Jeff Northrop—personal blog

October 15, 2012

Considering the Psychology of Security

Note: This post represents a somewhat rambling collection of thoughts. If you've been following my blog for a while you'll recognize that I have an interest in the psychology of "privacy." This post is a formation of my thoughts as I extend my interest towards the broader topic of security.

It's well known that human error from inside a company is the most prevalent cause of security incidents. This is a well-studied phenomenon, yet still we, information security professionals, don't apply considerable resources towards addressing it.

Sure, we pay lip service to the importance of awareness and training, but it is often treated as ancillary to the "larger plan" and not elevated to an operational priority. As a result, a corporation will generally set aside some small amount of time for training, but the challenge of persuading a non-security professional that securing data is important is much too difficult to adequately cover in a standard 20 minute PowerPoint presentation. Exacerbating the issue is that our regulations, frameworks and other best practices, the ones we rely so heavily on and measure ourselves against, barely touch on this issue.

We must learn the art of persuasion. Information security needs to become much more than a function that installs technical controls, writes administrative policies, trains, monitors and applies patches. It needs to include a significant dose of communication and psychology, which extends the demands of the discipline far beyond its traditional breadth of responsibilities. We need to give serious consideration to the task of getting the entire organization on board and convincing them of the benefits of security. As I stated, most breaches result from human error, not zero-day exploits.

574 recently surveyed IT professionals ascribed 60 percent of their company’s 2005 security breaches to human error, 20 percent to technical malfunctions, and the remainder to a combination of the two. Those results come from a study commissioned by the Computing Technology Industry Association Inc. (CompTIA), a training and security certification, for the third year in a row. According to the survey results, “One of the constants found in this ongoing study has been that the bulk of security breaches are caused by some kind of internal human error.” Source
In its 2006 survey, “Information Security Breaches,” the DTI and PricewaterhouseCoopers found that 32% of Information Security attacks originated from internal employees while 28% came from ex-employees and partners. Similarly, law enforcement experts in Europe and the US estimate that over 50% of breaches result from employees misusing access privileges, whether maliciously or unwittingly. Source

Earn Their Trust
The first step to effective communication is to earn everyone's trust. Without successfully executing this step no one is likely to listen to you, regardless of what you say. And therefore, if you don't understand how people earn trust, you will likely fail to earn it.

Being confident, arrogant or selfish may have worked for the "popular" kids in high school, but that doesn't work in a professional environment. And while strong policies are wonderful (they will ensure the best protection), if they are so onerous that they make someone's job difficult, that person is likely to actively subvert the policy, making it more of a vulnerability than if the policy had been more lax in the first place.

As Simon Sinek artfully describes in his presentation You Don't Understand People, You Don't Understand Business, the key to earning someone's trust is to first share their values. If you don't share values and you aren't surrounded by those who believe what you believe, you simply cannot build trust. And without trust no one will believe what you say or believe in the reasoning behind the policies and priorities you set.

The things you say and do are symbols of what you believe, and people will instinctively be attracted to them. The key is to make sure that the beliefs you espouse are in sync with those whose trust you are trying to earn. That means you need to learn what they do and how it contributes to the organization as a whole, and within that framework find common ground to work with.

Proceed with caution: you can't fake it and you can't lie about it. Authenticity matters.

Focus on the Familiar
Once you've earned their trust and they are willing to listen, ensure that the context you provide focuses on things that are familiar and ordinary. Resist the urge to focus on rare, spectacular or new risks while downplaying common ones. Focusing on spectacular and otherwise unconsidered risks is commonly used to garner attention (people are easily scared), but if you work to help people understand that the severity of common risks is enough to warrant action, you are more likely to successfully implement your policies.

Bruce Schneier, in his essay The Psychology of Security, does an excellent job of explaining how the brain operates with respect to understanding risk. He states that "assessing and reacting to risk is one of the most important things a living creature has to deal with," and notes that "there's a very primitive part of the brain that has that job." That ancient "reptilian" portion of our brain is wired for hair-trigger reactions. Striking fear through spectacular examples will engage that portion of the brain, but it is not the best approach when trying to instill long-lasting behavioral change.

We humans have a completely different pathway to deal with analyzing risk. It's the neocortex, a more advanced part of the brain that developed very recently, evolutionarily speaking, and only appears in mammals. It's intelligent and analytic. It can reason. It can make more nuanced trade-offs. It's also much slower.

Therefore, if you want to effect a cultural change in your organization, or a change in behavior so that it becomes routine, you need to make a less spectacular case, but one that personifies the risk in a way that is meaningful and familiar. For example, why do we decide to eat healthy? We eat healthy not because it is the easiest thing to do, and certainly not because it provides immediate satisfaction; we do it because we understand the balance of the long-term risks and benefits.

Presenting that "long view" of the benefits of compliance is the only way to successfully win over security converts.

Assess and Adjust
Now that you have the tools to get everyone on the same page and primed to follow your guidance, it is time to assess your policies. Are they too strict? Do they prevent someone from doing their job? If the answer to either of those questions is "yes" you need to rework your policies.

If you are unsure, answer this question: Do you break any of your own security policies? If so, then go back to the previous questions and rethink your answers. And make sure not to fall into the God Complex trap.

Oftentimes security administrators will rationalize a reason why they don't need to comply with their own policies. Not only is that bad practice, but it can ruin trust (remember, authenticity matters!). It's important to keep in mind that security is a trade-off. To achieve perfect security you would have to not only unplug all of your computers, you'd probably have to encase them in concrete and then bury them for good measure.

Since that isn't practicable, you must compromise. You have to trade off some security so the company can continue to operate. There is plenty written on risk assessment so I won't cover that here, but make sure to incorporate into your risk assessment equations some consideration for how acceptable the security control will be to the end user, not just the typical cost of the control versus the cost of a breach. If the control restricts the user too much they will actively work to subvert it, and that is possibly the worst scenario because you cannot control what you don't know about.

When assessing your policies remember you are not running a military organization (if you are, none of this post really applies) and you can't fight against people's natural inclination to maximize the efficiency of their job. Your job is to ensure the policies balance that out. Which leads me to the last word on this topic.

Job Satisfaction
As a final statement to encourage you to pursue perfecting the art of communication: a fulfilling job is one where we do something for someone else, and just about everything in security is doing things to help (or protect) someone else. Therefore you will be more satisfied with your job if you are generous without need for reciprocity. Work consistently to make it about users, not about "ideal" security.

I believe security is beautiful. It's a real art form, and the better it is done the more it disappears. But unless the entire organization sees value in security, the security team will be frustratingly chasing rainbows.

September 29, 2012

Privacy is not Security, II

Late last year I wrote about the differences between information security and privacy. What was true then is still true now: information security professionals, often by default, are tasked with handling privacy for their organization, and I wouldn't want to discourage that. I believe those who possess the knowledge, skills and experience to protect data are well positioned to extend their responsibilities to handle information privacy as well.

However, the mechanisms with which information security professionals perform their functions don't fully cover privacy. Compliance with laws and regulations such as PCI DSS, HIPAA and GLBA works to ensure that certain types of data are well protected from improper access and use, but as the field of data analytics (a.k.a. Big Data) continues to mature, those narrow protections are inadequate.

Consider the tension around privacy for a moment. On one side you have a growing fear among consumers: a fear of a loss of control over their personal data. As consumers we willingly share our personal information thousands of times a day. When we post to Facebook or Twitter, use Google or just surf the web, we are sharing bits of ourselves. We also divulge information when we use our credit cards and rewards cards, when we talk to our doctors and when we use the EZ-Pass in our cars.

We do this willingly because we believe the value we derive is worth the expense of sharing our personal information. But what we don't willingly agree to are tertiary uses of the information. This is where paranoid fantasies and conspiracy theories come into play. Is the knowledge that I purchase a gallon of Ben & Jerry's every week being sent to my insurance company? Is EZ-Pass recording my average speed and sending that to the State Troopers?

The answer is likely "no" in both of those cases, but Netflix did share video rental history, AOL did share search data, MySpace did reveal identities to advertisers and Target did calculate who was pregnant based on purchase history. As the prevalence of these stories increases, the public gets increasingly less comfortable with the idea of divulging personal information, and it is within that context that I state that people have a growing fear of a loss of control over their personal data.

On the other side of this tension is the Big Data engine: the practice of taking disparate sets of data and combining them in novel ways to derive some sort of business value. Big Data is making businesses both smarter and more efficient. It is helping serve customers better and manage inventories more closely. There are now businesses built solely on the value derived from these modern analytic techniques. Big Data has moved rapidly from the realm of "unique competitive advantage" to simply a "cost of doing business."

Its prevalence cannot be overstated. And what is the fuel for this Big Data engine? Largely it is personal information, the very same information that consumers are increasingly unwilling to reveal. This tension between consumers' fear of revealing too much information and businesses' demand for that very same information is growing.

Trying to address this tension are the regulators and lawmakers. They are walking a tightrope in attempting to alleviate the public's fear while not stifling business innovation. But the current laws and regulations don't adequately address the problem. If they did I wouldn't be discussing this growing tension and, in fact, there likely would be no privacy issues at all.

Given our current situation, if information security professionals intend to tackle privacy, it is imperative that they understand this tension and understand that simple compliance with laws and regulations isn't enough. Compliance doesn't address this tension. Frameworks and guidelines such as ISO 27001, COBIT, CERT and NIST don't address this tension either. And that is why I believe information security professionals don't have privacy covered.

We, as information security professionals, can assume the privacy responsibilities of our organizations, but to do so means we need to extend our practices. Unfortunately the discipline of privacy isn't nearly as mature as information security, so we don't have the same depth and breadth of resources to rely on. On the other hand, we are fortunate that privacy as an issue isn't nearly as deep and wide as security in general. While there is no ITIL or NIST in this space, there are resources that can help us develop our own programs.

But what is available and how it can be used is a large and tricky topic, so I'll reserve that for another post. Until then, look to organizations such as the FTC and HHS in the U.S. or the myriad other data protection authorities around the world for guidance. It can be hard to parse the documents put out by those agencies, but there is a mountain of excellent information for those willing to tackle them.

September 24, 2012

Dawning of Privacy

My presentation two weeks ago at the Security Congress went a bit differently than I'd expected. I wanted to take a stab at challenging the audience and inviting an argument. It's not that I enjoy disagreement, but I thought that it might be helpful to encourage a debate. The main thesis of my presentation was that information security professionals, while often tasked with the responsibility to handle privacy, do a lousy job of it.

Given that I was talking to predominantly information security professionals, I thought that it would likely insult a portion of the audience, and I expected to be called to task for it. Much to my surprise no one seemed to disagree, and I even had a fair number of what I like to call "head bobbers" in the crowd. A head bobber is a person that nods affirmatively in response to whatever you say.

Then this past Thursday I spoke at an Application Developers Alliance event on privacy. Again my preconceived notion of the crowd was mistaken. I figured this crowd, mostly comprised of early-stage startup developers and entrepreneurs, would believe the topic of privacy contained nothing deeper than getting their privacy policy right. The entrepreneurs I've met in the past considered privacy more of a distraction than something deserving critical focus. Boy was I wrong. These folks were engaged, asking smart questions and delving deep into the philosophical debate around privacy.

It's amazing how two short weeks can dramatically change one's opinion. I now realize that what I initially thought was only a small subset who considered privacy worth more than a cursory glance appears to be considerably larger. Until these recent events I hadn't come across many professionals tasked with protecting privacy who considered the topic with such deep interest. Maybe, just maybe, the maturity of thinking about the concept of privacy in the United States is much further along than I thought. And, certainly among these folks, their notion of privacy is far ahead of our current laws and regulations.

There is a significant amount of ground to cover on what I presented and what I heard, so I'm going to spend the next two to three weeks blogging about the details. I think it's worth laying out what I've learned, and it'll be fun to make some predictions on what the near future will bring. I'm likely to change my mind as I start to put these into text, but the topics I intend to cover are:

  • Security compliance doesn't mean you have privacy covered
  • Privacy laws and regulations will move from user responsibility to corporate accountability
  • What developers are worried about with regard to privacy

This marks a return to regular blogging. Thanks for the nice comments and your patience during my seven week absence.