Wednesday, May 10, 2017

The Sponge
I was examining a bath sponge one evening and thought about the journey taken by this particular genus of sponge.  From its exciting life as a sea-dwelling, multi-celled animal to an item hanging from a hook in a bath and body shop, this little sponge had been around.  Like most of you I empathize with any creature that ends up on the bottom of my shopping basket, but understanding my place on the food chain, I quickly move on with my life.  For some reason, this sponge was different...  I felt compelled to give serious consideration to the unfortunate events leading to such a humble end.  To really understand where this sponge came from I had to "become the sponge".


At some point this sponge was living a happy if somewhat solitary life under a sunlight-streaked, warm tropical sea.  Swaying to and fro under the gentle pressure of the underwater currents, with delightfully colored fish swimming by to nibble and groom their neighbor... the sponge, then dashing off, leaving it alone again to sway to and fro... to and fro....


Fast forward five years and some chubby guy in Dallas, Texas is in the shower using the same sponge to exfoliate his butt.  Sad... so very sad.

If there is any moral at all to this story, it's this: don't become complacent and take things for granted.  Now I'll try to tie this into an information security analogy, but don't expect much... I really just wanted to share that story.

Information Security Programs can range from a simple set of controls and practices for the neighborhood coffee shop to a complex and comprehensive multi-national solution based on a formal Information Security Management System aligned with international standards and industry best practices.  The former of those solutions can be designed and implemented for a few hundred dollars by a pretty smart high school student.  The latter will require months of planning, extensive resources and funding, and often generates a virtual cross-border range war between the security implementation team and the legacy network and system administrators.  A bit of advice here: work for consensus prior to implementation, or become intimately familiar with Sun Tzu's Art of War.

Once an information security management system is in place, change adoption and communication programs have more or less been successfully conducted, and the budget has been blown for the next five years, a worn-out and battle-scarred security team may allow themselves to settle in and become complacent.  It's interesting that complacency is defined as:

"pleased, esp. with oneself or one's merits, advantages, situation, etc., often without awareness of some potential danger or defect"

I am a firm believer in basking in the sunshine of success when deserved; however, the problem with becoming complacent is found toward the end of the definition: "often without awareness of some potential danger or defect".  Security professionals, if we possess any character flaw at all, may at times exhibit signs of hubris.  We don't like to admit that we may be wrong, or worse yet, lacking in technical proficiency.  So here you are, new security program in place, enjoying the adoration of the security neophytes within your organization and taking a working holiday that will last until you become conscious of your condition or fate steps in and creates an emotionally significant event tailor-made just for you.  It's not likely that if you've been lacking in self-awareness or a work ethic prior to this you will suddenly achieve some level of enlightenment.  I'm thinking many will go the other route, and we all know the type of emotional event I'm referring to here.  Hackers!  Those mean-spirited pirates of the net.  Eventually we all have that one security experience that we will bring up in conversations for years to come.  Whenever security, the Internet, or any mention of pirates comes up in casual conversation, you begin to retell the story of the great security breach of 2010 (the story tells much better if it doesn't start out with "I really screwed up once").  Worst case: you don't have to tell people about it because they read it in the newspaper.


So back to the moral of this missive.  Build your program, enjoy the rewards that come with a successful launch of an information security management system, but never stop evaluating and improving your program.  Threats change with technology, business objectives will introduce new risk, and the attack vectors continue to shift.  Challenge yourself daily and you might avoid ending up like the sponge.


Tuesday, May 9, 2017

Cannabis Industry - Your Board Needs Security Advisors

The growing legalized marijuana market is going to launch fortunes for some and bring ruin to others, but you can't deny the impressive potential of this new and exciting industry.  According to a report from the ArcView Group (http://arcviewgroup.com), the marijuana industry will see a 27% CAGR from 2016 to 2021, resulting in a 22-billion-dollar market.  This new market opportunity has been compared with the California Gold Rush, the end of Prohibition, and the Dot Com explosion.  I personally suspect we are witnessing a convergence of opportunity and growth with the potential to far exceed market analyst expectations.

Companies and inventors are busy developing new THC delivery devices, conducting pharmaceutical research, and creating myriad new products.  There are approximately 12,000 patents registered with the World Intellectual Property Organization related to the cannabis industry.  We can expect a surge in innovation, from highly structured research facilities to old-school cannabis disciples.  The potential exists for us to witness important technical advances aimed at improving the efficiency of growing facilities, lighting, air circulation, and hydroponic/aeroponic methods.  Scientists and enthusiasts are developing new cannabis strains to improve pain management, enhance the recreational consumer's experience, and refine flavor for edibles.  Significant contributions are expected in pharmaceutical research.  There's a rare opportunity here to witness the possibilities that arise when the efforts of experts and laymen alike benefit the community as a whole.  The enthusiasm of this new breed of entrepreneur, joined with the discipline and rigor of laboratory processes, could set off a renaissance of discovery and change our cultural landscape forever.  A possible consequence of an increase in innovative activity would be the adaptation of technical advances in the cannabis industry for other market segments.

Then there's the matter of security.  Nothing this lucrative can escape the attention of the criminal element.  Larger companies have the resources to protect their intellectual property.  Regrettably, they could also use those same resources to acquire technology belonging to smaller start-ups.  It's unfortunate that during the very stage when a company is most vulnerable to pilfering of its work processes, methodologies, and trade secrets, it can least afford to staff a security team.  Cybercrime will be a problem for the less sophisticated start-ups and smaller companies.  Just a few areas to consider are:
  • Insider threats (physical and cyber)
  • Network breaches and data exfiltration
  • Poorly secured cloud services
  • Lack of training, personnel, tools
  • Sabotage
  • Fraud
  • Theft of edible recipes
  • Third-party/supply-chain risk


My recommendation is that smaller companies give serious thought to inviting an experienced security executive to join their Board of Directors.  Companies without a formal Board of Directors should, at a minimum, create an advisory board and seek out a professional from the security industry, or identify a qualified security executive from a non-competing company, to help guide the company leadership in selecting cost-effective controls and countermeasures.


Aside from the obvious value proposition of not losing intellectual property to potential competitors, having a mature information security program will demonstrate to potential investors that company management recognizes the value of its intellectual property and is safeguarding both tangible and intangible company assets.