Skip to main content

The Growing Divide: InfoSec Practitioners vs. Climbers



The Problem
In our current age, where sound bytes, marketing reports, and short term quarterly focus rule the day, it’s getting tougher for the average corporate IT Security team to sort through the useless noise. One line of thought, which is particularly misguided and out of touch, is the belief that IT Security needs to be a “partner with the business”. What does that mean anyway? If you ask a dozen CISOs, you will likely get many different answers none of which the adversary would care about. Despite that, it has been the rallying cry for the types of vendors and consultants that focus on manipulating the C-suite to further their interests. What follows, will explain in detail why this concept is diverting IT Security from its true purpose of protecting the business in a narcissistic attempt to make heroes (aka promotions, bonuses, etc) out of paper IT Security leaders (aka PISOs)

The Reality
First things first, I’m a realist. There are both positive and negative connotations with this phrase.

Positive:
  • IT Security needs to understand the business and what matters to them
  • IT Security needs to apply their understanding of threats to high value business functions
  • IT Security needs to build relationships within the business

Negative:
  •  Security strategy by buzzwords is not effective
  • Fails to realize IT Security is not IT, which have vastly different goals
  • Implies yielding of risk acceptance & mitigation to business units and not corporate risk function

I agree wholeheartedly that the IT Security function needs to be business aligned. What that means to me is that they need to not only understand the business functions, but align their controls around what matters to them in ensuring goals are met. And of course, building relationships across the business is key to your ability to execute, and this is common sense and not specific to IT by any means. I have always supported the model of mapping what attackers want to what the business cares about. I call this a hybrid threat & data centric model.


On the flip side, I think we lose more of our security prerogative the moment we start creating roadmaps based on buzzwords. If you are a CISO, and one of your first goals is to get your CISSP in the first 6 months of your job that is a sign. If you need to bring in consultants and read Gartner for your strategy, there is another sign. If you repeat buzzwords in your presentations, that is yet another sign. The final sign, would be that your plan was only to be a CISO for 2 years before your next corporate rotation. Guess what you are the classic PISO (Paper CISO). It’s okay, most are, but guess what there is hope. But that will be a different blog post.

So what we have here is failure … failure to think for yourself and acceptance of group think. Based on the amount of breaches across all industries, I think it’s safe to say almost everyone has it wrong. A Home Depot IT leader literally said “we only want C level security”. More recently, it was made public that the USPS didn’t even have a 2-factor VPN. Was this because they were partners with the business and single factor was more convenient? So anytime some phrase like this becomes a buzzword, you should immediately put up your guard and realize it’s merely the talking head’s silver bullet of the moment. You can already see this, as more people have abandoned the term “partner with the business” for “business aligned security”.

Another major misconception is that IT Security should operate like traditional IT. This is fundamentally wrong in every sense. IT is actually a true business enabler. IT is specifically chartered to make things faster, better, and cheaper. IT delivers shiny new things to the business to the help them maximize revenue or service the customers better. IT Security is in conflict with this, as their goal is loss prevention and more specifically to protect the business from itself, not just outside threats. Does a partner with the business, tell them they have to apply critical patches (induce change) right before the busiest online shopping season? Does a partner with the business push back the rollout of a major website because it’s running Drupal on a single physical server with 3 year old Apache? Does a partner with the business have the ability to tell the CEO his baby is ugly? The job isn’t to win promotions and get accolades. The job is to be the protector of the business. That often means putting your personal career on the line to tell the business no, not because you can, but because it’s the right thing to do. No matter how eloquent you are, the business will never truly grasp IT risk and its consequences which come after the current fiscal quarter. It’s the equivalent of telling a starving person not to eat the cheeseburger in front of him, because next Tuesday you’re going to give him a fiber bar. Good luck with that.

The final problem I have with this phrase is that it yields way too much control to the project team or business unit. There is a reason corporate compliance and audit report to the board. They want to ensure risk is being appropriately managed and that the C-levels aren’t painting a different picture then the reality on the ground. Is it really appropriate for someone to accept risk, take a bonus, and move on before that risk ends up being a problem for the next person? This is one of the key flaws with the way IT risk is currently being managed and I expect this to largely change as cyber insurance, high premiums, and the required 3rd party audits start to ramp up in the coming years.

The Path Forward
  • Apply a heavy dose of skepticism to any buzzword that is being used by a vendor or consultancy. Trust me, their interests do not align with yours. A good rule would be to ask 5 Whys, to determine what they know about the subject beyond a surface level knowledge.
  • Hire a permanent or contracted technical deputy CISO to guide your program from strategy to implementation. This person needs to have verifiable experience defending organizations with a solid track record of accomplishments. 3rd party verification is often required to avoid hiring a good talker without true substance, hands on experience, and vision.
  • If you aren’t passionate about IT Security, confident enough to say no to the C-levels, and results driven, then it’s probably time to move on to a different role. The shareholders deserve better than that. And with the rules starting to change, where every breach is considered material, the seat is about to get hotter.

Comments are very much welcome, as I realize this is a highly opinionated piece, that many people will find controversial.

Comments

Popular posts from this blog

2020 SANS CTI Summit Notes

Unfortunately due to some back surgery I was not able to attend the SANS CTI summit this year, however I always try to take advantage of the great content SANS makes available. To help me out in synthesizing the information, I combined the context provided by those that were live tweeting which is useful when reviewing the slide decks. Hope you find this useful and well done @rickholland , @PDXbek , and @likethecoins , another great year of great content! Day 1 Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1579535253.pdf @CristinGoodwin Assistant General Counsel for Customer Security and Trust, Microsoft Boundaries and strategies to help analysts identify and manage legal risks while hunting, investigating, and responding "Have a principled approach to sharing, so when the crisis comes you don’t have to panic.” "What we call common in #threatinel sharing is what a l

FIRST Conference 2018 - Review (Kuala Lumpur Edition)

As apart of my new job, my employer is seeking to gain FIRST membership later this year. To support that goal, I was asked to attend the 30th FIRST Conference in Kuala Lumpur. For the travel weary, this is not a trip to take lightly. For me it was 3 flights and 28 hours total of travel just to arrive. I do have to say, the conference venue, the Shangri-La hotel is absolutely fabulous. Very nice, clean, and ultra courteous staff. The swag bag I was given at registration was also very nice, including 3 shirts, challenge coin, notebook, mini first aid kit, and a pretty decent backpack. I also have to say the lunch options for the conference are vastly superior to anything I have ever experienced. SANS and Blackhat could learn a few things. For a 5 day conference, you get a much greater value here. If you are interested in jumping straight the slides you can visit here . Opening The conference was kicked off on Day 1 by Thomas Schreck (@shrekts) who gave out some

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.      Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your company. The key focus of