22 April 2012

WHO ARE YOU PREACHING TO ANYWAY?...

I recently was privileged enough to be asked to present at a merchant forum in London. Interestingly, the intended recipients had been very much in the driving seat since they had selected the topics themselves. After my previous posts (Part 1 and Part 2) on connecting the dots between information security, risk and fraud, you can imagine my pleasure that I, alongside my fellow speakers, was asked to do just that... A delightfully interactive audience, some very interesting chats at the breaks and the recent buzz about the value of security conferences prompted me to share some thoughts on how actively to engage with your stakeholders and get the results you need...
Down memory lane...
Four years ago, when I started on this crusade, I inherited a very specific audience. The industry push on PCI DSS was starting to be felt and organisations decided they ought to know a bit more about it. Enter the reluctant software developers, IT managers or network security engineers who’ve been told that they’d better get clued on and report back so the higher powers could decide the next course of action. So what did they do first? What everyone does: Google and find the PCI SSC site, try to make sense of the documentation (Oh my gosh, it’s an American standard!), talk to people who are just as clueless, attend technical conferences and webinars, read white papers and get approached by vendors swearing they’ll make you compliant. They soon came to the conclusion that it was something complicated to do with security their organisation had to comply with lest they suffer The Financial Penalties. So the message went back up the line: it’s very complicated and terribly technical (trust me, I’m a specialist...), needs a lot of investment (shiny new boxes!) and you have to do it otherwise the acquiring bank will strike you down... This is 2008, and the audience I regularly address wants to hear about the 12 requirements, so I tell them. I also tell them about non-compliance and data breach fines and associated fraud losses. This is not popular and I encounter two types of organisations. Those where the Finance Director thinks that they’ve done very well so far and that they really don’t believe anything could happen to them because they have brilliant IT teams (you know what, I’ll take that risk, because I don’t believe you, and I haven’t seen anyone suffer yet...). The other type is where the IT Director is influential and sees this as a way of securing investments in shiny new tech under the sacred banner of “mandatory/regulatory” (often with no relation to PCI DSS). 
At the same time, non-compliance fines started to rain on the acquiring community and this was being felt, with outrage, by merchants. A whole industry was born (well in the UK anyway, as it started a bit earlier than that in the US, but the principle is the same).
2008 RESULT: PCI DSS is technical, standalone, very expensive and unpopular. Organisations don’t really understand why they have to do it, many projects fail and much money is spent. No connection has been made with other similar areas of the business (e.g. information security, data protection). The perceived stakeholders are the techies. They attend security conferences because they need to understand more about what they think they need to do and see what tech is available to achieve it. At the same time, the CSO and CISOs concentrate on controls and policies and are seen as “business preventers” (see earlier post). So the techies want to learn, that’s great, because we need them on board, so we all keep catering to this audience. But in 2008, I also wished I could talk to the decision makers that were not involved in technology to try and show them that infosec could really benefit their business, but they were simply not interested (and data breaches hadn’t made it to mass media notoriety yet...)
Fast forward to 2011-2012...
Well, we all know 2008 turned out to be a big year for data breaches (in fact, as big as 2011 according to DataLossDB.org) and we all felt it one way or the other. This contributed to raising the awareness of cybercrime in the ensuing years, at all levels. Unsurprisingly, the audience at the forum I mentioned in my introduction included Risk, Fraud, Finance as well as Security professionals. Uncannily, have you noticed that there has not been a new Mordac strip since 2010?
Mordac May 2008
I am a firm believer in popular culture as a good barometer of socio-economic concerns...
So what happened since 2008 that contributed to this change of attitude?
  1. Data breaches, lots of them (public attention - Boards questioned their IT: “can it happen to us? Make sure it doesn’t”).
  2. Fines and financial penalties, lots of them (FDs and Treasury suddenly paid a lot of attention, and for those that were breached, they paid even more attention).
  3. Everybody talking seriously about Risk Management since 2010 (I don’t mean just infosec professionals, I mean everyone, and the current economic climate contributed to that).
  4. More and more industry conferences dedicating slots to security related topics (Finally, I get invited to them!). Having said that, I had to organise a few of my own industry sector conferences to target this new audience, but it paid off in the end. The trick: 1) don’t talk tech to business people (don’t even try) and 2) explain how you can help in their own language (which is usually income or turnover related).
In the meantime, hard core security conferences continue to happen and continue to be successful, and long may it continue. We still need the techies to make sure we have the right tech to support the people and processes in our businesses. We also need the techies to try and keep ahead of the bad guys. One thing I would suggest, however, is that, in the same way infosec/risk/fraud professionals want to talk at business conferences, security conference organisers should think about inviting business speakers so they can explain what’s important to them...
Going back to my introduction of this post, I was having a chat during the break at that forum, and a good friend said to me: “I have the buy-in of my Executive Committee, that’s not the problem. My problem is all those developers that are paid and measured to deliver business applications on specific deadlines, and they really don’t want to hear about security matters that might delay their projects...”. Here we go, another income/turnover related problem... Let’s examine it.
How to contribute to business development...
Situation: my company wants to develop a new mobile application. The business case suggests that it will deliver x income over y years.
The first question to ask is: Have you (as an infosec/risk/fraud professional), been involved in the development of that business case?
If you have, good. You have hopefully incorporated all the (financial) metrics of security by design (rather than as an afterthought) and everyone understands the cost of bolting on or retrofitting security/fraud prevention compared to building it in (and let’s not forget the cost of remediation should anything go wrong, and important regulations – existing or coming during the lifetime of the product).
If you have not, here lies the problem. Why have you not been involved? Maybe you haven’t yet convinced the people that matter. Who was the accountable executive? Whether this lies with Sales, Business Development or Marketing, your task is the same. Try to understand the objectives and the pain points they are trying to address and the pressures they are under. You will always be able to come up with a mutually acceptable plan if all sides understand each other and no one wants to 1) be in the news for the wrong reasons 2) suffer fraud for lack of adequate controls 3) take unreasonable risks. After all, the developers that are not listening to you are accountable to these people... Convince the top, the rest follows, unless the top didn’t really mean it... And yes, the Chief Marketing Officer may not want to talk to you, but have you shown him what some fraud monitoring tools can do for web session behavioural analysis or how he could use security as a USP for mobile apps?...
So who are you preaching to, really?...
Well, the techies need to continue attending those security conferences, because we need them totally aware of what’s out there. Security professionals need to continue looking at risk management and get closer to fraud professionals and vice versa. Security conferences should invite business people and industry/verticals/segments event organisers should invite more and more security/risk/fraud people... Just mix it up and make it happen... We’re all part of the business.

Until next time...