If practicing information security can be a tough job, security journalism is aguably tougher. You’re often not an expert, yet to you have to translate between experts and the public, the public and experts, identify a sales pitch and yet still pull out an interesting story that’s worth the bits and bytes it’s written on. Then repeat daily.

However, a healthy dose of cynicism is always in order. Take one article I was discussing the other day – SC Magazine’s coverage of the UK ‘cyber reserve’ force. The problem isn’t the journalism, the problem is that in a specialist field the loudest voices will almost always be those with the biggest agendas.

In particular, reading takes some translation.

Francis Maude says his government is “”constantly examining new ways to harness and attract the talents of the cyber security specialists that are needed for critical areas of work”.

Translation? We really don’t know how to do this, and we’re still trying to figure it out. We just needed some progress for the annual report so we thought we’d shout about it anyway.

ISC2 says: “Funding new research centres and denoting ‘Centre of Excellence Status’ to universities that are already delivering graduate courses in this space does not begin to address the skills shortage that we all acknowledge is adding to the threat. There are already 55 to 60 graduate level courses in the UK and most students don’t pursue an education at this level. More is needed at the undergraduate level where awareness of the career opportunities can help reach the numbers required.”

Translation: The government should send more introductory training so people can move on and do CISSP.

And Detica says: “When we look back in five years’ time we will see that the government’s strategy has provided a catalyst for a series of innovative and useful activities, particularly around how industry can respond to and protect itself from cyber incidents – most notably the recent Cyber Incident Response Scheme announced by GCHQ. Nonetheless, there is still a long way to go before we can say that we are successfully countering cyber threats.”

Translation: It’s great that we’re one of a small number of companies to get privileged access to contracts through CIRS, but we still think there’s scope to be paid more money.

All these agendas are reasonable, understandable, and in the case if ISC2 clearly beneficial to security. The question then has to be – so what it not being said?

Well, that we don’t have a clue how to deliver this, for one. What it will do for another. And who will do it. And why.

All questions worthy of an answer.

Over the last few months, a consistent theme in the media has been the threat posed by Chinese security and network solutions. It’s unsurprising that the birth of China as a modern post industrial giant strikes fear into the hearts of many – particularly countries and companies who would see China, or it’s industry, as a threat. It’s also entirely rational to assume that foreign agencies will use all the tricks in the book to obtain a national advantage – most countries have a long history of doing just that. Minus the trappings of 20th century world leadership, China may well be less reserved about it than others such as the USA or Britain.

There is no doubt whatsoever, that the Cyber Security threat has crept upon us quietly over the last decade, without being noticed.  Only in the last few years have International governments started to acknowledge the systematic nature of the threat and the serious focus it requires.

This is a fair and qualified justification for greater investment in the Cyber Security arena, for public debate, and for reprioritisation of national defence programmes – not for politicisation, but to serve a very real, tangible defence against what is now an ever present, and current threat.

However, the nature of current headlines makes it reasonable to conclude that too much of the current cyber security agenda is now being sold on Fear, Uncertainty and Doubt – the same ‘FUD’ that the Information Security profession has spent the last few decades trying to shed.

The furore around Huawei is a perfect example – by virtue of its nationality the company has been blocked from bidding for major contracts in several countries, and been subjected to such criticism from the US that picking a Chinese security supplier must now seem to many businesses like an act of treachery. There is no evidence to suggest that they have been anything but open about their technology, and no-one has yet demonstrated that their products demonstrate a threat. Could a rational caution be going too far and closing the door to technology that could offer a competitive advantage? With not all the facts in the public domain it’s hard to say for certain – but from the consumer media, it looks that way.

Certainly, any information security manager attempting to build a business case on the back of insubstantial evidence would get a less sympathetic hearing from a corporate board than the world’s press appears to be giving to current claims.

The worry remains that government agencies are playing on fears that often appear unfounded to the public, or at least unproven. By doing so, we may risk undermining the case for national cyber security when it most matters; just as selling FUD in business has made it harder to sell investment in security today.

Continuous low level espionage attempts have always taken place, and always will, and the only thing that has changed is the means, and ease, of doing it. That does not justify escalating espionage attacks to the status of ‘CyberWar’ simply because they are committed with computers, but nevertheless does need to acknowledge that some systems could, one day be leveraged to underpin Cyber Aggression against a designated target. To access this, we need a more mature debate that moves away from FUD and towards an evidence based approach.

What is required to address the underlying threat is not a focus on fear, but a consistent resolve across governments to build security into the national business model at every step. Unfortunately, this is not an exciting answer. Security, when it works, is like accountancy – invisible and boring. Responding to cyber threats does not require a global panic, but simply the building of security into how we all operate organisations and live our lives, and the development by governments of high expectations across both government and industry, combined with a security aware culture.

The current inability to protect against cyber threats will not be solved by vast central programmes and costly cyber-weapons; it may be solved by enforcing consistent expectations and by building security awareness and technical competence into primary school curriculums.

Certainly, it will not be solved by FUD.

Information Security exists to manage enterprise risk. Fact.

There can be no disputing this simple point. Information Security does not exist to keep all information absolutely secure. It can’t, even if that was a good idea.

Which, incidentally, it isn’t.

Completely secure information is about as much use as that classic beginner’s programming challenge: “Design me a useful program with no inputs and outputs”. The answer of course is that it can’t be done. Information, like a computer program, has to do something useful.

Of course somewhere out there, someone is thinking that’s not true. OK, it’s not. You can have useless information (like this blog, that same person is thinking…), however in a business context if you have information you’re not using, it’s time to bin it. Information has to be useful or we might as well not have it. Fact.

So, if absolute security is an absolutely rotten idea, we must all be in it for something else. That’s risk management then – keeping information as secure as it’s sensible to do so whilst allowing the business to operate – even whilst helping the business to operate.

So, some questions:

1. Why are we so bad at explaining the business consequences of security threats and vulnerabilities?
2. Why are so few security metrics risk orientated?
3. Why is security so often seen as a hindrance to achieving business objectives, rather than an enabler?
4. Why is information security theory and practice so divergent from operational risk theory and practice?
5. How do we fix it?
6. And finally, accepting that we can’t achieve perfect security, how do we deal with the fact that at some point, it will go wrong?

If you’re interested in the answers, let me know when you find them. If you’re interested in discussing some of these issues, join me at InfoSecurity Europe at Earls Court, London this Tuesday for the keynote debate “RISK: Defining ‘Risk Management’ & What It Means In The Context Of Information Security” with myself, Prof. Paul Dorey of the IISP, Boris Goncharov of G4S and Matthew Lord of Steria UK.

• RISK: Defining ‘Risk Management’ & What It Means In The Context Of Information Security, Keynote Theatre, 24th April 14.30 – 15.30

Are we at risk of looking away and missing the action?

Legal and regulatory pressure is risking turning security into a tick-box exercise. Boards rely on security professionals to deliver on corporate issues such as compliance without forgetting the underlying risks. Changes such as the European Commission proposals on Data Protection will only increase the focus on regulatory risk. From a security standpoint, it’s the wrong focus.

If we’re actually going to reduce data loss incidents we need to change the way people behave. That’s about convincing directors that security isn’t just a compliance issue, which will be hard to do when compliance is the easiest way to build a business case for investment.  It also means getting beyond ‘tick box’ awareness exercises and influencing corporate culture in order to embed security into the way staff think on the job.

A shame then that so much of the current focus is on legislation.

A fe days ago I suggested that understanding a user base starts with ourselves. Of course, that doesn’t mean ignoring tools that allow you to build on that understanding, after all, politicians are customers of the state but still use polling every day.

Fortunately, there is no shortage of good tools available to bring security closer to the user base, and which ones you use will depend on the audience. Directors and non-executives might benefit from dedicated seminars to drive engagement with security risks facing the business. For most staff however, it’s about getting beyond annual CBT exercises and scary posters to actually engage with people in a two-way conversation – for example, offering a prize in exchange for feedback, or providing advice on home IT security that people will connect with. It means taking people’s ideas and concerns on board and providing feedback to show that you’ve listened.

Why does understanding users seem to require a science of its own? We have to remember that we’re users too, so the starting point is to understand our own needs and frustrations with the systems we use. If we’re irritated by inflexible systems, complex password requirements, an inability to use new technology in the office, or network connectivity issues, then it’s a fair bet that our colleagues feel the same. The difference is that we are closer to the issues and understand why corporate security isn’t as responsive as we’d like it to be. Your average user doesn’t have a clue and frankly doesn’t care – they just want work systems to be as good as the ones they use at home. It’s not an unreasonable demand.

After all the focus of the last few decades, it should be surprising that information risk is still one of the least well understood risks most organisations have to deal with. Mature industries are used to looking at issues like capital, finance and operations as business risks, but information security is still often seen as an issue for the IT department. Alternatively, it’s seen a regulatory issue with compliance, rather than customers, in the driving seat. Reputations take a long time to build but companies like Sony have proved that a security incident can cost you that reputation overnight. Despite this, few business understand what security breaches really cost.

McAfee’s 2012 security report suggests that incidents cost on average $0.5 – $1m, but also reveals that only a third of respondents had any idea what the cost was to them, and that a quarter of respondent’s didn’t feel they knew what security risks their controls were protecting them against. Until we can make an accurate quantitative assessment of security risk Boards and security professionals alike will find it hard to decide what level of resource to deploy, or how best to deploy it.

Security departments can no longer count on increasing resources when organizations are stretched. Over the next few years, that stretch should become a little less. But will security feel it?

Security risks still have to be addressed but the expectation is that organizations will save money at the same time. That puts the focus on projects that reduce, for example, complexity and device proliferation in data centers, improve flexibility and support changes to business processes. Any investment in staffing or equipment needs a sound business case that demonstrated better risk management and bottom-line impact. Organisations now understand that security functions can deliver on this, so these expectations will be here to stay.

The poor economic conditions have also not made it any easier to recruit. There is still a skills shortage in the industry, particularly for technical specialists with a business perspective – in application security, for example. What has happened is that the number of companies looking to recruit has fallen, as has the number of people looking to move. Obtaining the budget may not get any easier, but at least recruitment should.

McAfee today released their report on the ‘state of security’ 2012. 19 pages of interesting reading is let down by one thing: the inevitably low quality of the quantitative information they obtained.

Highlighted in their report is one critical statement that should, if it stacks up, demonstrate the value we in the information security profession bring to our organisations. The statement? That organisations with a mature security stance face costs of a data breach just half that of their less mature competitors. Instant value to the tune of $0.5m per incident.

Before we all pat ourselves on the back however, it’s worth taking a moment to consider the quality of their information, and the report gives us all the information we need to do that.

Firstly, it tells us that only around a third of respondents were confident they were able to assess this financial impact. When you consider that those companies who can quantity this are unlikely to have the same security profile as the other two thirds, you are already left wondering whether their calculation is of much merit.

Later in the report, McAfee reveal that again only around a third of respondents felt they were both aware of their security risks and protected against them (a worrying 38% said they were aware of the risks but didn’t feel they were protected against them, and a scary quarter of respondents felt adequately protected but didn’t know what their risks were).

What does this mean? Quite simply, that in addition to not really being able to assess how much incidents that were managed and detected actually cost, it’s quite likely that most incidents simply went under the radar because either the company didn’t know to look for them, or didn’t have the controls in place to detect them.

Overall, it’s a pretty fair reflection of where we are as an industry. But there’s nothing worse than misinformation, and so far attempts like this to quantify the costs of data loss and the value of security are sailing very close to the wind.

Monetary penalties for local authorities issued by the Information Commissioners’ Office have officially hit £1m, isrisk.net is first to reveal.

Our analysis of ICO penalties for local authorities (click to download pdf) confirms the total as £1.040m as of 15th February 2012 when the latest penalty was issued to Cheshire East Council.

The eleven notices issued covered the loss of at least 1,914 records to a total 730 unauthorised recipients.

The analysis reveals a number of interesting trends:

Frequency

Fines are becoming more frequent. During 2011 there were gaps of several months between fines, towards the end of last year and in the first two months of this year, penalties were issued every few weeks. We can expect many more penalties in 2012.

Highly sensitive data

All the penalty notices issued were for loss of highly sensitive data, specifically child or adult care records. Whether this reflects a conscious focus for the ICO or simply where the losses have taken  place is hard to say, however it is clear that the ICO are reserving their power to issue financial penalties for those cases where the information at risk is sensitive and the data subjects are vulnerable.

Just one record lost is enough for a fine

45% of penalties were issued for the loss of just one record. This calls in to question the common view that only the loss of multiple records would be of interest to the Commissioner. Clearly the Commissioner considers that even one record can justify a penalty where the data lost would have a signficant impact on the data subject.

Data in transit

Every single fine related to data in transit. Four were for email sent to the wrong recipients, five were for paper documents sent to the wrong person or address, one to a fax sent to the wrong number, two Ealing and Hounslow) for the loss of an unencrypted laptop, and one was caused by a Council officer leaving documents in a pub on the way home from work, None were the result of third parties obtaining access to Council networks, however whether that reflects a lack of interest by hackers or Councils’ lack of capability to identify such attacks is a matter for speculation.

Human error

The most revealing aspect of these penalties however is that every single one was the result of human error. All could have been avoided if the individuals concerned had been properly trained and were conscious of their obligations. Equally, many could have been avoided if manual processes had been replaced with more efficient automated ones, or data sent in a more secure manner.

Lessons for the future

There is s strong message here for local authorities and other public sector bodies: securing your network is not going to be enough. Instead, the focus should be on investing in better processes and staff training and awareness.

The tokenistic approach many organisations have deployed in the past of annual refresher training on organisational policies does little to embed the importance of security in the minds of staff on a daily basis. Instead, Councils and others need to foster a security culture where everyone understands the contribution made by their activities.

Just as importantly however, the penalties reveal an opportunity to build a stronger business case for developing processes that are inherently more secure. There can be no excuse for sending bulk personal data be email, storing records on laptops rather than in enterprise systems, and sending highly sensitive data using obsolete and inefficient faxes.

Ultimately, we’re paying twice for these mistakes: once in high taxation driven by poor processes, and a second time in monetary penalties for data losses. The monetary penalties are, therefore, the tip of the iceberg.

Any local authority getting to grips with the process issues highlighted will surely make their budget savings and improve services at the same time.

You can download the analysis of ICO penalties for local authorities here.