What to ask when conducting your security risk assessment
After All The Work That Goes Into Security Assessments, This One Thing, If Missed, Will Make The Entire Process a Waste of Time…
When the Truth is Clear…Cancer, Heart Attack,…Breach…People Act. With Security Your Message Must Connect and Your Audience Must Feel The Pain.
You might think it’s callous of me to compare your own life (risk of cancer) to a data breach, but the truth is, data is what many companies see as their most precious asset.
Right or wrong, given a choice, companies will part with a few employees before facing business failure. And data loss often begins the downward spiral that can’t be stopped.
However, getting the company leadership to see these business-crushing threats, before they happen, is not easy. Following is the strategy I’ve used to turn week-long assessments into annual contracts, and more.
Rule One: Don’t Present Without The Asset Owners!
Asset owners are those with liability. Have you ever presented a cost-saving solution to IT directors or middle managers? Tell them you can save them money, cut FTE (full-time equivalent) headcount by 50%, and improve quality of service, and they’ll quietly dismiss you as unqualified to do business at their firm. They’d rather build an empire than save money.
Take it one step further and show these cost-center agents how their personal role in the company (along with associated costs) is no longer needed with your new proposed automation process, and you might find an anonymous death threat in your mailbox.
Bring in the asset owners and something different begins to happen.
When it comes to security, technical staff rarely understand the value of corporate data, or the relationship between uptime and profit, according to several CISOs I’ve interviewed this year. And their interest (probably driven by the need to make money) tends to be self-serving (see Jack Eckerd’s book, Why America Doesn’t Work).
Tell executives their systems are likely infected with malware that gives attackers the ability to listen in on private meetings, watch them in their office or bedroom, read their email (including personal mail), and track their whereabouts, and you’ll get a response similar to that of a homeowner waking up to a fire alarm. Present the same bot detection to IT staff and you’ll get a call for some patching next week, and perhaps an AV product review.
The Underestimated Power of Free
But what happens when you show up and the asset owner is suddenly not available?
If you’ve charged $100K for this assessment, you’re in good shape. Meet, sell hard, and find a way back to the asset owners…you owe them the deliverable.
However, if you’ve conducted your assessment pro bono, you’re also in good shape!
As a free service, you control the deal. You don’t owe them anything. And since you’re liable for what you deliver, you have the right to delay the meeting until your asset owner contacts are free. Just let them know there are urgent things they need to hear, so the sooner the better.
(Get more on why Free Assessments Are More Powerful in my book, The House & The Cloud 2nd Edition).
Your Meeting Agenda Re-Engineered to Convert
Sure, you could email executives your findings, but digital findings don’t convert. Face to face is the only way to deliver the devastating news that an attack or data loss is imminent if action is not taken.
Here’s Your Agenda:
Start with their words. You’ve interviewed them (hopefully). More importantly, you’ve spoken with both executives and the people driving the daily business (end-users). So you know how important their data is, how long they can afford to be down, and what must never be seen by the competition.
You also know what’s not urgent in their minds. So avoid spending time on the non-urgent, even if you think it’s urgent (policy documentation, for example).
Next, list the top priorities. Did you discover evidence of compromise? Any malware activity, or symptoms of it, is urgent. Note that in the asset owner’s eyes, missing patches, outdated systems, and EOL software are not urgent; a failing backup solution, on the other hand, is. You’ll need to know why, and how to prove it. Consider the things you would want fixed this afternoon if you were the asset owner, and draw out that urgency.
Next, it’s time to create some vision. You know how they work and where they’re headed as a company (from the interview process). So, using their current set up, begin to pose a number of WHAT IF scenarios. This is how you create a vision – allowing the buyer to picture something they really do want.
“What if your end-users could work without ever having to guess whether or not an email was infected with malware?”
“What if, whenever someone tried to connect remotely, your network verified who the user is, checked the system for malware and current patches, and only after both checks passed granted access?”
“What if we could take your restore time down from the estimated 5 days to the required 4 hours?”
In doing this, you’re watching for the nodding heads. Not those nodding off, but people in agreement. You want a physical response, an emotional response. This is your trial close, and trial closes matter: if you can get your audience nodding and saying yes along the way, you know that when you’re all done, they’ll keep nodding.
Finally, sell the vision – “We can get this done by the start of next month, etc.” The obvious question is, how much ($$$). Check out chapter 11 of my book, From Vendor to Advisor to see how to price this, and when to share the price.
© 2017, David Stelzl
If You Want The Right People Reading Your Report, You Have to Start With The Right People In Assessing The Risk
Too Many Security Assessments Start and End With Technology – Big Mistake!!!
Data Security is a BUSINESS RISK issue, not a technical exercise…
Technology Infrastructure supports the business, just like administrative assistants, the fleet department, or shipping – A mishmash of infrastructure, people, and process working in harmony to run a business.
The more we move toward digitalization, the more we’ll see robots and automation replacing people, and changing the way business operates…
With process change comes risk change. Don’t be fooled – The Network is not the endgame. The business is…
In this article I’ll show you exactly who to include, why, and how – when thinking about risk assessments and data security.
Over the past several months I’ve written a series of articles on how to approach data security risk assessments.
However, rather than addressing the bits and bytes, I’ve intentionally focused on the selling, business interaction, and conversion strategies designed to drive new business opportunity.
The approach you take, and the people you include, have a lot to do with your conversion rates and business success.
Stop: The Traditional Approach To Selling Doesn’t Work!!! (When Talking SECURITY).
Remember, the purpose of assessing risk is to move the company forward on remediation efforts.
If you’ve been in security any length of time, you know it’s rare to come away from an assessment with NO URGENT ISSUES. Threats and security vulnerabilities are everywhere!!!
Whether it’s a gap analysis, pen test, or overall risk assessment, you’re going to find stuff – and it must be addressed. However, using the traditional vulnerability-assessment approach rarely leads to any significant change or remediation. If the stakeholders don’t have justification (in their own language) they won’t write the check needed to remediate.
By traditional approach, I mean, heading in with scanners, looking at internal and external vulnerabilities, diving into O/S configurations and network segmentation, all without ever engaging the company’s leadership or end-users.
The First and Only Place to Discover a Company’s Most Valuable Assets
Years ago I was struggling with just how to get executive attention with security assessments.
We were working in mid-market and enterprise accounts, assessing risk. The projects were highly profitable. However, the long term business opportunities just weren’t coming through (See my recent article on the Long Tail of Assessments).
In DESPERATION I consulted a friend in the disaster recovery (DR) space.
DR experts always start at the top. Why? Because DR is much more than data. It’s a business issue.
When a DR plan is constructed, it includes things like business failover. Will the company have a hot site, warm site, or cold site? The plan addresses the entire effort of moving critical business functions over to a new location in the event of any major disruption.
In order to create a successful failover, business people have to be involved. Every step must be planned and tested.
The DR consultant needs to know what processes exist, what roles people play, what the business can’t live without, and how much time they have to be up and running following the BOOM (Any major disaster).
DR planning starts with the identification of critical infrastructure, applications, data, and people. It’s all just part of the bigger picture. But DR is SECURITY! That’s right…the (ISC)² CISSP Common Body of Knowledge (and I hold the CISSP) covers disaster recovery and business continuity planning as part of its domains, one of the primary pillars of security.
In other words, security assessments are a form of BUSINESS IMPACT ANALYSIS. They consider risk (IMPACT vs. LIKELIHOOD): the impact an event would have on the business, weighed against the likelihood that the event actually occurs.
Measuring risk, like we’re talking about here, demands an understanding of assets and critical infrastructure, which can only be had through interaction with the stakeholders…
And no, this can’t happen by submitting a list of 10 or 20 questions to the IT director to be passed up the ladder…the DR expert would never proceed without direct contact. It’s UNTHINKABLE.
Only These People Can Tell You How Data Gets Created and Where It Sits
Talk to the End-Users – the one thing everyone seems to avoid doing during an assessment.
The executives should be able to tell you (the assessor) what is important. However, don’t expect them to know exactly how data gets created, used, or who needs access…
Maybe in a very small business…but in anything larger, talking to end-users becomes necessary.
Only the end-user can tell you how data is getting entered or created. The problem is, these hands-on knowledge workers are almost never included in risk assessment interviews. Go over to the DR side and you’ll find these data-creators and users intimately involved in what goes on with the company’s daily operations.
Finally, It’s Time To Invite Technical People To The Party
It’s time to predict major holes…that’s right, PREDICT…(Do this before diving into the servers and network)
Enter the SECURITY technical subject matter expert (SME). In most risk assessments, the SME is first in line…but shouldn’t be. The assumption is, the network and servers need inspection, so let the tech guy do it.
Technical people are essential to a proper understanding of the company’s security architecture – and analysis of any scans or traffic…
However, risk has a lot to do with business process, types of data, market conditions, and business activities specific to your client. For instance, if there’s a merger in the works, a strategic announcement or product launch, or perhaps a layoff coming, the company’s risk will be affected.
You’ve taken time to review your client’s business (Through executives and end-users) – so now it’s time to merge your findings with technology…
Your technical team should now be reviewing everything you have discovered… with the goal of understanding how your client’s data should be protected… It’s an INTERNAL brainstorming exercise.
You and your team are asking the question: What would need to be true to keep this company safe?
DO THIS: Make a list of 20 things that a company like this (size, category, market, vertical focus, etc.) must have in place given the current relevant threats (for instance – Ransomware).
NOTE: More details on threats and security mistakes are in my book, Digital Money (on Amazon).
It is from this list your technical team will begin their analysis.
You May Now Look At The Network
List in hand – it’s time for the deep dive. Notice, now you can ask the IT people specific questions about encryption, failover, access control, etc. with business relevance. Look at your competitors’ assessment deliverables and you’ll see almost no one does this sort of thing.
Your client’s workflow directs you through their systems and architecture…so rather than looking at this from an inside/outside perspective (which does still need to be considered) you are approaching from an asset perspective.
ASSET FOCUSED – I call this…
Where is the data? Who accesses it? Where does it travel and how? How is the precious cargo stored, archived, or deleted? And what must be true to keep the company’s secrets secure (considering CONFIDENTIALITY, INTEGRITY, and AVAILABILITY)?
In addition, you will want to scan for vulnerabilities…but MORE IMPORTANT is collecting traffic. This is another step often missed on the assessments I see. If there’s malware or foul play, it’s going to show up in the traffic! Capture passively (a span port or tap) for a representative window of at least a few business days, so that periodic command-and-control activity has time to reveal itself.
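As an added illustration (not from the original article or its author), here is one way a “shows up in the traffic” signal can be pulled out of collected flow records: a host that contacts the same external endpoint on a near-constant timer, which is how most malware beacons to its controller. The flow records below are constructed for the example (the addresses are documentation ranges), the field layout loosely mirrors a Zeek conn log, and the 0.2 regularity cut-off and six-connection minimum are assumed thresholds, not figures from the article.

```python
"""Beacon detection over constructed flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (unix_time_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 calls 203.0.113.10 roughly every 300 s (a beacon with small jitter);
# 10.0.0.7 calls 198.51.100.20 at irregular, human-driven intervals.
SAMPLE_FLOWS = [
    (1_500_000_000, "10.0.0.5", "203.0.113.10", 443),
    (1_500_000_300, "10.0.0.5", "203.0.113.10", 443),
    (1_500_000_598, "10.0.0.5", "203.0.113.10", 443),
    (1_500_000_902, "10.0.0.5", "203.0.113.10", 443),
    (1_500_001_199, "10.0.0.5", "203.0.113.10", 443),
    (1_500_001_501, "10.0.0.5", "203.0.113.10", 443),
    (1_500_001_800, "10.0.0.5", "203.0.113.10", 443),
    (1_500_000_000, "10.0.0.7", "198.51.100.20", 443),
    (1_500_000_015, "10.0.0.7", "198.51.100.20", 443),
    (1_500_000_017, "10.0.0.7", "198.51.100.20", 443),
    (1_500_000_120, "10.0.0.7", "198.51.100.20", 443),
    (1_500_000_121, "10.0.0.7", "198.51.100.20", 443),
    (1_500_000_900, "10.0.0.7", "198.51.100.20", 443),
    (1_500_000_903, "10.0.0.7", "198.51.100.20", 443),
]


def beacon_scores(flows, min_connections=6):
    """Group flows by (src, dst, port) and score the regularity of their timing.

    Returns {key: {"count", "mean_interval", "cv"}} for every pair that has at
    least min_connections flows. cv is the coefficient of variation of the gaps
    between successive connections: a value near 0 means clockwork timing.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    scores = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Guard against all flows sharing one timestamp (avg == 0).
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        scores[key] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return scores


def flag_beacons(flows, max_cv=0.2, min_connections=6):
    """Return the (src, dst, port) keys whose timing looks machine-driven,
    most regular first. max_cv is an assumed threshold; tune it per network."""
    scores = beacon_scores(flows, min_connections)
    hits = [key for key, s in scores.items() if s["cv"] <= max_cv]
    return sorted(hits, key=lambda key: scores[key]["cv"])


if __name__ == "__main__":
    scores = beacon_scores(SAMPLE_FLOWS)
    for key in flag_beacons(SAMPLE_FLOWS):
        s = scores[key]
        print(f"{key[0]} -> {key[1]}:{key[2]}  n={s['count']}  "
              f"every ~{s['mean_interval']:.0f}s  cv={s['cv']:.3f}")
```

Treat hits as leads, not findings: NTP, update checkers, and monitoring agents also phone home on a timer, so each flagged pair still needs the destination, the process behind it, and the payload size looked at before it goes in front of the asset owner.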
And, don’t leave out the ONE BIG HOLE so many companies fail to consider…End User Awareness Training…in fact, it might be wise to develop a quiz of some sort, and add a scoring system to show your asset owners where their data creators and accessors are with regard to security savvy.
Time To Deliver Results – Don’t Leave Out This One
You’ll need two reports to make this work: the executive summary, and the appendix. Who’s going to write this?
In most cases, your competition is only delivering the latter. Oh, they probably have a section in their 50-page document called Executive Summary…but how many executives are actually reading that section? Take a look and see if it looks like executive reading material. (Hint: the red light, yellow light, green light rating was a clever invention, but I don’t see CFOs acting on it.)
Executive summaries should be short, to the point, and easy for business people to digest. Check out Chip & Dan Heath’s book, Made to Stick, for some insightful tips on making reports consumable and memorable.
If you think your SME is going to write this document (the executive one), think again. This is an exercise requiring the skills of a copywriter – learn the skill or outsource it.
Important Factor: After All, You’re Liable!
Finally, make sure you get an audience with executive management during the initial stages and deliverable stages of your assessment. Insist on it! Don’t take NO for an answer.
After all, you’re liable in some sense. If your client gets hacked tomorrow, and you were in there today, someone is going to want to talk to you. If you’ve uncovered serious holes in the armor, and you were depending on IT to carry that message to the commanding officer, you just might be surprised to find out it didn’t really happen the way it was supposed to.
© 2017, David Stelzl