Recently I was in a meeting with security executives and managers of a prospective customer. After discussing their initiatives and pain points, I explained how Lancope’s StealthWatch System may help address some of them. As I described how the StealthWatch System reveals ongoing security breaches in networks, the CISO became visibly anxious. When I inquired about the discomfort, I was told that his organization was not yet prepared to be confronted with how bad things really were.
Understanding the Problem
I was joined in that meeting by an experienced InfoSec colleague that had joined the Lancope team just a few weeks prior. The CISO’s comment so badly perplexed my teammate that he did a visible double-take. I could see his righteous indignation was quickly formulating a sermon on the sins of this line of thinking. I knew what he was about to say because I have heard myself say it all before.
I stopped him from saying these things by explaining that I understood the prospect’s concerns. I told the CISO that almost 1 in 4 of the organizations I meet with initially feel the same way. I began to probe about where the worry was rooted. The CISO was worried that they didn’t have the manpower or processes to handle fighting advanced cyber-attacks. They were worried that revealing the problems in the near term would damage the organization’s business initiatives. There was also concern that bringing in additional tools exposed the organization to new risk (in the wake of FireEye and Target).
I regularly hear this “head in the sand” InfoSec strategy. Normally it is much less blatant but nonetheless apparent. I have lost count of how many security teams I have met with over the last couple of years that are comfortable living in “plausible deniability.” They believe they cannot get in trouble if they are unaware of their problems. There is an unspoken agreement that “living in ignorant bliss” is preferable to the hard work of building a safer security practice.
It’s very easy to pass judgment on organizations that have their heads deep in the sand. The only healthy and sane way to address such a policy is to apply all force to fixing it quickly. While there is little doubt that laziness and incompetence play a role in keeping heads deeply buried, it is a gross over-simplification to leave it there. The changes that are necessary to improve security often require good people to lose their jobs. People may go to jail. Companies may be left permanently damaged. It is easy to make these decisions when these people are faceless. But when they are the people you see every day and your children go to school with their children, the pain of making sweeping changes seems like it can wait another month or two (or twenty).
Fixing the Problem
If not done right, ripping heads out of the sand can cause more damage than actual security breaches. It’s important to develop a plan that can safely nurse the organization from unhealthy to healthy.
When I had the responsibility of securing a DoD network, I had the gall to create what I entitled our “Monthly Failure Report.” I documented all the ways that my team failed to protect government assets. I provided my best estimate of the count of different types of attacks that I was unaware of or couldn’t respond to. I sent this report to my superior. In addition to listing how I had failed to execute my duties, I provided an explanation of why I failed and a remedy to reduce the failures. The recommendations required either additional manpower, additional knowledge/training, additional tools or policy changes.
Failure reports serve two important purposes. First, they move the responsibility of fixing the failures up the chain of command. They make superiors aware of security gaps (removing plausible deniability). Secondly, they provide justification and explanation for correcting the problems. Often, management and executives don’t understand why purchasing additional security tools is necessary. I have met with some executives that believed their teams were asking because they wanted “cool toys.” Failure reports remove that type of errant thinking.
Processes are created to make policy reality. People and tools combine to make processes occur. Effective processes are what make networks secure. If the IT organization doesn’t have a person that loves working with flow charts, it should borrow one from another department or contract a business analyst. Being able to document current and future processes enables tool selection. It also makes teaching entry-level team members manageable. They can be assigned sections of one or more processes. Their development in the organization can be gauged by their ability to master different processes. Flow charts are powerful tools in transforming a security practice.
Building an effective security architecture requires some initiatives that only need to be done once. It would be an unfortunate waste of time and money for an organization to train individuals to learn how to do a task they would only do once. It would be an ever bigger travesty for an organization to buy a new set of tools but never effectively deploy them. Most security product vendors like Lancope provide a partner directory that can be used to find experts to deploy products quickly and painlessly. Additionally, it may be wise to keep a partner on a support contract to provide an escalation tier as response processes require.
Information security currently has an unfortunate lack of trained professionals. As I work with security teams, I find many of them need theoretical cybersecurity training before the product training can be useful. Organizations like SANS provide courses to help transform loyal team members into sharp security analysts and responders. One of the best places to find the next security superstar is in a cubicle near you. Training a loyal employee on a new set of skills will save the organization money, make for a more loyal employee and create an operator that is already familiar with the organization’s systems and processes. When evaluating new security tools for InfoSec processes, be sure the vendor provides regularly scheduled training.
There are many challenges in moving from “plausible deniability” to full visibility. Spending some time doing honest evaluation and reporting is a good first step. Using internal talent and consultants, processes can be built from policy. With the paperwork done, tool selection and team training become straightforward initiatives. Organizations do want to get their heads out of the sand, but yanking hard is rarely wise. Some gentle coaxing can empower even the most terrified organizations.