Security managers try their best. They deploy firewalls and intrusion detection systems like they are supposed to, along with antivirus, web content filtering, encryption and policies. Yet when it comes to managing new threats or keeping ahead of the latest new vulnerabilities, security managers are stuck. They cannot adapt quickly enough. They cannot digest the amount of information their security controls are already producing. And they cannot well-enough sell the idea of more spending to senior management.
To the security manager, risk management is a matter of a few things: policies for influencing behavior, technologies for controlling behavior, and people to keep it all working. However, to the CEO–and the rest of the business–security needs one more important component: tireless diligence; eyes on glass 24/7, just like the CEO’s home alarm system that is constantly monitored.
Two opposing forces make the problem difficult. There are too few skilled security professionals to hire; and advanced threats and critical risks are growing each day. Companies need expertise and technology, but only the most well-heeled can afford to manage all the threats internally. Hiring experts then, either for short term triage, or for longer term oversight and monitoring, is one technique companies have been using for years to overcome the time and talent shortfall.
Outsourcing to the experts
While many IT security functions consist of operational and business-as-usual activities, today’s world–full of sophisticated targeted attacks–requires specialized expertise to counter.
Vulnerability and patch management, antivirus updates, and changing rules in firewalls are mature technological procedures already baked in to most security programs. Over the last few decades, most (but certainly not all) organizations have built teams that are experienced in the day-to-day activity required to reduce attack surfaces.
Unfortunately, these tasks cannot be scheduled to fit into a regular work week. Countering advanced targeted attacks is much more like fending off attackers climbing fences than regularly scheduled fence repair. The skill sets of the security experts needed to ward off attackers is harder to obtain, and those with the skills are harder to retain.
While even the smallest organization may train people for operational security tasks, the top security experts get their experience at the most highly threatened and most targeted organizations: large financial institutions, telecom providers, defense contractors, government agencies, and managed security service providers, also known as MSSPs.
The solution is most likely some combination of internal and external support—an internal security team complemented by outside experts, consultants and managed service providers.
For business to thrive in the midst of risks, the IT and corporate security teams need to have tools at their disposal for proactive defense and rapid response. Outsourcing is one simple and cost effective way of increasing an internal team’s capabilities.
Helplessly standing by, I watched as the new CIO dismantled a carefully crafted NIST-compliant security program. Why would he do such a thing? Unplugging the intrusion detection? Tossing out the threat and vulnerability monitoring? Cancelling the risk management meetings and burying the recent risk assessment? He is nailing the coffin shut not only on the security program, but the company, too. How will it ever comply with customer requirements again? How will it pass the next audit?
I wasn’t dreaming. This was happening before my eyes.
Years earlier I had learned a lesson that I must have forgotten. The lesson, a hazy memory, was that I should always strive to see things from another person’s point of view. Doing that, I vaguely recalled, would change my own perspective and give me understanding–creating peace in place of conflict.
What was this executive’s point of view that, as the security consultant, escaped my understanding?
Over the years I had given conference presentations frequently promoting ideas such as “The customer is always right, even when he’s wrong,” and “There is a natural conflict of interest between IT and Security, since IT wants throughput and uptime, while security wants to inhibit and restrict.”
These made for good soundbites, but later, as a consultant, I actually had to guide my clients through the politics and economics of IT and Security.
In real life, the customer really is always right. By that I mean security is not absolute. It is always relative to the risk tolerance of the customer. If the CIO wants to unplug the intrusion detection and throw away the risk register, that’s because he has higher priorities. Simple as that.
I used to think my job was to point out the folly of such things. Now I know better.
Now, when the CIO starts whirling around and wreaking havoc like the Tasmanian devil cartoon character, I pour a cup of green tea and wait. What’s actually happening when security comes undone is that the company is seeking equilibrium. By gut feel, the executives, such as the CIO and CFO, look for ways to balance costs and risks with value and goals. It is natural economics that manifests itself in sometimes fervent bursts of change.
“You’re always so calm,” said one young security analyst after a highly charged and change-filled meeting recently. “You’re like the security Buddha.” He explained that he was referring to my zen-like approach to intermediating between the CISO and the CIO. I chuckled and thought how much I wished the other executives would simply leave security to the professionals and mind their own business. But the words that came out of my mouth surprised even me.
Fight is not what the CIO needs. He needs security to work with him, not against, and for the security team to understand that it’s all part of a natural process, an ebb and flow of risk tolerance and intolerance. The pendulum will swing the other way one day soon and the IDS will be turned back on and a new risk assessment will be written.
That ebb and flow costs some shareholders their value, and some CISOs their jobs, but it is inevitable.
What I saw years ago as meddling, I now see as the natural order of things. Let the meddling come, and pour a cup of tea.
Artist and philosopher Mitsuo Kakutani told me something that changed my life and business forever–though it only soaked in thirty years later. He said that in our twenties we kick up our heels; in our thirties we plant roots; in our forties we discover who we are; and in our fifties we find wisdom.
As a very young man, kicking my heels fiercely, I barely comprehended his words. Now, three decades later, wisdom visits me on occasion.
He taught philosophy while teaching pottery. Digging the clay, building the wood-fired kiln, creating an artful utensil–every task offered a life lesson.
Being a philosopher of technology still gives me opportunities to find life lessons in common tasks. My area of expertise is security–arguably the most theoretical and philospophical area of technology today. Passwords, encryption and firewalls beg the deeper questions, “Who are we?” and “What is expected of us?”
However, a moment of wisdom struck me some months ago that impacted my business and life tremendously. My wife saw me serving my clients with phone calls and emails in my home office. She remarked plainly, “You can work from anywhere, can’t you?” “Yes,” I replied. “My clients are all around the world and I can reach them anytime using technology and an occasional face-to-face visit.”
Unaffected, and in a tone of voice that immediately told me I was walking into something, she simply repeated, “You can work from anywhere.”
“Yes…?,” I repeated, drawing the word out tentatively.
“Let’s move!” she blurted.
In a flash I recognized that I had lacked something I greatly desired. Only with her prompting did it dawn on me that while I frequently traveled internationally for work, I was not fulfilling my life-long dream of “living” and working internationally.
Now we live and work in Chicago, North Carolina, Buenos Aires and Manila…and everywhere else the Star Alliance flies us and Airbnb houses us.
Through my 30s I focused on building a family and career. In my 40s I focused on what I called “work/life balance.” Today however, work and life and travel and family no longer are separate boxes that need to be balanced. There are no divisions between them at all any more. They are all one thing–and it took me a lifetime of planting and self discovery to learn it.
Did you get that memo yet?
There comes a time in every business leader’s life when he or she receives a sternly worded memo from a large customer who requires that all “third-parties” adhere to security standards as rigorous as their own. Other times it is an external auditor or federal regulator who rings the bell. Sadly, sometimes it comes as a “reality check” after a major internal security breach.
However it comes, that day is met with consternation.
“Do I hire more IT staff?”
“Do I fire and replace the ones I have?”
“Do I call a big consulting firm?”
“Do I hire a lawyer?”
“Do I fall on the sword?”
Security is one of those nagging concerns every business leader wishes would “just go away.” Unfortunately, the only certain way to make security less of a concern, is to infuse it into every aspect of the business. Like quality control, security is an idea, a concept, which works best when woven into every key production environment.
Two opposing forces have to be addressed before the problem is solved and security really works.
There are too few skilled security professionals to hire;
And advanced threats and critical risks are growing each day.
Of course companies need expertise and technology, but only the most well-heeled can afford to manage all the threats internally. Hiring experts then, either for short term triage, or for longer term oversight and monitoring, is one technique companies have been using for years to overcome the time and talent shortfall.
As I discussed this with business leaders recently, the overwhelming feeling in the room was that someone needs to speak the language of compliance. Someone in the organization—or one of these outside experts–needs to translate the security efforts the company is making into language that will satisfy the auditor and big customer.
Some experts put the technology in place. Others handle the compliance communications. When a business has both, it can confidently reply to customers and auditors, “We have security built into our company culture and into our systems.”
It was Rhonda MacLean, the former global chief information security officer at Bank of America, who first told me the now famous aphorism of security.
“Why do we have brakes on a car?” she asked.
“To stop?” I tentatively offered, suspecting I was walking into a trap.
“To stop?!” she exclaimed, confirming my suspicion. “If our intention were to stop, we simply wouldn’t go in the first place.”
“No,” she continued, “we have brakes on a car so we can drive fast.”
I was stunned. The heavens opened. Trumpets sounded. Suddenly everything made sense.
Security is the brakes on the car. It is also the seatbelts and mirrors and other safety equipment. However, my epiphany that day was that none of these devices is in place in order to give me caution, nor to avoid risks, nor to slow me down. Just the opposite. Security exists to allow me to drive fast, even recklessly, zigging and zagging through the racecourse with confidence that my vehicle will perform any way I need it to.
Security exists not to avoid risks, but to thrive in the midst of risks.
I tell the epiphany often. I told it just last week to officers in the ministry of defense in Oman. I told it previously to oil & gas executives in Rio, and even during a Formula One race in Italy. Around the world, this message rings loud and true.
One person responded in broken English, “You just put the medicine on the cut.”
That reaction is common because most people have viscerally negative feelings about security. An annoying layer of cost and inconvenience, they’ll say. You yourself, dear reader, have probably been guilty of talking about avoiding risks and getting that blank look from business leaders, haven’t you? The enlightened security professional and the enlightened business executive both realize that actually security is the thing that allows business to grow and to be agile and to–get this–take risks.
Those Buddhas of business therefore do a surprising thing. They purge the word security from their vocabulary. They talk once again about growing the business, out-maneuvering the competition, and racing ahead. In order to win a race, they correctly surmise, they need to put the systems and measures in place to nimbly zoom through traffic.
Every business manager should have the quiet confidence of a Formula One driver, knowing that this awesome screaming machine can do absolutely anything asked of it. Risks, then, become opportunities. Risks become assets. Risks let us thrive and win.
“My internal marketing department is looking to issue a communication around Twitter account security (with a business focus).”
Use of Twitter is growing, not only between individuals connecting with their “tweeps,” but also for businesses connecting with their customers, or politicians with their constituents. Twitter has become a forum for sharing all manner of expression on all subjects.
That’s why businesses need to take special care in their security training regarding Twitter and other types of social media.
Twitter and LinkedIn are fertile sources of information for hackers preparing a social engineering attacks. By gathering benign information about a company and “name dropping” in a DM (direct message) conversation, attackers may build a level of trust with insiders and thereby gain secrets.
Employees post seemingly innocuous information on Twitter that may be gathered and assembled by an adversary easily. For example, photos of office space and co-workers, descriptions of work (My d-bag boss makes me fill in his TPS report every Friday #ihateexcel), and names of customers or clients, all reveal enough information for an attack to recruit unwitting accomplices.
I’ve used that technique in my operational penetration testing. I will call an employee claiming to be a new guy from a different office, and that my boss is yelling at me to give him a weekly TPS report, and that I’m having trouble with the macros, “could you please forward me one of yours so I could copy the formulas….”
I recommend a business have a policy that is well-“socialized” around the office with the following components.
- Encourage employees to limit posts to personal interests, and not related to their work, office, or co-workers
- Never to share information with strangers, even longtime “connections” on LinkedIn or longtime “tweeps.” Instead refer them to your corporate webpage, or say you will have someone get back to them.
- Always ask for a callback number or email address from anyone requesting information by phone, LinkedIn or Twitter, and forward the request security or to marketing.
- Twitter profiles should not indicate place of employment.
- LinkedIn profiles can be more complete, but only connect with people you actually know or who are personally introduced to you. (Social Engineers create fake, legitimate-sounding profiles on LinkedIn and connect to hundreds of people in a particular industry to appear legitimate.) Just because a person is connected to (or follows) many of the same people as you, does not mean that they are legit.
Twitter and LinkedIn are great tools for business, which, if used properly by well-informed employees, won’t be a gateway for hackers.
When legendary former Gartner analyst, Vic Wheatman, and I discussed our latest webinar, we tackled the issue of creating and measuring value.
After the webinar ended, my wheels kept turning as I considered some research I’d completed recently. For one thing, I learned that CEOs think security executives are excellent security managers — but downright rotten business-people.
Specifically, CEOs complain that security executives still have the mentality of “keeping bad things from happening” rather than the more business-minded approach of “adding value to the business.”
Here’s the trap. Solving a security problem under budget is not a matter of “finding the best deal.” It is a matter of solving the problem most cost-effectively. Click here for the recorded webinar. And read more HERE.