Impending Doom and IT Security's Downward Spiral

Monday, June 06, 2011

Rafal Los


The Information Security industry is a strange beast.

I posted this article over on the Enterprise CIO Forum, where I semi-regularly post for the readership of IT Managers and CIO-level folks. I'd be interested in your feedback either here or there.

This interesting escalation of animosity and bitterness in blog posts I'm reading and seeing on Twitter from notable Infosec circles has me thinking about just what that catalyst for all this negativity is.

Having been in the security industry for almost a decade and a half, my thought process quickly gravitates to the very serious breaches which are piling up like our national debt around us - and what this is doing to our fragile psyche as a community.

If you've been in Information Security for any meaningful period of time you can surely side with the frustration and disappointment many of the long-time residents of Infosec-ville are feeling as massive breach after breach piles on in the news.  

The result of all of this is a downward spiral.  What I'm saying is that the negative events in the news are only going to cause things to get worse unless something drastic happens. Allow me to explain.

The Downward Spiral

Over the past ~13 years I and many peers I know have worked tirelessly to better the security condition of the digital assets of ourselves, our employers, and those connected to us.  In those years, very few things have actually gotten much better.  

Vendors have come and gone, projects were born and launched, consultants have come and gone... and in the end we're still unsure where we stand in terms of a true security posture.  I am not going to try and tell you that the infrastructure you've put in place hasn't added a level of protection to your organization - only that as you raise the bar, the bad guys continue to find ways over it.

The problem with all of this, as in the Cold War arms race, is that no one really wins... except those selling the bombs.  The other problem is that you can't win an arms race... in fact you're more prone to losing by running out of money, or other valuable resources.  This is primarily why the Cold War ended... neither side wanted to keep spending money and our opposition basically went broke.  

Let me bring this back to your current condition as a security manager.  You're going broke.  You know it, I know it, and the bad guys know it. Not many IT budgets are growing, as the global economy continues to slug along... and in fact many budgets are drying up especially on the poorly understood 'security' aspects. Information Security, whether we admit it to ourselves or not, is like buying life insurance.

Organizations large and small are too busy trying to make a profit to buy any when times are good, and when things go sideways it's too late.  There still aren't enough good evangelists (no matter what you think of that title) both in the industry and inside organizations to really make sense of what business value Information Security brings... and that's a shame because the less we can explain our value to the organization, the less we get in terms of investment - this leads to the condition we're in now where things are just flat out dreadful.  Don't believe me?  Ask Sony's customers and shareholders.

So here's how this downward spiral goes:

  • Organizations don't see 'security' as adding business value, therefore
  • Little effort is spent hiring the 'right people' into the roles that are most critical, therefore
  • A poor case is made to improve organization security as a function of risk management, therefore
  • A catastrophic breach or security event takes place, therefore
  • An incredible amount of time/effort/money is spent on triage of these security incidents, therefore
  • The business asks "Why didn't our security team prevent this?", therefore
  • IT Security has a diminished value to the business...
  • now return to the top and start again

The Way Out of the Spiral

This depressing view may prompt one to ask - how do we get out of this downward spiral?  If that's your thinking then I have good news for you.  There is a way out and it's not going to require a ten-fold increase in spending on IT Security.  

This effort requires the cooperative efforts of your Security technology vendors, your organizational leadership -and you as the security manager.  Let me take you through what my way out of this looks like.

First, I think we need to shift the way we see Information Security.  Right now security is a tool we use to solve specific problems we perceive are real.  Notice I said perceive... more on that later.  

I've spoken with more than a dozen CISO-level managers who are annoyed with the fact that they have 100+ security vendors who each do a tiny component of what is considered corporate IT security... but fail to work together intelligently and produce any sort of meaningful risk reduction.  

Think of your antivirus solution today... how does that work with the rest of your solution set? The solution is for vendors to step up to the plate and offer you the security manager an actual solution to the issue of increased risk.  Point products are so 1998... If you're not getting risk intelligence from your Information Security technology it's time to start looking at your vendors.

Next I think it's legitimately time to start thinking differently about what we do in security.  We're not defenders of the great castle walls anymore - or maybe we never were?  It's time to sit down with your business, and ask how IT Security can truly align with business goals and protect corporate assets.  This isn't new - I agree - but it's not being done well.

Too many times the answer to "what does your organization do?" is "We're a bank"... but that's what you are, not what you do.  Security is still poorly aligned to organizational goals, and Infosec practitioners are still too technology focused to see the value they need to bring to the business.  

I think we need to train our IT Security people twice.  First train them to be a business analyst and understand the corporate mindset, strategy and delivery model, and only then can we train them to be good security people.  Learning technology is easy... applying it to the business is hard.

A Brighter Future

Or perhaps you'd settle for a less grim future... either way there is a way out of this.  We just need to start pulling up before we've passed that point where it doesn't matter anymore.  IT Security is not fundamentally broken, and protecting your corporate assets is completely possible.  Start thinking of how you're going to do that, not what new technology you're going to buy.  

Better yet - look at your current technology and ask yourself what you can consolidate, or throw out in favor of something that will actually move the needle and raise the bar to a level where you're not caught in an arms race with the hackers.  

Threat Intelligence is something I've been speaking about, and heard many of you talking about as well... but this isn't your 2002 threat intelligence.  We haven't done this before, at least not well.  

Threat Intelligence isn't just a SIEM/SIM gathering information, throwing up alerts and saving petabytes of logs somewhere which no one has the time to look at.  Threat Intelligence gives you true insight into your organization's weaknesses, allowing you to focus on what's important and protecting that.

As you close out the first half of 2011 and sit and worry about how not to become the next big data breach story... ask yourself if you've equipped yourself and your organization for success... or more fire drills and compliance madness.  Now go and do something about it.

*   *   *

I've given this blog a Twitter hash tag for the continued conversation... as we've had over 300+ tweets discussing the post and its ramifications.

At the core of the issue is this - how does "security" better participate in "the business"?

If you're interested in following our conversation, first read the above mentioned post including the comments (which I would argue hold just as much if not more value!) - then join us on Twitter with the hash tag "#SecBiz" (you can search through previous conversations by searching the hash tag)... and join us.

There is still much to be discussed!  Thank you to those that have participated thus far... I think this hashtag will live on, for the sake of this conversation and going forward.

Also... Martin McKeay has graciously offered to host a debate on a topic related to this on his podcast!  Stay tuned for a link to that... crazy how things spin out of control and take on a life of their own once you hit a nerve people care about right?

Join us, contribute, and thank you.

Cross-posted from Following the White Rabbit

Comment from Brett Scott: Amen Brother! Some are already doing this stuff. However, not everybody can be James Bond. Not everyone can be trained to be the star quarterback. Therefore, technologies that allow security organisations to concentrate intelligence and talent and make the data useful to many thousands of "points of presence" using automation is our brighter future.