Are parents better security managers?

It has been a while since I have been posting here but my family and my job kept me quite busy. Especially my role as information security officer in my company with a successful ISO 27001 certification took its effort over the last couple of months.

Anyway new ideas regarding security and privacy are popping up in my head all the time and I am glad to find this moment to write one of them down and spread it.

This post is about a topic that I have been thinking for quite a while now. Being father of a 2 year old son I see quite some similarities between parentship and security management and I even think that being a parent made me also a better information security manager because I stay calmer in difficult situations like incidents.

As parents you have a lot more situations to deal with that need urgent response to some kind of incident like overfull diapers or your kid running towards the busy street etc. and you learn to and will stay calmer. You also sharpen your sense for what could go wrong – I call it my daily risk analysis. I regularly have to judge what my kid(s) can do like climb somewhere or play themselves outside and what I want to (try) to avoid them to do like run on the street by telling them not to do it and/or locking the fence.

Like in the role of an information security manager as a parent you will not be able to mitigate all risk because kid(s) should not be overprotected and parents do not have the time and energy to control everything. Also there are other stakeholders you have to consider like your partner or your employer that might have different thoughts on how much protection or time your kids need.

This is very similar in a business environment. You will usually not be able to mitigate all information security risks because cost and effort will be too high and too much restriction might have a negative impact on your business. Also time and ressources for information security are limited so that controls have to be prioritized according to the risk level.

But finally there is one huge different: when raising kids parents have to deal with a lot more safety issues than an average information security manager. And what is one of the most important thing you learn in your information security education? Safety (protection of human lives) is always more important than security 😉

Data minimization, Digital innovation & Security

I have been joining the KITS Conference in Berlin recently and there have been lively discussions about privacy as enabler or disabler of the digital future in Germany. Startup consortia and inter-trade organizations like BITKOM think that data minimization is no longer acceptable because it hinders digital innovation. And also at the German BSI IT Security Congress have been statements like “We no longer need data minimization. We need to secure our data.”

Apparently those people have a different understanding of security. In my eyes security protects assets like data to reduce risks. Risks are usually determined by multiplying the likelihood with the impact. E.g. the risk that an administrator maliciously steels your data by downloading it from the database could be reduced by lowering the number of admins by 50%. This will lower the likelihood and the corresponding risk by 50% as well. The impact is influenced by the amount of data and its criticality. If you practice data minimization the amount of data and consequently the impact will be reduced. Thus, data minimization is like the need-to-know principle very important for security because it lowers the impact not only for one risk like data theft by administrators, but for all risks associated with this data set. Furthermore anonymization and privacy by design can help to perform data analysis anyway.

And IMHO the digital future in Germany is rather hindered by a risk-averse and a bit old-fashioned culture than by data minimization 😉

Cybercrime affects Germany most

According to the study Net Losses – Estimating the Global Cost of Cybercrime published by the Center for Strategic and International Studies (CSIS) Germany loses 1.6 percent of its gross domestic product (GDP) because of cybercrime. This is more than in all other countries. Second are the Netherlands with 1.5 percent followed by Norway and USA with 0.64 percent each. One reason for Germany’s high loss numbers could be the recent efforts to collect and publish cybercrime incidents, but of course also a lack of security measures in German companies.

Environmental Risk #1: Air Pollution

The World Health Organization (WHO) recently published a report with new numbers of dead people because of air pollution each year: 7 million worldwide – most of them because of stroke and heart and lung diseases.

This is more than twice as high as previously estimated and thus air pollution is the biggest environmental health risk now. And even in Europe 600,000 deaths are linked to pollution according to the WHO study and the German SPIEGEL reports that particulate matter pollution in some German cities like Berlin or Leipzig is significant.

Of course pollution is not a direct risk to data centers or IT equipment like an earthquake or flood, but it has a significant influence when it comes to sustain one of the most important resources for IT: Skilled people. Pollution already influences decisions about whether to outsource IT to certain countries especially in South-east Asia. It becomes harder to find employees from Western countries that are willing to build up a subsidiary or manage partners in these countries if there is significant pollution in this area.

And pollution might even be a risk to IT operations in case administrators are not able to leave their homes due to high Pollution if critical maintenance has to be done on-site. So pollution definitely becomes a topic for information security considerations and a gas mask might be standard equipment in your future emergency kit.

False Risk Perception

I recently read an article about eight people having died in a medium German city last year because they walked over red traffic lights and have been hit by a car. They apparently had the feeling they had everything under control, but they underestimated the risk. The story reminded me about the daily business of information security people having to deal with risk perception of their managers and employees – luckily without casualty. But in a much more complex environment that is hard to oversee. False risk perception is typical for human beings. There are studies saying that the number of deaths of the 9/11 attacks was exceeded by the number of deaths caused by additional car accidents because people chose to drive instead of flying and driving is much more dangerous than flying.

As it seems there is also a false risk perception about terror attacks and the NSA spying. The NSA only contributed to the prevention of 4 out of 225 terror cases since 9/11 according to a study of the New America Foundation. The rest was prevented by the police etc. If there is only a small number of suicides because people are identified as terrorists by mistake because of misleading correlation results of the NSA, the spying would not only help to save lives, but even “kill” additional people. But I doubt there are public reports on the impact of such false positives.