You might not know David Lacey by name but if you’ve worked in infosec his work will be very familiar to you. He’s often called the father of the ISO 27000 standards for Information Security Systems Management.
I had an opportunity to talk with David Lacey at the recent AISA conference. We spoke about the current state of information security and the challenges facing vendors, users and professionals trying to make it all work.
“The problem I see is that security professionals are not allowed to practice real security. If you practice real security you’ll say ‘Get those people off the network’. If you do that you’ll be sacked and be unemployable,” he says.
As a result, he says, information security professionals “go native” and say that they are being “business aligned”.
Lacey says, “But what they mean is they’ve gone soft and are not standing up to the business. The business doesn’t want to do security. Nobody in their right mind wants to spend money on security when you can blame IT when it all goes wrong.”
Security professionals need to challenge the business more rather than bending to its whims.
Lacey agrees with another AISA speaker, Jane Frankland, on the importance of gender diversity in information security. When running large security departments, such as at Royal Mail, he often preferred to hire women as they were better negotiators.
“Women tend to be more tenacious, they’ll use a bit of charm and have perseverance. They won’t take no for an answer and they won’t be bullied as much as men.”
One of the other problems Lacey identified is that many consultants are not much more than “spreadsheet operators”. Although they have spent a lot of time identifying issues by looking at data they aren’t problem solvers.
“With all the tick-box stuff we have, we’re breeding a generation of young consultants with no problem-solving ability or skills.”
When it comes to the role of users, Lacey says the systems we use aren’t designed to allow users to make mistakes. He contrasts this with aviation where systems are built with the expectation that mistakes will be made so appropriate controls are baked into the design.
“In security we don’t do that. If your password gets stolen or you get socially engineered - you’re screwed,” he says.
Another challenge is that we have a “blame culture”, says Lacey.
“In security, nobody ever does anything until something goes wrong, and then they sack somebody to show they’ve ticked the box, blamed somebody for it, and then the board is blame-free.”
In contrast, Lacey says safety inspectors look for the underlying root cause.
“It won’t be the person. Why did the person make the mistake? Maybe he was put under pressure, not trained properly or not out in the facilities. Let’s fix those problems and not have a blame culture”.
People want to get things right, but they aren’t given the right education and opportunity, he says. In particular, Lacey says many education programs are very condescending and unsophisticated.
When it comes to vendors, he says they don’t really have research labs that develop true solutions.
“They tend to jump on a big bandwagon, whether it’s big data, AI, immune system concepts - a lot of this is marketing. What we are seeing is a lot of identical solutions being developed by everyone”.
Lacey also pointed a finger at the number of false positives many systems generate. For example, while alerts were generated during the 2013 Target hack, Lacey says it’s possible so many were raised that it was simply impossible for the real problem to be easily identified. And because the real alerts were buried, the CISO was sacked.
“There’s a problem with the usability of these tools”.
Lacey’s most recent work is a massive undertaking. He is working on a database that joins physical objects and actual processes directly with compliance systems. While many say standards foster a lowest common denominator approach to security, he says that by linking compliance with real activity we can make compliance far more valuable.
“If we can ask real questions about real things and record information about real events, activities and objects, then that might work.”
Ultimately, Lacey believes his invention will be able to automatically scan a network and automatically complete, for example, an ISO 27000 questionnaire. However, it will work with other standards so that compliance checkboxes are managed automatically and security teams can focus on solving the bigger issues of usability and resilience.