Yesterday (May 9^th), I was honored in just such a way. I was afforded the opportunity to speak at the 7^th annual Secure360 Conference. The conference attracts 1000+ information security professionals each year, and it’s held at the St. Paul RiverCentre (a great place to speak and attend a conference).

The topic of my presentation was “Ten Information Security Principles to Live (or Die) By” and it’s based on FRSecure’s governing principles that guide our everyday work. The conference was very well attended, and my presentation seemed to be well received.

An online copy of my presentation slides can be found here:

Ten Information Security Principles to Live (or Die) By

Overall, it was a wonderful experience and opportunity. I caught up with some old friends, made some new ones, and hopefully made a small positive change for our industry. I’m looking forward to next year, and hopefully another opportunity to preach!

We all have a set of principles, or fundamental truths that guide us in our day-to-day lives. Some base principles on faith; some base principles on what they’ve been taught and for some of it’s a combination of influences and experiences.

For those of you who don’t know FRSecure, we’re an information security consulting company. We strive to be the best at what we do, and we’re passionate about it! Four years ago, soon after we started this company, we defined our principles (or fundamental truths) to guide and govern our approach to information security.

This article is the first in a series of articles where we’ll dissect each of these principles and explain what we mean.

FRSecure’s Ten Information Security Truths

#1 – A business is in business to make money

Information security must align with business objectives.

#2 – Information Security is a business issue

Information security is NOT an IT issue.

#3 – Information Security is fun

That’s right, we said “FUN”!

#4 – People are the biggest risk

Not technology.

#5 – “Compliant” and “secure” are different

We shouldn’t confuse the two.

#6 – There is no common sense in Information Security

If there were, we would have better information security.

#7 – “Secure” is relative

One of many reasons for ongoing measurements and comparisons.

#8 – Information Security should drive business

Identify and focus on information security benefits. Information security shouldn’t just be a cost-center.

#9 – Information Security is not one size fits all

No two businesses are the same.

#10 – There is no “easy button”

So stop looking for one.

There you have it. We use these principles to keep us grounded and to guide us in our approach to our customer’s challenges. Over the course of the next few months, we’ll take each one of these principles and break it down.

What are your principles in life? In business? Have you written them down?

I have been blessed with the privilege to work in this industry (information security) with passion for a long time. I am blessed with leading a dynamic information security consulting company alongside a group of great people, and we’re growing by an astounding rate! Life is good, right? For me and our customers, the answer is yes. I can’t help but think how can we make things better?

A dear friend of mine stopped and talked with me this week, and what he said really resonated. He asked me why we tend to point out the negative things about information security so much. Why do we seem to stress what people are doing wrong, and how things don’t work?

Why ARE we so focused on the negative? Things like:

• Information security is NOT an IT issue,
• Compliance is NOT information security, and;
• There is no “easy button” in information security

These are three of our core principles by the way. ;)

Part of it is the nature of what we do. Often, we are paid by our customers to find, quantify, and fix information security problems (vulnerabilities). This means that we point out what our customers are doing wrong so that we can help them do what’s right. Fine, but can we also find, quantify and communicate the things they do right?

Just this past week, I met with 27 customers and prospective customers. Don’t you think I can find a few things that they are doing right and rave about that? Let’s give this a try…

On Monday, I met with a customer who leads a small start-up company that markets their product to large regulated companies. We’ve been engaged by them to develop an information security program that will serve them well as they grow, and satisfy their large corporate customers. What are they doing right?

• They are building information security into their culture at an early stage. This is so much better than trying to “tack on” security after significant growth.
• They are satisfying their customer’s information security requirements now. They aren’t trying to get by and truly want to do the right things out of the gate.
• They are learning how information security can benefit their business. Information security built into this stage of their company will help differentiate them from their competitors (when and if they encounter them).

We are privileged to be working with these guys!

On Tuesday, I met with a prospective customer who manages information security for a large utility company. We discussed what they’ve been doing with information security and some of the challenges that they face in their environment. What are they doing right?

• They employ a dedicated and well-trained information security officer. Judging from our discussion, he knows how to get things done and what he wants to do.
• They have buy-in from C-level management. How awesome is this?!
• They have a good plan. Strategic information security planning is a specialized skill, and integral to success.

On Wednesday, I met with a bunch of hospitals and a prospective customer who manages information security for a pretty good sized regional bank. The discussions were invaluable. Among the highlights:

• Information security awareness is at an all-time high in healthcare. People are exploring their responsibilities and ways to make things better. I love it! They’re asking great questions, and the dialogue is beneficial for all.
• The regional bank representatives openly discussed challenges with vendor risk management. They understand (and embrace) their responsibilities for protecting the information they share with their vendors.
• Resources are being slated for and dedicated to information security. An information security budget?! People are not just talking, but they’re acting!

On Thursday, I met with a few more hospitals. Check this out! Hospital CEOs actively participated in our meetings, and we had fantastic dialogue. I even had somebody at one of these meetings tell me that they think working with us will be “fun”! Can information security really be “fun”? Heck yeah it can!

On Friday, I met with another hospital, two lawyers, and a software development company.

• The hospital has engaged us to help write better information security policy. They get the importance of good information security policies and how they will drive all of their information security efforts.
• One lawyer leads a pretty good sized firm, and we finished an information security building project with him. He now has a great start towards integrating information security into his firm’s day-to-day practices and some protection against the demands of his customers.

It was a great week, and we saw many things that people are doing right! More people are doing the right things than ever before, and I think it will only get easier to focus more on the good and less on the bad as time goes on.

These are good times to be an information security professional!

-Evan Francen, FRSecure President

We want to thank Medi-Sota and the participants from their member hospitals for having us out! It was well worth it!

The four motivations are:

• Everybody else is doing it
• We’ve been forced
• Reaction to an adverse event (breach)
• We understand the importance

Everybody Else is Doing It

We all have a herd mentality to some extent. We watch what other people are wearing, we pay attention to the cars other people are driving, and we emulate those people we admire. The tendency is to take this same herd mentality into the area of information security. We compare what we’re doing with what other organizations in our industry are doing. There are some real pitfalls in following this logic:

• If other organizations are doing the wrong things, so are you. – If your peer organizations are unwisely spending on information security, so you will likely be.
• You are in competition, aren’t you? – It makes better sense to set yourself apart from, and do things better than your competition.
• Your organization is different from theirs. – You employ different people. You employ different processes. You’re located in a different town. You use different technologies. Why would we expect your information security controls to be the same as theirs, and still be effective?

Effective information security requires leadership, and good leaders don’t follow the herd.

We’ve Been Forced

Being forced to do things is more painful than doing things on your own. Nobody knows how to run your business better than you do. How would it feel to have somebody else told forced you to secure your business in a manner that doesn’t fit your business? Some of the factors that lead to you being forced into securing information (their way):

• Customers – Customers want to know how you’re protecting their information, and they demand certain controls. Often times, they don’t even know what controls they’re asking you for or why. It doesn’t matter; you have to comply if you want their business. Can you ask the right questions to determine what your customers really want regarding information security? Can you translate what their asking for into whats best for you?
• Regulators – This is a can of worms, isn’t it? Can you predict what your examiner or regulator will ask you for in your next review? Whatever they tell you to do, you do, but do you have to? If you can justify the risk in your business operations, or if you have mitigating controls in place that address the control they ask about, will this work? At the end of the day, yes. The trick is managing risk. If you always did what the examiner or regulator told you to do, how costly and ineffective would that be?
• Others in your industry – There may be (and probably are) competitors in your industry who do a better job of managing information security than you do. They don’t follow the herd. They use information security efficiently and use it as a market differentiator. Eventually, you will be forced to play catch-up. Catch-up means lost money.

Reaction to an Adverse Event (Breach)

Have you ever let something go only to have it nip you in the bud later on? Later on have you wondered why you didn’t listen to that little voice in your head that told you to do the right thing in the first place? These are the common types of questions people ask themselves (or others) after a breach is discovered. Why didn’t we take care of this before the breach occurred? Some reasons why it’s not a good idea to wait for a breach to happen:

• Prevention vs. Reaction – Most breaches could have been easily prevented with basic protections.  According to one study from a well-respected source, the cost of responding to a breach (reactive) is seven times more costly than preventing the same breach.  It makes good business sense to have basic protections in place.
  
• Reputation – Executives don’t want to be on the cover of the business section for a breach.  The cost of lost trust and lost customers is hard to quantify exactly, but we know it’s not good.  Businesses work hard to establish and protect their reputation.
• People overreact – The tendency is to make extra sure that this kind of thing doesn’t ever happen again.  No matter what!  This kind of reaction clouds judgment and leads to poor information security decisions.
  
• We have little or no defense – What would your defense be if your organization experienced a breach for which there was a likelihood of civil (or in rare cases criminal) litigation?  It’s hard to claim you didn’t know any better when you read or hear about data breaches almost every day in the news.
  

Complacency is an enemy of information security. If for some reason you think that you are the exception, let me tell you the truth. You are a PERFECT target for an attacker. They just haven’t found you yet.

We Understand the Importance

In case you haven’t guessed already, this is the only motivation of the four that is legit. Information security has its place in EVERY ORGANIZATION; the questions are how much and where. Well designed and managed information security provides real value to an organization. Not only can its proper application be used to protect a business (i.e. prevent a breach), its proper application can help a business be more efficient and stronger in the marketplace. As time passes, the importance of information security will only increase. Don’t you think it’s a good time to formally address information security in your organization NOW?

About FRSecure

Would you like to know more about FRSecure and how we can help businesses like yours?

• Information security resolutions for the new year
• CISSP Training Program
• What we do

January Newsletter

It’s the time of year for New Year’s resolutions. Certainly, we all have areas in which we want to improve. How about areas of your business? One area of business where there is often plenty of room for improvement is information security. When managed effectively, information security can be a tremendous value to any organization.

So, why not make a business New Year’s resolution for information security improvement and stick to it?

Information Security Improvement

It doesn’t matter if you’re a large enterprise with millions of dollars in your information security budget, or if you’re a two-employee company with no budget; there is always room for improvement. What are some areas where you should improve your information security this year?

Some areas of improvement to consider:

• Policies – Policies provide the rules and boundaries to your information security efforts, and are critical to success. Don’t assume that everyone knows what they should do to protect your critical information, state it plainly in policy.
• Training & Awareness – Technology isn’t the most significant risk to your information, its people. The people you trust the most are the very same people who can do the most damage; often times accidentally.
• Assessment – Take the time to understand what your risks are before spending thousands of dollars to remediate them. Approaching risks blindly is ineffective and costly. How well do you build something without first determining what you will build, where and with what?
• Mobile Device Management – The past few years have brought an explosion in mobile device usage, and the amount of information leaving the office in employee pockets might scare you. Understand this risk, and do something about it.
• Incident Management – You’ve heard the old saying “it’s not a matter of if, but when”. Be prepared for an information security incident. A poor response can cost more the original incident itself.

Take a look at your organization and come up with a list of four or five information security improvements that fit you best.

Stick to It

Once you have identified some areas of information security that you should (will) improve upon in 2012, resolve to stick to it!

According to statistics, only 20% of people who set out with a New Year’s resolution actually stick to it. Don’t let information security fall victim to these same statistics. Turn your New Year’s resolution into yearlong results by implementing these simple principles:

• Commit – Just like anything worthwhile, information security requires a commitment and it requires a commitment from the top. Company executives must be familiar with their roles and responsibilities in respect to information security, and set the standards.
• Document – Documentation provides direction, reference, and proof. Direction for everyone to get on the same page, reference for measurement and enforcement, and proof of due care and due diligence. For some; if it’s not documented, it doesn’t exist.
• Measure – Measure how well you are doing in what you set out to do. If you wanted to lose weight, wouldn’t you check the scale every once in a while?
• Review – As your organization changes, so should your efforts to protect the information your organization relies on. Things that are not regularly reviewed and updated and bound to die and fail.

So, look around and be honest with yourself. Do you have areas of information security that need to improve? Make 2012 a year that you resolve to do just that!

Evan Francen is the president of FRSecure, a full-service information security consulting firm. FRSecure has helped hundreds of organizations by providing cost-effective strategies and solutions to secure today’s challenging business environment. For more information about FRSecure or FRSecure’s services, visit www.frsecure.com.

Led by Evan Francen, FRSecure President and 20 year Information Security veteran, our training program is designed to not only help you prepare for the exam, but give you real world experience that you can put to use in your organization.

Our last class went 5 for 5 passing the exam on their first try!

If you are contemplating getting your CISSP certification, or if you have information security responsibilities, this class is for you.

Click here for more information or to register.

Recently, Guy Bauer from Chicago’s FM News 101.1 did a story about the United States’ response to cyberwarfare.  In the interview, Guy asks FRSecure’s Evan Francen some questions.

From the interview; “In a report to Congress the Pentagon says, when needed they will respond to hostile attacks in cyberspace as they would to any other threat on our country.  Evan Francen owns an information security company and says cyberwarfare is nothing new…”

Click below and listen to Version 1 of the interview:

In this second version, there were no “Russian hackers”, but oh well.  We didn’t tell him that there were.

Click below and listen to Version 2 of the interview:

Cyberwarfare is not a topic that we discuss much with our clients, mainly because it isn’t directly relevant to your business.  It’s an intriguing topic that we always open to discuss, but we’d rather discuss the things that are going to help you!

Want to know more about FRSecure, read about us!

Subscribe to the FRSecure Blog by Email, or by using our RSS feed.