Core business application on a legacy infrastructure

I’ve had the privilege to work for many different organisations in my career. Some of these organisations had one common challenge: maintaining their core application on a legacy system and upgrading it to the latest technology to make it more reliable, highly available, scalable, secure and cost-effective. This is for obvious reasons – reduce the business impact, improve productivity, improve work efficiency and eventually improve staff/customer satisfaction. In this article, I’ll be sharing my strategy and approach to mitigate the risk of running core applications on a legacy system and finding the right solution for the business.

Before we delve into a mitigation plan and long-term strategy, let’s understand some of the challenges.

Challenges

  • Support and maintenance – OS patching, unsupported software versions, system or device dependencies and people dependency (lack of in-house knowledge), e.g. whoever wrote the application is no longer with the company, so the knowledge has gone with the person. Another issue could be that the business cannot afford application downtime for maintenance due to the criticality of the system, e.g. a trading application for financial services can cost millions if down for a few minutes, and a patient record system for a healthcare service can be life-threatening if down for some time.
  • Security risk – system vulnerabilities due to missing patches or unsupported hardware and software. Unauthorised access to the system, as it might not have appropriate controls in place due to system limitations, which can lead to data loss. Unplanned service outages can damage the business reputation and cause unexpected financial loss to the organisation.
  • Lack of integration with other applications/ devices to improve the overall user/ customer experience.
  • Compliance issues – the system doesn’t meet compliance requirements of the organisations.
  • Not aligned with the organisation’s vision
  • Performance issue
  • Staff training and usability issue
  • and the list goes on…

Now let’s discuss the mitigation plan or short-term strategy to overcome the situation temporarily so we can plan for a better solution.

Short-term strategy

  • Engage vendor or 3rd party in supporting the system
  • Conduct risk assessment to understand the risks, business impact and dependencies.
  • Virtualise the system if the application is running on a physical server. This will give a bit of flexibility in adding more resources to the system to improve performance and remove the hardware dependency.
  • Segregate network and move the system to a separate network if it’s not already.
  • Document all processes around the legacy system, including service owners, emergency contacts, support contract, known issues, troubleshooting guide, workarounds, how-to guide, BCP etc.
  • Awareness and usability training for staff – It will enable staff to be more familiar with the system and processes around it.

Long-term strategy or finding the right solution

  • Establish the organisational context – organisation’s vision, objectives, workforce, culture and customer
  • Share your vision with the vendors or trusted suppliers to find the right and cost-effective solution in line with the organisational goal.
  • Consider high availability, scalability, reliability and security of the solution.
  • Do a cost-benefit analysis and create a solid business case to get top-level buy-in.
  • Engage key people, e.g. business managers, process owners, project managers, IT and Security, in the design and implementation phase (review security in every phase of the project).
  • Conduct a risk assessment after the implementation phase to understand the risks, so they can be treated before the solution goes live.
  • If the solution is hosted or a cloud solution, review the contract thoroughly and ensure the provider complies with your security standards and that you have the right to audit them periodically.
  • Train staff and make it a part of the new employee onboarding process.
  • Decommission the legacy system.
  • Lastly, embrace the new change…

‘The Only Thing That Is Constant Is Change – Embrace it.’


How to Assess an Organisation’s Security Posture – a beginners guide!

For years I’ve been helping organisations get the best out of their people, processes and technologies. This has also enabled me to learn and evolve on both a professional and personal level.

In the last few years, I’ve been to countless meetings, seminars, open houses and security summits where a large number of the business and IT leaders from various organisations expressed similar concerns regarding the security posture of their organisation. Most of them have a different or ad hoc approach to improving their security posture, which is fine when you don’t have dedicated security staff. At least something is better than nothing!

This article is aimed both at those who wear multiple hats in their IT department, including responsibility for cybersecurity, and at those from a technical cybersecurity background working in a more leadership role.

During such gatherings, I was mostly asked this fundamental question:

“How to determine a starting point when talking about improving the security posture? In other words, where to start?”

Those conversations prompted me to present, at one such seminar, a pragmatic approach based on my real-life experiences in the trenches. Here I’m sharing my high-level strategy which I believe would benefit organisations that want to improve their security posture but don’t have the budget to hire a CISO or dedicated security staff, or for similar reasons.

Before starting with the main topic, I want to make one point very clear: the success of your security programme heavily depends on one thing, and that is top-management buy-in. I can’t stress enough how important it is to have full support and governance from the top.

As security professionals, our job is to act as evangelists to transform the mentality and culture of our organisation. As leaders, sometimes we have to use different tactics in different situations to convince the audience or our organisation/business that Security is a business enabler, not a blocker. But that itself can be a tough job!

Now coming back to our main topic: where to start? Once you get the green light from top management, it’s time to create a high-level strategy and find the right approach to start the programme, as there is no one-size-fits-all. There are different frameworks available which can be used, e.g. COBIT, SABSA, NIST. However, I use these frameworks as a guide to follow industry best practices and use my experience to create my strategy on how to kick off the programme. In my opinion, we should treat this initially as a project. Once you achieve the objectives set out in the project, this should become a part of the continuous improvement process. In Cybersecurity, there’s no such thing as a “perfect security posture”. As technologies change quite rapidly, so does the nature of attacks. It’s a continuous improvement process!

There are two phases in the assessment of the overall security of the environment:

Phase 1: Understand the organisational goals and other contexts.

In this phase, you will spend a lot of your time interviewing (meeting) the people of your organisation and reviewing processes and technologies, e.g. stakeholders, workforce, regulations, culture, partners, customers, competitors, the organisation’s objectives and risk appetite. The aim is to gather as much information as you possibly can, so you can analyse the data and get a clear understanding of who and what you are dealing with. Clarity breeds mastery!

Phase 2: Conduct a security assessment (Health Check) on your environment

  • Asset Characterisation – rank your assets based on their business value and impact. Consider the CIA triad (confidentiality, integrity, availability) while assessing the value and the impact. It’s imperative to know what you are trying to protect, i.e. your high-value assets. They can be tangible or intangible. BTW, this includes people as well.
  • Threat Assessment – assess the likelihood of attack. Generally, this is a scenario-based collaborative exercise between IT and the asset owner to go through what-if scenarios.
  • Vulnerability Assessment – rank potential vulnerabilities against all critical/high-value assets. The main reason for conducting a VA is to identify known security exposures in the environment and fix them, or put a control in place, so that they won’t get exploited by an attacker.
  • Risk Evaluation – determine the level of risk to all critical assets in terms of Impact x Likelihood = Risk, then prioritise the risks by that level.
  • Risk Treatment – the process of identifying the gaps between the current and the desired security of the environment and advising on the controls or countermeasures to mitigate, avoid, transfer or accept the risk. This exercise generally happens in Security Committee meetings, as key decision makers need to be present to make swift decisions on organisational risks.

Also, I was asked, “What area would you address first?”

Again, the answer is that it really depends on the outcome of the security health check/assessment report and on mapping the risks to the organisational goals. Based on the risk mapping, create a strategy to manage organisational risks as per their ranking in the report and get approval from top management or the security committee. Some of the risks can be addressed simultaneously if they don’t have any dependencies or budgetary constraints.

Few examples of Organisational Risks:

Based on the above example, let’s calculate how we determined the internal network assessment (2nd row in the table above) as a Critical risk. There are two methods to analyse risk: quantitative and qualitative. Here we are using the qualitative approach, which is quick and simple but subjective, compared to the quantitative approach, which is more accurate but time-consuming.

As per the security assessment:

Asset Characterisation – Internal network security (Critical)

Threat assessment – High (Likelihood)

Vulnerability Assessment – High

Risk Evaluation – Impact x Likelihood = Risk (based on the above table – Critical x High = Critical)

In the above scenario, the correct treatment would be to mitigate the risk by updating the firewalls, locking down VPNs to specific ports and source and destination addresses, segregating the network (VLANs) and allowing only authorised traffic between the VLANs as a baseline defence. However, there may be cases where you have to choose other risk treatment options. Most of the time, security professionals spend their effort on mitigating risk.
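To carry the calculation above through in code, here is an added example that is not part of the original post: it applies the page’s Impact x Likelihood = Risk step to a small risk register and orders the result for the health-check report. The four-point scale, the risk matrix, the sample register and the use of the vulnerability rating as a tie-break are my assumptions (the page states only the one cell Critical impact x High likelihood = Critical risk, and its table is not reproduced here), so the example goes beyond the single internal-network row by ranking a whole register.

```python
# Added example (not from the original post): qualitative risk evaluation over
# a constructed risk register, following the steps asset characterisation
# (impact), threat assessment (likelihood), vulnerability assessment and
# risk evaluation (Impact x Likelihood = Risk).
# Assumptions: the four-point scale, the MATRIX and the REGISTER are mine;
# the page gives only the cell Critical x High = Critical.
from dataclasses import dataclass

# Ordered qualitative scale, lowest to highest (assumed).
LEVELS = ["Low", "Medium", "High", "Critical"]


def rank(level: str) -> int:
    """Numeric position of a rating on the scale; rejects unknown ratings."""
    if level not in LEVELS:
        raise ValueError(f"unknown rating: {level!r}")
    return LEVELS.index(level)


# Assumed risk matrix: MATRIX[impact][likelihood] -> risk level.
# It reproduces the one cell the page states: Critical x High = Critical.
MATRIX = {
    "Critical": {"Low": "Medium", "Medium": "High",   "High": "Critical", "Critical": "Critical"},
    "High":     {"Low": "Medium", "Medium": "High",   "High": "High",     "Critical": "Critical"},
    "Medium":   {"Low": "Low",    "Medium": "Medium", "High": "High",     "Critical": "High"},
    "Low":      {"Low": "Low",    "Medium": "Low",    "High": "Medium",   "Critical": "Medium"},
}


@dataclass
class Risk:
    asset: str
    impact: str         # from asset characterisation (business value/impact)
    likelihood: str     # from threat assessment
    vulnerability: str  # from vulnerability assessment (known exposure)


def evaluate(impact: str, likelihood: str) -> str:
    """Risk Evaluation step: Impact x Likelihood = Risk, looked up in the matrix."""
    for level in (impact, likelihood):
        rank(level)  # raises ValueError on an unknown rating
    return MATRIX[impact][likelihood]


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order the register highest risk first. Among equal risk levels the asset
    with the worse known exposure (vulnerability rating) comes first; that
    tie-break is an assumption, not something the page prescribes."""
    return sorted(
        register,
        key=lambda r: (rank(evaluate(r.impact, r.likelihood)), rank(r.vulnerability)),
        reverse=True,
    )


def report(register: list[Risk]) -> list[tuple[str, str, str, str, str]]:
    """Rows of (asset, impact, likelihood, vulnerability, risk) in priority order,
    the shape a health-check report would tabulate."""
    return [
        (r.asset, r.impact, r.likelihood, r.vulnerability, evaluate(r.impact, r.likelihood))
        for r in prioritise(register)
    ]


# Constructed sample register (not the page's own table).
REGISTER = [
    Risk("Guest Wi-Fi", "Low", "Medium", "Low"),
    Risk("Public website", "High", "High", "Medium"),
    Risk("Internal network security", "Critical", "High", "High"),
    Risk("Staff laptops", "Medium", "Critical", "High"),
]

if __name__ == "__main__":
    for asset, impact, likelihood, vuln, risk in report(REGISTER):
        print(f"{asset:28} impact={impact:8} likelihood={likelihood:8} "
              f"vulnerability={vuln:8} -> risk={risk}")
```

Running it lists the internal network first as Critical, then the two High risks with the laptops ahead of the website because of their worse vulnerability rating; an unrecognised rating such as "Severe" is rejected rather than silently mapped, which keeps the subjective qualitative scale consistent across whoever fills in the register.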

This is a very simple example of assessing the current state of an organisation’s security.

As we all know there is no perfect state in security, it’s a continuous improvement process, so the regular assessments are imperative. This is a lot of work, and you can use different approaches to achieve the end goal. You can hire a 3rd party to do these assessments or do it internally if you have enough resources and expertise. I generally use a hybrid approach which is using 3rd party expertise when and where required to complement the in-house security team.

Also, it is essential to “speak in business language” when communicating risks to the business leaders instead of getting into the technical nitty-gritty of the risks. That way you have more chance of winning the confidence and support of your senior management.

Thank you for reading and happy learning!

Don’t forget to share your feedback in the comments section below.

What’s going on in my head?

I have always wondered why people react differently to the same situation which then leads to different outcomes – positive or negative. In the past I have had situations where I could have reacted differently leading to better outcomes. Sometimes that’s how we learn (from our mistakes) and evolve as human beings.

I’ve led many different teams and collaborated with various different people at all levels in the business. And over the years I’ve found that the way we react to certain situations is based on our past experiences, emotions, language, values and beliefs.

I remember a member of my team in a previous organisation used to have a short temper. All the other team members would avoid seeking any help from this individual because of his mood swings and behavior. In one of my one-to-one (121) meetings with him I shared my feedback and explained how it was affecting our team’s productivity. He went quiet for a few seconds and said “That’s how I am, can’t help it!” I asked some fundamental questions to dig deeper into this and explained to him the concept of “what’s going on inside”. The illustration below covers it in more detail:

The picture above illustrates how we process external information and how, based on our past experiences, emotions, values, beliefs etc., we react.

Let me explain. When we process any external information it gets auto-filtered in our heads, as we have filters in our head, knowingly or unknowingly. Researchers have found that the majority of men delete most of the information and only process what is relevant or important to them, whereas women distort most of the information they receive, which is quite true at least with my wife. We generalise the information based on the categories mentioned in the picture above. Based on the categories, we take the meaning out of it as positive or negative. If the meaning is positive, we feel positive, which then reflects in our behavior, resulting in positive body language.

Similarly, if we take a negative meaning from the information we processed, we end up with a negative feeling, which then reflects in our behavior, resulting in negative body language.

However, the good news is we can change our behavior and our body language no matter what the situation or circumstance is. It’s all in our control.

Let’s see how. Let’s assume you take a negative meaning from a situation based on the categories: you get a negative feeling, but instead of reacting quickly, you pause! You create a gap of a few seconds before reacting to the situation. This is where your intelligence comes in to help you control the situation and act accordingly, resulting in positive behavior.

You can create this gap at any stage (meaning, feeling, physiology), and it is generally easiest between feeling and physiology. Usually you’ll find the way you feel about an event or information is much harder to control or change. Once the gap is created, you have control over the situation and hence over the outcome of it too.

It is this gap that can help us better handle situations and, in turn, our lives, both professional and personal, and make better and right decisions.

Like most things in life, this needs practice, but the key here is to take that pause. Whenever a situation arises, remember to create a gap in your mind for a few seconds to think what outcome you want and change your reaction accordingly. Gradually this will become a habit.

When I explained this concept to that team member, he got emotional and said he wished he had been introduced to this earlier, as it explains some of his behavior and the way he reacted to certain situations. That individual worked on it for months and noticed a significant improvement in the way he reacted to situations. Even the team noticed this change and were far more comfortable around him, which was great to see.

Bottom line is that if we see this world as it is without adding any filters or judging a situation or a person based on our past experiences, emotions or beliefs, we could build better relationships, handle difficult situations better and make the right decisions.

Hope you all found the above interesting!

Basics of Change Management

Change Management is a popular topic and a really important aspect of running any organisation’s daily operations normally. It’s very critical to understand this process, as if done properly it can improve service availability and reduce unplanned outages. But if it’s not understood or not followed properly, it can cause disasters and sometimes reputation loss.

Change is good. Progress comes from change, and organizations change on a daily basis. When it comes to information technology, organizations must take steps to ensure that change achieves business objectives without disrupting operations.

I am not going to discuss the typical ITIL change management model, which you can find in the ITIL manual. Here, I’ll cover change management that is based on ITIL but has been modified and then applied successfully numerous times.

There are 2 concepts in change management:

  • Strategic Change
  • Infrastructure Change or Service Change

In this blog we will discuss Infrastructure Change or, as some call it, Service Change. This is the area where most IT personnel get involved in their daily work.

Also, the process below is a very simple representation of Change Management. It does not include more thorough concepts like RPN, governance etc. It is ideally suited to IT personnel/companies that don’t currently have a Change Management process in place or are looking to improve one. This guide can be used as a starting point to implement a CM process or to modify your existing one.

We are not going to discuss Strategic Change here. I’ll cover it separately.

What is Service Change?

Any change which can impact normal services to end users or customers is a Service Change. It has 3 categories:

1. Standard

2. Normal

3. Emergency

Standard Change: These are very low-impact changes and most of the time are pre-approved in the change management process, sometimes classed as white-listed changes, e.g. password changes, changing backup tapes.

Normal Change: A change which can cause disruption to normal services and needs to be managed in a very controlled manner. Hence, all normal changes must go through the Change Management process.

Emergency Change: A change which generally happens on the fly in an emergency situation like an unplanned outage or system failure. These changes then go through the change management process after services are resumed and are documented accordingly. Most of the time these changes get approved at Senior Management level (ECAB), as the risks associated are really high.

Request for Change (RFC):

An RFC can come from the Service Desk, where a user or customer has opened a ticket for an issue which requires changes to the system; from an engineer doing maintenance work which needs configuration changes to the baseline of the system; or from IT project work. A good RFC document should have the following items:

1. Type of change (Standard, Normal, Emergency)

2. Description of the Change

3. Expected Impact of the Change

4. Change tested in the test environment (yes/no)

5. Risk assessment

6. Rollback plan

7. People involved in the change

8. Scheduled time of the change

9. Business justification/ approval

10. Notification

Once the RFC is ready and submitted, it goes through the approval process as shown below:

All RFCs must be approved by a relevant authority. In most cases, it is the Change Advisory Board (CAB).

Change Advisory Board (CAB)

The CAB has a representative member from each of the business groups who has the technical, operational and business understanding to provide meaningful input to the Change Manager and aid them in making the right decision.

I remember when I became a member of the CAB and attended my first CAB meeting, a few questions came to mind: what are we going to discuss, and what are the questions that can help us assess the request for change properly? I sat there and observed the other members of the team; we all went through the RFC together and worked through a series of questions.

When I went back to my desk I thought there must be a better way of assessing a request for change. So I decided to research this topic and found some information on the internet, but again that wasn’t very clear. I finally found my answer while preparing for my ITIL exam.

During that time I also attended an ITIL seminar where the presenter explained the concept of the seven R’s in the Change Management process. Let’s see what these seven R’s are:

  • Who Raised the change?
  • What is the Reason for the change?
  • What is the Return required from the change?
  • What are the Risks involved in the change?
  • What Resources are required to deliver and support the change?
  • Who is Responsible for the build, test and implementation of the change?
  • What is the Relationship between this change and other changes if any?

These questions will definitely help you to assess RFCs properly.

In a nutshell, the Change Management process ensures that organisations follow a standardised process for requesting, reviewing, approving and implementing changes to information systems.

“Change is Good but it must be controlled”

Hope you find this informative!

3 Focus areas for any organisation’s IT & Security department

Lately I have met with IT and Security leaders of various companies at IT security seminars, and while talking to them I observed that all our discussions were mainly around 3 areas: improving the security posture of the company, managing IT outsourced providers, and prioritisation between strategic and BAU activities.

I was even asked to present on ‘How to improve the Security Posture of a company’ during an IT Security Summit I attended last year in Budapest.

Needless to say, this is an important topic that gets discussed and is at the forefront of the IT/Infosec department of every company.

In this blog I’ll be sharing a few slides from my presentation last year. I’ve also added slides covering the other 2 topics above. I intend to follow up the presentation below by a detailed blog on each of those topics to provide more context. Watch this space!

These slides are also shared here