Weekly Wee One #8: Relying only on InfoSec Compliance is like…

Are you aiming for 100% compliance with the latest security standards?

Is your company working hard to get sign-off for ISO 27001 or PCI DSS without sparing a thought for the non-standard approaches used by cyber criminals? Do you spend the rest of the budget installing the very latest cyber tools? Is that the best way to tackle your key InfoSec risks (if you know what they are)?

Relying only on #InfoSec Compliance,

is like thinking everyone drives the same…

They Don’t

Security standards, like road rules, are situation-agnostic frameworks

Do you mitigate the risk of a runaway truck by stoically staying put at the stop sign? Do you plough on (secure in the knowledge you are adhering to road rules) and take out that jaywalking pedestrian? Do you drive right up to the speed limit even though visibility is getting poor? Taking an anecdote from my past…

A friend started driving much later than most (in his mid 20s). He had a good salary, so after passing his test he bought a flash car with plenty of horsepower. I expressed concern that he was setting off on long road trips within a couple of weeks of getting his licence. He assured me, with no trace of irony (and more than a trace of annoyance), that he knew how to drive.

That was due, in part, to him being a nationally recognised expert in his own IT field. He viewed driving as just another technical thing to master.

Six weeks later he was T-boned by someone leaving a junction. Someone who had been driving too fast. Thankfully it was only the car that died, but it was foggy and he admitted to police that he thought the junction was clear, when witnesses (who saw the other car’s speedy approach) said it wasn’t. They also said his speed of reaction left a lot to be desired.

His next and subsequent insurance renewal quotes did not make pleasant reading.

He did everything ‘right’, so what went wrong?

He shrugged off the risk linked to adverse weather conditions, ignored advice from those more experienced and didn’t make allowances for risks introduced by other road users. Namely:

  • Ignorance- or inexperience-induced daftness.
  • Rule-flouting by arrogant petrol-heads that eats into everyone’s reaction time (made more dangerous by his own slow and inexperienced response).
  • Occasional malicious actors (think rear-ending folk for insurance-scamming purposes, or car-jacking). Things made more likely if you are a lucrative target and always follow standard routines (lessons learned from the personal protection trade).

While doing everything ‘right’, and despite his car having built-in best-in-class security, he failed spectacularly and expensively.

That is the challenge you face securing your business. You may drive things forward following the letter of the latest security standards and buy top-rated cyber add-ons for your network, but you need to learn from those who have been there and seen it. Folk with long experience tackling risks that creatively, maliciously or accidentally make highly polished compliant controls redundant. Risks that are almost invariably turned into incidents by the people with whom you share your building, local network, webspace and connected clouds.

The better known the controls, the more people will have the means and motivation to have a crack at getting round them, whether for the sake of convenience, speed or criminal gain.

But don’t take my word for it…

Here are a number of great stories and articles around the same subject, put together on Storify. They include a caution to avoid the ‘Standardisation Trap’ from Robert Duncan (CISO of Euronext) and other globally recognised experts asking you to put cyber fears aside and remember security basics. Clicking on the image will take you there.

The regular dose of tweet-size (or sometimes not so tweet-size) analogising has had a name change… Wednesday Wee Ones have become Weekly Wee Ones, to take the pressure off me getting them out by Wednesday. A lateral-thinking approach to solving the problem 🙂

If you liked this, you can find more here, or full-size InfoSec analogies on The Analogies Project site (a huge range of novel perspectives on security from just about every big name in the security game, plus plenty of folk from other trades). It’s a fab resource.
