So as we are about to close out 2012, many of us in the IT Security community look around and try to assess where we were, what we have accomplished this year, and what is next. I’ve been working in IT since the late 90s, with a focus on security for much of that time. Most of my work has been in large private sector companies, with a brief, but very rewarding, stint working for the government. To me, while much has changed, many of the core issues remain today as they were back then. Our security condition has actually worsened in many cases. While that is up for debate, no one can argue that the pace, sophistication, and impact of major cyber events related to nation-sponsored, organized crime, and hacktivism threats have increased exponentially in the last 4-5 years. This new normal has applied to the government and defense industrial base for a long time, but really surfaced in the private sector around 2007. You would assume that all that increased attention, dollars and executive support at the highest levels would be making things happen. Well, they are, but we as an industry are still losing the never-ending cat and mouse game with our adversaries. Why?
Over the years, I have sat through countless “you’re doing it wrong” or “we’re screwed” type presentations. Some of them were very informative, and I absolutely have a level of respect for anyone publicly voicing their opinions and ideas, knowing they will be criticized and nitpicked for things taken out of context. However, I often leave conferences wanting a way to fix what we all know is broken. So what is stopping us? That is where I would like to focus some energy. What are the key roadblocks and stumbling points that are keeping the security industry from truly raising the bar, and stuck instead in a continual state of catch-up?
The ideas that follow are not all my own, and I’m sure I have subconsciously absorbed them or knowingly added them to my mantra. I have a set of wise men that I learn from constantly; however, I won’t list them or directly associate them with this posting, out of respect. These ideas shouldn’t be taken as statements of fact either, as they are only my humble opinions. My goal is to start a real discussion and provide a starting point for documenting and overcoming our greatest challenges.
First off, any high-level discussion that focuses on technical solutions is inherently flawed. That is the equivalent of trying to fix and improve the Maginot Line. To paraphrase The Matrix, “You’ve been down that road, you know that road, and you know exactly where it ends.” We shouldn’t be looking for point solutions, because just as you achieve them, the game changes. If we can all agree to “take the red pill,” we can start addressing the behavioral issues and misconceptions that are keeping us in a reality distortion field.
In no particular order, here we go:
Obstacle 1 – No Incentive or Penalty for Correctly Managing IT Security Risk
How many times have you had a business leader accept an enormous, unmitigated risk, despite the misgivings of their security department? I agree that security should not disrupt revenue-generating business activities; however, at a certain point the risk actually outweighs the profit. There are many factors that contribute to this behavior. The most talked about is the fact that technical security people often don’t correctly describe the risk in business terms. There absolutely is a need to have the right people, who can translate the lack of encryption, or the outsourcing of critical applications, into what that may mean in business terms. So let’s say we are already doing that. That is a big if, I know. The next challenge we have is the short-term, fiscal-quarter mentality that most C-levels have. They are incentivized to deliver results quarterly or annually to meet their bonus potential. By the time the risk they have accepted goes south, they have cashed the bonus check and may have been promoted into a different role or left the company altogether. One thing is clear though: short-term strategy rules the day. Hmm, just maybe the Chinese are right about one thing (see Five-Year Plan). Actually they are right about many things, but that is a different story. I don’t see an easy way to incentivize something that may take years to play out. For me, the most direct solution is to model what you see implemented in the sports, legal and medical professions. Sometimes a pro athlete, for a number of reasons, creates a situation where they have violated the terms of their contract and their bonuses are subject to forfeiture. Imagine a world where a senior leader accepts a risk and is then found to have been negligent. The bonus achieved by cutting security corners should be returned, even if they have left the company.
I’m not sure if this was ever implemented, but I think this line of thought was discussed for SOX and FINRA regulation of CEOs who sign off on financial results. Similar to medical boards and the Bar Association, that failure should be recorded and follow them throughout their career. If you choose, for example, to put your M&A or intellectual property data in a third-party cloud despite documented warnings, then all your future employers should know that. I’m not saying this would be easy to achieve or likely, but it would definitely modify behaviors. It’s also right to consider that this might swing the pendulum too far, to where we become too risk averse.
Obstacle 2 – Field Validated Results Uber Alles
At the business level, the ultimate driver is audit compliance and the potential for fines by a governing body. Due to the punitive nature of the compliance racket, it makes perfect sense that this always stays high on the radar. What clearly needs to change is the thought that IT security compliance somehow equates to real-world security. It doesn’t, and almost never has. Some of the guidance contains very reasonable controls; however, much of it, particularly FISMA, creates a massive amount of overhead that actually detracts from improving security. Pro Tip: Stop funding auditing if you’re not funding actually fixing the findings. I feel for the people placed in the horrible spot of having to write a single, snapshot-in-time document to cover every possible deployment or IT environment imaginable. It’s a losing proposition by any measure. You can’t be all things to everyone all the time, unless you’re $deity. What is lacking is the concept of field-validated results, correlated with threats, to drive your overall security strategy. This has been discussed by many people, and nobody with experience really disagrees with it. My suggestion is not to eliminate, but to lessen the importance of, static, one-size-fits-all IT compliance. What should really be audited is the results of your incidents and pen tests, and specifically whether or not you have closed the gap. Kevin Mandia used the term “Attack the gap” recently. That couldn’t be timelier. One of your primary jobs as an information security professional is ultimately to reduce your attack surface. And to do that properly, you have to know what the most exploitable points in your environment are to real threats, not to outdated security guidelines.
Obstacle 3 – IT Security is a competitive advantage
Now that more stories are becoming public about companies literally getting hacked out of business, this strategy becomes easier to sell. I think it’s commonplace for leaders in non-tech industries to view IT as a cost center and not something that drives profits. I believe in the majority of cases this is not true. Nevertheless, a Fortune 100 company in my town actually told their IT workers, “We don’t value IT, and you should look for work elsewhere if you want to be valued.” Wow, well the guy who delivered that message is a straight shooter with upper management written all over him. If you’re reading this right now, chances are you will agree that information, and the speed with which you can analyze and act on it, is a competitive advantage. Hence the availability, integrity, and confidentiality of that information are also an advantage. (CISSP credits ;-)) There is no leap in logic here. So what is lacking is getting C-level leadership to understand this. We have to sell this better. We have to speak in business terms. We have to make a well-defined, quantitative business plan as to how this makes the company better. Every day your company is either getting stronger or weaker in the marketplace. It’s a zero-sum game in your vertical. If you suffer brand damage, loss of intellectual property, or a complete business disruption and your competitor doesn’t, guess who wins?
Obstacle 4 – Talent Gap from the Keyboard to Boardroom
DHS needs 2000 Cyber Warriors in the next 5 years! The lack of IT security skills has been covered ad nauseam by the tech media. This is a real issue, but it’s easier to fix than one would think. I’m not going to discuss the key skills we need from DFIR people, which is another great discussion. Where I see the biggest deficit of talent is in CISO/Director-level security positions. I won’t say that to be great in this role you have to have been a skilled technical person, because I don’t believe that to be true. Certainly that is desired and helps, but it’s hard to detail a prototypical background. I’ve definitely seen people come out of the DoD or another three-letter agency with the perfect resume and fall completely on their face. To be honest, I’m not the best person to outline this problem, because I’ve spent more time at the keyboard than I have in meetings with C-levels. I just know a problem when I see it. It has impacted me personally on multiple occasions. My biggest issue is that you don’t want someone in this role who is trying to climb the ladder or use it as a stepping stone. You have to be willing to put your career on the line and say no to the people in power. If you can’t do that, and you’re more of a yes-man, then I beg of you, get into marketing, HR, finance, or some other part of the company. If you don’t have a track record of rocking the boat and want to merely coast until retirement, please step aside. At the same time, you also need to be an astute politician, because having great success, or striving for greatness, often brings a myriad of consequences. Clearly for me though, the biggest required skill goes back to being able to show, in understandable business terms, the risks associated with not establishing or improving IT security. These people also need copious amounts of patience and a strong passion for security. If you can get one of these people in short supply, keep them happy, because they are in very high demand.
People want to work for these types of leaders, and you will likely reap many rewards.
Obstacle 5 – IT Agility for Security
What is the number one reason high performers leave for another job? Is it money? What about power? I can’t say I have an answer for this, and everyone is different in their expectations for a job. I can tell you that the type of people I like to work with are problem solvers and enthusiastic about at least one aspect of IT or IT security. What I tend to see a lot of is people leaving because they are either pigeonholed into one area or frustrated because they can’t accomplish what they want to. It’s very common for an IT organization to resist and delay changes that support security because IT objectives are at odds with IT security objectives. That’s not the only reason, of course, but it’s a recurring theme that people are fighting a slow-moving process to make change happen. This could be something as simple as instrumenting your network, collecting logs, or even product selection. My proposal is to fast-track all security-related projects. Yes, beat me with a stick now, as I know this is totally unrealistic. That doesn’t stop me from selfishly wanting it. I firmly believe that turnover in your security department would come down if we simply moved more quickly on security projects. I also believe that these delays often take so long that by the time a given change is operationalized, it’s no longer cutting edge and attackers have circumvented it. We need to become more agile and responsive as a whole, and I think there is consensus for that. How we get there is still an unanswered question.
So there you have it. My top 5 suggestions to raise the bar in security and actually end the year more secure than the year before. In case you’re wondering, number 6 would have been Applied Threat Intelligence. I am hoping for some more maturity in this space, and for people to understand it’s not simply paying for a third-party threat feed. I think if we can eject the vendors and the Gartners of the world from our strategy process, things will start to improve. My message is: stop following the crowd and start doing the hard work of building a security program that is right for your business. A program that is cognizant of the behaviors mentioned above. A program that not only enables the business, but is accountable to the business. A program that rewards and develops security talent. In short, a program that you can be proud of. Let’s do this.