All posts by Alex Akinjayeju

Dear Cyber Security Risk Leader

There seems to be constant whingeing from a certain functional leadership within the senior management of organisations. There are at least two such posts on LinkedIn every week from senior professionals and leaders in the Cyber Security field. This is not to say that these complaints are unwarranted or unjustified (we’ll talk about that another time), but first, as I said in my presentation at the Whitehall conference in August 2015 (see the presentation here), we need to get our MOJO back. But seriously, what does that mean?

Whilst I have worked with some very brilliant and articulate leaders in our industry over my two and a half decades in it, some issues constantly reappear; topmost is the seeming lack of a transparent, correlated vision and strategy that aligns with the organisations for which we work. This is the key to engagement with the “board and business”. I must also quickly add that I have been fortunate to work with some colleagues who had this down to a tee.

This engagement with board and business is not a political tool, as it is so often used; our teams must also be engaged and brought into it to ensure we all pull in the same direction, allowing everyone to know their responsibility and contribution to the whole.

Whilst I don’t want to sound like I am preaching to the converted or teaching people how to suck eggs, I reckon it is always useful to be reminded of why we do what we do and to see how we can improve our relationship with the rest of the business and organisation.

From time to time, it is important that security leaders review their approach and strategy for defending the organisation, both from outside and from within. Our strategy must be a living and dynamic document/artefact, reviewed at least quarterly, preferably with other members of our team.

So where to start? The mindmap below shows some of the key areas and aspects of a cyber security strategy. Strategy is a top-down approach, as it is a governance and oversight responsibility.

As the saying goes, a picture says a thousand words; the mindmap helps illustrate, articulate and highlight the key drivers, risks and control areas important for the business. You may use it to:

  1. Identify the organisation’s pain and stress points. It is not an audit tool, but it may be used by auditors to make their findings more aligned with the risk exposure of the organisation and avoid the ding-dong with CISOs over remediation priorities. It helps the conversation between the auditor and the CISO as to why some controls/risks are less important than others and why the CISO would downgrade them or spend scarce resources in other areas.

The pain and stress points should be about the organisation’s business objectives, which are often measured in KPIs. Non-compliance with any standard may be dealt with as a business risk in an open and transparent fashion with the business stakeholders.

  2. The information, data and key business systems that support business objectives are the key cyber security assets to protect and preserve. This information will relate to the business type/sector (manufacturing, aviation, logistics, banking etc.). It helps identify the nature of the information and data the organisation processes or uses, and their importance. For example, the information security risk profile of an airport is different from that of an airline. An airport is a logistics business, similar to a train station or bus garage, the purpose of which is to be a temporary holding place for passengers in transit between two locations. It holds very little data on the passengers other than volumetrics for the planning of facilities, conveniences and other services travellers may need. The “station” does not even have to provide any of the facilities by itself; it can outsource and lease out the space to others to provide the services. The station however must ensure that passengers, travellers and visitors to its station are physically safe and secure while on the premises. If it is an international border “station” such as an airport, it must ensure facilities are available for border control and provide “transitory” security checks for the airlines before passengers are handed over to them. The airline on its part is responsible for security while passengers are in the air.

In this example, neither the stations nor the transport operators have any requirement to hold passengers’ personal information, at least while we are not in a Gestapo state, but of course anything can happen under COVID-19. However, since 9/11, airlines may be obliged to hold certain passenger information for a limited period of time depending on jurisdiction.

  3. Still on information, data and information systems: it is important to know the critical and sensitive business data and information, where it is stored or processed within and outside of the business, and its value and relative importance to the organisation’s goals. What is it worth in pounds and pence? Can the business live without it? What’s the opportunity cost?

This point is all about value and provides a basis for how much should be expended on controls. It may also provide the basis for how much risk the organisation is willing to take, i.e. what level of control are we aiming for? What security maturity level is sufficient for our organisation? What do we do with risks that we cannot control? Certainly we cannot control or eliminate every risk even after we have applied our controls; besides, there is a limit to the effectiveness of controls.

Of big importance is the question: what level of security capability maturity, mapped to a risk level, are you aiming for? Would you know when you arrive there? What does it look like?

  4. We should not be talking about implementing controls until we have considered all of the above. However, most environments are brownfield, where controls have already been deployed, which is why most newly appointed security leaders start with the controls and security improvement programmes, and why they struggle. The discussion should start at the Infosec Risk Strategy Considerations on the mindmap! A newly appointed CISO should spend the first 90 days between steps 2 and 3 (Infosec Risk Strategy Considerations and Controls) on the mindmap. Of course this does not exclude addressing burning-platform low-hanging fruit!

You need to understand who might be interested in your organisation’s information or data as an adversary, and what their resources and capabilities are.

  5. There are very many drivers for information security in an organisation, and hopefully our risk considerations will have covered them. They serve as the principles on which our controls are based. Cyber security policies are the first expression of those principles in how we want to control them. The biggest challenge in most environments is “should our policies be holistic and cover all of our principles against our risks” or “should our policies only stipulate the controls we already have in place”. The argument is often that if we take the first approach we would immediately be non-compliant with our own policies, which most CISOs find puts them on the back foot against auditors, potential customers and the board. My approach, which I must say has not won me a lot of friends, is the holistic policy covering all risk areas. This should then be supported by a gap analysis of where we are against the policy, thereby providing a basis for continuous improvement. It is transparent and shows you know where your risks are, and that you have a plan in place to address them.
  6. Key Risk Indicators (KRIs) have bidirectional input; however, I tend to favour the top-down direction, because it talks to the business objectives and is linked to the organisation’s Key Performance Indicators (KPIs). The lower-level indicators are often technical considerations which should have been adequately covered if the high-level indicators are robust enough. Low-level KRIs may also be used to validate the high-level indicators.

Essentially, KRIs should form the basis of the metrics reported back to the business; anything else is superfluous! Metrics may be subsumed or called out within the context of KRIs. This information should be available or extractable from security controls and GRC tools at the click of a button, 24/7/365.

So what are the KRIs for your organisation? Are they aligned to the business objectives? Are you reporting on them? Can you call them up in real time?

After all is said and done, there are some factors, such as the organisation’s culture, that affect every aspect of the implementation and success of what is discussed above. The CISO has little or no control over the organisation’s culture and will do well to assess whether it supports him/her in delivering what the organisation has asked for, or what they need. Is he/she prepared to give them what they have asked for, or what they need? The organisation may actually not know what they need and may just want him/her to be a tick in the box. If it doesn’t support me, I would consider my position or else be prepared for a very rough ride.

Data Security and Data Governance – Siblings from the same Parents

This article was originally published on July 17, 2020 on http://www.nicolaaskham.com


Cyber security is a term often used interchangeably with Information Security or other scope-specific terms such as Data Security, IT Security or Digital Security.

The keyword here is “Security” of information in whatever format or scope it is presented, be it Data, Cyber, Digital, IT etc. For the sake of this write-up, I shall use the generic term “Information Security”.

The information security discipline can be seen as a science or as an art, depending on your point of view or context.

Science is defined as “A systematically organised body of knowledge on a particular subject”, while Art, on the other hand, is defined as “A skill at doing a specified thing, typically one acquired through practice”. A core concept in Security is the threat of an “enemy” willing to steal, disrupt or otherwise render information worthless.

Information security is an organised body of knowledge (Science) on the protection of information, often involving fighting wars with internal and external enemies (Art).

The subject of Information Security concerns itself with the protection of the Confidentiality, Integrity and Availability attributes of Information assets.

Data Governance (DG) is defined in the Data Management Body Of Knowledge as “The exercise of authority, control, and shared decision making (planning, monitoring and enforcement) over the management of data assets.” It is part of a larger discipline that has traditionally been called enterprise information management (EIM).

What’s the link between Information and Data, you may ask? The illustration below sums it up.

Relationship between Information and Data

Knowledge and information are everywhere; they are converted into multiple formats such as data, audio, pictures etc. for usage. Data, and inherently the information it conveys, is used in business processes and interacted with by humans, transported through physical papers, computer hardware and networks, and stored in computers (files, applications and databases) throughout its life-cycle. Data is also now being extensively used in Artificial Intelligence and machine learning to create new devices and tools, while at the same time driving process efficiency across all areas of human endeavour.

There is no gainsaying that data is valuable to many organisations, including non-commercial ones such as the military or public services, particularly so in the current digital revolution where data is said to be the “New Oil”; we have even coined a new phrase, “Big Data”. The illustration below shows the volume of data that was created every second of the day in 2019.

Internet Data Volumes

The implication of this amount of data is that it drives the global economy, which leads one to conclude that there is a lot of value in the data; traditional industries including banking and finance have been disrupted, while completely new industries have sprung up in recent years. For example, Uber and AirBNB did not exist 10 years ago, and neither of them owns physical assets in their operating model; Uber’s revenue was over $14 billion in 2019 and AirBNB is valued at $38 billion. Guess what? Data is their main asset!

The remit of Information or Data Security is the protection of the value of Information and Data assets!

There are a few stressful periods in the working life of a security executive:

1. The annual ritual of budget planning and decisions on the allocation of scarce resources is a very stressful time for the business executives involved in the process. The process involves a lot of data, numbers and logical articulation of projections for the coming year; this is about the cost of security. However, the value of the data to be secured/protected is often not included in the discussion.

2. Initiation of a strategic security programme, either as an improvement or as a complete greenfield setup. These programmes are often driven by compliance obligations, by audit findings or by general information security risk management.

3. Identification and location of critical business data, the level of control required and the amount of resiliency required to ensure business continuity when disaster strikes. In order to search for an item, the minimum requirement is that you know what you are looking for: perhaps a description, characteristics or other specific features.

4. Prioritising the most effective controls to deploy within the constraints of defence-in-depth principles. This challenge is premised on the fact that resources will always be limited; even nation states don’t have a bottomless pot of resources. It’s also a fact that some data and applications are more important and sensitive than others. When we prioritise there is always an opportunity cost in the things we forgo, therefore we want to ensure that we are choosing the right assets to protect and the right controls to deploy.

As you can see from the above list, none of the items is exclusive to the security function. At the heart of it all is the “Data” that needs to be secured: if we don’t know its attributes, such as characteristics and description, we cannot find it; if we don’t know its importance or criticality to the organisation, we cannot apply a commercial/financial value to it, nor can we prioritise it, nor can we know whether it is within a compliance scope.

The Chief Information Security Officer and his/her team do not own the data which they are expected to protect; they don’t know its relative value, nor does the team understand the risk appetite or tolerance of the firm without active collaboration with the business or stakeholders. The security team cannot define the security attributes or level of protection a data asset requires.

The consequence of the above is massive! It causes either inadequate or over-investment in security, an opaque decision-making process, a false sense of security, misuse of limited resources protecting low-value assets to the detriment of critical assets, as well as poor business resilience and disaster recovery planning, among others.

The answer to all of these can be provided by a Data Governance programme or function.

The need for collaboration between the Data Governance and Cyber Security teams is often critical, particularly for Data Loss Prevention projects. It is an indisputable fact that modern businesses have a lot more data and data channels to contend with, both structured and unstructured. Data is ingested from multiple sources and may be found on on-premise servers, in cloud apps and storage, on users’ devices including mobile devices and smartphones, and in many more locations; the dispersal surface is forever widening. It is inefficient and far more expensive to expect the security function to effectively secure all data regardless of its sensitivity when its criticality is not known. This is part of the reason for the high level of data breaches frequently reported in the media, as resources are spread too thinly rather than focusing limited resources on the “Crown Jewels”.

In my professional career I have seen time and again on different assignments that a lot of organisations don’t know where their critical data is stored; they have no understanding of its flow within the business or of which business processes interact with it. These are the everyday issues that security people have to contend with, often playing piggy in the middle between different departments to arrive at ad-hoc conclusions and decisions on data attributes. This approach leaves the business exposed to risks on many fronts.

The Data Governance function would help the Data Security function with the fundamental question of data attributes; it would provide the details of value to allow logical decisions to be made around managing security risk to the data. In return, the Security function would assist the DG function in deploying and operating controls to enforce its principles, policies and standards, as well as monitoring for compliance. It is a WIN! WIN!

I recognise that the Data Governance function is relatively young and evolving; however, the Information Security function will do very well to engage and collaborate where one exists, and wherever possible the CISO may even suggest the establishment of one within their organisation.

Does your Cyber Security Rigour match the Rigour and motivation of a Hacker?

This article was originally published on Linkedin on August 31, 2016 @ https://www.linkedin.com/pulse/does-your-cyber-security-rigour-match-motivation-alexander/


This question is becoming more relevant with each passing day following the wave of high-profile cyber attacks and data breaches reported in the media in recent times. As we all know, for every reported breach there are hundreds, if not thousands, of unreported ones.

From analysis, most of these attacks appear to have a common underlying thread: Sloppiness!! Of course there are the high-end crypto breakers and nation-state attacks, but these are fewer.

When you look at the profile of a typical cyber attack, the actors are knowledgeable and intelligent (it’s just a shame they would rather be on the other side of the law); the attack vectors they use and exploit are also known to us on this side of the law. There are very many of them across the world and cyberspace, representing a sort of “ragtag army”, as opposed to a few people, or sometimes a single individual, in an organisation with the responsibility of securing the front.

What did Alexander the Great have to do to defeat King Darius III of Persia at the battle of Gaugamela? Strategic thinking!!!

Consider the associated cost of these breaches and the immeasurable cost of the trust eroded by these events. Then there’s the value of the stolen data to the organisations.

The information security industry is supposedly worth several hundred billion pounds, and organisations are spending vast sums of money investing in their cyber defences. One thing is however clear: a typical hacker is more determined and rigorous in his methodologies than defenders are in protecting the empire!! Or is this just me moaning? Excessive faith is put in technology rather than human intelligence; that’s why we spend so much more on tools than on “cerebral” activities. Or is it because they are intangibles?

A hacker spends a vast amount of time “casing” a “joint” before he makes his move. He thinks, collates data, analyses the data; more research, more reflection, then pokes here and there, before he goes for the kill and cleans up after himself, leaving no trace or in some cases leaving a back door.

What methodology or approach do we utilise on this side of the fence to match the hacker’s rigorous process? Don’t just say risk management: how does it translate to your prevent, protect, detect and respond processes? How does your controls framework match up to your strategy, if you have one?

In my career, I have seen organisations spend millions of pounds on information security projects yet be unable to articulate the central objective of all these controls. It’s a fact that most organisations don’t know where their critical data resides within their IT infrastructure or how it should be protected (shall we ask “Anonymous”?). Information life-cycle management sounds laboriously academic, but these things are central to sound information security management. How up-to-date is your network diagram? Does your security team understand the “normal” data flow? If not, how are they going to recognise anomalies? Or perhaps your outsourcers: when was the last time you tested their security processes, or even assessed the effectiveness of their security controls?

Information security is not just about deploying technology! Technology deployment requires thinking too; it doesn’t deliver out of the box, and technology configuration is also iterative!! Indeed, all of the processes and mechanisms of Preventative, Protective, Detective and Responsive controls require continuous “cerebral” application. I don’t mean that you should do nothing because you are thinking, or that you have to be 100% accurate all of the time either. Again, it needs to be iterative.

Let’s stop giving the game away; engage security professional services if you are struggling. The alternative is to wait until you get breached or hacked before you act.

Office 365 Does not Eliminate SaaS Application Risks

This article was originally published on Linkedin on August 22, 2016 @ https://www.linkedin.com/pulse/office-365-does-eliminate-saas-application-risks-alexander/


There appears to be some misinformation or misconception out there about what Office 365 (O365) is and what it isn’t.

O365 is a cloud-based subscription to the Microsoft Office suite of productivity tools, as opposed to the desktop or locally installed versions. Essentially it is a SaaS application, with potentially all of the inherent risks of a typical SaaS application.

Office 365, however, has a lot of built-in security capability compared to others, but it is just one application, a productivity tool in its own right. It has a number of default security settings, but there’s a lot more that requires tweaking: for example, auditing, logging and monitoring for policy violations, threats and vulnerabilities.

Some of the comments I’ve heard recently include: “I have O365, I don’t need to do anything else, my data is secure”; “I don’t have any risk around SaaS apps”; “my users will do as they are told and only use O365” (when has that ever happened?); and much more.

There’s no question that O365 has far more security capabilities out of the box; nonetheless, the responsibility for identifying and classifying data still resides with the customer, because without this O365 DLP cannot be enabled or expected to function as required. There’s also the encryption of sensitive data and the associated key management: these are not out of the box!!

In a typical organisation where there are hundreds of SaaS applications, what about the security of the tons of corporate data already within them? Has that risk suddenly evaporated?

Of course there’s good old Microsoft Azure, through which you can gain visibility into and control access to other cloud apps in use in the environment. None of this is out of the box, and there are dependencies. It needs thinking and context. How do you plan to tackle the third parties (partners and suppliers) with whom your staff collaborate, and their disparate identities?

While MS Azure may provide a mechanism for “enterprise”-level (as opposed to external extended-enterprise user) visibility and control, it doesn’t provide a risk rating capability to help you decide which applications to sanction or block. We all know what happened the last time security decided to implement arbitrary blocking: we birthed Shadow IT.

Security – A Digital Transformation Enabler

This presentation was first published on Linkedin on August 13, 2015 @ https://www.linkedin.com/pulse/security-digital-transformation-enabler-alexander/.

Event: Whitehall Media Identity Management conference.


The promises of the digital new world are inextricably locked with cloud computing technologies.

Cloud computing technology is central to the converging interconnecting forces of collaboration, mobility, BYOD, IoT and social enterprise.

The information/data security needs and entitlements of users of these services and apps are bound to their identities and the contexts within which they may partake in this ecosystem.

Traditional security models, information governance, identity management and role based access control don’t quite cut the mustard.

However, new technologies are yet to be tested both commercially and functionally.

The potential benefits to the enterprise, such as seamless collaboration, agility and efficiency, are too rewarding to ignore. The security industry must help organisations balance the risks and rewards.

See the full video of this presentation on YouTube @ https://www.youtube.com/watch?v=PFnIIy7PAgw&feature=youtu.be

Why Information Security May be Constraining Business

This article was originally published on Linkedin on August 5, 2015 @ https://www.linkedin.com/pulse/why-information-security-may-constraining-business-alexander/

The information security function is first and foremost an information management discipline. Its main focus, as we are all aware, is the protection of information, with particular emphasis on its confidentiality, integrity and availability.

This is all well and good provided there is “ceteris paribus” i.e. all other things being equal.

Wikipedia defines Information Management as “… a cycle of organisational activity: the acquisition of information from one or more sources, the custodianship and the distribution of that information to those who need it, and its ultimate disposition through archiving or deletion”.

It is not difficult to see why we are where we are today, because:

  • Information and data are acquired using technology;
  • Information and data are held/stored and distributed using technology;
  • Information and data are disposed of or archived with technology.

Alas, technology is everywhere and it is information- and data-agnostic. This explains why the information security function in most organisations is technology- and controls-focused; it doesn’t explain why there’s seemingly no accountability/ownership for information management or governance.

Sure, there are “data owners” in some organisations, but more often than not it is seen as a title; there is no clear definition/description of what it means or what these people are supposed to do, nor is there adequate guidance to help them fulfil this responsibility.

A lot of resources have been and still are being poured into “technology security” in the name of information security, but it doesn’t make our information any more secure, judging by the number of high-profile data breaches reported in the media every year. Is it not time for us to look critically at how we currently do things and get creative? I absolutely agree with Bruce Schneier, the famous American security guru of Counterpane fame, when he said: “If you think technology can solve your security or privacy problems then you don’t understand the problems and you don’t understand the technology.”

Information security is the most visible stakeholder (among several) in the cycle of information management/governance. It is grossly unfair to dump far-reaching information and data management/governance decisions on the function without equipping it with the full facts around all the attributes of the information or data. This, in my view, is the crux of the matter!!! It leaves the poor security managers and analysts scratching around for business criteria against which to make their decisions, and they are then accused of constraining the business. This is where we get the famous line “security concerns”; of course it’s a concern! However, it should not be so called, but rather called a business governance concern.

Corporate governance must assign the accountability for information management and governance to someone who is charged with the responsibility of defining the attributes and framework around corporate information and data management. This is a “top-down” as opposed to a “bottom-up” governance approach, where rules and standards are defined beforehand to assist everyone involved in the information management chain to fulfil their responsibility.

Therefore, organisations must assign accountability for governance of IM; within existing models this could go either to the CIO or to the Legal Counsel. The CIO or Legal Counsel can then assign this to either a new role or their CISO, who can then recruit a specialist non-technical resource to manage the challenge. This resource will liaise with all business unit owners and stakeholders that capture, process and use business information and data. This position will not only collate information/data attributes but also share them with other stakeholders within the business that may require them for their function.

This initial level is one of oversight and coordination; it is not for them to own and define the information attributes for the whole business.

No one except business unit managers knows, or should know, the attributes of the information or data handled by their team. They should have the accountability for defining the attributes of all the data they handle, which they can then share with the coordinator.

There is a huge amount of value in information: efficiencies to be had, as well as improvements to information and data security. New innovations such as cloud, mobility and business process improvement cannot be fully explored without a full understanding of the ramifications for the information/data that will be processed through them. Information management/governance of information/data is a foundational requirement on top of which all else is based.

To my security professional colleagues, my advice is to get your mojo back, engage and challenge the business, project sponsors and senior managers, and stop shying away into the corner for fear of being seen as difficult. You are probably already being seen as that. Guard your credibility and integrity. What have you got to lose!