If You Want The Right People Reading Your Report, You Have to Start With The Right People In Assessing The Risk
Too Many Security Assessments Start and End With Technology – Big Mistake!!!
Data Security is a BUSINESS RISK issue, not a technical exercise…
Technology Infrastructure supports the business, just like administrative assistants, the fleet department, or shipping – A mishmash of infrastructure, people, and process working in harmony to run a business.
The more we move toward digitalization, the more we’ll see robots and automation replacing people, and changing the way business operates…
With process change comes risk change. Don’t be fooled – The Network is not the endgame. The business is…
In this article I’ll show you exactly who to include, why, and how – when thinking about risk assessments and data security.
Over the past several months I’ve written a series of articles on how to approach data security risk assessments.
However, rather than addressing the bits and bytes, I’ve intentionally focused on the selling, business interaction, and conversion strategies designed to drive new business opportunity.
The approach you take, and the people you include, have a lot to do with your conversion rates and business success.
Stop: The Traditional Approach To Selling Doesn’t Work!!! (When Talking SECURITY).
Remember, the purpose of assessing risk is to move the company forward on remediation efforts.
If you’ve been in security any length of time, you know it’s rare to come away from an assessment with NO URGENT ISSUES. Threats and security vulnerabilities are everywhere!!!
Whether it’s a gap analysis, pen test, or overall risk assessment, you’re going to find stuff – and it must be addressed. However, using the traditional vulnerability-assessment approach rarely leads to any significant change or remediation. If the stakeholders don’t have justification (in their own language) they won’t write the check needed to remediate.
By traditional approach, I mean, heading in with scanners, looking at internal and external vulnerabilities, diving into O/S configurations and network segmentation, all without ever engaging the company’s leadership or end-users.
The First and Only Place to Discover a Company’s Most Valuable Assets
Years ago I was struggling with just how to get executive attention with security assessments.
We were working in mid-market and enterprise accounts, assessing risk. The projects were highly profitable. However, the long term business opportunities just weren’t coming through (See my recent article on the Long Tail of Assessments).
In DESPERATION I consulted with a friend in the Disaster Recovery Space (DR).
DR experts always start at the top. Why? Because DR is much more than data. It’s a business issue.
When a DR plan is constructed, it includes things like business failover. Will the company have a hot site, warm site, or cold site? The plan addresses the entire effort of moving critical business functions over to a new location in the event of any major disruption.
In order to create a successful failover, business people have to be involved. Every step must be planned and tested.
The DR consultant needs to know what processes exist, what roles people play, what the business can’t live without, and how much time they have to be up and running following the BOOM (Any major disaster).
DR planning starts with the identification of critical infrastructure, applications, data, and people. It’s all just part of the bigger picture. But DR is SECURITY! That’s right…in the ISC2 common body of knowledge, the CISSP (of which I am one) studies DR as one of the primary pillars of security.
In other words, security assessments are a form of BUSINESS IMPACT ANALYSIS. They consider risk (IMPACT vs. LIKELIHOOD) – how likely an event is, weighed against the impact the business would suffer if it happened.
Measuring risk, like we’re talking about here, demands an understanding of assets and critical infrastructure, which can only be had through interaction with the stakeholders…
And no, this can’t happen by submitting a list of 10 or 20 questions to the IT director to be passed up the ladder…the DR expert would never proceed without direct contact. It’s UNTHINKABLE.
Only These People Can Tell You How Data Gets Created and Where It Sits
Talk to the End-Users – the one thing everyone seems to avoid doing during an assessment.
The executives should be able to tell you (the assessor) what is important. However, don’t expect them to know exactly how data gets created, used, or who needs access…
Maybe in a very small business…but go upstream to larger companies and talking to end-users becomes necessary.
Only the end-user can tell you how data is getting entered or created. The problem is, these hands-on knowledge workers are almost never included in risk assessment interviews. Go over to the DR side and you’ll find these data-creators and users intimately involved in what goes on with the company’s daily operations.
Finally, It’s Time To Invite Technical People To The Party
It’s time to predict major holes…that’s right, PREDICT…(Do this before diving into the servers and network)
Enter the SECURITY technical subject matter expert (SME). In most risk assessments, the SME is first in line…but shouldn’t be. The assumption is, the network and servers need inspection, so let the tech guy do it.
Technical people are essential to a proper understanding of the company’s security architecture – and analysis of any scans or traffic…
However, risk has a lot to do with business process, types of data, market conditions, and business activities specific to your client. For instance, if there’s a merger in the works, a strategic announcement or product launch, or perhaps a layoff coming, the company’s risk will be affected.
You’ve taken time to review your client’s business (Through executives and end-users) – so now it’s time to merge your findings with technology…
Your technical team should now be reviewing everything you have discovered… with the goal of understanding how your client’s data should be protected… It’s an INTERNAL brainstorming exercise.
You and your team are asking the question: What would need to be true to keep this company safe?
DO THIS: Make a list of 20 things that a company like this (size, category, market, vertical focus, etc.) must have in place given the current relevant threats (for instance – Ransomware).
NOTE: More details on threats and security mistakes in my book, Digital Money (on Amazon).
It is from this list your technical team will begin their analysis.
You May Now Look At The Network
List in hand – it’s time for the deep dive. Notice, now you can ask the IT people specific questions about encryption, failover, access control, etc. with business relevance. Look at your competitors’ assessment deliverables and you’ll see almost no one does this sort of thing.
Your client’s workflow directs you through their systems and architecture…so rather than looking at this from an inside/outside perspective (which does still need to be considered) you are approaching from an asset perspective.
ASSET FOCUSED – I call this…
Where is the data? Who accesses it? Where does it travel and how? How is the precious cargo stored, archived, or deleted? And what must be true to keep the company’s secrets secure (considering CONFIDENTIALITY, INTEGRITY, and AVAILABILITY)?
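To make the asset-focused questions concrete, here is an added example (not from the original article, and not the author’s own method or tooling) of a small risk register in Python. It records, per asset, what the executive and end-user interviews turned up (owner, who creates the data, where it sits, how it travels), rates impact on CONFIDENTIALITY, INTEGRITY and AVAILABILITY, derives likelihood from how many items of the “what must be true” list are missing, and scores risk as IMPACT × LIKELIHOOD. It then separates a short executive view from the full appendix. All assets, ratings and control names are constructed sample data; the 1–5 scales and the rule that each missing control adds one point of likelihood are assumptions for illustration.

```python
"""Asset-focused risk register (constructed example, not the article's own tooling).

Each Asset answers the article's questions: where the data is, who creates and
accesses it, where it travels, and what must be true (C/I/A) to keep it secure.
Risk = IMPACT x LIKELIHOOD, each on an assumed 1..5 scale.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed subset of the "20 things that must be true" list for a company like this.
REQUIRED_CONTROLS = {
    "backup_tested",
    "mfa",
    "encryption_at_rest",
    "least_privilege",
    "awareness_training",
}


@dataclass
class Asset:
    name: str
    owner: str                   # business owner, learned from executive interviews
    creators: list[str]          # who enters/creates the data, learned from end-users
    stored_in: list[str]         # where the data sits
    travels_via: list[str]       # how it moves between systems and people
    confidentiality: int         # impact of disclosure, 1 (low) .. 5 (severe)
    integrity: int               # impact of tampering or corruption
    availability: int            # impact of loss or outage
    controls: set[str] = field(default_factory=set)  # controls observed in place


def impact(asset: Asset) -> int:
    """Worst-case impact across C, I and A (assumed scoring rule)."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def missing_controls(asset: Asset) -> list[str]:
    """Items from the must-have list that this asset does not have."""
    return sorted(REQUIRED_CONTROLS - asset.controls)


def likelihood(asset: Asset, base: int = 1) -> int:
    """Likelihood 1..5: base rate plus one point per missing control, capped at 5."""
    return min(5, base + len(missing_controls(asset)))


def risk_score(asset: Asset) -> int:
    """IMPACT x LIKELIHOOD, so the maximum is 25."""
    return impact(asset) * likelihood(asset)


def rank(assets: list[Asset]) -> list[Asset]:
    """Highest-risk assets first."""
    return sorted(assets, key=risk_score, reverse=True)


def executive_summary(assets: list[Asset], top: int = 3) -> list[str]:
    """Short business-language lines for the executive report: asset, owner, why."""
    lines = []
    for a in rank(assets)[:top]:
        gaps = ", ".join(missing_controls(a)) or "none"
        lines.append(f"{a.name} (owner: {a.owner}): risk {risk_score(a)}/25; missing: {gaps}")
    return lines


def appendix(assets: list[Asset]) -> list[dict]:
    """Full per-asset detail for the technical appendix."""
    return [
        {
            "asset": a.name,
            "creators": a.creators,
            "stored_in": a.stored_in,
            "travels_via": a.travels_via,
            "cia": (a.confidentiality, a.integrity, a.availability),
            "impact": impact(a),
            "likelihood": likelihood(a),
            "risk": risk_score(a),
            "missing_controls": missing_controls(a),
        }
        for a in rank(assets)
    ]


# Constructed sample register, as it might look after the interviews.
SAMPLE_ASSETS = [
    Asset("Customer records", "VP Sales", ["sales reps", "support desk"],
          ["CRM database"], ["web app over TLS", "nightly export to finance"],
          confidentiality=5, integrity=4, availability=4,
          controls={"mfa", "encryption_at_rest", "backup_tested"}),
    Asset("Payroll spreadsheet", "HR Director", ["HR assistant"],
          ["shared file server", "assistant's laptop"], ["email attachments"],
          confidentiality=4, integrity=5, availability=3,
          controls={"backup_tested"}),
    Asset("Public marketing site", "Marketing Manager", ["web agency"],
          ["hosted CMS"], ["public HTTPS"],
          confidentiality=1, integrity=3, availability=3,
          controls=set(REQUIRED_CONTROLS)),
]

if __name__ == "__main__":
    for line in executive_summary(SAMPLE_ASSETS):
        print(line)
```

The executive view lists only the top few assets with the business owner and the missing must-haves, which is the material a CFO can act on; the appendix keeps the data-flow and C/I/A detail for the technical reader.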
In addition, you will want to scan for vulnerabilities…but MORE IMPORTANT is collecting traffic. Another step often missed on the assessments I see…If there’s malware or foul play, it’s going to show up in the traffic!
And, don’t leave out the ONE BIG HOLE so many companies fail to consider…End User Awareness Training…in fact, it might be wise to develop a quiz of some sort, and add a scoring system to show your asset owners where their data creators and accessors are with regard to security savvy.
Time To Deliver Results – Don’t Leave Out This One
You’ll need two reports to make this work. The executive summary, and the appendix…Who’s going to write this????
In most cases, your competition is only delivering the latter…Oh, they probably have a section in their 50-page document called Executive Summary…but how many executives are actually reading that section? Take a look and see if it looks like executive reading material. (Hint: the Red Light, Yellow Light, Green Light rating was a clever invention, but I don’t see CFOs acting on it.)
Executive summaries should be short, to the point, and easy for business people to digest. Check out Chip & Dan Heath’s book, Made to Stick, for some insightful tips on making reports consumable and memorable.
If you think your SME is going to write this document (the executive one), think again. This is an exercise requiring the skills of a copywriter – learn the skill or outsource it.
Important Factor: After All, You’re Liable!
Finally, make sure you get an audience with executive management during the initial stages and deliverable stages of your assessment. Insist on it! Don’t take NO for an answer.
After all, you’re liable in some sense. If your client gets hacked tomorrow, and you were in there today, someone is going to want to talk to you. If you’ve uncovered serious holes in the armor, and you were depending on IT to carry that message to the commanding officer, you just might be surprised to find out it didn’t really happen the way it was supposed to.
© 2017, David Stelzl