Alyssa Miller invited me to join her on the Securing Bridges podcast. We talked about board conversations, building roadmaps, the power of storytelling, and the use of metrics. Somehow, security geese and free phish, wizards and alchemy, cottage core and goblin mode also came up. Somehow. But hey? What else would you expect when I’m on a coffee-fueled rant?
A bit of fun…
MEL interviewed Men named Wolf on the Kardashians dragging their good name through the mud. After Kylie Jenner and Travis Scott announced they were changing their baby’s name to something more fitting than ‘Wolf,’ other Wolfs — Wolves? — started howling.
Goerlich: I think you need to grow into being “Wolf.” You’ve got to be a little bit scruffy, a little bit older, a little bit worn around the edges. Maybe there’s a chunk taken out of your ear — you’ve got to look like a fighter. You’re not going to look like that when you’re young, so I can see why they said, “He doesn’t look like a ‘Wolf’ yet.” But give the kid time. He’ll get there.
Read the full article: https://melmagazine.com/en-us/story/wolf-kylie-jenner-travis-scott-baby-name
Everyone has a pandemic story. Here’s mine.
Before the lockdowns, before we were all wearing masks, before travel ground to a halt, I was in Switzerland. It was a good time: I had a presentation to give about securing DevOps, and after a couple of days at the event, I took my wife on a rail trip around Europe. We were celebrating the completion of her recent book manuscript, which she had submitted to her publisher on our way out of town. Our plan was to travel through mid-March.
Then we got the call. We were in Budapest. My employer telephoned to say that there was a travel ban going into effect on midnight, March 13th. With very little notice, we returned to our hotel, threw our clothes into suitcases, rushed to the train station, and we took an overnight train to Prague. By the time we got to Prague, they had an idea of how to get us as far as Paris. So we took a flight to Paris. We landed in Paris and there was bedlam. Everyone was trying to get off the continent. Somehow? We were able to get the very last seat on the very last flight to the States. We made it home two hours before the travel ban.
After that, everything shut down. We did our part. We saw the risks and did our part to bend the curve. A month went by, then three months went by, then six months went by. And each time I was preparing for events, certain that things would reopen in a couple of months. Surely this was going to end. Surely this was going to wrap up.
And a weird thing happened to me. After watching the Covid numbers day in and day out, I found myself very habituated to the risk. After waiting for months, even though the numbers were frankly worse than they were in the beginning of the pandemic, I figured the risk must have subsided. Surely there was no longer a monster outside of our cave. It must have wandered away by now, right? There’s no way that we are still in danger. The caveman brain in all of us does curious things when it comes to risk management.
That sense, that nagging sense, that cognitive dissonance, that tension between logically knowing the risks but emotionally feeling everything must surely be fine, that led me to study how risk was being managed and communicated during the pandemic.
I’ve been the person providing numbers to the executive team from my security team. I’ve been the one to explain, “I know the numbers are the same and I know everything feels like it should be okay, but we really are in a bad spot.” But the pandemic gave me the experience of the other side: hearing the numbers and struggling to interpret the data to make informed decisions. There’s a great deal of overlap, I believe, in these two domains, cybersecurity and healthcare.
What can we learn from behavior science and from the psychology of our shared experience over two years? How can we take these lessons back to cybersecurity?
On the two-year anniversary of taking the last flight home from Paris, I’m going to look at risk management in a blog series. I’ll detail some of what we learned in the pandemic about how people process risk. I’m going to share here with you in the hopes that collectively, as information security and risk management practitioners, we can learn something about the nature of human psychology and thereby do a better job at protecting our organizations.
This is part one of a nine-part series. I welcome any and all feedback. Let’s learn together.
I was a guest recently on the In Scope podcast: Security doesn’t have to be the department of no.
“In this episode, Mike welcomes Wolfgang Goerlich aka “Wolf” Advisory CISO at Cisco. Join us they discuss the tendency within security to disregard the human element leading to a lack of adhering to security protocols and working around those protocols. When this happens, we see a correlation to a human need not being met. If that is understood and considered, the result is the development of much better security products all around.”
CISOs know they must respond quickly and effectively to an incident, yet surveys point to continuing challenges to deliver on that goal. These steps will help you respond quickly, without letting a crisis turn into chaos.
3. Bring in the business
CISOs should be looping in business during the triage process, security leaders say, a point that’s often overlooked during active responses. As part of this, security teams need to immediately identify what impacted components are critical for conducting business, who owns those components and who controls them.
As J. Wolfgang Goerlich, advisory CISO with Cisco Secure, says: “This is a business problem. But in a security breach, a very technical person will be thinking, ‘I have to remediate.’ However, one of the things that CISOs need to remember is that a breach is a business problem not a technical problem. So there should be a secondary process that’s running business continuity and disaster recovery so that the business can keep doing what it needs to be doing.”
12. Stay calm; tend to staff needs
Goerlich says he has seen teams “run themselves into the ground” by working long hours without breaks and even a day or more without sleep. Although that grueling schedule shows a level of dedication, it’s likely to lead to mistakes.
“People get into their zones and work well beyond the times that they should,” Goerlich says, noting that CISOs should plan for clear lines of communications, caps for work hours, staggered schedules, and post-event time off. He adds: “As much as possible, organizations should think out in advance how to handle the human elements.”
I was a guest recently on the Always On Podcast.
“The past year has brought about an enormous shift in how we work which has led to security issues on a much broader scale. On this episode of Always On, Wolfgang Goerlich from Duo joins me to discuss how organizations are handling secure access and deploying trusted access at scale. You won’t want to miss our review of a secure outcome study, so press play to listen.”
You will want to hear this episode if you are interested in…
- Trusted access [1:22]
- The challenges that customers are seeing with the remote workforce [4:18]
- Learning what Duo can do for an organization [9:45]
- Improving the user experience [18:50]
- Intangibles that customers are getting from Duo [25:04]
- The outcomes of a secure outcome study [30:18]
Have a listen here: https://nwncarousel.com/podcast/secure-and-trusted-access-at-scale/
In writing the book Rethinking Sitting, Peter Opsvik manages to do with chairs what we should do with cyber security: study the item in the wider context of how people interact.
Peter Opsvik’s critique is that furniture design isn’t “particularly concerned with the needs of the sitting human body.” Many rituals, he believed, are driven by a need to relieve people and compensate for poor seats; like kneeling to pray or standing to sing. Opsvik considered how the positioning of a chair, say in a kitchen or dining area, can make a person feel more or less connected, more or less important. He also spent considerable time thinking about how sitting changes as children grow into adults.
Design spans time frames: an experience lasting an hour, a stage in life lasting years, a lifetime. It spans contexts: personal, communal, societal.
We struggle with this in cyber security. Take, for example, break glass account. Right then. We setup an account with administrative-level access, write the password on an envelope, and stuff the envelop in a vault. But what happens when most administrators are working remotely? Fair point. Let’s move the password from a physical vault to a password vault, and share the vault with our backup person. But what happens when the vault goes down? How about when the person resigns and leaves for another company? How do we handle the longer lifecycle of this seemingly simple control?
Peter Opsvik’s answer to the lifecycle question is the Tripp Trapp chair. The chair is well-made, long-lasting, and stable. Simply change the seat and footrest, and the chair accommodates the user from infancy to adult. Five sets of adjustments as they mature.
The chair reminds me of the five stage maturity models. Security capabilities move from initial, repeatable, defined, capable, and finally, to optimized. To design a Tripp Trapp security control, think through how to reconfigure the control to support the evolving capability. Ideally, simplify these adjustments down to a small number of items.
What’s the seat and footrest in our break glass example? I suggest the credential storage and credential access. That is, how we set it up, and how the person handling the emergency breaks the glass.
Tripp-Trapp-Tresko is Norwegian for Tic-Tac-Toe. In the kids game, like chairs and like security, you succeed by thinking ahead. “The best sitting position,” Opsvik once said, “is always the next position.” Start with minimum viable security. Plan for future stages early, and identify the adjustments we can make. Good security controls support an evolving capability maturity.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
I was recently a guest on the Detection at Scale podcast: Rebuilding Trust in Security Tools.
“Why is SIEM an area of unease for so many security officers? To make detection and response successful, we need tools capable of upscaling the practitioners as well as equipping them to be successful. We need tools we can rely on.
In today‘s episode, we had an inspiring conversation with J Wolfgang Goerlich, Advisory CISO at Cisco Secure. We discussed how trust is a determinant factor in building the security tools of the future, why so many CISOs lost trust over SIEMs and what we can do to rebuild it.”
Nudge and Sludge: Driving DevOps Security with Design
Security people say users are the weakest link. When security becomes burdensome, users take shortcuts jeopardizing security. Design offers a solution. We will walk through affordances, nudges, sludge and principles to inform and direct our design. Come learn how better usability leads to DevOps security.
This talk was given at DevOpsDay Tel Aviv 2021.
Google last week revealed that it was coordinating efforts with global partners to hand out free USB security keys to 10,000 elected officials, political campaign workers, human rights activists and journalists, and other users considered to be at high risk of getting hacked.
“Whenever a major organization makes a major announcement bolstering their security controls, it sparks conversation and movement in the broader industry,” agreed Wolfgang Goerlich, advisory CISO at Cisco Secure. “Google’s announcement that it is enrolling 10,000 people in authenticating with strong security keys will make it easier to explain a similar need in other organizations.”
And this isn’t the first such corporate endorsement of hardware-based authentication. Among the companies using FIDO’s standards for Universal 2nd Factor (U2F) authentication keys is Yubico, which like Google has been working with DDC to provide its hardware-based authentication keys to campaigns from both major parties.