Why I'm Skeptical of "Due Diligence" Based Security
Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”.
Recently, a couple of folks have been talking about how security should just be a “diligence” function, that is, we should just prove that we’re doing best efforts and that should be enough. Now conceptually, I love the idea that we can prove our “compliance” or diligence and get a get out of jail free card when an incident happens. I always think it’s lame when good CISOs get canned because they got “unlucky”.
Unfortunately, if risk management is infeasible, I’ve been thinking that the concept of Due Diligence Security is complete fantasy. To carry the analogy, if Risk Management is the United Nations, then Due Diligence Security is the Justice League of Superfriends. With He-Man. And the animated Beatles from Yellow Submarine. That live in the forest with the Keebler elves and the Ewoks and where the glowing ghosts of Anakin, Obi-Wan and Yoda perform the “Chub-Chub” song with the glowing ghosts of John Lennon and George Harrison. That sort of fantasy.
DUE DILIGENCE BASED SECURITY IS AN ARGUMENT FROM IGNORANCE
Here’s the rub – let’s say an incident happens. Due Diligence only matters when there’s a court case, really. And in most western courts of law these days, there’s still this concept of innocent until proven guilty. This concept is known as the argument from ignorance in logic and it is known as a logical fallacy.
Now arguments from ignorance are known as logical fallacies thanks to the epistemological notion of falsification. Paraphrasing Hume paraphrasing John Stuart Mill – we cannot prove “all swans are white” simply because we’ve observed all white swans – BUT the observation of a single black swan is enough to prove that “not all swans are white”. This matters in a court of law, as your ability to prove Due Diligence as a defendant will be a function of your ability to prove all swans white – all systems compliant. But the prosecution only has to show a single black swan to prove that you are NOT diligent.
Sir Karl Popper says, “Good luck with that, Mr. CISO”.
The result is this – the CISO, in my humble opinion, will be in a worse condition because we have a really poor ability to control the expansion of sensitive information throughout the complex systems (network, system, people, organization) for which they are responsible. Let me put it this way: If information (and specifically, sensitive information) operates like a gas, automatically expanding to where it’s not controlled – then how can we possibly hope that the CISO can control the “escape” or leakage of information 100% of the time with no exceptions? And a solitary exception in a forensic investigation becomes our black swan.
And therefore… When it comes to proving Due Diligence in the court of law – Security *screws* the CISO. Big Time.
Here’s how I demonstrate due diligence. I show that I’ve met the reasonable assurance standard. Where do I get that? It’s what everyone else is doing. Like PCI, or even showing the VZN breach study 😉 Have I done that? Yes, then I’m doing the best that I can reasonably expect to be done. And that’s pretty much how most court cases go.
Bonus, a good third of my due diligent reasonable controls are refused by the very customers they’re supposed to protect. Too expensive, too inconvenient, etc. I explain the risk and they say “so what?” Then I make em sign off and I’m done.
Of course, to get this state, one needs to do some good risk analysis. And that is part of what is reasonably expected – as baked into almost every compliance standard. But you knew that.
Great post on the topic. It seems like there is a basic acid test that can be applied: Would you apply the same diligence to all data regardless of classifications and value? If the answer is yes, then a diligence based approach could be just the thing for you. Otherwise, you’re doing a risk based approach whether you realize it or not.
I’m interested to know who exactly would take such a blind approach to security, not including those I come across who are tasked with it due to being ‘the network guy’? Anyone who works in security who just proves they are ‘doing enough’ knows deep down they are already owned surely?
Oh, sigh. Ignoring the peanut gallery above, and assuming I was one of those people you chatted with, I think you’ve missed the point completely.
1) Presumption of innocence only applies to criminal cases, not to civil litigation. So, you’re working from a faulty premise, since the majority of litigation over breaches is going to occur as civil proceedings.
2) In civilian litigation, there is no prosecutor. You only get those when you’re talking about breaking laws, which I’ve already noted is not the majority of cases relative to breaches (today, anyway).
3) You’ve cast “due diligence” in an inappropriately severe and sparse role. If the defendant argues, and demonstrates, that they’ve done what was reasonable in defending their organization, then the plaintiff finding anomalies will not be sufficient to undermine the defense. Your statement that “your ability to prove Due Diligence as a defendant will be a function of your ability to prove all swans white” is then incorrect. It is *not* an all-or-nothing position.
In fact, if one builds their security strategy from the perspective of expecting to be breached and doing what is reasonable to protect, detect, and correct, then the plaintiff’s burden of proof will actually be much higher in terms of proving wrongdoing. If we assume that a breach is going to happen, then your legal defense is less about that you didn’t stop the breach from occurring, and more about demonstrating that you took reasonable measures to prevent it, detected it in a reasonable period of time, and took reasonable steps to resolve the breach in a reasonable period of time. This is the premise of my “legal defensibility” argument, in fact (I’ll be blogging about this tomorrow, in fact), complete with ties into networked systems survivability.
4) As a side-note, a legally defensible position would absolutely leverage risk management. *I* certainly never said it wouldn’t, but have said that I think too much focus is put on risk management when very few people/organizations have the slightest inkling of how to do formal risk management. If you’re not doing formal risk management, then I seriously question the validity of claiming to be doing “risk management” since it quickly devolves into subjective and biased flailing.
5) Finally, on your conclusion, I must disagree, but only to a degree. Yes, it could back-fire and put the CISO in a tough spot, but I think what you’re overlooking is that the main reason to use a “legal defensibility” approach (which you’ve boiled down poorly into the inadequate and antiquated “due diligence” phrase) is that it squarely puts the ball into the court of business leaders, removing a lot of the abstraction that goes along with much of info risk mgmt and security practices these days. Starting from the perspective of “when a breach happens and we get sued, how will we prove that we did what was reasonable?” then I’m finding that business leaders actually understand what I’m talking about, whereas when I’ve tried talking risk management in the past they immediately fall into the checklist+compliance mindset of “just resolve the critical and high findings, report as necessary, and otherwise leave us alone.”
More importantly, legal defensibility as an approach can lead to legislation with hooks because the concept meshes very well with the court system, and can even some day translate into criminal code that could apply some much-needed teeth.
MAJOR CAVEAT: Much of this line of thinking hinges on what is “reasonable,” which is obviously not cut-n-dry by any stretch of the imagination. Even better, it ultimately comes down to what is “reasonably foreseeable.” This kind of gets into that fabled “unknown unknowns” 😉 territory, and who knows what that even means. What it does *not* mean is just complying with a given regulation as we have ample examples that such a narrow focus is *not* reasonable. The good news is that this is where good lawyers become invaluable, and where the real fun of Law comes into play. 🙂
Ben,
Nope, wasn’t you I was talking about.
AH
D’oh, oh, well! Nonetheless… 🙂
@Ben – Nonetheless your distinctions are welcome – and you’re right, most (but not all) clauses of “PCI as law” or data breach notification laws live in the civil realm of the US legal system. This blog post is inspired by the logical absurdity of the Due Diligence perspective – that, say, failure to always and in all cases encrypt statute-defined sensitive information would count towards mens rea and establish a case for criminal negligence. I could be wrong, but I believe that criminal negligence can be established when there is a failure to foresee data leakage (the DBIR’s “unknowns” section serves as inspiration here) and thus allow an otherwise avoidable situation to come about, causing harm/loss.
As preposterous as this might seem to you, IIRC – the UK at some point in the not so distant past has discussed prosecution under criminal law.
I do have to admit that after posting this and explaining my thoughts on interpreting the concept of criminal negligence, Mrs. Hutton (Esq.) gave me the “well, it’s certainly possible” (which means, “not likely” in her estimation), and in the States (at least), she thinks that these sorts of cases are difficult to bring against corporations.
RE: Civil procedures, I’ll argue that the concept of falsification still stands. Be it a government or industry acting as plaintiff – the Burden of Proof doesn’t seem to be so burdensome at this point. From what I understand, rather esoteric violations of certain standards are used to make the plaintiff’s case.
The negligence angle is definitely interesting, and in fact was one discussed at the eDiscovery & Digital Evidence committee meeting preceding RSA. However, the context was less about negligence in protecting the enterprise, and more about negligence (or gross negligence) related to preserving data after action has been indicated or commenced (apparently some subset of the world thinks it’s ok to destroy evidence after it’s been requested).
I disagree with your falsification point, but only insomuch as it’s colored by my theory of legal defensibility, not as it pertains to this antiquated “due diligence” concept. Ultimately it hinges on what is “reasonable,” and that can end up costing the plaintiffs more than is worthwhile in a civil proceeding.
Of course, IANAL, nor do I play one on TV. I’m always reminded of my cyberlaw prof who started the first class by asking “Can you sue?” The answer is always “yes,” but it also turns out to be the wrong question. It’s not a matter of “can,” but rather “should you sue?” 🙂
diligence vs. negligence
most execs understand this concept
it is not just a concept relevant to a legal context
not every jurisdiction is as litigious as the US
I regularly use the concept of diligence vs. negligence in positioning an information security program.
A view of “Negligence” arises when a post incident review, audit or regulator’s report arrives at a position that there are inadequate security controls and that this either directly or indirectly contributed to the incident and/or breach.
assurance, risk management and directors’ accountability are defined in the context of diligence, adequate vs negligent and inadequate
so advising an exec that the current state of information security capability and controls are inadequate and if subject to an independent and standards based review, that the overall assessment would be that the exec had been negligent is a useful narrative
Late to the party, er, discussion, but here goes… In the debate regarding due diligence vs. risk management, there are a couple of other points to consider:
1) Due diligence — i.e., doing everything everybody else is doing — may be a great objective, but how do we know where to begin and what our most important issues/problems are? That’ll only come from being able to reasonably and defensibly evaluate/measure risk. So the two things (a due diligence approach and risk management) can co-exist, even complement one another.
2) At least as I’ve seen it practiced generally, the “common practice” (due diligence) approach often ignores the fact that not only are we tasked with helping our employers manage security/risk, but also manage it cost-effectively. And as “good” as common practice might be, it’s often not particularly cost-effective (one-size-fits-all often doesn’t). Sometimes common practice is exactly the best and most cost-effective option, sometimes it’s not. As a responsible professional, our job is to recognize when it is or isn’t. Here again, the effectiveness component of cost-effectiveness is a matter of risk reduction efficacy — which requires risk measurement.
Just my $.02