Monday, September 5, 2011

Employee Infosec Academy

You get some of the best writing out of information security people when their cheese slips off their cracker. Frank McClain had just such a moment recently which provided me with a nice setup for this blog post. Frank’s cri du coeur included a description of a system administrator whose response to potential security incident was less than helpful. This system administrator was a good example of someone who doesn’t have a solid awareness of the current threat environment or just doesn’t care. Good system administrators are worth their weight in gold and because they are on the front lines of an organization’s information technology function, they need to be plugged into an organization’s information security program. This post will explore some ideas on how information security people can improve their working relationships in their organization.

I’m still amazed how many lessons I picked up as a patrol officer that I have been able to apply to my information security career. For example, when I was a police officer, there was a resurgence in the concept of community policing that emphasized establishing relationships with the community beyond just having police officers in squad cars answering calls for service. There was an understanding that law enforcement lost something when it made the transition from foot patrol based policing to vehicle patrol based policing.  What was lost was the community interaction and relationship building that police achieved when they had officers on foot assigned to dedicated areas where they would get to know the community and work with them on their problems in both a reactive and proactive manner.

Information security organizations should learn from police departments when it comes to community relations. The information technology people who make up your organization are a key part of the community that you are chartered to protect. System administrators, for example, can be your best friend or, as Frank illustrates, a great impediment to your work. If your only interaction with these people is reactive, you probably aren’t building strong relationships will make working with them much easier during an incident. Developing strong relationships with your information technology staff will make it more likely they will reach out to you when they see a potential issue. Early detection of incidents is critical to the security of the modern enterprise and a suspicious system administrator who sees and reports something odd could be the key event that causes you to get a “win” by early detection of an incident.

Information security organizations can build relationships by doing things such as giving periodic presentations to the information technology staff on the current threats that the organization is facing, what the security team is doing about it, and what should be reported to the security organization. Another concept that can be borrowed from the law enforcement community is the concept of a “ride-a-long”. Ride-a-longs generally take the form of a citizen riding with a patrol officer for all or a part of their shift. The same concept can be used where someone like a system administrator can shadow someone from the organization’s security operations center to see what life is like responding to incidents. This should also work the other way around where security people shadow someone like a network administrator to see what their lives are like and how the security people can better work with them. The one-on-one relationship building from this sort of activity will be invaluable to an organization.

An expanded version of the ride-a-long concept is the citizen police academy. This is a very popular program that has been embraced by law enforcement agencies around the country ranging from larger agencies such as the Las Vegas Metropolitan Police Department and the San Antonio Police Department to smaller agencies such as the Pflugerville Police Department. For example, last year I attended the FBI Citizens’ Academy that was put on by the FBI’s Newark office.  It was a fantastic experience that introduced me to many different aspects of the FBI and left me with a positive view of the organization that I retain to this day.

So who would attend an employee infosec academy? Because security should part of an organization’s culture rather than viewed as a separate function, the opportunity to attend the infosec academy should be extended to everyone. A special emphasis should be placed on having information technology employees attend the academy in an effort to build lasting relationships that are critical to protecting the organization’s infrastructure. However, the program would also be ideal for senior executive management so that they can better understand the role of the security organization and the challenges they face. Building a relationship with a chief financial officer and their staff, for example, could increase their confidence in the security function and lead to a better chance of successful budget requests for new personnel, tool, and training.

What would an employee infosec academy look like? The police have already done the heavy lifting for us. The model of having the academy class come together for several hours each week to learn about a different aspect of security is a great way to structure these classes. Since this is being done in an employment context, organizations could also run full-time academy classes that last a day or more depending on the amount of material to be covered. Specific modules that could be included in the academy would be things like architecture, policy, incident response, digital forensics, and risk assessment. The academy staff should take great effort to present their material in an manner that is informative, but also entertaining. Great pains should be taken to avoid death by PowerPoint style presentations. For example, the digital forensics team could conduct a demonstration where they use a free tool like FTK Imager to recover deleted pictures off a digital camera’s SD card to show how files can be recovered after deletion. The incident response staff could explain their methods for detecting and responding to incidents, show demonstrations of their tools, and walk the class through a real life incident that occurred inside of the organization. The risk assessment team could talk about how they conduct their assessments and walk the class through a completed assessment report.

For a security organization to meet the challenges of the current threat environment, it must be innovative and have the support of the organization that it protects. The law enforcement community recognized this same fact  long ago and created many innovative community programs in response. Information security organizations should learn from their peers in the law enforcement community by adopting and adapting these programs to their organizational needs.