
Security Policies IRL (Part 1)

If you’ve been following the news lately you will have heard about a large real estate group in China with a large debt problem. In short, the Chinese government decided to reduce risk by limiting the amount of debt held by real estate companies. To accomplish this, it implemented a new policy which could play out into a major disaster.


tl;dr:

  • Implementing a policy without consultation could lead to chaos
  • Creating policy requires lots of communication and solid knowledge of the macro and micro environment
  • Consultation with functional units and effective policy metrics serve as good indicators and inputs for current and new policy

Now here lies the problem: implementing a new policy in a short space of time meant that companies that are heavily exposed without adequate cash flow are suddenly unable to service their debts. Evergrande is one of those companies with large unserviceable debts.

You have probably seen this in the InfoSec realm: policies that are dysfunctional and out of place in the real world. We’re not talking about the no-personal-floppy-disk policy, but rather policies that prevent the business from, well, doing business. If you have ever heard the phrase “sorry, you can’t do that because it’s against security policy”, then that is the problem right there.

Take a step back for one second and remember why you are creating the policy in the first place: it is to protect and enable the business to operate in a secure manner (add your own seasoning to that, but generally speaking it is in the same theme/spirit). However, if you are creating policies without business consultation, you’re effectively creating policy in a vacuum, leading to distrust, policy circumvention and ultimately a policy fail.

Back to Evergrande for a second. While this is not a suggestion that Beijing created its policy in a vacuum, it knew companies were in debt but had to take corrective action; it pulled the plug on available credit expecting the problem to resolve itself or, worse still, actually implemented a policy without stakeholder consultation.

Beijing is now playing a game of chicken: either Evergrande resolves its debt issue or Beijing will step in. Why? Beijing does not want an economic meltdown, citizens losing funds, supply chains closing, etc. At the same time, it can’t afford to bail Evergrande out, as other companies would then seek to request funds. Damned if you do, damned if you don’t: the intent was good but the execution, not so.

Unless you are operating within an authoritarian organisation, a democratic approach to the solution is required to enable the business. You still want the business to curtail risk, while consultation will allow the policy makers to understand the current situation and devise an appropriate strategy to level out risk over an appropriate timeframe to a mutually agreed, manageable level.

Well, where do I start? How does one know if a policy is causing fires within the organisation? Simple: ask the people on the ground for feedback. For existing policies, if the people on the ground have used the phrase “it’s against security policy” so many times, well, it’s time for a review. Naturally, there are reasonable bounds within which the business may operate, but if this phrase is being used time and time again, it is time to change the policy or devise a solution that is capable of fulfilling the request.

Does this mean that the policy is bad? Not necessarily; it could be as simple as tweaking the wording, providing standards or guidelines to supplement the policy, or a test case to identify how the policy could satisfy all parties. The point is that none of the mentioned solutions can be completed in a vacuum; they all require consultation: constant, regular consultation.

Secondly, if you caught on to the fact that the phrase sounds like a policy metric, that’s because it probably is. Consultation opens lines of communication for feedback, and any feedback, positive or negative, is a metric. No consultation, no feedback, no metric; simple. What about other ways of obtaining policy metrics? You may not have time to consult all the business units; communicating that there is a feedback line is a start, or better still, speak to the front-line staff and establish regular catch-up sessions.

Other metrics can be obtained through other business functions. Shadow IT is just one example: the fact that it exists could suggest that a policy is hindering the business. Assuming that you have a procurement function, significant IT purchases for assets or services that are not completed through approved procurement channels could suggest a policy failure. However, you would never know if you have not established a communication channel with Finance/Procurement.

Another way is to employ technical means to verify the effectiveness of the policy. It could be as crude as leveraging your support ticketing system and categorising the tickets. If there is trust in the establishment, expect constructive feedback. Unless there is a structural problem with your policies, you should not expect an avalanche of responses either: either it is working, or there is no trust and your policies are being circumvented.

So what happens if my policies are circumvented? Well, aside from implementing a dictatorship, asking your IT support and security teams for ways to look for holes would be a first step. They may also provide information on technical solutions, such as infrastructure monitoring, to provide metrics.

Now this is by no means a comprehensive list; context is required to devise a suitable approach and effective solution. But let it be known that, unchecked, ineffective policies lead to a divisive environment ripe for abuse. Change is possible, though, and assistance can be provided by starting one simple constructive dialogue.

In the next blog we will discuss policy development.

References:

https://www.bbc.com/news/business-58579833

https://edition.cnn.com/2021/09/24/investing/china-evergrande-group-debt-explainer-intl-hnk/index.html

Avoiding Cyber Burnout

After a very late night out, something possessed me to check Twitter, and up came a tweet:

It’s Saturday but I still have to ask: what was your win for this past week? Everything counts. – @jessysaurusrex Mar 19

It struck the late-night philosophical side, so I asked: why the question?

…I think it’s important, esp, in infosec (bc there’s a high failure/burnout) to refocus on – @jessysaurusrex Mar 19

It got me thinking again in the morning: as leaders, managers and peers, what do we do to reduce burnout?

I used to manage a virtual team for patch management, with members geographically distributed. We all had our respective workloads, but as Patch Tuesday came in, it was all hands on deck, every month, without fail. Maintaining morale under a big workload is hard to do. Just as detecting emotional state is difficult over email, how do you know that the team is keeping well?

In our team there were some punishing moments, but we all managed OK. Part of this was due to the fact that we had short weekly phone conferences.

Why weekly? I wanted to know if there was something in the pipeline that could scuttle the ship. Did another manager just assign a piece of work that would detract from patching? Did a priority-one come in?

The meetings also allowed members to openly express any immediate concerns or challenges. Just like the tweet, I wanted to know if we had made any wins between meetings. If we hadn’t, was there anything that other members could do to help out? Had anyone else experienced any problems? Was there something that I could escalate or offload?

It was a chance for members to collaborate and help one another out.

Some other things that helped:

  • The ‘Vegas’ policy: what happens in the meeting stays in the meeting
  • Updates: anyone assigned an action item owns it and is expected to follow through. If we have to chase, it is understood to be urgent, not monitoring.
  • Leave management to management: if an SME needs management support, the management rep owns the task, leaving the SME to focus on their turf.

We can’t control the world, but we can always help others in need.

I’d like to know if you have any techniques that could help reduce burnout amongst your teams.