring a job opportunity. It certainly struck a chord with me, so I thought I’d relate some of my thoughts as well. But first, I’d like to commend him on the vulnerability he showed in writing his article in the first person. When our leaders are willing to be vulnerable, we all grow. Thank you, Gary.

Gary mentioned in his article, “Cyber Recruiting, the good, the bad and the not so pretty,” several things I’d like to build on. The first was a lack of due diligence on the part of recruiters. He mentioned getting messages through LinkedIn for security analyst positions he would be perfect for. I’ve gotten those messages too, along with some for accounting positions I’d be perfect for. I am good at a lot of things, apparently, including systems administration, database administration, installing certain pieces of software I’ve either used in the past or managed people who did, accounting, and various manufacturing positions (not sure I’ve ever been in a factory) including production line safety programs (that’s scary) and quality assurance. Just before I published this article I got a message from a Houston-based recruiting firm telling me they thought I’d be interested in a Regulatory Inspector job for the San Diego Metropolitan Transit System. Yes, “Regulatory” and “San Diego” do appear on my profile, but really? Other than automation that isn’t well tuned or proficiently used, what causes this?

I suspect at play is the cost pressure put on the sourcing industry by large corporations who are trying to drive down costs. More on that in a bit.

The reality check for recruiters is: you’re not pushing widgets, you’re pushing people! Automation to help identify potential candidates seems like a great use of the technology. But once candidates are identified, perhaps the human touch needs to be applied earlier in the qualification process? Perhaps before you reach out to the candidate? And perhaps the automation might be tuned a little more to relationships and a little less to keywords. I’m sure some of it is, but based on a lot of anecdotal evidence, not enough.

Beyond the idiotic list of jobs I’m perfect for, Gary also touched on a different type of diligence. The guy staring at his beer at the bar in Vegas wasn’t applying for an entry-level or subject matter expert position; he was being recruited for a C-level position that would be critical to the firm’s success. This kind of position is a relationship decision. The due diligence should be done long before the position opens by building your human network. In our next book, we have a chapter on talent and recruiting. One of our recommendations is that every leader needs to build and nurture a human network that, among other things, creates a pool of people who, in various roles, some as advisors, some as partners, some as employees, will be important to the firm’s success. Certainly, it’s sometimes necessary to engage outside partners to help with critical searches, but assuming you’ve only made that decision for strategic positions that are hard to source, wouldn’t you be more thoughtful in describing what you want and need?

We’re Missing the Human Element

Let me come back to the cost pressure that corporate HR departments are exerting on sourcing firms. I do think this is a big driver of the number of incidents of poor diligence. Let me unpack my thoughts a bit. Yes, the cybersecurity talent pool is currently more of a wading pool. And yes, this creates a demand for sourcing services to compete for the talent each firm so desperately needs. As sourcing firms rush to fill the void and fight over a small candidate pool relative to the number of positions we need to fill, there will be plentiful instances of abuse and stupidity on display. We’ve seen this before in the IT field, and many of us are still carrying those scars. But in my mind, an equal driver is the approach to cost reduction in hiring that many large corporations take.

Remember that corporations are optimized to efficiently deliver some existing widget to the market. Whether it’s a plumbing widget or a patented software widget, the organizational structure is largely the same, with minor variations in positions and reporting structures. That efficiency is often obtained by specialization, matching skilled pools of workers to specific job outcomes, outsourcing to specialists, and a whole host of other techniques too numerous to list here. This structure and purpose create a learned, habitual response to any problem – how do we overcome the problem in the most cost-effective way possible? I’ve seen many companies apply the same cost reduction techniques to hiring as they do to their supply chain and building maintenance: “outsource it and put it out to bid.” Cost is not the only factor, but cost is a critical factor. This might seem to drive down the cost, but poorly engaged workforces, poor team composition and higher turnover negate a lot of that perceived cost savings. And the higher turnover, with its myriad causes, also drives a good part of the vacancies that companies need to fill.

Certainly, tools like contingent searches that pay search firms only for successful placements are important for reasons beyond cost control. They are a great way to try out a search firm to ensure the candidates they identify are consistent with your team dynamics. But immediately putting a contingent search out to multiple sourcing firms can have unintended consequences, such as making the volume of candidates proposed more important than the fit of the candidates proposed. Retained searches are often more expensive, but the dynamics of retained searches and deep relationships with sourcing partners can create very different outcomes for filling key positions. Recruiters and candidates I have talked to believe contingent searches have been overused as a cost lever and the balance might need to shift back to get better outcomes.

At the same time, there have been several jolts to the job market, such as right-sizing and down-sizing and significant improvements in productivity that have allowed many companies to achieve higher output and generate higher profits with fewer employees. This has created intense competition for positions in many fields. Employees have been trained to act in a way that maximizes their outcomes in any job search. They’ve been taught to maximize their outcome by tailoring their resume to each job, applying for anything close, peppering the resume with as many “hot” keywords as possible, and working hard not to get deselected. And it’s understandable: when you are out of work and have bills to pay, you become less picky.

To echo another of Gary’s points, we all have a role in fixing this. We are not likely to get to parity in this market for a while, and yes, that creates a gold rush of sorts. This is ultimately good for the economy, but we need to collectively work to smooth out the rough edges. And at the end of his article, Gary called on us all to have a dialog. So, if I had a magic wand, this is what I would wish for…

Hiring Firms

  • Hiring firms should put greater emphasis on finding better fits with candidates. They all pay lip service to this, but when costs produce a surprise, the heat is applied throughout the internal hierarchy and everyone gets pushed to squeeze out costs. I know that’s natural, but firms need to fight it a little harder. The impact is on people, the lifeblood of your firm. Even granting for a moment that you have a right to get the best low-cost outcome for your firm, bringing in an inferior hire because you scared away the quality candidates by working with the lowest-cost sourcing firm does not help you achieve that.
  • Firms need to invest more in talent creation. I’ve seen first-hand several firms that believe the recruiting experience begins when they open a req. Wrong! It begins when you strategize about the talent you will need five, 10 and 15 years from now. Talent you need to attract and talent you need to grow. Sometimes you grow talent internally through development programs and internships, sometimes externally through education programs and outreach and retraining. Sometimes you hire experienced people who can “hit the ground running.” Be thoughtful.

Recruiters

  • Recruiters need to focus more on relationships and less on volume. There are lots of ways to be profitable and have an impact, but not all of them are compatible with volume growth. Are you looking to solve your customer’s problem or make a buck? You can do both, but the customer must come first in that equation, perhaps not in the way they think.
  • Recruiters need to be a source of guidance for the firms they help. As Gary pointed out, an experienced recruiter in a specific discipline should help the hiring firm understand experience, skills, and market, and model good behavior. How many times have you been through some portion of the interview process and never heard back? That is unconscionably rude behavior. Recruiters, don’t let your client firms behave in that way. It’s funny that Gary mentioned CyberSN as an example of good recruiter behavior. I have also enjoyed working with Dawn Saenz of CyberSN. I would also give a shout out to Kelly Feest over at Proven (just look at the ten questions on her profile). I know Kelly helps her clients understand what jobs they are qualified for and I refer people to her all the time. I’ve also had a great personal experience with Charles Betzip at Gatti & Associates, who does take the time to call back and follow up and Pat Flynn at Errigo Group, who is great at two-way due diligence. All of these folks care enough to invest in both the client and the job seeker.

Job Seekers

  • Job seekers need to disabuse themselves of a couple of myths. The first is that recruiters are your buddy. Even if they behave impeccably, they are still hired and paid by their client firms. They are beholden to them. You will often get a guide, but you will rarely get an advocate. That doesn’t make them bad people, but you should know that going in. Another myth follows in the next item.
  • A mentor of mine once told me it is not about the title, it’s about the scope and the pay. Scope – are you solving meaningful problems that allow you to bring your passion to the job every day? Pay – are you being paid what you are worth for the value you are delivering? Culture and perks that don’t show up on your W-2 are great, but they can’t make up for deficiencies in these two critical factors. Liz Ryan, who founded the “Human Workplace” knows this only too well. She’ll tell you straight out, if you are bringing your passion every day, the doors will open before you. There are way more important things that need to get done than there are great people available to do them. Please note, I mean passion, not hard work. Hard work often follows passion, but it is not the same thing.

Senior Leaders

  • For the seasoned part of the workforce that is coming up to the last couple of chapters of its career, please give back. I have been fortunate to affiliate with Everwise, a firm that matches mentors with protégés who have been enrolled by their companies. I have had the pleasure to mentor four spectacular people at various stages of their growth, and I must say, if I had had access to this kind of help when I was at their stage of career development, I could have avoided a lot of painful mistakes in my career. Julie Vanderheyden at Everwise has been my Experience Manager since day one, and I recommend this program to senior leaders who want to give back.
  • And again, for the seasoned pros, follow Gary’s lead and share what didn’t work so well. In each of my mentoring partnerships, I have surprised my protégés by sharing times when I totally mucked up the works. Unpacking what didn’t go so well is a very powerful tool and I promise, you will not feel exposed or weak. You will feel powerful and you will have empowered. Share yourself.

As Gary said, a dialog is needed on this and I am glad he had the courage to start it by putting a piece of himself out there for us to examine and learn from. We are going through an interesting transformation in the job market today. The lack of qualified talent is the single greatest inhibitor to success in the digital age and the dearth of good-paying jobs is keeping many people in dead-end spirals or out of the workforce entirely. We all can play a role in changing that.

This article was originally published on LinkedIn on Feb 15, 2017