Security: Putting It In Context
We Are All The Exception To The Rule
Recently, I attended a closed door meeting where a bunch of really smart and experienced security leaders talked about security stuff. As we delved into security trends and issues, the only common thread was that all the leaders had different ideas: what was important, what was urgent, how to address a problem, what they wanted from their vendors. It made me think about how our industry works (or doesn’t), how we can better work together to solve common problems, and what stops us from doing that.
We security people like to judge other security people. A lot. No one group does Monday morning quarter-backing like the security industry, and we have a lot to respond to. When ever a security event occurs, the court of public opinion goes into full swing:
- “Well of course it happened, look at your qualifications”
- “Why didn’t you fix that old vulnerability?”
- “How could you let that password exist?”
- “You did WHAT?”
Our regulators and standards-setters don’t help either. Witness the regulators who are increasingly pushing for zero-exception regulations (no POAMS here!), forcing entire industries to conform to their view of the “right” controls. Consider the standards that assume capabilities and skills of organizations as “base level”, without ever having tried to execute their standards in a real world scenario.
Security vendors contribute to the problem, assuming customer capabilities and needs without truly understanding the customer environment. “Industry standards” are documented without regard to the variety of organizations that make up an industry. What is “standard”, anyway? A small Doctor’s office or a multi-hospital conglomerate? A non-profit energy consortium or a multi-national energy producer? A small elementary school or a premium research university? A start-up or a century-old household name?
Now, the SEC and other government agencies are pushing board members to apply focused security governance, and those poor Directors are trying to work out what “acceptable risk” looks like, when there are no standards to follow. They want apples-to-apples comparisons, benchmarks, models and risk equations. Instead, they’re getting apples-to-marsupials stories and anecdotes, and everyone is getting frustrated.
If you’re looking for hard and fast rules, boundaries and certainty, don’t do Information Security — Helen Patton
There is something that we all tend to forget. That is, managing security for an organization is about managing risk, and risk is contextual to the time, place, industry, culture, politics, maturity level, personalities, laws, technologies, and processes in which the organization exists. This means that everything we do, every decision we make (or don’t), every tool we use, every person we hire, is done is the context of our organization, and no two organizations are the same.
What is the implication of this in practice?
For security professionals, it means treating other security professionals with kindness and grace. When an event occurs, instead of piling on with criticism, ask “how can I help you?”. It means creating security programs that you are comfortable defending, not because it compares favorably to peer organizations, but because it’s the right thing for your company to do.
For regulators, it means creating frameworks and regulations that allow for different grades of maturity, and different resource commitments, and giving organizations time to comply to requirements from the point of awareness, not just from the point the document was published onto a website.
For vendors, it means spending as much time as possible with customers to understand their context, before making suggestions on products and services that should be considered. It means being expansive with your definition of “customer personas”, and “industry segments” recognizing that organizations, like human bodies, come in all different shapes and sizes, even if they weigh the same amount.
For board members, and other organizational leaders, it means taking the time to understand the systemic risk of the business you are in, and what the internal levers are to make improvements in a risk profile. It means listening to external assessors without prioritizing external opinion over internal knowledge. It means paying less attention to contrived benchmarks and more attention to your own team’s expertise.
And for the community at large, it means finding areas of common problems that can be worked on together, and finding a range of solutions (not just THE solution) that can be applied to the problem based on the unique nature and constraints of the business.
There is no “one size fits all”. There isn’t even “one size”. So why do we insist on judging people to a standard that is imperfect for everyone? Stop that.