Key for any CIO or CSO pushing the security agenda is understanding the motivations of others
Akamai CSO’s biggest concern is how the NSA has subverted encryption; interesting times ahead
THERE’S a plush penguin named George who travels from desk to desk at Akamai Technologies Inc, an internal badge of honour for employees who have gone above and beyond the call of duty when it comes to the organisation’s security.
It was a grassroots initiative that developed organically, according to Akamai’s chief security officer (CSO) Andy Ellis.
Speaking to Digital News Asia (DNA) during the HITB Security Conference (HITBSecConf KL) taking place at the Intercontinental Hotel in Kuala Lumpur, Ellis recalled that it began as a social engineering trick, with a team member requesting permission to purchase the penguin toy as her way of ‘gaming the system.’
It turned into an inside joke amongst the Akamai security team, with the penguin dubbed ‘George’ taking a place of honour on her desk.
“Then one day a systems administrator really went above and beyond the call of duty for a security issue and we thought ‘Let’s give George to him for a week!’ and it just snowballed from there,” said Ellis.
These days, all senior Akamai executives know of George and the plucky penguin even has his own Twitter account (@SecurityPenguin) and LinkedIn profile. He also has body doubles travelling the globe, attending conferences.
“It got to the point where George was spending 50% of his time travelling in a FedEx shipping tube, so it just made more sense to get body doubles to fill in the gaps,” Ellis added.
The purpose of sharing George’s story was to illustrate how chief information officers (CIOs) and CSOs could reach out to their colleagues and inculcate awareness of security protocols and incentivise a pro-active internal culture.
According to a recent Forrester report, Understand the State of Data Security and Privacy, employees were the top source of breaches in the last 12 months, with 36% of breaches stemming from inadvertent misuse of data by employees.
The study also found that only 42% of the North American and European workforce in small and medium businesses had received training on how to remain secure at work, while only 57% say that they’re even aware of their organisation’s current security policies.
In an interview with PC World, Heidi Shey, a Forrester analyst and the author of the report, said: “People don't know what they don't know. You've got to give them some kind of guidance and guard rails to work with.”
According to Akamai’s Ellis, perspective and understanding the motivations of other departments and colleagues is key for any CIO or CSO aiming to gain traction in fulfilling internal security objectives.
“The first step is understanding the culture and the language of the company. For example, in the manufacturing sector, they have it easier because they’re big on worker safety and can talk about cyber-security as a sub-culture of their overall safety initiatives,” he said.
“Too often, we take our own language and push that onto others,” he added.
After learning the language, the next step is to figure out what would make good incentives to get employees to take security measures seriously.
Oftentimes, Ellis noted, initiatives such as security awareness training are important as they serve three purposes: Firstly, to ensure employees know what to do when they discover a security breach; secondly, to teach them how to recognise the warning signs; and lastly, to fulfil compliance requirements.
“But the trick lies in finding a way to give positive feedback when an employee does the right thing – to teach people that security is not just a job requirement but also their reward; so they know they are protecting the company and feel good about it,” he added.
Deconstructing bad decisions
In his keynote presentation at HITBSecConf KL, the annual security conference organised by Hack In The Box (HITB), Ellis broke down the drivers of bad decisions, telling attendees that the biggest takeaway they needed to come away with was the need to put themselves in the other person’s shoes.
“When you hear someone make a decision and think it’s bad, ask yourself, what has to be true in their world for them to think it was a wise choice? No one likes making bad decisions and if you can find that out, you can have a lever in figuring out how to change it.
“What truth can you add to their world to make them see differently? It’s about how you can reprogram a person’s way of thinking and it doesn’t mean scaring them with dangerous ‘what ifs’ as they will then view you as the adversary and won’t care about the real risks,” he added.
Ellis also cautioned against thinking all scenarios can be saved in this manner, as sometimes it could very well be a choice between a bad decision and an even worse decision.
When it comes down to influencing the decision-making process, Ellis advised CIOs and CSOs to align themselves with the business objectives and emphasise the awareness of risks to management over an outright rejection due to security concerns.
“It’s about saying ‘Here are your risk factors, are you aware of them? We would prefer that you include us earlier on in the process, but as long as you are aware that these are the associated risks, then the decision is yours.’
“Business is all about risk-taking, so you need to ensure that the decision to accept the risk happens at the right level, and not from CSO,” he added.
Ellis noted that taking a less antagonistic and indirect approach to highlighting the need for security risk assessment is one way to hook people into thinking about risk.
“It’s about adaptability and flexibility. The common truth is that there is a right way to interact with the business side of a company and CSOs who can do that tend to last longer in their roles,” he said.
When asked for his top three tips to his C-level peers on how to cohesively approach security strategy within their organisations, Ellis shared the following:
Focus on operationalisation and optimisation: “Do have grease in the engine, and deploy new elements that will make your job easier and not incur technical debt.”
Figure out where the business is going to be in three years and build a security model that gets you there: “You need to design a security service that will help the business get to where it wants to go, and champion its causes. This will earn you credibility, a seat at the table, and relevance.”
Figure out how you can provide extra value to the company: “In Akamai’s case, we weren’t a security company years ago, but today we have a security product line and entire division devoted to it. It’s a bittersweet success that outgrew the security department. You need to learn to find those opportunities and make them flourish.”
When asked what his biggest current concern was, Ellis said it was encryption technologies, in light of recent information about subversive efforts on the part of the US National Security Agency (NSA) to weaken industry standards.
It was reported in the New York Times that beginning in 2000, as encryption tools were gradually blanketing the Web, the NSA invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop.
The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products.
“I don't even know what crypto to recommend to anybody anymore. It used to be as security practitioners, we’d say as long as you use peer-reviewed cryptography to secure your data, you’d be fine – but that’s no longer the case and it’s a jarring world to be in now,” said Ellis.
He added that while there are “no great alternatives,” internally Akamai is shifting to Transport Layer Security (TLS) 1.2 on the notion that while “it’s something the NSA can break, at least everyone else can’t.”
The real question is centred on the issue of next-generation protocols, and finding consensus on what they should be.
“How are we going to pick the next generation of protocols when we have reason to believe that we can't trust the process? This is something that is going to be really interesting to watch over the next year,” he said.
For more on HITBSecConf, which ends today (Oct 17), go to http://conference.hitb.org/. Follow developments on Twitter with the hashtag #HITB2013KUL.