Recently, Security Management interviewed Roger Warwick, CPP, managing director of Pyramid International. Warwick will speak about the importance of international security standards, and about how security professionals can influence the direction of standards development, during his session at the ASIS International 55th Annual Seminar and Exhibits. During the interview, we asked Warwick about the value of international security standards, why open standards don’t give adversaries an advantage, and why security professionals no longer operate with a military mindset.
What will you be presenting on at your session, Roger?
I’ll be presenting on standards in general as well as standards on supply chain security and operational resiliency. They all have to do with ISO-type security standards and ASIS Standards and Guidelines.
Generally, where does your expertise lie?
I’ve been a security consultant for 30 years now. But I got specifically interested in standards in 2004-2005 when I qualified as lead auditor for ISO 27001, which is the information security standard. Up until that date, there was no ISO-recognized international security procedure standard. ISO 27001 was an upgrade of a British standard called BS 7799, which was just a British national standard. It became an international standard in 2005, and I immediately signed up for the course to become qualified. That opened the door for professional, international security management standards. Later on, in 2008, I qualified as a lead auditor for ISO 28000 for supply chain security, and I am currently dedicating a lot of time to this sector.
A lead auditor is somebody who is qualified to go out and audit companies that intend to certify. The value a security professional gains when certifying as a lead auditor is the prestige and credibility you get when you go to a company offering consultancy on information security and you say, “I’m certified as a lead auditor under ISO 27001, which is the internationally recognized security standard for information security.” That gives you a hell of a lot of clout. Second, it means you know what the certification companies are going to be looking for, so you’re giving added value to your customers.
Why are standards so important to security companies working internationally?
Up until now, security has been dealt with as lots of separate factors. If you buy 10 books on security, you’ll probably find the same things somewhere within the books, but all presented in a different way. There was no way, walking into a building or an organization, that you could know whether they were respecting the same security principles that are being respected in another country or another organization without examining them step by step. Things were not in order. Security people were doing all the right things, but they were doing them as pieces, not as a process. The beauty of management standards is that you do things in a logical sequence. You can move from one organization to another and you know they’re doing it in the same logical sequence as well.
Let me play devil’s advocate: if there is one internationally recognized security standard for information security, will that make it easier for hackers to break through your defenses?
No, because a standard doesn’t tell you what to do; it tells you what to achieve. Now, if it were a list of things telling you what to do, then the answer to your question would be “yes.” It’s not telling you what to do and how to do it. It’s telling you what you need to achieve. There are tons of variations. There are updates and upgrades. And ISO standards use the Plan-Do-Check-Act (PDCA) principle. The main thing in the principle of PDCA is that you’re continually revising. So something that worked in 2009 will not necessarily work in 2011. It may be out of date. If a hacker reads the standard, the only thing the hacker will find out is that you are continuously reviewing your policy and your system. The only thing a hacker is going to learn is that it’s going to be a harder job in the first place.
Over the last year, what have you seen that scares you?
The problem now is that we went through our teething period. We had hundreds of thousands of hackers enjoying themselves and doing things often just for the kicks, sometimes causing trouble, sometimes not causing trouble. With the number of arrests that have been made, this has not died out, but we’re not talking in terms of that sort of quantity anymore. What we’re getting now is far fewer in quantity. Now what we have are the real criminals. They’re not doing that quantity anymore, but when they do it, they’re doing it thinking things through very well. And they’re doing it with a far higher chance of success than many thousands of kids had before.
The main danger at the moment is that sleepers are being used. Now, a sleeper is something that is sent, that is received. And when you receive it, you don’t realize you received it. The sleeper closes the door behind itself and lies dormant for some time. Every time you switch your computer on, that sleeper gets an update, so your antivirus is a day or even minutes late. The only way you can defend yourself against that sort of attack is by taking one computer out of the loop for a week and then running a new antivirus on the computer to see whether the new one, which has been updated during the week, will catch the virus that was put in a week before. Finding a virus that was planted a week before means you know full well it’s on the rest of your computers, but you can’t find it because it has been updated. And then you have to make some serious decisions. That’s messy and that’s complicated, and nobody’s doing it, obviously.
So it’s a piece of malware that lies dormant and then sends …
Or doing whatever it wants to do or doing nothing: it all depends. It may not do anything for a long time. It may do something at once. It all depends on what it’s being sent in there to do in the first place.
So we’re up against professionals as opposed to amateurs now. And there aren’t a lot of professionals out there, but a professional knows far more what he’s doing than an amateur does.
How much of your work can be offensive or proactive rather than just being reactive?
We are not IT experts as such. We have IT experts on board, but when we do information security, we’re not just looking at IT. We’re looking at the procedures and the way you defend yourself. It is not just how you use your computer. The information standard is not about IT. It’s not about computers as such. Computers are obviously very important because nowadays the bulk of our information is stored on computers, carried on computers, transferred from one computer to another. But the concept is not just the technical side of your computers; it’s a concept of “What do you do with your information?” “What do you do with your backups?” “Where do you store them?”
One example: We were consulting for a large multinational recently and everything looked like it was going very well. They had their research and development sector well fenced off from everybody else. They did their backups very frequently, and I asked, “Where do you store your backup disks?” And they stored them in the same place where they stored all the other backups, where anybody could get to them. That’s where people slip up.
What does the standard say about that? Do you have to store that information off-site, somewhere separate in case a fire breaks out?
You have to either store off-site or store where it’s safe. And it depends on the actual type of facility.
So this is what we were talking about regarding variations in achieving the standard?
The standard does not say you must store a backup every day and you must store the backup material 100 miles away. It doesn’t tell you that. It says you must do it as frequently as is reasonably necessary considering the sort of business you’re running. And you must store it where it is safe. Now, safe in one type of facility means a long way away, and in another type of facility means just around the corner. An auditor who is not a security professional risks making a wrong assessment by just going through a checklist without having a full feeling for what is really safe and what is really dangerous. Whereas a security professional should be able to understand what conditions dictate keeping the disk close by or a long way away, or making one copy or making ten copies. The standard doesn’t say you must make ten copies. The security professional should know whether the conditions are such that you should make ten copies. But the standard doesn’t tell you that you have to do this. The standard just says you have to make sure you make sufficient copies frequently enough and that they are safely stored.
That’s the value of the consultant?
Precisely. This is why it’s so important for security professionals, both external consultants and security managers within companies. For the consultants, it means getting work and providing value-added services to customers. For the security professionals within companies, some things they will do for themselves hands-on. For other things they will understand and be able to evaluate the work of consultants.
How often do you find that someone has your expertise within an organization that you’re consulting for?
The day after tomorrow, our IT guys are going up to the Italian branch of a major multinational to do the technical side. I’ve already seen from the visit I made last week that they have many security holes. They have an IT guy who is well qualified to fix your computers when they don’t work, but his job starts and ends there.
Many companies just see the IT guy as being a maintenance guy. And they don’t realize how well the IT guy should be working together with legal and human resources and working on procedures. They’re still thinking in terms of the guy with the screwdriver.
Many companies don’t think of the IT guy as bringing sophisticated, diverse skills to the organization?
No. They may be very good IT guys, technically. But rarely, if ever, have they been sufficiently prepared and briefed into the concept of what they’re doing and why they’re there in the first place. This is the weak point.
When we first started speaking, you spoke about resiliency. What are your thoughts on resiliency? Where do you stand on the philosophical divide where some security professionals promote prevention while others promote resiliency?
There are two things here. Resilience means you have to be pragmatic; you have to be realistic. You can’t prepare and defend against everything. Something is going to get through the net so you need to know what to do when something slips through. How to do business continuity? How to get back in business again?
The resilience thing is important because it’s the next step up from the single standards. Before there were standards, there were just a lot of single components: single components for supply chain security, transport security, information security, etc. Standards are putting these sector components into one. They’re being put together following the same order and the same management philosophy, which makes it easy, if you’re moving from one sector to another, to understand what’s being done and what has to be done. It also makes it easy for general management to understand what security people are doing and for security people to understand what general management is doing, which is something that has never happened before. That’s the first important step.
The next step is resilience, because resilience is going to put all the security standards together.
So when security standards are done right, they promote resilience?
Certainly, when security standards are done correctly. And when, eventually, security standards are merged together with other security management standards and merged together with general management, this will automatically contribute to resilience.
So there’s a push for comprehensive security standards?
Oh yeah. They’re starting off as a single sector, but by being able to communicate with each other, they’re going to become comprehensive. And you’re going to have add-ons. Instead of starting from scratch each time, you just have an add-on.
If you go back to the fifties and sixties, security people had a funny idea that no one should know anything about security apart from us. “What do you know about security?” they’d say. And “We’re here, you’re safe.”
Wasn’t the logic behind that philosophical stance the idea that you had to keep security information secure because security professionals at an organization were the only ones that knew its vulnerabilities?
Well, we’re not fighting a war are we? The thing is if you start analyzing it, you’ll find that out of ten things, only one of the ten really has to be kept secret from a security point of view.
So is security management moving philosophically away from a military mindset?
Certainly, we’re on civilian street here.
Is that because security professionals realized they’re not under siege?
Yeah. In the old days, security officers used to sit in a room somewhere distant from everybody else, with badges and things on the wall saying how good they’ve been in the past. Those days are changing very, very quickly. A security person has to be a manager, the same way someone in production does, the same way someone in marketing does, the same way someone in human resources does.
They used to call security, “guards, guns, gates, and dogs.” But it’s not that way anymore. Okay, you still have to lock doors, but very often what is of most importance to a company is not something material that can be picked up by somebody breaking into the building. It’s information or reputation. For a private school, reputation is the most important thing of the lot. If they lose their reputation, no one will pay to send their kids there anymore. But if they lose some capital investment or the building burns down, they can replace those things. If they lose their reputation, it’s all over.
This holds for others. Think about a pharmaceutical company losing its reputation. Have you heard of the Tylenol incident?
Yeah.
When Tylenol happened, Johnson & Johnson was so professional and so quick in informing the public and getting the stuff off the shelves that at the end of the day, their reputation was enhanced. If they had muddled around keeping it secret and said, “We better not tell anybody or there’ll be panic” and “We should get stuff off the shelves and not tell anyone,” they possibly would have gone bankrupt.
I think that goes to the feeling that people want to believe corporations have their best interests at heart, and generally I think the public is very skeptical of that.
You need to tell people. This is getting back to the fact that security is far better off being open. There are times when security has to keep something under cover, but that is not the rule; it’s the exception. But when you do need to do it, you need to do it in an efficient way.
Full coverage of the ASIS International 55th Annual Seminar and Exhibits is available from Security Management.