Famed security adviser Steve Hunt explains, “Why I Hate Security.”
These criticisms of cybersecurity and risk management are nothing new. You’ve heard them all before, or muttered them under your breath. If you are a business executive, you’ve shaken your head when you’ve seen it. And if you are a security professional, you’re guilty of more than one.
- “I hate security.”
- Much of what passes as security is no more than window dressing, or, as Bruce Schneier has called it, Security Theater, with its posturing, phony controls and security guard bravado.
- Not a week goes by that a CIO or other executive hears a pitch from a security vendor, whose eyes are bugged out as their words ooze fear, uncertainty and doubt.
- Security directors, including some of the most esteemed CISOs, can be seen from time to time running the halls, arms flailing overhead, screeching “The sky is falling! The sky is falling!”
- Risk management experts talk for hours about the “fuzzy logic” of measuring impact and likelihood, using game theory, and generally talking until the audience goes numb.
- And when the big one happens, when the big data breach hits, as it inevitably does, security pros and business executives alike point fingers at budgets, and internal politics, and vendor missteps for blame.
So I am here to give you the straight dope. To address all of these complaints once and for all. To put the discussion to rest so we can all move on.
Security is all those things.
Security IS often mere theatrics.
Vendors DO commonly sell FUD in place of value.
Risk management experts DO often employ pseudo science “to definitively calculate” intangible and unknown risks.
CISOs DO sound like Chicken Little when they predict the things we simply aren’t prepared for and need more budget for.
And security pros DO like to find a scapegoat.
All of these things are true, and security deserves its criticism.
I personally, however, look at it differently. Security is something special to me. For example, when I see a CISO work his or her way out of a messy data breach by responding quickly, limiting impact, and recovering smoothly–it gives me a very satisfied feeling.
Moreover, when I think of my own career as a security professional, I think of the truly costly and damaging attacks that we’ve avoided by working hard to improve continuously.
In the early 1990s I worked at a financial institution in Chicago. We got hacked–before we even had the word “hacked.” The bulletin board server was fine yesterday, but today it isn’t, and the audit log is gone. As we scratched our heads an ol’ timer leaned over us and said, “Looks like you got a security problem with your computer.”
I was stunned. I had never considered security and computers in the same thought before. My father was a locksmith, and I had worked my way through college and grad school at the University of Chicago with my own locksmith company and building PC clones on the side. So when I heard those words, a light bulb went on. I thought to myself, I know security, and I know computers. Right then I began retooling for a career in computer and network security. Right place. Right time.
So security gave me an entree into the world of the fledgling Internet, and into the world of creating value for the business in ways I never could have imagined before that fateful day seated cross-legged on the floor, under a desk, staring blankly at the back of a bulletin board server.
Security also did much more than that. It solved real problems. From the script-kiddies of the ’90s to the state sponsored hacking of the 2000s, security gave hundreds of professionals an opportunity to fight in very foreign territory–guerrilla IT warfare. We created a new way of operating the Internet, and we opened doors permitting businesses to create value and revenue in new ways. For example, the security community put its collective head together limiting loss sufficiently to make online commerce (once called e-commerce) a reality.
Converged approaches to physical and cyber security for the decade beginning 2001 created an amazing new world of inter-networked security cameras, intrusion detection, gates, fences, locks, employee ID badges, laptops, personal devices, and home automation controls. Everything was suddenly networkable because the basic questions of authentication and authorization (who are you? and, what are you supposed to do?) were answered by security professionals.
Today, we are coming up with clever ways to extend the work we did previously and apply it to the Internet of Things. Soon, we will see alternatives to keys and locks being used widely in the secure networking of any and every common device at home or sensor on a locomotive. Homes will operate more efficiently and businesses will make countless billions in new revenue because of IoT. This is possible because the security industry truly is doing its best.
Does security have its foibles? Is it security theater laced with FUD, bad logic and blame? Yes. But does it create value that outweighs its sometime silliness? Yes it certainly does. For me personally, it has provided me many benefits and opportunities, making me a better philosopher of technology, a better technologist in general, a better citizen of the world, a better provider for my family.
So the next time you sit through another ridiculous vendor pitch about all the bad things that will happen if you don’t buy their product, use your phone to securely transfer funds at your bank, or buy a gift for your kid on Amazon, or plan the next product launch with confidence that the security pros have your back.
Security managers try their best. They deploy firewalls and intrusion detection systems like they are supposed to, along with antivirus, web content filtering, encryption and policies. Yet when it comes to managing new threats or keeping ahead of the latest new vulnerabilities, security managers are stuck. They cannot adapt quickly enough. They cannot digest the amount of information their security controls are already producing. And they cannot well-enough sell the idea of more spending to senior management.
To the security manager, risk management is a matter of a few things: policies for influencing behavior, technologies for controlling behavior, and people to keep it all working. However, to the CEO–and the rest of the business–security needs one more important component: tireless diligence; eyes on glass 24/7, just like the CEO’s home alarm system that is constantly monitored.
Two opposing forces make the problem difficult. There are too few skilled security professionals to hire; and advanced threats and critical risks are growing each day. Companies need expertise and technology, but only the most well-heeled can afford to manage all the threats internally. Hiring experts then, either for short term triage, or for longer term oversight and monitoring, is one technique companies have been using for years to overcome the time and talent shortfall.
Outsourcing to the experts
While many IT security functions consist of operational and business-as-usual activities, today’s world–full of sophisticated targeted attacks–requires specialized expertise to counter.
Vulnerability and patch management, antivirus updates, and changing rules in firewalls are mature technological procedures already baked in to most security programs. Over the last few decades, most (but certainly not all) organizations have built teams that are experienced in the day-to-day activity required to reduce attack surfaces.
Unfortunately, these tasks cannot be scheduled to fit into a regular work week. Countering advanced targeted attacks is much more like fending off attackers climbing fences than regularly scheduled fence repair. The skill sets of the security experts needed to ward off attackers is harder to obtain, and those with the skills are harder to retain.
While even the smallest organization may train people for operational security tasks, the top security experts get their experience at the most highly threatened and most targeted organizations: large financial institutions, telecom providers, defense contractors, government agencies, and managed security service providers, also known as MSSPs.
The solution is most likely some combination of internal and external support—an internal security team complemented by outside experts, consultants and managed service providers.
For business to thrive in the midst of risks, the IT and corporate security teams need to have tools at their disposal for proactive defense and rapid response. Outsourcing is one simple and cost effective way of increasing an internal team’s capabilities.
Helplessly standing by, I watched as the new CIO dismantled a carefully crafted NIST-compliant security program. Why would he do such a thing? Unplugging the intrusion detection? Tossing out the threat and vulnerability monitoring? Cancelling the risk management meetings and burying the recent risk assessment? He is nailing the coffin shut not only on the security program, but the company, too. How will it ever comply with customer requirements again? How will it pass the next audit?
I wasn’t dreaming. This was happening before my eyes.
Years earlier I had learned a lesson that I must have forgotten. The lesson, a hazy memory, was that I should always strive to see things from another person’s point of view. Doing that, I vaguely recalled, would change my own perspective and give me understanding–creating peace in place of conflict.
What was this executive’s point of view that, as the security consultant, escaped my understanding?
Over the years I had given conference presentations frequently promoting ideas such as “The customer is always right, even when he’s wrong,” and “There is a natural conflict of interest between IT and Security, since IT wants throughput and uptime, while security wants to inhibit and restrict.”
These made for good soundbites, but later, as a consultant, I actually had to guide my clients through the politics and economics of IT and Security.
In real life, the customer really is always right. By that I mean security is not absolute. It is always relative to the risk tolerance of the customer. If the CIO wants to unplug the intrusion detection and throw away the risk register, that’s because he has higher priorities. Simple as that.
I used to think my job was to point out the folly of such things. Now I know better.
Now, when the CIO starts whirling around and wreaking havoc like the Tasmanian devil cartoon character, I pour a cup of green tea and wait. What’s actually happening when security comes undone is that the company is seeking equilibrium. By gut feel, the executives, such as the CIO and CFO, look for ways to balance costs and risks with value and goals. It is natural economics that manifests itself in sometimes fervent bursts of change.
“You’re always so calm,” said one young security analyst after a highly charged and change-filled meeting recently. “You’re like the security Buddha.” He explained that he was referring to my zen-like approach to intermediating between the CISO and the CIO. I chuckled and thought how much I wished the other executives would simply leave security to the professionals and mind their own business. But the words that came out of my mouth surprised even me.
Fight is not what the CIO needs. He needs security to work with him, not against, and for the security team to understand that it’s all part of a natural process, an ebb and flow of risk tolerance and intolerance. The pendulum will swing the other way one day soon and the IDS will be turned back on and a new risk assessment will be written.
That ebb and flow costs some shareholders their value, and some CISOs their jobs, but it is inevitable.
What I saw years ago as meddling, I now see as the natural order of things. Let the meddling come, and pour a cup of tea.
Artist and philosopher Mitsuo Kakutani told me something that changed my life and business forever–though it only soaked in thirty years later. He said that in our twenties we kick up our heels; in our thirties we plant roots; in our forties we discover who we are; and in our fifties we find wisdom.
As a very young man, kicking my heels fiercely, I barely comprehended his words. Now, three decades later, wisdom visits me on occasion.
He taught philosophy while teaching pottery. Digging the clay, building the wood-fired kiln, creating an artful utensil–every task offered a life lesson.
Being a philosopher of technology still gives me opportunities to find life lessons in common tasks. My area of expertise is security–arguably the most theoretical and philosophical area of technology today. Passwords, encryption and firewalls beg the deeper questions, “Who are we?” and “What is expected of us?”
However, a moment of wisdom struck me some months ago that impacted my business and life tremendously. My wife saw me serving my clients with phone calls and emails in my home office. She remarked plainly, “You can work from anywhere, can’t you?” “Yes,” I replied. “My clients are all around the world and I can reach them anytime using technology and an occasional face-to-face visit.”
Unaffected, and in a tone of voice that immediately told me I was walking into something, she simply repeated, “You can work from anywhere.”
“Yes…?” I repeated, drawing the word out tentatively.
“Let’s move!” she blurted.
In a flash I recognized that I had lacked something I greatly desired. Only with her prompting did it dawn on me that while I frequently traveled internationally for work, I was not fulfilling my life-long dream of “living” and working internationally.
Now we live and work in Chicago, North Carolina, Buenos Aires and Manila…and everywhere else the Star Alliance flies us and Airbnb houses us.
Through my 30s I focused on building a family and career. In my 40s I focused on what I called “work/life balance.” Today however, work and life and travel and family no longer are separate boxes that need to be balanced. There are no divisions between them at all any more. They are all one thing–and it took me a lifetime of planting and self discovery to learn it.
It was Rhonda MacLean, the former global chief information security officer at Bank of America, who first told me the now famous aphorism of security.
“Why do we have brakes on a car?” she asked.
“To stop?” I tentatively offered, suspecting I was walking into a trap.
“To stop?!” she exclaimed, confirming my suspicion. “If our intention were to stop, we simply wouldn’t go in the first place.”
“No,” she continued, “we have brakes on a car so we can drive fast.”
I was stunned. The heavens opened. Trumpets sounded. Suddenly everything made sense.
Security is the brakes on the car. It is also the seatbelts and mirrors and other safety equipment. However, my epiphany that day was that none of these devices is in place in order to give me caution, nor to avoid risks, nor to slow me down. Just the opposite. Security exists to allow me to drive fast, even recklessly, zigging and zagging through the racecourse with confidence that my vehicle will perform any way I need it to.
Security exists not to avoid risks, but to thrive in the midst of risks.
I tell the epiphany often. I told it just last week to officers in the ministry of defense in Oman. I told it previously to oil & gas executives in Rio, and even during a Formula One race in Italy. Around the world, this message rings loud and true.
One person responded in broken English, “You just put the medicine on the cut.”
That reaction is common because most people have viscerally negative feelings about security. An annoying layer of cost and inconvenience, they’ll say. You yourself, dear reader, have probably been guilty of talking about avoiding risks and getting that blank look from business leaders, haven’t you? The enlightened security professional and the enlightened business executive both realize that actually security is the thing that allows business to grow and to be agile and to–get this–take risks.
Those Buddhas of business therefore do a surprising thing. They purge the word security from their vocabulary. They talk once again about growing the business, out-maneuvering the competition, and racing ahead. In order to win a race, they correctly surmise, they need to put the systems and measures in place to nimbly zoom through traffic.
Every business manager should have the quiet confidence of a Formula One driver, knowing that this awesome screaming machine can do absolutely anything asked of it. Risks, then, become opportunities. Risks become assets. Risks let us thrive and win.
“My internal marketing department is looking to issue a communication around Twitter account security (with a business focus).”
Use of Twitter is growing, not only between individuals connecting with their “tweeps,” but also for businesses connecting with their customers, or politicians with their constituents. Twitter has become a forum for sharing all manner of expression on all subjects.
That’s why businesses need to take special care in their security training regarding Twitter and other types of social media.
Twitter and LinkedIn are fertile sources of information for hackers preparing social engineering attacks. By gathering benign information about a company and “name dropping” in a DM (direct message) conversation, attackers may build a level of trust with insiders and thereby gain secrets.
Employees post seemingly innocuous information on Twitter that an adversary can easily gather and assemble. For example, photos of office space and co-workers, descriptions of work (My d-bag boss makes me fill in his TPS report every Friday #ihateexcel), and names of customers or clients all reveal enough information for an attacker to recruit unwitting accomplices.
I’ve used that technique in my operational penetration testing. I will call an employee claiming to be a new guy from a different office, and that my boss is yelling at me to give him a weekly TPS report, and that I’m having trouble with the macros, “could you please forward me one of yours so I could copy the formulas….”
I recommend a business have a policy that is well-“socialized” around the office with the following components.
- Encourage employees to limit posts to personal interests, not their work, office, or co-workers.
- Never share information with strangers, even longtime “connections” on LinkedIn or longtime “tweeps.” Instead, refer them to your corporate webpage, or say you will have someone get back to them.
- Always ask for a callback number or email address from anyone requesting information by phone, LinkedIn or Twitter, and forward the request to security or to marketing.
- Twitter profiles should not indicate place of employment.
- LinkedIn profiles can be more complete, but only connect with people you actually know or who are personally introduced to you. (Social engineers create fake, legitimate-sounding profiles on LinkedIn and connect to hundreds of people in a particular industry to appear legitimate.) Just because a person is connected to (or follows) many of the same people as you does not mean that they are legit.
Twitter and LinkedIn are great tools for business, which, if used properly by well-informed employees, won’t be a gateway for hackers.
In the aftermath of the killing in Ferguson, MO, three police officers – none of whom are from the Ferguson police department – were suspended after blatantly racist and extremist comments and unacceptable behavior. A Rock Island, IL sheriff recently pled guilty to cyberstalking and resigned.
Do you think that, given an opportunity, these local law enforcement officers and others of their ilk would use information gleaned from your cell phone in a responsible manner? Would they respect information privacy?
Local law enforcement does have the opportunity. In September, news broke that owners of encrypted cell phones had identified 19 fake cell phone towers in various parts of the United States; it wasn’t long before the towers were connected to the NSA, as well as local, regional and state law enforcement.
This enables something as simple as tracking a user’s location or as potentially sinister as so-called “Man in the Middle” attacks where calls and texts can be heard or read before being forwarded on to a legitimate cell tower and the intended recipient. Is this a violation of physical security or cybersecurity? Or both?
Do you trust your local law enforcement to protect your information privacy? How many police officers or sheriff’s deputies are trained to understand these limits? In Florida a local police department used cell phone location information to conduct a search without a warrant. What else can and will they do? What have they done?
And what does this do to our expectations of information privacy?