Sunday, November 29, 2015

We can't keep hiding behind risk analysis

Antonio Ramos, CEO of Leet Security.

Antonio Ramos has a solid CV in cybersecurity, not only because of the places where he has worked or the number of certifications he holds (we swear he has more than José Selvi :), but also because of the quantity and quality of the organizations he belongs to, starting with the Spanish chapter of the Cloud Security Alliance, of which he is a founding member; ISACA Madrid, where he was president and is now vice-president; the European cybersecurity agency ENISA; ISMS Forum Spain; and the Spanish Association for Standardization and Certification (AENOR).

But when you meet him in person, all these headlines and baggage take a back seat, and it is his humanity and warmth that you will remember. Antonio, 42 years old, from Extremadura and living in Madrid, besides being an expert in cybersecurity has a tradesman's soul and is one of the few people in this savage world who dare to start a business without dying in the attempt. A member in his own right of the business side (the real one) of Spanish cybersecurity, he is also one of its most approachable members.

- Why did you get into the mess of being an entrepreneur?

- Because of my parents. They always had a small business, and the fact that my family lived day after day in an entrepreneurial environment means it isn't strange for me. Actually, I always had this idea, which led me to being an intrapreneur in the companies I worked in (starting the ISMS (SGSI) practice at Ernst & Young, or the PCI QSA activity at S21sec).

- In January 2011 you co-founded LEET Security and you're its CEO. What do you do?

- It is the first security rating agency in Europe. We developed our own methodology to evaluate how solid the security and resilience measures of a service are, and we assign a label that, in an easy way, lets the users of that service know its security measures. To do that we have five levels (from D to A) assigned to each of the three dimensions of confidentiality, integrity and availability.

- Recently you signed an agreement regarding Spanish critical infrastructures. What does it mean?

- We have signed a three-year agreement with INCIBE to develop a model for building cybersecurity capabilities for industrial control systems. When it is finished (which will be very soon) I suppose the CNPIC will use it, for example, to evaluate the capability level of critical operators in the management of these critical infrastructures. This makes it possible to know the existing capability level, whether it is enough or not, on a scale that is homogeneous for everybody, and to create upgrade paths for these cybersecurity capabilities.

- Whom will you certify: a critical infrastructure, for example a power plant, or the provider in charge of its security?

- The provider. As for the critical operator, the CNPIC will have to establish the model and how they want to use this methodology.

- What good does it do for someone to certify that something is secure? It reminds me of some certified websites... that were defaced days later.

- Indeed, I agree 100% that you can't certify a service as secure. Actually, I think it is counterproductive. That's why what we do at LEET Security is to rate the solidity and maturity of the security measures and the resilience of a service by assigning a rating. Does it mean a service with the highest rating can't be hacked? Absolutely not. The rating gives us an indication of the technical capability behind the security of the service and an indication of its vulnerability. This means that the higher the rating, the lower the probability of an incident, and the service will be better prepared to restore normality if an incident does happen.

- And what do you do in your other company, Nplus1 Intelligence & Research?

- High-value-added consultancy services on governance matters related to (cyber)security. In particular, we like to apply theories from the business management field, like the Theory of Constraints or Lean methodologies, to cybersecurity.

- Actually, your background is in economics.

- Yes, and I'm an auditor of accounts. I ended up in the world of cybersecurity by chance. I had taken some programming courses and I had a Spectrum at home, and that led the audit firm I joined in 1998 to ask me to join the technological risk unit, which was really incipient at the time. I went without hesitation and I have never regretted my decision.

- You have dedicated yourself basically to security management. From your position, do you see that we are going wrong?

- The capitalist system makes decisions be ruled by a system of rewards and by the conclusions of cost-benefit analysis. Unfortunately, the existing rewards don't lead to better security (developers don't get paid more for making their developments more secure, manufacturers don't receive more for more secure software...) because cost-benefit analysis doesn't consider security properly, since, as an externality, it needs external mechanisms (legislation, for example) to make correct decision-making possible with the real cost of not considering cybersecurity properly.

- How should we do it? Because raising awareness about passwords is a lost battle.

- I agree. The answer is accountability. We have to make acts that lead to incidents have consequences. That is to say, there must be a framework of responsibilities where you pay if your activity is insecure for other people, organizations, or the rest of society.

Furthermore, leaving behind the hypocrisy of risk analysis. Today, too many organizations hide behind risk analysis so as not to address the introduction of proper security mechanisms, using the excuse of the very low probability of the threat. And although everybody is aware that risk analysis is only useful in situations where the unknown is residual, it is still being used to decide which security measures to implement at a moment, like now, of total uncertainty and intentional attacks (not at all random). Ultimately, we can't keep "hiding" behind risk analysis, and we should start to analyze which impacts we can't allow in our area of responsibility.

- And you still have time to dedicate to entities like ISACA Madrid... Why do you spend energy on being its president?

- ISACA chapters are professional associations, which means there is no corporate interest. For me, the time at ISACA has been a way of giving back all I learned from great professionals, dedicating part of my time and my effort, in an altruistic way, to other professionals.

- Antonio, which security gurus (in the best sense) do you respect/follow/listen to?

- I'm not a big fan of gurus or, better said, I have very high standards. I admit Bruce Schneier was very accurate in the past ("Secrets & Lies" and "Liars & Outliers" are essential, in my view) and, closer to home, I must admit David Barroso and Alfredo Andrés are references for me.

- It is curious that you mention them. My opinion is that there's an abyss between your generation, more focused on companies, less "fun", and the generation of David or Alfredo, who were members of the "underground" in the 90s. While your people gathered at Securmática, they did it at UnderCon, No cON Name, RootedCon...

- I think your perception is really interesting and I think it's mostly true. There's a group of professionals who decided to dedicate themselves to hacking and have been more "techie", while others focused on business management. In fact, I think they're the yin and yang of cybersecurity; that is to say, on one hand we have to learn technical skills that allow us to know at a low level that we have effective security measures and, on the other hand, we have to ensure that organizations/people have the right mechanisms to take the right decisions in security matters. In my opinion, ignoring each other weakens us, and thinking the other is beneath us doesn't help us offer the best of ourselves as a sector. I enjoy some talks at Securmática, as I do other talks at the famous CONs, and there are really bad talks at both kinds of conferences. Nothing is better or worse by definition; not all cybersecurity is hacking and not all cybersecurity is management. That's why I enjoy my conversations with David Barroso, and understanding what he does makes me a better professional.

- Do you have a security-related quote to share?

- Most problems related to (in)security come from treating cybersecurity differently from the rest of the "securities".

Text: Mercè Molist
