Friday, November 14, 2014

The Growing Divide: InfoSec Practitioners vs. Climbers



The Problem
In our current age, where sound bytes, marketing reports, and short term quarterly focus rule the day, it’s getting tougher for the average corporate IT Security team to sort through the useless noise. One line of thought, which is particularly misguided and out of touch, is the belief that IT Security needs to be a “partner with the business”. What does that mean anyway? If you ask a dozen CISOs, you will likely get many different answers none of which the adversary would care about. Despite that, it has been the rallying cry for the types of vendors and consultants that focus on manipulating the C-suite to further their interests. What follows, will explain in detail why this concept is diverting IT Security from its true purpose of protecting the business in a narcissistic attempt to make heroes (aka promotions, bonuses, etc) out of paper IT Security leaders (aka PISOs)

The Reality
First things first, I’m a realist. There are both positive and negative connotations with this phrase.

Positive:
  • IT Security needs to understand the business and what matters to them
  • IT Security needs to apply their understanding of threats to high value business functions
  • IT Security needs to build relationships within the business

Negative:
  •  Security strategy by buzzwords is not effective
  • Fails to realize IT Security is not IT, which have vastly different goals
  • Implies yielding of risk acceptance & mitigation to business units and not corporate risk function

I agree wholeheartedly that the IT Security function needs to be business aligned. What that means to me is that they need to not only understand the business functions, but align their controls around what matters to them in ensuring goals are met. And of course, building relationships across the business is key to your ability to execute, and this is common sense and not specific to IT by any means. I have always supported the model of mapping what attackers want to what the business cares about. I call this a hybrid threat & data centric model.


On the flip side, I think we lose more of our security prerogative the moment we start creating roadmaps based on buzzwords. If you are a CISO, and one of your first goals is to get your CISSP in the first 6 months of your job that is a sign. If you need to bring in consultants and read Gartner for your strategy, there is another sign. If you repeat buzzwords in your presentations, that is yet another sign. The final sign, would be that your plan was only to be a CISO for 2 years before your next corporate rotation. Guess what you are the classic PISO (Paper CISO). It’s okay, most are, but guess what there is hope. But that will be a different blog post.

So what we have here is failure … failure to think for yourself and acceptance of group think. Based on the amount of breaches across all industries, I think it’s safe to say almost everyone has it wrong. A Home Depot IT leader literally said “we only want C level security”. More recently, it was made public that the USPS didn’t even have a 2-factor VPN. Was this because they were partners with the business and single factor was more convenient? So anytime some phrase like this becomes a buzzword, you should immediately put up your guard and realize it’s merely the talking head’s silver bullet of the moment. You can already see this, as more people have abandoned the term “partner with the business” for “business aligned security”.

Another major misconception is that IT Security should operate like traditional IT. This is fundamentally wrong in every sense. IT is actually a true business enabler. IT is specifically chartered to make things faster, better, and cheaper. IT delivers shiny new things to the business to the help them maximize revenue or service the customers better. IT Security is in conflict with this, as their goal is loss prevention and more specifically to protect the business from itself, not just outside threats. Does a partner with the business, tell them they have to apply critical patches (induce change) right before the busiest online shopping season? Does a partner with the business push back the rollout of a major website because it’s running Drupal on a single physical server with 3 year old Apache? Does a partner with the business have the ability to tell the CEO his baby is ugly? The job isn’t to win promotions and get accolades. The job is to be the protector of the business. That often means putting your personal career on the line to tell the business no, not because you can, but because it’s the right thing to do. No matter how eloquent you are, the business will never truly grasp IT risk and its consequences which come after the current fiscal quarter. It’s the equivalent of telling a starving person not to eat the cheeseburger in front of him, because next Tuesday you’re going to give him a fiber bar. Good luck with that.

The final problem I have with this phrase is that it yields way too much control to the project team or business unit. There is a reason corporate compliance and audit report to the board. They want to ensure risk is being appropriately managed and that the C-levels aren’t painting a different picture then the reality on the ground. Is it really appropriate for someone to accept risk, take a bonus, and move on before that risk ends up being a problem for the next person? This is one of the key flaws with the way IT risk is currently being managed and I expect this to largely change as cyber insurance, high premiums, and the required 3rd party audits start to ramp up in the coming years.

The Path Forward
  • Apply a heavy dose of skepticism to any buzzword that is being used by a vendor or consultancy. Trust me, their interests do not align with yours. A good rule would be to ask 5 Whys, to determine what they know about the subject beyond a surface level knowledge.
  • Hire a permanent or contracted technical deputy CISO to guide your program from strategy to implementation. This person needs to have verifiable experience defending organizations with a solid track record of accomplishments. 3rd party verification is often required to avoid hiring a good talker without true substance, hands on experience, and vision.
  • If you aren’t passionate about IT Security, confident enough to say no to the C-levels, and results driven, then it’s probably time to move on to a different role. The shareholders deserve better than that. And with the rules starting to change, where every breach is considered material, the seat is about to get hotter.

Comments are very much welcome, as I realize this is a highly opinionated piece, that many people will find controversial.

No comments:

Post a Comment