Wednesday, September 24, 2014

Don't Be A Solution Without A Problem

Technology people tend to be problem solvers.  We like to get our hands dirty, getting bits like grease under our fingernails as logs flow on the screen.  Problems are self-evident, must always be solved, and solutions are simple and straightforward.

For the business, talking to Technology is a little like showing up at a 10 minute oil change place.  They expect to be done in 10 minutes.  They want to do the minimum necessary to maintain their investment; today, it's an oil change.

Instead of just doing the oil change, the shop goes "above and beyond". They check tire air pressures, add windshield washer fluid, check the spark plugs, wires, and test the coolant.  They check mileage and compare to the maintenance schedule for the car.

Then there's a ceremony of pulling out the engine air filter and cabin air filter for presentation (they're always going to be dirty), with the explanation that the engine filter can have a huge effect on engine performance and efficiency and the cabin air filter ... well ... filters the air you breathe in your car.

(What they don't tell you is that most air filters work better mid-life.)

Like my lovely wife when she gets an oil change and is presented with a dirty, nasty-looking air filter that was replaced at the last oil change, the business feels ignorant and frustrated, not knowing whether this is a classic up-sell or something that really needs to be done.  The answer they give, regardless of what it may be, is wrong.

This is the problem.  We present solutions to problems our counterparts don't recognize or don't accept.  In other words, we present solutions to problems that don't exist.

Most businesses place emphasis on learning "business acumen".  As leaders, we're expected to be familiar with the financial drivers within the company so we make good decisions from the perspective of the bottom line.  As leaders, we are expected to know basics about human resources.  Purchasing.  Contracts.  Legal.

Unfortunately for technology and information security people, the same doesn't necessarily apply to our area of expertise; there's still (generally) a disconnect.  We are surrounded by self-proclaimed experts because they know how to run their PS3 blu-ray player, but they've only the vaguest idea why upgrading their FiOS to 50Mb/50Mb didn't make their games faster.

We end up in a position where we identify problems our counterparts don't sufficiently understand and propose solutions that mean little to those same counterparts except the feeling they [ impede business | cost too much money | create work | serve only to self-justify technology and security investment ].

I was recently on a conference call where many of my peers were talking about the problem of Sensitive Data and Data Classification.  There was a strong sense of "it's all about the data", a solid mantra every InfoSec professional should recite daily when they wake, and many felt it important that they get a program out and enforced.

The complaints, however, were that adoption was fractured, organizational involvement limited, progress slow, benefits difficult to realize.  Some companies couldn't even get people to the table to talk about the problem, let alone discuss a potential solution.

Data Classification is an intellectual topic.  Some companies don't have this problem - Intellectual Property is in their DNA; instead, they struggle with other problems.  But, even in those companies, the problem can take form; IP is lifeblood, other data types get short shrift.

It took some thinking after the call, but I realized we were missing the point.  We were providing an answer, but our peers didn't understand the question.

So let's make it practical - for everyone.

1) Start with the end in mind, but don't jump there.

The natural response: How do I control this?  What should I put in place?  How do I measure adoption and success?

Most of us intellectually, or instinctively, know the answer to the problems we face.  Although that's why many of us are in the positions we hold, going straight to the end of the road doesn't allow for anyone else to follow the path; you'll get there alone.  Start at the beginning, and help your peers reach the destination.

Remember: You can tell an executive, you can't tell an executive much.

2) The solution isn't always technical.

Sometimes the solution isn't shiny new technology - sometimes it's simple adaptation of business process.  Perhaps the solution will be to encrypt a sensitive data package, or perhaps the solution will be to eliminate the sensitive data from the package altogether - resolving the immediate risk while reducing long-term risk at the same time.  There may be low-cost and no-cost ways to mitigate risk and each must be weighed against the technical option and the potential disruption to process the technical solution may present.

This is even more important when working on control design.  Business processes typically define the control space, leaving the business process as the easiest and best place for control implementation to deal with residual risk.

3) Document for engagement.  Illustrate for ownership.

You could also say: Awareness requires action.

The best case for action on information security risks is the one that gives someone else understanding and ownership of that risk.  Otherwise, you're just trying to replace the air filter in a car when all they want is an oil change.

As frustrating as it may be, don't take the "just fix it" path.  Information Security is a system, not a check box on a form, and ownership is assuming responsibility and setting accountability, not point-and-click; "fixing the glitch" just leaves Information Security holding the bag.

Take the problem back to the individual(s) responsible for the business process and the data involved in that process.  Provide insight on the process and the risks that make the process a problem to be addressed, quantifying the likelihood and impact (any CISSPs out there?) to the extent reasonable.

Bottom Line: CISOs have a limited amount of political capital to burn pushing remediation without sponsorship, and doing so risks continued ownership of the problem and continued investment of political capital.  Information Security leaders best serve their interests through problem identification, business engagement, definition (transition) of responsibility, and partnership to resolution.

It is when the owner understands that their air filter is important, and the CISO shows the air filter truly needs replacing, that the opportunity for a strategic problem-solving partnership, and long-term resolution, can be found.

Tuesday, September 16, 2014

Suddenly, Autumn!

I've had the opportunity to live in many places across the US - Vermont, Virginia, Illinois, and now Texas.  Every place I go I hear the same thing: If you don't like the weather, wait 5 minutes and it'll change.

Summers in Texas tend to bring very consistent conditions.  Hot.  Sunny.  Convection oven breezes.  There's no "wait for it to change"; it simply doesn't change for 3 months.

This year was different, with the bulk of July avoiding any real resemblance of heat.  We even set some records for lowest highs with some places reporting highs in the upper 70s.  Seriously.  In a state where July usually means LOWS in the upper 70s, frequently the low 80s.

As cyclists, we were not just enjoying this, we were living it up.  It was wonderful.

Finally, summer arrived in August, and we've been seeing more "normal" temperatures.  With that heat came my typical heat-induced physiological failure: my performance guttered.  For 3-4 weeks, I suffered through having a short wick that burned far too fast, and dealt with much longer recovery times that reduced me to a single hard ride a week - and that ride was still soft.

Demoralizing, every year.  This year, it hit right as we came into the prime of the Texas road racing season, kicked off by Hotter than Hell.  Well, at least it continued to live up to its name.

August is the build up for the grand finale of the year, the Texas State Road Race Championships, ridden on Fort Hood outside Copperas Cove.  The heat played a double-whammy on me this year, waiting until August to shred my month of preparation going into my first "real" attempt to race (and hopefully place) in the Championship.

Tuesday and Wednesday brought a late-blooming heat wave last week, setting a new high temperature record on Wednesday (101F).  I had intended to reel back the effort on my ride Tuesday so I'd be rested for the upcoming weekend of racing, but the group was sprightly and I let myself get sucked into 25 miles of attacks, blistering pulls, and generally hard riding.

Cloudy skies on Thursday kept temperatures reasonable as I managed to dial back my effort in our group ride.  I took out the TT rig to make sure it was riding reliably before the second stage of the upcoming race: an individual time trial held on Saturday afternoon.

But as they say, if you don't like the weather, wait a bit.  It'll change.

And change it did.

Texas is amazing in one regard - the ability to have downright radical changes in weather in a very short period of time.  A few years ago at the Texas Time Trials the overnight countryside temperatures reached 32 degrees; we were freezing our asses off.  12 hours later, 4 in the afternoon, and it's 96 - with a 30mph south wind.

That was without fanfare.  More amazing is when fronts roll through, taking 80F to 50F in minutes.  Those tend to have a little more excitement - 60mph straight line winds, at least, as the front passes.

So this past weekend was the Coleman Chevrolet Stage Race held in Douglassville, TX, about 30 miles outside of Texarkana in the east Texas countryside.  And it was 101 on the Wednesday before.

But not this weekend.  Friday morning brought the sound of raindrops on our skylight as we awoke.  It was downright chilly as we drove to work that morning.   WOOHOO!

We were fortunate to have perfect weather conditions all weekend, with highs in the upper 70s and lows in the upper 50s or low 60s.  You couldn't ask for a better race weekend.

This coming weekend is the Texas Time Trials, where I plan to ride the 6-hour solo "upright" (non-recumbent) event.  TTT is technically not a "race" per se, although the promoters make that mistake on occasion.

That said, I have, or had, designs to chase the course record, but again Texas weather will likely get in the way: we're going to get heavy rain Saturday afternoon.  Looks like I'll be taking precautions to ensure I have a safe ride.

I have a State Road Race Championship to prepare for.