Over-communicate. If you're not sick of saying it, you probably haven't communicated enough. So said Gene Frederiksen, the CSO at Raymond James Financial, speaking at a recent SC Magazine event in Atlanta, Georgia. His comments underlined the need for us security people to make an effort to get our voices heard at the highest levels in the company.
Of course, communication is traditionally not a strong point for anyone involved in IT. Human-to-human communication can often be a challenge for technical types.
But as security takes on a higher profile, communication – and the ability to express risks and solutions in terms that can be widely understood – is a skill that needs development.
Frederiksen advised his audience to try expressing strategic plans in the form of business scenarios, portraying situations to senior management in terms they understand. He even suggested a book (The Art of the Long View, by Peter Schwartz) as a good place to learn the technique.
One member of the audience had his own suggestion. Instead of trying to persuade the whole company board in one go, his idea was to identify a sympathetic board member (from marketing, finance, HR or wherever), take them out to lunch and get to know them.
With an ally on the board, you have a chance of being heard. This should not be news to anyone. As former NHTCU chief John Lyons makes clear on page 18, security has to be a collaborative affair to be at all effective. Unless you get buy-in from other disciplines and the board, you're doomed to failure.
You only have to look at recent events to see the point. The Sumitomo Bank job in London was made possible by insiders planting keyloggers on systems. In New Jersey, a criminal gang recruited staff at four banks, including Bank of America, and got them to copy customer data that was then sold on for profit. No firewall or IDS would have been able to stop that kind of scam. At the last count, the number of clients affected was running close to 700,000.
So security goes well beyond mere technology, and should include physical security and staff vetting. But is this news?
After all, the two mantras of security are CIA (confidentiality, integrity and availability) and "people, process and technology."
People have always been part of the equation. It just seems that, with so many toys to play with, we've forgotten that most threats still come from inside.
Which brings us back to Frederiksen's message. By all means, over-communicate with the powers above and around you. But don't get so bored repeating the same message that you forget to follow your own advice.
Ron Condon is editor-in-chief of SC Magazine