Wednesday, November 21, 2018

Note to Self - Communication is Vital

Someone on the team recently told me, in a huff, “…just let me do my job!…”  Which made me think: what is the disconnect here?  What am I doing that is frustrating this person?  A wise person once told me that if there is a problem between two people, the problem is half mine.  I take that to heart.

We all have “…a job…” to do, no doubt.  But, do we all agree on what doing that job means?  Are we all in agreement that the job we are doing is the correct one for where we are now and in the future? 

As we go into the long holiday weekend, I’d like each of you to think about what you think YOUR job is, and send your thoughts to me so I can better understand where your motivations are coming from on a day-to-day basis.  This is truly just me, asking you to let me know you better.  No hidden agenda.

It’s no secret that we are under a new contract with CoSD, and that the new contract is quite different from the old one.  I am at the County Admin Center all day, one day a week, and the single most prevalent comment I hear when talking to the GITMs, CTO office staff and others is, “…when will the Perspecta team deliver according to the new contract?…”.  Rightly or wrongly, the customer's perception is that we, as their business partner, are stuck in the past and not embracing the future.  Perception has a way of being accepted as “…fact…” if you don’t talk about it and level set.  Human beings are social; communication is key.  Real communication, not just waiting for your turn to talk.

This is how I lead an organization:

I have three guideposts I use as a leader:  (1.) “The Absolutes of Leadership”, by Philip Crosby; (2.) “Traction: Get a Grip on Your Business”, by Gino Wickman; (3.) “Structuring the Chief Information Security Officer Organization”, by Carnegie Mellon University.

One is about leading people.  One is about ensuring that your business is effective and perceived as a valuable resource to the larger business enterprise.  One is about ensuring that you have an effective, business driven, Security, Compliance, Audit and Risk [SCAR] Organization.

If you are scratching your head wondering why things are changing (sorry, we are not done changing), you are free to pick up a copy and read any of these.  If you’re interested, let me know and I’ll send you a copy of any of these.  If you want my job one day, I strongly suggest you read and embrace all three.

Just so you know, this is what I KNOW my job is:

Priority One:  To Develop Enterprise Security, Compliance, Audit and Risk [SCAR] Programs that drive business value.  I will empower each of you to lead a Program, with all that entails.  The work we do MUST have a business driver or we are working against the Perspecta Contract. 

Priority Two:  Identify, Report and Control Incidents – learn from each and continuously evolve.

Priority Three:  Monitor Business Risks and Take Preventive Measures.  Meet often, continuously follow up (not micro-manage) and drive progress.  Things need to get completed, not just drag on without success.  This contract has deliverables, and we are paid to meet them; if they are dumb or broken, WE MUST FIX THEM.  This is our responsibility.

Priority Four:  Lead, Mentor and Train Staff Members.  We have serious problems, and we need serious people to solve them.  We have some great training coming up in January 2019, if you don’t know about it, ask your Manager or ask me!

Priority Five:  Continuously and Effectively Communicate.  If you have a question about why we as a team are doing something, just ask.  I’m available every Monday from 08:30 ~ 09:30 AM PST for talking to anyone on the team about just about anything.  If the customer has questions, count to ten, then answer their question or set an expectation for when you will get back to them.  Never sugarcoat problems, never embellish facts, never shade the truth.

Priority Six:  Drive tasks to completion.  Success is all that matters in business.  Things that get measured get done.  In ten years, I want to be knee deep in contract renewal negotiations because we have WOW'd the customer, continuously.  If you can't see yourself there, with me, we need to discuss the nature of our relationship.

I look forward to reading your job descriptions, getting to know each of you better and understanding how your unique skills and talents fit into our changing team, while working with you to mold our current team into a more effective team that the customer perceives as “…getting it…” and driving continuous improvement.

Thursday, September 27, 2018

...don't let your residual risk manage you!...

How is your Business managing "residual risk"?

We've all dealt with "fast tracked" projects: things are prioritized by the business (rightfully so), and the downside is that there is always residual risk to manage.

We use OMB 02-01 to develop a "Plan of Action and Milestones" that allows us to time-box and ensure accountability, as well as give key executives a window into ongoing risk mitigations.

How does your team manage and mitigate residual risk? Residual Risk is a fact of doing business, just don't let it fall between the cracks and come back to haunt you.

Great article on residual risk

Monday, September 24, 2018

...making a more significant contribution to business success...

Work Smarter not Harder? Is this meaningless or meaningful? How can adopting this work ethic make a measurable, statistically significant contribution to the business of Security, Compliance, Risk and Audit?

When you learn to "Do Less, Then Obsess!", going all in with fanatical attention to detail and dedicating every ounce of effort to the things that truly matter at the end of the day, always seeking perfection, you'll notice new heights of personal job satisfaction as well.

It's a fact that top performers can and will concentrate on fewer things, but obsess more about them. 

The key to success is working with your leadership team to enable them to validate that the results are significantly more valuable than sheer quantity of mediocre work product. Remember that "value metrics" that accurately measure benefit to the customer are infinitely more relevant than internal metrics that we create.

Dr. Morten Hansen shares his seven work smarter practices to help us all excel.

Perform Better

Wednesday, September 19, 2018

...work the CIS top 20 like a BOSS!...

There is no Information Security "labor shortage"; there is a lack of understanding of the challenges and of a level-headed, business-driven laser focus on success.

OWASP, OASIS, NIST, CIS, SANS, ITIL, COBIT,...these are our role models, our mentors, our "Avengers", our "S.H.I.E.L.D.". 

Vendors that drive the hype cycle are just that, sales people, none of them know your challenges like you do. Identify your risks, work the list relentlessly, each and every day. Share the list with your teams, get their inputs and insights, make it a shared concern, empower them. 

For my labor dollars, I look to my IT Department for recruits; they understand Information Security and Risk, just not the lingo. My training/recruitment dollars are better spent bootstrapping internal IT Dept team members into INFOSEC...to "solve" any perceived shortage.

It's a fact, Sys Admins make great INFOSEC pros.

Next step would be to truly KNOW the current state and the desired end state, to do and measure what is truly important, not just the shiny penny of vendor-hype-driven security.

Stop playing INFOSEC Whack-a-Mole... Work the CIS top 20 like a BOSS!

Center for Internet Security

Monday, September 17, 2018

...cultural entropy...don't let it blind side you...

Resistance to change: my concept of "ENTROPY IMPACT" relates to changing behaviors in ways that potentially serve the business better.

I would summarize this as the negative impact of affected technology teams injecting passive-aggressive slow-down behavior into positive change.

Almost everything in my "things to change" list is low cost but with a high ENTROPY IMPACT quotient.

An enigma, wrapped in a conundrum.

Entropy in the Workplace

Thursday, September 6, 2018

...if it was easy, anyone could do it...

For me, I think we've all known this since NIST stood up the Computer Security Resource Center in the early 90's.

My desktop "short list of things to fix" has thirty-two major topics on it, 50% people and process, 50% web services and plain old security "POS".

The one thing they all have in common is the ROI & ENTROPY Impact: little or no cost, high risk because of internal change requirements, high ROI. If it was easy, anyone could do it.

We are all in this together.

DHS asks for YOUR help

Saturday, September 1, 2018

...ransomware or a denial of service attack...is there any difference, really?

"RansomWare", a rose by any other name...another form of the denial of service attack. Complicated but not complex. Does your "ransomware" planning encompass: Reputational Risk? SCADA System Risks? Various service/daemon/human and non-human account compromises? ID badge systems? Telephone systems with an E-Lan/VOIP component? Among the many attack vectors, these are the ones I see overlooked most frequently.

Friday, August 24, 2018

...what works for Security and Compliance Orchestration and Automation...

Real time "Security Orchestration": Apollo Moon Shot sized game changer or the next "100VG-AnyLAN" dinosaur?

Head on over to OASIS OPEN to read through their OSLC Architecture Management Proposal and review the vendor support list; it reads like the Who's Who of Silicon Valley Titans.

This is as strategic as it gets...



Friday, June 22, 2018

...drive it like you stole it!...

Friday at last!

Work hard, play harder!  Remind yourself what is truly important in life.

Give it no less than 110% each and every day.

For all of my hard working friends, family and co-workers, this is YOUR anthem.

I give you the man himself...

Big SMO!

Thursday, June 14, 2018

System Complexity is the Problem


Complexity is the antithesis of Information Security.

Hats off to Thomas Dullien for his excellent analysis of numerous aspects of supply chain, processor architecture and software security.

A compelling, easy to understand analysis.

Link to Video Lecture

Wednesday, June 13, 2018

...Government Over Reach...


The US Government "Encrypt Act"...why not?

...hmmm....That pesky 10th Amendment thing...

First step might be to gain State, Local and Federal consensus on just what "CIP" means. 

Consensus takes you a step closer to a shared risk model with a firm grounding in quantitative analysis. 

There are large state and local investments for critical infrastructure parts and pieces that pre-date Federal Govt involvement that need to be addressed.  Heavy handed "fear, uncertainty and doubt" based approaches will fall on deaf ears of knowledgeable decision makers, as well they should. 

Not to mention that the "Encrypt Act" will mandate LEO back-doors in the encryption that will be exploited instantly by the black hat cracker for hire community. 

Then we start the compromised consumer credential circus all over again.  We remember how this played out with Equifax (Teflon US Govt approved monopoly).  This will create yet another Teflon US Govt Monopoly devoid of oversight.

Some tasty "glasnost" on the Encrypt Act

Tuesday, June 12, 2018

...Maximum Effort - Leadership...


Great Leaders are not born, they get fed up with poor leadership and make a personal commitment to do better when they are put in a leadership position.

Organizations reward positive results, which are mostly focused on short term gain.  Effective Leaders focus on long and short term gains, striking a balance between personnel, customers and profits.  It's the smart play.

My top Leadership references:  "The Absolutes of Leadership", by Phil Crosby; "The Starfish and the Spider", by Rod Beckstrom; and "Leadership in the Shadows", by Kyle Lamb.  An esoteric mix I know, take a look and always remember...

A great manager is seldom a Great Leader.  In business you must, "...Lead, Follow, or get out of the way!...", so says my Lakotah Great-Grandfather.

Rod Beckstrom speaking on his excellent "starfish" book.

Friday, June 1, 2018

...setting expectations...and getting what you need...

If you want great results, learn how to set expectations with your team like a BOSS!

Clearly communicating expectations, while gaining and maintaining agreement on deliverables, is the key to a culture of individual accountability.

A team that self organizes and internalizes both individual and team accountability is unstoppable.

Success is enhanced when ambiguity is eliminated.

Thus clear communications, agreement and follow up are key success factors.

For expectations to thrive, don't underestimate the power of "time boxing" deliverables; as a matter of fact, go ahead and time box everything.  You'll be glad you did.

Some great, in-depth follow-up on "time boxing".

Tuesday, May 15, 2018

Who is "180A Consulting" and what do we do for your business?

We are a boutique Cyber Security and IT Program Management focused consulting firm with offices in Portland, OR, Austin, TX and San Diego, CA, working with clients in numerous business vertical markets.


We partner with clients to provide the following value:

We are your Cyber Security, Risk and Compliance "Second Opinion".

  • Turn around information technology organizations that have become adversarial to the business, through business re-alignment, leadership training, mentoring and facilitation, to:
    • Re-focus the IT organization on business priorities
    • Re-focus the IT organization on the four types of “work”:
      • Business-initiated IT project work
      • IT-initiated project work
      • “Keep the Lights On” [KLO] activities
      • Un-planned work
    • Break the cycle of over-promising and under-delivering
  • Evangelize to the CEO and his/her direct reports the value proposition of the “IT Program Management Office” [PMO] concept, based on the work of Mr. Satish P. Subramanian
    • Assist with planning, hiring, training and ongoing support for the CEO’s direct reports via the IT PMO, focused on creating a lean, responsive, nimble IT organization with a 100% customer service satisfaction rating for internal and external business customers
  • Analyze and recommend long-term strategies for Cyber/Information Security & Compliance program automation and integration, with a focus on:
    • Global corporation “requirements traceability” analysis and planning to manage US and international compliance framework requirements
      • Mapping regulatory, legislative and contractual obligations to policies, processes and procedures, remaking these into vibrant cost-saving and risk-mitigation strategies
      • Creating an “audit artifact” validation program that integrates business, IT, Information Security and Compliance organizations to maximize effectiveness, maximize automation, minimize costs and manage risks
    • Data Loss Prevention / Data Leakage Prevention
      • Guide CEOs, Boards of Directors and senior IT / Legal / Compliance and HR executive teams to a better understanding of Intellectual Property and Trade Secret protection risks and the mitigations of those risks
      • Facilitate and plan for long-term success while minimizing employee “blowback”
    • Risk mitigation via “best practices” analysis:
      • Quantifying risks to key business processes, and monitoring and managing those risks
      • Risk analysis and mitigation strategies
      • Risk planning strategies for BYOD systems within the corporate perimeter
      • Software licensing compliance strategy, planning and negotiations
    • API, Web Services and Micro Service security risk analysis and management
      • DEV / SEC / OPS: effective security controls analysis and implementation, using cloud and your existing SDLC methodologies as well as time-proven capabilities to:
        • Minimize your software development, QA and pipeline program risks
        • Work with software and QA team leads to reduce risk and duplication of effort
        • Implement technology "service catalogs" for development teams so they are focused on business requirements and not "security stuff"


Friday, May 11, 2018

Artificial Intelligence, Ethics and Society

Just rambling here a bit…brainstorming…

I think as an industry, we tend to overestimate the short term gain of new technologies and underestimate the long term impacts of the same.

I’m not a “shiny penny” INFOSEC practitioner, not usually an early adopter; however, when it comes to “…artificial intelligence…” I think I can see the future clearly.  From a business perspective, AI will fundamentally and in a statistically significant manner change the Information Security Game in many ways.

Today, most INFOSEC defense approaches are static.  I’m a big proponent of dynamic defense but most folks I know in the industry are not.

It’s inevitable that AI will be leveraged to tilt the playing field in ways that we can’t fathom today, but we should be giving it some thought, a lot of thought! …when AI based “Attack/Defend” battles come (they won’t be exploits, they’ll be like actual military combat), it’ll come on like a tidal wave, while we’re breathing a sigh of relief about repelling the next “WannaCry” variant…  It won’t be "prepare for breach"; it’ll be like watching two trains colliding head on, in slow motion, knowing that your family is on that train.

It will be a continuous "...relentless strike..."; the Military doesn't refer to it as the "...forward edge of the battle space..." (a.k.a. the "meat grinder") for no reason!

There will be winners, losers and survivors…Haves and never will haves, no more have nots.

We should either be actively looking for a vendor who is preparing an AI based Attack/Defend capability or passively putting feelers out.  This will be like purchasing insurance: you hope you’ll never need it, but you're eternally grateful that when you need it, you had it.

Come to think of it, why would you even trust the vendor selling you AI capabilities?  Where is the upside / profit in selling you something that will, in an autonomous manner, constantly be improving itself?  This flies in the face of each and every current technology solution provider vendor on the planet.

Just my two cents' worth.

Monday, May 7, 2018

...let the seller be honest...

Some key takeaways from the Cambridge Analytica "event"...

Cambridge bought data from Facebook, the onus is on Facebook to only sell what their customers/privacy agreements allow. 

Ask yourself, who is benefiting from this public blow-back? 

Cambridge's leadership team needs a communications capability transplant, give Rob Weinhold over at the Fallston Group a call, stat! 

Many entities are looking at what was brought to light about Cambridge as an indicator of a much larger problem/concern related to consumer data protection; that is a good thing. This is not so much a Cambridge problem as an industry problem.

Want an easy, visual sense of real-time 3rd party data sharing?  

Install "Lightbeam" in your Firefox browser, let it run and watch the 3rd party data exchanges (since 12 APR 2018 I've visited 285 sites and they've shared my data with thousands of other sites). Many of these sites I've "opted out" of data sharing, tracking, etc....but the "sharing" continues nonetheless.

Granted, no one seems to like what Cambridge (and other companies) do or are doing with our data, but when you opted in by not reading the privacy agreement, this is what you get.

Caveat Emptor -- the principle that the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made, sage advice.

Chris Wylie of Cambridge Analytica 

Thursday, May 3, 2018

...things that just plain work! Port Knocking...

Some times, something just does the job so well that you have to ask yourself, "...why change..."?

For me, the time tested methodology of "...port knocking..." is one such capability.  It just plain works!
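To show what "just plain works" actually consists of, here is the decision logic a knock daemon runs: per-source progress through a secret port sequence, a window the whole sequence must complete within, and a reset on any out-of-order port. This is example code written for this post, not knockd or any other project's code. The sequence, window and open duration are assumed values, and the packet events are constructed rather than captured; a real daemon would feed this from a packet capture of SYNs to closed ports and, on success, insert a firewall rule for that source.

```python
"""Port-knock sequence tracker: the decision logic behind a knock daemon.

Added example; not knockd or any other project's code. Packet events are
constructed inline so the logic can be exercised offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed sequence; a real deployment picks its own
KNOCK_WINDOW_SECONDS = 10.0           # the whole sequence must finish within this window
OPEN_SECONDS = 30.0                   # how long the protected port stays open afterwards


@dataclass
class KnockState:
    """Per-source progress through the sequence."""
    index: int = 0                    # next expected position in the sequence
    started: float = 0.0              # time of the first correct knock


@dataclass
class KnockDaemon:
    sequence: Tuple[int, ...] = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW_SECONDS
    open_for: float = OPEN_SECONDS
    states: Dict[str, KnockState] = field(default_factory=dict)
    opened: Dict[str, float] = field(default_factory=dict)   # src -> expiry time

    def observe(self, src: str, dst_port: int, now: float) -> bool:
        """Record one SYN to a closed port. Returns True when this packet
        completes the sequence, i.e. when a firewall rule should be added."""
        st = self.states.get(src, KnockState())
        # A partial sequence older than the window is discarded; the knock restarts.
        if st.index > 0 and now - st.started > self.window:
            st = KnockState()
        if dst_port == self.sequence[st.index]:
            if st.index == 0:
                st.started = now
            st.index += 1
        else:
            # Any unexpected port resets progress. This is why a sequential
            # port scan, which hits every port in numeric order, never opens it.
            st = KnockState()
            if dst_port == self.sequence[0]:
                st.index, st.started = 1, now
        if st.index == len(self.sequence):
            self.states.pop(src, None)
            self.opened[src] = now + self.open_for
            return True
        self.states[src] = st
        return False

    def is_open(self, src: str, now: float) -> bool:
        """Whether the protected port should currently accept connections from src."""
        expiry = self.opened.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.opened[src]          # grant has lapsed; the source must knock again
            return False
        return True


# Constructed sample traffic (not captured): (source, destination port, time).
SAMPLE_EVENTS: List[Tuple[str, int, float]] = [
    ("198.51.100.7", 7000, 90.0),   # legitimate client knocks in order ...
    ("198.51.100.7", 8000, 91.0),
    ("198.51.100.7", 9000, 92.0),   # ... and completes within the window
    ("203.0.113.9", 7000, 10.0),    # correct order but spread over 30 s: too slow
    ("203.0.113.9", 8000, 25.0),
    ("203.0.113.9", 9000, 40.0),
    ("192.0.2.44", 7000, 95.0),     # right ports, wrong order
    ("192.0.2.44", 9000, 96.0),
    ("192.0.2.44", 8000, 97.0),
]


def replay(events: List[Tuple[str, int, float]], at: float = 100.0) -> Dict[str, bool]:
    """Run the events through a daemon and report which sources are open at time `at`."""
    daemon = KnockDaemon()
    for src, port, t in events:
        daemon.observe(src, port, t)
    return {src: daemon.is_open(src, at) for src in sorted({e[0] for e in events})}


if __name__ == "__main__":
    for src, is_open in replay(SAMPLE_EVENTS).items():
        print(f"{src}: {'OPEN' if is_open else 'closed'}")
```

Two properties matter when deploying this: the window plus in-order requirement is what defeats scanners, and nothing here authenticates the source, so a sequence observed on the wire can be replayed. Port knocking keeps the service out of scan results; the service behind it still needs its own authentication (key-only SSH, for example).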

As a young soldier and most recently as an experienced business person and taxpayer, I have to ask, why does the US Air Force hate the A-10 so much?

Never has there been a better, more battle tested ground support capability at such a marvelous price point. Oh wait... ground support is not a "Top Gun" kind of thing, but it is the most essential capability on any battlefield.

Perhaps public outrage should reach the proportion of the Ground Troops Helmet controversy, championed by "Team Wendy"?   Your soldiers demand your support! 

Get on board America and give yourself a much needed tax cut!  Call your Congress person and tell them that America's finest DESERVE America's finest!

Team Wendy!

Air Force "slow rolling" to kill the A-10


...on being bought and sold like a slave...

Some key takeaways from the Cambridge Analytica "event"...

As a consumer, don't allow yourself to be misled; this is a classic "...shiny object..." media sleight of hand con.  Ask yourself, who is benefiting from this?

Cambridge bought data from Facebook, the onus is on Facebook to only sell what their customers/privacy agreements allow.

Cambridge's leadership team needs a communications transplant, give Rob Weinhold over at the Fallston Group a call, stat!

Many entities are looking at what was brought to light about Cambridge as an indicator of a much larger problem/concern related to consumer data protection, that is a good thing.

This is not so much a Cambridge problem as an industry problem. 

Install "Lightbeam" in your Firefox browser, let it run and watch the 3rd party data exchanges (since 12 APR 2018 I've visited 285 sites and they've shared my data with thousands of other sites). Many of these sites I've "opted out" of data sharing, tracking, etc....but the "sharing" continues nonetheless.

Granted, no one seems to like what Cambridge (and other companies) do or are doing, but when you opted in by not reading the privacy agreement, this is what you get.

Caveat Emptor -- the principle that the buyer alone is responsible for checking the quality and suitability of goods before a purchase is made, sage advice.
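Lightbeam shows the fan-out live in the browser. For a repeatable, offline view of the same thing (the "285 sites shared my data with thousands of other sites" observation made in this post and in the dated post above), this added example reads a HAR export of network activity saved from a browser's developer tools and reports which third-party domains were contacted from how many distinct first-party sites. The code is written for this page and is not Lightbeam's; the HAR is constructed inline with invented tracker and ad hostnames, and registrable domains are approximated as the last two labels (a real tool would consult the Public Suffix List).

```python
"""Which third parties see you across the sites you visit, from a HAR export.

Added example, not Lightbeam's code. Browser developer tools can save
network activity as a HAR (HTTP Archive) JSON file: log.pages lists the
pages visited and each log.entries item carries request.url plus a pageref
naming the page that caused the request. The HAR below is constructed.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels. This is an
    assumption of the example; for suffixes such as co.uk a real tool should
    consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def first_party_domains(har: dict) -> Dict[str, str]:
    """Map each page id to the registrable domain of the page itself."""
    pages: Dict[str, str] = {}
    for page in har["log"].get("pages", []):
        host = urlsplit(page.get("title", "")).hostname   # some browsers store the URL here
        if host:
            pages[page["id"]] = registrable_domain(host)
    for entry in har["log"]["entries"]:                   # others store the <title>, so fall
        ref = entry.get("pageref")                        # back to the page's first request
        host = urlsplit(entry["request"]["url"]).hostname
        if ref and host and ref not in pages:
            pages[ref] = registrable_domain(host)
    return pages


def third_party_map(har: dict) -> Dict[str, Set[str]]:
    """Third-party domain -> set of first-party domains whose pages requested it."""
    pages = first_party_domains(har)
    shared: Dict[str, Set[str]] = defaultdict(set)
    for entry in har["log"]["entries"]:
        first_party = pages.get(entry.get("pageref"))
        host = urlsplit(entry["request"]["url"]).hostname
        if not first_party or not host:
            continue
        requested = registrable_domain(host)
        if requested != first_party:      # a CDN under the same registrable domain is first-party
            shared[requested].add(first_party)
    return dict(shared)


def most_shared(har: dict, min_sites: int = 2) -> List[Tuple[str, int]]:
    """Third parties reached from at least min_sites distinct sites, widest reach first."""
    ranked = sorted(third_party_map(har).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(domain, len(sites)) for domain, sites in ranked if len(sites) >= min_sites]


# Constructed HAR: three page visits, each pulling in invented third parties.
SAMPLE_HAR = json.loads("""
{"log": {"version": "1.2",
  "pages": [
    {"id": "page_1", "title": "https://news.example/"},
    {"id": "page_2", "title": "https://shop.example.net/cart"},
    {"id": "page_3", "title": "Blog home"}],
  "entries": [
    {"pageref": "page_1", "request": {"url": "https://news.example/"}},
    {"pageref": "page_1", "request": {"url": "https://cdn.news.example/app.js"}},
    {"pageref": "page_1", "request": {"url": "https://pixel.tracker-a.test/p.gif?u=1"}},
    {"pageref": "page_1", "request": {"url": "https://ads.adnet-b.test/bid"}},
    {"pageref": "page_2", "request": {"url": "https://shop.example.net/cart"}},
    {"pageref": "page_2", "request": {"url": "https://pixel.tracker-a.test/p.gif?u=2"}},
    {"pageref": "page_2", "request": {"url": "https://static.shop.example.net/x.css"}},
    {"pageref": "page_3", "request": {"url": "https://blog.example.org/"}},
    {"pageref": "page_3", "request": {"url": "https://pixel.tracker-a.test/p.gif?u=3"}},
    {"pageref": "page_3", "request": {"url": "https://ads.adnet-b.test/bid"}},
    {"pageref": "page_3", "request": {"url": "https://fonts.font-c.test/f.woff2"}}
  ]}}
""")

if __name__ == "__main__":
    for domain, count in most_shared(SAMPLE_HAR):
        print(f"{domain} was contacted from {count} distinct sites")
```

Run against a real export (`json.load(open("session.har"))`), the domains that appear across most of your first-party sites are the ones building a cross-site profile, whatever opt-out you clicked on any single site.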

The Fallston Group - make the call!

Wednesday, April 25, 2018

Take care of yourself first!

Ever have those days where you just can’t seem to drum up your usual way-out-front mojo?

It’s hard to fathom in our health-aware culture, but maybe you’re suffering from a micronutrient imbalance?

Take a few minutes to listen to Dr. Rhonda Patrick discuss how our health-aware culture can inadvertently restrict your intake of valuable micronutrients and the impacts these can have on our day to day work and home lives.

Her TED Rx talk and her other materials are truly fascinating!

TED Rx Talk Series...

The XACML standard, or....what makes you a visionary?

I remember reading Forrester Research predicting in 2013 that XACML was dead...all I could say was, “I’m curious, what evidence brought you to that conclusion?”

Not hardly, some of us are visionaries...Authorization, APIs, MicroServices, RESTful service implementations, attribute based access controls, the list goes on and on and on...

OASIS and industry leaders continue to leverage XACML.

XACML 3.0x just keeps delivering.

A brief intro to XACML
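To make "attribute based access controls" concrete, here is an added example of a minimal XACML 3.0 policy decision point: it parses a small Policy and returns Permit, Deny or NotApplicable for a request context built from subject, action and resource attributes. This is code written for this page, not an OASIS or vendor implementation, and it covers only a subset of the standard (Rule targets with AnyOf/AllOf/Match, the string-equal function and the deny-overrides combining algorithm; no conditions, obligations or policy sets). The sample policy is constructed, and `urn:example:role` is an assumed application-specific attribute id; the other URNs are the XACML 3.0 core identifiers.

```python
"""Minimal XACML 3.0 policy decision point (PDP) for a subset of the standard.

Added example, not OASIS or vendor code. Supports Policy > Rule > Target >
AnyOf > AllOf > Match with string-equal, and deny-overrides combining.
The sample policy is constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:role"   # assumed application-specific attribute id, not a standard one

# Request context: category -> attribute id -> bag of string values.
Request = Dict[str, Dict[str, List[str]]]


def _match_xml(value: str, category: str, attr_id: str) -> str:
    """Build one <Match> comparing a literal to a request attribute."""
    return f"""<Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">{value}</AttributeValue>
        <AttributeDesignator Category="{category}" AttributeId="{attr_id}"
            DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>"""


# Constructed policy: clinicians may read patient records; nobody may export.
SAMPLE_POLICY = f"""<Policy xmlns="{NS['x']}" PolicyId="records" Version="1.0"
    RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="clinicians-read-records" Effect="Permit">
    <Target><AnyOf><AllOf>
      {_match_xml('clinician', SUBJECT, ROLE)}
      {_match_xml('read', ACTION, ACTION_ID)}
      {_match_xml('patient-record', RESOURCE, RESOURCE_ID)}
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="never-export" Effect="Deny">
    <Target><AnyOf><AllOf>
      {_match_xml('export', ACTION, ACTION_ID)}
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""


def _match(match: ET.Element, request: Request) -> bool:
    """string-equal against a bag: true if any value in the bag equals the literal."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    literal = match.find("x:AttributeValue", NS).text
    d = match.find("x:AttributeDesignator", NS)
    bag = request.get(d.get("Category"), {}).get(d.get("AttributeId"), [])
    return literal in bag


def _applies(target: Optional[ET.Element], request: Request) -> bool:
    """An absent or empty Target applies to every request. Otherwise the AnyOf
    elements are ANDed, the AllOf groups inside each are ORed, and the Matches
    inside each AllOf are ANDed."""
    if target is None or len(target) == 0:
        return True
    return all(
        any(all(_match(m, request) for m in allof.findall("x:Match", NS))
            for allof in anyof.findall("x:AllOf", NS))
        for anyof in target.findall("x:AnyOf", NS))


def evaluate(policy_xml: str, request: Request) -> str:
    """Return the decision for one request: Permit, Deny or NotApplicable."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    if not _applies(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = {rule.get("Effect") for rule in policy.findall("x:Rule", NS)
               if _applies(rule.find("x:Target", NS), request)}
    # deny-overrides: one applicable Deny wins over any number of Permits.
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def make_request(role: str, action: str, resource: str) -> Request:
    """Build a request context with one value per attribute."""
    return {SUBJECT: {ROLE: [role]}, ACTION: {ACTION_ID: [action]},
            RESOURCE: {RESOURCE_ID: [resource]}}


if __name__ == "__main__":
    for args in [("clinician", "read", "patient-record"),
                 ("clinician", "export", "patient-record"),
                 ("visitor", "read", "patient-record")]:
        print(args, "->", evaluate(SAMPLE_POLICY, make_request(*args)))
```

The point this makes about ABAC is that the decision is a function of attributes supplied at request time, not of a role table baked into the service; a microservice can hand the same request context to the PDP and enforce whatever it returns, which is why the standard keeps resurfacing in API and RESTful authorization designs.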