AKF Partners (Abbott, Keeven & Fisher Partners): Partners In Hyper Growth

Sensible Security

This post is the last in a 3 part series and will cover the last 2 points from our post entitled the Top 4 Failures in Corporate Information Security. Here we are going to focus on why firewalls aren't always the best solution to your problems and how to use your security team properly in your risk decision-making processes. We'll end with a quick review.

Firewalls Can Be Bad Too

Firewalls can absolutely be overdone.  In fact, in our experience they are very often overdone.  Often firewalls are cited as being necessary to be compliant with certain regulatory requirements or industry standards (such as PCI compliance).  Sometimes companies feel they must put them in place simply because similar “comparison companies” have installed them.  Many times the driver of this need isn’t as much the requirement, standard or “comparison” company as it is misinformation on the part of firewall vendors or decisions made without complete information.

Firewalls, besides not being free either in terms of labor or capital (obviously), almost always reduce your availability and decrease your flexibility. Like any other piece of hardware and software, they fail from time to time. These failures often either lead to idle employees who cannot perform their work or, even worse, the turning away of revenue generating customers from certain functions on your site. There's no way around it – if you put a firewall in the path of a transaction, sooner or later it will cause a problem. Sometimes this is both acceptable and advisable, such as the additional protection that a firewall provides a database that stores PII information such as credit cards. Other times, it is just an unfortunate cost and burden, such as when firewalls are used to protect static image servers that have very little valuable information on them and which are of little interest to money-focused bad guys. And finally, they can really harm employee productivity by stalling business initiatives. It's not unusual to spend thousands of dollars of labor several times a year troubleshooting why a new service won't work, or why an old service quit working, before identifying that a port in a firewall needs to be opened or was recently closed.

Security Teams as Contributors – Not Decision Makers

Your security team very likely has a lofty and aggressive goal – to keep your company, your systems and your data (or your customers' data) free from being abused by bad guys. This goal doesn't come cheaply, and the only way to guarantee it is attained is to either go out of business or spend so much on your risk adjustment initiatives that you will never make a profit.

The security team rarely has the business background and overall business context to make business tradeoffs when it comes to risk.  While they may in fact have a number of people with advanced business degrees, their focus on reducing risk means that they are not focused on maximizing profits within the context of all of the available business levers.  And you may not want them to have such a broad business focus as some practitioners argue that you want your risk team focused singularly on the available risk options rather than making the risk tradeoff decisions.  The bottom line here is that the team should be involved in the decision process, but they are not necessarily the best decision makers for your risk management options.

Acting Sensibly

Treat your security and risk initiatives as you would your personal property and valuables. Lock up and keep out of sight those things of significant value, but retain enough flexibility to allow you and your team to do your jobs quickly. You probably don't put deadlocks on every bedroom in your house, as it just doesn't make sense, and you probably don't need to put firewalls on every LAN segment in your network for the same reason. Add passive detection devices such as intrusion detection systems to increase your level of security.

We covered four failures in corporate information security:

  1. Fear rather than Risk and Profit driving decisions
  2. Teams not understanding financial drivers of the "enemy"
  3. Overemphasis on Firewalls
  4. Security decisions made by the wrong team

By understanding what motivates your enemy, approaching security with risk and profit rather than fear as a driver, acting sensibly when it comes to risk mitigation and making risk decisions at the appropriate level you can both decrease risk and increase profitability.


The Financial Drivers of Security

Our last post, Top 4 Failures in Corporate Information Security, kicked off a 3 part series on security addressing some of the most common themes from our work with clients.  This post will cover the first 2 failures from our last post in greater detail.  The first section will focus on why financial concerns, and not fear, should drive your security decisions.  The last section focuses on the financial motivations of potential thieves and the ramifications to your security architecture and design.

Focus on Finance (or profits) and not Fear

Has your security team (or have you) ever presented a project justification that something has to be done “or else we will be horribly exposed?”  Or maybe the proposal was worded such that the project must be done or you risk “irreparably tarnishing our brand”.  Or how about “Our front doors are basically wide open, nearly anyone can walk in and take whatever they’d like”.  The problem with all of these statements is that not only are they difficult to prove or disprove, they are positioned to elicit a fear response for the purposes of attaining a goal.  How does one quantify fear and evaluate it against other business initiatives?  Our position is that one can’t and that one shouldn’t.

Our jobs as managers and executives are to make sound business decisions that maximize shareholder wealth.  The appropriate management of risk is an example of such a decision.  We spend money on risk management initiatives to offset potential future losses associated with the realization of that risk.  We might invest in fraud detection systems for instance to reduce future potential losses.  In doing so we pay the expense and capital of putting such a system in place, and potentially lose some revenue through the “false positive” identification of fraud within our revenue stream in order to significantly reduce the amount of real fraud going on within our systems.  Similarly, we might decide to put firewalls in certain places to reduce the probability of a penetration and associated brand damage at the expense of the labor to put those firewalls in place, the capital to purchase the firewalls, and the decrease in availability and scalability those firewalls might present.  Those firewalls also might slow our time to market for certain initiatives or increase the cost of those initiatives by adding steps in order to put new rules in place for new applications, etc.

On a project level, the point at which we should stop adjusting risk in any given area is the point at which the incremental cost of the risk adjustment effort exceeds its incremental value. On a portfolio level, the cost and value of the risk adjustment above should be compared to all other capital and effort based projects. Just because a project has a return doesn't mean it is the best use of our time and resources. So, if we add a $10M fraud system that is only likely to return $8M in total benefits over 3 years, have we made the right decision? What if it returns $10M in 3 years? The point here is that the initiative should be couched in business terms and compared appropriately against other business initiatives in terms of its financial benefit. Don't let fear motivate your decisions.

Bad Guys Like to Make Money Too

Sun Tzu is attributed with saying "If you know both yourself and your enemy, you can win a hundred battles without a single loss." How well do you know your enemy? While some of your enemies are out to brag about their accomplishments, a majority of your enemies are out to make money. The people who perpetrate technology crimes are generally skilled and intelligent (though morally bereft) people who see the perceived benefit of stealing your data as being significantly greater than the perceived cost. It is this equation that we are going to address in this section.

In our equation Perceived Benefit (PB) > Perceived Cost (PC) the word “perceived” is very important.  We need elements in our security architecture that decrease the perceived benefit of a potential security breach.  This might be one-way encryption of sensitive data such that it can’t be used by someone stealing it, or it might be hiding our data and valuables so that “passers-by” don’t ever perceive any value in attacking you.  Maybe you can develop marking technologies for your data or “beacons” such that the data can be tracked if used.

Elements of perceived cost include the perceived cost of obtaining the data and the perceived cost of getting caught. This implies that not everything needs to have the same "actual" cost of protection, as it makes little sense to spend money protecting something that has little perceived value. The perceived cost of getting caught is at least partially influenced by your track record of catching would-be thieves, as well as how well you publicize your successes. If I am choosing between attacking site A and site B, each of them equivalently physically protected and of equivalent value to me, I will likely choose the site that appears to me to be the least likely to catch or prosecute me.

In our next post, we will discuss who should make security decisions and why firewalls aren’t always a good thing.


Principles of War as Applied to Business Leadership – Part 2

This is the second of our two-part post on the Principles of War and our interpretation of them relative to the business world. The 9 US Principles of War (derived from von Clausewitz's essay "Principles of War" and his book "On War") are Objective, Offensive, Mass, Economy of Force, Maneuver, Unity of Command, Security, Surprise and Simplicity. We will discuss the last four of these in this post.

Unity of Command. The US Armed Forces definition is that for each objective there should be a single owner or commander, and that the forces necessary to achieve that objective should be placed under the authority of that commander. In the business world, this does not mean that you should slice your technology, client services and product teams into separate groups under each general manager or objective owner. Rather, it means that the person responsible for achieving some business objective should have the authority to direct the resources necessary to achieve that goal. These resources could be set up in project teams that respond to the needs of the objective owner, or they could be "dotted lined" to the individual. The key here is that for any objective there should be a clearly defined and empowered owner of the objective.

Security. Security enhances freedom of action by reducing vulnerability to hostile acts, influence or surprise. While you may jump immediately to "information and technology security" implemented as policies within firewalls and such, we believe this has a much broader meaning. Portions of this principle speak to your actions and efforts to get early warning of competitive threats – not just the threats posed by hackers and the like. What are you doing in an ethical fashion to find out how your competitors are responding to your actions? How do you monitor the strategies and products of your competitors? How well do you know your competition?

Surprise. Strike the enemy at a time or place or in a manner for which he (or she) is unprepared. This principle is the hardest to achieve within the business world, but it can have incredible results when it is in fact achieved. Surprise is achieved when a struggling computer company releases a portable personal music device, as Apple did with the iPod. Sony, the creator of the portable music device phenomenon, was taken completely by surprise and had previously never even considered Apple a competitor. Surprise, therefore, does not have to be a principle you apply to those you currently consider to be your competitors – it can be applied to markets tangent to the ones in which you currently operate. Surprise can also manifest itself as a change in approach, such as Nintendo's approach with the Wii. While Microsoft and Sony focused on more complex graphics and processors, Nintendo took the surprise approach of using less sophisticated graphics and processing power (thereby offering a lower initial price) and focused their approach on a revolutionary game controller (the Wii Nunchuk and motion system).

Simplicity.  Prepare clean, uncomplicated plans and concise instructions that ensure thorough understanding.   This is perhaps the most easily understood within the business context of all the principles of war.  Simply stated, you need to make sure your plans, orders, and objectives are understood by all parties and are unambiguous.

Summarizing the nine principles from our two posts leaves us with 9 Principles of Business, in a slightly restated fashion:

  1. Create Clearly Defined Aggressive But Achievable Goals (Objective)
  2. Be First to Market and Aggressive in Your Implementation (Offensive)
  3. Align Your Company's Organizations with Your Objectives (Mass)
  4. Employ Your Teams and Organizations in Accordance with Their Capabilities (Economy of Force)
  5. Maintain Business Flexibility but Do Not Oscillate Constantly (Maneuver)
  6. Clearly Define Ownership of Objectives and Empower those Individuals (Unity of Command)
  7. Sense and Respond to your Competition (Security)
  8. Surprise your competition with your timing or approach (Surprise)
  9. Constantly Communicate and Simplify Your Plans (Simplicity)
