Month: December 2017
J.S. Bach’s sublime “Fugue in C-sharp-minor,” from Book One of Das Wohltemperierte Klavier (BWV 849) was published in 1722. It has five voices and three subjects, so it is a triple fugue. Let’s take a look at what Bach and his excellent work can teach us about building a rock-solid information security program.
1. Keep it simple
The slow and stately four-note subject is simple but pregnant with possibility. Through each iteration and each addition of a new component, the piece becomes a lovely, dense mesh of darkness and light. Ultimately, the thrilling climax can send emotional waves through your body leaving you weeping, emotionally drained and forever changed. Each element is simple in itself, but when combined, an extraordinarily complex web of sound is created.
If your perimeter firewall has 5000 rules, you’re probably doing something wrong, especially if you are a relatively small organization. Likewise, if your policy documents are incomprehensible to the average end user, there is a problem. One IT department I was assessing claimed their policy was secret, and when I finally got hold of it, it turned out it wasn’t a policy at all – it was simply a copy of a federal agency’s policy framework written in govspeak. There was nothing there that would communicate performance and behavioral expectations to management, end users or the IT staff.
Printed music, a score, is simply a set of instructions for a performer. It’s not music until a performer brings it to life. Bach’s scores provide the minimal amount of information required to do just that and they leave a great deal of the interpretation to the performer (assuming good taste and common sense, of course).
Your information security plans and documents are similar; they’re just documents until you bring them to life and put them into practice. In many enterprises, these documents exist only on a shelf and are never used. Dust off those documents if you have them and make sure they have been implemented, followed and enforced. If you don’t have the documents, you had better get to work. Follow Bach’s lead and keep it all as simple as possible. Don’t count on common sense, though.
Bach chose a five-layer framework for this fugue. How many layers does your security program have? Comprehensive policy, procedures, guidelines, technical controls, administrative controls, physical controls, awareness and training are all part of the mix.
The common mistake I have seen in audits is that organizations often depend on only one layer – technical controls. Many security programs, probably in the majority of enterprises, consist of a firewall and some antivirus software but policy, procedure, guidelines and training are often non-existent. If you depend on technical controls alone, your score is 80-90% incomplete.
Musicians learn resilience, often the hard way, as soon as they begin doing recitals. The only way to be prepared for anything is to over-practice and over-rehearse so that no matter what happens, your fingers keep going even if your brain shuts down. You have a great amount of time to prepare, but only one chance to get it right when it actually counts.
Practicing and planning for the inevitable information disaster is the only way to survive it. If you’ve done this well, you can keep performing without anyone but an expert noticing the glitch. If you do it badly, the show is interrupted and you may never get a second chance.
4. Continuous improvement
A good music teacher shows you how to practice using mindfulness rather than rote repetition. Each iteration should be made better than the last by analyzing every aspect of what you’re doing. Walter Gieseking wrote about this sort of approach in his book, and he might be considered music’s version of W. Edwards Deming.
What sort of program for continuous improvement do you have in place? It doesn’t happen by itself unless you had a great teacher, coach or mentor. Great performers analyze every aspect of every performance and do a root cause analysis so they don’t make the same mistakes again. Well run organizations and great managers do the same, but the majority keeps making the same mistakes over and over again. Public humiliation in front of colleagues and coworkers doesn’t often seem to be a motivating factor in the business world, but it definitely is in the world of musical performance.
Listen to the voice of your network and your end users and pay attention to logs and metrics. Too many IT directors are tone deaf to the voices of their customers and I have seen many organizations that pay no attention to security logs and metrics at all. They can’t distinguish between the sound of a perfectly tuned network and an out-of-tune one. Don’t be that patronizing, know-it-all ass of a CIO – listen to everything and everyone.
If you are unfamiliar with Bach’s C-sharp-minor masterwork, you can listen to Hélène Grimaud’s performance, in which the fugue begins at about 3:15. For a different approach, Sir András Schiff’s version begins at about 2:40. There is no accounting for taste and everyone has their favorite.
If you are fascinated by the music and want to learn more, my favorite recording of the entire set is Angela Hewitt’s, which is part of my car mix for long trips. If you are new to Bach, it can be a life-changing experience.
If you want to improve your information security program, there are numerous resources from which to choose. ISO/IEC 27000, NIST, and COBIT 5 for Information Security all provide great starting points. Which is your favorite?
© Copyright Jeffrey Morgan, 2017
This article was first published on CIO.com at https://www.cio.com/article/3240972/data-protection/5-things-js-bach-can-teach-you-about-information-security.html
In the Meditations, Marcus Aurelius advised his readers to stay away from public schools, which proves that the writings of dead white guys are still relevant today.
I was fortunate that my parents heeded this advice. My sisters and I never set foot in a public school, except for three unbearably long days in Pompano Beach in 1970. Once you’ve gotten a taste for the private sector version of a thing, the government version will never be tolerable — even if you are only nine years old. No matter how often we moved up and down the east coast during our upbringing, my parents always found decent private schools in which to enroll us.
What those schools all had in common was some sort of Christian affiliation — whether it was Quaker, Episcopalian, Presbyterian, Methodist, and even one Baptist school briefly. There was never an expectation that one become a Christian, but there was always an assumption that students would attend the required religious services and respect the foundational Judeo-Christian values. That doesn’t seem like a lot to ask and plenty of Jewish students as well as the occasional Hindu and Muslim attended as well.
My most vivid memories of those days are of the annual Christmas Pageants. In Christian private schools, those reenactments of the birth of Christ, as told by Luke, take the form of a dramatic oratorio. They were lavish productions that included beautiful costumes, readings from the bible and the singing of hymns and carols. We rehearsed for weeks and everyone participated.
On the night of the pageant, just before Christmas break, the auditorium was full of parents, grandparents, and other relatives dressed in their most respectable attire. There were no cell phones to interrupt, no fights, and no protesters shouting down the performance. There were no victims. Regardless of their race or faith, no one declined to participate because the parents and students all saw the value that a private education with a Judeo-Christian foundation could provide.
Every family valued knowledge, learning, and education. Every family valued work and aspired to a middle class lifestyle, or maybe just a little better. Every parent wanted their children to be better than themselves, and not just financially; they wanted their children to be better people. At that time, and in that society, no one was interested in emulating crude, low-class behavior and such conduct would certainly have been shunned.
As the lights dimmed, and a palpable hush fell over the audience, a spotlight shone on the actors as the narrator read from the bible. Even the babies were quiet. Narration was followed by interludes in which the choir sang ancient European tunes. Singing those hymns, I could feel the connection to my ancient ancestors celebrating the birth of Christ by candlelight, without computers, electricity, plumbing or heat. Those ancient people, Celts in my case, celebrated the joy of life and God, though even the wealthiest of them had nothing by our current standards.
Forty-five years later, I can still recall the visceral reaction — the lump in my throat and the tears welling up as the pageant proceeded — with all of us sixth graders in precious costumes reenacting a 2,000-year-old event.
The story, so beautifully translated in the King James Version, still creates an upwelling of emotion in me, and I am not a Christian. My best teachers and professors, mostly Catholic and Jewish intellectuals, always correctly identified me as a pagan (the small-p kind). Although my sisters both adopted Catholicism later in life, I never have. Lack of faith doesn’t diminish the simple beauty of Luke’s Nativity story a bit.
Do they still do Christmas pageants anymore? I don’t know. My children are grown. My baby girl is 25, a soldier, and a jumpmaster in the army. All of my children attended Catholic schools because they were the only private schools available in the rural area in which I raised them. I had to make sure they received an education that would teach them about western civilization and Judeo-Christian values. It was worth every penny.
I feel a little sad for people who will never experience their own connections to their ancestral heritage, western civilization, the world, and the universe because they received a purely secular education. Public education purposely omits such a huge portion of western culture from the curriculum that I fear the recipients can never learn what they need to become truly civilized human beings. While many may get this through church, synagogue or in some other extracurricular venue, a significant part of the population is missing out completely. Without the knowledge that there is something greater, without the understanding that universal truths do exist, how can you ever see life as being anything other than nasty, brutish, and short?
Lacking the sacred point of view, authoritarian rule becomes a necessity and the means to all ends are always justified. Maybe this makes the twentieth century democide of as many as 260,000,000 humans easier to understand. I suspect that secular education is also responsible for the SJW worldview that sees a mostly full glass as completely empty. The angst, anger, vitriol, and downright hate voiced by so many in our society can only be explained as a lack of education and perspective.
The current, rampant rejection and denial of Judeo-Christian culture, especially in universities is also a mystery to me. Across the planet, and especially in the west, we enjoy the highest standard of living ever known. I don’t understand how an educated person can refute the connection between millennia of intellectual achievement and our current prosperity.
From the Old Testament to the New, from Aristotle to Aquinas and Locke, from Josquin and Palestrina to Bach, from Breughel to Leonardo, Michelangelo, and beyond, this collective knowledge is what has led us to our current understanding of humanity. The shared achievements of western civilization, and particularly of Christianity, have led us to embrace human rights and improve the living conditions of billions of humans. Ultimately, it is what got us to the moon and gave us the iPhone. Is this even debatable?
For better or for worse, Judeo-Christian culture is how we got here – and it seems better to me. The values, ethics, and morals that have been passed on for the last few thousand years have built the incredible standard of living we have today across the globe. Only a few decades ago, this was universally acknowledged, but we seem to have entered a new, dark age where knowledge, culture, and history have been eschewed.
The darkness of totalitarian rule always seems as if it could be upon us at the next turn and the disturbing penchant of millennials for socialism and communism frightens me. To me, the only explanation for this seemingly invincible ignorance is that it is the inevitable result of a poor education, especially in morals, ethics and values.
I don’t have a solution, but a reboot of our education system that includes a return to teaching Judeo-Christian ideas might be a good start.
© Copyright Jeffrey Morgan, 2017
Information Security for Executives and Managers
Who: Non-IT Executives and Managers – public, private and non-profit sectors.
What: Information Security Training
When: Tuesday, December 12, 2017, 12:00 PM eastern time.
How long: The training is 30 minutes, but I am leaving an extra 30 minutes for questions and discussion.
Cost: Free! There is nothing to buy, no sales pitch, and no upsell.
Click on the link below to register! Attendance is limited to 25 on a first come, first served basis. When you register, I will send you a calendar invitation.
What you will learn:
- What is the single, deadly assumption executives and managers make about their information security programs?
- What free resources are available to build a rock solid information security program?
- What are the required building blocks of an information security program?
- Who should be on your information security team? It’s not who you think!
- What’s the difference between Cybersecurity and Information Security?
Register now for the live, web seminar – December 12, 12:00 PM Eastern time.