Information Security Can't Rely on Pinky Swears

No one in your organization gets to be clueless about information security.

Matthew D Edwards
November 25, 2019

This article was originally published on LinkedIn.

"We hire great people" is something we all hear companies regularly communicate.

How do you feel about a hypothetical company that believes the risk of an information security breach is low largely because they hire good people? In other words, their information security strategy is to hire good people and trust them individually to do the right thing. Maybe they even sign a paper pinky swearing they'll always do what's right.

Let's say this hypothetical company houses some of the most sensitive data about you and your family or company that exists. Your information is passed around via email or attachments inside and outside the company. Information is even passed between teammates via chat tools sometimes. Said information is also accessible, editable and exchangeable between partner/vendor companies in the background. This data is unencrypted when stored (at rest) and when passed around (in transit).

Do you know about companies like this? Is this your company? Is a company like this minding your personal data?

While information security is everyone's responsibility, it is first the responsibility of the company itself. Hiring great people does not alleviate, or defer, the responsibility an organization has to be compliant with information security policies, legislation and industry best practices. If we can't trust a company to do the right thing, why would we value their brand?

Interesting Things We've Heard Through the Years:

  • "Our people, vendors, and partners do the right thing. That's why we work with them. I don't think we have anyone in the company who would abuse our customer data."
  • "First, we must get product to market and prove the idea is viable. We'll validate viability of our product by customer adoption velocity and demand for new features. If the numbers suggest customers want to buy and use our product, then we'll figure out what security we need thereafter."
  • "We're going to wait and see if this policy/legislation has any teeth. If we start getting fined for non-compliance, then we'll begin considering if, how and to what extent we need to invest in information security."
  • "Our industry is not very interesting to most folks. We don't believe our company, products or services are really a threat to anyone. And we believe the likelihood of being attacked or otherwise exploited is pretty low to non-existent. We'll wait until it makes sense before investing in some of the information security measures we hear about. It all sounds so expensive anyway."
  • "It is actually cheaper for us to pay the fines."
  • "Our customers don't know any better."

"Security first" or "security by design" is a choice. And it must first be the choice of the governing board and company leadership before it will become a reality for employees, partners and vendors. If it is not a top-down, constantly communicated, verifiable expectation, it does not exist.

7 Steps to Become a Security-First Organization

1. Internally declare that your company will become "security-first"

When initiatives start at the bottom of the company, they risk dying out due to lack of energy, resources, and attention. Sometimes they risk actually burning up the people trying to get the changes implemented as hope turns into apathy. It is the proverbial "fight against the man."

As a Board or Senior Leadership of a company, what is important to you is important to the company. If it isn't, that is a different problem altogether.

For a company to become a security-first focused organization, the declaration of importance, direction, and expected actions must come from Senior Leadership first.

An example "From the CEO" communication:

"Folks, effective immediately, we will put security, privacy, and compliance first in our daily operations. This means with every product, service, interaction, and communication, internally and externally, we will consider what must be secured, how it must be secured and under what conditions we must secure it – data, systems, teams, company and client interests inclusive. It is not a task to accomplish and be done. This must be our DNA. It must be our daily lifestyle. And it will take time to get to a proper baseline of competency and time to maintain, evolve and increase it.

From this day forward there will exist training expectations that must be pursued and accomplished monthly, quarterly and annually. Look for them in your Learning Management System (LMS) assignments. All roles, titles, and capacities. No exceptions. Me included.

And from this day forward you will see our CISO take a more prominent role in defining our pursuits, our strategies and validation of our compliance readiness. We as a leadership team choose to proactively educate our teams, protect our assets and behave in a manner expected by our Founders and those who have come before us to build this great company.

Thank you for your commitment to being the best."

Top-down declarations become realities.

2. Determine what industry regulations apply to your company

Information Security / Regulatory Compliance is a career. And there is a shortage of people who do this type of work. Find them. Hire them. Leverage them. Knowing what you must align to will save you money. Knowing what you need not align to will also save you money.

There are quick determinants to flush out directions, follow-up actions, and investment. The road will not be small, nor easy; though this list will help point you in a direction of what matters, when it matters and to what extent.

  • In what industry do you operate?
  • Is your business localized to your state only? Your country only?
  • Do you do business internationally? What countries?
  • Do you exchange money with customers?
  • Do you ask for and store personally identifiable information?
  • Are you working with non-governmental organizations? Charities? Governments? Militaries? Public companies? Private companies?
  • Have you failed any previous compliance audits?
  • Have you been fined by a third-party organization for non-compliance?

3. Determine what industry best practices will help your company

You may discover your information security folks want impenetrable castle walls, which eventually mean your employees are unable to use the bathroom in the name of security. An extreme.

You may also discover your engineers want the freedom to use anything at any time for any reason in the name of innovation, digital transformation or being competitive. Probable.

And your business unit leaders? You're expecting them to grow the business, delight the industry and client base. They want to do whatever is necessary and appropriate to meet the goals expected of them as well.

Security, innovation and growth are not mutually exclusive. They must be collaborative and it will require constant, purposeful and involved leadership. Otherwise, it is just theater.

Regulated industries communicate best practices and compliance expectations, which makes it easier to know what matters and what doesn't. Where your time will be spent is determining how tightly to dial up the security requirements on your operation and how they will impact friction, flow, deliverable velocity and value from the organization.

Unregulated industries still have communicated best practices and compliance recommendations. In the absence of all knowledge, ask the following questions of your Chief {Information Officer, Information Security Officer, Product Officer, Technology Officer}:

  • Against what information security / regulatory compliance standards must we be measuring ourselves?
  • How are we training our people to be predictably and repeatably compliant with these expectations in our everyday lives?
  • How can we regularly prove that what we expect is actually being employed?
  • How do we culturally make security and compliance a behavioral assumption versus a Learning Management System (LMS) assigned task?

4. Implement role-based security awareness training

No one is exempt from information security. No person, role or title. Like leadership and teams, security is a "we" endeavor.

Not all roles in the company have the same requirements. Some roles are specialized while others are more general. Below is a simplification of this idea.

Specialized: Information Security folks may say higher-level things like confidentiality, integrity, and availability. They may roll out policies, procedures and learning courses while facilitating internal and third-party audits. They'll even be discussing Plans of Actions & Milestones (POA&M or POAM) items resultant from audits. They'll need to know frameworks, behaviors, implementations, monitoring methods, and reaction/response ladders and industry standards like NIST-CSF, PCI-DSS, HIPAA and so many more.

Specialized: Engineers who focus on infrastructure, networks, data, and software technology stacks need to know about the what, but more importantly, they need to understand the why and how as they do their work. For example, data encryption at rest and in transit, authorization, and authentication, securing failover infrastructures, hybrid cloud solutions, bring your own device security, separation of duties, least privilege and need-to-know principles. There is more than one way to implement any one of these concepts and Engineers need to know them.

Generalized Awareness: Everyone else.

Figure 1. The diagram above demonstrates at a high level how role-based security awareness training could be rolled out and that everyone is a part of it. No one ever gets to be "clueless."

5. Include the information security role in solution delivery teams

Whether your company calls them Scrum, Strike, AgileProduct or Project Teams, the team construct used to deliver an idea from inception to conclusion often contains multiple roles and therefore multiple people.

In order to become a security-by-design or security-first company, your teams must be shaped to enable the desired outcome. Which then suggests that an information security/regulatory compliance expert must be included from project inception through the course of the project.

This conversation is less about the recipe for roles and teams and more about the desired outcome. Context-driven teams influenced by desired outcomes.

Strike Team Delivery Model
Figure 2. Trility's preferred team pattern is the use of a Strike Team that always includes an Information Security/Regulatory Compliance expert involved throughout the lifecycle of the project or product. While we tend to construct teams based upon the desired project outcomes, we include an Information Security expert on the team by default.

If the information security people are technical, they may be helpful with design, development, and implementation every step of the way, all day every day. If the information security people are non-technical, they may be more aptly leveraged in a principle-based guidance role during iteration planning, stand-ups, demos and reviews to ensure the project continues to move forward between the fences.

Either way, there must be a full-time champion for the company and clients in terms of privacy, compliance and best practices to achieve the desired outcome.

6. Determine how you will proactively test your ongoing compliance

There are any number of methods to test ongoing compliance. Blind trust. Word of mouth. Internal (infrequent) manual inspection. Third-party annual inspections. Or continuously through automation.

Our typical practice is to identify what attributes of compliance must continually exist, automate those attributes into a series of tests that are called, executed, logged and tagged every time new infrastructure and applications are built. When non-compliance happens, alert someone (as shown below). Otherwise, keep moving. We have some examples in our Github for you to thoughtfully consider.

Automated Security Tests
Figure 3. The diagram above shows how you can build-in automated security/compliance tests such that every build now has the capability of logging activity, events, alerts and compliance status.

7. Attach quality and compliance tools to the delivery pipeline

Continuous delivery pipeline behaviors are not new. Wide-spread awareness and adoption of new concepts takes time to expand across industries, companies, leaders, and teams. As more companies implement continuous delivery principles, more of the things many companies used to exclude because it took too much time, or did perform, but manually in arrears and infrequently, will be automated providing real-time information radiators.

Look for vendors and tools that are API-driven, have a great online community, openly available developer and administrative documentation, as well as, active tool support. These tools enable you to perform automated analysis-refactor loops now versus waiting until later and hoping for the best. It is worth your money to know your risk exposure now.

Continuous delivery pipeline with security built-in
Figure 4. This diagram illustrates wherein the continuous delivery pipeline predictable, repeatable and auditable security behaviors may be baked into the solution delivery process now versus waiting until later.

Hire great people. Cast a vision, communicate desired outcomes, define clear objectives, give them the resources to be successful, give them rules of engagement and stay involved.

Great people make mistakes. And even great people some times do not know what to do. Security frameworks help mitigate oversights, mistakes and provide guidance when people are in new, different and complex situations.