I recently wrote an article for InformationWeek, How To Assess Offshore Data Security. You should read it, it is a good piece. Of course I am biased.
There are a few points I want to add that did not fit directly into the article. These points apply to all infosec programs, so even if you don’t care about offshore security keep reading.
In the world of information security there is a lot of FUD. Let’s face it, the industry was built upon that. In the late 80’s and early 90’s you had some people breaking into systems for various reasons. Eventually they grew up and needed jobs, and this created an industry.
Ever since then, information security pros have marketed the risks of new technologies, the cost of breaches, and why we are needed to protect company assets. Our reasoning and paranoia are not always well founded, though. What does a breach really cost? What really needs to be done to protect assets?
Enter Risk Management. At some point the fancy pants MBA types got involved in infosec (full disclosure: I have an MBA). They insisted we quantify everything and apply proper measurement to risk. Unfortunately, the risk management industry doesn’t get infosec and infosec people don’t get risk management. Mix in the fact that most infosec groups are horrible at selling their need and integrating with the business, and the risk management side becomes even more useless.
Don’t get me wrong. Infosec is needed. Risk management is a good thing. But companies do not integrate these programs properly and do not integrate the hybrid with the business properly. Ask almost any company on the planet: infosec is an afterthought and a hard sell. I know a few top tier companies that “get it,” but I can point to companies before and after them on the Fortune 100 list that just don’t.
So how does this relate to my original topic? Offshore risks are seen in a different light and thus managed differently. Some companies believe they are at a higher risk once they go over the border and thus invest more into infosec. This is silly for the most part. Risks are risks and exist everywhere. There are some legal aspects to keep in mind when going outside of your home country, but from an infosec point of view, a company should decide on a level of protection and enforce that same level globally. Is your asset worth any less in the US than in India? If not, protect it in the US also.
The problem is a lack of understanding of infosec threats and misguided risk management approaches. People assume that risks are only introduced once they go offshore. Why did the company not originally set a value on the asset, apply an appropriate level of controls, and then reproduce these controls offshore? If they are like most companies, infosec has not been integrated into the business properly, they are not receiving the proper risk information, and thus they were just clueless.
Recommendations:
1. Protect the noun
Define the noun. The noun is the asset that has value and that you want to protect. Decide what level of protection the company needs on the noun and how much the company is willing to spend. Make it a dollar amount and sell a solution of controls for that dollar amount. Reproduce these controls globally.
2. Find the rich white man
I stole this line from one of the Rush Hour movies. Chris Tucker’s character had a theory about crime: follow the rich white man. I say find the rich white man (the person who controls the money) and talk to him about how much risk and cost is associated with an asset loss. NO FUD! Bring the numbers, show the risk. But don’t be overly academic. There is nothing worse than sitting in a room with an executive who is being shown charts and presentations on risk formulas out of a book and having everything explained in painstaking detail. Keep it high level and get to the point. Nobody really cares; they just want to be sure their stuff is not stolen. It is the same concept as when you were 5 and didn’t want anyone to steal your candy but didn’t want to listen to the safety officer telling your class about strangers. Stranger Danger! Duh!
Don’t go for broke to start; ask for about 50% of what you really want. I say this because most security people are hardliners and want to protect against all risks. Some risk is acceptable to most companies. Remember this when talking to the rich white man.
The final word: Treat a threat as a threat no matter where it is. Apply proper measurement of the threat to build your controls strategy. Don’t sell FUD.