Blog

  • Privacy needs Security

    Laymen often think that privacy principles are at odds with security.  This post explains why privacy needs security – at least the kind of security I endorse.

    Privacy is all about control over our personal information – a control protected since 1791 by the 4th Amendment to the US Constitution.  Privacy protections have since been extended to telephone conversations (1934), health records (1964), US mail (1971), education records (1974), financial records (1978), identity information (1982), cable communications (1984), electronic mail (1986), polygraphs (1988), license and motor vehicle records (1994), telecommunications (1996), and information about children (2000).

    Security is what ensures that control over our personal information, or at least that is what it is supposed to do.  Reasonable efforts must be made to prevent the loss of collected information.  Individuals are also entitled to know when and what information is being collected, and to be able to opt out of such collection.

    The conflict comes with the other duty of security – identifying violators and collecting the evidence needed to prosecute them.  Enter “Apple vs FBI”.  So, how can the two sides of the security coin coexist in peace?

    The same framers who guaranteed privacy also established the process by which wrongdoing is to be investigated and prosecuted.  Security must either establish probable cause – a reasonable belief that a search will turn up evidence of criminal activity – or obtain the consent of the accused to conduct a search.  If consent is not obtained, law enforcement must apply to a court of law for a search warrant and receive its written permission.  Regardless of consent, property cannot be seized without a warrant.

    So what about “Apple vs FBI”?  In this case a search warrant had been approved, but the evidence could not be obtained because of strong encryption.  Unlike previous cases involving telecommunication carriers, it is the accused who holds the encryption keys, not the technology company.  Does the law also allow law enforcement to break security?  No.

    The debate goes a step further.  Imagine all authorized software having back door keys available to law enforcement.  Any such key becomes a high-value target in its own right, and its compromise weakens every user at once.  And what prevents criminals from using unauthorized, black market cryptography?  We’d have law-abiding citizens with weaker security – not the criminals we are attempting to prosecute.

  • Control System Maturity Through Quality Control

    This post is one in a series on Innovating Security Management practices.

    According to many standards for control systems, control activities involve proper business process design, information system design, and policy development.  Those same standards also suggest that each area be part of a broader, integrated architecture.  Auditors typically sit outside the system, providing feedback to management on the system and its controls.  So where does “security” fit in?

    When an auditor identifies a finding, it is given to the manager most responsible for the defective business practice.  The finding is not assigned to the CISO unless the CISO’s business unit was the subject of the audit.  Note that there is still no touch point for “security”.

    Those same frameworks also suggest that either Management or Personnel perform the control design and implementation.  In my experience, managers know how to manage people and budgets, and how to drive completion of their “functional” service activity.  Unless they are a CISO, they likely don’t know how to properly design their controls.  They assign the task to their staff to figure out.

    It is no wonder that a recent survey suggests that three out of four executives and Board members don’t prioritize recruiting skilled “security” professionals.  They don’t use them.  Security is some other functional business process and activity, and doesn’t relate to risk management and control integrity, right?

    So who is at fault?  Someone has to be at fault for this broken control framework!

    Management is responsible for ensuring that management decisions are based upon quality information, and that their actions in turn produce quality information and communication.  So, bottom line, this is a “quality control” issue.  Time for a title change?

    When most reputable standards are fully implemented, information and communication must flow through security staff and certified technology.  The problem is that most organizations are not at that stage of maturity.  So how do we get there?

    In my opinion, it all comes down to maturity.  All key roles, including Audit, must recognize the maturity of the business and prioritize the appropriate entity-level controls to:

    1. Establish a security-centric quality control SME.
    2. Ensure that they (and their respective organization) are plugged into management decisions going forward.

    References:

    1. http://www.esecurityplanet.com/network-security/75-percent-of-execs-board-members-dont-prioritize-recruiting-skilled-security-pros.html

  • Know Your Market

    The following post provides the rationale for and simple steps to realign your career with the job market.

    Every business worth its salt knows that survival demands discovering its market and maintaining alignment with that market going forward. Progressive companies take it a step further and lead the market by adopting innovative products and services. Why should your career be any different?

    Being aligned with your job market may be tomorrow’s reality. More than 5 years ago the Wall Street Journal reported on the widely quoted claim that the average American will go through SEVEN careers in their lifetime – and that’s not counting how many jobs you will hold within a given career. The trend is going up, by the way. Who knows what that average is now?

    Post-graduation I’ve had at least 3 careers and now 8 jobs – and I’m one of those loyal, establish-roots kind of guys. In early 2014, I thought I was in my last career, and then the re-organization happened. Before long I was on the outside looking in – in the job market for the first time in over 18 years. Could you be next?

    Nearly 18 months later, I can say that I’m in a better place – thanks in part to Lee Hecht Harrison and my job coaches Brian Coughlin and Pauline C. Fournier. You can be too, and avoid the hard lessons I learned being on the streets underemployed. Try these four simple steps to connect you with your market:

    1. TAKE A LONG LOOK IN THE MIRROR – Most companies have a process for reviewing job performance and offering feedback. Get all of your performance appraisals together and start reading. Identify the skills and attributes at which you consistently excel, and those that reveal your warts. Don’t worry, we all have them. The key is accepting these issues and doing something about them.
    2. EVALUATE YOUR JOB MARKET – Go to your favorite job board and search for jobs similar to your current role. Even better, search for where you want to be next. What skills and qualifications are employers looking for? Now compare them with your credentials. See any glaring gaps? I know for me, one element was professional certifications. The job market valued certifications over my master’s degree. Why not demonstrate both to my next employer?
    3. DEVELOP A MARKETING PLAN – Most job seekers have just a resume. Don’t sell yourself short. Your network cannot help you with your job search unless they know your value proposition and where you think you fit in the job market. Create a separate marketing plan and clearly define your professional objective, positioning statement, competencies, target market, and target companies. Have those that know you best review it and provide feedback.
    4. MARKET YOURSELF – Positioning yourself for that next job is more than applying through the front door. Put yourself out there. Use social media like LinkedIn to showcase your strengths. Join professional associations and engage in the discussions that lead your practice area.

    References:

    1. https://www.wsj.com/articles/SB10001424052748704206804575468162805877990