Tag Archives: Security

Project Management Fundamentals

One of the tools required for a consultant is the ability to project manage. The entire engagement may have sub projects, involve a lot of staff and stakeholders all of which increases complexity. Complexity increases the risk profile for engagements, hence any reduction in complexity is always welcome.

Having said that, the core items relating to basic project management are often overlooked. There are legitimate reasons behind this but the truth remains that there is no excuse for not getting things right in the first place. Yes, I’ve been here but hopefully have learnt something from the experience and will not do it again.

This is a short list of common mistakes that some PMs make and tips which I have learnt or have gained from working with some brilliant PMs.

You might ask: What does this have to do with Security?

Security is a rapidly changing area. All security professionals work to very short delivery dates. Mistakes, job reworking, delays are extremely costly, especially in a recovery situation. The importance of ‘getting it right’ the first time is critical!

Define and enforce Scope

Scope creep is a project killer. It happens and can be caused by any of the following (not an exhaustive list): poor planning, inadequate requirement analysis, lack of funding.

Define the boundaries and stick to the scope at all costs; enforce the scope. Don’t allow scope creep to set in. It is a matter of pride, both yours and the project sponsor’s.

Going the extra mile: if the scope changes, get the person requesting the change to justify it. Discuss alternatives and embed a ‘penalty option’ for the requester. The penalty provides contrast to the alternatives, as you will need more resources to get the job done, and gives a balanced view of the scope change.

Metrics for everything

How do you know if you hit a milestone if you have no way of measuring it?

Anything that impacts on the project: time, resources, funding, etc. must have a metric.

It provides tangible evidence for a lot of things: due diligence, coverage, costs, elapsed time, you name it.

Going the extra mile: If there is no metric, think of what the goal of the metric is, think of a suitable metric, keep it simple and create one. Sometimes, you can’t retrospectively create a metric. There is no such thing as a small task that should not be measured. Finally, repeatable automation of metrics gathering is a lifesaver!

Do not underestimate the power of the Subject Matter Expert (SME)

Assumptions are risks!

Unless you are the SME, the SME is your friend. More often than not, they will have a better idea of what is possible (or impossible).

Iterate through each assumption and ask for their input. Where possible and if appropriate, go through the entire plan and show them the bigger picture.

They may also have a better way of doing the task which may improve on delivery. Win-win situation.

Going the extra mile: engaging SMEs as early as possible will make them feel important, and their input will be valuable. Keep in mind that they are SMEs and may not have a PM mindset, so get them to think like a PM: take them to an area free of distractions and ask them, ‘What is required to get the task done? What do you need to get the job done?’ etc.

Dreaded Deadlines

Like scope, stick to it. Enforce a deadline for your subordinates. Deadlines make people accountable. Deadlines are more important when tasks are on the critical path. As mentioned, slippage is expensive.

Don’t consider the deadline as the end of the task; try to get the task done before the deadline, even if you have included contingency time.

Going the extra mile: be people friendly when defining deadlines; don’t call it a deadline. Importantly, to get them to be part of ‘the team’, you have to understand their deadlines and constraints! When you relate to their world, it builds rapport and they are more likely to be proactive.
They could also go the extra mile by getting extra resources, re-prioritising your task as a high priority, etc.

Importance of communications

Communication is core to getting everyone working in unison.

Is a phone call necessary? Is an e-mail necessary? Consider the criticality of the message you’re trying to get across. Scheduling a meeting can be done via e-mail and chased by phone if an urgent response is required.

Think closely about the aim of the communication, articulate that clearly.

Everyone is time poor; unless they really need to know, avoid paragraphs full of information.

Mass communication should be structured in a way that a primary school kid should be able to understand and importantly, acknowledge/follow.

Going the extra mile: important points first (including actions), what the goal is, what is involved, keep it positive, be short and succinct.

While there are many other areas of improvement and each point could be explained in much more detail, consider this to be the start of a well-oiled consulting/project management experience.

Integrating Security with Asset Management Part 2


  • Business alignment with security projects will help persuade the decision makers to approve and endorse security projects
  • Being creative helps to obtain business alignment

As mentioned, when looking at frameworks eg: ISO27001, SANS top 20, etc. several of them mention Asset Management as an action and it is a task quite high on the list.

Several things will need to be done:

  • Out of scope for this blog, but a procurement structure must be in place so that staff know who to go to for acquiring equipment.
  • Procurement and security policies, standards and guidelines, covering acquisitions to securing devices in place
  • Policies are communicated to staff

All is good now but how does it provide benefits for the business?

Well, this is where metrics come in.

The decision makers will want to know how successful your project will be, and they will be interested in how the project has saved the business money, increased productivity, etc. Metrics are a way to provide this information.

The ability to measure opens up opportunities to be ‘creative’ with business goals.

Let’s look at business strategies:

  • Saving costs
  • Reducing downtime
  • etc.

Taking the two examples:

  • Saving costs: asset discovery, license management, lease management, whole of life, power consumption, etc…
  • Reducing downtime: hardware failure, software failure, system performance, etc…

There should be enough information in the Asset Management database to establish metrics to determine the basics:

  • Number of systems
  • Where are they located
  • When systems go out of warranty

Now with some cross matching against other systems you can do things like:

  • Find out which systems have not been on the network for a while and find out where they are (are they in a cupboard? If they are, can they be redeployed, saving the cost of purchasing a new system, configuring it, etc.?).
  • Find out which systems are nearing the end of their warranty (if they are going to be out of support, a new system can be pro-actively ordered, reducing downtime; for asset management purposes you won’t need to upgrade them, saving time and resources).
  • etc.

All of these are strategies that can be translated to security wins:

  • If you know the system is in storage, you know it requires updates to be compliant or if it is to be deployed to new staff, the status of the device must be updated.
  • If a system is old, there is a good chance that it may have legacy software which may be a security risk

With this intelligence, asset management provides a return on investment and helps achieve security goals.

Aligning Security with the business: Recent News


  • Recent surveys show that CxOs lack appreciation for CISOs
  • It is up to us as InfoSec professionals to show the importance and value of integrating security with the business

Security is a cost…heard that one before? This is the primary goal of this blog, to change this mindset to ‘Security is an investment‘.

It is hard to show how security has saved an organisation’s bacon, after all, if nothing happens, everything must be fine…right?

Let’s put this into perspective:

  • Traditionally, businesses depend on IT solely for day to day inhouse functions. Now, it is required for new/modern functions such as: business intelligence/strategy, R & D/innovation, data warehousing, marketing, etc. This changes IT dependencies within a business from ‘just a tool’ to core business functions, entire departments are created through information technology.
  • Information is a valuable commodity, just ask the NSA or a competitor.
  • Information is freely accessible to all, anywhere, at any time. This increases both perceived and actual anonymity, and raises educational standards for everyone.
  • As long as an organisation is valuable, there will always be malicious financially motivated threats: espionage, extortion, etc.
  • Information security is about maintaining the CIA: Confidentiality, Integrity and Availability of information.
  • As an adversary, carrying out a threat and disrupting the CIA by obtaining or destroying something of value has never been easier.

C-level executives need to understand that the above points outline the current situation in information security.

Now for the evidence showing otherwise:

A recent survey shows that CxOs have a lack of appreciation for CISOs.

One piece stands out, quote:

More than half of the C-suite executives in the survey said that CISOs provide valuable guidance on cybersecurity matters. However, they also felt that their CISOs did not possess enough broad awareness of organizational objectives or business needs to deserve a place at the leadership table.

This just re-iterates the importance of getting security functions aligned with the business.


Adding to this is the fact that C-level executives are not aware/don’t believe that cyber security is a priority. Homeland Security in the US thinks otherwise: C-level execs need to know that Information Security is a business issue.


Just as we are good technically, we also need to be proficient at a management level (or get a CISO that is!). Being creative and providing ways to show that information security can deliver a return on investment for the business is key to changing this mindset.

Integrating Security with Asset management Part 1


  • First in a sequence of blogs which will outline how to implement security measures with business support.
  • Know what you know and investigate what you don’t know
  • Leverage existing systems but apply some intelligence to achieve security goals
  • Refine by identifying the weaknesses, fix the weaknesses and monitor for improvements.

Simple question: Can you tell me right now, who has disabled their AV?

It’s amazing to find the number of organisations that would not be able to give you an answer to that.

‘You cannot protect what you can’t see’

Consider these scenarios:

  • Decentralised procurement/budgets lead to authorised/unauthorised purchases such as a computer; for one reason or another the asset is not tracked in the asset register, the computer is compromised, and this leads to a security issue.
  • Staff connect a custom-built system to the network; the system gets infected and causes issues on the network, leading to a security issue.

I’ve been an advocate of having asset management as part of a security function for quite some time. It may not be managed by the security team, but the security team could and should have some input and exposure. The reasoning behind this stems from the implementation of the SANS 20 Critical Security Controls.

The first control is to create an Inventory of Authorised and Unauthorised Devices


The win is that you know what to protect within your organisation, providing the availability of statistics. As mentioned, statistics then can be used for a lot of things: metrics, milestones, forecasting, planning, KPIs, etc.
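The cross-matching described in Part 2 (idle systems, systems nearing the end of warranty) and the inventory of authorised and unauthorised devices above are the same join: the asset register against what is actually seen on the network. The following is an added example, not code from the original post; the register and the ‘last seen’ records are constructed sample data, and the 30-day idle and 90-day warranty thresholds are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample asset register export (hostnames, locations and dates are
# made up): hostname,location,warranty_end
ASSET_REGISTER_CSV = """hostname,location,warranty_end
WS-001,Level 3 desk 12,2025-11-30
WS-002,Level 3 desk 14,2024-02-15
WS-003,Store room B,2026-06-01
LT-010,Sales (mobile),2024-03-01
"""

# Constructed sample of "last seen on the network" records, as you might export
# from DHCP leases, switch MAC tables or the AV console: hostname,mac,last_seen
LAST_SEEN_TEXT = """WS-001,00:11:22:33:44:01,2024-01-20
WS-002,00:11:22:33:44:02,2024-01-21
LT-010,00:11:22:33:44:10,2024-01-19
BYOD-PHONE,aa:bb:cc:dd:ee:01,2024-01-21
"""


def parse_register(csv_text):
    """Return {hostname: record} from the asset register export."""
    register = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["warranty_end"] = date.fromisoformat(row["warranty_end"])
        register[row["hostname"]] = row
    return register


def parse_last_seen(text):
    """Return {hostname: (mac, last_seen_date)} from the network observations."""
    seen = {}
    for line in text.strip().splitlines():
        hostname, mac, last_seen = line.split(",")
        seen[hostname] = (mac, date.fromisoformat(last_seen))
    return seen


def reconcile(register, seen, today, idle_days=30, warranty_warn_days=90):
    """Cross-match the register against the network observations.

    idle            registered systems not seen for more than idle_days (in a
                    cupboard? redeploy instead of buying, but patch/review first)
    warranty_ending registered systems whose warranty ends within
                    warranty_warn_days or has already ended (plan the refresh;
                    expect legacy software on them)
    unregistered    hostnames seen on the network but absent from the register
                    (the SANS CSC 1 "unauthorised device" list)
    """
    idle, warranty_ending = [], []
    for hostname, rec in register.items():
        observation = seen.get(hostname)
        if observation is None or (today - observation[1]).days > idle_days:
            idle.append(hostname)
        if (rec["warranty_end"] - today).days <= warranty_warn_days:
            warranty_ending.append(hostname)
    unregistered = sorted(h for h in seen if h not in register)
    return {
        "idle": sorted(idle),
        "warranty_ending": sorted(warranty_ending),
        "unregistered": unregistered,
        # the plain counts are the metrics the decision makers ask for
        "metrics": {
            "registered": len(register),
            "seen_on_network": len(seen),
            "idle": len(idle),
            "warranty_ending": len(warranty_ending),
            "unregistered": len(unregistered),
        },
    }


def run_report(today=date(2024, 1, 22)):
    """Build the report for the constructed data as of `today`."""
    register = parse_register(ASSET_REGISTER_CSV)
    seen = parse_last_seen(LAST_SEEN_TEXT)
    return reconcile(register, seen, today)


if __name__ == "__main__":
    report = run_report()
    for key in ("idle", "warranty_ending", "unregistered"):
        print(f"{key}: {', '.join(report[key]) or '-'}")
    print("metrics:", report["metrics"])
```

Each list maps to an action the business already understands (redeploy, refresh, find the owner), and the unregistered list is the gap the first control is meant to close.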

Remember, before any system is implemented, it is important to note that business support and approval must be obtained otherwise the project will be doomed for failure.

No matter how good your asset management is, you will get rogue purchases, staff circumventing the system. This is where planning, policy and processes are required to stop the leaks.

Not everything has a technological solution, in fact, planning/strategy, policies, procedures and guidelines help drive the technology selection process for an organisation.

  • Planning/strategy allows the right decisions to be made so that the company infrastructure can be designed to support the organisation. This also provides uniformity towards a common goal for all staff.
  • Policies are required to steer procurement decisions for the organisation and are also used to curb deviations from the corporate norm (for procurement and delinquent departments).
  • Standards are defined to ensure alignment with the policies for procurement, IT and all staff. As mentioned, standards are also there for system identification.
  • Guidelines assist planners by outlining what could be used within an environment.

With this in place, the laws of the land are set out and referred to by all.

A good resource for policy creation is the SANS Security Policy Project:

The primer is a good read.

Having these in place will help reduce the number of ‘rogue’ devices within the organisation as well as set the framework for a solid asset management system.

The Business as Stakeholders


  • The business must be involved as stakeholders as they are the owners of the data
  • The business must be made aware of not only the risks but also quantify the fallout
  • Financial, productivity, competition losses, legal or compliance violations are terms that the business understands
  • Any pitch must be at the CxO level in order to filter down to the business

It is easy to throw blame at the business for going out and acquiring systems without IT input; however, if the business does not know who to contact to help with the selection process, what are they to do?

Like a high visibility vest, security people must be visible in order to provide protection. You want to be there for the business, rather than have them come to you when it is too late.

Any security program must work with the business for a number of reasons:

  • Applicability: does the business require a particular security control/countermeasure? (You would find out through a risk assessment, but it also shows that you understand the business, and they are more likely to work with rather than against you.)
  • Practicality: will the security control hinder productivity? (If it does, the business may complain or, worse still, reject/counteract the control.)
  • Metrics: the business will be able to provide constructive feedback; this way you can gauge the effectiveness of a countermeasure.
  • Consequence: explaining the consequence of a failure in business terms will help them better understand the importance of the security program.

As an example, metadata in public documents can reveal information about the internal structure of an organisation, which can lead to targeted attacks.

Explaining to the CEO:

  • what information disclosure is and how it occurs
  • a case study: his/her login details can be found in a public PDF, which can lead to an attacker being able to social engineer a password reset and access the CEO’s email and latest financial statements via VPN; this is a potential risk (and is also another way of obtaining funding for two-factor VPN)
  • that this will lead to a loss of business confidence and of the CEO’s privacy, and could be used against him/her in the future…

By pitching this to the CEO, he/she is aware of the risks and losses, can help you obtain the resources required for the security program, and can help leverage your way to send out the security message throughout the organisation.

The importance of strategy, metrics and KPIs


  • Security has always been and will continue to be a moving target
  • Information Security has always been and will continue to be a fast moving target
  • Doing ‘security by audit’ only fails. Security strategies are required to adapt to new threats.
  • Strategy, metrics and KPIs must be available and flexible enough to adapt to changes in the business

There are people out there that may remember this:
Centralised computing (Mainframes) -> Client/server computing -> Centralised computing (Data centres/virtualisation) -> Decentralised computing (Cloud)…

During each stage, information has shifted back and forth between computing models and business boundaries.

What has always been at the core is the ability for any Information Security discipline to identify and secure this information where ever it may be.

There are organisations that are at the cutting edge and there are some that still use mainframes.

If the organisation’s security strategy is to ensure that all systems are behind a perimeter, yet data is in a 3rd party cloud, the strategy is destined to fail.

This is one of the reasons why organisations that only do ‘security by checkbox’ continue to get compromised. Iterations of audits/standards must consider change in order to keep pace with the current threat environment. Ticking checkboxes can only provide you with a *baseline* level of security.

Security gaps appear between the last checkbox review and new developments from the adversary.

Strategy, or to be precise information security strategy, is designed to ensure that information remains secure, agnostic of business/computing model.

Strategy should consider and respect the basic security tenets: CIA triad, need to know, data at rest/transit, etc…

Metrics are used to gauge what the current state of play is. Nothing complex, just plain and simple information. Items of interest include: computing equipment, applications, data and associated classifications, etc.

KPIs are used to ensure that any program being implemented meets or exceeds the intended level of protection, eg: ‘strength’ of countermeasure, level of compliance, effectiveness/penetration of policy, etc. These are continuously reviewed based on the security strategy/scope, ie: when the strategy/scope changes, the KPI changes.

As a specific working example (don’t implement to this level of detail; it should be done at a higher level):

  • Strategy: ensure that the passwords remain secure and only accessible to me and another person, passwords are to be kept in a centralised location and not transmitted over the wire, etc…
  • Metrics: Who has accessed it? How many times has it been accessed? Number of attempted breaches? Number of successful breaches? etc
  • KPI: Has there been any attempts to gain unauthorised access to the passwords? How long did it take for the breach to be reported? Was it handled promptly and closed?
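To show what the metrics and KPIs of the password example look like when they are actually gathered, here is an added example that is not part of the original post. It assumes a central password vault that writes one access log line per request, an authorised pair of users, a four-hour reporting target and a constructed incident timeline; all of those are assumptions, and the log lines are constructed.

```python
from datetime import datetime

# Constructed access log from a central password vault (users, secret name and
# times are made up). One event per line:
#   <ISO timestamp> <user> <action> <secret> <GRANTED|DENIED>
VAULT_LOG = """2024-01-22T09:15:02 alice READ prod-db-password GRANTED
2024-01-22T09:40:10 bob READ prod-db-password GRANTED
2024-01-22T11:02:45 mallory READ prod-db-password DENIED
2024-01-22T11:03:01 mallory READ prod-db-password DENIED
2024-01-22T11:05:30 mallory READ prod-db-password GRANTED
2024-01-22T15:30:00 alice READ prod-db-password GRANTED
"""

# Strategy: the secret is only accessible to "me and another person".
AUTHORISED_USERS = {"alice", "bob"}
# Assumed KPI target: a breach must be reported within four hours of the first
# unauthorised attempt (the figure is an assumption, not from the post).
REPORT_SLA_SECONDS = 4 * 3600
# Constructed incident timeline for the sample: when the breach was reported
# and when the ticket was closed.
INCIDENT_REPORTED_AT = "2024-01-22T13:20:00"
INCIDENT_CLOSED_AT = "2024-01-22T17:00:00"


def parse_vault_log(text):
    """Turn the log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, secret, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "secret": secret,
                       "granted": outcome == "GRANTED"})
    return events


def compute_metrics(events, authorised):
    """Metrics: who accessed it, how often, attempted and successful breaches."""
    metrics = {"accesses_by_user": {}, "total_accesses": 0,
               "attempted_breaches": 0, "successful_breaches": 0}
    for e in events:
        if e["granted"]:
            metrics["total_accesses"] += 1
            by_user = metrics["accesses_by_user"]
            by_user[e["user"]] = by_user.get(e["user"], 0) + 1
        if e["user"] not in authorised:
            # any attempt by someone outside the authorised pair counts as a
            # breach attempt; a GRANTED outcome is a successful breach
            metrics["attempted_breaches"] += 1
            if e["granted"]:
                metrics["successful_breaches"] += 1
    return metrics


def compute_kpis(events, authorised, reported_at=None, closed_at=None,
                 sla_seconds=REPORT_SLA_SECONDS):
    """KPIs: were there unauthorised attempts, how long until reported, closed?"""
    unauthorised = [e["ts"] for e in events if e["user"] not in authorised]
    kpis = {"unauthorised_attempts": bool(unauthorised), "time_to_report_s": None,
            "reported_within_sla": None, "time_to_close_s": None, "closed": False}
    if not unauthorised:
        return kpis
    first_attempt = min(unauthorised)
    if reported_at is None:
        kpis["reported_within_sla"] = False      # never reported: KPI failed
        return kpis
    kpis["time_to_report_s"] = int((reported_at - first_attempt).total_seconds())
    kpis["reported_within_sla"] = kpis["time_to_report_s"] <= sla_seconds
    if closed_at is not None:
        kpis["time_to_close_s"] = int((closed_at - reported_at).total_seconds())
        kpis["closed"] = True
    return kpis


def run_example():
    """Run metrics and KPIs over the constructed log and incident timeline."""
    events = parse_vault_log(VAULT_LOG)
    metrics = compute_metrics(events, AUTHORISED_USERS)
    kpis = compute_kpis(events, AUTHORISED_USERS,
                        datetime.fromisoformat(INCIDENT_REPORTED_AT),
                        datetime.fromisoformat(INCIDENT_CLOSED_AT))
    return metrics, kpis


if __name__ == "__main__":
    m, k = run_example()
    print("metrics:", m)
    print("kpis:", k)
```

Note that the metrics are plain counts that never change meaning, whereas the KPI (reported within the target, then closed) is the part that gets re-tuned when the strategy or scope changes.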

Without the above, adapting security to a changing environment is an extremely difficult task.

What makes for a well oiled security strategy


  • CIOs/CISOs need to be able to determine and provide a unified communication strategy to other CxOs and staff outlining what needs to be protected, risks associated and how to mitigate these risks.
  • Security efficiency is achieved by integrating as much as possible as normal business functions.
  • To measure the effectiveness of any security program, it must be measurable
  • Scope, timing, statistics and integration are required.

Like all good security-conscious organisations, you have security policies, security software, procedures, etc. That is all well and good, but how effective is it?

Coming from an incident response/project management background, every task is quantified, hence aim, scope, timing and statistics/metrics are extremely important. Integration ensures that there is no disconnect between the business and security functions; this also avoids missing out/overlooking security tasks.

The CIO/CISO is steering the security ship: communicate to other C-level executives and get their support to communicate to other staff.

Aim needs no introduction; for completeness, the aim is to protect the organisation’s assets by identifying risk against the assets and developing measurable strategies to ensure that the exposure is reduced in the shortest period of time.

  • To understand the impact of the situation and to reduce resource utilisation in critical situations, scope is very important: what assets are you trying to save/protect? Prioritise what is critical to the business. This also has the added benefit of getting everyone on the same page, by knowing that the information staff handle should also be protected accordingly.
  • Timing is critical. Timing is used to test how long it takes before a threat is detected, to see how long it takes to break into a system, the time to mobilise incident response teams and to neutralise any threat, determining resource consumption/availability, etc.
  • Statistics/metrics are used throughout to determine if a response has a positive effect; milestones are used to determine when to stop neutralising a threat and assist with the next course of action, mark how far a system has been compromised before detection, etc.
  • Finally, much of this should be integrated/embedded into the business, ideally through an existing business function. Functions such as system life cycle management, asset management, incident reporting, etc.

If we relate this to a racing team we have the following:

  • Aim: to win the race
  • Scope: only dealing with cars and not trucks etc., prioritise improving the performance of the car, provide constructive feedback to the driver, etc… also each discrete unit performs a well defined, unique task
  • Timing: it’s a race, quickest team wins, how long each component/process/team is taking
  • Statistics: How fast is fast? How do you know you’ve improved? Where can you improve?
  • Integration: this is what makes the team; every discrete unit works together with a common goal.

What is the end result:

  • business intelligence gained from this can be applied to other disciplines, eg: strategy/planning, project management, forecasting/projections, etc., thus delivering tangible benefits to the organisation
  • business agility can be achieved, as changes can be implemented quickly and effectively
  • risk assessment/planning
  • from a security point of view, security visibility will improve, anomalies will be easier to detect, posture will be easier to assess, and security functions will be simpler to deliver

In the upcoming blogs, we discuss a working example where this can be integrated.

Security is a balance between offence and defence.


  • How do you know that your defences are good if you don’t test them?
  • What lengths would your adversaries take to compromise your systems?
  • Adopt the same offensive mentality as your adversary in order to test your defences

You have your security strategy, you know (most of*) your threats/vulnerabilities, you implemented a top-down well oiled security program, policies, procedures, processes, technology, etc. You’re now safe…


As mentioned in a previous blog, security must be tested either by you or by your threat.

The Mandiant Threat Landscape report shows that intruders can be on your network for 243 days before being detected. (1)

Let’s be ignorant and ask a few questions:

  1. How did they get through our defences?
  2. Why did it take so long for them to be detected?


Let’s assume that all the policies and technology are capable of keeping the adversary out; how would *you* know? Business is evolving, computational power is getting cheaper, interconnectivity is expanding, attack information is easily accessible and adversaries adapt. With all of that in mind, is your security program evolving?

This gap between the security program and the adversaries’ capabilities is the current risk to the organisation.

From the last blog, an assessment would have been made to find out an organisation’s assets and threats. As part of the threat analysis, some consideration would have been made to examine the likelihood and the capabilities of the threat.

Risk mitigation will consider the threat analysis then apply the appropriate risk treatment.

A lot of threats could be addressed by going through a ‘checklist’; this would be considered a ‘baseline’. However, to stop a determined adversary, advanced threats, etc., some innovation is required. As a penetration tester, you need to be innovative and think outside the square to find ways in; this is where innovation is practised.

Back to answering question 1: to be a good security professional you have to think like *the* threat, the adversary, a pen tester, in order to minimise the risk of a threat compromising your organisation.

As for the second question, it is obvious that the adversary was not detected at the time of entry, and that raises other questions: how well oiled is your security program? Is it measurable? Were the right vulnerabilities addressed?

To answer this, you need to put your defensive hat on…

1. https://www.mandiant.com/threat-landscape/

Defining Security Scope: Another way of saying ‘know thy enemy’

You cannot protect what you can’t see


  • Know your assets and threats based on industry, size, image, political, social factors, etc.
  • Conduct high level identification and assessment of the threats
  • Produce suitable mitigation strategies/countermeasures for the threats until the risk is at an agreed level by the business

Without knowing your assets and understanding the threats against them, it is extremely difficult, if not impossible, to protect your environment.

Identifying your assets will be discussed in a later blog. Let’s quickly discuss threats.

Each industry has its specific threats and they range from amateurish to well-funded nation states.

There are models available to help map out what threats your organisation could potentially face.

The areas to consider are:

  • Industry: is it a high competition industry?
  • Size: how large is the organisation?
  • Image: does the company have a great dependency on its image/brand, and what would happen if it were to be compromised?
  • Political: do political events affect the organisation?
  • Social: is the organisation operating in an environment where social tensions work against the organisation?


Each area has a specific threat and depending on the threat, a suitable risk mitigation strategy should/must be considered, reviewed and implemented.

To put it into perspective, your corner store is probably not going to be targeted by a nation state.

However, a large/vocal pro-Western company may be a target of an anti-pro-Western organisation, political affiliation, etc.

For each threat there is a countermeasure: mitigate, accept, insure, delegate, etc.

Once all of this has been considered, a scope can be defined to allow for the security team and affiliates to adhere to and follow.

Understanding the scope allows any organisation to formulate an appropriate strategy to counter the threats.

Naturally, this will need to be reassessed on a regular basis (think diversification, acquisitions, etc) to ensure that the organisation is protected.

The What, When, Where and Hows of security

What is security?

The objective of having security is to stop and/or limit the pain inflicted on the asset/organization.

Would a desperate car thief stop at the garage door to steal a rare car? Would a storm stop because it would cross international boundaries? Why would a determined person with malicious intent stop if they have a set goal in mind?

When do you know if you are secure?

If the asset is worth securing, how much time, effort, cash are you willing to put in to secure it? What are your threats?

You wouldn’t spend $50 to protect a jar of $3 biscuits against a 5 year old cookie monster. However, with a bit of innovation, it is quite possible to spend $1 to protect a jar of $3 biscuits simply by moving it out of sight.

Where is security placed?

Security must be a core part of whatever asset(s) you are protecting. It must be part of any project design/planning process. Security will cross over departments, systems, etc. Security does not come down to one individual; it is a shared responsibility.

What would happen should a family member take down the cookie jar and place it in reach of a determined 5 year old cookie monster?

Is my Security implementation effective?

Security will be tested; if not by you, it will be by that one determined individual.

Just like any test, you need to know what it is you’re trying to protect, what you need in order to measure the effectiveness, and the duration of the protection required.

Remember: Security HAS an expiry date! A security strategy must adapt and grow in accordance with the asset that it is protecting.

What good is a moat if your adversary has access to planes and helicopters?

How do I stay ahead of the security game?

Innovation. Before you can be innovative, you must have the appropriate tools at hand: policies/procedures/information/statistics/metrics…

With that in mind, this blog will help anyone that is in charge of an asset that is worth protecting implement a well oiled security plan.