Choice of Words in Professional Cybersecurity Documents
Transcript:
In cyber security, we often use words to express an obligation to do one thing or another, with respect to cyber security. Those words might appear in a policy. They might appear in a contract, for example. They might even appear in response to a questionnaire. Nevertheless, wherever the words appear, cyber defenders are wise to think carefully about their choice of words. They want to ensure that when they say, “We do this,” or, “We strive to do that,” they’re making statements that are realistic rather than idealistic. An example of an organization that chose some words that were too idealistic was MD Anderson, a large health care entity. MD Anderson said way back in 2007 in its security policy that, “It will always encrypt every portable device.” But that’s not realistic over a period of fifteen years. MD Anderson, like any other large entity, can’t perfectly guarantee that it’s going to encrypt every portable device. And therefore, organizations often need to be thinking about softer language like, “We strive,” or, “We intend to use various methods for securing data on portable devices, including, but not limited to, encryption.”

So, an example of a person wrestling with this kind of problem was a student who had taken my class at the SANS Institute. He had heard me talking about using softer language like “strive,” or “professional teamwork.” He goes back to his organization, and he starts promoting these softer words. He gets pushback from his team. So, he comes to talk to me on LinkedIn and we talk about how he might argue within his team that less absolute language makes more sense. So, I asked the student, “Does your organization always follow all of the standards that it has written for itself?” This question was going back and forth in September 2021. So, this was a year and a half after remote work had gone into play because of COVID. The former student comes back and says, “You know Ben, I’m looking at our contracts. We have a bunch of contracts saying that we’re going to secure data, but they all assume that our employees are working from the office. In other words, our contracts are out of date.” So, he goes back to his team and says, “Look, we’ve got all these obligations to do things, but it’s all out of date.” In response to that, his team members said, “The truth is, we don’t always do what we say we do. Therefore, you’re right. Less absolute language often makes more sense.”

And so, I see cyber defenders reaching for standards that they can articulate to say, “This is what we do.” For example, cyber defenders may want to say something like, “We always follow best industry practices.” When I hear that, I sit back and I say, really? Do you always follow best industry practices? Is there any place within your organization at any given time where you might be able to show that you didn’t follow best industry practices? And I suspect the answer is that there are always places in your complex infrastructure where you didn’t follow the absolute best industry practices. An example of this comes from the British Airways case, where British Airways was investigated by the data protection regulator in the United Kingdom. And the data protection regulator found, “Oh! There’s this certain server. You didn’t harden it according to best industry practice that was explained on this certain web page two years earlier.” So my point here is that organizations are often wise to step back as they choose words in contracts or policies and look to use a less absolutist type of language.
I teach a five-day course at the SANS Institute. The name of that course is Legal 523: The Law of Data Security and Investigations. You can learn more about that at sans.org. You can also learn more about me and my practice of law at benjaminwright.us. Here in this video, I’ve given some ideas that can help to address legal compliance or legal risk. Obviously, through this video, I’m not your lawyer, and if you need legal advice, you need to go hire a lawyer to give you specific legal advice. This video is only for public education.