Skip to main content

Featured

What Motivates Young Cybercriminals?

In the world of cybercrimes, the majority of cybercriminals always seek financial gain, but this is not the primary motivation. Aside from the advanced sophistication of state-sponsored incidences, the young cybercriminal venturing into the dark side boils down to their ego. Adolescent criminals seek out recognition among their peers eager for a sense of success in an effort to prove themselves.

Many seek out popularity within internet hacking communities driven by a feeling of accomplishment they compromised a target. This provides them with a rush, a demeanor to develop their skills further becoming tragically involved with organized crime immersed in their addictive and dangerous sphere of influence.

Others find inadequate employment opportunities and thus are lured into the dark side to learn a skill as a matter of survival by participating in online hacking groups. They are easy prey for organized crime and state-sponsored groups to recruit indoctrinating them into …

The Politics of Information Security


As the Greek statesman, Pericles once said, “Just because you do not take an interest in politics doesn’t mean politics won’t take an interest in you.” It’ll track you down, smack you around and show you what the real world is all about. Know it and understand it so you can play along.
I will be discussing common political issues facing Information Security such as:

  1. In Denial
  2. Management Self Interest
  3. Reporting Structure
  4. The Job Market
  5. An Excerpt of a House in Disarray
Information security is exceptionally complex that it’s often done the wrong way or not done at all. To the seasoned security professional that’s some understatement, but I’m not referring to technical complexities. I’m relating to political complications like the people, power struggles, hidden agendas and related crazy nonsense that make up the average business. Politics often drives security and can primarily affect the organization’s overall risk management.

1. In Denial

The first thing that needs to be understood is that many people in the administration believe security is something that doesn’t really affect them until all hell breaks loose, like the recent breaches occurring. Sure, most projects I was engaged in with high ranking VP department heads were telling me “We don’t have anything the hackers would want” dozens of times. A common perception is that security is one of those “technical” issues that the Information Technology (IT) folks can hash out. Those famous last words that resonate off the walls we all hear, its an IT issue so let them deal with it.

How many times executives have said to you that things are under control and everything has checked out just fine? After all, the company recently passed its audit and is in compliance with government laws and industry regulations. Ask those same questions that being compliant means you are secure, not by a long shot! Ironically, many executives are often told one thing about security, or they just missed the boat entirely and misunderstand it. As current reality has indicated and the plethora of high profile breaches illustrates – it often proves otherwise that now we see their livelihoods are at stake because of this shortsightedness, I will point to the retailer Target as one example. James Champy in one of his best-selling business management publications summed up when he said:
“Many executives are insulated from reality and consequently don’t know what the hell is going on.”
The essence of security is controlling who has access to what and what they can do. Interestingly, many executives are this way when it comes to funding information security initiatives. It may not make sense, but “it’s not in the budget” usually means “it’s not on my radar and therefore it doesn’t matter.” It’s the same old adage that security does not add any value to the organization, on the contrary, it means a lot! It implies the existence of the organization from the Cybercriminals who ruthlessly and to no end steal your crown jewels. One thing is an absolute, audit and compliance are on the radar of most folks in management, so perhaps security can be addressed that way. It is to a growing number of organizations with the plethora of security frameworks such as COBIT, ISO, SAS, and NIST. In fact, audit and compliance are often the extents of information security in the business, but that approach is very short-sighted and is not sustainable.

Managing information security goes way beyond checklists and a snapshot-in-time status but is real-time. It typically requires a decently reasonable investment in things such as enhanced endpoint and mobile controls, improved Web security, patch management tools, awareness training and periodic security assessments involving ethical hacking tools and techniques. This all must be governed by security policies, government, and industry regulations. The soft side of security, which requires responsibility oversight and process tweaking is much cheaper. The labor is already there, it’s just a matter of people choosing to do the right things which happen to fall back on leadership and the culture that’s been established. Management often overlooks this low-cost element of security and focuses only on the technical costs often times persistent in doing more with less. How many times have I seen organizations hire the wrong people or promote them from within giving them glorified titles and are not equipped to handle the job?

2. Management Self Interests

Digging deeper, it’s important to understand that people have varying agendas. Turn of the century satirist and journalist Ambrose Bierce once said politics is “a strife of interests masquerading as a contest of principles. The conduct of public affairs for private advantage.” So politics is politics an art of looking for trouble, finding it everywhere, not understanding it correctly and applying the wrong solutions.

Don’t ever forget about the human ego. Some people want to be able to flex their muscles and enforce their own policies.

Others want to please the internal audit group or outside auditors. It makes it look like things are being done for the good of the business. I’ve even seen some people go through the motions of performing in-depth security assessments only to end up completely ignoring the results and recommendations. Still, others will go to great lengths to ensure that not a single dollar is spent on something that doesn’t provide any perceived value. In the end, information security is not an on/off switch that’s easily flipped just because it seems essential. It’s way more complicated. Don’t think that the complexities of information security are someone else’s issue to worry about.

3. Reporting Structure

When CISO are hired, they generally report to the CIO, and that creates conflicting interests. For example, CIO’s weight their budgetary expenditures against a Return on Investment (ROI) while the CISO weighs them against a Return on Risk (ROR), two differentiating mindsets. The CISO’s job is to establish a company’s overall approach to security and to take full responsibility for the successes and failures of policies and procedures. The chief security exec is also responsible for making sure the company’s board and CEO are aware of any technical problems.

An effective CISO must be able to present significant security expenditures to the CEO, CFO and/or to the board. It often conflicts with the capital IT expenditures the CIO wants, and significant conflicts arise when the CIO has the final say in matters and is more than not in their favor leaving the CISO without adequate funding to protect the organization. This is one prime example why the tenure of CISOs in many organizations is low lasting on average 3 years and usually jettisoned when a major breach occurs, some leave sooner seeing the writing on the walls handicapped without full financial support from top executives. What also commonly happens is rampant scapegoating where the CIO and other top exec insulate themselves from breaches holding the CISO accountable for the calamities. In other reporting structures often times the CISO is buried within an organization making security ineffective.

Information Security touches EVERY part of any organization and is a horizontal silo much like an internal audit is. The CISO must report directly to the CEO or to the board’s Audit Committee, which is the operating panel overseeing financial and compliance reporting. The CIO can easily be overridden in matters where IT operations and security operations are concerned.

Taken this a step further is Booze Allen’s corporate decision in April 2014 to flip the reporting structure so that the CIO now reports to the CISO. Although this is the reverse of what is right in most organizations, Booz Allen Hamilton “elevated the role of security function associated with information to an all-encompassing umbrella in which they consider systems operations. The nature of the company’s business requires that it demonstrates the importance of security in its operations.
In my opinion, this reverses merely the conflicts where the CISO can directly influence the CIO’s IT operation requirements. CISOs and CIOs must realize that IT and security operations are intertwined in any organization regardless of how we look upon it. The CISOs operations depend upon the IT infrastructure the CIOs provide, the data at rest, in motion and in use is within that infrastructure. The CIO and CISO must be peers and work in harmony with a common cause to provide the organizations that they work for the foundations of a reliable IT infrastructure and the security that is so vital to protect the crown jewels, its data.

4. The Job Market

Security is indeed a high growth industry, and yet I view it as two-faced even with the demands that we hear companies having a severe shortage of security talent. I am an open critique in the job market and a staunch advocate for security professionals with regards to the perils they experience. The job market I am sure many can attest is described in one word, “insane.”  Back during the Great Recession where many of us suffered hardships, I collaborated with CSO Magazine to produce an article titled:

How To Succeed in a Two-Faced IT Security Job Market.”

As quoted by me in that article: 

“George Moraetes, a Chicago-based information security executive and enterprise architect, has seen first-hand evidence in his work as a consultant that companies are trying to cut corners and give the CIO or CTO the additional task of security so new hires aren’t needed.

More CSOs and CISOs exist in the much larger companies, but go down to the small- and medium-level businesses and you see them giving people two hats. The CIO ends up being the security guy. I’ve recently talked to one CTO who is having to double as security administrator and he hates it!”


Reflecting back then to what is happening now I see it where companies want to hire a CISO or director with little to no staff having them be the hands-on engineer to writing up policies to set up a security department. An all-inclusive one-man show deal never minds the inadequate compensation levels. I see that in many job postings, for example:

Interim CISO / Security Director needed for 3 to 6 months.
Must be experienced in retail or wholesale distribution, have some merger and acquisition experience, and be familiar with a transitioning culture. The technical experience should include network security and an understanding of SIEM (Security Information Event Management).

Requirements:
    Hands on with Palo Alto, MdAfee Web Gateway
    Interim CISO / Security Director needed for 3 to 6 months.
    Must be experienced in retail or wholesale distribution, have some merger and acquisition experience, and be familiar with a transitioning culture. The technical experience should include network security and an understanding of SIEM (Security Information Event Management).
    perva Gateway
    Experienced in building security programs
    Network Security assessment and Architecture
    SIEM (Security Information Event Management)

    In yet another case and this one is laughable and verified from other security executive colleagues is this healthcare organization that wants to train one of their individuals who has little to no security background nor certifications to be prepared as a CISO in 6 months. Somebody needs to give this healthcare organization a healthy dose of a reality check as it takes years to acquire the expertise and management polish, only then have the metal necessary to evolve into a CISO. Note the last qualification:

    The Position:
    Provide interim CISO services to a healthcare provider organization. Assist in mentoring candidate CISO from customer’s organization toward assuming role and CISSP certifications at our client site in Boca Raton, Florida.

    Primary Responsibilities:
    Provide interim security program oversight and security certification mentoring for one individual specified by Customer (the “ISSO Candidate”) at Customer’s location

    Interim Security Program Oversight. This will include:

    Make recommendations for improvements based on observations and activities
    ISSO Candidate Mentoring. This will include:

    Provide mentoring in both ISSO responsibilities and Security Certification(s) requirements and processes to the ISSO candidate
    Regular progress reporting to the CIO or her designee During the initial month of the agreement, the Consultant will provide these services on-site resource for five days per week. For subsequent periods, the Consultant can, at the sole discretion of the Customer, perform services remotely to reduce travel and living expenses.

    Regular Mentoring Meetings The Consultant will schedule regular meetings with the ISSO Candidate to provide mentoring as noted above. Progress Reports The Consultant will provide regular written reports
    Acting as Customer’s ISSO, as required by Customer’s Security Program
    Acting as mentor, to the CIO or her designee on progress of the ISSO Candidate toward certification.

    The completion of this project is dependent on certain activities and information which will be required of Customer’s IT team The activities contemplated in this proposal assume timely availability of information and staff, and completion of activities assigned to Customer’s team members (including the ISSO Candidate). Deliverables: The deliverables for this engagement will consist of:

    A report of the review of Customer’s security program, Attendance at all applicable meetings, including those required by Customer’s security program, Regular reports as required by Customer’s security program, Regular reports to Customer’s CIO (or her designee) on progress of the ISSO Candidate toward certification

    Qualifications:
    Provide interim CISO services to a healthcare provider organization
    Assist in mentoring candidate CISO from customer’s organization toward assuming role and CISSP certifications

    We hear organizations screaming they need security professionals and a vast shortage exists in the job marketplace. They must be blind or ignore the fact the talent is all around them. As one respected CISO in the industry stated: 

    “We don’t have a shortage of talent, what we have is a shortage of information security professionals willing to work for peanuts!”

    I will paraphrase that further as illustrated from the job posting above by saying: 

    “Some organizations want the wisdom of a 50 year old, with the experience of a 40 year old, having the youth of a 30 year old all at the price of a 20 year old.”

    5. Excerpt of a House in Disarray

    The Cybercriminals and military adversaries know this as I have known many CISOs and CIOs in industry. What I am about to reflect is one voice of many working in a county government setting in the United States. His comment to me resonates clearly to the corruption and political turmoil so many of us experience. This phenomenon exists worldwide in both government and in private industry, should be of no surprise. His voice along with others will be one of several foundations why we are experiencing the massive and systemic breaches costing billions of dollars to defend against. In my next article, I will elaborate on why a house divided cannot stand in a war against the Cybercriminal. And I quote from his own words: 

    I went to work for the county of “Shangri-La” 6 years ago. In reality, I already made what I wanted in life as a career . I worked with a lot of government agencies as a consultant and thought nice place to work in my final days prior to retirement. My miss calculation was as a consultant you go in get job done no politics. This job as enterprise security director as been horrible. has been the worse experience of my life. In my 6 years we have been though 4 CIO’s, 2 CTO’s, 1 sorta of a CISO. Every decision is all about politics. We get going on a direction and all strategy changes. NO upper support at the Agency’s IT staff can so what ever they want, No policies in place, no standards. If someone tries to speak out you become a target and will be gone. I work endless hours of no pay overtime. The last 8 months I have been CISO and still had to run the operations security, ESI, audits, etc.. I ask to step down as CISO and they would not let me. I’m now on admin leave as I finally spoke up. Make me sick to give so much of your life and no one cares . Every where I have worked in the past I was respected. The government work is just all polices, no care of anything else and no support to change. Half the upper C-level is all under investigations, to which I had to gather discovery items. I suspect one day we will be reading of a large breach. We have several close calls. We have now also outsourced all IT go include security. I have been assisting the integration of it all. All I see is less security and more cost.

    Politics is one of those unfortunate realities in life, the power to influence others to serve their own agenda, not for the good of the whole. In this article, we discussed five key areas that loom big for Information Security, organizations that are in a state of denial – to the self-interests of management – to the reporting structure of a CISO – to the insane world of the job market. But most profound is the untold damage it does to organizations, the words from a fellow CISO and a perfect example of why politics causes significant issues in security.

    Information security professionals from the seasoned executives to the entry-level people have to learn to play and adapt to the politics in the workplace. To be successful and many times that is easier said than done is to view the environment holistically benefiting the whole.