Spying in Norway: IMSI-catcher used to spy on the Parliament of Norway

Image: Aftenposten.noLast week in Norway, hell broke loose. Aftenposten, one of the major newspapers here, published a story of how Oslo were set up as a spy-hub where the cellular networks had been replaced by a hostile 3rd party. Someone are spying in Norway, and both the Parliament and our Prime Minister are being spied on. Aftenposten published numbers that, according to their words, where extremely suspicious. So suspicious in fact that they alerted the government, the police and the public at the same time. Hell broke loose, everyone believing that the numbers were in fact as dramatic as claimed.

Let us step back for a minute to understand what happened. Aftenposten, together with a so-called secure cell-phone maker, ran (or drove) around Oslo a few weeks, collecting data from the cellphone towers. Out of some 50 000 (fifty thousand) records of cellphone connection data, some 1200 where considered suspicious. 1200 of 50 000, or roughly 2.4% of the total data being flagged by the device as suspicious. That may sound alarming, and we may even consider that number to be statistically significant, until we look at what kind of events the device will flag as suspicious:

  • Switching between cell towers
  • Change in cell tower power received by the device
  • Moving between the bands (2g, 3g, 4g etc)
  • Reflection of signals (as caused by bridges, tunnels, buildings etc)
  • Disturbance of signals (as caused by bridges, tunnels, buildings etc)
  • Signal abnormalities of any sort (tower down, tower having problems, general technical problems etc)

It does not take a lot of sense to realize that any of the sources above may create weak signals and signal drops, events that the device is considering suspicious, frequently and possibly without a trace. To remove such errors, the 1200 events initially flagged were filtered down to 122 highly suspicious events, or critical events, according to the news. So out of the 50 000 records, a mere 122 events are found to be critical. That is 0.244% according to my math. Here is my problem: 0.244% is not a statistically significant number. It´s not even alarming. It´s just a small number that can easily be explained by a number of possible reasons, where the use of IMSI-catchers is one, and one that seems highly unlikely. There are number of ways we may explain such a number just by looking at the cellular technology itself:

  • Cell phones use radio waves. Radio waves fluctuate, they are dynamic in nature. They move, they change and they bounce off of things.
  • Cell phone networks are computer networks. Computer networks are filled with systematic errors, some of which we don´t even find. A broke switch, an earthing error, a software glitch – so many possible sources of network errors. Tell me: in your networks, would a 0.244% of events be considered significant? Most likely not. You may consider to look into it, but it is no way you consider your network to be 100% free from errors.
  • Some companies and offices use repeaters to enhance their cell phone connectivity. These devices would trigger an event on the phone(s) used in the assessment.
  • Other devices may have interfered with the cell phone signals – both rogue and legal devices.
  • It could be devices owned and operated by police, e-services and other legal, Norwegian entities.
  • You are driving around in a city. When was the last time you did not have some occasional problems with connectivity?

In my understanding of technology (and mind you, I am not an expert on mobile and cell phone technology, I am just good at spotting the elephant in the room), a 0.244% anomaly is not really a big issue. Unless of course, someone is really out there trying to interfere and listen in on my phone calls. So let us consider the IMSI-catcher tech too. An IMSI-catcher is designed to get the IMSI number off of your SIM-card, and the IMSI number is a unique identifier that may be used to identify the owner of that card (this is not automatic, as the IMSI number don´t know the phone number). With that number, you are able to listen in on voice calls where that SIM-card is being used. Unless you are just picking random numbers to listen in on, identifying the right person to wire-tap may be a challenge. Of course, if you hack into the databases of each of the telcos here, you can just look it up yourself. But if you hack your way into the telcos, why not just do the wiretap directly? And get access to SMS, data and location? Or why not just create a secure communication app, which you have people register to use, and then you just listen in on everything they do? Or, why not do like Huawei did when they successfully replace the backbone of the two major telcos in Norway a few years ago? If you want to own me, own my network core!

From my perspective, this whole story is another example of cheap FUD – Fear, Uncertainty and Doubt. The newspaper Aftenposten is playing the kid who cries «Wolf! Wolf!», and everybody runs to the field to save the sheep and hunt the wolf. Only, there is no wolf. In the story, the kid got away with it a few times, before people started to ignore his calls. One day the wolf came and took the sheep, and no-one came to rescue because no-one no longer trusted the kid´s cries. The same may become the issue here: what if there are no IMSI-catchers, and there are no foreign entity spying on our parliament and the embassies and hotels and what not. All there is so far, are speculations without clear analytics, no proof, a lot of crying, and the usual panic of pretending to do something while we have no clue what is really going on and what we should really be doing. Let´s get back to the news stories:

As of December 17th:

  • No IMSI-catchers or other devices have been found
  • A number of the critical anomalies reported are being dismissed
  • Investigations are in place to find the IMSI-catchers the paper claims are there
  • The blame-game is going around the table («We did not know», «This is not our domain», «This is someone else´s responsibility»)

I may be too quick to dismiss this event as nothing but a trick to sell papers. Perhaps the journalists and the editor printed the story out of good will. Perhaps some nation, a group of criminals or some others do have a network of IMIS-catchers in Oslo. I still would like them, and their readers, to ask the question

«Who is benefiting from this story?»

The answer is pretty clear: the paper, the secure cell-phone maker, the FUDers out there, and very few others.

I would also love to have the paper consider it´s responsibilities towards the society – perhaps it would be better for all if the police / e-services were informed and allowed to investigate the issues before the story went public? Or was it more important to sell papers and create havoc?

—Disclaimer: technology is being used to spy on us on all fronts, and the possibility that rogue cell towers are being used, is real. —

Book Review: Data-Driven Security

It was a great pleasure to read the Jay Jacobs and Bob Rudis book Data-Driven Security: Analysis, Visualization and Dashboards. And there I spoiled the whole review. This book is solid. It´s amazing. It´s a great resource on how to understand, build and run your very own data-driven security systems. It is, basically, everything you need. So just go and buy it already if you don´t have it. No need to read more of this review. Unless of course, you want to.


The book (get the physical, printed one) is a beauty. It is not very often in the days of e-books and print-on-demand publishing that my hands and my eyes can behold such a well made and beautifully designed book. Yes, I am a book geek, who love the old hand-printed books of the past centuries, but now Im diverting. Although it is a soft-cover book, as soon as you open it up you realize that the design of the content and the cover was made by one team – the same colors and symbols are used throughout the book, making it a breeze to read and very easy to understand. Of course, Wiley know their stuff, and when they make an effort, they really do deliver. Why do I carry on writing about the books colors and design, you may ask. Well, when it comes to books like this one, where the authors have a clear mission to teach you a new skill set, in an area that may be considered extremely boring and technical (for some), presentation becomes key. Interestingly, Jacobs and Rudis makes presentation a key element throughout the book too: Not only are they deep into technical security, data modeling and analytics, they understand that presentation is vital if they are to 1. Make sense of the data, and 2. Help others (read: C-suits) to understand the data.

And I love nothing more than people who apply their own teaching in their actions. Kudos!

So what is this book all about?

Jacobs and Rudis set out to teach you how to better understand your security data by demonstrating how analytics and visualization of your data creates meaning out of numbers. They apply programming tools like Python and R, and the book is filled with sample code. Unlike most books with code examples, you can read the book cover-to-cover without coding anything, and still get their message and meaning. If you want to build tools and try it out yourself, the code examples and explanations are there to help you do just that. And the color coding of the book, the graphics and the visual appearance of the content make you want to go on. And on! Until you realize you have read it all.

The structure of the book is taking you on a journey from the history of making sense from data, via learning to use R and Python (and when one is better than the other), through different statistical methods, understanding outliers, means and modes, to visualization and which design you should use on your graphs to make them convey the most important information. They also look at dashboards, and their usefulness (and how some are not). I particularly liked the part where they use the SANS Institute Security Program Effectiveness Metric to show how you can build a security awareness metrics program, and visualize it.

I am not sure what complements the other best: the content and knowledge of the authors, or the design and layout of the book.

This is a well written, hands-on, great resource of data-driven security, presented in a package of high quality.

Oh, you also get a free Gnocchi recipe with the book, Rudis is a hobby cook!

What are you waiting for? Get it now! It is so worth it!

Not into affiliate links? Use this direct link.

Book Review: CSA Guide to Cloud Computing

I have been reading a lot lately, and it is time to write some reviews. First up is: The CSA Guide to Cloud Computing: Implementing Cloud Privacy and Security which sets out to be the definitive guide to understanding the pro´s and con´s of cloud computing, based upon the Cloud Security Alliance (CSA) body of works across domains, industries and countries. Written by the Founder and CEO of CSA Jim Reavis, the CSA Ireland Chapter President Brain Honan (CEO of BH Consulting), and the CSA Chief Innovation Officer Raj Samani (EMEA CTO, McAfee part of Intel Security), the book is comprehensive and detailed, and well founded.


Disclaimer: I am myself the Chapter President of CSA Norway, and as such, I am biased towards CSA. 

The chapters of the book are well structured and comprise of anything from an introduction to cloud and a definition, via threat models and challenges with implementation, to best practices, research, opportunities offered by the cloud, and the future. I am particularly happy to see a full chapter dedicated to privacy issues and how to handle them in the cloud. Privacy is a growing concern, and one that companies can no longer avoid taking responsibility for. The chapter on incident response in the cloud is relevant and valuable to many SME´s who may not yet have such plans in place.

My favorite chapter is Chapter 5: Making the Move into the Cloud. This chapter lists requirements and a high-level checklist an organization should work through when (or before) moving into the cloud. Again, I see a high value especially to the SME market, who may not be very well adversed in all the aspects of managing risk. I find Chapter 6: Certification for Cloud Service Providers of special interest too. One challenge many customers face when they are looking for cloud providers is the question «How do I know that they know / do what they claim?», a question that can be very hard to find adequate answers to for companies. With the CSA STAR certification, the book explain what it is and the value to both providers and clients, and the question now can be answered with «We have the STAR certification. Here is our documentation.» This chapter also list a number of other certification bodies which may be relevant to cloud providers and clients.


A challenge a book like this faces is that of being too technical, thus rendering itself irrelevant before being printed. The authors have done a good job avoiding this pitfall by using business model examples, and generic technical examples.

All Good?

Is there nothing negative? Personally, I would have liked to see more directly applicable tips and checklists, and a focus of the book to be a tad bit more practical – in the sense that I would love to take the book and just work my way though it and end up with a viable cloud solution for my company (well, our clients, that would be).

A note to the publisher Syngress: The cheap paper and the black and white printing of what Im guessing are colored models, makes the physical book feel a tad bit cheap and amateurish. I expect a professional publisher of your caliber to be able to proof-print the book to check the readability of models, graphics and illustrations. Unfortunately, you did not, and the result is that most models, graphics and illustrations appear blurry and some even hard to read. Example figure 4.5 where the grey shades are hard to tell apart, making it impossible to make any practical use of the figure. Same happens on figure 4.6 and many others.


I like the book, I believe this book will be a valuable asset to both cloud providers and cloud customers. BUY!

Or if you do not want to be tracked by the affiliate link, use this instead.

A proud Fellow to the National Cybersecurity Institute

nciThe National Cybersecurity Institute (NCI) is an academic and research center located in Washington D.C. dedicated to assisting government, industry, military, and academic sectors meet the challenges in cyber security policy, technology and education. The NCI have appointed a series of special advisors to help them create more value and to better cover the cybersecurity landscape. I am one of these advisors, and they call me an NCI Fellow. I am very proud to be appointed a Fellow at the National Cybersecurity Institute.

As a fellow, I provide my insights, comments and questions regarding cybersecurity and security culture through discussions and my writings. The NCI explains:

The National Cybersecurity Institute draws on the best minds in cyber security to inform its strategic vision, and to fuel Excelsior College’s cyber security curriculum. This positive feedback loop ensures our students access the best education and talent in the world. NCI Fellows are important contributors, serving as key contributors, advisors, and presenters on behalf of the NCI.

I am not the only fellow, a number of very intelligent and knowledgable people are on that list, some of whom I have had the pleasure of working with in previous projects. You can see the impressive list here.

The NCI is owned by the Excelsior College which specialises in cybersecurity education. Excelsior College Cybersecurity Programs are certified to meet the Committee on National Security Systems (CNSS) Training Standards.

The cloud security rules: Five factors to consider with the cloud

Cloud services is a sector that is still growing strong. As part of the Information Security Buzz question for the Expert Panel in October, I looked into the five factors that every organization should consider when moving to the cloud. Cloud security is an important consideration for companies, and knowing what to consider is a great help. Use my advice to get you going!

The answer is based on the tips in the book The Cloud Security Rules from 2011, available here.

You may pop over to the Infosecuritybuzz website, or watch my answer directly below.

As always, your comments and questions are welcome!

Hacking Your Mind: How you are being exploited by hackers of all sorts!

As part of National Cybersecurity Month, I am traveling the country giving my talk on Hacking Your Mind – How you are being exploited by hackers of all sorts! pro bono to public and private organizations alike. Here are the slides, the notes and so forth! As always, I am better in person ;)

Below are each slide (and the videos) with my speaker notes. Enjoy!


Hi and thanks for attending this presentation on how you are being exploited by hackers of all sorts!

Welcome to Hacking Your Mind!

My name is Kai Roer, and this presentation is all about me. So let me start:


I have been working with leadership, computers and information security since 1994, a ride that has enabled me to write several books, travel to more than 30 countries, appeared on radio, TV and printed media more times than I can remember.

Simply put, as you can see on this slide, I am an awesome guy!

But don´t take just my word for it:


Rather, take a look at what some of the people that I have been working with over the years, say about me. Obviously, so many people saying so much great stuff means something, right?

Not only am I an awesome guy, I know what Im doing too!

And there is more! People from all over the world go nut´s when Im around. 

That is what I do. I hack their minds. Into doing what I want.

Today, I am sharing some of secrets about how the human mind helps social engineers and hackers to make you do what they want.


I will be talking about how your mind is being exploited by hackers of all kind – from sales people to your boss, from the social engineer who tries to gain access to your offices, to the phishing attempt you are receiving in this moment.

Broken down, I will look at three mental mechanisms that plays together to turn you into a victim.

  • I will look at how our social abilities and our need to be accepted and liked, makes it easy to ask for a favor.
  • I will show how our brains have evolved in to a dangerous tool that prefers to make shortcuts – shortcuts that make you click that phishing link.
  • Finally, I will explain how social structures are being exploited to make us follow those who lead us into temptation.

But first, let us establish a fact.


That fact is: You like me. Yes you do! I made you laugh, and I have established myself as an authority on hacking your mind. You are curious, and even if you don´t like the fact that you do like me, the fact remains. You like me. Enough to make you vulnerable.

As you saw in the #HolaKai video, requests can be small, and non-intrusive, making it easier to comply. 

This trick is being used by hackers of all sorts to convince you that it is perfectly safe for you to spend your time and money with this person. It works like this:

As social creatures, we form groups of our friends (and colleagues, family and others), groups of which we are members of. We call these groups in-groups. Everyone who are not a member of a particular in-group of ours, is automatically considered to be in an out-group – i.e. a group that may be competing with our resources, interests, politics and what not. Think of your favorite sports-team. Your team is the best, other teams are…well, not relevant, right?

Think of a fellow fan of your sports-team, let us call him John. John is approaching you, and ask you for a favor. You have never really spoken to John before, but because you both are fans of the same team, you accept to help him out.

Had John not been a supporter of your sports-team, the chances for you to help him out would be slim.

So how do hackers exploit this vulnerability? Easy! They do like I did: they make you laugh, they make you enjoy their company, and they quickly build an in-group where you both are members. An example:

These are musicians. Or pleasure-hackers, if you like. They are making you feel good, because they want you to give them money. Take a close look at how they flirt with the participants (the camera in this case), and how they interact with the audience. All is done to make you give up your hard earned cash so they can go and buy some beers (and there is nothing wrong with that, especially when they are also great musicians!)

A hacker would use similar tactics (possibly without the instruments!) to have you open a door to your office space, to ask you for information or to have you visit a website where they will automatically compromise your computer.

Now, let´s take a look at how your brain is handling those requests!


Your brain is an amazing computing unit. It handles a large number of different information at any time – even when you sleep. It is also amazingly fast at arriving at conclusions, and there is bound to be false positives and negatives. In other words – amazing as your brain is – it is not without flaws.

According to Daniel Kahneman, your brain consists of two kinds of circuits: Lightning Fast Shortcuts; and Process Intensive Hard Work. Shortcuts or Hard Work – what do you think your brain prefers?

Just like me, your brain is lazy, and tries to avoid hard work as best as it can! So if you leave the choice to your brain, it choose shortcuts every time. Plain, simple and fast.

So how does your brains laziness make you vulnerable to hackers?

Let´s take a look!

(Recommended reading: «Thinking fast and slow» by Daniel Kahneman)


The best trick you can play on anyones brain, is to tell it that something is urgent. Somehow, when your brain thinks that we are running out of time, it just accept anything at face value.

This shortcut has been used by marketeers since forever to make you buy stuff you never needed in the first place. A bad manager also use this shortcut to make you do things he believes should be done (while good managers have learned a lesson or two from Dr. Stephen Coveys Time/Importance Matrix).

A hacker may use urgency in any number of ways. In a spear phishing attack, a hacker may send you an e-mail that resonates well with you, perhaps referring to a current and important project you are managing. The email may even be sent to you at a time when you are heading into an important meeting, and the email may use a title that relates to the current project to catch your attention.

Because you are in a hurry, and the project is important to you, you are more likely to open the email and any attachments, effectively opening your computer and your workplace to malicious code execution.

Stress and urgency make you vulnerable to attack. Hackers know that. Hackers exploit that. Your job is to slow your brain down and review the information requests you receive – every time, all the time.

Suggested reading: «The seven habits of highly effective people» by Dr. Stephen Covey


Humans are social creatures, we live in groups, we form complex societies. To make such complex societies work, we need rules and policies, and we need to be able to recognize friend and foe – preferably before said foe kills us. More importantly, we need to be able to recognize who is in charge – what is the pecking order, and where do we fit in?

Some studies suggests that humans are able to decipher the pecking order automatically, just like Kahnemans shortcuts from earlier. What is more, it seems like this is so ingrained in our organism that even small babies are able to recognize the power structure of a group of people.

And there are, of course, tricks to use to make other people perceive you as an authority – tricks used by hackers all the time. You have already witnessed one such trick today:


By showing off what I have done, what I do, and what people say about me, I have effectively shown that I am someone who matters on this topic. I have established myself as an authority on the subject.

Of course, since I am here as a speaker, and you are here to listen to me, we have established that authority-relationship even without the need for me to show off. However, by enforcing the message, and giving you even more reason to build that awe, you are less likely to challenge me, and more likely to accept my claims at face value.

Just like the hacker want you to do too.


There are many kinds of authorities out there, this is just one example. The important about the power of authorities is the perceived value of their requests and orders, which make them harder to refuse. In this picture, the command structure is clear and not disputed, and the soldier to the left follows the orders without questions.

When you encounter people who you perceive as an authority, you are less likely to question their instructions and requests. You are more likely to accept their arguments, and to do their bidding. You are, after all, accepting them as more knowledgable, smarter, better or just more worthy than yourself, effectively stripping yourself off the power to say No!

Hackers use this strong urge to comply with authorities to force their way with you. One example is the so called Windows Support phone call scam, where the suport person on call tell you to open your browser and visit a particular link. As a support person, (s)he is perceived by you as more knowledgable, an authority, and because of that, you do not question the perhaps strange request to have you visit a website, a website that will have you download malware.


I have just told you about how your mind is being exploited by hackers of all kinds. Sales people, managers, social engineers – and your kids too!

The fact that you like someone, makes you more likely to do what they request from you. So as a social engineer, I will use this to befriend you, and then make a request you would otherwise decline.

Next, I looked at how our heuristics, the shortcuts in our brains, makes us vulnerable to urgency. Remember that, next time you see a Limited Time Offer!

Finally, I shared some of the ways authorities may be using us, and how hackers use the pecking order to have you stop questioning their actions.


What questions do you have?

I may be hanging around the shadows if you have any questions and comments you´d like to share with me.


Thank you for being here! I hope you had as great a joy as I did!

The Security Culture Framework Ecosystem

“How can you give away the Security Culture Framework for free, Kai?” is a recurring question I get. The short answer is that I believe in sharing to build a better world (Peace and Happiness and all that…). The longer answer is somewhat more complicated, and perhaps a tiny bit more self-serving. Let me show you the Security Culture Framework Ecosystem.

As you can see in the slides, the business model for my company is to give away the framework and templates, while we sell consulting, coaching and products around the free content. This business model is not at all new, nor is it revolutionary anymore. The model has been applied in Open Source software for a long time, and the Freemium model is also being successfully applied by numerous startups around the world. The model scale with the needs of the customer, a flexibility that allows my company to provide our competence, services and philosophy to organizations worldwide as their needs grow.

Security Culture Framework Ecosystem

To you this means that you can spend as much or as little money and effort on building and maintaining security culture as you like. If you are running on a low budget, you can manage everything without spending a dime, just by downloading templates and explanations from the Security Culture Framework site. If you get stuck, you can ask the community for answers.

For those with limited budgets, our trainings are available both online and on-site. We also provide what we call Security Culture Coaching – a service where you pay a small fee to have direct access to our pool of Security Culture Coaches when you need it, as much as you need it. A coach is not a consultant and does not provide you with answers, the role of a coach is to ask you questions you need to consider, and to point you in directions you may benefit from. You do the work, the coach is there to ensure you do it efficiently and without too many detours!

If you lack internal resources, but have money to spend, you can use one of our consulting partners in the USA or Europe. Our partners are trained in the Security Culture Framework, and can do anything from answering simple questions to set up and manage complete Security Culture Programs on your behalf. If you are looking for a consulting partner to help you out, contact us and we will help you identify the best available partner for your needs.

The Roer Group Products and Services

The Roer Group are also providing consulting to clients in special markets. We specialize in multinational enterprises with diverse cultural assets, as well as in public service areas. Our main focus is to build internal competence at our clients so they can maintain their own security culture programs without our direct assistance.

In addition to consulting, training and coaching, the Security Culture Framework offers a special application to set up and manage security culture campaigns and programs. The application is currently available to a selection of our clients, and will be made available to more clients throughout 2015. You may request access by contacting our team, of course.

Join the Security Culture Framework Community

The Security Culture Framework is an open and free framework to build and maintain security culture. Around the framework and the community is a growing ecosystem that enables us, our partners and most importantly our community members and clients to build better security culture. You can also be a part of the ecosystem by sharing your stories, providing services and support, and being active in your search for excellence.

Feedback loops to feed your security culture program

Feedback loops are valuable tools used to learn from something you do, and applying that learning in your later activities. In the Security Culture Framework, feedback loops are used to learn from each security culture campaign that is implemented, and the input from the feedback is then used to enhance the activities in the program.


The GoalLearning from your actions is a great way to build competence. We are all learners, all of the time according to scientists. It makes sense then to put this learning into work by applying it to our next actions. In the Security Culture Framework, feedback loops are used to gather metrics and results from your activities, and then using that feedback to understand what to change, what to do again, and what not to repeat.

The same feedback may also be used to understand how different user groups are, well, different. Some people learn best from reading, others by taking active part. Some learn after seeing something once, others need repetition and deeper motivation. Gathering and using data from your security culture campaigns will help you understand where to put your focus, and who may need more work than others.

In psychology, feedback loops explain how we learn from our actions: We do something, observe the outcome, adjust our course and then apply the learning to our new action. According to psychology, our brain use feedback loops automatically. Why should we not employ similar methods when working with security and security culture? In fact, we already do. Think of the ISO/IEC standards (and many other body of standards too) using the Plan-Do-Check-Act (PDCA) cycle. The PDCA cycle is a clean copy of the feedback loop employed by our mind. This is great news: it means most of us already know how to effectively use feedback loops in a workplace!

Using the Security Culture Framework, you organize the work with security culture and awareness in such a way that feedback is gathered as part of the process. The framework is free, and open, so you can download templates and start building culture today.

New Look of The Security Culture Framework

The Security Culture Framework has evolved over the past years, from a loosely knit set of ideas into a process and methodology. With the frameworks development, the website and community have changed too.


The current iteration of the Security Culture Framework website features all content free and open. What used to be hidden away behind registration links, are now freely available to anyone, without registration. One may ask why we chose such an approach, and the short answer is that we strongly believe in creating a platform that are being applied and used by people and organizations around the world, with no strings attached.

The longer answer involves our business strategy, how we as a company are making our money. We make money from our training, coaching and consulting services which we provide to organizations worldwide. We provide support to our implementation partners by training and certification services. And we provide clients with support and access to specialist competence when they need to. Our money-making services are closely tied to the Security Culture Framework, as the framework allows us to provide high-quality content, processes and methodology to organizations  who otherwise would not be able to afford our services. Now, they can use the framework, while opting to buy the services they need and see fit – directly from us, or from our certified partners.

The Security Culture Framework also allow you to register your own account so you can join the public discussion on how to build and maintain security culture, learn from others, and to get community support. Even more importantly, you can share your own results and get comments and ideas on how to improve.

Controlling your culture is a process where you must be in charge, by setting clear goals, define your metrics, involve the right people and so forth. You have two choices: leave the culture to control it self, or take charge to create and maintain the kind of culture you want in your organization. The Security Culture Framework is to be used when you want to take charge.

What is your experience with culture? How have culture impacted your job, your organization or your career? Please use the comments to share your experience!

Security Career Advice: Handling Executives who ignores you

Security Career Advice

Advices are important. Both to receive and to give. As my regular readers know, I occasionally answer questions about the industry, education and offer security career advice on what one should (not) do.

Brian reached out and wanted to know how to deal with executives. His question brings us to a vital area of security, and your career: How you communicate, and how you interpret other peoples communication, is key to your success.

This is the question of today:

"Hi Kai,  What advice would you give to someone who 
found vulnerabilities, brought them to the executive level 
and then had the executives 'play' them down to avoid being 
embarrassed? I believe that InfoSec has no room for egos.
Cheers and thanks again!
Brian "

This is an interesting question, particularly to me, since I am not exactly known for discovering and sharing vulnerabilities. I am not that technical anymore. However, what I can say, revolves around how you can handle different people, and how you may interpret their reactions to you.

Which is exactly what I did in my respond to Brian:

Hi Brian!

One of many challenges we see with people (execs are people, believe it or not…) is their mental patterns, ideas and customs getting in the way for rational decision making. Most people (at those levels at least) have their own agendas – either personal, professional or both, and the mental patterns can make it hard for them to see things from different perspectives.

The same is true for security pros – we tend to focus on our perspective only, and deem everyone who “don´t get it” to be stupid user, wrong or just plain ignorant of the problem.

In the words of Dr. Stephen Covey, the author of 7 habits, we all should do out best to “Seek to understand before we try to get understood”. What I am saying is that that the exec may have reasons for their behavior that they failed to communicate to you, making it hard to understand why they choose to do what they did.

Although I am a fan of full disclosure, I do not believe in total disclosure: I do believe there are situations where we should not share everything with everyone. In the case of vulnerabilities, on a general note, I believe we should try to fix the hole before we tell everyone. And when the hole is fixed and patched, there may no longer be any real reason to talk about the vulnerability?

In cases where a company choose not to fix, not to patch, and not to disclose anything, there may be a case for going public with the vulnerability. However, I strongly believe in being more responsible than we demand from others, so I would be very careful in how I choose to go public.

Questions like:
– what will be the outcome if I do this?
– what is the outcome I want to achieve?
– what other actions can I take to achieve similar results?
– who will get into trouble if I do this? Who else?
may help you decide the appropriate action.

So short answer: try to understand their (execs) motivation, and why it differs from yours.

How does my answer help you? How can you use this? What other tips would you give Brian?

Do you have a career related question? Let me know!