4.8 The Verdasys rich picture
This example of a rich picture comes from Emeric Miszti, Vice President of Enterprise Information Protection at a computer security software company based in the USA, with offices and clients across the world. The company works with large, often multinational, organisations to help them to improve their computer security processes.
Activity 10 The Verdasys rich picture
Miszti drew a rich picture of how he is able to capitalise on an opportunity presented by clients he meets with every day. His rich picture depicts the complex work that Chief Information Security Officers (CISOs) manage and how he helps these clients to improve their data security systems.
Transcript: The complex web of relationships for a CISO, a rich picture by Emeric Miszti
Transcript of Emeric Miszti’s rich picture
This is a description of my rich picture. At the centre of the diagram is the CISO. In organisations the CISO is the Chief Information Security Officer, who is in a complex web of relationships and usually reports to the CIO (or the Chief Information Officer) of that company. The CIO usually reports to a board of directors and is responsible to the board for the delivery of the company’s technology. Security is perceived to be a part of the technology function, which in itself is part of the problem that I describe.
When dealing with technology and data, there are conflicting objectives. There’s data availability, data integrity and data confidentiality. The CIO is most interested in the availability of the data because the technology function is usually assessed on the data being available when a user requests it. This means: is the computer network working? Or is that particular server up and running? But the [CISO] is responsible for all of it – whether it’s available, whether it’s secure, and whether it’s confidential. Think about when you give your credit card details to a company – sure, you want that data available, otherwise your transaction wouldn’t be authorised; but you also want the company to keep it secure and confidential, as well as accurate.
So the CISO has all kinds of relationships they need to deal with. Within the company, you will have on-site employees and remote workers. You will also have third party relationships. There are companies that also have access to the company’s data – this can include places like call centres. These employees and third parties will have two-way access to the data – contributing to it and using it. They can also remove it, for example on CD-ROMs, USB sticks, telephones, smart cards, hard drives and portable or mobile data.
In terms of employees, you will usually have three types:
There are the good people who know what they’re doing to keep that data secure.
There are the good people who do the wrong thing. They make mistakes, like leaving their laptop on a train or sending files by e-mail to the wrong person. This is actually one of the biggest problems that a [CISO] faces as this accounts for the majority of users.
And then there are potential rogue employees – they may want revenge, or they may be committing fraud.
And out in the big, wide world, there is the evil hacker! I’ve represented him with a skull and crossbones. The evil hacker, of course, is interested in both the network and the data for very different reasons: monetary incentives, to cause trouble, just for fun, or because they’re nasty (here represented as a devil), or simply, in the case of many teenagers hacking for the first time, just because they can. The evil hacker is not only interested in hacking into the network but also attacking by getting in touch with employees through social engineering. You can secure the network with technology, but if an employee can be talked into giving away sensitive data or their password, then all the technology in the world isn’t going to do anything to protect the data.
Then on the left of my diagram I’ve put various other stakeholders. The government, and here, lots of individuals whose data it is, and potential customers, and regulators and auditors. And a very big one is the media.
The government makes laws having to do with data protection. Along with auditors and regulators, these entities put a lot of pressure on boards to keep their data secure and confidential. And boards need to respond to these issues, which then puts the pressure on the CISO.
Customers and clients will give you lots of their data, and you may also give them data in return. This is a huge responsibility.
And of course, the media is sitting out there waiting to report where you’ve messed up in any way in any of those relationships – and there are rich pickings at the moment! Here, I’ve got a telescope pointed at the company.
Then with the company, you have the compliance person, the legal person, the fraud person, HR and physical security. Compliance is making sure that the company complies with the auditors and regulators and the government. Fraud is keeping tabs on employees, especially the ones that have evil intent. HR is focused on the employees and employee-related issues. Physical security is watching the computers and keeping the technology ‘safe’. Legal is concerned with what everyone does, really.
And it all focuses in on here – data – so data is really, actually, the centre of my diagram. The CISO, however, is traditionally focused on the network, but no one really knows what the critical data is, where it is, or how the users are using it. Consequently, they focus on the technology, because that’s easier to protect than the data itself, which you don’t know. The problem is that this has caused massive failure throughout all sectors. According to KPMG, 250 million individual customer records were lost in 2009 alone worldwide. If you take the world population to be 6 billion, that’s 5 per cent of each person’s records, or you have a 1 in 20 chance of having your data stolen or lost in any one year!
There’s a lot of people involved in this situation, and everything always comes back to the data, with the CISO being the one that’s primarily responsible for it. So the challenge for the CISO is preventing the data from getting outside of the organisation off to the evil hacker or the bad employee, or indeed, just lost through negligence – because all of this will end up in the media. And if it ends up in the media, that affects the company’s reputation, sales, credibility, may cause them to be fined, and ultimately will affect the company’s bottom line.
So the CISO has to build relationships (here I show that with two hands shaking), being aware of what’s out there (viruses, for example), developing employee education programmes in data security – and really, all of these things should be through partnerships and relationships (for example, with HR). But with the CISO focused solely on the network – finding technological solutions rather than on these things – that’s where we have a problem. The CISO needs to expand their view to include these relationships and these other approaches. They need to understand the business – what the users are doing with the data. And the location of that data, which is, really, anywhere, as you can see from this diagram.
Much of my work at Verdasys is consulting with these companies to help them see how the Verdasys software and process can help them with all of this: help the CISO to understand where the data is, understand the business processes that underlie the data and how it’s used, how to educate their users in real time, how to protect the data, how to comply with laws and regulations, and to facilitate the building of relationships by making data accessible to those who need it when they need it.
If I redid this diagram, I guess I would put the data in the middle and then put the CISO on the side along with the other people in the company. Because it is, really, all about the data. If the data’s not available you’ve got no business. If the data can’t be trusted, you have no business. And if it’s not kept confidential, you face a whole load of impacts, reputation, fines from regulators and government, hits to your credibility – eventually to sales and your bottom line. How can you keep your data available when you don’t know where it is and where it sits outside your perimeters where you have no control over it? That’s what my diagram is showing.
As you can see, the issues that Miszti discusses are quite complex, involving many different stakeholders. There is scope for both potential problems and opportunities in these issues – and the rich picture helps to illustrate how each of these is related to the other. It is also interesting that, after doing the rich picture, Miszti found that he would have made ‘data’ the centre of his picture rather than the CISO.
Drawing rich pictures is very much tailored to individual situations. The Further reading section of this course also provides links to a YouTube video of someone describing their rich picture and other information for using visual illustrations to develop and depict organisational issues and solutions.
Throughout this section, you will discover different methods for thinking creatively about your work and associated management issues. In the next task, you are asked to try out one of the methods discussed in the CPS material.