Friday, June 06, 2014

Why are we all doing Anti-Clockwise security?

At the SC Congress in London today I bumped into Allan Boardman of ISACA, and I talked to him about the fact that security professionals in the main think Anti-Clockwise. Which simply put, means we think first about stopping bad things from happening. Clockwise security on the other hand puts the premium on thinking first about ensuring that good things happen, and then minimising the negative effect of bad things.

I argued that CobIT in my analysis was primarily an Anti-Clockwise tool. I had hoped the ValIT was going to point the way to a more Clockwise approach from ISACA. Sadly it did not live up to my hopes.

Allan heard my analysis as an attack on the Infosec community as a whole and accused me of being disingenuous, and argued that most security professionals did in fact think of the business first. We explored my contention that if that were the case CobIT would have been subsumed into ValIT, rather than the actual case of ValIT being lost into CobIT version 5. The C in CoBIT does after all stand for Control.

As another carrot, I also believe that if we acted as true enablers, more of us would have a seat at the big table!

The day at the London SC Congress did nothing to dissuade me that we think primarily Anti-Clockwise, and worse Anti-clockwise with a technology and tool bias.. We talked mostly of identifying threats, we never talked about securing opportunities. We talked often of Controls. Basically our language all day was Anti-Clockwise. In fact I suspect, hopefully not disingenuously, that as Security professionals we do not know how to think and talk in a Clockwise manner.

Traditionally we think in the order incidents, threats, controls, risk, compliance, and only on very few occasions do we move onto Value, Need, and Positive Outcomes.

Our Formula One colleagues may have hit upon an important discovery. Which may help us to learn clockwise thinking. KERS is a hybrid control/enabler, it has a dual function, it serves both as a means of deceleration, as well as a means of acceleration.

Early Formula One engineers proudly stated that they put great brakes in racing cars so that they could go faster. This was pseudo-Clockwise thinking, or Anti-Clockwise thinking in sheep's clothing! If we go too fast we will crash (threat),  control = Great Brakes, Risk of not slowing down fast enough reduced, and we did it while complying to F1 rules.

(Aside: Let us not fall into the trap of becoming locked into Pseudo-Clockwise thinking.)

Then along came a Clockwise F1 Thinker; we want to win more races (Outcome), so we Need something to make us go faster, where can we get the energy from ? 
What about storing up the braking energy? Let's rewrite the F1 rules (Compliance). 
What are the risks? Fire Hazard, May not decelerate sufficiently. Let's design those risks out...
KERS designed. a control that is also an enabler.
Threat of crashing into corners reduced, in fact many F1 drivers are learning to approach corners faster, as that way they can store up more energy!
Incidents: few Laptimes: Faster

How can we become Clockwise Thinkers, what opportunities await us?

Can you create a control that can also be an enabler?

How should ISACA evolve CobIT? Perhaps the first thing to do is actually call it ValIT.

Let's put Value Creation as job #1 and value protection as job #2.

I find it very hard to think Clockwise. after many years of being encouraged to stop bad things from happening and berated when they do, it was and still is difficult to think first of Outcome.
My break through came when I learned that in the Pharma industry, getting the health outcome to the patient safely and quickly was the key economic drivers, the cost of a delay was $150 per second. All other considerations pale into insignificance. Many of our controls were burning time. I started looking to take out disabling controls and accelerate time, then along came the Cloud, a great place to think clockwise!

How many Hybrid Infosec Tools are you aware of?  ...I don't mean brakes that allows us to drive faster, I mean brakes that MAKE us go faster!

Imagine if you were involved in developing a process, tool or service that created as many opportunities as it reduced threats? What would it look like?

What Outcomes do your Customers value? How can you help meet their needs?

Then maybe we could start talking of the 8 Information Criteria. 

Information Value being the most important criteria of all.

I agree Allan it is obvious, but if we do not state it, we often do not strive for it.

As we agreed, the reason for the existance of any organisation is to create value for it's stakeholders.

But please don't get me wrong! An even greater sin than Anti-Clockwise thinking, is solely thinking about Value. A rather negative experience that I had was in the IoT session at this years SC Cogress. We talked of Smart Things that were not secure! Given the very effective lesson we had learnt over lunch about Smart Phones not being as Smart as we think; it is key that we complete all of the Clockwise Security cycle

Outcome
Need 
Value Created(data, thing or service)
------ we mustn't stop here ....
Compliance
Risk
Control, or even better Hybrid Control/Enabler
Threats reduced, and in the case of Hybrid Control Value increased
Value Protected

Finally, as with all things in life, the truth is a balance, for right in the middle of an attack the last thing I would argue for is Clockwise thinking, I believe we then have to very quickly revert to Anti-Clockwise thinking, clearly we shouldn't only use Clockwise Security, or Anti-Clockwise Security.




No comments:

Post a Comment

Thanks in advance for sharing your thoughts...