Category Archives: Information Security

Even if you are good at what you do, you may get a job…or not!

Another post that might raise comments from “colleagues” saying “you shouldn’t talk about it”, although there is nothing new in it. It is more a philosophical approach, in the sense that we try to deconstruct the way we work. Our goal is not to explain that the market is saturated and that it is difficult to find a job even if you are skilled; fortunately, that doesn’t seem to be the case, at least from our point of view. The goal of this post is to highlight the facts that make it difficult for most companies to discriminate (and then hire) really skilled people.

In 1970, George Akerlof, who would later receive the 2001 Nobel Prize in Economics for his work, wrote one of the most quoted economic articles: “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism”. This article explains the effect of information asymmetry on the behaviour of the used car market. In short, as most buyers are not able to tell the difference between a good quality used car and a bad one (called a lemon), the model supposes they are ready to pay 3/4 of the price of the best quality car for all cars (as they cannot tell the difference) instead of 3/2 of the price of the car according to its quality (see the Wikipedia article on “Market for Lemons” for more details on the economic model).

In June 2013, in a New York Times interview, Laszlo Bock, senior vice president of people operations at Google, revealed that their internal statistical research (you may imagine how good Google people are at doing statistics) showed that it was very difficult to find a good predictor of an employee’s performance during interviews. According to Bock: “It’s a complete random mess, except for one guy who was highly predictive because he only interviewed people for a very specialized area, where he happened to be the world’s leading expert”. The only person who was good at hiring specialists was the leading expert in the field.

You may already see where we are going. We work with large organizations employing numerous specialists in IT, risk management, security, business law, recruitment, marketing, finance, tax, logistics and so on. While talking to a specialist, you might get to the point where he (or she) states something you cannot (easily) verify (like “What you ask is impossible” or “This is the best and only viable solution”). Rings a bell? As he is your specialist and you have to trust him (otherwise, how can you work with him?), you accept the statement as the truth… until you discover, from another specialist’s mouth or by your own experience, that it isn’t true. You’ve been there before, for sure!

Maybe, at some point, if such experiences keep repeating, you might wonder how reliable your specialists are. If you have other specialists in the same field working for you, you might ask them what they think of their colleague (and maybe start doubting how reliable they are if you don’t receive the correct answers; welcome, paranoia). If you don’t have a lot of experts at hand (which is most likely the case as, by definition, experts or specialists are rare and expensive), how can you tell? You might ask an external party to help you but, most of the time, you will not be better equipped to determine how skilled this third party is and, even more, there is a potential conflict of interest, as any other independent specialist might be interested in a mission to replace the presumably unskilled specialist you have and fix the issues.

In their excellent and famous book, Rework, Fried and Heinemeier Hansson highlighted the numerous advantages of hiring someone only after you have performed the job yourself first. At least, you will become a kind of expert yourself and you will have some clue about the potential candidates for the job. At least, you will be more likely to discover whether they try to bullshit you.

Is there no other way to assess how good our specialists are? Yes, of course! Asking people what they did in the past (and how) and checking their background with previous employers will probably give you more relevant insight. But it is rarely the path followed.

Often, we, people, call on other people who are renowned experts or at least who look like experts. Unfortunately, we are often victims of numerous cognitive biases. One of the first is the halo effect. To make it short, our judgement of one characteristic of a person is influenced by a global first impression that we might have deduced from a tiny little detail. As an example, if you are not well shaved, I might have the impression that you are a messy person. The halo effect is well known, at least intuitively, by most people. If you go to a job interview, you will likely wear your best suit and ensure it is neat, just to make a good first impression. As multiple experiments, like the one from Young, Beier and Beier (1979)[1] or Bull & Rumsey (1988)[2], showed, we all know how important it is to make a good first impression to get a job.

The halo effect is often based on extrapolation from small details. Nowadays, we could perceive a consultant as more skilled because he has an expensive car (Porsches make a good impression not only on women), a lot of recommendations on LinkedIn (or even just connections), a nice suit, because he is tall and fit, or even just because he has a louder voice and displays more facial expressions of aggressiveness (which is often seen as a sign of authority). Maybe the simple fact that you read this blog gives you a false impression of our notoriety and skills.

All these facts may sound confusing, but here comes the link. Let’s take Akerlof’s model and apply it to the expert world, and even narrow this to the area of expert (or senior) consultants for the purpose of the exercise. We can easily presume that there is an effective information asymmetry between the buyer (the organization) and the seller (the consultant), as the latter knows much better what he is capable of than the organization wishing to hire him. Most of the time, organizations are not able to tell the difference between a good and a bad expert consultant. Consequently, organizations are ready, according to Akerlof’s theory, to pay a certain price for a consultant, whatever his quality is. Let’s call this price the market rate. If a skilled consultant (let’s give him a mark of 9/10 for his quality) believes his services are worth more than the market rate (matching a consultant with a 7,5/10 quality level) because he provides better quality services (better, faster), he might want to raise his rate. Unfortunately for him, as his potential clients (luckily, it will not be the case for all of them) cannot assess his quality, they might just find him too expensive and discard his candidacy. Instead, they might select a less skilled consultant (quality 5/10) with a high opinion of himself, who sees and sells himself as an 8/10.

The rate we pay for a consultant might create a halo effect and generate the perception (and our tendency to confirm our beliefs) that the consultant is more skilled, of better quality, than he is in reality. Unfortunately, the rate of a consultant is not the direct result of his experience and abilities but rather of factors that are not relevant (for the hiring organization at least), like the market’s perception, his capability to sell himself, to bargain, his ego, his reputation, his financial needs and his intermediaries (as you know, more intermediaries mean a higher rate, as each middleman adds his margin, often between 10 and 30%, on top of the others). Also, reputation is sometimes equated with quality by hiring organizations. “Famous” or more visible consultants may ask for higher rates as they are perceived as more qualified (although their reputation is often not based on their intrinsic qualities but more on their visibility and the halo effect).

Some consultants have understood this principle so well that they managed to build their reputation not on the quality of their work but rather on their presence and visibility, thanks to their involvement in organizations, meetings or magazines. They also benefit from the halo effect generated by their more skilled peers in the organisation. Consequently, organizations are often victims of personal marketing.

So, what to do? Use your common sense! Ask specific questions and expect practical answers. As Bock mentioned in his NY Times interview, ask your candidates what they did during their previous assignments, practically. What were the challenges (so you will at least know what they consider a challenge)? How did they react? Ask them to explain why they did things and why they believe you should do things the same way or another way. When you know your job, you should be able to explain it to a layman. At least, we should expect that from a skilled specialist. If you don’t understand what he tells you, ask again! Don’t assume you are not skilled enough to understand. Too often, bad consultants impersonate experts by using complex and/or meaningless babbling. As you will likely pay the price of a consultant of 7,5 or 8/10 quality, you should at least expect to understand what he does, or it is likely that you will get screwed.

If we were not good at what we do, we could still get a job because we understand these principles. And, unfortunately, even if we are good at what we do, we might not get a job if we don’t want to play the game, out of respect for our customers, or just because we have better things to do than drinking cocktails and playing golf (just for the stereotype) to lobby and build our reputation in another way than the word of mouth of our customers. But, fortunately, you already knew it, like most of our customers and readers.

You shouldn’t share this with your “coopetitors”, as it might help you if they continue to hire the bad consultant for the price of the good one. This way, the really good one will still work for you.

[1] Young, D. M., Beier, E. G. and Beier, S. (1979), Beyond Words: Influence of Nonverbal Behavior of Female Job Applicants in the Employment Interview. The Personnel and Guidance Journal, 57: 346–350. doi: 10.1002/j.2164-4918.1979.tb05408.x

[2] Bull, R. & Rumsey, N. (1988) “The Effects of Facial Appearance in Persuasion, Politics, Employment, and Advertising” in “The Social Psychology of Facial Appearance”, Springer Series in Social Psychology, pp. 41–79, http://link.springer.com/chapter/10.1007/978-1-4612-3782-2_3

Is happiness at work a security concern?

A recent Gallup report estimates the cost of absenteeism due to depression at 28 billion US dollars. It is not the first report, nor the first time a link is made between depression (and consequently happiness) and absenteeism at work (and its direct and indirect costs). If we extrapolate these numbers for an average company of 1000 employees, we will have, on average, 60 employees (we use the more conservative numbers and consider only people actually diagnosed and in treatment) suffering from depression, each having an average of 4,3 additional days of absenteeism (the more conservative number) with a cost of 250€ per day (conservative currency conversion). If we do the math: 60 x 4,3 x 250€ = 64.400,-€ per year just for absenteeism (likely to be twice the cost, with an additional cost for loss of productivity, as estimated by other studies).

In terms of risk management, for most large corporations of 1000 employees (or more), 65.000€ is not a big enough number to be a major concern for risk managers (even if you triple the figure, which could be a more realistic estimate of the cost for large European companies, even more so in Belgium where salary costs are extremely high). However, the financial, operational and human benefits of having happier employees should not be ignored, as “happy” companies seem to have higher productivity, client satisfaction and revenue than other, “less happy”, organizations.

Nevertheless, we do believe it is the wrong question to ask. In order to succeed, engaging an organization in a “happiness at work” journey should be a human decision based on true beliefs, on the inner values of senior management. Doing things right should be the main purpose. Return on investment will “only” be the cherry on the cake.

Information classification: practical guidelines

Some information security standards or best practices require organizations to have an information asset classification policy. ISO 27002[1] requires an information classification policy; NIST has even published a FIPS[2] on the topic; PCI DSS[3] doesn’t speak about it, as it focuses on credit card information, considered sensitive information by default; and IT-Grundschutz[4] requires classification of potential damage and protection requirements.

Goal

Even if some people consider the need for compliance with a security standard a sufficient reason, the real purpose of such a policy is normally to differentiate valuable and critical information from other information in order to provide an appropriate level of protection and keep the residual risk low. The objectives of an information classification policy should be:

  • Simplification of the risk assessment process;
  • Proportionate cost of protection;
  • Consistent and adequate protection of information throughout its lifecycle;
  • Fostering adequate behaviours when handling information, independently of its form.

The first three goals are common benefits of risk-based security. The fourth is more specific to information classification. As you define classifications for information and assets, you put labels on them informing users how valuable the assets are and how we are expected to behave with them. In behavioural terms, classification is the first step of good conditioning. The label is the stimulus that shall trigger the appropriate behaviours.

However, as logical as this may sound in theory, in real life the goal does not seem so easy to achieve.

Common issues

Most government agencies, armies, financial institutions or large corporations have an information classification policy or an asset classification policy. A January 2008 report of the US Office of the Director of National Intelligence on information classification guidance[5] underlines several common issues encountered with information classification policies within US government agencies (mostly defence).

The report points out the “little insight into the reason for setting classification and limited guidance for discriminating between classification levels”. Also, operational difficulties are often observed, as some rules or criteria are sometimes conflicting or, too often, not understood, leaving the user in an administrative nightmare leading to inadequate classification. This report also recalls the relationship between information sharing and information classification: sometimes the latter may be an obstacle to the former.

In another report on US information classification, from the US Congress Congressional Research Service[6], the author highlights the growing cost of information classification and the downward trend in the number of declassifications, resulting in a vexing cost for the government. Such a report showing issues with information classification inside a security-minded community like the US defence agencies is likely to show only the tip of the iceberg of what organizations with a weaker security culture might face.

For what it’s worth, we made a list of common issues we encountered during our various assignments (in all kinds of organizations: public, military, retail, finance or electronics):

  • Classification model does not fit the needs of the business (too complex, impossible to apply, not aligned);
  • Policies are not known or not well remembered;
  • Policies are not understood correctly (assets are over-classified or under-classified);
  • The reason for the existence of the policy is not understood and, consequently, motivation to apply it is very low (even amongst senior management sometimes);
  • Policies are not applied (security requirements are not met or applied, assets are not classified although the policy is known);
  • Assets’ classification does not reflect the real value or cost of damage of the information but rather its relative value compared to other assets (relative classification);
  • The number of exceptions to the security requirements is growing and the exception process is sometimes overwhelming;
  • Some risks are not covered by the information classification model (compliance, fraud);
  • Information classification prevents or delays information circulation between people or entities needing this information (loss of performance);
  • The difference between the various levels of classification is difficult to understand;
  • Information is classified “forever”, resulting in inadequate classification, as the classification is no longer aligned with the residual value of the information;
  • Different entities sharing information don’t have compatible classification policies, jeopardizing the information’s security throughout its lifecycle;
  • The scope is not well defined (too many or too few assets are classified);
  • The cost of over-classification is not understood and information is systematically over-classified because “you will never get fired because you were too cautious”.

To change or not to change

When we notice dysfunction in a process, we ask ourselves: “should we change it?” For sure, if it works, we don’t try to fix it. But if it doesn’t work, or if it doesn’t work well, do we really have to change it (all)? Creating a new asset classification is one thing. Changing one is for sure another thing. If something doesn’t work, you have to understand what is not working, figure out how to fix it and manage change to achieve this new desired state. It might cost a lot of time and money.

We won’t spend time on the choice of one specific model for the business case (the ROI[7] model might not be as relevant as the ROSI[8], even more so if your security baseline already provides a high level of protection) or on the parameters to take into account. Just remember that sometimes, not fixing things may be the financially most interesting solution.

For the purpose of this article, we will suppose we have a business case and that the expected benefit will largely outweigh the expected costs (while keeping a large security margin in our estimates). We could probably use a lot of approaches to improve an existing asset classification policy. As usual, we prefer simple and pragmatic approaches.

Assessment

First, we try to understand why the organization wants to change the policy (known issues), what the goals are and what the expected benefits are (it should have been made clear by the business case or at least by the reflection about the funding of the project). More precisely, we will try to answer the following questions:

  • What is going well with the policy? What are the benefits of the policy?
  • What are the known issues? What are the consequences of these issues?
  • What is unknown (grey areas, immeasurable results)?
  • What are the needs or requirements (legal, regulatory, business)?
  • What is the motivation (compliance, risk reduction, increased agility,…)?
  • Were there “famous” successes inside the company?
  • Were there incidents? What were the causes and consequences?
  • When has the policy been originally created?
  • Who created the original policy, for what reason?
  • How was it supported by the management?
  • How was it perceived by the personnel?
  • How is it applied?
  • What do people remember from the policy?
  • Do people understand the need for security and asset classification?
  • Which parts of the policy are applied correctly?
  • What were the expectations when drafting the first policy?
  • Did we already try to change it before? What was the result?
  • Why do we want to change it now? What changed recently?
  • Who is happy with the policy at the moment?
  • Who is complaining about the policy?
  • How many exceptions are processed? What are the main reasons for exceptions?
  • What is the main goal of the organization? What are the constraints (like in Lean)?
  • What are the priorities of the organization (and also, more precisely, Sharing versus protecting information)?
  • What is the level of the organization security baseline?
  • What are the organization’s values?
  • Is there a risk management policy?
  • How are risks evaluated?
  • What is the risk appetite of the organization?
  • Who are the stakeholders (decision makers, influencers, beneficiary, and impacted entities)?
  • What are the deadlines?
  • What are the success criteria? Are there related KPIs & KGIs?
  • How will you see (practically, not through KPI) that the new policy works?

While gathering information to answer these questions, we will be able to construct a representation of what is going wrong and likely come to a good idea of what should be improved and how to improve it (with a little creativity).

New model(s)

At some point, we will be able to draft proposals for one (or more) new model(s) that should fix the issues or at least greatly improve the situation, in theory.

In order to reach our goal (effectiveness and efficiency of asset classification), we will apply a few requirements or constraints to this new model and its related document:

  • You must KISSS (Keep it short, simple and sexy): people don’t have time to read through hundreds of pages (it costs the organization a lot of time); to make it simple, we must make our thoughts clear, and making it sexy (using icons, brief sentences, images or whatever the communication team uses to make their documents appealing) will clearly help getting the document read and applied.
  • It must make sense for everybody: not everybody has a security or risk background. You cannot expect or assume that everybody understands the reasons why we do things like classifying assets. So, you must explain it so that it makes sense to the reader (it will increase engagement).
  • You must use the organization’s culture and the daily life of the reader to select your examples and explanations (it will be easier to memorize and it will make a long-lasting impression).
  • You must use positive actions to describe what you expect from the reader. So, you must define what they have to do and not what they must not do. We, humans, tend to have difficulties processing the negative form. If what you describe can be better achieved by a dead person, it is not a good expectation.
  • Highlight the important words as much as possible: you see why, I guess. Select carefully which words you want to highlight, as too many highlighted words will make the benefit of highlighting void.
  • Use names, labels and levels that make sense intuitively. When you use different levels, it helps if we clearly understand which one is higher or more important. As an example, it should seem clear to everybody that TOP SECRET is above (top) SECRET. But what is higher: SECRET or CONFIDENTIAL?
  • As much as possible, use clear and discrete categories or, at least, provide the necessary criteria that should allow anybody to consistently discriminate between two categories. As an example, what will make the difference between two levels of integrity (precisely, measurably and operationally)?
  • If you have different categories, each category should have matching security requirements. If the requirements are the same for two categories, do you really need the two categories, or shouldn’t you add new security requirements?
  • Simplify and reduce processes and documents as much as possible. Having to open two different documents to get an answer is a waste of time if it has to be done repeatedly. Having one document on privacy and another on information classification can generate a lot of redundancy.
  • Be consistent throughout the document and all policies.
  • Give as much relevant information and insight as possible, at least the “big picture”, within the first pages of the document, so readers don’t have to go through the entire document to find answers. Put the most often needed information in the first pages.
  • Make responsibilities clear, as well as the chain of command and the processes to follow for common actions (new document, review, declassification, incidents, …).
  • Link, as much as possible, your categories (or levels) to the risk or the potential impact.

While drafting a new model, we don’t hesitate to go beyond the classical CIA triad (Confidentiality, Integrity and Availability). The relevance of additional dimensions must be investigated: retention or archiving time (often based on regulatory requirements), restitution format, privacy or any other that makes sense in your business.

Also, we would suggest using caveats to add a sense of need-to-know to the confidentiality classification (like EMPLOYEES ONLY or FINANCE RESTRICTED) or to add some flexibility to the model (like RESTRICTED WHEN FILLED or AVAILABILITY CRITICAL DURING MONTHLY FINANCIAL CLOSURE). Using caveats to define the target group for information (people having the need-to-know) is certainly the most meaningful approach. When you have a RESTRICTED, SECRET or CONFIDENTIAL document (whatever your naming convention is for a very sensitive document), knowing to whom it is restricted will be more than useful.

Testing

While gathering information for the assessment, we also build a list of business process owners. When we have a good model, we sit together with them and test the new model on real data “from the field”.

First, we ask business owners to read the asset classification document and to explain what they have understood. We take note of their questions, comments and misunderstandings in order to improve our document.

Then we test the model on existing processes and on common flows of information, applications and documents. We validate that assets are well classified and that the matching security requirements[9] will be proportionate to the risks.

Of course, we don’t forget to assess the complexity of the process and the impact the new model would have on business units. Security policies, in general, should bring added value and not an extra burden on the business. Security can also be a business enabler and bring value in addition to some peace of mind.
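The model requirements above (levels whose order is intuitive, each level with its own matching security requirements, caveats carrying the need-to-know, levels linked to potential impact) and the test step (checking real assets against the model) can be made concrete in a few lines of code. The following is an added example, not code from the original post or from any of the standards it cites: the level names, the controls attached to each level, the impact scale and the sample assets are all constructed for illustration, and `redundant_levels`, `non_monotonic_levels`, `misclassified` and `may_access` are hypothetical helper names.

```python
"""Toy information classification model: ordered levels, matching security
requirements, need-to-know caveats and a validation pass over sample assets.
All level names, controls and assets below are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Confidentiality levels; the numeric order makes 'higher' unambiguous."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Security requirements matched to each level (hypothetical controls).
# Each level is expected to add controls on top of the level below it.
REQUIREMENTS = {
    Level.PUBLIC: frozenset(),
    Level.INTERNAL: frozenset({"label", "authenticated access"}),
    Level.CONFIDENTIAL: frozenset({"label", "authenticated access",
                                   "encryption at rest", "need-to-know caveat"}),
    Level.SECRET: frozenset({"label", "authenticated access", "encryption at rest",
                             "need-to-know caveat", "owner approval", "access audit log"}),
}


def redundant_levels(requirements):
    """Adjacent levels with identical requirements: the extra level adds nothing."""
    levels = sorted(requirements)
    return [(lo.name, hi.name) for lo, hi in zip(levels, levels[1:])
            if requirements[lo] == requirements[hi]]


def non_monotonic_levels(requirements):
    """Levels that drop a control required by the level below them, so that
    'higher' would not intuitively mean 'more protected'."""
    levels = sorted(requirements)
    return [hi.name for lo, hi in zip(levels, levels[1:])
            if not requirements[lo] <= requirements[hi]]


def level_for_impact(impact):
    """Link the level to the assessed potential impact (0 = none ... 3 = severe)."""
    return Level(max(0, min(impact, 3)))


@dataclass(frozen=True)
class Asset:
    name: str
    level: Level
    caveats: frozenset   # need-to-know groups, e.g. {"FINANCE"}; empty = no caveat
    impact: int          # assessed potential impact of disclosure, 0..3


def misclassified(assets):
    """Compare each asset's label with the level its assessed impact calls for."""
    findings = {}
    for a in assets:
        expected = level_for_impact(a.impact)
        if a.level > expected:
            findings[a.name] = "over-classified"
        elif a.level < expected:
            findings[a.name] = "under-classified"
    return findings


def may_access(asset, clearance, groups):
    """Clearance must reach the level AND the reader must belong to every caveat group."""
    return clearance >= asset.level and asset.caveats <= frozenset(groups)


# Constructed sample assets "from the field" used to test the model.
SAMPLE_ASSETS = [
    Asset("cafeteria menu", Level.CONFIDENTIAL, frozenset(), impact=0),
    Asset("monthly closing figures", Level.CONFIDENTIAL, frozenset({"FINANCE"}), impact=2),
    Asset("merger term sheet", Level.INTERNAL, frozenset(), impact=3),
    Asset("staff directory", Level.INTERNAL, frozenset({"EMPLOYEES"}), impact=1),
]


if __name__ == "__main__":
    print("redundant levels:", redundant_levels(REQUIREMENTS))
    print("non-monotonic levels:", non_monotonic_levels(REQUIREMENTS))
    print("misclassified assets:", misclassified(SAMPLE_ASSETS))
    figures = SAMPLE_ASSETS[1]
    print("SECRET clearance without FINANCE caveat:", may_access(figures, Level.SECRET, ["EMPLOYEES"]))
    print("CONFIDENTIAL clearance with FINANCE caveat:", may_access(figures, Level.CONFIDENTIAL, ["EMPLOYEES", "FINANCE"]))
```

The two model checks answer the questions raised in the list above: `redundant_levels` flags two categories with the same requirements (drop one or add a control), and `non_monotonic_levels` flags a level whose controls are not a superset of the level below it (the reader could no longer tell which is higher). `misclassified` is the test step on field data: the sample menu is over-classified and the sample term sheet is under-classified, exactly the two failure modes listed under common issues. `may_access` shows why caveats matter: a SECRET clearance alone does not open FINANCE-caveated figures to someone outside finance.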

Improvement

Based on the tests and discussions with the business owners, we may update the model and document (if necessary) in order to address any new issue discovered or to improve the usability of the document. We’ll do it more than once if necessary, until we reach an acceptable level of understanding and acceptance of the model. Among the classic reviewers like legal or HR, the communication department might bring valuable insight or guidance on the tone of voice, the organization’s style and the format (remember the KISSS directive), as they are probably better at judging the simplicity and attractiveness of a document and of models that you master (contrary to your main audience).

Approval

We arrive at the classic phase of having the new model approved by senior management. An executive summary and a very brief presentation of the changes and their motivation will help senior management understand the process leading to this new policy. Presenting the new policy to the direct reports of senior managers prior to submitting it for approval will also likely facilitate the process, as it will build trust and awareness of the new classification model.

Implementation

Once the document is approved, the job is far from finished. In fact, it is just the beginning, and the easiest part is now over. It is likely that the changes we made to the classification model are relatively small yet significant. However, we must also adapt the organization’s processes and change people’s behaviours. In fact, we will likely have to change people’s attitudes and behaviours in such a way that they start applying a policy they were previously ignoring.

Lead by example

“Be the change you want to see in the world”. This quote, sometimes attributed to Gandhi, is likely the first advice to follow when we want to change something in an organization. “Leading by example” should be more than a smart quote from an expensive people management training. The first people we need to educate about information classification are surely senior managers. We cannot assume they know how, what or why we do asset classification; it is not their job. Their job is to get it applied by all their reports. If we fail to show senior managers the benefits of information classification, it is likely we will have huge difficulties getting it applied across the organization. If your boss doesn’t follow the rule, you will understand that the rule is not important and you will be less likely to follow the rule yourself. If he insists you follow the rule but still doesn’t himself, we call that paradoxical communication (do what I say, not what I do), and it is the worst way to induce change.

So, if we want a return on investment on an asset classification model improvement, we need time with senior managers to show them the expected benefits and how it will work, to make them the first ambassadors of our new model.

Tone of voice

When we want to convince people to change something in their life, we have to be convinced ourselves first. Consequently, we will likely use wording and a tone showing we are convinced, raising the probability of being followed by our audience. We must speak in positive terms, consider people as intelligent and of good will (otherwise we shall believe your organization has a real recruitment issue). We keep in mind that we speak to responsible adults (we don’t patronize). We appeal to their inner sense of doing things right. We also give as much freedom and responsibility as possible. We have to believe in their ability to do it right (if we don’t, we will create the conditions for our failure).

Being pragmatic

We must keep it as simple as possible. There is (too) often too much bureaucracy slowing down the core business. If we classify documents, we prepare templates taking classification into account, where you just have to select the classification when creating the document. The same will be done for emails. We will display labels in sensitive applications and order stamps for paper documents, letters and folders.

In fact, based on the list of security requirements matching the new classification model, we will list all the necessary changes or supporting assets that will be needed. Here is a fairly comprehensive (but unfortunately not yet exhaustive) list of what should be taken into account:

  • Safes, locks, secure cases
  • Shredders, demagnetizers
  • Screen filters, secure rooms, signal jammers, secure phones
  • Alarms, UPS, monitoring, IPS, IDS
  • Encryption software, secure USB storage
  • Backup systems, external hard drives
  • Logical access approval process, change management, asset management
  • NDAs, standard contracts, standard RFPs
  • Labels, stamps, envelopes
  • Templates
  • Emergency response procedure, incident management, BCP, DRP
  • Double encoding process
  • Remote wiping
  • Awareness material, training sessions
  • Central database of assets’ classification and owners

Measurement

As always, we will not have managed security if we don’t measure our successes or failures. Directly or indirectly, we will monitor the effect of the new policy: incident rates and costs, awareness campaign results (through questionnaires), number of classified assets, audits, tests. The more different indicators you have, the more accurate the measure will likely be.

That’s all folks!

Footnotes:

[1] International Organization for Standardization, Standard 27002 (version of 2005): “Information technology – Security techniques – Code of practice for information security management” – [http://www.iso.org]

[2] Federal Information Processing Standards Publication 199: “Standards for Security Categorization of Federal Information and Information Systems” [http://csrc.nist.gov/]

[3] Data Security Standard from the Payment Card Industry [https://www.pcisecuritystandards.org/security_standards/]

[4] Best practices from the German Information Security Agency (BSI Standard 100-1) – [https://www.bsi.bund.de/]

[5] Office of the Director of National Intelligence, “Intelligence Community Classification Guidance: Findings and Recommendations Report” [http://www.fas.org/sgp/othergov/intel/class.pdf]

[6] US Congress Congressional Research Service report for Congress: “Security Classified and Controlled Information: History, Status, and Emerging Management Issues” [http://www.fas.org/sgp/crs/secrecy/RL33494.pdf]

[7] Return on Investment

[8] Return on Security Investment

[9] If security requirements are not yet defined, we can just compare the assets (documents, applications, systems) with each other and see if the same kind of controls make sense for the group of assets created by the classification.