Alias: M-7 2015
Seven trends impacting Information Security Officers!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .
Shhh . . . . . I’m sneaking this article in at the end of January. Hopefully no one will notice . . .
So . . .
. . . those of you who follow me . . . and I know there are a couple of you out there . . . I can tell by the view count . . . have probably noticed that I have been procrastinating on my annual Magnificent Seven post. Okay, I admit, you probably didn’t notice that.
But in my pretend world, some of you are counting on my annual Dan’s New Leaf Post, affectionately dubbed “M7,” about the seven trends in bank technology that will impact Information Security Officers. It was my year-end prediction, to help you organize your thoughts for the trend monitoring season, so you can update your IT plans and have good fodder to point at as your justification.
But it didn’t go out.
You see, this article is due in December. The goal is to reflect on what happened in 2014 and predict seven big trend areas for 2015.
I could say the reason I am procrastinating is because there are now as many trend articles out there as there are consultants, and thus this article could be renamed “T7 – Trend of Trends” and then point to the seven best trend articles I’ve found. But that’s not it . . . I don’t mind being one of the pack, and I’m thankful that I have an audience that sees me as one of the pack they enjoy reading!
You might say the reason I am procrastinating is because in last year’s article I only nailed five of the seven trends I was predicting for 2014. I was expecting technical awareness training and process simplification to be bigger, and they were certainly overcome by the events of 2014 called “Target, Home Depot, Neiman Marcus, Dairy Queen, Sony, and Etc.” You could name this “The Big Surprise.” It caused the simultaneous sucking sound of “the rest of the executives” pulling their heads out of the sand everywhere! We had been predicting this for years, and we should have seen Target as the beginning of the end (of non-regulated industries and SOX companies ignoring information security).
(The other big surprise in 2014 was the FFIEC’s Cybersecurity Assessment and we should have seen that coming as well.)
So you could say that I was afraid to reveal what I think the major trends of 2015 will be, because I fear failure. But in reality, I didn’t do that badly in my last Magnificent Seven article, which was called M7 2013. (Yes, we’re skipping 2014 and calling this M7 2015.)
5 out of 7 is only 71%, I agree, but if you look at what we got right . . . the Importance of Incident Response Processes, Increased demand for IT Auditing, Simplification of Risk Management Processes, 2013 Guidance Driving 2014 audits, and Continuation of Mobile Security Mitigation . . . we armed those who read the article with some relevant trends to focus on.
But I don’t believe the normal cause of procrastination . . . . fear of failure . . . . has delayed this article. We all fail, especially in our predictions. Those that know me, unfortunately, know I’m not afraid to fail!
Though fear is USUALLY the cause of procrastination, I think in this case the cause is more positive. Yes, I’ve been very busy of late but that’s not what I mean. I mean that early-on I had already made my mind up that one of the top trends in 2015 would be “Awareness Training In All Directions,” that we were going to finally start providing awareness training to the Board, Management, the Technical Team, our Users, Vendors, Customers, and a new inward direction . . . . Ourselves. Yes, the article would articulate how we’ve pulled our heads out of the sand, and how our community is now finally motivated to learn basic controls on our own.
But that ended up being an article about Awareness Training and not trends. So I shelved it for a March release (just ahead of the IBA’s Physical Security Conference.)
So we brainstormed, analyzed the T7, and found eleven trends that should be in this year’s article. And that’s actually when the procrastination started. Three factors drove the delays: 1) We couldn’t decide what to name the top trend. 2) We couldn’t get the list from 11 down to 7. And 3) I wanted to do justice to the entire concept of naming this article “The Magnificent Seven.” What I realized in mid-November . . . . yes, I actually started the article on time . . . was that the plot of this article’s namesake describes what we ISOs have been through in the last decade of our careers.
You see, The Magnificent Seven is a 1960 western based on The Seven Samurai. In it, a Mexican village is at the mercy of Calvera, the leader of a band of outlaws. Incapable of standing up to Calvera, the village hires seven American gunslingers to protect them during Calvera’s raids.
And then the professional gunmen, played by Yul Brynner, Steve McQueen, Charles Bronson, Robert Vaughn, James Coburn, Brad Dexter, and Horst Buchholz, realized that they would NEVER be able to truly protect all the citizens of the community, unless they taught the villagers to defend themselves.
And the number one trend of 2015, in my opinion, is the realization by Boards of Directors, Executive Suites, Management Teams, Customers, Users, Vendors, and even our Relatives that if they want to stop the bad guys from causing problems, THEY need to learn to protect themselves. They have finally “woken to the notion” that we must rely upon each other to secure information, that the responsibility for security rests on us all, and that we must TEACH OURSELVES some basic habits and disciplines. (We can add “Ourselves” to the four corners!)
So yes, Awareness Training is #1 on my list, but . . . as you can see . . . I needed to be sure I worded this article in a manner that helped us all celebrate the fact that we are finally here, in the new paradigm, where Information Security rivals Customer Service as a business process.
It is . . . . after all . . . . the Information Age.
And now that there are fewer heads in the sand, we can truly begin the task of protecting information. We should be glad that lawyers, politicians, talking heads, and even the Hollywood Studio Executives are finally on board. In fact, I bet even Jennifer Aniston is using strong passwords now.
The Magnificent Seven 2015
Ironically, it was difficult to discuss the six other trends without circling back around and discussing Awareness, because Awareness integrates with everything. And the seven top trends to consider as we embrace 2015 are:
- The End of Procrastination: Though we knew from the start this would be the number one trend, we didn’t know what to call it. We almost called it “Awareness Training In All Directions.” The third proposal was “We Become Aware” and a fourth “We become aware that we need to be aware.” The worst name, as used above, is “We’ve Woken to the Notion!” I chose “The End of Procrastination,” given the theme of this entire article!
- Continued Escalation of Breach News: We believe the “Breach News Cadence” will continue (though our reaction won’t be one of such surprise . . . remember, our heads are no longer in the sand). This dribble will start to slow towards the end of the year, but there are some “false impressions” driving the intensified attack pace: A) The criminals have the impression that they had better “take while the taking is good.” Now that we’re all starting to educate ourselves, bad guys perceive a window of opportunity closing. Meanwhile, they incorrectly fear the EMV chip will eliminate their attack vector. Though the chip will substantially reduce fraud at the point of sale, I’m not seeing how it will mitigate on-line fraud risk. B) The good guys may end up with a false sense of security surrounding the EMV chip, thinking it protects them from on-line fraud.
- Who gets attacked: As trend number two states, we’ll continue to see an escalation in attack and breach stories. And who gets attacked will continue to evolve. Right now the bad guys are focused on the unregulated industries and on commercial accounts using ACH and Wire Transfer over the internet (Corporate Account Takeovers). I fear that sometime in the near future an attack on K-12 schools will be the buzz of the talking heads. But as we control this risk, criminals will start to focus more and more on our noncommercial consumers. We hear reports of pretext calls meant to populate databases that could help attackers sort the rich from the poor. The controls we’re using on ACH and Wire Transfer may need to be extended to Billpay . . . not as much in 2015, but by the end of the year we may be having discussions about implementing stronger authentication and detect-and-respond for more than our “high risk customers.” Another way of putting this . . . in 2015 we may be considering adding “Average Daily Balance > X Using Billpay” to our definition of “high risk customer,” and applying Supplemental Controls (Multifactor Authentication, Detect and Respond, and Customer Education) accordingly.
- Asset Based Protection: Last year one of the trends was “Simplification of Ongoing Risk Management Processes.” The need to risk assess everything had driven the development of integrated enterprise risk management applications. This year we still see this as an M-7 qualified trend, but with a twist. Given the power of Risk Management Applications (over the manual, spreadsheet method), we are now using our risk assessments to identify changes in threat vectors and then shifting the asset focus to where the risk lies. A great example of this just occurred, when the industry started to realize there are new threats against ATMs. This realization, in a simplified risk management process, flowed through to new controls surrounding ATM withdrawal, patch management, and vendor management processes. We think this will drive more Information Security Officers to see Host-based IDS, SIEM, and Endpoint Security as new controls to reduce high residual risk on specific assets.
- Lawyers join the Incident Response Team: I’m seeing this phenomenon rising everywhere. Part of taking our heads out of the sand is that Incident Response will no longer be a specialty that only a few law firms can handle. And though at first it may take a little getting used to, we need to trust that with a team approach the mitigation of legal risk can be properly balanced with the mitigation of reputational risk. But the control called “transparency” can be at risk if you don’t involve your lawyer in incident response testing. (Have the argument in a test, or your management team might be siding with your lawyer in a panic.) One scary aspect of this trend is that we’re seeing the Talking Head world sprout up all kinds of “experts” in the field, and the chatter is creating false senses of security (as well as over-reaction to threats) all across the board. This will be good in the short run, but eventually we’ll want the media to enlighten, and not frighten, “users.”
- Adoption of Security Information and Event Management Systems (SIEM, what infotex has always called ELM): We think auditors, regulators, and examiners are going to start waking up to the fact that you are not really watching your logs and your MSSP is not correlating network traffic to event logs. Note: We may be proven wrong on this again. We developed our first SIEM in 2005, and have been patiently waiting for this trend to actually occur! Still, in conferences at the end of last year, we all heard both auditors and regulators describe SIEM as a “basic control.” The NIST Cybersecurity Standard sees it this way as well.
- The NIST Cybersecurity Framework (http://www.nist.gov/cyberframework/): Given all this new awareness, unregulated industries are going to start seeking a framework that fits their needs. As this framework is new, is “incident response oriented,” is “industry-neutral,” and will be adopted by the Federal Government, I’m predicting this becomes a very important framework. One trend that did not make it to M7, the Capability Maturity Model, can be used in implementing NIST and thus I’m sneaking mention of it into this trend.
So there you have it. Let’s face it, the community needs a new Magnificent Seven, to teach our employees, partners and customers information security best practices. If you haven’t seen the movie, know that the Village eventually wins over Calvera.
I guess that might be where the metaphor breaks down. I don’t believe there will ever be an ending to the movie, “IT Governance.”
Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex
Dan’s New Leaf is a fun blog to inspire thought in the area of IT Governance.