Scrappy Security for Banks
Interview with Michael Seese, Information Security Professional and Author

"The idea behind the 'Scrappy' line is it's very informal, it's very conversational, they're kind of short, about 200 pages, so it's not some huge ponderous tome that is going to take you months and months to get through," Seese says. "The idea is just to keep it lighthearted and just talk to people like you and I are talking right now. We didn't want to make it read like a college textbook."
In an exclusive interview, Seese discusses:
- His unique approach to these two hot topics;
- How he puts these practices to work on the job;
- Advice to other information security professionals on how they can make a difference.
Seese, CISSP, CIPP, is an information security, privacy, and business contingency professional for a major Midwestern bank. He holds a Master of Science in information security, and a Master of Arts in psychology. Seese regularly speaks at conferences, has had numerous articles published in professional journals, and contributed two chapters to the 2008 PSI Handbook Of Business Security. He is the co-author of Haunting Valley, a compilation of ghost stories from the Chagrin Valley. Michael also penned (or, better said, e-penned) the twin books Scrappy Information Security and Scrappy Business Contingency Planning.
TOM FIELD: Just for some context, why don't you tell us a little bit about yourself and your role with your bank, please.
MICHAEL SEESE: Okay. Well, I've been here, employed here, for about five years in-house as an information security professional, and also a few years ago started branching out into the privacy profession because it is closely aligned with security. There are some differences, but it is closely aligned with that discipline. Before that, I actually had worked here as a consultant, doing some contingency planning projects, as well, so that's where I actually got my start in contingency planning. In my current role, I have done a lot of security policy and awareness, and I'm also doing, right now -- the role has kind of morphed into a little bit more of general risk management, is probably the best way to say what I do.
Scrappy Security
FIELD: So, tell us about your books. The information security one has been out for a while, and now the one on business contingency planning is coming out. What can you tell us?

SEESE: Well, my goal in writing the information security book -- both books, really -- was to have one common constituency, one common reader in mind, and that is the person who works at a corporation and needs to try to implement either an information security program or a business contingency planning program. And it really just gives you a nuts-and-bolts, from the ground up, here are some things to cover. What is different about the information security book is it also can be read by, as I say in the introduction, anyone who has a computer that is connected to the internet and does online banking and reads e-mail, which is everybody.
Because there are all sorts of threats out there. So, it provides real world good advice in terms that humans can understand. It's not what I call the propeller head stuff - I used to be a computer programmer, so I can call myself a propeller head - but it's not the stuff that is supposed to make your head explode. I do go into some technical details, but then there is a section in the information security book, called "What it means," and it gives a real world analogy, to say "Think of your IP address as being like your cell phone number. It's tied to your cell phone, and wherever that cell phone is, it identifies you. Much like your laptop computer, there is a card in it, your LAN card, and it's got a unique number on it that no matter where in the world it is, that number is your computer." And I just make real world analogies like that, so that the average person can understand, "Oh, so that's why I have to use good passwords. That's why I shouldn't send sensitive information in an e-mail."
FIELD: So, what's the scrappy element of these books, Michael?
SEESE: Well, the reason "scrappy" is used is I have a good dear friend who lives in Redwood City, California, near San Francisco, and the last time my wife and I had visited, she published a book called "Scrappy Project Management." She's a self-employed motivational speaker/project manager. And, she had signed a deal with a book publisher called "Happy About," who does business books, and they created this "Scrappy" line, which just -- the idea behind the "Scrappy" line is it's very informal, it's very conversational, they're kind of short, about 200 pages, so it's not some huge ponderous tome that is going to take you months and months to get through. The idea is just to keep it lighthearted and just talk to people like you and I are talking right now. We didn't want to make it read like a college textbook.
Response to Books
FIELD: Sure. What reaction have you received from the book, especially from your core audience?

SEESE: Um, so far, so good. It's gotten nice reviews. It's posted up on Amazon, and also I had a nice write-up by Security Management Magazine, which is the publication of the ASIS. They gave it a nice write-up because one of the things that they pointed out was the book succeeds in doing what it sets out to do, just explaining real world information security concepts, the things that people need to know, in ways they can understand. So, the contingency planning book, I guess we will see what kind of feedback it gets.
What's Most Overlooked in Security?
FIELD: Well, I'm curious about this, Michael. When you look at information security and contingency planning, both, what areas do you see are most overlooked by the professionals that you are trying to reach?

SEESE: Well, really, in both cases, I call it the human element. In terms of security, as our technological solutions improve, the bad guys are going to go after our weakest link, which is the people. That's not an insult against the people. The people want to do their jobs, they want to be helpful, they don't want to stand in the way. So, there are many ways that bad guys can leverage that, by pretending to be an authority, or pretending to be someone who needs a favor really quickly, to get them to give up confidential information. So, you can have all the best technology in the world. You can have full secure laptop encryption, but if your user is right there with the user ID and password on a post-it, and sticks it on the laptop, if it is lost or stolen, for all intents and purposes, it's not encrypted. If your users are not trained in how social engineering works, and they give up their user ID and password to someone who calls and purports to be from the help desk, again, you have basically just -- the system has been breached. And it's not so much their fault if they haven't been exposed to "These are the methods the bad guys are using, and these are what you need to do to combat them." We are the information security professionals. We know this. When I get phone calls from someone purporting to be my credit card company, usually I say, "Thanks, I'll call you back on the number that I know is yours because it's on my statement or my card." I try not to do business with people who call me because I'm just paranoid that way; it's necessary for my profession. It's a matter of teaching those kinds of users.
With the contingency planning book, it's also about the people, but when you think about it, you know a lot of people think about business contingency planning as being about disaster recovery. You know, if a natural disaster destroys your facility, PCs can be replaced. If you've got your data backed up, especially offsite, it can be replaced. It's your people that can't be replaced, and so not to be morbid, but if there is a true disaster, a fire, or something bad happened, people can be lost, or they might just move on, I mean, in the normal course of their lives. You need to make sure that their processes, the things that they do, are understood and can be replicated by someone else, if the event arises.
Making a Difference
FIELD: Michael, give me a sense of what you do in your day-to-day job, to try to make a difference, based on your experience of having compiled this knowledge and shared it with people.

SEESE: Well, we in the security field, we sort of have this thing where we say, "Well, we try to be business enablers, not disablers," and all that. You know, we very often have to put our foot down, and say no. Actually, it's very funny you ask that question. Just today, literally, half an hour before this conversation, I got a call from someone who needed to get access to a website, a file-sharing website where, you know, you can post files and someone else can post files. And we don't allow that because a person could access this site, and post confidential information, and we would have no way of tracking where it went. So, we don't allow access. But, in this case, she just needed a 30-second video that was a commercial, a public relations commercial that someone had repaired, and it needed to be reviewed, and she said she needed to see it today. Because, you know, it's a 30-second commercial, and in most cases, I can say, "Yeah, who wants to work from home, but it's a 30-second commercial, go home and watch it tonight," but she said, "I need to look at it and review it today." I said, "Well, I'll tell you what. Let me see if I can go get these wav files, pull them down to my computer, scan them for viruses," because I'm that sort of person, and then I sent them off to her. I finished sending the last one five minutes before I came down here and started talking to you. But it is just that kind of thing, that you know, I use my "super powers" that I can get out to the Internet, to be able to get the files that the person needs, check them for viruses, because I'm thorough, and then I sent them along to her.
FIELD: Well, with these super powers, Michael, what are your career aspirations? Do you want to continue to write? Do you want to stay in the information security profession? Move up in banking? What are your thoughts?
SEESE: Well, definitely to continue to write. It's something that I've done since I was a kid, and actually, my first job out of college was as a newspaper reporter, so I do a lot of writing. Actually, I'm working on a book of short stories right now, and hopefully, we can start soliciting publishers really soon, but we're not quite there yet. But in terms of my career here at the bank, it's just my job, to keep studying and learning information security and getting better, because the bad guys are getting better, and there are more of them. I should have thought to look up some statistics, but you know no one needs to have the actual numbers of identity theft from two years ago versus today. We all know those are rising. I did read an article just yesterday that said, for the first time, the number of cybercrimes -- I don't know if it was number, victims, dollar loss, or whatever, but it was whatever measure of cybercrime -- this year, was, for the first time, greater than the same measure of real, physical crime. So, cybercrime is increasing, because it's easy. Again, you can send out a billion spam e-mails. You can convince people to go to websites that download the keystroke loggers, which record their online banking credentials, which allows the bad guys to steal your money. That's very prevalent right now. They are improving their techniques all the time. So, we on the information security side have to keep up with trying to improve our techniques all the time, too, because, I've got a day job. It's generally, you know, 9:00 to 5:00 that I do information security. These guys can work 24/7 on being bad guys.
Career Advice
FIELD: So, for other banking and security professionals, especially, that want to make an impact in their job, where would you advise them to start?

SEESE: Try to learn as much as you can about security issues because, again, it impacts your business life, as well as your home life. You've got to know how to protect yourself at work, as well as at home, because you don't want to have some kind of incident where you allow bad guys to get your work credentials any more than you want people to get your personal credentials. And it's too easy these days, with the number of different accounts that we use, and we've got our bank accounts, and we've got our e-mail accounts, and Facebook, and there's just -- it's a lot to keep track of on an individual level, and so, it's very easy to slip up and make a mistake when it comes to hearing from someone who you think is a friend, or this or that or the other. And the same thing applies, really, in the work arena. For an information security professional, I would say the exact same thing I said about myself. Just try to learn, try to read, try to learn and keep up with the newest threats and the newest countermeasures, read magazines, go to conferences, and read books, because this really is not a static profession. It continually is evolving and we do have to evolve with it.