28 April 2014 / Others

The Info-Sec Idiots Guide

Application Controls Audit


[Figure: Info-Sec Idiots Classification]

“Can you get us a security certificate in a week’s time?”

If you have been in the infosec consulting business long enough, you will, for sure, have come across this sentence. In this post, I want to vent my frustration and tell you the answers that I actually want to give - not the answers that I actually give!

1. “Sir, if I may ask you - who made you the f****** CISO?”
2. “Yes, sure. Would you need a colour print or can I print it in black and white?”
3. “Would you like fries with that?”
4. “You hare-brained idiot. Security is not a switch you can turn on and off at will. You must be one of those idiots who have moved to infosec from IT after implementing a few firewalls and believe that there is nothing more to infosec.”
5. “We would like to be paid up front.”

However, what really happens is that I get into a very long monologue on how to implement security in an organisation, why implementing infosec is a culture shift, and why they need to understand their risk appetite before they can even think of writing and implementing policies. This is usually met with blank stares.

Then, enlightenment dawns upon him. He says, “...but you are an experienced team of consultants. You must have all the policies and procedures. Why don’t you give them to us so that we can start implementing them?”

By now, I have moved to auto-pilot mode. I know what is going to happen. I go to my stock response: “Every organisation has different needs. If you need generic policies, I can give them to you today by downloading them from NIST or SANS.”

His eyes light up with my reply. “What are the websites for those?”

“www.nist.gov and www.sans.org”

“But you do know the best practices, right? You also know our business a bit, right? What policies do similar organisations adopt? We don’t need anything elaborate.”

“Good policies are seldom elaborate. We generally create policies which are simple English statements that are easy to understand, and the length of the policy is minimal,” I say, knowing exactly what to expect.

“Not too short though; our customers / stakeholders / regulators would like to see elaborate policies.”

I am now close to finding out who has mandated this madness on the organisation. I persist a bit longer. “I am sure a smart customer will be able to recognise a good policy, not from its length but from its relevance and content.”

“Yes, I know, but the regulators are coming in for an audit next week and they are not all that smart.”

There you go. Elementary, my dear Watson! The regulators are sending over auditors next week and the CEO is sitting on the CISO’s head asking him to get this done. The CISO probably brought up the budget issue that he has had for a long time and has, with one week to spare, obtained a blanket approval. “Do whatever is needed to get the regulator / customer / stakeholder off our back,” the CEO must have said. This is how I find myself sitting in front of the idiot trying to answer THE question.

This is probably not just the CEO’s fault. The CISO I am talking to must be one of 4 types of idiot CISOs that I have identified over a period of years. The classification is attached to this post for your easy reference and suggestions!

How do YOU deal with such questions / CISOs?