Who Is Qualified For Cybersecurity?
It’s always complicated to find good help. It’s more difficult in some fields than in others. It’s certainly difficult when it comes to cybersecurity. Organisations find it difficult to acquire the professionals qualified to effectively protect networks from outside threats.
Why is this?
Qehilla ARM-LP is less a security consultant than it is a security integrator. The organisations ARM-LP anticipates serving are small-to-medium enterprises (SMEs), typically (though not always) community-based cultural, learning, or religious communities.
ARM-LP communities will almost always run small business networks. A few will have a dedicated IT department, but likely not most. The resources to manage network security will be minimal, if any exist at all.
Cyber Degrees has an interesting (though flawed) perspective. Cyber Degrees lists five types of cybersecurity program:
The sample syllabi that Cyber Degrees lists for each option have one significant flaw: people are not considered. Each syllabus stresses technology. None stresses people.
That’s ridiculous. Here are some of the non-essential duties Cyber Degrees lists:
- Determining the most effective ways to protect endpoints and the network from attacks
- Responding to breaches and other emergencies
- Assessing security risks
- Interviewing staff on security preparedness
- Researching and preparing for new security threats
- Providing reports to management
- Composing cost estimates for necessary security expenses to management
These duties only seem essential. Each would be except for the fact that people are missing from the list in all but one instance — and that instance is absurd:
Interviewing staff on security preparedness? What on Earth does that mean?!
Cyber Degrees insists that these are some of the “specific skills” a cybersecurity position requires:
- Secure Coding Practices
- Firewall Protocols
- Intrusion Prevention
- SQL and other security frameworks
Technical skills are important. They are not more important than a good grasp of marketing, and they are far less important than knowing how to meet the basic needs of any SME.
I’ll continue this rant in the next post, How Deep Is The Talent Pool?
An Encyclopedia of Cybersecurity
An Encyclopedic Dictionary of Cybersecurity (EDoC) is ready for your perusal.
Useful vs Informative
It’s much too difficult to find really useful content on cybersecurity.
Encyclopedic Dictionary of Cybersecurity (EDoC)
My head is not buried in the sand. I know there’s a lot of information on cybersecurity. Is this useful content? No, I’d say not.
Cybersecurity information mostly reaches across to teach. That’s not useful for most of us. We need information that reaches down. The difference:
The vast majority of cybersecurity information reaches across — it finds coders, network admins, and vendors. This helps them help us. Most of us are not coders, network admins, and vendors.
Cybersecurity information that reaches across does not help us — and that means…
It does not help us help the people we hire to help us.
Executive directors and CEOs almost always know how to read a balance statement.
They commonly know enough accounting concepts and terms to understand what the experts say — and some of them are themselves such experts.
This is not so when it comes to computers generally, and certainly not with respect to cybersecurity.
I understand why general managers are not adept at computing: a computer is a tool — and I need not be a locksmith to use a key.
Locking the door, though, makes me more secure. So does understanding cybersecurity.
I do not understand why most GMs do not understand cybersecurity better. Cybersecurity is about only one matter, which every GM should be well-informed about:
Organisations cannot function without confidence — and no one is attracted to an organisation that does not inspire them with confidence. Markets behave best when they attract people rather than promote to them.
- Markets rise and fall on the confidence people place in the goods and services they purchase.
- Every organisation occupies a marketplace.
Markets are people who gather to buy and sell, and people behave best when they are confident.
Are you confident about cybersecurity? Probably not. To be confident, to instill confidence in others, you need to understand cybersecurity the same way you understand a monthly balance sheet.
With you in mind, I compiled the Encyclopedic Dictionary of Cybersecurity (EDoC). It’s concise, it’s informative, and it’s useful.
Is it about management? Maybe it’s about leadership? Technology might also be an issue. I guess. Why can’t we motivate our staff, volunteers and leaders to be secure?
Cogent security planning assesses risk. Some risks are more likely than others. There’s a reasonable risk of fire on any campus. There’s a reasonable risk of accident. Depending on the community, there may be a reasonable risk of predictable natural disaster. Floods, for example.
Floods are Canada’s most costly natural disasters in terms of property damage. They are commonplace, so we prepare for them. We can’t always accurately predict when a flood will happen, but we still prepare for it as best we can. We all have insurance that covers this — don’t we? Occupancy insurance will typically cover sewer backups and so on, but it’s prudent to check. What about when the river overflows its banks?
Natural weather disasters in the United States cost more than $300 billion in 2017, according to this article at Business Insider. Let me put this somewhat differently:
This is about 8% of the US government’s $4 trillion budget — and almost all of Canada’s $330 billion budget.
Security is everyone’s responsibility.
I agree. Tell me, if you can, how I convince the person who doesn’t think security is her (his) responsibility?
Security is bought rather than sold.
Security is bought rather than sold. No one buys security without a need. Many are they who think they have no need of security or the planning it requires. I accept that reality. Let me frame it as two questions:
1. Am I the trusted servant who tells you what to do? or
2. Am I the trusted servant who goes and finds out what your needs are?
Your community doesn’t have security managers or directors — it has trusted servants who serve the community when they share what they know of security and life safety. People respect this, and they especially respect the time and effort their trusted servants give freely.
Responsible Security Planning
Responsible Security Planning?
I am told over and over again that “management must” buy in if security planning is to succeed. Nonsense. Phrases like “management must” tell me no truth and tell you only lies. Passive voice is a grand way to hide irresponsibility.
What is responsible security planning?
Responsible security planning assesses risks, decides what risks are likely, and places these real threats at the centre. You’re assessing what’s vulnerable in your community. This assessment is why you never have a security plan: your risks change over time. Planning security, on the other hand, lets you decide over time what to reduce, enlarge, or emphasize.
Does management have a responsible role to play? Definitely. Management’s role is to inspire. It floors me that people think this is hard to do. It’s not. Your community’s leadership, staff and volunteer alike, merely need to say one thing to the people you serve:
We care about you, and we’re concerned about your security.
That sets the tone. Ten short words tell your members that you value them. Do you know anyone who doesn’t want to feel valued? Your community doesn’t have stakeholders — it has people for whom you care deeply. Your community doesn’t have security managers or directors — it has trusted servants who serve the community when they share what they know of security and life safety.
Good security practice
Some people think good security practice flows bottom-up. It’s not my experience, and neither does good security practice flow down from the top. Good security practice travels up-and-down. Your trusted servants set the tone. They understand what suspicious activity is — and now so do the people you serve. Your members become more conscious about security because their trusted servants made time and effort to show them.
Security is a planning process, not a set of solutions to specific problems. It’s not possible to effectively secure a campus by installing an alarm system after a break-in, or by hiring a patrol company after a serious incident. It’s also expensive to take this approach. It’s more effective, and much less costly, to decide what short-term and long-term security issues you face.
If You See Something, Say Something
If you see something that seems out of place, it’s out of place. Trust your instincts.
When you report …
- Briefly describe the activity you saw
- When did you notice the activity? What time was (is) it? What date?
- Where did you see it?
- Did you see anyone leave the scene? Where did they go?
- Can you accurately describe anyone you observed?
- Can you accurately describe vehicles, if any?
People, Property, Protection
People On Property is the foundation of all good security planning.
A community-based organisation (CBO) provides social services, recreation, cultural programs, education, childcare, and many other services we rely on all the time. The CBOs we all join also train volunteers, recognise potential leaders and help them develop, and serve the wider community in ways large and small.
Some CBOs become targets. Vandalism to the places we use all the time is common: schools, churches, mosques, synagogues, and temples. Rage directs its attention to some CBOs more than others — but every community centre attracts it, and some people die.
How do we protect the people and places who gather together in a community?
We now all know how difficult it is to protect against terrorism. Terrorism no longer relies on a wolf pack. Many terrorists attack as lone wolves. These terrorists drive cars, take subways, or run down streets while stabbing people. It becomes complex: how are we to predict the unpredictable?
Complex does not mean “complicated.” Many CBOs occupy a campus — a building and a parking lot is a campus. It’s not complicated to build a fortress to protect the people and places we love. It’s also not desirable. The people and places we gather give us meaning. We must plan to protect the people and places we gather. Crisis management is now critical.
A secure CBO needs to implement security by design. The notion of a sound “security plan” is a misnomer — and a liability awaiting judgement. There’s no such thing as a security plan. We can only plan what we can foresee. A wedding, for example.
To plan a wedding we choose a date. Then we choose a caterer, rent a reception hall, ask Uncle Josh to be best man, and arrange clergy. Even in this simple arrangement, though, something will go wrong with the plan. The food is late because the caterer is stuck in traffic. Uncle Josh missed his plane. The reception hall is a soggy mess from that freak rain storm.
We can’t plan security.
The best we can do is security planning. Security planning is an ongoing commitment to recognise the potential for disaster. We can’t plan to thwart an attack. We can understand what to do when an attack occurs, and then do what’s necessary to recover.
Security planning needs motivation.
Not every CBO has the motivation. Every CBO has members who see security planning as expensive, or not necessary. It’s impossible to say whether or not security planning is expensive. Planning isn’t the expense — or shouldn’t be. The solutions security planning discovers may be expensive. To decide if the solution is expensive, answer these two questions:
- What do you want as your epitaph?
- Are the actions you are taking today in line with the legacy you want to leave?
“It’s too expensive!” is, I think, not the legacy you want to leave your community as it struggles to overcome a disaster.
Are You Testing Your Post Orders?
Your post orders are irrelevant if your member service officers don’t know or understand them.
ARM-LP uses the term member service officer (MSO) to describe someone authorised to provide general or specific services to an ARM-LP community. In this article, a member service officer assists your community with respect to security and loss prevention.
It’s very important to ensure that member service officers understand how to best serve your needs. A capable supervisor is essential. Your member service officers may be contractors — but your supervisor is a trusted servant, someone from your organisation who can capably orient your MSOs, train them in your community’s post orders, and oversee them as they undertake the task to protect your community.
Different organisations have very different needs. Every ARM-LP community will need to arrange their post orders as a manual. The manual needs to address these 12 topics, but it need not be complex.
- A. Introduction
- B. Executive Summary
- C. Conduct Code
- D. Job Training Checklists
- E. Member Service Policies
- F. Special Post Orders or Assignments
- 1. Access control
- 2. Personnel security
- 3. Emergency response
- 4. Law Enforcement
- 5. Life Safety
- 6. Duties To Report and Record
Your organisation must routinely quiz your MSOs to test how well they understand the post orders. This quiz must be a part of your standard procedures. ARM-LP communities may…
1. Use Q Net’s online examination tool on a dedicated page or
2. Embed the exam on its own website. This option requires technical expertise.
I received a high technology birthday gift from my parents when I turned 17 (sometime in the 1970s, never mind when): an electric typewriter.
This high technology gift is only “low tech” looking back in time. My typewriter was certainly high technology compared to the manual typewriter I learned to type on in my grandfather’s office.
The current state of technology is now always high technology. “The more they overthink the plumbing,” according to Scotty on Star Trek, “the easier it is to stop up the drain.” High technology frustrates everyone who uses it.
We usually adopt new technology rather than adapt it, I think, and at best this approach challenges us and the organisations we serve.
We are responsible
Am I responsible? Of course.
- I am willing to embrace new technology
- I am honest about my technology needs and how the technology can help
- I am open to change what I do
- I accept that change imposes certain risks
Frustrations accumulate when change occurs
High technology disrupts routines. Install new technology only when aware of this.
Backup is an essential routine
It’s very easy to store today. Many media are available if there is not much to back up. Your challenge?
There is no such thing as an organisation without a great deal of data to back up. Your organisation needs to recover its data quickly. That’s no simple task if your backups are stored on anything other than a hard drive.
Frequently test your backups. Corrupt files are commonplace, and testing ensures the backup data is trustworthy.
Monthly seems reasonable, and more frequently as organisations grow.
A real strain is placed on computing resources during regular business hours. The strain is even greater if routine backups are scheduled during this time. A scheduled backup should not interfere with an office’s normal productivity.
Schedule a backup routine to alert you to poor resource allocation, exceptions, and incidents.
The smallest useful unit of information is called data. It’s barely useful without context.
A 16 digit number, for example, conveys nothing useful to the person who reads it — unless it accompanies a name. Other data may be necessary to provide further context, such as a verification code, but this only provides additional context.
When data collected includes context it is information.
Modern criminals have profitable information if they have a name accompanied by a 16 digit number.
The community you serve generates a lot of data: names, birthdates, addresses, marital status, credit card numbers. Birthdates, names and addresses provide context for credit card numbers.
Data is an asset in a digital economy. Data loss can only ever be horrifying for your community — and catastrophic if the data cannot be recovered. Organisations must…
- Choose the backup media
- Regularly test the backup
- Conveniently schedule backups
- Audit their data needs
- Prioritize
A single server is typical in small office computing environments. Audits are essential. Small office networks are no less vulnerable to data loss than enterprise networks — and they are far less prepared to overcome the chaos or catastrophe that occurs.
Security is a priority. It’s ridiculous to…
- back up data and leave it in an insecure location, such as sitting on the same desk as the workstation
- leave a computer on and open to hackers
- back up data and leave it where it can be destroyed by fire, flood or human stupidity.
Have I made my point?
Business continuity requires accessible data.
Perhaps 50% of organisations will survive if the data they store is inaccessible for some length of time. The ones that survive will be the ones who have spent time, effort and money to ensure their continuity. It needs to cost money. It does not need to be expensive: an 8 terabyte external hard drive is roughly $225.
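The posts above say to test backups frequently because corrupt files are commonplace, and to keep backup routines from interfering with office hours. The script below is an added example of mine, not code from ARM-LP or from the posts: it copies a folder to a backup location, writes a manifest of SHA-256 digests alongside the copy, and later re-hashes every file against that manifest so a silently corrupted or missing file is reported rather than discovered during a recovery. The `demo()` scenario and its file names are constructed for illustration; the verification logic is general and works on any folder.

```python
"""Backup manifest creation and verification (added example, not from the original page)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source to dest and record each copy's SHA-256 in MANIFEST.json.

    The digests are taken from the copied files, so the manifest describes what
    actually landed on the backup media, not what was read from the source.
    """
    manifest = {}
    for item in sorted(source.rglob("*")):
        if item.is_file():
            rel = item.relative_to(source).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(item, target)
            manifest[rel] = sha256_of(target)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> dict:
    """Re-hash the backup and compare with the manifest.

    Returns lists of relative paths under the keys "ok", "corrupt", "missing"
    and "unexpected" (files on the media that the manifest does not know about).
    """
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    result = {"ok": [], "corrupt": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = dest / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_of(path) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    for item in dest.rglob("*"):
        if item.is_file() and item.name != "MANIFEST.json":
            rel = item.relative_to(dest).as_posix()
            if rel not in manifest:
                result["unexpected"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: back up three files, verify, then damage the backup
    the way failing media or an accidental deletion would, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "office"
        dst = Path(tmp) / "backup"
        (src / "members").mkdir(parents=True)
        (src / "members" / "list.csv").write_text("name,joined\nA. Member,2019-03-01\n")
        (src / "budget.xlsx").write_bytes(b"PK" + b"constructed" * 100)
        (src / "notes.txt").write_text("post orders draft\n")
        make_backup(src, dst)
        clean = verify_backup(dst)
        # Simulate bit rot: overwrite three bytes in the middle of one backed-up file.
        with (dst / "budget.xlsx").open("r+b") as handle:
            handle.seek(10)
            handle.write(b"\x00\x00\x00")
        # Simulate a lost file on the backup media.
        (dst / "notes.txt").unlink()
        damaged = verify_backup(dst)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `verify_backup` on a schedule outside business hours and treat any non-empty `corrupt`, `missing` or `unexpected` list as an incident to investigate; the monthly cadence the post suggests is a sensible floor, and the check is cheap enough to run after every backup.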
What Happens When Information Technology Stops Working?
What happens when the information technology we use routinely stops working?
Every organisation must answer this question. Security of Data (sometimes called datasec), a mission critical strategy to protect data, is one answer. Chaos (at best) or catastrophe (at worst) are the only possible consequences when a mission critical operation fails.
In this article, mission critical means the essential operations of an organisation or business with such import that failure can be neither contemplated nor tolerated.
A business continuity plan based on the assumption that data loss is inevitable, datasec is essential to the communities you serve. Every organisation uses information technology — and every organisation loses it. How you lose it is irrelevant.
There is no such thing as an organisation that does not generate large volumes of data. How much of the data is critical is a different issue — all data is important, but only some data is vital. In this article, vital means “necessary to maintain continual operations.”
Data is generated constantly, both by your staff and the members they serve. These stakeholders use email, text messaging, Skype, VoIP, websites, social media and electronic data interchange (EDI) [1] to routinely receive and transmit data.
Common reasons for data loss are human error, hardware failure, software failure, or malice, probably (though not necessarily) in that order.
Your principal concern is backup planning.
Your principal task is to ensure that the data you collect is secure. Backup planning is one aspect of this task, it is vital, but the task is incomplete in the absence of strong privacy policies and robust security systems.
The difference between “plan” and “planning” is crucial. A plan? Use it to understand objectives and the goals each objective intends to achieve.
Planning is an ongoing process to consider how (or if) objectives are useful. You need to be planning continually. Larger organisations need to be preoccupied with it. Small organisations should begin the process now, assuming at some point they want to become larger organisations.
[1] EDI is a secure digital standard to exchange documents online. It features these benefits:
- It mitigates channel noise, thus reducing transmission errors
- It provides a fast, secure way to communicate with trading partners
- It allows customers or clients to respond faster
Targeted attacks are not science fiction. People willingly give sensitive data and information to the organisations and communities they subscribe to or join. A targeted attack occurs when criminal actors pursue and attack one or more specific groups.
The cyber protection of people assumes targeted attacks require both some expertise and sufficient resources to target, acquire, and anonymously compromise small business networks. Some expertise does not mean much expertise. Script kiddies must not escape our consideration.
Pop culture portrays script kiddies as bored, lonely teenagers seeking recognition from their peers. It’s not far from the truth, probably — but they’re also lazy, malicious and immature. Script kiddies are mad scientists, not misunderstood geniuses, and they cause significant damage.
The motivation? Bragging rights and thrills. Script kiddies are unprofessional hackers: they lack technical skill, they leave evidence — and they cost money. MafiaBoy was a 15-year-old Canadian script kiddie in 2000. He caused more than $1 billion in economic damages to Yahoo.