"I’d be lying if I said no. Yes, there are times when I do feel that it is an uphill battle," Len Kleinman, chief cyber security adviser for RSA in the Asia Pacific and Japan, told iTWire during an interview.
"The challenge for cyber security practitioners is two-fold. First, we have to fight the good battle within our workplace to instil good cyber security practice. At the same time, we have to defend and protect the business from external threats."
Kleinman has more than 25 years of experience, with an early focus on Oracle CASE, network operations and database administration.
Prior to RSA, for 14 years Kleinman worked in senior roles in IT security at the Australian Tax Office, including governance and risk, compliance, and played the role of the IT security adviser.
A security technology community activist, he is involved in and supports several cyber security and technology organisations and regularly speaks at security events.
He was interviewed by email.
iTWire: Do government offices have the practice of carrying out pen testing? What form do these take – are external experts called in or is in-house expertise utilised?
Len Kleinman: To the best of my knowledge, several government departments currently perform penetration testing as part of their overall security assessment process. Delivery of such capability can be either through in-house services or an external provider. Not all government departments have a full-time in-house capability and many rely on procurement of penetration testing services. As good as penetration tests are, they should not be seen as the silver bullet. Penetration testing is only one part of good cyber resilience practice.
To ensure a quality outcome when engaging external services, organisations still need to play an active role in the activity, by allocating a lead individual. That person should be reasonably experienced in the mechanism of conducting and delivering a penetration test. They should provide guidance, support and advice to ensure that the delivery of the penetration test covers the required scope, that testing is conducted in depth, and to ensure that the findings are thoroughly validated to highlight the risk to the business. This is what RSA refers to as business-driven security.
The spectrum of what constitutes penetration testing can be rather widespread. Just performing a vulnerability scan, in my mind, does not constitute a penetration test. Instead, this can form part of the overall penetration test programme, arguably part of phase one – reconnaissance.
Having a thorough penetration testing framework is important to ensure that the activity is performed in a manner that yields quality results. Organisations must consider things such as obtaining the proper sign-offs and approvals prior to commencement and having a proper test environment that replicates the production environment.
It’s also important that there is separation of duties within the test team, so that no one person is, for example, responsible for the execution of a compromise on a system. Instead, each team member plays an active role, ultimately enhancing the organisation’s security. Lastly, organisations must factor in time to perform a re-test to evaluate any remediation and fixes that are subsequently implemented – it is not unusual for a fix to itself introduce new vulnerabilities.
Some of the challenges in the current environment stem from the adoption of new development models, including the Agile and Spiral models, which contrast to the traditional waterfall approach. These changes necessitate that penetration testers work closely with the development team in determining when a test should happen based on the extent of change. However, this has the added benefit of the development team having easy access to security experts. As this engagement occurs collaboratively as the project progresses, it significantly lessens the chances of any big "surprise" findings at the end of a large testing cycle, which can adversely impact project schedules and costs.
Penetration testing is but one evaluation and assessment component of good cyber security practice. There is great value in penetration testing when it is performed properly in identifying risk, understanding the impact and providing a way forward.
What is the main change you see between security practices today and those of, say, a decade ago?
The biggest recent change in security practices is the adoption of a risk-based approach. The shift from the "compliance" mindset and approach has taken some time to set in, but is definitely well entrenched now. I recall some five-plus years ago pursuing the mantra of "intelligence-driven" security, which is fundamentally risk-based, and having such a hard time getting any traction. Something I have learnt over time is that you can be a little too ahead of the curve. Therefore, having the patience for business and industry to catch up is important.
We’ve also seen the role of cyber security shift from "keepers of secrets" and "guardians at the gate" to be more integrated into the business and taking a detective/hunter style approach.
Lastly, cyber crime has evolved into a phenomenal criminal business model that is well-structured, repeatable and very profitable. Without endorsing this industry, I fully recognise the creativity and innovation that is shown by the players in this space. We can certainly take a leaf out of their playbook when it comes to collaboration and playing to one’s strengths.
If you had not become a security professional, what line would you have gone into?
Probably the military. My father was a colonel in the army and instilled some strong values in me, which I believe have allowed me to be very successful in life. I have brought many of these ideals such as a disciplined approach, formalised structure and the ability to commit and execute, to how I work.
If not the military, then something like marketing and media with an education and information edge. I like the idea of contributing to the community at large. Knowledge is to be shared for the betterment of society, not to be hoarded. Its value is in being widely disseminated.
Do you ever get the feeling that you, as a security pro, are fighting a losing battle?
I’d be lying if I said no. Yes, there are times when I do feel that it is an uphill battle. Having said that, it really comes back to attitude and how you view things. The fact that it is difficult just means that there is so much opportunity to improve.
The challenge for cyber security practitioners is two-fold. First, we have to fight the good battle within our workplace to instil good cyber security practice. At the same time, we have to defend and protect the business from external threats.
I somewhat lament the lost opportunities we have had from previous attacks like the Sony and Target breaches. It is not that we did not learn from those and similar events. Rather, it is that we did not take the lessons and turn them into improvement programmes. Herein lies the value of good post-mortem analysis, having good resources, processes and leadership.
Lastly, cyber security has traditionally been viewed as a cost centre. Although this is slowly changing, having those conversations with the executive team emphasising the business risk value of cyber security is critical in helping them understand the value that cyber security brings.
What is the biggest impediment to making a system secure? I am talking here of all the links - users, manufacturers, technical hands and so on.
The "people" component presents the biggest challenge. There is plenty of good technology out there and developing good processes can be facilitated and overcome.
Resources – There continues to be a skills challenge in cyber security. The demand definitely outstrips supply. However, there is much one can do to attract and retain good cyber folk and it starts with creating the right culture and having good leadership. You can usually tell when this is lacking in an organisation from the exodus of good cyber practitioners or recruitment campaigns that are less than successful. You need good practitioners to facilitate good cyber security practice and work technology in a methodical manner.
Users – The end user tends to be the weakest link in the chain when it comes to an organisation’s cyber security posture. You only have to look through recent incidents to see that in many cases the common vectors involve the end user. Unfortunately, it is the innate quality in humans "to trust" that seems to be constantly abused by the miscreants in cyber space. As such, general awareness programs form a critical part of an organisation’s cyber security practice.
Leadership – This one scares me the most. Often, people in leadership positions have only been involved in cyber at the fringes. For example, people who have managed awareness engagement now want to be seen as thought leaders in cyber security, but they have very limited tacit knowledge, experience or time at the coalface.
If you look at the chief of surgery at any hospital, they would be expected to have relevant qualifications and years of experience. They would have honed their skills over time through practical application and training, ensuring they are very familiar with the field’s concepts, practices and procedures. The same is the case for senior partners in law or accounting. This just reflects the maturity of cyber security as an industry. We have not had the opportunity to mature over time in the same way that these other traditional vocations have done.
At what level of a company do you find the greatest resistance to following a process that will ensure security?
You can find resistance at any level in an organisation. In most cases, the highest levels tend to be supportive of cyber security, especially when you talk about the potential impacts to business that adverse cyber events can have. In my experience, it has generally been at the lower executive levels where I have found the most resistance. Traditionally, this has been through a lack of education and understanding of cyber security. For example, I repeatedly hear commentary from junior executives with regard to what they perceive as the reporting of repeated vulnerabilities. What many of them fail to understand is that a significant vulnerability in a critical area of shared infrastructure can render all systems that consume that common infrastructure to be exposed and therefore vulnerable.
Additionally, traditional reward systems in business tend to create friction and resistance. Take, for example, a case where someone’s bonus hinges on them delivering a project or system by a particular date. You will face resistance, as cyber security findings, say from a penetration test, can often impact timelines.
This has caused me to question the reward mechanism in business. The pressures of time to market and competitive advantage are even stronger these days, leading to a delivery first and security fixes later attitude. Now what if the reward mechanism was based on delivering a project or system on time and securely? What if the reward was reduced or altogether removed if penetration testing found, say, three vulnerabilities that exceed the organisation’s risk tolerance level? That might change the attitude and resistance to cyber security.
Attitudes have started to change and I believe this is due to people understanding better the value of data and the responsibility to securely manage it. I have been saying for several years now to colleagues in the industry that the change will come and resistance will lower. It will happen through one of two main mechanisms:
- Through the leadership layer embracing the learning and educational aspects of cyber security to improve their understanding; or
- Through generational change – those people moving on through retirement, redundancy or being made to move on. And this is starting to happen.