Ken Kojima, CISO, CA Department of Corrections and Rehabilitation
While traversing the roads of information security leadership and executive management, I was constantly reminded of proverbial phrases meant to help me navigate the path. Among the many to choose from, I distinctly recall “empower the workforce” and “model the way” as two that stood out and were simple to remember. Modeling the way was rather easy to embrace during day-to-day operations: show up, engage in respectful discussion, and when present…be present. That may oversimplify an important subject, but it was pretty clear what type of behavior one should expect from staff and leadership. But what about “empowering the workforce?” Inherently, I believe that empowerment needs to include trust, and within an industry that is often surrounded by well-placed distrust, that is not so simple.
Trust, but Verify
Ronald Reagan, on several occasions, quoted the Russian proverb “trust, but verify” during a time in which the US and the then Soviet Union were discussing nuclear disarmament. I experienced none of those occasions as they happened; I was in grade school and paid little if any attention to politics. The phrase embodied the tone of that time: trust those with whom you are working, but also establish a way to mutually validate each other’s trustworthiness. In any occupation where security is emphasized, the goal is to allow staff to do their work and to establish proper audit mechanisms so their actions can be verified when necessary.
Verify, then trust?
So in an age where security leaders should be constantly making their staff aware of threats, what kind of advice are we actually trying to instill? Let me try to illustrate. As security experts, we continually caution employees against clicking strange links, opening suspicious emails, and providing information to the “wrong” people. The intent is to train employees to be more cautious so that malware incidents are prevented before they start; so does that mean verify, then trust? Should they trust the email that the Information Security Officer just sent, or is it a test? The reality is that, quite commonly, after I send out “helpful tips” or “security alerts” that contain embedded hyperlinks, I get a handful of “trained” employees who do verify prior to clicking. My question is, what about the other 50,000 or so: did they not get trained, or are they clicking everything? Verifying everyone is unreasonable, so finding the balance is the key.
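What “verify prior to clicking” can look like in practice, as an added example that is not part of the original post: the script below parses the anchors out of an HTML e-mail body and flags the things a careful reader checks by hand, namely a link whose visible text names one host while the href points at another, a target host that is not one of the organization’s own domains, and a plain-http link. The sample message and the trusted-domain list (example.gov) are constructed for this example and are assumptions, not data from the post.

```python
"""Flag hyperlinks in an HTML e-mail body that a careful reader would
want to verify before clicking.  Added example; the sample message and
trusted-domain list below are constructed, not from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample "security tip" e-mail with three links.
SAMPLE_EMAIL_HTML = """
<p>Reminder from the Information Security Office.</p>
<p>Review the policy at <a href="https://intranet.example.gov/policy">intranet.example.gov/policy</a>.</p>
<p>Reset your password here: <a href="http://login-example.gov.evil.test/reset">https://login.example.gov</a></p>
<p>Contact <a href="https://helpdesk.example.gov">the help desk</a> with questions.</p>
"""

TRUSTED_DOMAINS = ("example.gov",)  # assumption: the organization's own domains


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _with_scheme(url):
    """urlparse needs a scheme to split out the host; add one if missing."""
    return url if "://" in url else "http://" + url


def host_of(url):
    """Lowercase host of a URL or of a bare 'host/path' string."""
    return (urlparse(_with_scheme(url)).hostname or "").lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True if host is a trusted domain or a subdomain of one.  The suffix
    must match exactly, so 'example.gov.evil.test' is NOT trusted."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Return (href, visible text, findings) for every anchor in html;
    an empty findings list means nothing looked wrong."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        findings = []
        target = host_of(href)
        if not is_trusted(target, trusted):
            findings.append("target host not in trusted domains")
        # Only compare when the visible text itself looks like a URL/host.
        if "." in text or "://" in text:
            shown = host_of(text)
            if shown and shown != target:
                findings.append("visible text points to a different host")
        if urlparse(_with_scheme(href)).scheme != "https":
            findings.append("not https")
        results.append((href, text, findings))
    return results


if __name__ == "__main__":
    for href, text, findings in check_links(SAMPLE_EMAIL_HTML):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{text!r:40} -> {href}: {status}")
```

The second link in the sample is the one a phisher relies on: the text reads as the real login host, the href goes elsewhere, and the lookalike host ends in a suffix that merely contains “example.gov”. A suffix check that is anchored on the dot boundary catches it; a naive substring check would not.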
How much trust should security experts place in new technologies being marketed by private vendors? How do you know whether a security technology, appliance, or product is the right solution and does what it claims? How will you navigate this path of cutting-edge technologies when the science used to build them was not even a formal degree offering when you attended university?
Technology conventions or “product showcases” tout the latest and greatest security solutions, and I often gather a great deal of information within the space of about a city block. On the west coast we have RSA in San Francisco, BlackHat in Las Vegas, and Gartner Catalyst in San Diego, historically known as a wealth of knowledge on how to solve strategic, tactical, and operational problems with appliances, software, and services. Although I have yet to attend Gartner due to timing, I’ve attended both RSA and BlackHat and had the pleasure of examining industry offerings and seeing what bleeding-edge solutions are being showcased. In both cases, while looking to potentially enhance the security solutions within my own organization, the question I kept asking myself was, “what is the problem I’m trying to solve?”
While spending hours on the convention exposition floor and viewing (not attending) the long list of training opportunities offered during the conventions’ daylight hours, never once did I feel like I had discovered a problem that needed immediate attention or demanded a sense of urgency. I mostly consumed sales pitches about how products would make operations more efficient or advance my strategic roadmap goals. Even if a solution was going to solve a problem, how do I know a) it’s a problem I need to address, b) the solution will actually solve my problem, and c) I need to solve it now?
The local or national news is a great source of “problems.” Folks can tune in each night to see the issues that plague the nation, state, or city, depending on which broadcast they choose. Apps such as NextDoor let locals within a community become aware of problems through social media, with mixed results. To be properly prepared, most people need to know which issues are a problem so they can choose to take action. DefCon is the “news” for cyber and information security issues. Demonstrations show you how official voting machines could be compromised. Hackers show how malicious code can be injected into web pages to gain access to sensitive and restricted data through unforeseen code vulnerabilities. Packet hackers explain why data transmissions should always be encrypted. This particular convention shows you which problems are exploitable and where exactly the vulnerability lies. We need more conferences and conventions that show security personnel what the problems are and where the weaknesses exist, so organizations can choose to take action.
Show People the Problems
Once the security community understands the problems that need to be solved, security leaders and experts can focus on specific efforts rather than struggling to figure out what needs to be addressed. Especially given the stories of “snake oil” presentations at BlackHat 2019, I feel that more demonstrative security conventions, rather than product-centric showcases, will help educate the community on the simplicity and impact of prevalent cyber threats and allow organizations to determine what impact such threats could have on their future. It is an effective method that has been used in motor vehicle education (seat belts), cigarette packaging (cancer), and the correctional system (“scared straight”): show people what can happen if something doesn’t go as planned, and then show them what to do to prevent it from happening.