Communication is an essential part of the CISO's role, but too often we get it horribly wrong. That was the message laid out by communications expert David Porter at the RSA Conference in Europe recently.
We know that a large part of the CISO’s role is to influence, cajole and encourage our business leaders to make the right choices, enabling our firms to manage risk and move forward safely. Creating compelling communications is a differentiator, but too few CISOs excel in this area and this is holding back their credibility, their career and the risk posture of their employers.
David Porter proposed spending a great deal more time than most of us would be used to, refining the introduction to any piece of communication, and actively crafting it to flow from ‘Situation’ (“Once upon a time there was a beautiful princess..”) to ‘Complication’ (“..who was imprisoned in a tall tower by her wicked step-mother”). That sounds pretty standard, but it was interesting how David then analysed different RSAC submissions and showed how even the professionally written ones deviated from this model, and how much clearer they were once the rule had been applied.
This simple setup opens up the readers/listener's mind and plants questions that seek to understand how the story can be resolved, and stories are powerful communication tools.
Outside of Tempe is a place called Sahuarita, Arizona. Sahuarita is the home of Air Force Silo #571-7 where a Titan missile, that was part of the US missile defense system and had a nine-megaton warhead that was at the ready for 25 years, should the United States need to retaliate against a Soviet nuclear attack. This missile could create a fireball two miles wide, contaminate everything within 900 square miles, hit its target in 35 minutes, and nothing in the current US nuclear arsenal comes close to its power. What kept it secure for 25 years? You guessed it...four phones, two doors, a scrap of paper, and a lighter.
Photo Credit: Renee Murphy
Technology has grown by leaps and bounds since the cold war. When these siloes went into service, a crew supplied by the Air Force manned them. These men and women were responsible for ensuring the security and availability of the missile. Because there was no voice recognition, retinal scanning, biometric readers, and hard or soft tokens, the controls that were in place were almost entirely physical controls. All of the technology that we think of as keeping our data and data centers secure hadn’t been developed yet. It is important to note that there was never a breach. Ever.
It might be an occupational hazard, but I can relate almost anything to security and risk management, and my visit to the Titan Missile Museum at AF Silo #571-7 was no exception. The lesson I took from my visit: there's room for manual controls in security and risk management.
On Monday, Hurricane Sandy slammed into the East Coast of the United States, flooding entire towns in New York and New Jersey, triggering large-scale power outages and killing at least 17 people. The health and safety of individuals is the first and foremost priority, followed by the recovery of critical infrastructure services (power, water, hospital services, transportation etc.). As these services begin to recover, many business and IT leaders are wondering how they will resume normal operations to ensure the long-term financial viability of the company and the livelihoods of their employees and how they will serve their loyal customers.
Most likely, if you have offices that lie in the path of Hurricane Sandy, you are experiencing some sort of business disruption, large or small. The largest enterprises, especially those in financial services, spend an enormous amount of money on business, workforce and IT resiliency strategies. Many of them shifted both business and IT workloads to other corporate locations in advance of the storm, proactively closed offices and directed employees to work from home or a designated alternate site.
If you are small and medium enterprise and, like many of your peers, you didn’t have an alternate workforce site, robust work-from-home employee capabilities, an automated notification system or a recovery data center, what do you do now? While it’s too late to implement many measures to improve resiliency, there are several things you can do now to help your organization return to normal operations ASAP. Here are Forrester’s top recommendations for senior business technology leaders:
The current state of business continuity management (BCM) standards? Abysmal. According to a joint Forrester/DRJ study, 69% of respondents said that British Standard (BS) 25999 did not influence or only somewhat influenced BCM at their company. It’s not much better for NFPA 1600, 70% of respondents said that it did not, or only somewhat, influenced BCM at their company. I find this shocking. BS 25999 is one of the most widely recognized standards for BCM worldwide and NFPA 1600 has been popular in the US for years. In addition, the U.S Department of Homeland Security’s Private Sector Preparedness Program (PS‑Prep) recognizes both of these standards for assessing preparedness. If you’re wondering what standards respondents named in the “Other” category, it was mostly the Federal Financial Institutions Examination Council (FFIEC) and NIST. Not surprising but also a little disheartening, it’s clear that unless compelled to do so, most BC professional would not adopt or follow a BCM standard.
Even if you don’t intend to certify to these standards, they should strongly influence your BCM program. Why? It’s because:
They provide a foundation and a common vocabulary for BCM best practices and processes. This is important if you need to implement BCM across a geographically dispersed enterprise or you have to work with a multitude of global partners on joint preparedness.
The news this week in the UK has been awash with articles in relation to the potential problems that the Olympics 2012 could bring with reports of transport chaos, security rehearsals happening near Forrester’s London office to secret security documents being left on a train which detail policing measures. This is undoubtedly a unique occasion but with many eyes watching the UK this coming summer it’s something the planners simply have to get right.
At Forrester, we believe that IT functions need to seriously prepare for the Olympic period also and so we will be holding a half day, collaborative event for our FLB members and interested prospects on Wednesday, 22nd February 2012 from 12:45 – 4:30pm at Forrester’s London office to explore strategic and tactical solutions to these risks. This session will be led by Senior Analyst Dave Johnson, a former software executive with 15 years of industry experience focused on client management and related operational processes and tools.
As a follow-up to my blog post yesterday, there’s another area that’s worth noting in the resurgence of interest in BC preparedness, and that’s standards. For a long time, we’ve had a multitude of both industry and government standards on BCM management including Australian Standards BCP Guidelines, Singapore Standard for Business Continuity / Disaster Recovery Service Providers (which became much of the foundation for ISO 24762 IT Disaster Recovery), FFIEC BCP Handbook, NIST Contingency Planning Guide, NFPA 1600, BS 25999 (which will become much of the foundation for the soon to be released ISO 22301), ISO 27031, etc. There are also standards in other domains that touch on BC, security standards like ISO 27001/27002.
And when you come down to it, several of the broad risk management standards like ISO 31000 are applicable. At the end of the day, the same risk management disciplines underpin BC, DR, security and enterprise risk management. You conduct a BIA, risk assessment, then either accept, transfer or mitigate the risk, develop contingency plans, and make sure to keep the plans up to date and tested.
In my most recent research into various BCM software vendors and BC consultancies, as well as input from Forrester clients, BS 25999 seems to be the standard with the most interest and adoption. In the US at least, part of this I attribute to the fact that BS 25999 is now one of the recognized standards for US Department of Homeland Security’s Voluntary Private Sector Preparedness Accreditation and Certification Program. The other standards are NFPA 1600 and ASIS SPC.1-2009. I’ve heard very few Forrester clients mention the latter as their standard.
During the last 12 to 18 months, there have been a number of notable natural catastrophes and weather related events. Devastating earthquakes hit Haiti, Chile, China, New Zealand, and Japan. Monsoon floods killed thousands in Pakistan, and a series of floods forced the evacuation of thousands from Queensland. And of course, there was the completely unusual, when for example, ash from the erupting Eyjafjallajökull volcano in Iceland forced the shutdown of much of Western Europe’s airspace. These high profile events, together with greater awareness and increased regulation, have renewed interest in improving business continuity and disaster recovery preparedness. Last quarter, I published a report on this trend: Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And 2011.
A few weeks ago, Stephanie Balaouras and I posted a podcast on a topic that has been a high priority for many of our customers — how to apply risk management techniques to IT security. We know that many of you are feeling the pressure to take the lead in IT risk management and in some cases even play a role in initiating risk management at the corporate level.
The key to success is understanding the core elements of risk management and how to plug them into existing processes without creating simply another layer of overhead. A major theme of my recent research has been on existing risk management standards and how they are being applied to IT Security and Risk functions. For example, the ISO 31000 risk management standard outlines a five-step process for formalized risk management. My January report, Introducing ERM To IT Security And Risk , provides a summary of the standard, and I will be expanding upon the next steps in my upcoming research documents. In addition, look out for my next doc on Regulatory Intelligence, to be published in the next few months.
In the meantime, I encourage you to listen to this podcast to hear about best practices and lessons learned from clients who have gone through these steps. And as always, I welcome any questions or feedback.
Even in the toughest times, winners will invariably emerge. With the way expectations are changing regarding corporate controls and disclosure, risk management professionals (whose lack of influence was seen as a substantial cause of our current state of affairs to begin with) will likely be among the first beneficiaries of our new outlook on business.
Forrester customer inquiries seem to have taken a step back when it comes to risk management. While there are still plenty of incoming technology and vendor selection questions, there has been a noticeable spike in calls about fundamental issues, such as how to build and organize risk management programs. Knowledge and experience in risk management basics is in high demand.
Every month or so, news events (attacks on government sites, massive privacy breaches, etc.) provide a ‘wake-up call’... a proof point used by vendors and practitioners alike that protecting our national and corporate information assets has never been more critical. On occasion we even see these incidents yield promises of action, for example the anticipated appointment of a US Cybersecurity Czar, which my colleague Khalid Kark discusses here.
But in spite of these warnings, my conversations with enterprise risk and IT risk professionals still reveal many disconnects, including that IT risks are not measured consistently with other enterprise risks. In addition, many IT risk professionals do not see their biggest risks showing up on the corporate risk register.