Why Root Cause Analysis is a Vital Part of Your Security Improvement Journey

At CyberCrowd, our mantra is that we always help our clients make informed security decisions. We think this approach empowers our clients and improves their thinking about cyber security. For example, informed security decisions provide clarity when building business cases, give a greater understanding of business assets and, more importantly, enable a pragmatic view of Information Security.

It sounds easy when you read it out like that. Unfortunately, it's not easy at all. It requires a tremendous amount of business smarts, experience, confidence and patience. When you throw into the mix our industry's fragmented, everything-proprietary, "let's scare everyone into buying our solutions" approach, it's really not surprising that we fall into a problem-solving mindset rather than addressing the root cause.

Before we attempt to fix problems or work on improvement, our job is to instil a base-level understanding of what Cyber Security actually is and what it involves. Putting it another way, we're attempting to put in place a solid foundation. That foundation is built on three key facets: People, Process and Technology.

These three facets really do rely on each other. For example, there is no point introducing a technology solution to a security problem without addressing staff awareness, policies and procedures (People and Process).

With the appreciation that cyber security is not just about technology, comes the freedom of being able to hold off making immediate decisions. Of course, decisions need to be made, however they can be made with information taken from looking through a different lens.

For example, if your issue is that you lack control over admin accounts, you know you have a serious problem. If you're in the midst of drawing up a shortlist of vendors that can help you with this issue, then arguably you need to take a step back and carry out some root cause analysis.

You’ll likely end up asking some of the questions below:

1. Do we have a policy regarding how we manage admin level credentials?
2. Do we have a process for checking the ongoing effectiveness of the policy?
3. Are there consequences for anyone who misuses admin credentials?
4. Have we trained our staff on the risks of common threat vectors for privileged users?
5. What are the impacts?
6. Who is responsible for security in my business, and do they have the authority to drive change?
7. How do we know who has admin level credentials in our business?
8. Do they need this level of access?
9. Have we considered least privilege as an approach?

Depending on the maturity of the business, you might have a different list of questions. The point is, we have not jumped to the conclusion that a technology solution can help us to address the issue. We have taken a step back and explored why the business is in this position in the first place. We can now make some informed security decisions.

The answers to the questions drive the next set of actions. As a consequence of asking the questions, we improve our staff security awareness (People), perhaps create some policies and monitor any improvements (Process). We may well decide that we need to apply some technology as a belt-and-braces approach to the issue; however, we may also be comfortable that we have mitigated the risk (with a business lead for security) just by approaching the issue differently.

Following this logic provides us with the opportunity to deliver security improvements across the business. If the analysis determines that we need a technology solution, then we have a ready-made business plan to present to the board. In addition, we’re already thinking about the policies and procedures, so if we did need to adopt a new piece of technology, we can align it to our business goals.

Root cause analysis drives more questions. The focus is on addressing the real cause of the problem rather than its symptoms. If you've never applied it to cyber security before, why not try it next time you catch yourself thinking about how to fix something before you understand the real cause of the issue.

A starter for ten, using the 5 Whys from Six Sigma and applying it to our example above:

  • Why do we have so many people with admin accounts?
    • Because they tell us that they are required?
  • Why don’t we have a policy for admin account usage?
    • We do, however they do not follow it?
  • Why do they not follow the policy?
    • There are no consequences to not following it?
  • Why are there no consequences?
    • The owner of the original security policy has left the company, so no one has ultimate responsibility for security now?
  • Why has this not been escalated to the board of directors?
    • Good point.

If you’re struggling with this, or would like some independent advice or mentoring from experienced CISO level consultants, feel free to get in touch. We like a healthy dose of pragmatism and we promise we won’t try to sell you any security products.

Data Protection Bill – Statement of Intent

On the 7th of August the Department for Digital, Culture, Media and Sport (DCMS) published its statement of intent for the Data Protection Bill. The 'lines to take' from the PR surrounding the announcement focused on the public having more control over their personal data, including the 'right to be forgotten', and on a new right to require social media platforms to delete personal information on request.

GDPR and the C Word

There’s a very good chance that the ‘C’ word is used regularly by organisations in conversations relating to the General Data Protection Regulation or GDPR. That’s not the C word that I have in mind however.

I’m interested in ‘Compliance’.


Chris Gabriel Discusses GDPR with Technative

Our Group Chief Digital Officer, Chris Gabriel, spoke recently to Technative about the role of the IT channel in helping organisations to prepare for GDPR. Chris has blogged for us recently on the importance of privacy in the digital economy and believes that the IT channel can help organisations to prepare for GDPR despite it not being an 'IT problem'.

Organisations Must Match Personal Digital Experiences with Strong Personal Data Privacy

Like many today I am hooked and delighted with digital experiences. Like many today I am horrified and totally fed up with digital experiences.

I guess that is the world we live in. Yes, we are in a digital age, but an embryonic one, and because of that the potential that digital offers brings out the best in people and businesses and, alas, the worst in them. These best examples of digital really do delight.

GDPR and why the ‘G’ is for Gorilla


Anyone who has heard me talk about GDPR will know I don't feel it's particularly necessary to harp on about the coming apocalypse of financial super-sanctions. This is at least partly because we don't know how severely the ICO will impose fines, and partly because too much FUD ('fear, uncertainty and doubt') is already being peddled around the potential fines by others. Typically you'll find that I tend to focus on the operational (and technical) challenges that will come with the additional information governance obligations, enhanced data subject rights and the increased likelihood of civil actions by data subjects.
