<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Network Security Consulting Blog &#187; James M. Anderson, CISSP, CISM, CGEIT</title>
	<atom:link href="http://blog.emagined.com/author/janderson/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.emagined.com</link>
	<description>Articles by Network Security Consultants</description>
	<lastBuildDate>Tue, 01 Nov 2011 01:24:03 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>RIM or Precipice</title>
		<link>http://blog.emagined.com/2011/10/31/rim-or-precipice/</link>
		<comments>http://blog.emagined.com/2011/10/31/rim-or-precipice/#comments</comments>
		<pubDate>Tue, 01 Nov 2011 00:50:26 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Blackberry]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[reliable systems development]]></category>
		<category><![CDATA[Research in Motion]]></category>
		<category><![CDATA[RIM]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/?p=1065</guid>
		<description><![CDATA[News of RIM&#8217;s apologies concerning the multiple-day outage of its services beginning Saturday morning October 8 illustrates a very important point. At the retail level it may be okay to remain silent or mumble about the circumstances of an outage (as my cell provider did in this case).  However, when dealing with enterprises which purchase [...]]]></description>
			<content:encoded><![CDATA[<p>News of RIM&#8217;s apologies concerning the multiple-day outage of its services beginning Saturday morning October 8 illustrates a very important point. At the retail level it may be okay to remain silent or mumble about the circumstances of an outage (as my cell provider did in this case).  However, when dealing with enterprises which purchase services in mass quantities as part of a broader strategy of delivering services to<em> their</em> customers through a well-equipped employee base the reverse is true.  RIM had remained silent for five days about the details, causes – and most importantly – the estimates for remediation of this outage. This is inexcusable for anyone offering an enterprise class product.</p>
<p>A company that understands the process of maintaining its systems and services and guaranteeing the reliability of those systems and services (and the revenues they support) will over-communicate about the circumstances of any unplanned outage.  By over communicating about an outage, the company shows the extent of its understanding, preparation, and detailed response plans. Obviously, developing incident response in a professional way is time-consuming and requires a great deal of maturity on the part of the company.  After all, you might never need these procedures and processes.  Most companies discover that developing incident response processes, tests, metrics, and plans is in and of itself a developmental activity for any large organization. These benefits can take many forms but two that are relevant here are: (1) improvements in the processes that underpin reliability itself such as reliable systems and applications development and (2) improvements in the incident response process such as better root cause analysis.  A company that can discuss these issues openly with its customers can subtly communicate that it has already brought a high level of professionalism to the problem and is in a position to leverage that professionalism for the benefit of its customers and for the reputation of the company. No amount of promise making or apologizing can substitute for this.</p>
<p>RIM did not do this and apparently cannot do it.  In the absence of communication during an outage, one of two explanations can be considered. The company either cannot figure it out (the most generous explanation) or they know the answer but the answer is so ugly they cannot afford to tell their customers the truth. No matter how heartfelt the apology, RIM&#8217;s enterprise customers don&#8217;t want or need apologies. What they need is information, substantial and detailed assurances about future support and possibly refunds. In a sense the damage to RIM is done. Emails were dropped and the corporate processes they supported were let down in a very public way. This debacle comes at a critical and unfortunate moment for RIM in light of iPhone and Android successes. As the outage unfolded, many people were already questioning RIM&#8217;s competitiveness and the longevity of its product line.  While it is true that no other provider even comes close to the quality of RIM&#8217;s product and service design and specifications for many corporate procurement officers, the execution in this case shows that RIM is not able to walk the talk. This brings into question the true definition of “enterprise class.” And the tide of “bring your own device to work” is coming in inexorably and threatens to isolate RIM on a shrinking island of customer loyalty.</p>
<p>I can&#8217;t think of a worse time for RIM to be facing serious questions about its product and service reliability. In 30 years of professional information security practice, I have often observed that ways can be found to cut corners when it comes to the security of information systems and “bring your own device to work” is a perfect example of this. However, when it comes to reliability enterprise buyers stick to their guns and insist on the contracted reliability or else take their business elsewhere. I wonder what deals RIM has cut over the past weeks for aggrieved companies who were harmed by RIM’s outages.  Since I am a retail, second tier customer, I have been offered &#8220;free premium applications&#8221; by RIM.  What a scream! It might be more successful to take out an ad in the Wall Street Journal apologizing for RIM&#8217;s lame offer of compensation.  I probably spent four hours troubleshooting the problem at the time.  Oh, well.  It would also be interesting to see how many inquiries have been received by insurers lately about the availability of insurance against an outage of RIM&#8217;s BlackBerry enterprise service. Not a good sign for RIM in the future.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2011/10/31/rim-or-precipice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Morgan Stanley Data Breach Smear</title>
		<link>http://blog.emagined.com/2011/07/08/the-morgan-stanley-data-breach-smear/</link>
		<comments>http://blog.emagined.com/2011/07/08/the-morgan-stanley-data-breach-smear/#comments</comments>
		<pubDate>Fri, 08 Jul 2011 17:58:49 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[credit.com]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Morgan Stanley]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/2011/07/08/the-morgan-stanley-data-breach-smear/</guid>
		<description><![CDATA[News today of a data breach at Morgan Stanley has followed the usual pattern. Some self-appointed expert writes a blog and gets on the news to highlight the apparent negligence of a large and respected company in the handling of its customers&#8217; information. Followed by carefully worded statements from &#8220;spokesmen&#8221; for both the company and [...]]]></description>
			<content:encoded><![CDATA[<p>News today of a data breach at Morgan Stanley has followed the usual pattern. Some self-appointed expert writes a blog and gets on the news to highlight the apparent negligence of a large and respected company in the handling of its customers&#8217; information. Followed by carefully worded statements from &#8220;spokesmen&#8221; for both the company and other parties to the debacle. In this case the other party was the New York State Department of Taxation and Finance.  Then dozens of news outlets pile on after doing no digging whatsoever to confirm the facts.</p>
<p>Morgan Stanley claims they have information or evidence that shows that a package they sent to the New York State Department of Taxation arrived at its destination &#8220;intact.&#8221; How they know this has not been discussed publicly.  Regardless, the CDs are now unaccounted for.  The New York Department of Taxation stated, according to the website credit.com, &#8220;if Morgan Stanley had bothered to encrypt the CDs before sending them, none of this would have happened.&#8221; This implies that Morgan Stanley followed poor practices when securing the data sent. But later in the same article it is revealed that &#8220;while the Department of Taxation and Finance does <strong><em>now</em></strong> have a secure pipeline that allows for encrypted data transmissions, they didn&#8217;t ask Morgan Stanley to use the application because the software ‘was not fully implemented until after the request for annual data was sent.’ &#8221;  [emphasis is mine]  These statements are attributed to New York Department of Taxation and Finance spokesperson Susan Burns. In fairness, credit.com did not use quotation marks around the &#8220;if Morgan Stanley had bothered…&#8221; comment so that bit of editorial confusion may have been cooked up by credit.com to spice up their story.</p>
<p>In general, when private companies send data to the state they are compelled to do so. The format, timing, and security or lack thereof is all part of the state&#8217;s command to send data. For example, if data were to be encrypted, then an agreed upon scheme to protect the keys and transmit the keys for decryption would have to be agreed upon. This would be explicitly true for the use of, say, AES 256 encryption using WinZip or other encrypting program. Or this would be implicitly true for the use of TLS encryption and an encrypted channel over the Internet. Either way, the state makes the rules.  If Morgan Stanley used, say, Microsoft Office Excel password protection to secure the data, that was most likely because that&#8217;s what the New York State Department of Taxation and Finance insisted upon. This is probably why the commentary coming from New York State has been relatively mild and has not unequivocally pointed the finger of blame at Morgan Stanley.  After all, it appears that at least some of the data sent to the NY State Department of Taxation and Finance has not been secured according to NY statute for at least five years.  Probably budgetary pressures.</p>
<p>In this case the law in question is the New York Information Security Breach and Notification Act (ISBNA).  It appears that both Morgan Stanley and the New York State Department of Taxation and Finance are in fact covered by the ISBNA, which was originally enacted in late 2005.  However, upon review of the New York State Technology Law Section 208 (the part of ISBNA that pertains to state agencies), it appears that what happened to the CDs from Morgan Stanley was not, in the eyes of New York State, a &#8220;data breach&#8221;.  Here is the definition of &#8220;breach of security system&#8221; contained in State Technology Law Section 208:  “Breach of the security system means an ‘unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.’ ” So the breach was not a breach and it appears that Morgan Stanley and, reluctantly, New York State Department of Taxation and Finance, have decided to notify taxpayers in New York out of an abundance of caution. Please note that no one is congratulating Morgan Stanley for taking the high road in its ongoing compliance with New York State law. It didn&#8217;t have to notify its customers but it chose to anyway.</p>
<p>The moral of this sad story is that when it comes to suspected data breaches, companies are damned if they do and damned if they don&#8217;t. A company like Morgan Stanley, which has excellent technology infrastructure and a reasonably good track record when it comes to protecting information, will be tarred with the same brush used on companies like Sony and others who arguably turned a blind eye to the protection of information in their care. You have a good reputation until you don&#8217;t. That time for good reputation expiration is chosen by people you never met who have only sketchy access to the facts and who then twist those facts to their own advantage. Welcome to data breach notification, United States style.</p>
<p>[Author’s Note: I have no inside information concerning this incident and have not included any proprietary information in this blog.]</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2011/07/08/the-morgan-stanley-data-breach-smear/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Remove &#8220;Risk&#8221; from Your Writings, Part 1</title>
		<link>http://blog.emagined.com/2010/08/17/remove-risk-from-your-writings-part-1/</link>
		<comments>http://blog.emagined.com/2010/08/17/remove-risk-from-your-writings-part-1/#comments</comments>
		<pubDate>Tue, 17 Aug 2010 20:38:43 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/2010/08/17/remove-risk-from-your-writings-part-1/</guid>
		<description><![CDATA[Five months ago I wrote in these pages a blog entitled “The Death of Risk.” It was a rant against the recent developments in banking which have featured fat cat bankers up to their ankles in the “moral hazard” miasma and happily getting their bailouts and bonuses from the overburdened taxpayers. The “mortgage meltdown” combined [...]]]></description>
			<content:encoded><![CDATA[<p>Five months ago I wrote in these pages a blog entitled “The Death of Risk.”  It was a rant against the recent developments in banking which have featured fat cat bankers up to their ankles in the “moral hazard” miasma and happily getting their bailouts and bonuses from the overburdened taxpayers.  The “mortgage meltdown” combined with the subsequent “credit crisis” happened mostly because a few bankers knew their firms were “too big to fail” and took advantage of this insight.  I called it “the death of risk” because one of the things we all count on in information security is that the inadvisability of taking inappropriate risk is an almost universally accepted principle.  It is not good to “bet the company” because that is usually an inappropriate risk.  Some companies have gone out of business because their security was inadequate.  But when Lehman Brothers or Bear Stearns went down, it was because somebody else bet the company and then got surprised when they didn’t get bailed out.  Risk is everywhere, and coping with it is a major preoccupation of a legion of analysts from economists to CISSPs.</p>
<p>Now comes Donn Parker, one of the preeminent researchers and thinkers in information security, who may have taken the idea of the death of risk a little bit too far.  Parker writes in a recent journal article,</p>
<blockquote><p>“Think of security as a necessary overhead cost of doing business just as are facilities management, legal, audit, human resources, payroll, and accounting, and like the other overheads, it does not produce a return on investment (The return of savings from expenditures for security is unknown since the incidents that would have caused the savings did not occur.) I suggest that you gradually limit the extent of your risk assessments and reporting to meet only the minimum requirements of the law and regulations and remove the word “risk” from your writings, job titles, and job descriptions.”</p></blockquote>
<p>[emphasis mine]  Aaaaaaacckk! (that was me running screaming from the room!).<br />
The article appeared in last month’s issue of The ISSA Journal, volume 8 – issue 7, page 12, entitled “Our Excessively Simplistic Information Security Model and How to Fix it.”  The main point of the article is Parker’s proposal to expand our traditional “CIA” model (confidentiality, integrity and availability) to the new “Parkerian Hexad” in which he introduces three additional attributes or objectives of security, utility, authenticity and possession, explains why these three new attributes cover things that weren’t covered before and how they complete the model of information security.  Parker also adds many new types of controls (yes, Virginia, prevention, detection and correction are not enough anymore).  And he also proposes new objectives for information security, including: avoidance of negligence; an orderly &amp; protected society; compliance with laws, regulations, and audits; ethical conduct; and successful commerce; and competition.  The problem is, these new objectives replace risk reduction.  Unfortunately, “removing risk” from the definitional model of information security is impossible and absurd and to advocate it throws our whole profession on its ear.</p>
<p>There are many things in Parker’s article that I agree with.  The three new attributes he proposes can be shown to relate to “CIA” in a very complementary way.  As the velocity of information through our systems and networks continues to accelerate, we will very likely see more instances in which a breach in possession occurs when confidentiality is unaffected; availability will be fine but utility will be impaired, and integrity will be intact but authenticity will be revealed to be bad.  Parker’s point here is we have oversimplified the things we are striving for, and in so doing have missed important elements.  However, Parker’s arguments against risk are themselves simplistic and rhetorically throw the baby out with the bathwater.  He mostly rails against the calculation of aggregate risk for a company or organization and notes, quite correctly, that the actual risks from disparate and ostensibly independent threats may be in many cases highly correlated yet we have no idea exactly how they interrelate.<br />
Parker correctly exposes the computation of aggregate risk for a company – or, for that matter the combination of precise risk results from uncharacteristic threats (say, the sum of the ALEs from airplane disasters and earthquakes) – as at best intellectual adventures or, worse, dangerous illusions.  But “remove risk from your writings”?  No way does that make sense.</p>
<p>In the late 1970s Alfred Kahn, an economist from Cornell University, once intemperately referred to a potential outcome of unwise policy as likely to lead to a recession, or a deep depression.  White House advisors to President Carter objected and thereafter Kahn promised never to refer to a “recession” by name.  He later jokingly said to reporters that while he could not comment on the likelihood of an economic downturn, he could talk about a “banana.”  Later, he changed the fruit to a kumquat after a large banana company complained (I’m not making this up…).  What are we to do without “risk” to talk about?  The ideas of active acceptance of risk, residual risk, and inappropriate risk that we have worked so diligently to nurture, are good and we benefit from that common language.  Risk is important…no, it is crucial.  Without it we are simply mumbling about the abstruse.  If I start talking about an orderly society and ethics, as Donn Parker argues in his article, I’ll use up all of my boardroom time slot explaining terms, then my controls proposal will get voted down because no one will have a clue what I’m talking about.  In the movie “Ghostbusters” Egon describes the elevated amount of psychokinetic energy in New York as a, “Twinkie 35 feet long weighing approximately 600 pounds.”  When your latest pen test report discloses multiple severity one exposures and shocking unpatched vulnerabilities, instead of referring to this as inappropriate risk, you can quote Winston Zeddemore from the movie,</p>
<blockquote><p>“That’s a big Twinkie.”</p></blockquote>
<p>In part 2 of this blog, I’ll talk about why I think Risk has an undeservedly bad name, what problems have emerged by a careless use of risk terms and how to deal with all of this in a way that helps your program.  If you are busy “removing risk” from your writings, at least turn “Track Changes” on so you can get it back later…</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2010/08/17/remove-risk-from-your-writings-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tylenol Redux &#8212; Institutional Amnesia</title>
		<link>http://blog.emagined.com/2010/05/29/tylenol-redux-institutional-amnesia/</link>
		<comments>http://blog.emagined.com/2010/05/29/tylenol-redux-institutional-amnesia/#comments</comments>
		<pubDate>Sat, 29 May 2010 13:45:26 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[crisis management]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/2010/05/29/tylenol-redux-institutional-amnesia/</guid>
		<description><![CDATA[In 1982 a crazy person put cyanide-laced capsules in several bottles of Tylenol painkiller and put them back on the shelves of drugstores for sale. Several people died or became ill as a result. I&#8217;ve often talked about this case primarily to highlight the wisdom of dealing with crises proactively to minimize the potential [...]]]></description>
			<content:encoded><![CDATA[<p>In 1982 a crazy person put cyanide-laced capsules in several bottles of Tylenol painkiller and put them back on the shelves of drugstores for sale. Several people died or became ill as a result. I&#8217;ve often talked about this case primarily to highlight the wisdom of dealing with crises proactively to minimize the potential damage. In 1982, we had not yet had a case where toxic chemicals were placed into over-the-counter bottles with such dramatic effect. There was no precedent; no one knew what to do. But the McNeil company, makers of Tylenol (now a subsidiary of Johnson &amp; Johnson) didn&#8217;t let that stop them from mounting what in retrospect still appears to be one of the most adroit crisis response efforts ever mounted by a company in response to a crisis that threatened its very existence.<span id="more-760"></span></p>
<p>Yesterday, we learned that that same company has experienced a growing rate of incidence of quality problems in its Tylenol production but over a period of several months has not managed to either bring about a convincing response or explain itself to the public. The United States Food and Drug Administration has apparently referred the matter to the authorities for potential criminal prosecution. What a difference 28 years makes in the evolution of corporate culture. Apparently Johnson &amp; Johnson and McNeil have a serious problem with corporate amnesia. Of course, the executives and managers who responded in 1982 are probably all retired by now. One might assume that the 1982 problems with Tylenol would be required reading for people at McNeil and even at Johnson &amp; Johnson. Or, maybe some genius MBA told McNeil management &#8220;look at the mortgage meltdown: ethics don&#8217;t matter anymore.&#8221; Whatever the cause, McNeil has obviously lost all touch with the wisdom and common sense that guided it 28 years ago.</p>
<p>What probably happened at McNeil was plain old garden variety CYA and inertia. Same as happened in the hours leading up to the Challenger disaster in 1986.  Management was committed to launch. Engineers had really good gut instincts and a little bit of data to support their gut.  But the engineers lacked a convincing argument connecting their instincts to their data and, as a result, management made the wrong decision. The real question here is: is there a systemic problem in McNeil&#8217;s production processes? If we think there&#8217;s a systemic problem isn&#8217;t it good for business to confront that problem publicly and deal with it decisively? Even if we are sure that there is no systemic problem, could the public perception that a systemic problem exists develop and still hurt our business? Don&#8217;t we have an obligation to stop that from happening? What&#8217;s the best way to stop it?  Apparently, this line of reasoning did not emerge at McNeil.  Or, if it did emerge, management was not convinced.</p>
<p>It&#8217;s too soon to tell whether the recent problems with McNeil quality in Tylenol production will have the same effect on Johnson &amp; Johnson stock price and Tylenol market share as the cyanide incident had in 1982.  But we can safely assume that McNeil will discover (re-discover?) that when it comes to consumer confidence, perception is reality. Toyota discovered this. In 1982 McNeil discovered this. So perhaps the real wisdom in the latest Tylenol scare is that preserving institutional knowledge is hard work whether it is the recipe for a popular soft drink or the chemical process for fabricating a market-leading product. In the case of Tylenol, we&#8217;ve learned that it is possible for an organization to completely forget principles that were almost universally recognized to contribute directly to the company’s success. It is a rather stunning lapse.</p>
<p>What does all this have to do with information security? In the real world, bad things happen. Well-implemented processes contain controls commensurate with the risk posed to the firm from potential process failure. Lapses in product quality are just like data breaches in this regard. Our information handling processes must take into account the risks of potential process failure to the organization. Information security is primarily concerned with this issue. Do you have breaches in your past? Does your industry have breaches that everyone should learn from? Study those incidents and cases and take as much learning from them as you can to help form your own business decisions. Don&#8217;t be like McNeil and forget the guiding principles of crisis management that stood you in such good stead only a relatively short time ago.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2010/05/29/tylenol-redux-institutional-amnesia/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Archive Everything Forever, Part 2</title>
		<link>http://blog.emagined.com/2010/04/13/archive-everything-forever-part-2/</link>
		<comments>http://blog.emagined.com/2010/04/13/archive-everything-forever-part-2/#comments</comments>
		<pubDate>Tue, 13 Apr 2010 18:48:15 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/?p=724</guid>
		<description><![CDATA[In part one of this blog, we explored how clueless regulators levied an almost ridiculous standard of control on securities firms over 15 years ago in an effort to get ahead of the curve on the rapidly growing phenomenon of Internet communication.  At the time, they told securities firms to &#8220;archive everything forever&#8221; which of [...]]]></description>
			<content:encoded><![CDATA[<p>In part one of this blog, we explored how clueless regulators levied an almost ridiculous standard of control on securities firms over 15 years ago in an effort to get ahead of the curve on the rapidly growing phenomenon of Internet communication.  At the time, they told securities firms to &#8220;archive everything forever&#8221; which of course at the time no one had any idea how to do.  In part one of this blog, we discussed how regulators had been essentially behind the curve on monitoring of electronic communications and how this has led to what could be perceived as an overcorrection by regulators to try to get a handle on communications by people involved in the securities industry.</p>
<p>No one really disputes that there is a legitimate government role in monitoring securities markets for inappropriate activity that could indicate an illegal breach of insider trading and other arcane securities laws.  Problem is, with the multitude of communications channels now available to every employee and every relative of every employee of every securities firm, firms and regulators face a daunting task in monitoring of communications.  When I started my employ at a Wall Street firm, one of the things I had to do was register all of the open securities accounts in my name.  Six weeks later, I was called into the office of one of the compliance officers of the firm and asked to explain why I had omitted a particular account.  Surprised by the existence of this account, I explained that apparently it was an account created by an overzealous commodities account rep hoping that I would become an active commodities trader.  The balance in the account was $.62 in a gold fund.  Despite the small amount of the account balance, it was a dead serious meeting with the compliance officer.  Basically, he had grounds to fire me for misrepresenting my list of registered security accounts.  Only when I offered a lame excuse that I did not know the account had been opened up on my behalf and that there was no activity in the account whatsoever other than the opening balance, was I let off the hook with a warning.  At that firm, as is true with most securities firms, one may only have an account which resides at the firm and which is subject to the intense oversight of firm compliance officers who regularly check for activity in sensitive securities. For example, say I decide to buy 100 shares of Cisco.  For an employee at the firm, a few days might elapse and then a call might come from the compliance department saying &#8220;you know that trade in Cisco last week? Well, that trade never happened.”  This would be a sign that there was likely some transaction involving Cisco being managed by the firm for which any activity by a firm employee in Cisco could be viewed as suspect.  No one grateful for their paycheck at a securities firm really argues about this kind of enforcement.<span id="more-724"></span></p>
<p>But what to do about texting and social networks?  Wouldn&#8217;t it be easy to post something on Twitter or Facebook which might give an indication to someone that a trade in such and such a security might well be worthwhile? Of course it would.  But monitoring these communications channels would be simply impossible in today&#8217;s environment.  How could a firm know for example that it had reviewed all of the communications by a particular employee in each of a dozen potential channels any of which could be misused for insider trading?</p>
<p>In part one of this blog, I suggested that now is the time for firms to identify when security more closely aligns with customer and product values and to move away from regulatory and risk-based justification for security investments. I don&#8217;t mean to suggest that regulations or risk are unimportant in making decisions about security controls.  However, for industries that have been operating programs of security controls for over two decades, arguably the limits of security benefit to be attained based on regulation and risk reduction have already been achieved.  Now, we&#8217;re in an era of cost and budget reductions which will be imposed with the understanding that underlying security will at minimum stay the same if not improve.  Only by identifying opportunities to create added value within products that customers will pay for by implementing innovative new security controls will firms be able to advance the practice of information security.</p>
<p>Of course, one approach to the social network problem is to have the firm merely prohibit employees (and possibly their relatives) from having or using social networks accounts.  This seems draconian at best.  And probably unenforceable.  So let&#8217;s rethink the idea of appropriate control and oversight for use of social networking sites.   Why not require that employees register with the firm their social networking accounts, including Twitter, Facebook, LinkedIn, etc., as well as any devices they may use for texting?  Then, the firm could develop an app that would act as a &#8220;traffic cop&#8221; for use of these networks by firm employees.  Part of the understanding would be that the firm is able to perform surveillance on all traffic by these employees on said networks.  The firm might then elect to archive messages as well as other kinds of interactions with networking sites such as entries to profile pages, etc. in a condensed manner that could later be easily searchable.  Now, the firm&#8217;s ability to use social networking as an indispensable appendage to a professional’s day-to-day interaction with their business network becomes something that can be exploited for firm advantage.   Almost all of the discussion about social networking in security circles has been on the negative side.  How do you prevent it?  What policies are needed to control it?  Etc. etc.  This is security people reverting to form: that is, the answer is &#8220;no.&#8221; When people figure out that the answer has to be “yes,” then security people can take off the blinders and participate with firm managers to identify innovative ways of getting to yes. Having a registered set of social networking accounts and texting vehicles &#8212; complete with all the necessary privacy disclaimers &#8212; might be one excellent way for securities firms and others to get on top of the social networking juggernaut.  In this way, firms can turn security to their advantage.   
A complete archive of all social networking entries could easily be used to absolve valuable employees from suspicion when in the absence of such archives they might be suspected or accused of wrongdoing.  Security people need to learn that the ability to exclude someone from suspicion after any incident may be just as valuable if not more so than the ability to match the evidence with the bad guy.</p>
<p>Until firms can do something like this, it seems inevitable that we will have to relearn the same old lessons Gordon Gekko taught us back in the 80s.   With each new communications channel comes a risk of misuse in violation of securities laws.  Let&#8217;s get over that and move to a world where well-intentioned employees can use modern technology in a way that benefits themselves and the firm, comfortable in the knowledge that a full record of their use will be around if they ever need it.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2010/04/13/archive-everything-forever-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tips to approve Security Business Projects &#8211; James Anderson at RSA 2010</title>
		<link>http://blog.emagined.com/2010/04/01/tips-to-approve-security-business-projects-james-anderson-at-rsa-2010/</link>
		<comments>http://blog.emagined.com/2010/04/01/tips-to-approve-security-business-projects-james-anderson-at-rsa-2010/#comments</comments>
		<pubDate>Thu, 01 Apr 2010 19:07:54 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/?p=761</guid>
		<description><![CDATA[At RSA 2010 James Anderson, Executive security consultant at Emagined Security, gives me insight into his session: Security Business cases – Fact and fiction in selling security.  More specifically, we talk about the following: Steps to walk through in creating a security business case to get approval for your security project and hard versus soft benefits [3:43] Tips [...]]]></description>
			<content:encoded><![CDATA[<p>At RSA 2010 James Anderson, Executive security consultant at <a href="http://www.emagined.com/">Emagined Security</a>, gives me insight into his session: Security Business cases – Fact and fiction in selling security.  More specifically, we talk about the following:</p>
<ul>
<li>Steps to walk through in creating a security business case to get approval for your security project and hard versus soft benefits</li>
<li>[3:43] Tips on creating the business case</li>
<li>[5:43] Key flaws in logic when people present their business case</li>
<li>Where security risk analysis plays a good role to build your case</li>
<li>[9:14] Examples of where security can be tied to revenue</li>
<li>[12:28] Examples of security adding value which don&#8217;t fall directly into the hard or soft benefit categories</li>
<li>[15:35] Recommended resources for learning more on these topic areas and where he would like to see the industry go.  How you can tell a CISO is good.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2010/04/01/tips-to-approve-security-business-projects-james-anderson-at-rsa-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Death of Risk</title>
		<link>http://blog.emagined.com/2010/03/01/the-death-of-risk/</link>
		<comments>http://blog.emagined.com/2010/03/01/the-death-of-risk/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 20:47:52 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/?p=666</guid>
		<description><![CDATA[My friend and colleague Donn Parker, security consultant and researcher par excellence, gives an RSA session entitled “Alternatives to Security Risk Management” (RSA P2P 204A Weds at 1pm Burgundy 222) in which he attempts once more to debunk the myth that “risk can be managed” in information security.  Donn has been on the forefront of [...]]]></description>
			<content:encoded><![CDATA[<p>My friend and colleague Donn Parker, security consultant and researcher <em>par excellence</em>, gives an RSA session entitled “Alternatives to Security Risk Management” (RSA P2P 204A Weds at 1pm Burgundy 222) in which he attempts once more to debunk the myth that “<em>risk can be managed</em>” in information security.  Donn has been on the forefront of thinking about information security since the 1970s and he is used to being ignored by all types of people who either don’t get it or haven’t figured out a way to exploit an idea for profit yet.  Sometimes his rants can seem quixotic but almost always look prescient after-the-fact.  Here is an example.  Donn is <em>not</em> saying that “risk doesn’t matter” (although read below for more on this notion), but he is saying that the idea that an organization can use quantitative techniques analyzing detailed risk profiles around data and controls to make decisions about information security is pure bunkum.  I agree…mostly.<span id="more-666"></span></p>
<p>Controls <em>can</em> be managed.  And we should continuously develop our ability to manage controls so that – at minimum – we keep pace with the rapidly changing threat landscape and the less-rapidly evolving state of controls and best practices.  On this Donn and I agree.  However, I believe that CISOs and organizations should be able to address a big risk (that is: (threat * likelihood of attack success) * impact) before they address a small risk, which implies a crude quantitative analysis.  You could define “risk management” as “managing the controllable portion of risk facing the organization” and be done with the controversy.  Unfortunately, CEOs and CFOs will expect the implied definition &#8212; that when you implement your brand new control, overall risk to the organization will have been reduced by the amount you promised.  Donn’s point is that is folly and potentially career limiting if something bad does indeed happen anyway.</p>
<p>But hold on a moment.  Maybe <em>it’s not career limiting after all to maintain a façade of risk management</em>.  Take a look at two recent exhibits for the prosecution: (1) the housing-credit-crisis and the resultant recession, and (2) the TJX data breach.  I really want to write about (1) but I’m throwing in (2) for those of you who might say, “Well, that was a special case – an outlier and not something we should use to guide us.”  The housing-credit crisis was the direct result of a willful failure of risk management.  Executives at a small number of very large and powerful financial institutions, aided by regulators who were predictably transfixed by the beauty of their own financial models, took huge and – in hindsight anyway – unjustifiable risks in order to score big playing the financial markets.  OK, what they did was bad, right?  But look who lost their jobs.  Thousands of employees at Bear, Lehman, WAMU and Wachovia (and others).  But how many of the executives that actually made the bad bets?  Not many.  FNMA said house prices would decline by at most 5%.  Goldman’s WOW (“worst of the worst” cases) model said 30%.  The rating agencies, who hawked AAA ratings like papal indulgences in the fifteenth century, said 15% to 20%.  There you have “risk management” at its finest.  Smart economists have told us that you cannot spot a market bubble until after it has burst and unfortunately most investors tend to get in right before the bubble collapses.</p>
<p>Take a look at TJX, if you think the current recession is an outlier.  The accompanying chart shows that the March 28, 2007 announcement of a massive data breach at TJX had little or no discernible effect on the stock price of the company.  TJX recently announced record profits and – just a year after hundreds of billions of bailouts were doled out &#8212; Wall Street bonuses were up 17% over 2008.  Conclusion: <span style="text-decoration: underline;">there is no longer a penalty for taking untoward risk</span>.</p>
<p>So what is the purpose of information security risk management?  Go to Donn Parker’s RSA session and find out for sure.  But my guess is it is – at best &#8212; a very fancy fig leaf.</p>
<p><a href="http://blog.emagined.com/wp-content/uploads/2010/03/TJX-4YR-Chart-with-Annotations.png"><img class="alignleft size-full wp-image-667" src="http://blog.emagined.com/wp-content/uploads/2010/03/TJX-4YR-Chart-with-Annotations.png" alt="spot the data breach..." width="413" height="239" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2010/03/01/the-death-of-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Archive Everything Forever, Part 1</title>
		<link>http://blog.emagined.com/2010/01/28/archive-everything-forever-part-1/</link>
		<comments>http://blog.emagined.com/2010/01/28/archive-everything-forever-part-1/#comments</comments>
		<pubDate>Thu, 28 Jan 2010 20:59:24 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/2010/01/28/archive-everything-forever-part-1/</guid>
		<description><![CDATA[What do the Chinese Communist Party and FINRA (Financial Industry Regulatory Authority) have in common? They both want to control and/or censor all communications by their communities. In the case of the Red Chinese, of course, this affects things like whether Tiananmen Square gets sprayed with machine gun fire or Google gets to do business [...]]]></description>
			<content:encoded><![CDATA[<p>What do the Chinese Communist Party and FINRA (Financial Industry Regulatory Authority) have in common?  They both want to control and/or censor all communications by their communities.  In the case of the Red Chinese, of course, this affects things like whether Tiananmen Square gets sprayed with machine gun fire or Google gets to do business in China without shame.  In the case of FINRA in the US, this affects whether registered representatives and their financial firm employers can use social media unfettered.  Free speech?  What free speech?<br />
<a href="http://www.finra.org/Newsroom/NewsReleases/2010/P120780">Recently, FINRA announced</a> that financial firms are responsible for “monitoring” and “archiving” all communications on social media sites such as Facebook and Twitter by people in their employ, mostly targeting registered representatives, those authorized to trade securities for their firms, their clients, or who advise individuals about securities and financial markets.   In fairness, FINRA’s guidance sounds pretty reasonable: “supervise the use of social networking sites to ensure that recommendations are suitable and their customers are not misled.”  And they also state that, &#8220;FINRA does not endorse any particular technology to keep such records, nor are we certain that adequate technology currently exists.&#8221;  OK fair enough.  But what to do?<br />
This reminds me of deliberations I participated in back in the mid-1990s in which the security and operations people in regulated financial firms were told to “archive everything forever,” as a kind of “shot across the bow” by regulators frozen in the headlights of the exponentially growing phenomenon called The Internet. No known technology then satisfied “archive everything forever.”  But that didn’t stop the regulators.  There has always been a requirement to archive communications made on paper.  Later, it was realized that a lot of faxed communications might be bypassing postal mail-based controls.  Later still, recorded phone lines were required (creating kind of a “hot line” class of phones within trading rooms – if you needed to make a personal call, better use a pay phone or a big, clunky cell phone like the ones used by the “LowScore Band” in those commercials) which generated lots of coping behavior among those who needed to communicate regarding non-firm business.  Trouble is, as was well-documented in the original “Wall Street” movie (Oliver Stone plans to release the sequel to the 1987 classic this year) fraudsters also could still escape monitoring by using the same coping mechanisms.  Remember Charlie Sheen breathing into his phone, “Blue Horseshoe loves Anacot Steel”?<br />
This also evokes memories of a case I worked on early in my Wall Street career.  A young trader had posted a comment on a Yankees bulletin board (now there’s an arcane term for you in 2010…) in response to an inappropriate posting of a credit card offer on the same board.  The credit card offer was not in any way illegal, but it so angered the young trader that he posted an expletive-laced rant about how “this board is for Yankees fans,” etc. etc. from his firm email account.  We got five or six sternly worded complaints from people, some of whose children were users of the Yankee-fan board site themselves, who were worried that our firm would tolerate such language.  OK, personal speech by a trader on his lunch time.  But: using a firm-provided and firm-identified email origin.  This damaged the firm’s reputation.  The young trader even said to us, “I knew I should have waited until I was home,” to make the angry post.  He was not surprised to be fired.  Fast forward to today, though.  The distinction between personal and firm-identified email is way fuzzier.  Could someone have researched the IP address used for a typical HTTP session and linked the firm with the bad language in the same way?  Maybe.  Would the firm arrive at the same conclusion about perceived damage to reputation?  Seriously open to question.  This vivifies the problem regulators face today though it has nothing to do with fraud.<br />
“Archive everything forever” was a great example of the kind of clueless regulation securities professionals have faced for a long long time.  Remember, this statement came at a time when Bernie Madoff was probably into his second decade of his little scheme, and the SEC had already conducted its first investigation of Madoff Securities and found nothing untoward.  The problem really is, in today’s climate of “get the greedy bankers,” it is likely that regulation designed to prevent fraud will get more draconian and less effective.  What’s called for is banks and securities firms to take the initiative and provide tools to their employees and agents to help keep everybody out of trouble.<br />
The answer, I think, is found in emergent information technologies today.  Information security has reached a great watershed in its evolution from preventive, inwardly focused tools to externally focused, product and value enhancing tools.  I foresee a day when it will truly be possible to differentiate firms by the security they demonstrate, not just dubious self-assertions.  In Part 2 of this blog, we’ll develop this idea more completely.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2010/01/28/archive-everything-forever-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What We Learned About Security in 2009</title>
		<link>http://blog.emagined.com/2009/12/31/what-we-learned-about-security-in-2009/</link>
		<comments>http://blog.emagined.com/2009/12/31/what-we-learned-about-security-in-2009/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 22:46:49 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/2009/12/31/what-we-learned-about-security-in-2009/</guid>
		<description><![CDATA[2009 was a tumultuous year for the country, the economy, and for many information security programs and professionals.  Although Forrester’s Andy Jacquith (Twitter @arj) surveyed security practitioners in March and came to the conclusion that three out of four programs had not been cut, my own experience talking with colleagues and clients over the year [...]]]></description>
			<content:encoded><![CDATA[<p>2009 was a tumultuous year for the country, the economy, and for many information security programs and professionals.  Although Forrester’s Andy Jacquith (Twitter @arj) surveyed security practitioners in March and came to the conclusion that three out of four programs had not been cut, my own experience talking with colleagues and clients over the year has been different.  Many organizations have severely cut back, decided not to fill open positions, or otherwise limited financial resources that might otherwise have been available to information security functions.  There&#8217;s nothing wrong with this; organizations and economies ebb and flow and practitioners and leaders in information security need to be ready for the inevitable cutbacks, just as they prepare for and advocate for the important new initiatives.</p>
<p>But we did learn something very important about information security in 2009.  How firms and their senior leaders internalize risk and make decisions about risk was in many important ways laid open to public view in 2009 in a way that has never before been possible.  When discussing risk management programs in the past, I&#8217;ve always pointed to the financial industry with its chief risk officers, chief investment officers (the other &#8220;CIO&#8221;) and generally sober and serious approach to all things risk including audit and compliance, as the paradigm for risk management.  But in 2009 we found out that was not necessarily true.  Senior managers throughout the financial industry made risky decisions, &#8220;bet the farm,&#8221; and otherwise increased their firm&#8217;s exposure way beyond the levels of risk typically underwritten by information security departments, and did so in the face of clear evidence (now, with 20/20 hindsight, I admit) that a crushing downturn was coming.  Several senior leaders are no longer in their positions now in part because of the fallout of these decisions and the general leadership style that ignored or winked at this risky orientation. And all of this against a backdrop of what has been argued are unjustifiable compensation packages given the poor performance of many financial institutions (car companies, too) and the resultant taxpayer bailouts that took place.</p>
<p>What wisdom should we take from this?  I believe information security professionals have been given some of the best data points yet available about how firms and senior executives are likely to internalize risk that affects their organizations and their organizations&#8217; major stakeholders.  This should influence how we communicate about information security risks and other risks inherent in the information technology function.  Many senior executives were paid for taking too much risk – and paid very very well for it.  The upshot of the mortgage meltdown, credit crisis, and resultant economic malaise is that unless organizations change dramatically, a risk-based approach to persuading business leaders about the advisability of implementing new information security controls and tools is less relevant and less likely to succeed than ever before. In short, it&#8217;s not enough to frighten them about the implications of the big breach or the potential expense of a forced remedial compliance effort after some other security incident.  How senior leaders behave on security and other technology risks – which are far more esoteric and difficult to estimate than the kinds of financial risks that have brought down some of Wall Street&#8217;s biggest names &#8212; is likely to be even more freewheeling with corporate resources than ever before. I reiterate that this conclusion depends on a general continuation of the trend toward more aggressive risk-taking with company resources. If something happens to change the culture of how organizations view risk and accept risk on behalf of the firm, its shareholders and other major stakeholder groups, this could turn out to be an incorrect conclusion.  However, there is no evidence whatsoever that the incentives for taking excessive risk have lessened nor do we see increases in the penalties and disincentives for taking too much risk or for bearing the inevitable losses that will take place with too much risk.  
No, it will become easier – not harder &#8212;  for managers to say &#8220;we can&#8217;t afford that level of security,&#8221; or to say, “We’ll run noncompliant for another year and see what happens,” after you present the implications of not being compliant with PCI again this year.  There is simply nothing to counterbalance the tendency for organizations to take too much risk and let others underwrite the losses.  In fact, what used to be &#8220;career limiting decisions&#8221; in the vein of accepting too much risk are now clearly in the realm of &#8220;moral hazard.&#8221; Top executives make so much money today that if something bad happens on their watch, they simply retire and go into consulting.  Or maybe someone will bail them out, too.  The millions they’ve been paid in cash and options will more than easily sustain a comfortable retirement even for the yachting crowd.  And about those “clawbacks” (of excessive compensation) we’ve heard about, the inevitable litigation will likely be almost as painful as the losses themselves, so we won’t see many of those either.</p>
<p>As a profession, information security must get better at defining and quantifying the risks inherent in not attending to information risk management. Simultaneously, we must continue to shift the emphasis from a risk-based justification for info security to a revenue-based justification. If the 1990s were years of &#8220;information security enabling the business,&#8221; then the decade just completed has been about learning that enablement wasn&#8217;t enough.  And the decade to come will be the one in which information security managers will be forced to take their place among those who generate revenue for the business and in so doing closely align information security with the products, services and customers of the company.</p>
<p>I&#8217;ve always advocated that information security managers keep a fresh copy of their resume at home. This is less humorous than it used to be.  Information security managers are increasingly the &#8220;designated scapegoats&#8221; for the kinds of breaches and losses that are all too frequently occurring in IT today.  But if there continue to be no real barriers to the moral hazards of accepting too much risk on behalf of shareholders, and senior executives continue to be paid handsomely for short-term revenue, profits, and stock price objectives, then selling security based on risk alone will become &#8220;old hat&#8221; this year.</p>
<p>Here&#8217;s to a new year filled with new assurances that the vital information we manage is well protected against the increasing threats to it.  With that I know we’ll all have a very Happy New Year in 2010.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2009/12/31/what-we-learned-about-security-in-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employee Surveillance Hysteria and Other Musings</title>
		<link>http://blog.emagined.com/2009/12/28/employee-surveillance-hysteria-and-other-musings/</link>
		<comments>http://blog.emagined.com/2009/12/28/employee-surveillance-hysteria-and-other-musings/#comments</comments>
		<pubDate>Mon, 28 Dec 2009 22:48:06 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/2009/12/28/employee-surveillance-hysteria-and-other-musings/</guid>
		<description><![CDATA[Today&#8217;s news includes a story about the ORCA card in the greater Seattle area. It seems that a new unified transit card being made available to residents of the greater Seattle area includes the provision that employers have access to transit ride information for those employees for whom their employers subsidize their transit card purchase. [...]]]></description>
			<content:encoded><![CDATA[<p>Today&#8217;s news includes a story about the ORCA card in the greater Seattle area. It seems that a new unified transit card being made available to residents of the greater Seattle area includes the provision that employers have access to transit ride information for those employees for whom their employers subsidize their transit card purchase. The annual benefit to a subsidized employee is nearly $1000. However, not surprisingly many people are whining about the perceived breach of &#8220;privacy rights&#8221; and the egregious behavior of their employers when they &#8220;snoop&#8221; into their employee&#8217;s transit ride information.</p>
<p>Some employers have stated that they intend to access the transit ride data &#8212; which includes date and time and information about rides &#8212; only when there is a need to investigate it after receiving other information about potential abuse.  For example, a person claims five hours of overtime on a given day but transit ride information reveals that only a normal shift was worked.  Or, a person calls in sick but transit ride information reveals that they traveled to see a ballgame that day.  Other employers like Boeing have stated that they view transit ride information in a more “hands off” manner and do not plan to access it even if it might be relevant to investigate fraud.  Of course, there will always be people in our country who are seriously confused about ethics, rights, and legalities.  It is, after all, a complicated world we live in. However, this issue reminds me of something that happened to me twenty-some years ago and a continuing lesson for information security professionals for the future.</p>
<p>I once worked for a company that installed a new card reader system for door control.  This required everyone to carry their own picture badge.  There was a concern that it was too easy for unauthorized people to enter the premises, which at that time was growing rapidly and would have six or seven buildings on the main campus and quite a number of smaller sales offices around the country. Automatic door control also enabled some doors to become unmanned rather than retaining the need for 24/7 guard staffing and the attendant high cost that implied. At the time of installation, there was great controversy about the potential for employer abuse of the door control system. People were moaning and whining about how the company was going to mine the door control system data and find them or penalize them for a few minutes of tardiness or other such minuscule infractions. In the several years I managed that system, there was not one single complaint of abuse of the door control data. In fact, to the best of my knowledge, the door control data was never accessed and used for anything other than (a) determining how an individual accessed a particular entry door when their cards had not been programmed for it (this usually means they used someone else&#8217;s card); and (b) determining if someone was at work after independent suspicions of absenteeism or timecard fraud had been raised. On a number of occasions, door control data was used successfully to pursue disciplinary action against an employee who was committing fraud about their attendance. But looking back, I can think of no one who would now claim that having picture badges and automatic door control systems at the many points of entry for this company in any way infringed on employee rights to privacy.  In fact, most would have to admit that the system actually promoted efficiency and free flow of traffic throughout the offices.</p>
<p>The ongoing lesson for security professionals here is that when implementing a system that might be used for intrusive surveillance, define an ironclad policy of how the data will be collected, stored, destroyed and all permissible data uses. Communicate this policy clearly to all of those affected. Then walk the talk. Don&#8217;t use the data for any purpose other than that for which it is being collected. This also includes deleting the data when you know it will no longer be necessary. Ask yourself: have you ever been asked to conduct an attendance investigation using door control data against events older than a few months? Probably not. If you&#8217;re holding door control data I strongly urge you to delete all data older than, say, 90 days or 180 days. At the same company we implemented ironclad data control policies in other areas forcing the automated deletion of data after a certain aging threshold had been reached. This policy has paid for itself time and time again when we proved that the data no longer existed after outside agencies &#8212; including those armed with subpoenas &#8212; demanded we produce it. Unless employee data is specifically required to be retained by law or regulation, there should be a policy covering its collection, storage, use, and destruction. And make sure you follow those rules.</p>
<p>One other lesson I&#8217;m reminded about in this incident is that not all data use issues are the sole purview of the information security manager. I frequently see managers struggling to get control of controversial issues like detailed use of the Web, e-mail surveillance, cell phone and mobile surveillance, IM tracking etc., etc. These are not &#8212; repeat NOT &#8212; information security issues.  They are policies that should be defined, justified, and carried out based on the needs of the business; whether information security needs to be involved due to the tools chosen to enforce these policies is a totally separate matter. It&#8217;s not up to the information security guy &#8212; or gal &#8212; to define whether certain religiously oriented websites should be accessible over the employer-owned intranet. This task should be defined by someone in human resources according to the cultural needs of the company. All too often, information security tools are misused in a way that increases confusion and anxiety in the minds of employees and the information security manager bears the blame. Case in point: I once implemented a web tracking system at a major investment bank. Initially 10 or 15 categories of &#8220;inappropriate site&#8221; were implemented and on day one my phone began ringing. &#8220;Why can&#8217;t I access university research data?&#8221; &#8220;I can’t get to brewery sales information.&#8221; Etc. etc. We found out in the space of about one week many issues where an ostensibly &#8220;inappropriate&#8221; category of information turned out to be necessary for business. In the end, the things we stuck to in terms of implemented policy were hate, porn and gambling. These sites were never needed for business. But we did have to tinker with the filtering system because the word &#8220;sex&#8221; also appears in many situations that are most decidedly not pornographic but are in fact necessary for business. 
Also, I learned from my UK colleagues that online betting on the ponies is not considered in any way inappropriate in many UK cultures and so the restriction against gambling related sites also had to be fiddled with.</p>
<p>As an information security manager, it is important to be able to separate the concept of the tools we use from the policies we enforce. In a world of increasingly powerful tools such as data leakage prevention it is very important to have pre-established policies and methods to enforce those policies well in advance of implementing the tools. If a tool can be used for intrusive &#8220;snooping&#8221; then be prepared to show how such snooping never happened and demonstrate conclusively that effective controls exist for use of the tool that limit all potentially intrusive access to only those instances that are approved according to the company&#8217;s policy.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2009/12/28/employee-surveillance-hysteria-and-other-musings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Consumer Education Is No Longer Enough to Fight Phishing</title>
		<link>http://blog.emagined.com/2009/10/12/consumer-education-is-no-longer-enough-to-fight-phishing/</link>
		<comments>http://blog.emagined.com/2009/10/12/consumer-education-is-no-longer-enough-to-fight-phishing/#comments</comments>
		<pubDate>Mon, 12 Oct 2009 19:50:49 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA["bank fraud"]]></category>
		<category><![CDATA["security education"]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/2009/10/12/consumer-education-is-no-longer-enough-to-fight-phishing/</guid>
		<description><![CDATA[In Thursday&#8217;s Bank Info Security newsletter, Linda McGlasson writes about the need for more consumer education and awareness as the primary strategy a bank should employ against phishing and malware.  I don&#8217;t want to in any way criticize the efforts that have been made to date regarding the education of consumers and individuals about malware [...]]]></description>
			<content:encoded><![CDATA[<p>In Thursday&#8217;s <a title="Phishing Plays Us All for Phools" href="http://blogs.bankinfosecurity.com/posts.php?postID=322" target="_blank">Bank Info Security newsletter, Linda McGlasson writes</a> about the need for more consumer education and awareness as the primary strategy a bank should employ against phishing and malware.  I don&#8217;t want to in any way criticize the efforts that have been made to date regarding the education of consumers and individuals about malware and phishing attacks. It&#8217;s a good start.  However, we are fighting a losing battle. When you have such people as FBI director Robert Mueller ending his personal use of online banking after he got burned when he thought he could tell the difference between a genuine e-mail and a phishing attack, this should be a giant signal that we have reached the end of our ability to fight this war through consumer education.</p>
<p>Banks have generally innovated and provided reasonably good security concerning the use of websites for online banking. However, this technology continues to depend on the static password and shared secrets for authentication security. In an age when a significant proportion of PCs have been infected by malware, including key loggers, this is a demonstrably inappropriate strategy for banks to take.</p>
<p>Banks need to improve the customer experience so that use of a bank’s website involves less marketing and more assistance. If I think that the next window is geared toward selling me a product I do not want nor have time to consider, I am likely to click any button that will get me past it. The use of a tiny &#8220;no thanks&#8221; button hidden somewhere on the window plainly demonstrates that banks think marketing is more important than security. And indeed it may be. Banks expect consumers to shoulder a disproportionate burden for resolving fraudulent use of accounts and what banks are spending themselves on security is a tiny rounding error compared to what they are earning as a result of fraud.  How about devoting half of the $35 billion banks make each year on overdraft fees to new anti-fraud initiatives?</p>
<p>Next, banks should adopt a much more aggressive and industrial-strength approach to attacking those who misuse the Internet to propagate malware and fraud. Decoy accounts should be used to isolate and provide early warning on fraudulent activity.  Aggressive forensic investigation should be used to track back to those responsible for malware and fraud. Aggressive and uncompromising use of cease-and-desist orders against all who prosper or encourage the use of malware and fraud must be pursued by the banking industry.</p>
<p>As anyone who has ever experienced fraudulent use of their bank account knows, banks tend to adopt a rather negative attitude toward customers who identify fraud. The attitude is very much that of &#8220;we’ll investigate and come to our own conclusion about whether or not these transactions are legitimate.&#8221; Banks need to recognize that their customers are the ones who discover fraud, and who bear the greatest burden for the resolution of fraud.  Bank customers are banks’ greatest assets in fighting fraud.  Why do banks persist in acting as though customers are somehow responsible for fraud?  Yes, they may have allowed a sophisticated malware attack to infect their PC leading to fraudulent use of online banking credentials – but if the FBI Director himself gets fooled, doesn’t that show that consumers may be doing all they can do?  Criminals are responsible for fraud, not consumers who’ve been fooled.</p>
<p>Statistics about this are hard to come by, however I have a suspicion that banks are benefiting from fraudulent activity way more than they would care to admit. For example, I recently had $3500 of fraudulent airline tickets charged to my account. Thankfully, bank security flagged this on the day the charges were processed and sent me an email which I received on my Blackberry. The following day, I went into my bank to resolve the matter. I was overdrawn and needed to have the fraudulent charges and the $175 of overdraft fees reversed. The manager who helped me had me speak by phone with the bank&#8217;s fraud office to get this accomplished. Reversing transactions were put through that took effect on the following business day (a Monday :-) ) on a temporary basis until a permanent resolution could be approved by the bank. For this business day the bank had use of my funds and the net effect on its balance sheet was to overstate the bank&#8217;s cash position by $3500 until the funds availability was restored in my account. The bank knew it was fraud but waited a day to restore my balance.  I could not use this money. Multiply this by the thousands (millions?) of transactions that succeed in a similar way against bank customers every day, and you have a rather significant bit of dirty laundry to add to the already significant pile accumulated next to the banks&#8217; washer in the basement. In short, this incident &#8212; together with such things as overdraft fee abuse &#8212; illustrates that there is a significant moral hazard involved in banks&#8217; handling of fraud related to their accounts.</p>
<p>This article depends on the premise that widespread use of online banking is a significant positive for the banking industry. I believe this to be true. Banks have achieved significant productivity benefits from implementation of electronic banking measures of all types. But if consumers develop the perception that banks don&#8217;t care enough about phishing and malware to really work hard to stop it, then the electronic banking revolution will fade before it reaches its full potential. One thing banks have learned over the decades is that customer perception about banks is very hard to change. And for their part, banks are rather clumsy in their own approaches to developing and managing their brands. If consumers believe that banks are content to let fraud take place and leave customers to pick up the pieces, that could turn into a huge negative that could take years for banks to reverse.</p>
<p>Hiding from the reality of organized phishing and malware attacks by pretending that all is well will not be productive.  In the current climate of significant mismanagement of risk by banks (sub-prime mortgages, credit default swaps, etc. – dare I say wrongdoing?) banks should realize that the same old “safety and soundness” message they offer regarding handling of fraud creates a real cognitive dissonance among consumers.  The notion that banks play the market like they’re in Vegas, then accept taxpayer bailouts, then pay themselves millions while they place a hold on your money as they “investigate possible fraud” should be killed with a stake through the heart by all banks who care about keeping their deposit base.</p>
<p>Banks should be known as the primary fighters against phishing, malware, and fraud that are out there causing consumers to think twice about using electronic banking services. When consumers are facing financial pressures like never before, banks should be their friend and advocate in fighting fraud, taking much more of a &#8220;we&#8217;re on your side&#8221; attitude.  I would argue that if one half of the unneeded and unwanted marketing messages I receive from banks were converted to helpful and empowering messages about information security that would be a good start to improving our chances in the war against phishing, malware and fraud.  Perhaps banks should offer a bounty to consumers who identify a fraudulent transaction on their online banking statement.  I&#8217;d like to see more headlines about banks cooperating with authorities, filing criminal and civil complaints against individuals and organized crime who are engaged in criminal activities. Only when banks, together with the credit card companies, take the lead in this war will we stand any chance of stemming the tide of phishing, fraud and malware.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2009/10/12/consumer-education-is-no-longer-enough-to-fight-phishing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TJX and the Problem of Opportunity Cost</title>
		<link>http://blog.emagined.com/2009/10/09/tjx-and-the-problem-of-opportunity-cost/</link>
		<comments>http://blog.emagined.com/2009/10/09/tjx-and-the-problem-of-opportunity-cost/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 17:02:53 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA["security breach"]]></category>
		<category><![CDATA["soft dollars"]]></category>
		<category><![CDATA[BIA]]></category>
		<category><![CDATA[ROSI]]></category>
		<category><![CDATA[TJX]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/?p=593</guid>
		<description><![CDATA[When blogging earlier about the aftermath of the TJX breach, I was reminded of something that happened to me years ago that expanded my perspective in understanding the true cost of information security.  I managed a department that included security engineers who operated the global Kerberos based authentication system for the firm.  One day at [...]]]></description>
			<content:encoded><![CDATA[<p>When blogging earlier about the aftermath of the TJX breach, I was reminded of something that happened to me years ago that expanded my perspective in understanding the true cost of information security.  I managed a department that included security engineers who operated the global Kerberos-based authentication system for the firm.  One day at about 10 AM the system went down around the world.  Sessions already logged in were unaffected but no one could log on anywhere on the planet.  This is a fairly major outage and potentially a career limiting one.  After about 45 minutes, we were able to restore service and began accounting for the impact from this potentially catastrophic outage.  This was a large Wall Street investment bank and as it turned out the most profoundly affected unit included foreign currency futures traders. Had the outage occurred earlier in the day, it would have been much broader and more impactful.  We determined that approximately 75 users around the world were affected by their inability to log onto the system. Armed with this information, I went hat in hand to the managing director in charge of this futures trading unit. This is a person who makes about $20 million a year (somewhat more than I made that year :-) ).  He opened the meeting by saying &#8220;Jim, this is a very serious outage and we can&#8217;t overestimate the impact of such a service problem on the firm.&#8221;  I told him I understood this very well and my objective was to try to quantify in dollar terms the actual amount of financial impact that came from this particular outage. We might use this calculation in a variety of ways such as computing the return on investment from an HA cluster or other architectural approach to avoid a global outage in the future.</p>
<p>The managing director reiterated how serious an outage it was and when I pressed him for precise dollar estimates, he said &#8220;that morning, when foreign currency traders couldn&#8217;t logon they were unable to make certain bets in the marketplace. However, had they been able to make bets, they probably would&#8217;ve made the wrong ones given what happened later in the trading day. Therefore, we actually made money from the outage.&#8221;  I must&#8217;ve blinked my lack of understanding because he went on to say &#8220;that&#8217;s right, had my people been able to logon they would have made the wrong bets and lost money for the bank.&#8221;</p>
<p>It&#8217;s kind of hard to build this into the computation of the impact of an outage on the economic success of the firm.  When we made our own economic estimates later, we simply ignored this incident because including a positive number would have implied that it is possible to make money from having a system outage which cannot be a feasible financial outcome upon which a high-availability system can be based.  We did, however, try to calculate how much the outage might have cost had it come two and a half hours earlier and that was a big number…</p>
<p>This illustrates several problems with the computation of business impact of an adverse incident.  Even though statistically there is the possibility that an outage will produce a positive outcome, we ignore those.  By rights we should include them as just as statistically significant as the negative outcomes but our job is to provide protection against the negative outcomes, not the lucky ones.</p>
<p>Justification for information security is heavily biased toward &#8220;soft dollars&#8221;. Attacks that weren&#8217;t successful, outages that didn&#8217;t happen, confidence that was improved and lower overhead from improved security interfaces are all quantified based on soft dollars. However, soft dollars don&#8217;t put food on the table or money into the shareholders&#8217; pockets.  In fact, we always assume that the firm has something useful to do with the money we&#8217;d like to spend on information security if for some reason we didn&#8217;t need to spend that money.  This is what is behind the concept of &#8220;internal rate of return.&#8221;   If TJX had not experienced their breach, what would they have done with the extra earnings they made in 2007 and 2008 after all those customers did not desert them and all of those fines and penalties did not need to be paid?  Maybe TJX would have wasted that money on inventory or new stores that would have proved disastrous once the mortgage meltdown and the credit crunch reached their climax. The point is, you have to assume that the money you&#8217;d like to invest in security (or any other project for that matter) is precious and would otherwise be put to good use. The way to represent this in an ROI spreadsheet model is to use a middling return on invested capital rather than basing the hurdle rate on the most successful outcomes seen for other projects.  By using a middle range threshold, you build in the chance that some investments will go bad and not pay off.  In business school, the joke was that when you asked the professor about the hurdle rate, the answer was that it was a very complex calculation and unique for each different firm or industry, in short, &#8220;10%.&#8221;</p>
<p>TJX spent tens of millions of dollars on fines, penalties and damages resulting from its breach of more than 40 million credit card numbers in 2007.  In addition, it spent a lot more money upgrading its security infrastructure and may in fact have overpaid for those investments because they were made under some duress and perhaps lacked the full architectural thoughtfulness that might have attended less pressure-filled investments.  Assuming that excellent security would&#8217;ve prevented the breach, one would also have to build in as a benefit to security investments the lost margins, legal fees, and perhaps other softer opportunity costs to add to the total benefit stemming from avoiding a devastating information breach.  The stockholders might even like to get some of that stock price back as well.</p>
<p>TJX did not spend the money to have excellent security and instead suffered a breach.  We do not know if that decision was based upon an underestimate of the actual costs – including the soft dollar costs &#8212; of having a breach or real and pressing investments demanded elsewhere in the business that upstaged security.</p>
<p>There are two important lessons for security leaders and architects from this. The first is that there&#8217;s always something else to do with the money when considering making security investments. That consideration is more complex when one considers that oftentimes security is part of the overall IT organization and therefore might not substitute for investments made elsewhere in the firm but for investments in other technologies within IT. During the budgeting and planning process &#8212; or during a mid-year reallocation &#8212; it&#8217;s useful to consider the next project on the list and make certain that the opportunity cost from not investing in that project is appropriately figured into the security investment.</p>
<p>The second lesson is that the more you can drive benefits from the soft dollar side of the equation to the hard dollar side (real revenues, margins, or committed cost savings) the more clear-cut the investment decision becomes. This is not to say ignore or otherwise treat soft dollar benefits as trivial &#8212; this would be a mistake especially when such benefits can be quite substantial &#8212; but it does focus attention on the challenge of actually capturing the benefits after an investment in security infrastructure.  When they are all soft benefits, capturing and documenting financial success is a difficult exercise that can breed cynicism and distrust within the organization when not done well.  When two projects under consideration have equal benefits but one is all soft dollar benefits and the other is hard dollar benefits, the hard dollars or higher revenues or committed cost reductions will trump soft dollars every time.  Employees who can measure their own value to the organization by the generated profits from their transactions in any given day or month want to see all of the promised benefits from new security infrastructure captured.</p>
<p>We can all think of projects that never reached their full potential.  The PKI implementation that never reached full roll-out.  The voice-activated password self-service tool that nobody uses.  The data from the IDS system that is not aggregated.  Etc.  These are all projects that were justified on substantial soft-dollar benefits and it is likely had untold opportunity costs beyond their out-of-pocket implementation costs.  If the opportunity costs had been included, would we have tried harder to capture the benefits?</p>
<p>Know your opportunity costs. These include the financial costs that we&#8217;ve discussed as well as the costs of having people devoted to your project versus other security or non-security priorities. Understanding the depth and character of opportunity costs can significantly improve your ability to justify and win approval for information security projects.  It can also galvanize the organization to drive the project successfully and capture the full measure of benefits.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2009/10/09/tjx-and-the-problem-of-opportunity-cost/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

