The Power of "Play"

One of the recent things I've sat back and thought about is the dramatic impact "Play" has in our workspace.  Specifically, when engineers are tasked with work, the concept of "Play" or fun has a much different meaning than in other work cultures.  The ability to derive "play" or "fun" from the work activity itself is bound to the overall ability to technically solution something.  When these things are removed, even the overall accomplishments of the team fall by the wayside and the individual is left with a sense of lost identity.  More to the point, their identity and value are commingled with the ability to produce technical solutions.

As managers of information security organizations, our main task is to secure the enterprise.  This combines a couple of things.  First and foremost, what are the overall risk areas of the enterprise and what are our solutions?  Second, how do we prioritize those risk areas within the management constraints that are placed upon us, i.e. capex/opex funding, labor capability, labor skill sets, political headwinds, threat vectors, etc.?  Against this, the focus or priority of "Play", in this context, takes a significant back seat.  Most notably when we drive toward vendor solutioning that takes the "Play" completely out of the picture.

In thinking this through, I believe there can be a balance.  We can have key projects that allow for "Play", which will reinforce the team's overall technical identity as well as provide appropriate solutioning.  In addition, we can do this in concert with the vendor or non-technical governance models we put in place.  Instead of having it be an afterthought or "pet project", which never really works, we need to make it a core function of how we manage the risk-to-solution process, both raising the bar for the identity of the team and bringing that "fun" to the culture.

S3 Survey Results

Well, it only took me a month from sending out the first email to finishing the report.  Lots of lessons learned in doing this survey, and all of them fun.  I have to say it was the best way to get reconnected to all of my peers and everyone else in the industry in a long time.  Next time I'll do the survey over drinks in SF.

The results were interesting and refreshing.  A survey that focuses not on the threats but on how we manage security internally, and that hopefully identifies some key areas of lessons learned, was what I was looking for, and I got it.  I'm really interested in your thoughts and feelings on this, as the second one will be more mature and include all of the feedback that I've gotten so far and will get.

You can find the 2011 S3 results HERE!

Survey Says!!

I've been debating for a while and am thinking of doing some surveys that focus on how we actually manage our environments.  I've posted in the past about how cybersecurity surveys are poorly done or are very focused on showing a problem but not very scientific.  What are your thoughts?  Are we too inundated by surveys, or are we just inundated by poor ones?  If you had a chance to ask one question of CISOs across the globe, what would it be?

Security Theories Part 1

In going over my past posts, I realized that I never talked about the governing theories that drive the management of security.  I've talked about a sub-component of them but never started from the top.  I've also stated that I would write about it in my paper (see utter failure due to vacation between jobs).  In the spirit of me never really getting to that paper, I've decided I will start talking about them in bite-size blog posts.

We have a bunch of problems in the industry and need a better model for solving them than what we have today.  More importantly, there is no proper theory that drives down to a methodology and all the way to a programmatic model.  Seven years ago I was banging my head against the wall trying to figure out how to get out of a highly reactive function into one that was more predictive.  The result was the development of my Risk Management model.  In the past couple of years, the focus on the people aspect of the problem has driven me to a complementary model around the metaphorical aspects of "security".  Both of these efforts have led to the two models (Equilibrium and Risk Management) that I use today.  There are sub-components to each of them; however, for right now we need to start from the top.

Equilibrium Model and Risk Management Model

The Equilibrium Model is based on the need to get a firm handle on two aspects of perception.  The premise is that security is about balancing "threats" with mitigating "controls".  Yet we do this based on the perception of the need for those controls relative to the threats.  More importantly, it's not our perception that is ultimately important.  For the most part, it's the business's perception that matters.  The most significant failing is that I've rarely seen any security organization even attempt to figure out what that perception is, let alone manage it.  As a secondary point, we can't change the threats or the controls to any great extent, but we can change perception.  If we know where the perception level is regarding specific things, then we can focus on marketing our belief to those individuals to change it.  As a result, we can increase the adoption of more stringent controls as they come around to our perception.

The questions or areas of focus in establishing balance are:

  • Allowed Financial Loss
  • Allowed Public Vulnerability
  • Allowed Public Data Disclosure
  • Allowed Availability Loss
  • Allowed Future Revenue Loss

While these are not all of the focus areas, they are the basic elements that start us off.  I'll get into the specific questions in a later post.  Yet with these we can start the balancing of our controls.  Because "security" is a metaphorical statement, it introduces an inherent problem in how we see it.  The Equilibrium Model attempts to establish a more concrete, albeit qualitative, understanding of what "security" means.  From the practitioner's point of view, we can then leverage the results to understand the more significant influencers (financial, brand, operational) and drive a more secure environment by expressing impact in terms of those areas.  E.g., if the business is more financially motivated, we need to ensure we focus on explaining how the financials (future or today's dollars) are at risk and to what extent.

The Risk Management model, which I've talked about in previous posts, takes a very detailed approach to mapping threats to controls and assessments.  This drives explicit management of controls and explains, in great detail, why each is in place.  I'll repost that in my next section with more detail.