This article can also be found in the Premium Editorial Download "Information Security magazine: Effectively navigating the security risk assessment process."
As we all know, non-stop reports of data breaches, data losses and hacking claims have put the spotlight on the state of information security. The constant negative attention on security is causing my mom, friends and neighbors to constantly ask, “What is wrong with security?! Why can’t these companies get it right?!”
My answers are numerous and complicated; they are black, white, and gray. I ask myself, my peers, clients, vendors and security friends the same question and their answers are numerous, complicated and subjective, to say the least. The reality is each and every one of us is responsible for what’s wrong with security. Each participant in security must step up and improve the effectiveness of his or her involvement. Here’s what I hear as some of the most common explanations for the
“I do not have time to deal with the audits, the scan results, the IDS events, the firewall policy changes, the security policy, etc. across the entire organization. I only have three people on my staff. We do what we can, but we will not get to (insert important security issue here) in the next six months. If you gave me the staff and the budget I could address it, but the headcount won’t be approved by management.”
Find a way to make security real for senior management. Perhaps present a lunch-and-learn seminar on botnets and online fraud. Explain to senior management how they can protect themselves from online fraud. If they apply security to their personal lives, they will incorporate it into their professional lives.
“I submitted a change-control request to the networking team to disable all of those firewall rules six months ago. I also asked for a list of active hosts to scan and the list they produced was half the size of what I found through discovery; they clearly do not manage the network very well. If management forced the issue, it could improve, but we do not have support for security on the networking team.”
Try to find a creative way to penetrate (no pun intended) the networking and IT teams: Make friends, do favors, buy drinks, but most importantly, get to the root of their problems and find out what makes their jobs difficult. If you can solve their job woes and make their lives easier, you will make things more secure, but you have to take the time and go to bat for them.
Generic security team member
“We do not have an IDS, so I can’t tell if any packets hitting that host contained SQL injection or not; I can tell if the firewall let a packet through over port 80, but that’s it. No, I cannot tell you if a brute force was executed against the domain controller; we do not retain the logs. I submitted requests for an IDS/IPS and a log management solution two years ago, but they haven’t been approved.”
Demonstrate the business value of security tools to the IT and development teams. Try to position the tools you need as a service offering and show them the value to their everyday lives. If your approach is to lay down the hammer and refuse to help if you don’t have certain tools in place, you’re less likely to build a successful business case.
“I met with security vendor X yesterday and they are touting security product A. This guy is a sales guy trying to push his product and I can tell you right now, I’m not buyin’ it.”
It’s true -- salespeople are trying to sell their stuff; that’s how they make a living. I bet some of them would even admit to having to pay a mortgage, like most of us. There are some very good security sales folks that help you find the right solution for your business and some not so good ones that simply try to sell the next hot thing based on FUD. Please, people in purchasing positions, find the right partner and someone you can trust.
“I don’t see the need to buy security monitoring product X, if you write good code that should take care of all of the problems. In addition, we can write a tool that can be more useful and do it better than the vendor.”
You’re very good at creating the widget; that’s your core business. Please focus your energy on securing your code and open your hearts and minds to buying those security tools that are not your core business.
Security sales guy
“I thought that breach would happen. They have practically no tools in place. I worked on a deal for a year and a half with them; it was a product they really needed but they never got the budget approved and a few folks in the organization didn’t see the value, so it was dropped.” Or, “Client, this is the one and only security product you need. If you buy this product, it will achieve all of your compliance requirements.”
Don’t be a tool and oversell your products. Don’t use the FUD factor as it won’t work. Build trust with your clients and bring them solutions that meet their needs, not your portfolio.
“I spoke with the entire security team, the IT team, and the developer team and let me tell you, they have some problems. The security team has no staff, not enough time, and not nearly enough tools. The IT, developer, and networking teams do not see the value in security, so at the management level they have little buy-in and things simply do not get done, whether it is buying and implementing product or implementing policies and procedures. I delivered 35 findings from a one-week engagement; they are going to have a tough time getting those resolved. However, my 150-page report was very comprehensive; I should get a few more engagements out of it.”
Please don’t sell your client services they don’t need. If you walk into a client site and know the state of their security within five minutes, don’t sell them an $80K gap assessment – offer to help fix the issues. Offer value that goes beyond the dollars your client spends in everything you do; send them security tidbits here and there that are specific and applicable to them. Build partnerships and relationships and understand their business. Oh, and please do not give them a 150-page report; instead ensure you provide a simple one-page set of recommendations. Your value is not necessarily based on the length of your reports.
Security community (via Twitter)
“Doh! <Company> hacked because they accidentally posted SSNs on website -- guess that guy is getting fired”
“Seriously? Did they actually think that telling us they were breached by an APT would reduce their culpability? Idiots”
“<Hacker Group Z> posted email addresses and passwords from <Company> on Pastebin-haha!!!”
“It is almost funny how easy it is to do a Google search on SQLi or XSS…”
Spend a portion of your time providing solutions to the public. I consistently see new vulnerabilities, zero days, and other problems publicized, but don’t always see solutions. Don’t publish a new vulnerability or an opinion without a fix; it doesn’t help. Avoid commentary that may be perceived as judgmental. These statements discourage other security individuals from joining the security community and prevent them from asking for help in solutions. For example, if a breach of company X is made public and we as an echo chamber call that company an “idiot,” do you think it will openly reach out to us for help and collaboration? Not so much.
There are a lot of things wrong with security, but I also truly believe we are currently in an upswing, in terms of focus and effort. If we each do our part, we have the opportunity to improve the industry as a whole; it has to be a collective effort.
Elizabeth Martin has 15 years of experience in the information security, compliance, and risk management industry. She has extensive experience in the automotive, retail, financial, healthcare, government, and managed security services verticals. Send comments on this column to firstname.lastname@example.org
This was first published in October 2011