ISO - It's a Bit Emotional

Monday, July 26, 2010

Javvad Malik


A few days ago my wife gave birth to a baby boy. I remember my Dad telling me that when I was born he had to send a telegram to let his parents know the good(?) news. But times have changed, who needs a telegram when you have a mobile phone?

Like all other information security professionals, my life is based around ISO 27001; therefore, in line with section 13.1 ‘reporting information security events & weaknesses’, I noted that I required a formal event reporting process. Luckily I was prepared and had the following process flow documented.

Turn on phone -> Find Dad's number -> Dial -> Wait for Dad to answer -> Give the news

Simple as can be!

However, something strange happened as I dialled the number. My fingers were a little more shaky than usual and my heart was racing. My mouth went dry, so dry in fact that when my Dad answered I could barely manage a croaking sound.

After several attempts, and with a quivering voice, I managed to spill the news out: “congratulations… … … … it’s a boy”. Well, something like that. It sounded more like “croooak ccrrkk rrkkk boy”, but he got the message in the end.

It’s funny how even the most rational person's body stops co-operating when things get emotional. Your decision-making ability is impaired and simple things such as walking in a straight line become quite challenging.

Now this got me thinking about how the big chiefs in organisations are supposed to act in the event of an incident. Yes, it’s all well and good having a documented process that states the steps you need to take if your entire customer database is compromised.

But in reality, if you’re the Chief Security Officer, then you’re under a lot of pressure. No ISO standard or certification will tell you how to deal with the emotional turbulence you’ll undergo, so I’ve taken the time to break the process down for you:

1) Shock
This sets in immediately, but for most it doesn’t last long. Unless you’ve got a bad heart condition, in which case this could spell the end. But it’s one of those situations where you think “surely, someone’s going to tell me it’s all a joke or there’s been a mistake”. Then you go on the BBC website, which confirms your blue-chip company has just managed to lose all of its customers' financial details. You can’t speak a word; it isn’t a joke and it isn’t a simulation.

2) Bitterness
This one gets ugly. Here is where you’ll probably say a lot of things you’ll regret later, like blaming the executives for not listening to your recommendations, or cursing the finance department for cutting your budgets. You may even resort to blaming your own team for their sheer incompetence. After all you’ve done for them, employing them, training them, the least they could do is do their job properly and not go to security conferences all year round. Expect lots of swearing.

3) Excuse-making
We only got compromised because our carbon footprint is too large and we had some tree-huggers infiltrate our organisation and compromise us from the inside. Or because I wasn’t allowed to go to Defcon this year the security gods were angered. Perhaps it was a covert CIA operation. Conspiracy theories will fly.

4) Despair
After 3 days at your desk, despair begins to set in. Everything is horrible and nothing is good. Life has lost all meaning and purpose. This is the stage where most people consider dusting off their 30-year-old CV, try to find out what LinkedIn is all about, and eventually decide on moving to Spain to hire out mopeds to British tourists.

5) Acceptance
So you lost some data. Big deal. Every company loses data and ultimately, with a bit of PR, the whole situation can be turned around. You can finally get the budget to implement cutting-edge security controls, and once your customers realise this, it will propel the company's share price to nosebleed heights never seen before. This stage will probably last around 30 years, and you’ll be telling that story as you remind people to return the moped with a full tank of petrol.

shawn merdinger: Spain. Mopeds. Me like.