Articulating the Value of Security…
It’s an uphill battle to convince the decision-makers in any business that they need to invest in security. Why? Because deep down, all professional businesspeople think security is an annoying layer of cost and inconvenience.
If you walk in and tell them, “We need more security,” they hear, “We need a more annoying layer of cost and inconvenience.”
Getting the buy-in for security products and services today means understanding what drives your company’s security purchase decisions—basically, what is going on in the mind of your bosses. Fear, uncertainty and doubt are not the cleverest tools to use anymore. The security industry is undergoing changes as it adjusts to the convergence of IT with physical security, and businesses are changing, too. Now businesses want something that sometimes seems like a foreign concept to the security profession: value. If you don’t adapt and start answering the questions your business is really interested in, you’ll never get the green light on new projects and upgrades.
Remember, nobody wants security; they want the benefits of security. That means that the housewife doesn’t want the finest deadbolt on the front door because of the excellence of its engineering or its impact resistance. She wants a comfortable, happy place to raise her family.
Businesses also want something other than security. If a bank manager has a mandate to reduce expenses related to bank tellers, she has a couple of options. She could fire all the tellers and lock up all the bank branches, but then the bank would have no interface with its customers. Or she could take all the money, put it in piles on the street corner under a clipboard that says, “Take what you want, but write it down so we may balance your account.” That wouldn’t work either, obviously.
The best solution for reducing teller expenses is to take the money, put it on the street corner locked in a box with a computer attached, and give customers a plastic card for authentication and auditing.
Security was never the point. The bank had a business objective and achieved it by using some security. That is how we all should think of security: as a way of helping our companies achieve the goals or value they seek.
Business managers, especially executives at the highest levels of an organization, have a very simple view of security: It is a tool in the corporate toolbox for enabling business. But they don’t even think of it as security.
The manager responsible for an online ecommerce business wants a few things. He wants to know who is using his Web site. He wants to ensure that each one can do everything on that site they need to do. He has a lot of people doing a lot of things, so he needs an easy way to manage it. And at the end of the day or the end of the quarter, he needs a report that tells him what has happened so he can improve customer satisfaction, reduce errors and increase profits.
In that example we have all four fundamental categories of security—authentication, authorization, administration and audit—but the manager doesn’t think of security once! That’s because security is not the point.
Focus on Value
I have suggested many times that, whenever possible, security professionals should purge the word “security” from their vocabulary. Instead, answer the questions inside your boss’s head, and don’t simply spout the ways security keeps bad things from happening.
Your upper management thinks in terms of money, not security. What people will be needed? What headcount can we reduce? How much will it cost? How much will we save? What new revenue can we earn as a result of this investment? And they think not in terms of security risks, but in terms of credit risk, market risks and operational risks. That’s where you can shine.
One U.S. company spent $35 million on physical security upgrades after 9-11, and $4 million on IT security upgrades. Last fall they failed their Sarbanes-Oxley audit because of poor security. How? Visitors were given a badge for the day, but they could still walk unescorted past cubicles with unattended computers logged into financial systems. At that moment the audit no longer had confidence in the integrity of the numbers. Anyone could have moved a decimal point or added a zero.
If you know your facilities need more security, tell your managers how it will help them measure or achieve compliance to regulations like Sarbanes-Oxley: You audit employee behavior, or lock up financial systems, or shred financial documents, or do background checks, or secure backup tapes. For any business problem, you should be prepared to help your management identify the ways that the authentication, authorization, administration or audit solutions you’re proposing will solve their problem, or help customers make the gains they hope for.
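The audit failure described above comes down to one checkable condition: a workstation logged into a financial system sat unlocked and idle while an unescorted visitor was on the floor. The following is an added example (not code from the original article or from the company it describes) of the kind of evidence an auditor would accept in place of assurances. It correlates two constructed, made-up data sources, workstation session events and badge-reader events, and reports every window where a session stayed unlocked with no activity beyond an idle limit, noting which visitor badges were in the building at the time. The log formats, host names, badge IDs and the 15-minute limit are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article). Assumed format for both
# logs: "timestamp,location-or-host,identity,event".
SESSION_LOG = """\
2011-05-02T09:00:00,fin-ws-01,jsmith,login
2011-05-02T09:05:00,fin-ws-01,jsmith,activity
2011-05-02T09:40:00,fin-ws-01,jsmith,activity
2011-05-02T09:41:00,fin-ws-01,jsmith,logout
2011-05-02T09:10:00,fin-ws-02,akhan,login
2011-05-02T09:12:00,fin-ws-02,akhan,activity
2011-05-02T09:20:00,fin-ws-02,akhan,lock
2011-05-02T09:55:00,fin-ws-02,akhan,unlock
2011-05-02T10:30:00,fin-ws-02,akhan,activity
"""

BADGE_LOG = """\
2011-05-02T09:15:00,floor3-east,VISITOR-0042,entry
2011-05-02T09:50:00,floor3-east,VISITOR-0042,exit
"""

IDLE_LIMIT = timedelta(minutes=15)  # assumed screen-lock policy threshold


def parse(log):
    """Split a log into (timestamp, where, who, event) tuples."""
    rows = []
    for line in log.strip().splitlines():
        ts, where, who, event = line.split(",")
        rows.append((datetime.fromisoformat(ts), where, who, event))
    return rows


def unattended_sessions(session_log=SESSION_LOG, badge_log=BADGE_LOG,
                        idle_limit=IDLE_LIMIT):
    """Return windows where a workstation sat unlocked with no user activity
    for longer than idle_limit, each annotated with the visitor badges whose
    entry/exit span overlaps that window."""
    # Visitor presence: badge -> [entry_time, exit_time]
    visitors = {}
    for ts, _zone, badge, event in parse(badge_log):
        if badge.startswith("VISITOR-"):
            span = visitors.setdefault(badge, [None, None])
            span[0 if event == "entry" else 1] = ts

    # Group session events per host, since hosts interleave in the log.
    by_host = {}
    for row in parse(session_log):
        by_host.setdefault(row[1], []).append(row)

    findings = []
    for host, rows in by_host.items():
        rows.sort()
        unlocked, last_ts, user = False, None, None
        for ts, _, who, event in rows:
            # A gap between events while the console is unlocked is idle time.
            if unlocked and ts - last_ts > idle_limit:
                start, end = last_ts, ts
                present = sorted(
                    b for b, (entered, left) in visitors.items()
                    if entered is not None and entered < end
                    and (left is None or left > start))
                findings.append({"host": host, "user": user,
                                 "idle_from": start, "idle_until": end,
                                 "visitors_present": present})
            if event in ("login", "unlock"):
                unlocked, user = True, who
            elif event in ("logout", "lock"):
                unlocked = False  # locked time is not unattended time
            last_ts = ts
    findings.sort(key=lambda f: f["idle_from"])
    return findings


if __name__ == "__main__":
    for f in unattended_sessions():
        print(f"{f['host']} ({f['user']}) unlocked and idle "
              f"{f['idle_from']:%H:%M}-{f['idle_until']:%H:%M}; "
              f"visitors present: {f['visitors_present'] or 'none'}")
```

On the sample data this flags two windows: fin-ws-01 idle for 35 minutes while VISITOR-0042 was on the floor, and fin-ws-02 idle for 35 minutes after being unlocked, with no visitor present. Note that the locked interval on fin-ws-02 is correctly ignored, and that a session with no event at all after its last activity is not reported; in practice you would also compare against the log's end time or pull a live session list.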
Remember, it is not our job to secure the building. Our job is to secure the business.
The last time business managers were worked into a tizzy about “Mobile,” we called it Mobile Computing or Mobility and we talked about remote workers, laptop computers and USB memory sticks (thumb drives). Organizations routinely provisioned employees with both, and employees routinely wanted to use their personal laptops and USB sticks for business use. Therefore, companies had to deal with a mix of business and personal mobile computing devices. In those days Neohapsis recommended that its clients create strong “personal use” policies, promote awareness of the risks, and deploy technology measures to mitigate some of those risks. Today’s mobile discussion is similar in theme but quite different in details.
Mobile no longer merely means mobile computing or mobile workforce. Its common use now includes social networking, mobile websites, mobile apps, new messaging and communication platforms, photos, crowd sourcing, and videos used for personal and business reasons on a vast range of technologies including home PCs, corporate workstations, laptops, smartphones and tablets on the business network, the home Internet connection and in the Cloud.
The technology ecosystem of Mobile is vast. Phones, cameras, PDAs (like the iPod Touch), portable storage devices (external storage, iPods, memory sticks) and tablets are all included, but so are computers, servers and entire data centers. The glue that connects all of these systems in the Mobile conversation is simply one thing: the Internet. Mobile touches nearly every aspect of your IT environment.
So what does a business manager need to know in order to approach Mobile with reasonable security? That is the subject of Neohapsis Labs’ newest paper: The Secure Mobile Enterprise. Download it here.
Being a thought leader is a really hard job. I’ve been doing it for so long it’s second nature. But for those of you who wish to know the secrets of thought leadership, check out this video by Chris Eng, and maybe you can become as cool as me.
My colleague, fellow Neohapsis researcher Michael Pearce, wrote a great article about smart phone platforms (iPhone, Android, Blackberry). He argues that you should give the recipient the platform appropriate for his or her level of security savvy. I love that.
He writes, “Security and control are some of the main selling points of Blackberry, with the ability to completely encrypt data, tightly control what is done with the device, restrict what individual applications can and cannot do, require tunneling of any and all internet traffic through the company’s servers, control apps and much more. The downside is that this control comes at a cost, and the ease of management to keep your device secure can be time consuming for a non-enterprise user.”
See the rest of his comments about Blackberry and iPhone and Android in the full article.
In recent years the company has been doing more in the physical security arena, such as assessing the security robustness and durability of physical security products, like electronic locks, IP video cameras and other physical security devices.
Kevin Mitnick’s story will give new meaning to your understanding of security & business – Book Review
Ghost in the Wires: My Adventures As the World’s Most Wanted Hacker, By Kevin Mitnick
Book Review by Steve Hunt July 2011
Kevin Mitnick taught me how to play blackjack in Las Vegas. He sat next to me at the Golden Nugget and coached me while I played. I won several times and walked away $400 ahead. He lost about that much. He just didn’t know when to quit. As I read his memoir, I would sometimes shout out loud at the pages. “Kevin, what are you DOing?! It’s time to quit!”
Ghost in the Wires: My adventures as the world’s most wanted hacker is the complete story from Kevin’s point of view about his life of hacking and running from the law.
In the book, Kevin speaks with disarming frankness about his parents, his home life, his girlfriends and friends. He makes no excuses – leaving the reader free to assume root causes of his behavior. Maybe it was the parents’ messy divorce, Kevin’s strained relationship with his father, the abuse he suffered from Mom’s boyfriends, betrayal by his friends. However, one thing shows Kevin’s character more than any other. He does not blame anyone. He takes full responsibility for his actions and obviously sees things from others’ points of view.
That clarity and ability to connect with people is doubtless one of the reasons he was so successful deceiving people using a technique known as social engineering. Law enforcement and the press absurdly painted him as a monster with magical, diabolical skills. But ultimately it was his humanity that allowed him to connect to people and get what he wanted. He deceived people, to be sure. It was his stock-in-trade as a hacker, but it also yielded many insights he shared with us in his best-selling book The Art of Deception.
When I met Kevin Mitnick for the first time, he struck me as nervous, humble and self-deprecating. He had just been released from prison and was still under very tight probation in Las Vegas. I was hosting a conference on behalf of my employer, Giga Information Group. Kevin was our keynote speaker – his first speech in public ever. As I got to know him, I saw he was very bright, funny and forever playful.
A year or two later, I arrived in Athens, Greece to speak at a conference where Kevin was the keynote speaker. I checked into my hotel that evening, exhausted from a full day of traveling, and fell right to sleep. At about 2 am my room phone rang. I grabbed it and mumbled, “hullo?” The voice at the other end said “This is the front desk. There is a problem with your credit card. You need to come down right now and see the manager.” I said, “It’s the middle of the night! I’ll come down in the morning.” The voice said very firmly, “Sir, you must come right now and re-process your card. The hotel is very full and if you cannot pay we have to make the room available for others waiting in line.” “That’s outrageous!” I said, now finally waking up and getting mad. Softening a bit, the voice said, “I understand sir, perhaps you could just read your card number over the phone.” I grunted, grabbed my wallet and started reading the number, “3715 4118 6…KEVIN!!!!!” That’s when he broke character and busted out giggling.
His skill at manipulating people and computer systems made him a great hacker. By that, I mean “hacker” in the original sense of someone seeking the limits of a system. His inability to stop made him a great criminal. By that I mean his crimes became a great challenge to a law enforcement infrastructure, including the FBI, poorly prepared to understand his crimes. His years as a fugitive made him a great story. Meaning he became both a folk hero to legions of computer experts and hackers who understood him and an arch villain in newspaper articles, in the New York Times and elsewhere, determined to sensationalize him and his crimes.
The story of Kevin Mitnick as the world’s most wanted hacker is funny, exciting, sad, and sometimes horrifying – especially as we read how the courts so grossly misunderstood his crimes and thereby punished him in some ways worse than the most heinous mass murderers of recent memory. Here lies the critical aspect of Kevin Mitnick’s story. Computers, networks and the Internet were so mysterious to people outside of the geek or IT subculture when Kevin was hacking that people were afraid of the unknown and needed someone or something to take their fear away. Kevin was a sacrificial lamb to his accusers, many of whom needed to defend their pride, and to the public, who loved seeing a villain take a fall.
Like other sacrificial lambs, Kevin Mitnick also became a symbol. To the hacking underground he was a freedom fighter. To us in the security profession, he was a manifestation of the enemy, the “threat.” To law enforcement he was a catalyst for changes in law and improvements in technological savvy. For all of us, though, he elevated the conversation about risk management. Before Kevin, data security was all about control. If we ever lost “control” of data, we felt as though we “lost” it altogether. That mentality still exists and is common in discussions of data leakage today. The lessons we learned since Kevin’s adventures on the wires, however, bring us to a much more useful and business-oriented view of security and risk management. Security — control — is not the point. No business executive wants security. He or she wants business to run efficiently and effectively, no matter what else is going on. This idea of robust business process is the new view of security and one built firmly on the foundation of Kevin Mitnick’s hacking. Kevin proved to us that “control” of data is not the point. “Securing” the network is not the point. Resilience is the point. Securing the “business” is the point.
The myth of Kevin still haunts many people in technology, business and law enforcement. But the myth is all we’ve had till now. This memoir finally gives us the man, Kevin Mitnick, whose adventures as the world’s most wanted hacker bring us to a very human view of the intersection of technology, business, law and security.
You are invited by Steve Hunt, noted industry analyst, to attend a special reception in midtown Manhattan on Monday, July 18, 2011 4:30-7:15 pm.
Food, Fun and Giveaways – Better Metrics, Best Practices and New Technologies
The most successful security directors have evolved into business executives. They do that by mastering one important principle: Understanding that the “stuff” of security is data. Event logs, alarms, video streams, door and network access, identities and privileges are all data that may be organized into information and then put to use as business intelligence. A security executive becomes a business executive when he or she successfully measures and communicates the value of security initiatives.
SecurityDreamer events are your opportunity to learn the newest and most successful methods for running a security program like a business unit. Steve Hunt’s techniques, developed over many years as one of the world’s top technology consultants, will transform how any CSO, CISO or security director manages IT or physical security up the ladder and down.
Enjoy wine and hors d’oeuvres while networking with your peers. Steve will share his recent research gleaned from hundreds of end user interviews. You will have an opportunity to learn about new techniques for calculating and communicating the true value of a security project, and ways to motivate your employees to optimal performance.
If you’d like an invitation, tell me a bit about yourself in an email to firstname.lastname@example.org
Space is very limited, so you’ll have to hurry.
About Steve Hunt
Steve Hunt, CPP CISSP, is an industry adviser, futurist and consultant whose career has spanned the breadth of the security industry: physical, homeland, corporate and data. He was inducted into the ISSA Hall of Fame in 2009 for his achievements in IT security, and named one of the 25 most influential people in the physical security industry (Security Magazine). Steve Hunt ran the security and risk management think tanks at Giga Information Group and Forrester Research. As a recognized expert on best practices, security trends, and emerging technologies, Steve has advised hundreds of the world’s largest organizations.
Steve is a frequent speaker at business and security conferences around the world. His analysis has appeared on CNBC, Fox News, CNN and in the Wall Street Journal, Financial Times, The New York Times, Business Week, and other global publications. Steve’s diverse background in security lends a fresh perspective on the industry.
Steve authors the popular blog SecurityDreamer.com
Follow Steve at www.twitter.com/steve_hunt
Thanks to the editors at Security Magazine who featured an excerpt from my recent research on CEOs’ perceptions of security executives. You can find the analysis on page 20 of the May 2011 issue.
Among the findings, I report that CEOs are frustrated by the lack of business acumen of most security and IT directors. Misuse of ROI is one of the most common failings of technology managers. ROI is designed to measure the delta between apparent costs and apparent benefits, but is unsatisfactory at measuring the degree to which a specific investment achieves a specified goal. In other words, you can buy the product with the biggest ROI and still not solve the problem you hoped to solve with it.
If this rings a bell, let me know and I’ll direct you to some better methods for measuring the value of a technology investment.
From the “Least Surprising Developments” file, the acquisition of Proximex by ADT Security Services was announced this morning. Why did this acquisition, or something like it, absolutely have to happen?
ADT Security Services has been very intentionally (if haphazardly) adding wider and deeper services related to security monitoring. If you look at PSIM (physical security information management) clearly, you see it as a set of technologies for more efficiently responding to events, as opposed to merely recording events. That mission has been the stated objective of ADT for some time. Of course ADT would want to buy a PSIM vendor to put some consistency in its otherwise hodgepodge security offering. The question is which one? NICE is too big, publicly traded and not looking to spin out its PSIM product, Situator. One down. CNL has many good points, but not enough customers to prove its versatility. VidSys might have been a good choice. It would likely have been considerably more expensive to acquire, in light of its market penetration and VC funding, but what a boon it would have been for ADT mind-share in the Commercial space.
What about other PSIM contenders? There are some vendors that are not fully committed to the PSIM architecture and newcomers trying to make their name, but trial by fire in real life customer deployments bubbled Proximex and a few others to the top of ADT’s short list. ADT probably looked at Proximex and saw a technology and brand that was just sexy enough and the price was right.
That leaves the question of why would Proximex want to sell. Proximex, like other PSIM vendors, was not growing at the rate its investors (most notably Proximex’s Jack Smith of Hotmail fame) assumed or hoped. There are many reasons for that lack of growth in the PSIM world: misleading and confused marketing, misaligned pricing strategies, missed technology opportunities, poor channel partnerships, and of course challenging market dynamics and fickle customers. For example, when an investor puts a ton of money in a commercial technology, he’ll be inclined to sell it at a high price. Selling something at a high price means marketing it as an “enterprise solution.” An Enterprise Solution requires extremely mature and rich technical functionality, driving more expensive product development and constantly dissatisfied customers. You see? Greedy eyes create an impossible spiral for a fledgling technology segment like PSIM.
I’m happy with the ADT acquisition, and so are my end-user clients, who nearly every day tell me another example of how PSIM technology helps them or would have helped them run a more efficient and effective operation. ADT will find a delighted customer base.
I interviewed New York City Department of Transportation Commissioner Janette Sadik-Khan at the ribbon-cutting ceremony launching the new Joint Transportation Management Center in Long Island City. The Commissioner is an articulate advocate for collaboration between government agencies and between public and private sector. In this interview she describes the role of technology for making streets and roads safer and less congested.