Lies We Tell Ourselves: 5 Misconceptions Infosec Needs to Change

Sunday, June 10, 2012

Rafal Los


In spite of the state of disarray in the Information Security world where budgets are growing, and CISO's are receiving a mandate from senior management - there is still an uneasy misunderstanding of what security is really about even amongst those who practice it.

"Secure" is achievable - I think by now this is one of those myths about security that is fading quickly.  I've seen way too many pitches (from vendors, from peers, even internally) that have said "If you (business) give us (security) X, we will make you secure".  That idea was mental at best, or as the post here is called, an outright lie to ourselves which we passed on to others.

The problem with this mindset is this - not only is this mythical state of secure not achievable, but it's also unsustainable, and financially unquantifiable as a finite spend.

The prevailing feeling over the last couple of years is that it is possible to reach a state of equilibrium where technical risks are equal to or less than the financial cost to put us in that state. The 'state' is on a continuum and every organization is comfortable with a different place on that continuum... and that's OK.

"Enforcement" is possible - Many CISOs, mostly due to the train wrecks that have taken over the IT news, have gotten power, through mandate.  I can probably count on one hand the number of CISOs I directly know who understand that a mandate doesn't necessarily mean you "win", or that anyone that you have dominion over will do anything more than the bare minimum while you're watching them, but ignore you once you walk away.  

Enforcement is not a way to secure an enterprise... I've been quoted as saying (in a security context) "You can bring a horse to water, you may even drown it in the pond, but if it doesn't want to drink, it won't"... which is true.  You can't force security onto a business staffed with people who have their own agendas, goals and objectives.  

Sure, you may care about 'security' but odds are developers, project/program managers, operations staff, and others simply do not.  Their goals are business-driven objectives including "keep the business operational", "deliver faster" and things like that... all things you may be hindering with your 'mandate'.

So while you can attract bees with honey, trying to force them to fly your way probably won't work.

"Control" is a reality - One of the major arguments I've personally heard about "public cloud" adoption is that it's insecure because the security group has no control over the actual security controls of the provider.  

My point is this - if you think you (the security team) have had any measure of control over your organization's decision-making capability related to security, you're delusional.  

In 3 out of 4 organizations that I've worked with in the last 4 years - and this may be biased based on the companies I've done business with - the security organization is dragged along by the rest of IT and the business kicking and screaming and trying to 'secure' the ever-increasing complexity that makes business run.  

Acquisitions, product purchases, projects and integrations - security rarely, if ever, has a decision-making capability (the ability to say "no, you cannot do this" when business gains, real or perceived, are on the line).

Forget trying to get or maintain control... you're not going to want it when you have it, if you get it.  What you want is governance... you want the ability to provide policy and direction but allow others to adhere to it as it fits their roles and business - with the ability to audit and govern change and technical risk.  Trust me on this.

"Security" is a business requirement - Does your CEO believe that security is a core business requirement?  If you're an organization that relies on extremely high levels of assurance and low risk - then maybe the answer is yes.  The other 99% of you, bad news... security is just a component of doing business.

Sometimes security doesn't even matter, not one tiny bit.  When your senior leadership, those "C-levels", see the news and hear of millions of dollars in losses and embarrassment to the organization attributed to hacking... odds are they think about it for a few minutes then go back to wondering how they're going to make their quarterly numbers appealing to your shareholders.

Security tends to be a concept that goes in one ear, rattles them a bit, and then quickly exits.  It's like people who don't wear seat belts who pass a vehicle wreck where the driver obviously wasn't wearing a seat belt and was killed... your mind says "wow, I should be wearing my seat belt, that's tragic!" but as soon as the accident is out of sight, it's back to out of mind and your conscience forgets.  

Security is a component of doing business, and often incident response (and all that goes with it) is part of the cost of doing business - but security is rarely, if ever, a "business requirement".  If you feel otherwise, let's talk, I want to hear the story.

"Security" must be a cost center - Another fantastic myth many of us have resigned ourselves to, and I know I did in a previous life where I worked, is that security is a cost center and nothing more.  This is so not true!  Security, or the "Office of business resiliency", has much to offer the organization in terms of benefits that can overcome that "all you do is cost us money" barrier.

Again, it's that thinking 'outside the box' (sorry, had to do it) that has some successful CISOs contributing to the business in terms of helping it achieve business goals faster, while others are still stuck in the "department of no" mode.  

Good security practices and principles can save your organization money in a real, measurable way, and it can contribute to making more money by getting to market faster, having more clients (that care about security, compliance, etc)... so stop thinking of security as just a cost center and start thinking of ways to help the business top or bottom lines.

Here's a thought - let's start thinking about enterprise resilience, which combines a whole boat-load of other things and drops in a healthy dose of security to make sure that your organization can detect, deter, and respond in a manner that suits the business profile you're in.

It's time the information security organization gets over its hang-ups, misconceptions, and pre-dispositions to outdated thinking and gets with the new agile enterprise.

Cross-posted from Following the White Rabbit
