Action, Not Inaction is What Being a Leader is All About

In the Model-Netics methodology by Main Event Management you are taken through a management course that makes use of standard, what some would call common sense, management rules to demonstrate and teach how to handle a lot of the items that come a leader's way during the course of a normal work day. Two of the Model-Netics rules that I feel need to be used more widely by Information Security leaders are the Action T.N.T. rule and the Eighty Percent Rule. A lot of you are already familiar with the Eighty Percent Rule, but familiar or not, it is seldom followed.

The Action T.N.T. rule stands for Take Action Today, Not Tomorrow, and encourages leaders to take action as soon as they have sufficient information to decide on a reasonable course of action, rather than waiting in paralysis until they have absolutely every bit of information it is possible to have before moving forward. For example: I once worked on a project whose project lead was one of these paralyzed types of individuals, and after 16 months we were still in the planning phase, talking about the implementation of a technology that was leading edge when the project started but was quickly becoming outdated. He finally recommended cancelling the project as the technology was no longer viable, and he was able to show how successful he had been by not “allowing” dollars to be wasted on deploying an outdated technology. He almost got away with that until one of the more astute executives asked him what the 5 million dollars he had been given was used for and what the 20 resources assigned to the project for the past 16 months had been doing.

The Eighty Percent Rule, which takes its name from the 80-20 rule or Pareto's Principle, is similar to the Action T.N.T. method in that it strongly recommends that leaders make a decision and start a course of action when they feel they have 80% of the information or 80% of the design completed, and not wait for the remaining 20% before starting. There are many right ways to complete a task, and neither the T.N.T. nor the 80-20 methodology suggests that adequate planning not take place before making a decision; rather, that action is taken in lieu of collecting more and more and more data that really has little impact on the leader's overall decision. When I lead my team(s) on projects and work items I do not allow more than 3 weeks of planning to take place, even on major projects; this ensures that once the planning is complete, action actually takes place that ends in completion of the final goal. This doesn't mean that adequate planning is not completed; it just means that we're kept pretty busy during the planning stage.

Have I been successful with that approach, in implementing infrastructure, enhancements, etc.? Yes, I have. It works, it is effective, and IMO it is a leader's and manager's job to make a decision and move in the direction of accomplishing the business goals.

© Kevin L. McLaughlin, properly cited re-use is acceptable


Building the Information Assurance Program

In 1948, in his book “The Seven Storey Mountain”, Thomas Merton wrote: “Success – the logic of worldly success rests on a fallacy: the strange error that our perfection depends on the thought and opinions and applause of other men.”

Within the Information Security profession we must agree with Thomas Merton that this worldly definition of success is not one that fits our world. Not many of us in the profession receive the applause of other men or women during the course of our duties. Think about it for a moment: if you write a “tough” Policy that forces people to do something they are resistant to doing, do you really think the applause is going to start rolling in? The opinions will, so at least we'd be halfway to the fallacy of “worldly success”.

Yet, as Information Security Professionals, we know that having Policies based on International Standards, best practices, etc., combined with a mechanism to enforce compliance with those policies, is a critical component of a successful program.

So, if we buy into the belief that success isn't about counting on the applause of your community members, then what does success look like for an Information Security department, or for an information security professional? The definition of success can be different for each Information Security department based on its self-identified mission and vision. One Information Security department I worked with decided to follow a modified version of Roger Allen's formula for success, as explained in his book “Winnie the Pooh on Success,” in which Winnie and the gang discuss the formula for being successful. The key success factors in Allen's book, adapted to Information Security, are:

  • Select your Information Security Vision
  • Use your Information Security Vision to set your Team Goals
  • Create an Information Security plan
  • Consider resources
  • Enhance Skills and Abilities as necessary – I have found SANS training good for this
  • Spend Time Wisely
  • Start! Get Organized and Go

While it is challenging to meet your Information Security success criteria, I encourage you to continue to move forward in the belief that small, systemic improvements over a long period of time will ultimately lead to both your and your team's success.

Said another way: focus on getting your wins where and when you can, with the understanding that each win will move you closer to your goals and the fulfillment of your vision. Do not worry or overly fret about the things you cannot accomplish; focus your time and energy on those items that you can accomplish.

© Kevin L. McLaughlin, properly cited re-use is acceptable


Non-Expiring Passwords for C-Level Employees. Really?

So, the other day while teaching my online course in Computer Security for the University of Advancing Technology, I had a student ask me what they should do if their CFO asked to have a non-expiring password in a publicly traded Fortune 500 company. I responded that in today's age of heavy SEC and regulatory oversight I didn't see that really being a problem. I jokingly said that maybe 10-15 years ago it wouldn't have been a problem either, because most of us weren't expiring passwords regularly.

The student came back with “No, I am serious. I was just asked to please set our CFO up with a non-expiring password, and the request came from my CIO directly to me, which, as low as I am on the totem pole, just about never happens” – my thoughts were all jumbled up for a minute, as I thought we had surely gotten past this mindset with the news articles and all the coverage about regulatory compliance, internal controls, etc. C'mon, I mean really? We are talking about the CFO – the Chief Financial Officer, the person with access to corporate funds, bank accounts, etc., and they really don't want to change their password because it is too much of an inconvenience? When I asked more questions I wasn't surprised to find out that the company does not have any sort of two-factor authentication for their Executives, as that is too cumbersome as well.

Why is it that Internal Audit, External Audit and others in that profession continue to miss items like that? Is it because they are so far down in the minutiae of systems that they have forgotten that at Enron it wasn't the little folks in the organization, like me and other IT Operations folks, that caused the issue; it was the corporation's senior executives. Things like Sarbanes-Oxley are supposed to manage and control C-level executives' behaviors because no one who works for them is in a position to do so. So, my call-out in today's rant is for the internal controls folks to pay more attention to the corporate executives and what they are or are not doing, and a bit less attention to the folks down in the trenches.
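As an added example, not from the original post: one way for the internal controls folks to see exceptions like the CFO's themselves instead of waiting for an auditor to stumble on them. It assumes an Active Directory domain, the RSAT ActiveDirectory PowerShell module and read access to user objects; the privileged group names are assumptions to be replaced with the groups that matter in your domain.

```powershell
# Added example, not part of the original post. Assumes an Active Directory domain,
# the RSAT ActiveDirectory module, and read access to user objects. The privileged
# group names below are illustrative; substitute the groups that matter in your domain.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# Enabled accounts whose password is flagged as never expiring. PasswordNeverExpires
# and Enabled are both filterable attributes for Get-ADUser.
$neverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet, MemberOf, Title, Department

$report = foreach ($user in $neverExpires) {
    # MemberOf lists direct group membership only; nested membership is not resolved here.
    $groupNames = foreach ($dn in $user.MemberOf) { (Get-ADGroup -Identity $dn).Name }

    # PasswordLastSet is null when the account must change its password at next logon.
    $ageDays = if ($user.PasswordLastSet) {
        [int]((Get-Date) - $user.PasswordLastSet).TotalDays
    } else {
        $null
    }

    [pscustomobject]@{
        SamAccountName   = $user.SamAccountName
        Title            = $user.Title
        Department       = $user.Department
        PasswordLastSet  = $user.PasswordLastSet
        PasswordAgeDays  = $ageDays
        PrivilegedGroups = ($groupNames | Where-Object { $privilegedGroups -contains $_ }) -join ';'
    }
}

# Oldest passwords first. Any row with a PrivilegedGroups value or an executive Title is
# an exception the control owner should sign off on, with a date by which it expires.
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\password-never-expires.csv -NoTypeInformation
```

Run it from a workstation with RSAT installed, under an account that can read user objects. An account set up the way the CFO's was in the post shows up with a password age that only ever grows, which is the line item to take to the control owner rather than leaving it for the auditors to find.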

Oh, wait a minute ..... whether it is an internal or external auditor, their pay still comes from the same executives that no one else in the company can challenge without fear of not being paid.... hmmmm... guess we won't be seeing that type of oversight anytime soon.

Oh, and since this is my first posting, don't think I am anti-auditor; I'm pro-auditor. I just think that this is an area that we currently lack an answer for.

One last item: please don't comment on how lame you think passwords are and how they don't do anything or provide any controls. Please, if you are a security professional you should know they are simply one part of an effective defense-in-depth architecture. BTW – if you don't believe in defense-in-depth you probably are reading the wrong blog....

© Kevin L. McLaughlin, properly cited re-use is acceptable


My own webpage, who would have ever thought it? I know that back in the 8th grade, when they gave us some sort of “here's what you have the ability to be in your life” test and mine came back that I would be a fine ditch digger (really, that is what I was told by my 8th grade teachers), not many of that crowd would have thought I'd be able to get to where I am professionally and personally.

I am going to use this venue to talk mostly about Leadership in the area of Cyber and Information Security and the trials and tribulations associated with that profession.  The comments on these pages will be mine and are not meant to represent the beliefs or opinions of any of the companies I work with and for.

While I will do my best to focus on Cyber Security leadership, I may have moments when my musings take me into mentoring, leadership and just life according to Kevin – but mostly the posts will focus on Cyber Security. The stories and musings will all be true, but they won't all be based on my own personal direct experiences, nor will I tell you which ones are based on my direct experiences, as I do not want to embarrass any present or past employers.

Posted by mclaukl