I committed to producing a light-hearted, positive post before the end of the year.
Here goes.
Many years ago, I stated that just when you feel you have hit the bottom of the human stupidity barrel, you find a false bottom and the rabbit hole goes even deeper.
It took a 30-year career to finally come across an entire ecosystem that did not follow the same negative, downhill progression I observed in so many enterprises.
As a security professional, I spend most of my time explaining risks to some level of management and watching the message die at that level. Rarely are the board members advised of serious issues, and senior management usually stays in the dark. This is mostly based on people's Egos with a capital E. So I spend a lot of time trying to get the message to the right people. In fact, that is why at the start of 2010 I decided to move to senior management coaching almost exclusively.
Enter a new client, circa 2014.
I'm brought in by a friend and told very little about the client, aside from the type of business and their yearly revenue. The numbers being large, I first refuse the client, as I do not want another "traded" company in my client portfolio. Traded companies are synonymous with cover-ups, lies and messages that do not get to the top.
Robert.... wait for it.... this is really positive!
My friend explains that this is a privately owned company, and that the CIO is a really nice guy.
Strike two. Security reporting to the CIO is a nightmare scenario: a daily conflict of interest, with the security initiatives essentially critiquing the CIO. Who wants to live through that?
For some strange reason, I still went to the meeting. After all, I am an optimist.
Hence started a long term relationship that I qualify as one of the best of my career.
It had to happen at some point, statistically these ingredients had to exist somewhere.
I started working with the CIO and the staff that comprised the IT team, and started seeing the light that was missing for so long in so many places. The staff is overworked and understaffed, same as in all enterprises; however, they are professional, knowledgeable and usually pretty reasonable.
You see, this client is fundamentally different. No one is lying. If it's blue, it's blue; if it's orange with green dots... so be it.
That's right, people just say what they think, and you don't get shot in the face, fired, pushed aside or asked to leave the tribe.
When highlighting some security issues, management wants them fixed. All of them. I found myself in a new situation, one that reversed my role of 30 years. You see, at this client, you have to do two very important things:
1) Prioritize security issues based on risk
2) Push back and refuse to address all of them based on the identified risks
Number 2 isn't new, it's the basis of risk management, but REFUSING to allow them to fix something is. In other words, I actively participate in saying NO we are not going to fix that.
Like many large enterprises, external audits happen. At one point we get a bunch of enlightened auditors who find some really important findings (sarcasm is positive....)
Here are two examples (classics for auditors who might not have a strong technical background):
a) SNMP using public community strings on hardware that isn't important and isn't manageable through SNMP (only statistics can be accessed).
b) Outdated network hardware managed through HTTP.
So what do you think happened? It was a priority to fix all issues, including these two lame ducks. The security team's role was to say NO, we are not wasting (sorry... positive terms.... investing) valuable time in addressing these findings.
The reasoning is simple: (A) cannot be used to reap any benefits, and (B) uses a unique password, over a switched internal network, used less than once a year, on outdated hardware, with no value once compromised.
So we wrote up a derogation stating why we weren't going to fix it, and the CEO signed off on it. That's right, the CEO wants to see everything and wants to keep informed of our security posture. And he doesn't just want to sign off on it, he wants to understand it.
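As an added illustration (not from the original post and not the client's actual process), here is a small risk-scoring and derogation record in Python: the scoring scales, the fix threshold of 12, the review period and the sample findings are constructed assumptions, with findings A and B standing in for the two audit items above and C added as a contrasting high-risk case.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed illustration; the scoring scales and the threshold are assumptions.
@dataclass
class Finding:
    id: str
    title: str
    exposure: int       # 1 = isolated internal segment ... 5 = reachable from the internet
    attacker_gain: int  # 1 = nothing useful (read-only counters) ... 5 = full control
    asset_value: int    # 1 = no business value once compromised ... 5 = critical system
    rationale: str

def risk_score(f: Finding) -> int:
    """Multiplicative score (1..125): any factor at 1 keeps the product low."""
    return f.exposure * f.attacker_gain * f.asset_value

def decide(f: Finding, fix_threshold: int = 12) -> str:
    """'fix' at or above the (assumed) threshold, otherwise 'accept'."""
    return "fix" if risk_score(f) >= fix_threshold else "accept"

def derogation(f: Finding, approver: str, review_days: int = 365) -> dict:
    """Risk-acceptance record: rationale, named approver and a review date,
    so the acceptance is a decision that expires, not a finding that vanishes."""
    if decide(f) != "accept":
        raise ValueError(f"finding {f.id} scores {risk_score(f)} and must be fixed")
    return {
        "finding": f.id,
        "score": risk_score(f),
        "rationale": f.rationale,
        "approved_by": approver,
        "review_by": (date.today() + timedelta(days=review_days)).isoformat(),
    }

def triage(findings: list[Finding]) -> dict[str, str]:
    """Map each finding id to its decision, highest score first."""
    return {f.id: decide(f) for f in sorted(findings, key=risk_score, reverse=True)}

# Constructed sample findings: A and B mirror the two audit items in the post,
# C is a made-up high-risk item showing the threshold cuts both ways.
FINDINGS = [
    Finding("A", "SNMP 'public' community string, statistics only", 2, 1, 1,
            "read-only counters; device cannot be managed over SNMP"),
    Finding("B", "Outdated switch managed over HTTP", 1, 3, 1,
            "unique password, switched internal segment, used less than once a year, "
            "no value once compromised"),
    Finding("C", "Default admin password on an internet-facing management portal", 5, 5, 5,
            "constructed contrast case"),
]
```

The derogation for A or B is what gets signed; asking for one on C raises, which is the point of keeping the threshold in code rather than in someone's head.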
This still makes my eyes tear up. A series of senior managers who accept their current condition, want to be aware and take the best decisions, AND decide to take actions as required and as identified by the experts they have in their teams.
Holy shit.
In fact, perhaps I shouldn't write this part down....
A few weeks ago, I stumbled on something security related, and I immediately (like a high school freshman) fired off an email to inform the CIO that I was investigating XYZ.
Well, that genius went and told the CEO immediately!
My phone rings, it's the CIO. He says, "Hey, about that thing, the CEO would like an update this afternoon."
Son of a bitch! An update! I don't even know what is going on yet and I'm the one who saw it first!
I've never had this issue to manage!
For the first time in my life, the entire ecosystem is transparent and I have to take a pause and figure it all out (mostly) before sending a memo if I don't want to be questioned about how we are going to fix it before I know what it is!
This being all said, the security admin and myself now have an agreement that we should hold off for at least an hour and figure things out before we tell anyone.
A long way from the usual attitude of telling senior management years later that most companies seem to have.
Note for my client: Don't worry.... wink wink... we will tell you immediately if it seems grave. But like all emergencies, we will gather a reasonable amount of information to better communicate the actual situation to you before plugging you into a cerebellum.
So in this holiday season, I count my blessings to have had the chance to cross an enterprise with good family values across all layers.
Are there things that can be improved? Of course. But from a security point of view, this is the healthiest attitude I have seen in any enterprise.
Perhaps as far as attitude is concerned, this company should write a book.
This by far is the most positive experience I have had as acting CSO in any enterprise.
So there you have it Robert, one positive post, with a dabble of sarcasm, a little bit of realism and a lot of hope for other enterprises.
_______________________________________________
Eric Parent is a senior security expert, specialized in coaching senior executives. He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.
Follow Eric on:
Twitter @ericparent
LinkedIn: EVA-Technologies
www.eva-technologies.com