Shostack + Friends Blog Archive

 

Communicating with Executives for more than Lulz

On Friday, I ranted a bit about “Are Lulz our best practice?” The biggest pushback I heard was that management doesn’t listen, or doesn’t make decisions in the best interests of the company. I think there’s a lot going on there, and want to unpack it.

First, a quick model of getting executives to do what you want. I’ll grossly oversimplify to 3 ordered parts.

  1. You need a goal. Some decision you think is in the best interests of the organization, and reasons you think that’s the case.
  2. You need a way to communicate about the goal and the supporting facts and arguments.
  3. You need management who will make decisions in the best interests of the organization.

The essence of my argument on Friday is that 1 & 2 are often missing or under-supported. Either the decisions are too expensive given the normal (not outlying) costs of a breach, or the communication is not convincing.

I don’t dispute that there are executives who make decisions in a way that’s intended to enrich themselves at the expense of shareholders, that many organizations do a poor job setting incentives for their executives, or that there are foolish executives who make bad decisions. But that’s a flaw in step 3, and to worry about it, we have to first succeed in 1 & 2. If you work for an organization with bad executives, you can (essentially) either get used to it or quit. For everyone in information security, bad executives are the folks above you, and you’re unlikely to change them. (This is an intentional over-simplification to let me get to the real point. Don’t get all tied in knots? k’thanks.)

Let me expand on insufficient facts, the best interests of the organization and insufficient communication.

Sufficient facts mean that you have the data you need to convince an impartial or even a somewhat partial world that there’s a risk tradeoff worth making. That if you invest in A over B, the expected cost to the organization will fall. And if B is an investment in raising revenues, then the odds that A happens are sufficiently higher than B that it’s worth taking the risk of not raising revenue and accepting the loss from A. Insufficient facts is a description of what happens because we keep most security problems secret. In happens in several ways, prominent amongst them is that we can’t really do a good job at calculating probability or losses, and that we have distorted views of those probabilities or losses.

Now, one commenter, “hrbrmstr” said: “I can’t tell you how much a certain security executive may have tried to communicate the real threat actor profile (including likelihood & frequency of threat action)…” And I’ll say, I’m really curious how anyone is calculating frequency of threat action. What’s the numerator and denominator in the calculation? I ask not because it’s impossible (although it may be quite hard in a blog comment) but because the “right” values to use for those is subject to discussion and interpretation. Is it all companies in a given country? All companies in a sector? All attacks? Including port-scans? Do you have solid reasons to believe something is really in the best interests of the organization? Do they stand up to cross-examination? (Incidentally, this is a short form of an argument that we make in chapter 4 of the New School of Information Security, which is the book which inspired this blog.)

I’m not saying that hrbrmstr has the right facts or not. I’m saying that it’s important to have them, and to be able to communicate about why they’re the right facts. That communication must include listening to objections that they’re not the right ones, and addressing those. (Again, assuming a certain level of competence in management. See above about accept or quit.)

Shifting to insufficient communication, this is what I meant by the lulzy statement “We’re being out-communicated by people who can’t spell.” Communication is a two-way street. It involves (amongst many other things) formulating arguments that are designed to be understood, and actively listening to objections and questions raised.

Another commenter, “Hmmm” said, “I’ve seen instances where a breach occurred, the cause was identified, a workable solution proposed and OK’d… and months or years later a simple configuration change to fix the issue is still not on the implementation schedule.”

There are two ways I can interpret this. The first is that “Hmmm’s” idea of simple isn’t really simple (insofar as it breaks something else). Perhaps fixing the breach is as cheap and easy as fixing the configurations, but there are other, higher impact things on the configuration management todo list. I don’t know how long that implementation schedule is, nor how long he’s been waiting. And perhaps his management went to clown school, not MBA school. I have no way to tell.

What I do know is that often the security professionals I’ve worked with don’t engage in active listening. They believe their path is the right one, and when issues like competing activities in configuration management are brought up, they dismiss the issue and the person who raised it. And you might be right to do so. But does it help you achieve your goal?

Feel free to call me a management apologist, if that’s easier than learning how to get stuff done in your organization.

2 comments on "Communicating with Executives for more than Lulz"

  • Chad says:

    Adam,

    I don’t necessarily agree with your statement that “Communication is a two way street…”. I think it is the job of the “communicator” rather than the recipient to communicate the message. It’s the responsibility of the communicator to “know” their target demographic. You tailor your message to meet the needs of the recipients. Which is what I think you are attempting to communicate through your blog postings. Are your thoughts the following?
    –> The INFOSEC group in aggregate is experiencing miscommunication with the necessary business owners.
    –> The “images” of computing security failure being manifested by the actions of groups like LulzSec and Anonymous are managing to communicate a message to those same business owners.

    My question is, do we really know what message is being communicated. Because LulzSec and Anonymous (to my knowledge) aren’t engaged in a dialog with the owners of the systems they’ve compromised, they have very limited control over the message. My fear is that the message being communicated is simply “We don’t like you. Therefore, we are going to cause you trouble.” Which is not the same as “Your systems aren’t very well secured and here is why (explain). The risks of having systems operating with this level of exposure is (explain).” Is this acceptable to operate in this fashion?”. One is perceived as malicious, the other as beneficent.

  • Peter says:

    I’m going to have to disagree with you on this one. It’s all about incentives and there isn’t a business incentive to spend money on black swan events, the ROI just isn’t there regardless of how you massage your ALE numbers. This is why things like OSHA are mandated with criminal penalties. Nobody with decision making authority which led to these breaches will get fired, loss of reputation is marginal over the long run, and any loss would have been covered by insurance. TJ Maxx is still around last I checked, ditto Microsoft, Verisign, IBM, etc etc.

    Security isn’t getting fixed until there is a true personal liability cost at the level which controls the budget and that simply isn’t going to happen, i.e. the powers that be aren’t going to pass laws which hold the CEO criminally negligent for not ensuring his systems are patched nor will, as the losses aren’t significant, insurers jack premiums up to a level to force compliance.

    What we all know as security professional, and secretly hate though understand, is the CEO’s really are making the right risk decisions. The cost of non-compliance and black swans events including loss of reputation over the long run is weigh less the risk mitigation so just insure it, hire a good PR firm to do good jaw jaw, and move on. Security professionals, not counting hard technical security engineers, learned long that we are on staff simply to say you have one, just like safety inspectors, equal opportunity professionals, and quality assurance.

Comments are closed.