Robert Garigue was the CISO of Bell Canada and Bank of Montreal. I only met him and heard him speak once, and that was over a decade ago, but I learned a tremendous amount from him. Garigue's insights continue to resonate, which is an impressive accomplishment: back then Infosec simply did not have the traction it has today, yet he could see where things were moving and, better still, had great ideas on how to organize security practices to deal with unfolding events.
Here are some of the main things I learned from him.
Finding a way to be effective
Garigue talked about the two most prevalent CISO models - the good cop (jester) and the bad cop. The jester CISO
Sees a lot
Can tell the king he has no clothes
Can tell the king he really is ugly
Does not get killed by the king
Nice to have around but…how much security improvement comes from this?
The jester has happy customers! At least for a while.
We have all seen the bad cop CISO:
Changes happened faster than he was able to move
Did not read the signs
Good intentions went unfulfilled
A brutal way to end a promising career
Sad to have around but…how much security improvement comes from this?
Obviously these models of CISO are not solving our information security problems. Instead, Dr. Garigue points us to Charlemagne as a better model:
King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.
He set up schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court, encouraging the development of a standard script.
He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
He relied on Counts, Margraves and Missi Dominici to help him.
Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.
Missi Dominici - Messengers of the King.
This is the way forward! Find and grow security champions in the development, test and architecture groups, and help them understand the real security issues. They will find solutions you have not thought of. Same for DBAs, same even for business analysts. Better still, these people will know ways to integrate security into the architecture, and security is all about integration. It's all about beating the bushes, education, and decentralizing security services.
Back in 2004, security did not have the mandate it has today. It was mostly losing 9 of 10 battles, and for the one it did win the most common response was to centralize security services and delivery. In practice, this meant cramming one service after another into a network DMZ and assuming this Helm's Deep approach would somehow hold Rohan and Middle Earth together. Never mind that Helm's Deep was supposed to be the last resort for the final stand, not the first and only option. Garigue saw early on that centralization was not going to scale and, more to the point, did not map to how business or technology actually works. Instead, security must establish ways to decentralize security services. In Garigue's thinking, the goal is to find the "locus of control", which could be policy (rules), infostructure (content) and/or infrastructure (technology).
Importance of application, data, and identity in security
When I met Robert Garigue in 2004, the identity and AppSec world was very small; I think you could fit everyone in the space into a mid-size suburban Starbucks. Garigue was way out in front in recognizing that information security was not a separate discipline; rather, its organization should be "the result of the knowledge transfer process."
And so really our job is not just to move along the curve above, it's to map and deliver those security services to knowledge networks.
What I really appreciate about this view is that it's not security as a static topology; instead Garigue shows security working at different levels in a living, breathing system.
Garigue compared Infosec to dentistry: you need a group that specializes and keeps up with the latest developments in the field, but you do not go to the dentist to brush your teeth. Way back in 2004, Garigue said that security teams should eschew running the firewall team; if you have a network, you have to have a firewall. The security team should own the policy and run tests against it, but setting firewall rules is the digital equivalent of brushing your teeth.
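That split, where the security team owns the policy and the tests while the network team owns the rules, can be made concrete. What follows is an added example and not Garigue's material or anything from the original post: a small Python policy test run against a constructed firewall rule set. The zone layout, the rule format, and the policy identifiers P1 through P5 are assumptions made for the illustration; a real run would pull the rule set from the firewall and the zones from the network team.

```python
"""Policy tests over a firewall rule set.

The security team writes the policy (P1-P5 below) and runs these checks;
whoever runs the firewall sets the rules. Zones, rule format and policy
identifiers are constructed for this example, not taken from any real network.
"""
import ipaddress

# Constructed zone layout: internet-facing DMZ, application tier, database tier.
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db":  ipaddress.ip_network("10.30.0.0/24"),
}
ADMIN_PORTS = {22, 3389}  # SSH and RDP


def rule(action, src, dst, ports):
    """Build one rule in the (assumed) rule format used by check_policy()."""
    return {"action": action, "src": src, "dst": dst, "ports": ports}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _ports(spec):
    """Expand 'any', '443', '80,443' or '8000-8010' into a set of port numbers."""
    if spec == "any":
        return set(range(1, 65536))
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _is_external(net):
    """A source is external if it is not wholly inside one of our zones."""
    return not any(net.subnet_of(zone) for zone in ZONES.values())


def check_policy(rules):
    """Return (rule_index, policy_id, message) for every policy violation."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        src, dst, ports = _net(r["src"]), _net(r["dst"]), _ports(r["ports"])
        # P1: an allow any->any:any rule shadows every rule after it.
        if src.prefixlen == 0 and dst.prefixlen == 0 and r["ports"] == "any":
            findings.append((i, "P1", "allow any->any:any shadows later rules"))
            continue  # the remaining checks would only restate the same problem
        # P2: external sources may only land in the DMZ.
        if _is_external(src) and any(dst.overlaps(ZONES[z]) for z in ("app", "db")):
            findings.append((i, "P2", "external source reaches a non-DMZ zone"))
        # P3: admin ports are never exposed to external sources.
        if _is_external(src) and ports & ADMIN_PORTS:
            findings.append((i, "P3", "admin port exposed to an external source"))
        # P4: the db tier is reachable only from the app tier.
        if dst.overlaps(ZONES["db"]) and not src.subnet_of(ZONES["app"]):
            findings.append((i, "P4", "db tier reachable from outside the app tier"))
    # P5: the rule set must end in an explicit default deny.
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and _net(last["src"]).prefixlen == 0 and _net(last["dst"]).prefixlen == 0):
        findings.append((len(rules), "P5", "rule set does not end in a default deny"))
    return findings


# Constructed rule sets: one that passes the policy and one with typical drift.
GOOD_RULES = [
    rule("allow", "0.0.0.0/0", "10.10.0.0/24", "80,443"),
    rule("allow", "10.10.0.0/24", "10.20.0.0/24", "8443"),
    rule("allow", "10.20.0.0/24", "10.30.0.0/24", "5432"),
    rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]
BAD_RULES = [
    rule("allow", "0.0.0.0/0", "10.10.0.0/24", "80,443"),
    rule("allow", "0.0.0.0/0", "10.30.0.0/24", "22"),       # P2, P3, P4
    rule("allow", "10.10.0.0/24", "10.30.0.0/24", "5432"),  # P4
    rule("allow", "0.0.0.0/0", "0.0.0.0/0", "any"),         # P1
]                                                           # no default deny: P5

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_policy(rules) or "policy OK")
```

The checks deliberately say nothing about how the rules are written or which appliance enforces them; that is the network team's teeth-brushing. What the security team keeps is the policy, expressed as tests that run on every rule change.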
The relationship of business and security
Garigue said security and business are not enemies; security is a business enabler. Because we have brakes in a car, you can drive 60 mph on the highway and get home safely. Anyone who has been in an accident at 25 mph knows that hurts, so without brakes we cannot even drive 25 safely, but with brakes we can move much faster and more safely.
Information Security is fundamentally about integration
This one is my favorite.
Information is messy, unpredictable, and powerful. Security rests on the illusion that we can partition our system a priori into known secure and insecure states. The combination of these two opposing forces will always be a debate. Our job in security is to make sure it's a constructive debate and not the destructive one it so often becomes.
Coping with risk
"Knowledge of risky things is of strategic value
How to know today tomorrow's unknown?
How to structure information security processes in an organization so as to identify and address the NEXT categories of risks?
This is the mandate of Information Security"