Posted by John Verry on Mon, Mar 16, 2009 @ 12:04 PM
It has been said “When it comes to achieving excellence, figuring out what needs to be done isn’t nearly as difficult as continuing to do what needs to be done over the long term.” A recent internal project illustrated this adage all too well.
As we continuously seek to improve the level of excellence of our professional services delivery, a friend suggested we review “Six Disciplines for Excellence” (a system intended to ensure that an organization diligently executes on a well-formed strategy). In reviewing the methodology, and considering its potential role in our services delivery function, it occurred to me that the methodology was also highly applicable to managing an Information Security Management System.
The system has Six Disciplines that are applied in a linear and continual cycle:
- Decide What’s Important - Understand what your long term vision is and what your short term priorities are
- Set Goals That Lead - Identify the initiatives and projects necessary to achieve your priorities and vision
- Align Systems - Ensure the processes, policies, technologies, metrics, and people are aligned with your priorities and vision
- Work the Plan - Execute on your priorities and vision
- Innovate Purposefully - Learn and grow during the process
- Step back - Based on internal change, external changes, and lessons learned, revisit your performance. Now start over …
In thinking about how well we performed in each of these areas, I graded us as follows:
- Decide What’s Important - B+ (We have a bunch of smart people that understand what we do — if we didn’t get myopic on occasion this would be an A)
- Set Goals That Lead - B (We usually identify required initiatives — but sometimes don’t flesh them out enough to ensure they will be realized)
- Align Systems - D (This requires time and we are usually busy enough that this often takes a back seat)
- Work the Plan - C (We have a bunch of people that work hard — unfortunately we sometimes need to “work-around” misaligned processes, technologies, etc.)
- Innovate Purposefully - B (Smart people innovate — unfortunately the lack of alignment means we’re innovating fixes to underlying problems instead of addressing underlying problems)
- Step back - A (Last year we implemented a program to “close loop” our service delivery process to make sure feedback is captured and flaws are identified.)
Interestingly, I believe these grades closely match those we see during information security assessments. Most entities would get very good grades for Steps 1, 2, and 6 (strategy), largely because they usually have smart people. They would get good grades for Steps 4 & 5 because they usually have people that work hard and will find a way to get the job done – despite obstacles.
I think the breakdown we most typically see is in bridging the gap between strategy and execution and making sure that the critical processes, technologies, and personnel are in place to realize the strategy.
Hopefully our efforts to address our “excellence donut” (the hole in the middle of our systematic approach) will yield insights that we can share with our clients…
Posted by John Verry on Wed, Mar 04, 2009 @ 03:25 PM
I recently read an interesting statistic – only 85 US companies have achieved ISO27001 Certification. Putting this info into perspective, over 3,000 companies in Japan have been certified. What’s more interesting is that we (Pivot Point Security) currently have four ISO27001 related projects on the schedule, where last year at this time, we had zero. Assuming our competitors are seeing similar interest, it appears as though we are on the verge of a real “break-out” for 27001 here in the US.
If you haven’t looked at 27001 – it’s not just a refresh of ISO 17799 (a popular misconception). Actually, in a sense it’s a “precursor” to 17799 (which is now referred to as 27002) in that it establishes an Information Security Management System (ISMS) that drives an organization’s security efforts. I referred to it as a precursor because the initial stages of the ISMS produce an understanding of information risk that supports the determination of the controls in 27002 that need to be implemented in order to mitigate the risk to an acceptable level.
ISO 27001’s ISMS is an “approach” to information security that emphasizes:
- understanding an organization’s information security requirements and the need to establish policy and objectives for information security;
- implementing and operating controls to manage an organization’s information security risks in the context of the organization’s overall business risks;
- monitoring and reviewing the performance and effectiveness of the ISMS; and
- continual improvement based on objective measurement.
I think 27001 is poised for significant growth because of the growing need for third party attestation. Increasingly it’s not enough to be secure – we need to be able to “prove it” to a business partner, regulating body, shareholder, or investor. There have been many (largely failed) approaches (e.g., SysTrust) to third party attestation – but none have achieved critical mass. Sadly, the notable exception is a SAS 70, which many entities look at as a good form of attestation. Unfortunately, they fail to understand what a Type II Service Auditors’ report really contains and what their obligations as the recipient are upon receiving it. Too often this results in a false sense of assurance. In a previous engagement it took us 7 minutes to compromise a banking application and move (we actually didn’t — but could have!) $500M to an offshore account. The client was shocked as they had a “clean SAS 70” relating to the company/application (the root/admin password on all servers was the name of the company).
ISO 27001 certification is not without its failings:
- It focuses on certifying the “process” by which you determine which controls should be in place – not that the controls actually are in place.
- Without some level of substantive testing to validate that the technical controls are operating as intended – it can lead to a false sense of security.
- It fails to provide controls guidance for Applications – a major source of risk.
On the “plus side”, however:
- It focuses on the “process” by which you determine which controls should be in place (yes, I know, this was on the ‘failings’ list). In theory, if you have a process and you follow it, then the result the process intends should be achieved. We have often found an environment to be secure at a point in time – but understood that the entity lacked the ongoing processes necessary to maintain this secure posture over time.
- It incorporates a requirement for continual improvement. So in theory – the posture should improve each year.
- It’s an international standard, resulting in a common vocabulary for discussing security and a common point of reference across entities. Better – it gives us independent attestation against a referenceable standard.
- Folks like NIST and ISACA are integrating their thought process with 27001. If 27001 could also incorporate OWASP and/or PCI guidance – life would get even simpler.
If you haven’t taken the time to look at 27001 you should. I expect that in the next year you will either be asked if you have ISO27001 certification or ask someone else if they do …