CISO Soft Skills
Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives

© 2009 by Taylor & Francis Group, LLC

OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Architecting Secure Software Systems
Asoke K. Talukder and Manish Chaitanya
ISBN: 978-1-4200-8784-0

Building an Effective Information Security Policy Architecture
Sandy Bacik
ISBN: 978-1-4200-5905-2

CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives
Ron Collette, Michael Gentile and Skye Gentile
ISBN: 978-1-4200-8910-3

Critical Infrastructure: Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies
Tyson Macaulay
ISBN: 978-1-4200-6835-1

Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition
Albert Marcella, Jr. and Doug Menendez
ISBN: 978-0-8493-8328-1

Digital Privacy: Theory, Technologies, and Practices
Alessandro Acquisti, Stefanos Gritzalis, Costos Lambrinoudakis and Sabrina di Vimercati
ISBN: 978-1-4200-5217-6

How to Achieve 27001 Certification: An Example of Applied Compliance Management
Sigurjon Thor Arnason and Keith D. Willett
ISBN: 978-0-8493-3648-5

How to Complete a Risk Assessment in 5 Days or Less
Thomas R. Peltier
ISBN: 978-1-4200-6275-5

Information Assurance Architecture
Keith D. Willett
ISBN: 978-0-8493-8067-9

Information Security Management Handbook, Sixth Edition
Harold F. Tipton and Micki Krause, Editors
ISBN: 978-0-8493-7495-1

Information Technology Control and Audit, Third Edition
Sandra Senft and Frederick Gallegos
ISBN: 978-1-4200-6550-3

Insider Computer Fraud: An In-depth Framework for Detecting and Defending against Insider IT Attacks
Kenneth Brancik
ISBN: 978-1-4200-4659-5

IT Auditing and Sarbanes-Oxley Compliance: Key Strategies for Business Improvement
Dimitris N. Chorafas
ISBN: 978-1-4200-8617-1

Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet
Ken Dunham and Jim Melnick
ISBN: 978-1-4200-6903-7

Mechanics of User Identification and Authentication: Fundamentals of Identity Management
Dobromir Todorov
ISBN: 978-1-4200-5219-0

Oracle Identity Management: Governance, Risk, and Compliance Architecture, Third Edition
Marlin B. Pohlman
ISBN: 978-1-4200-7247-1

Profiling Hackers: The Science of Criminal Profiling as Applied to the World of Hacking
Silvio Ciappi and Stefania Ducci
ISBN: 978-1-4200-8693-5

Security in an IPv6 Environment
Daniel Minoli and Jake Kouns
ISBN: 978-1-4200-9229-5

Security Software Development: Assessing and Managing Security Risks
Douglas A. Ashbaugh
ISBN: 978-1-4200-6380-6

Software Deployment, Updating, and Patching
Bill Stackpole and Patrick Hanrion
ISBN: 978-0-8493-5800-5

Understanding and Applying Cryptography and Data Security
Adam J. Elbirt
ISBN: 978-1-4200-6160-4

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: [email protected]

CISO Soft Skills
Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives
Ron Collette, Mike Gentile, Skye Gentile

Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

Auerbach is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-13: 978-1-4200-8910-3 (Hardcover)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Collette, Ron.
CISO soft skills : securing organizations impaired by employee politics, apathy, and intolerant perspectives / Ron Collette, Michael Gentile, and Skye Gentile.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-4200-8910-3 (alk. paper)
1. Business--Data processing--Security measures. 2. Computer security. 3. Information technology--Security measures. 4. Data protection. I. Collette, Ronald D. II. Gentile, Skye. III. Title.
HF5548.37.G462 2009
658.4'78--dc22    2008040279

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com

Contents

Foreword ..... xi
Acknowledgments ..... xiii
About the Authors ..... xvii
Overview ..... xxi

Chapter 1  What's Not Right ..... 1
  Overview ..... 1
  What Is Security? ..... 3
  Why Is All This Important? ..... 6
  Measuring Security ..... 8
  Security Program Strategy ..... 8
  Mission and Mandate ..... 11
  Security Policies ..... 14
  Roles and Responsibilities ..... 16
  Training and Awareness ..... 19
  The Security Risk Project Portfolio ..... 21
  Other Methods of Measurement ..... 23
  Security Constraints (Apathy, Myopia, Primacy, and Infancy) ..... 29
  The Con of Security ..... 35
  Conclusion ..... 39

Chapter 2  True Security Model ..... 41
  True Security ..... 41
  Part I—The Tangible Elements of True Security ..... 42
  Part II—Modeling the Intangible Elements of True Security (The Hard Part) ..... 43
  The Two "Step-Children" Groups of the Model ..... 47
  Tying It All Together ..... 49
  True Security Summary ..... 51
  Using the Model ..... 51
  Introduction to Systems Theory ..... 53
  Components of Systems Theory ..... 53
  Overlaying Security onto Systems Theory ..... 54
  Putting It All Together ..... 55
  Summary ..... 57

Chapter 3  Apathy ..... 59
  Overview—What We Are Going to Cover ..... 59
  Causes ..... 60
  Causes of Apathy in Humans ..... 60
  Causes of Apathy within a System ..... 62
  Causes of Apathy within an Organization ..... 64
  Causes of Apathy within a Security Program ..... 69
  Equilibrium of Accountability and Authority ..... 75
  Security Interaction Points within an Organization ..... 76
  Eating the Elephant in One Bite ..... 78
  Missing Tangible Items of a Security Program ..... 79
  Communication—The "Why" ..... 79
  Causes of Apathy Section Summary ..... 80
  Cause and Effect of Apathy on the True Security Model ..... 80
  Apathy and the True Security Model ..... 82
  Apathy and the Board of Directors ..... 83
  Apathy and the Executive Team ..... 84
  Apathy and Middle Management ..... 86
  Apathy and the Supervisory Team ..... 86
  Apathy and Employees ..... 87
  Apathy and Consumers ..... 88
  Effects Summary ..... 89
  Solutions to Apathy ..... 89
  Security Solutions ..... 92
  Chapter Summary ..... 96

Chapter 4  Myopia ..... 97
  Overview ..... 97
  Causes of Myopia within an Organization ..... 103
  History and Myopia ..... 104
  Complexity of Systems ..... 105
  Those Who Perform the Work ..... 106
  Professional Fraud ..... 108
  Knowledge Management ..... 109
  Causes of Myopia within a Security Program ..... 110
  What Is Security? ..... 111
  Techno-Centric Security ..... 111
  It's a Game of Inches ..... 112
  Pedigree Matters ..... 113
  The Generalist versus the Specialist ..... 113
  No Hablas Security ..... 114
  Life is a Wheel ..... 114
  Buyer Beware ..... 115
  Security Training ..... 116
  Causes of Myopia Section Summary ..... 116
  Cause and Effect of Myopia on the True Security Model ..... 118
  Myopia and the True Security Model ..... 118
  Myopia and the Board of Directors ..... 119
  Myopia and the Executive Team ..... 120
  Myopia and Middle Management ..... 122
  Myopia and the Supervisory Team ..... 122
  Myopia and Employees ..... 123
  Myopia and Consumers ..... 123
  Effects Summary ..... 125
  Solutions ..... 125
  Security Solutions ..... 126
  Chapter Summary ..... 134

Chapter 5  Primacy ..... 135
  Overview ..... 135
  Primacy Tune-Up ..... 136
  Causes of Primacy within an Organization ..... 141
  Organizational Culture ..... 141
  Causes of Primacy within a Security Program ..... 148
  Walk Softly in the Land of the Giants ..... 153
  Summary ..... 153
  Cause and Effect of Primacy on the True Security Model ..... 155
  Effects of Primacy ..... 155
  Solutions ..... 160
  Security Solutions ..... 163
  Step #1: Assess Your Own Situation ..... 163
  Step #2: What's in The Message? ..... 165
  Step #3: Be Gentle with Your Knowledge ..... 168
  Step #4: Power Flows from the Top ..... 169
  Conclusion ..... 170

Chapter 6  Infancy ..... 171
  Overview ..... 171
  Infancy within an Organization ..... 181
  Summary ..... 184
  Infancy within a Security Program ..... 184
  Nature of Security ..... 185
  Lack of Credibility ..... 185
  Pedaling Doom (or How Chicken Little Found His Calling in Security) ..... 187
  Summary ..... 187
  True Security Model and Infancy ..... 189
  True Security Model ..... 189
  Board of Directors ..... 190
  Executive Management ..... 191
  Middle Managers ..... 191
  Supervisory Team ..... 192
  Employees ..... 193
  Consumers ..... 193
  Summary ..... 195
  Security Solutions ..... 195
  First Things First ..... 198
  No One Likes Big Brother ..... 199
  Find Good Sources ..... 199
  Do Not Blindly Trust Sources Just Because They Appear Authoritative ..... 199
  Educate Yourself and Then Teach Others ..... 201
  Organize Your Messages ..... 202
  Be Patient ..... 204
  Summary ..... 204

Chapter 7  Tying It All Together ..... 205
  Tales from the Security Consultant ..... 205
  Overview ..... 206
  Warning: Awareness and Comprehension of Previous Chapters Are Necessary to Read Past This Point ..... 208
  How to Measure Constraints within Your Environment ..... 209
  Localized Security Constraint Identification ..... 209
  Identification of Security Constraints within the True Security Model ..... 211
  Summary ..... 214
  GAP the True Security Model ..... 214
  The Tangible Elements of the True Security Model ..... 215
  Measuring the Intangible Elements of the True Security Model ..... 216
  Organizational GAP Analysis within the True Security Model ..... 218
  Summary ..... 220
  Filling the Gap ..... 220
  R.E.A.P.—Security Success Model ..... 220
  Final Steps ..... 231
  Summary ..... 233

Chapter 8  Closing Thoughts ..... 235
  The Final Tale from the Security Consultant ..... 235
  Concept 1: Recognize That the Security Constraints Are What Leads to All of the Failures on Security Initiatives and in Security Programs ..... 236
  Concept 2: Be Reasonable in Your Approach to Mitigate the Security Constraints ..... 236
  Concept 3: True Security Is an Ideal ..... 236
  Concept 4: Treat Security Personally ..... 237
  Summary ..... 237

Appendix ..... 239
  Exercise 8: Apathy ..... 239
  Exercise 9: Apathy ..... 240
  Exercise 10: Myopia ..... 242
  Exercise 11: Myopia ..... 243
  Exercise 12: Myopia ..... 244
  Exercise 13: Primacy ..... 245
  Exercise 14: Primacy ..... 246
  Exercise 15: Primacy ..... 247
  Exercise 16: Infancy ..... 248
  Exercise 17: Infancy ..... 249
  Exercise 18: Tying It All Together ..... 250
  Exercise 19: Tying It All Together ..... 253
  Exercise 20: Tying It All Together ..... 257
  Exercise 21: Tying It All Together ..... 260
  Exercise 22: Tying It All Together ..... 263
  R.E.A.P. Templates: Exercises 24 to 30 ..... 266

References ..... 271

Foreword

The brief histories of many information security teams are littered with abandoned projects, ineffective policies, ill-acquired technologies, and the blood of well-intentioned security staff and consultants. What is it that keeps so many of these programs from gaining ground even with dedicated staff members, widespread regulatory pressure, executive support, and financial backing? Let's see if we can find the answer in a book. What we will find in most of the numerous books on my professional reading shelves will probably be useful. However, none of these books in my experience delve into some of the fundamental deficiencies that organizations, security or otherwise, often exhibit—until now.

Ron, Mike, and Skye have covered the fundamentals of an effective information security program with the True Security Model, but what really stands out in this book is the careful consideration of the formidable, though often overlooked, constraints that hinder an organization's security program. Far from just considering these constraints, the authors provide some tangible and practical examples of how to deal with them. What are these constraints? Well, that's for the book to explain, but I'll give you a hint. They aren't problems with the overall organization, they have nothing to do with budget, and there will be no whining about unsupportive executives. The constraints have everything to do with flaws within the security program itself. It's probably worthwhile to toughen up your skin because this book is taking aim squarely at us security professionals as the cause of these problems.

The refreshing perspective of self-examination in this book makes me certain that I will find myself back among its pages when tough questions need to be answered.

Michael Boyd, CISSP