Management Laboratory

Leadership Lab: Management Competencies


The Security Manager and Business Situational Awareness


By Stephen Northcutt
Version 1.1

Business unit managers and business operations leaders are always telling information assurance managers that "Security needs to be aligned with business". This is one of the primary goals of both the SANS Technology Institute's Master of Information Security[1] programs and also the SANS Security Leadership Essentials[2] course, but what are the fundamental things security managers can do to help align security with the needs of the business? We suggest that progress is possible if there is a process in place to develop and maintain business situational awareness.

What is Situational Awareness?

The concept of situational awareness is apparent in military writings as early as the 6th Century BC. Sun Tzu's The Art of War is a collection of 13 chapters, each of which is devoted to one aspect of warfare and is, implicitly, a guide to ancient Chinese generals on how to be situationally aware of the many factors affecting success on the battlefield. In military history some credit this book as influencing Napoleon, the German General Staff in World War II, and even the planners of Operation Desert Storm.

These concepts have spilled over into business and managerial strategies as well. And in turn, the business applications have influenced today's military departments in the United States to adopt Situational Awareness as a key component of business transformation.[3]

The term was originally coined by Dr. Mica Endsley during work done between 1995 and 2000, and boils down to "the perception of elements in the environment along with a comprehension of their meaning and along with a projection of their status in the near future."[4] Wikipedia suggests "knowing and understanding what is going on around you and predicting how things will change, or, in other words, 'being coupled to the dynamics of your environment' (Moray, 2004)."[5] And, according to a US Navy web site, "Situational Awareness refers to the degree of accuracy by which one's perception of his current environment mirrors reality."[6] So, putting that into our context as computer security managers in business, we need to perceive what is going on with the business, understand the meaning of these events in context, and be able to predict what they mean going forward.

Some security managers aren't very good at business situational awareness

The Management 512 teaching team works with hundreds of managers every year. One of the things we do is ask the students: "Do you know your organization's mission statement?" Invariably the majority of the students do not. If we were to ask you whether you are familiar with the executive dashboards[7] used by your company's executives for their situational awareness, would you be able to describe in detail the data that is monitored and used for decision-making? If you do not know what factors are being interpreted by decision-makers, how can you expect to succeed in influencing change and decisions related to your field?

Example of perception versus reality in information security

In 2001, we had the high profile Code Red[8] worms. They weren't that dangerous really, but they were very high profile in terms of press coverage and there were costs involved related to the cleanup. An IEEE paper[9] and a netlab presentation[10] both estimate that the Code Red worm cost around $2.6 billion. Many security programs were granted additional money to go "fix the problem". Later, in 2003, when Blaster[11] hit, infecting over 100,000 Windows computers, how do you suppose security managers felt? Some actually thought they would get more money for their program. How do you suppose the business operations leaders viewed the same event? It would be more like "Jeepers, can these security people get it right?" After 2003, the real drivers for security architecture were government regulations: Sarbanes-Oxley, GLBA, HIPAA, state privacy laws and the like. Once again the security program got funding, and then the auditors still hit the organization with non-conformities. Consider the perception. The high profile data losses of 2006 are the new driver[12] for the 2007 budget, but before we spend a dollar of the money, we should think long and hard about perception! Now, in 2010, the stakes are higher than ever as credential-stealing malware such as Zeus is being used to capture corporate and personal online banking accounts. How does a security manager improve their ability to know and understand what is going on in the business and predict change?

There are four basic process steps we need to implement as leaders:

• Understand an accurate baseline of the current situation, and understand the impacts and trade-offs at critical points in a process
• Make sure we are in the flow for incoming important information, and facilitate decision-making with the right information
• Identify the expectations and biases that, left unchecked, lead to errors
• Remain alert for drift between incoming information and our expectations. The best way to do this is to make predictions, write the predictions down, and review them for accuracy; in the cases where you were wrong, do a lessons-learned review to improve in the future.

A security manager must cultivate a strong situational awareness before they can pass this skill on to their team. Business Situational Awareness is the ability to identify, process, and comprehend the critical elements of information about what is happening to the security team with regard to the organizational mission. More simply, it's knowing what is going on around you and staying alert for change.

Now that you have read this, stop and ask yourself, "How often do I actively pursue situational knowledge?" When was the last time you went and dug into the metrics that define the business of your organization and considered the security role in either supporting those metrics or even hindering them?

Where do I start?

We start by understanding how well we really fit into the organization and how well our program is actually performing. Three important tools to help give us an accurate baseline understanding of the current situation are:

  • Internal and external audit reports
  • Vulnerability scans and/or penetration test (ethical hacking) reports
  • Minutes from board meetings

What do these have in common? They are reality-based tools that measure how you are doing, produced with almost no input from the security department or the CIO. Now, to be sure, it is just a start, but they are things most computer security managers can, almost immediately, access, read and understand. We want to pursue metrics;[13] they can be used to persuade auditors that your processes do, in fact, conform to regulatory guidance.[14] Then, evaluate your organization's products, the way you earn your revenue. What are the top three, and how will you protect these products? Security cannot usually serve as a force-multiplier, but it can help prevent problems. Start working on a list of things to check when you get back to the office, and start to think of security in a new way. Activities such as interviews, answering questions, reading status reports, observing and inspecting, tracking process, and evaluating changes for success or failure are sources of incoming important information that lead to situational awareness. Every organization is different - what are the sources of incoming important information where you work?

A security manager is responsible for understanding how to communicate with senior management. How do they best learn: aurally, visually, or tactilely? A book or two on adult learning styles can help you identify biases and expectations. In particular, re-familiarize yourself with Myers-Briggs[15] typing. Take one of the online tests[16] to understand how you learn and perceive, and practice guessing how the executives in your organization learn and perceive. In many organizations the Myers-Briggs index for senior executives is public information available from HR.

Avoid losing situational awareness, the so-called mission fog

Important clues that situational awareness is lacking include: signs of confusion or a gut feeling that confusion exists; use of improper procedures; departure from planned work; failure to meet targets; ambiguity in answers; and logical disconnects. Teach yourself to be sensitive to days and weeks where the stress of deadlines or interpersonal relationships is warping your business situational awareness. Stop, take a walk, get away from the situation — ask yourself how you can reconnect with the important information that helps you correctly assess the environment.

Seven factors that reduce business situational awareness:[17]

  • Insufficient Communication
  • Fatigue / Stress
  • Task Overload
  • Task Underload
  • Group Mindset
  • "Press on Regardless" Philosophy
  • Degraded Operating Conditions

Summary

Business situational awareness is a basic skill an information security manager needs to develop. This is most important when we are promoted from the technical ranks. There is little about ten years of programming or network design and operations that teaches us about earning revenue and managing quality and costs. However, these are the things upon which the rest of the business is focused. We need to focus on them as well. If your organization has a quarterly assessment program,[18] ask if you can get 360 assessments[19] with other stakeholders in the business. This will help you rapidly align your mindset and the direction of your information security program with the needs of the business.

Links were valid at the time of this writing, January 6, 2007

1. http://www.sans.edu/
2. http://www.sans.org/training/description.php?tid=452
3. http://www.army.mil/armybtkc/focus/sa/index.htm
4. http://faculty.ncwc.edu/TOConnor/431/431lect03.htm
5. http://en.wikipedia.org/wiki/Situational_awareness
6. http://wwwnt.cnet.navy.mil/crm/crm/stand_mat/seven_skills/SA.asp
7. http://www.entrepreneurship.fiu.edu/downloads/marc_resnick/Research/Situation%20awareness%20applications%20to%20executive%20dashboard%20design.pdf
8. http://www.caida.org/analysis/security/code-red/
9. http://ieeexplore.ieee.org/iel5/45/27781/01238686.pdf
10. http://netlab.tkk.fi/opetus/s38153/k2004/Lectures/g12damages_expenses.pdf
11. http://www.rbs2.com/parson4.htm
12. http://informationsecurity.techtarget.com/magPrintFriendly/0,293813,sid42_gci1232273,00.html
13. http://www.cisecurity.org/Documents/BPMetricsTeamReportFinal111704Rev11005.pdf
14. http://www.sans.edu/resources/leadershiplab/cisecuritytoolset.php
15. http://www.myersbriggs.org/
16. http://www.humanmetrics.com/cgi-win/JTypes1.htm
17. http://www.sans.edu/resources/leadershiplab/performance.php
18. http://www.chartcourse.com/360assessment.html
19. http://www.ccl.org/leadership/assessments/additional.aspx?pageId=30