AKF Partners
Abbott, Keeven & Fisher Partners: Partners In Hyper Growth
Category: Security

AKF is launching an Information Security Service for Clients

In today’s digital world, cyber security is one of the biggest areas that keep CEOs and business executives awake at night. Further, regulation and compliance are continually changing, as both governments and customers are modifying the rules in an attempt to keep pace with rapid changes in technology. Keeping up with these changes in regulation, and particularly how they will apply to your business, is a monumental challenge. As a very recent example, if you operate in both the U.S. and Europe, you’re probably familiar with Safe Harbor (https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles). Up until mid 2015, Safe Harbor permitted U.S. companies to store EU customer data on U.S. soil, so long as the infrastructure and usage met the privacy standards of the Safe Harbor Act. However, in October 2015, courts struck down the US-EU Safe Harbor agreement, leaving companies again wondering what approach they should take. Then on Feb 29, 2016, the European Commission introduced the EU-US Privacy Shield (http://europa.eu/rapid/press-release_IP-16-433_en.htm), which is similar to Safe Harbor but, in conjunction with the Judicial Redress Act signed by President Obama, extends the ability of European citizens to challenge U.S. companies that store sensitive personal information. With the changes coming quickly and furiously, what is your company to do?


In addition to those challenges, customers today put more and more demand on companies not only to protect sensitive customer data and IP, but also to store and process that sensitive data in a highly available and scalable manner. Balancing the needs of maintaining data on behalf of customers with regulation and compliance is one of the biggest challenges for any modern company, whether or not you store or process sensitive data for your customers. Sometimes just operating in a regulated industry subjects your company to the long reach of compliance standards.

Finally, who is in charge of security in your company? Is it spread across teams? Is there a single CSO/CISO and security organization? How well do the security organizations work with your technology and business teams?

Our clients ask us frequently if we can assess their security programs and help develop plans for them, similar to the work we do with system architecture and product development. At AKF, we look at security the same way we look at availability and scaling. It is about managing risk. You can build a system that has nearly 100% availability, and you can build a system that scales nearly infinitely… but you don’t always need to, as it’s not always the most cost-effective way to run your business.


You want to build a system that achieves very high availability, up to the point where the cost of “near perfect” availability exceeds the value it brings to the business. Similarly, you may never be able to completely eliminate each and every risk to your information security. Some industries, like health care and credit card processors, need to be “near perfect.” But others may not need to be quite as perfect. Some may just require that you have ample controls, tightly monitored systems, secure coding practices, and top notch Security Incident Response plans.

Finally, there are plenty of overlaps in regulations that, if addressed once, can solve several of your security compliance concerns. For example, PCI, SOX, and HIPAA all have requirements about auditability and accessibility, although they apply to different types of data. If you’re subject to more than one of those, why not put controls in place that help solve them for ANY regulation?


We have begun a new program to help our clients with their security needs. Our approach is to help you understand your regulation and compliance landscape, look at the security measures you’ve put in place, and work with you to design a program and projects to close the gaps, focusing on the highest value projects first. We’ll also help you understand where security fits into your organization, and guide you on how to break down barriers that prevent organizations from working cohesively to manage security across the enterprise.

If you are interested in our security program services, please contact us.


Sensible Security

This post is the last in a three-part series and will cover the last two points from our post entitled Top 4 Failures in Corporate Information Security. Here we are going to focus on why firewalls aren’t always the best solution to your problems and how to use your security team properly in your risk decision-making processes. We’ll end with a quick review.

Firewalls Can Be Bad Too

Firewalls can absolutely be overdone.  In fact, in our experience they are very often overdone.  Often firewalls are cited as being necessary to be compliant with certain regulatory requirements or industry standards (such as PCI compliance).  Sometimes companies feel they must put them in place simply because similar “comparison companies” have installed them.  Many times the driver of this need isn’t as much the requirement, standard or “comparison” company as it is misinformation on the part of firewall vendors or decisions made without complete information.

Firewalls, besides not being free either in terms of labor or capital (obviously), almost always reduce your availability and decrease your flexibility. Like any other piece of hardware and software, they fail from time to time. These failures often lead either to idle employees who cannot perform their work or, even worse, to revenue-generating customers being turned away from certain functions on your site. There’s no way around it: if you put a firewall in the way of a transaction, sooner or later it will cause a problem. Sometimes this is both acceptable and advisable, such as the additional protection that a firewall provides a database that stores PII such as credit cards. Other times, it is just an unfortunate cost and burden, such as when firewalls are used to protect static image servers that have very little valuable information on them and which are of little interest to money-focused bad guys. And finally, they can really harm employee productivity by stalling business initiatives. It’s not unusual to spend thousands of dollars of labor several times a year troubleshooting why a new service won’t work, or why an old service quit working, before identifying that a port in a firewall needs to be opened or was recently closed.

Security Teams as Contributors – Not Decision Makers

Your security team very likely has a lofty and aggressive goal – to keep your company, your systems and your data (or your customer’s data) free from being abused by bad guys.  This goal doesn’t come cheaply and the only way to guarantee it is attained is to either go out of business or spend so much on your risk adjustment initiatives that you will never make a profit.

The security team rarely has the business background and overall business context to make business tradeoffs when it comes to risk.  While they may in fact have a number of people with advanced business degrees, their focus on reducing risk means that they are not focused on maximizing profits within the context of all of the available business levers.  And you may not want them to have such a broad business focus as some practitioners argue that you want your risk team focused singularly on the available risk options rather than making the risk tradeoff decisions.  The bottom line here is that the team should be involved in the decision process, but they are not necessarily the best decision makers for your risk management options.

Acting Sensibly

Treat your security and risk initiatives as you would your personal property and valuables. Lock up and keep out of sight those things of significant value, but retain enough flexibility to allow you and your team to do your jobs quickly. You probably don’t put deadlocks on every bedroom in your house, as it just doesn’t make sense, and you probably don’t need to put firewalls on every LAN segment in your network for the same reason. Add passive detection devices such as intrusion detection systems to increase your level of security.

We covered four failures in corporate information security:

1) Fear rather than Risk and Profit driving decisions
2) Teams not understanding financial drivers of the “enemy”
3) Overemphasis on Firewalls
4) Security decisions made by the wrong team

By understanding what motivates your enemy, approaching security with risk and profit rather than fear as a driver, acting sensibly when it comes to risk mitigation and making risk decisions at the appropriate level you can both decrease risk and increase profitability.


The Financial Drivers of Security

Our last post, Top 4 Failures in Corporate Information Security, kicked off a three-part series on security addressing some of the most common themes from our work with clients. This post will cover the first two failures from our last post in greater detail. The first section will focus on why financial concerns, and not fear, should drive your security decisions. The last section focuses on the financial motivations of potential thieves and the ramifications for your security architecture and design.

Focus on Finance (or profits) and not Fear

Has your security team (or have you) ever presented a project justification that something has to be done “or else we will be horribly exposed?”  Or maybe the proposal was worded such that the project must be done or you risk “irreparably tarnishing our brand”.  Or how about “Our front doors are basically wide open, nearly anyone can walk in and take whatever they’d like”.  The problem with all of these statements is that not only are they difficult to prove or disprove, they are positioned to elicit a fear response for the purposes of attaining a goal.  How does one quantify fear and evaluate it against other business initiatives?  Our position is that one can’t and that one shouldn’t.

Our jobs as managers and executives are to make sound business decisions that maximize shareholder wealth.  The appropriate management of risk is an example of such a decision.  We spend money on risk management initiatives to offset potential future losses associated with the realization of that risk.  We might invest in fraud detection systems for instance to reduce future potential losses.  In doing so we pay the expense and capital of putting such a system in place, and potentially lose some revenue through the “false positive” identification of fraud within our revenue stream in order to significantly reduce the amount of real fraud going on within our systems.  Similarly, we might decide to put firewalls in certain places to reduce the probability of a penetration and associated brand damage at the expense of the labor to put those firewalls in place, the capital to purchase the firewalls, and the decrease in availability and scalability those firewalls might present.  Those firewalls also might slow our time to market for certain initiatives or increase the cost of those initiatives by adding steps in order to put new rules in place for new applications, etc.

On a project level, the point at which we should stop adjusting risk in any given area is the point at which the incremental cost of effort of risk adjustment exceeds the incremental value.  On a portfolio level, the cost and value of the risk adjustment above should be compared to all other capital and effort based projects.  Just because the project has a return, doesn’t mean it is the best use of our time and resources.  So, if we add a $10M fraud system that is only likely to return $8M in total benefits over 3 years have we made the right decision?  What if it returns $10M in 3 years?  The point here is that the initiative should be couched in business terms and compared appropriately against other business initiatives in terms of its financial benefit.  Don’t let fear motivate your decisions.

Bad Guys Like to Make Money Too

Sun Tzu is attributed with saying “If you know both yourself and your enemy, you can win a hundred battles without a single loss.” How well do you know your enemy? While some of your enemies are out to brag about their accomplishments, a majority of your enemies are out to make money. The people who perpetrate technology crimes are generally skilled and intelligent (though morally bereft) people who see the perceived benefit of stealing your data as being significantly greater than the perceived cost. It is this equation that we are going to address in this section.

In our equation Perceived Benefit (PB) > Perceived Cost (PC) the word “perceived” is very important.  We need elements in our security architecture that decrease the perceived benefit of a potential security breach.  This might be one-way encryption of sensitive data such that it can’t be used by someone stealing it, or it might be hiding our data and valuables so that “passers-by” don’t ever perceive any value in attacking you.  Maybe you can develop marking technologies for your data or “beacons” such that the data can be tracked if used.

Elements of perceived cost include the perceived cost of obtaining the data and the perceived cost of getting caught. This implies that not everything needs to have the same “actual” cost of protection, as it makes little sense to spend money protecting something that has little perceived value. The perceived cost of getting caught is at least partially influenced by your track record of catching would-be thieves as well as how well you publicize your successes. If I am choosing between attacking site A and site B, each of them equivalently physically protected and of equivalent value to me, I will likely choose the site that appears to me to be the least likely to catch or prosecute me.

In our next post, we will discuss who should make security decisions and why firewalls aren’t always a good thing.


Top 4 Failures in Corporate Information Security

This post is the first in a three-part series about security. This first post introduces the top four failures that we see in clients when it comes to information and technical security operations. Our next two posts will each take two of the areas below and cover them in greater detail.

1) Fear rather than Risk and Profit Drives Security Initiatives

Too many teams and companies allow their security decisions to be made based on the fear of potential loss rather than focusing on how to maximize total profits through loss minimization at an appropriate cost.  Business is inherently a risky enterprise and the only way to reduce your business risk to zero is to get out of business.  Every security (or other risk reduction) initiative you undertake has an actual cost to you in terms of capital (equipment), expense (headcount) and lost opportunity of revenue associated with slower processes or lower revenue that is quantifiable.  All of those costs should be evaluated, in a level headed fashion, against the potential loss you expect.  Why would you possibly spend $10M to offset a potential (probability = .05%)  loss of $8M happening sometime in the future?

2) Team Doesn’t Understand the Financial Driver of the Enemy

While there are folks who will hack your site or corporation simply to gain a reputation, the vast majority of the bad people out there are in the business of being bad to make money.  Bad guys act when the perceived benefit of success is greater than the perceived cost of effort or failure.  As such, security needs to be more than just locking the doors (increasing the cost of effort for the bad guys), it needs to be about lowering the perceived value of your belongings and increasing the perceived cost of getting caught.  Hide your valuables and rather than making them just difficult to obtain, think about ways to make them meaningless to other people if they should get them.  Remember that many incidents involve employees who already have the keys to your house – so make sure that if they get away with something that it isn’t of value to them once they leave the building.

3) Security Decisions Made by the Wrong Team

In the words of Garrett Hardin, the famous ecologist and author of “Filters against Folly”, for responsibility and delegation to work the person making the decision must be held accountable for that decision by the people it directly and indirectly affects.   This is almost never the case for security initiatives.  Security is about risk reduction at an appropriate cost and as such it is a question for the general manager.  Unfortunately, what typically happens is that security teams are given a goal of reducing risk as much as possible and are asked to justify a budget.  As risk has a direct impact to both revenue and cost, it is something that should be managed at the highest level of the company with input from the appropriate technical resources.

4) Overemphasis on Firewalls as a Deterrent

Firewalls are perimeter security devices.  They serve a similar purpose to locks on your house.  But just as you wouldn’t likely put locks and deadbolts on every door inside your house, so should you not put firewalls everywhere within your infrastructure.  An overemphasis on firewalls will ultimately decrease your overall availability due to the multiplicative effect of failure well beyond their expected long term benefit as a deterrent.  Rather, firewalls should be used as part of a broader security initiative.  Just as you likely have locks, a security system, a neighborhood watch and potentially cameras in your home and neighborhood so should you have some number of firewalls in the right places, relationships with law enforcement and a “community watch” program as well as intrusion detection systems within your corporation or platform.  And remember, hiding your valuables is as important as locking them up.
