Once Upon A Time In Security
Stories We Tell Our Security Selves, And A Call For Change
I believe that to be a successful cybersecurity leader you need to be a good storyteller. My belief in this principle stems from years of trying to convince stakeholders to invest in security programs, to foster engagement in security problems, and to stop stakeholders from being the cause of security issues. I still believe this to be true, but lately I have also been noticing a new reason for storytelling in security: to help security leaders stay sane.
It’s no secret that the volume, complexity and impact of security events are growing exponentially. For any security leader, keeping up with these events is an impossible task, let alone predicting and avoiding them. Simultaneously, organizational leaders have woken up to the threat of cyber risk, realizing they let this problem get way out of hand long ago, and are now looking for salvation from an overworked and under-resourced security team.
The stories we are currently telling are not working. Case in point, check these out:
Story #1: You Cannot Secure Things You Can’t See
This is an oldie but a goodie. For as long as I’ve been in security we have told ourselves that we can’t be held responsible for securing something if we don’t know about it. We have relied on our CMDBs and network monitoring systems to let us know when something new pops into our environment, and only THEN will we take ownership of the security effort needed to harden and protect that asset.
We tell our security selves that this is a completely reasonable approach, that we cannot be held responsible for something we don’t know about. We recognize that we can’t be everywhere, and if someone in the business wants to bring something new to the office and plug it in, or roll out a new service, or work with a new vendor, or buy a new piece of software, then who are we to be on the hook for such a thing? We talk about “risk ownership” and “asset ownership” and “shared risk models”, and hope and pray that everyone around us believes this too.
As much as I would like to believe this story, it’s not true. Just look at Log4j, or SolarWinds, or any of the myriad cyber events of the last few years. These things started outside our organizations and came into our environments via agreements and software the security teams had little to no control over. We certainly couldn’t see the IT elements involved in the threats. These elements were introduced into environments without change management controls, adequate record keeping, or effective governance and oversight. And yet, when the flag went up, it was left to the security teams and IT partners to respond and fix the problems.
It doesn’t matter whether security leaders can see or manage things — if the company has anything to do with those things for any reason, the security team will be on the hook to address the cyber risks associated with it.
Story #2: There Is A Shortage of Talent in the Security Profession
When it’s hard to get things done, when our teams are burning out due to overwork, as our leadership wants more from us, this story pops up. A lot.
It’s not a story we want to tell, not at all. We’d love to have people throwing themselves at our recruiters, begging us for any job we can give them, at any price we want to give them. We would love to find people with many years of experience in the functional areas we need, and not have to spend time finding, developing and retaining that talent. Telling this story helps us explain why Bad Things Happen, why projects take longer and cost more than expected, why we can’t guarantee a secure outcome for our organizations, no matter how hard we try, or how much money we ask for.
The hard truth is that our workforce shortage isn’t a supply-side problem. There are plenty of talented people wanting the opportunity to work in security. It’s a demand problem. Instead of hiring for potential, we are demanding that people have years of experience working in security when they can’t get a foot in the door. Instead of setting expectations with our stakeholders, we are demanding that security professionals work long hours, undercompensated and undervalued. Instead of changing compensation structures and working conditions, we are demanding that security professionals conform to hiring and retention practices that don’t align to the realities of the security job.
Security leaders know that the talent shortage is a fairy tale — but they have no other option but to continue spinning this yarn as the rest of the organization (and regulators) struggles to understand the true value of the security function, and keeps expecting the security function to be everywhere doing everything.
Story #3: Following a Risk-Based Approach to Security is the Right Thing To Do
We tell ourselves that in order to appropriately manage limited resources we should risk rank all our “stuff”, and only apply the most critical controls (where control = $$$) to the most critical assets. I don’t disagree with the story, but it’s not reflected in reality.
If security was a financial ledger, this would make complete sense. But security isn’t a financial ledger. We take this approach, but as soon as a breach occurs in an unprotected, low-risk part of our world (then transfers from there to something more important), we are immediately responding to the event. No one ever says “let it burn”. Just as a salesperson will never leave money on the table, no security person will ever not respond to something just because it’s “low risk”.
In reality, there is no such thing as “low risk”, or a place where security people are comfortable “accepting risk” — which means our boundaries get blown out into all aspects of the business, whether we can afford to be there or not.
The stories we are telling ourselves and others are no longer working. What, then, are the alternatives?
Alt Story #1: There are limits to what we will do
Note that I’m not saying there are limits to what we CAN do… I don’t believe that for a second. However, as leaders, we need to draw our boundaries brightly. We will not do everything we want to do, with the resources we have been given — and we need to stop pretending otherwise.
Make sure we have the resources to do the things we agree to do. No half-measures, single points of failure, duct tape and chewing gum. Be clear. If the company (and regulations) require a function like MFA, vulnerability management, incident response, or something else, make sure you have enough resources to do that. Don’t take on ANYTHING else until you are doing those things REALLY WELL. Hold the line on this, because as soon as you let it slip, everything that follows will be done by the seat of your pants (and at the expense of the mental and physical health of your teams). If someone wants something additional, make sure they’re prepared to pay for it.
Alt Story #2: Security is a special profession, and we will treat it that way
The security profession is HOT because people want to work in it. If we keep treating our security employees like everyone else it will be hot like a dumpster fire. Salaries and benefits and working conditions need to change to meet the needs of security professionals, rather than holding security people to requirements of others.
I don’t care what other job roles in an organization do, for security hiring I will advocate for higher salaries; lower certification/degree requirements; enablement of not only operational time but research/learning/development as a requirement of the job; and the ability to collaborate across industries and with competitors in order to improve our security posture. If other professions need similar things then great, let them ask for it. In the meantime, my colleagues need to be provided with the conditions to do their job properly.
Alt Story #3: Unless Security is at the table when decisions are being made, they will not take the fall when the security risks come to pass
Any number of people may have “Chief” in their Information Security Officer title, but if they are reporting 3 layers down from the inner circle of the CEO, they are not an executive (See Andy Ellis’ article on the topic). It’s time for the security organization to come out from the bowels of the CIO/CFO/CLO organization and into the organizational leadership sunshine. It is not the role of the CISO to make this happen, either. This needs to be a top down, board-mandated action. Every company assumes cyber risk the minute they open their doors for business, and that risk can stop a company in its tracks. Why wouldn’t you put the CISO on the leadership team?
If an organization isn’t willing to elevate security leadership to the topmost ranks, then it needs to assume the liability of that decision. Security leaders should expect golden parachutes, be part of the director liability insurance programs of the company, and have direct reporting lines to the board, independent of any management reporting lines.
The security profession, and security leadership in general, have long been seen as a second-tier administrative function in an organization. Security professionals have long perpetuated that myth.
It’s time for the industry to stand up for itself, to base its work in the foundational principle that security is a first-tier function, and to demand appropriate treatment and respect from partners and stakeholders.
We need to stop telling stories that apologize and compensate for lack of respect, lack of resources, and lack of knowledge on the part of our non-security colleagues. Instead, our stories should reflect that the security function protects the value of the organization, and demand first-rate access to decision makers and resources.