Advancing the Profession of Security

While ethics and morality are both human constructs rather than scientific properties, one of the key differences between them is the rate of change and the percentage of people who agree with a defined code. At an unnuanced, abstract level, ethics are based on a code of behaviour defined by an external source, while morality is an individual’s view of right and wrong.

So what does this have to do with risk management, cyber security or the profession of …?

I was reviewing an article in my reading list and was struck by the author’s claim that very few people are members of an IT professional association, since that doesn’t reflect my experience. Facts always trump opinion, and a quick search will reveal that ISC2, ISACA and ASIS membership for 2022 is approximately 350,000, while Statista pegs full-time ICT workers north of 50 million. Therefore, even disregarding membership overlap, at less than one percent John Mitchell’s minority statement seems charitable. Personally, that percentage disappoints me, as I see the gap as a barrier to the profession of security gaining legitimacy: the existence of professional groups with substantial membership is one of the ways society at large judges professionalization. Adherence to codes of practice and ethics is one of the ways professional organizations can distinguish their members from those who merely have similar skills.

Reexamining the CISSP code of ethics I agreed to uphold nearly two decades ago, with both the perspective of time and a master’s degree research module, I am wondering whether the ethics discussion needs to be given more than lip service by security professionals. The transformation of ethical perspectives takes time but occurs nonetheless, and organizations need to realign to changes in societal expectations. Ideally, ethical discussions should incorporate the widest collection of stakeholders reasonable, but these days partisan echo chambers seem to be the norm, even within the security community, so expect some turbulence.

The pace of business often finds us distracted with deliverables and accountabilities; consequently, guiding principles have a tendency to fade into the background. With full transparency I’ll admit to looking up the details of the CISSP code of ethics; fortunately I was well within the lines. That said, I felt compelled to commit my interpretation to paper, if for no other reason than to open a dialog on a subject we need to align on within the industry, since we are in a position of trust.

Reflecting on the CISSP Code of Ethics

The topline preamble is almost a mission statement or guiding principle on its own; adherence to it should avoid any issues of conscience.

“The safety and welfare of society and the common good, duty to our principals, and to each other…”

At the more prescriptive and externally measurable level the first two canons provide a concise description that seems to cover the majority of scenarios I have encountered in my career.

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.

Items three and four seem to lean slightly toward areas that will demand a bit more personal interpretation of one’s accountabilities and compliance.

  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

“Providing diligent and competent service” is most certainly subjective, and on any given day our best is going to vary. If we can truthfully say we are meeting or exceeding the standard of a reasonable person, is that all we can ask of ourselves and our peers? One way to answer that would be to try a thought experiment like the one below. Be warned: there is not enough context for a single correct answer, just an opportunity to reflect. Another tactic is to truly understand your organization and where its point of diminishing returns is. Our job as risk professionals is to bring the most important concerns to the right level of accountability, and those accountable can rely on our judgement if we are consistently striving to be ethical and diligent.

While doing another task I discover a deficiency. I knowingly leave the security control broken because:

  1. We have sufficient compensating controls, and the implementation team is already at 130% of capacity with no end in sight.
  2. Although the compensating controls have flaws of their own, the threat community is small and this is one node in a long attack tree.
  3. The person accountable for fixing it has a strong personality and is very clear they don’t want negative attention from upper management.

As for “advancing and protecting the profession”, each of us can contribute regardless of skills, tenure and even personality. Consider the following:

  1. Anyone who has spoken to a near-empty conference room will agree that your very presence in the audience (physical or virtual) advances the profession by encouraging that presenter or researcher to continue their work.
  2. Share articles and research you stumbled upon with others in your department, peer group or social networks. If it is genuine and relevant to them, most people won’t cast you or the content in a negative light.
  3. Share the skills and personality you do have without regard for notoriety or compensation. We are all experts compared to the general population; when a relative or casual acquaintance asks a security or technology question, take the time to make sure they understand, or send them a link to someone who does explain it well.

Call to Action

Most in the industry will acknowledge, at least privately, that we are adopting technology faster than we can secure it and are seldom afforded the time to consider the many ramifications of our choices. Reflecting on the ethics we have agreed to follow, and how we are personally aligning to those commitments, is something we can all do as an internal process. Externally, I challenge all of us to incorporate our ethical lens as we assess and contribute to peer dialog on security matters, to collectively advance our profession.

Intro to ESRM

We talk about Enterprise Security Risk Management (ESRM) a lot during our podcasts with our guests, but we haven’t taken time to introduce our audience to the concepts and practice of ESRM. It’s time we changed that!

We’re going to post about the concept of a risk-based, business-focused security program and how it can benefit organizations. We’ll explore some of the successes we’ve had over the years – and some of the mistakes we made along the way.

We’ll reference real-world examples and highlight some of the great work going on in the security profession by some really talented individuals. And we’ll try to keep it honest. We all need more of that as we look back over this past little while and plan for what may lie ahead.

We hope you join us and let us know what you think…so stay tuned, folks. There’s lots more to come!

Bring on the New Year

2021 really can’t be worse than 2020, can it?

I’m not saying this to jinx us, honest! I’ve just spent some time this past little while looking back on 2020 and trying to assess how bad the dumpster fire really was. Globally we are still dealing with COVID-19 and have seen the worldwide death toll surpass 1.8 million. Vaccines are being distributed, albeit not as well as planned. And globally, businesses continue to struggle to survive in this “new normal”.

We also watched in horror as the insurrection at the US Capitol unfolded in real time. Right, that’s now…in 2021…not 2020…sorry.

We’re seeing risk profiles and threats change dramatically as well. Our new acronym – WFH – is both a blessing and a curse. More workers continue to clock in from home, but the threats to data now target these same individuals. Setting up our home users for success is seemingly easy, but we’re still seeing them targeted in phishing campaigns that now use misinformation or purported facts on a variety of topics: vaccines, supply chains, elections, travel, and fundraising.

We’re going to lean into some of these topics in our monthly shows and talk more about these and other issues. Don’t worry, I know some of the bigger cyber news is top of mind, so we’re going to check into that as well. I can’t offer any technical comments – that’s where my partner comes in! But I can work through some of the risks we see and how to approach them with your management and leaders. That’s what we’re really here to do – help you find that voice to present risks and inform your leaders!

Why We’re Here

I wanted to add some backstory to Caffeinated Risk. We’ve been part of the security profession (both physical and logical) for the past few decades, worked together for some of that time, and had a chance to learn about each other and our strengths. Over the past couple of years we’ve gotten together for coffee or lunch and, as two grumpy old security professionals do, started talking about our careers in security.

Both of us realized we have a similar goal – to give back to the profession that’s been so good to us. We thought a book would be a great way to help others…but that’s a lot of work! And we have real jobs we spend time at during the day. And I have a couple of dogs that are pretty needy…

So Doug came up with the idea of producing a monthly podcast for security professionals – by security professionals. We’d focus on the principles of Enterprise Security Risk Management (ESRM) and delve into technical and managerial topics regarding information security risk. The podcasts would be 20 to 30 minutes long, and we’d interview other security risk professionals to learn how they worked through a project, a program, or their careers using a risk-based approach to security.

It’s an opportunity for us both to talk about what we’re passionate about, how we struggled through the early parts of our careers and the lessons we picked up along the way. We’re not representing any company – the views posted here at Caffeinated Risk are solely our own personal narratives. We’re relying on all the missteps and successes we experienced to help others. We’ve got lots of stories, so I’m not worried about finding material.

If you’ve made it this far, let me leave you with this final comment. Both Doug and I are doing something we’ve always wanted to do – give back to a profession that is in transition. We’ve seen how the security profession has grown from being the “department of no”, to becoming trusted advisors to organization executives.

Caffeinated Risk is our opportunity to talk about that journey.

And to let folks know how we learned that, in security, we don’t sign shit. Don’t worry, we’ll talk about that too.