Skip to main content

The Growing Divide: InfoSec Practitioners vs. Climbers

The Problem
In our current age, where sound bytes, marketing reports, and short term quarterly focus rule the day, it’s getting tougher for the average corporate IT Security team to sort through the useless noise. One line of thought, which is particularly misguided and out of touch, is the belief that IT Security needs to be a “partner with the business”. What does that mean anyway? If you ask a dozen CISOs, you will likely get many different answers none of which the adversary would care about. Despite that, it has been the rallying cry for the types of vendors and consultants that focus on manipulating the C-suite to further their interests. What follows, will explain in detail why this concept is diverting IT Security from its true purpose of protecting the business in a narcissistic attempt to make heroes (aka promotions, bonuses, etc) out of paper IT Security leaders (aka PISOs)

The Reality
First things first, I’m a realist. There are both positive and negative connotations with this phrase.

  • IT Security needs to understand the business and what matters to them
  • IT Security needs to apply their understanding of threats to high value business functions
  • IT Security needs to build relationships within the business

  •  Security strategy by buzzwords is not effective
  • Fails to realize IT Security is not IT, which have vastly different goals
  • Implies yielding of risk acceptance & mitigation to business units and not corporate risk function

I agree wholeheartedly that the IT Security function needs to be business aligned. What that means to me is that they need to not only understand the business functions, but align their controls around what matters to them in ensuring goals are met. And of course, building relationships across the business is key to your ability to execute, and this is common sense and not specific to IT by any means. I have always supported the model of mapping what attackers want to what the business cares about. I call this a hybrid threat & data centric model.

On the flip side, I think we lose more of our security prerogative the moment we start creating roadmaps based on buzzwords. If you are a CISO, and one of your first goals is to get your CISSP in the first 6 months of your job that is a sign. If you need to bring in consultants and read Gartner for your strategy, there is another sign. If you repeat buzzwords in your presentations, that is yet another sign. The final sign, would be that your plan was only to be a CISO for 2 years before your next corporate rotation. Guess what you are the classic PISO (Paper CISO). It’s okay, most are, but guess what there is hope. But that will be a different blog post.

So what we have here is failure … failure to think for yourself and acceptance of group think. Based on the amount of breaches across all industries, I think it’s safe to say almost everyone has it wrong. A Home Depot IT leader literally said “we only want C level security”. More recently, it was made public that the USPS didn’t even have a 2-factor VPN. Was this because they were partners with the business and single factor was more convenient? So anytime some phrase like this becomes a buzzword, you should immediately put up your guard and realize it’s merely the talking head’s silver bullet of the moment. You can already see this, as more people have abandoned the term “partner with the business” for “business aligned security”.

Another major misconception is that IT Security should operate like traditional IT. This is fundamentally wrong in every sense. IT is actually a true business enabler. IT is specifically chartered to make things faster, better, and cheaper. IT delivers shiny new things to the business to the help them maximize revenue or service the customers better. IT Security is in conflict with this, as their goal is loss prevention and more specifically to protect the business from itself, not just outside threats. Does a partner with the business, tell them they have to apply critical patches (induce change) right before the busiest online shopping season? Does a partner with the business push back the rollout of a major website because it’s running Drupal on a single physical server with 3 year old Apache? Does a partner with the business have the ability to tell the CEO his baby is ugly? The job isn’t to win promotions and get accolades. The job is to be the protector of the business. That often means putting your personal career on the line to tell the business no, not because you can, but because it’s the right thing to do. No matter how eloquent you are, the business will never truly grasp IT risk and its consequences which come after the current fiscal quarter. It’s the equivalent of telling a starving person not to eat the cheeseburger in front of him, because next Tuesday you’re going to give him a fiber bar. Good luck with that.

The final problem I have with this phrase is that it yields way too much control to the project team or business unit. There is a reason corporate compliance and audit report to the board. They want to ensure risk is being appropriately managed and that the C-levels aren’t painting a different picture then the reality on the ground. Is it really appropriate for someone to accept risk, take a bonus, and move on before that risk ends up being a problem for the next person? This is one of the key flaws with the way IT risk is currently being managed and I expect this to largely change as cyber insurance, high premiums, and the required 3rd party audits start to ramp up in the coming years.

The Path Forward
  • Apply a heavy dose of skepticism to any buzzword that is being used by a vendor or consultancy. Trust me, their interests do not align with yours. A good rule would be to ask 5 Whys, to determine what they know about the subject beyond a surface level knowledge.
  • Hire a permanent or contracted technical deputy CISO to guide your program from strategy to implementation. This person needs to have verifiable experience defending organizations with a solid track record of accomplishments. 3rd party verification is often required to avoid hiring a good talker without true substance, hands on experience, and vision.
  • If you aren’t passionate about IT Security, confident enough to say no to the C-levels, and results driven, then it’s probably time to move on to a different role. The shareholders deserve better than that. And with the rules starting to change, where every breach is considered material, the seat is about to get hotter.

Comments are very much welcome, as I realize this is a highly opinionated piece, that many people will find controversial.


Popular posts from this blog

FIRST Conference 2018 - Review (Kuala Lumpur Edition)

As apart of my new job, my employer is seeking to gain FIRST membership later this year. To support that goal, I was asked to attend the 30th FIRST Conference in Kuala Lumpur. For the travel weary, this is not a trip to take lightly. For me it was 3 flights and 28 hours total of travel just to arrive. I do have to say, the conference venue, the Shangri-La hotel is absolutely fabulous. Very nice, clean, and ultra courteous staff. The swag bag I was given at registration was also very nice, including 3 shirts, challenge coin, notebook, mini first aid kit, and a pretty decent backpack. I also have to say the lunch options for the conference are vastly superior to anything I have ever experienced. SANS and Blackhat could learn a few things. For a 5 day conference, you get a much greater value here.

If you are interested in jumping straight the slides you can visit here.
OpeningThe conference was kicked off on Day 1 by Thomas Schreck (@shrekts) who gave out some interesting attendance statis…

Hacking Exposed Notes

Hacking Exposed Notes

Footprinting – profiling an organization Internet, Intranet, Remote Access, and Extranet presence to determine security posture and netblocks

Website Pilfering – grabbing source code to analyze offline

Unix – Wget

Win – Teleport Pro

Search Engines – tools for searching multiple engines, IRC, email, etc at once

Win – FerretPRO($)

Web – DogPile

Registered Networks – internet whois searches

Current Registrars

Unix – Whois, Xwhois

Unix - $ whois “acme.” (list possible domains)

Unix - $ whois “HANDLE JS1234” (list POC info)

Unix - $ whois “” (list email info)

Web – US

Web – International

Web – US Military

Web – US Gov

DNS Interogati…

Top 10 InfoSec Mistakes

This is my Top 10 list based on what common mistakes I am seeing, which may be completely different from what others are observing. Please share your experiences to see where there is overlap or uniqueness.

1) No CISO Left Behind Having a low performing CISO is in almost all cases a program killer. Not only is it bad for morale, it typically derails efforts to reduce risk and puts budget dollars on projects with very low ROI. One thing I have noticed is that C-levels and most BoDs are unable to adequately assess CISO performance. Its often only measured on personality and the pure luck of avoiding a public security breach. Conversely, many high performing CISOs get a raw deal when they experience a breach, yet have advanced the program further than any of their predecessors.
Recommend: Hold quarterly KPI reviews, including discussion of new KPIs at least annually. Maintain accountability of a CISO's time, specifically around time spent building their personal brand or with vendors…