BOSTON -- One of information security's most venerable thought leaders believes the evolution of leadership in the industry has reached a turning point and without a disciplined, holistic approach emphasizing shared knowledge, enterprise security programs will never achieve their desired results.
Good judgment comes from great experience; unfortunately, great experience comes from bad judgment.
Tony W. Sager,
director, SANS Innovation Center
During a keynote Wednesday at the SANS Security Leadership Summit, SANS Innovation Center director Tony W. Sager drew from his 30-plus years at the National Security Agency's defense-focused Information Assurance Directorate (IAD)-- a decade of which was spent running IAD -- to highlight the biggest challenges facing today's infosec leaders.
Sager said leaders like him with several decades of experience were forged during the 1970s and '80s, a simpler time when infosec was largely a government endeavor, led by the NSA, tasked with defending against a singular Cold War-era enemy. Society is different today, he said, and despite the rapid pace of technological evolution, the problems facing information security leadership are rooted less in technology and more in managing dynamic business problems and unpredictable users.
"Good judgment comes from great experience; unfortunately, great experience comes from bad judgment," Sager said. To be an effective infosec leader, "you have to make a lot of mistakes to be able to learn from them."
Emphasizing communications, incentives
Sager's talk highlighted key points in his career when he pursued resolutions to problems in a way that either drew from existing community knowledge or led to new frameworks that helped others solve the same problem.
"What I thought about was, what problems should I not have to solve on my own," said Sager, "and if I could, is there a greater good in doing this as part of a larger community focus? The more consistent we are in solving these problems; the better it is for everyone."
During Sager's early days managing the NSA's mythic Red Team -- the IAD group that uses adversarial techniques to find the weaknesses in government cybersecurity systems -- found many vulnerabilities, but few were ever fixed. He soon realized that the group not only had no incentive to ensure that flaws were fixed, but also often had to work through a maze of bureaucracy to determine which government agency could affect each necessary change.
Sager said he eventually managed to change how the Red Team's success was measured, shifting the focus to problems that it helped to fix. Realizing that about half of the Red Team's findings needed to be conveyed to someone besides the owner of the affected system, he also worked to foster a culture that downplayed specific exercises in favor of identifying stakeholders and working with them to achieve joint goals.
One of the biggest, government-wide infosec problems he encountered was the lack of consistent software configuration standards, particularly on desktop computers. Each agency was on its own to configure its machines securely and according to Sager, few were up to the challenge. System admins often didn't know how to implement secure configurations, or lacked the bandwidth to do so.
"We would ship machines to every poor, undertrained, underappreciated sysadmin in the DoD," Sager said. "They were these out-of-the-box, unconfigured versions of Microsoft Windows, and it was too much to ask them to manage this on their own."
Over time, that led to the creation of the Federal Desktop Core Configuration mandate and eventually the broader U.S. Government Configuration Baseline. Getting there, Sager said, required many government cybersecurity leaders to convince Microsoft and other IT vendors that selling pre-configured IT systems according to a limited number of baselines would actually save them money.
"The response from Microsoft was, 'You government guys don't get it. Every time you change configurations, things break,'" Sager said. "But eventually they realized that by having five or 10 or 15 configurations, based on roles, it cuts costs and streamlines their relationships."
The two keys to making it happen, Sager said, was the unified leadership throughout the government and private sector joining together to make the case to the vendors, and identifying the specific configurations so the vendors understood what was involved.
Good security leaders never work alone
Though the abundance of information resources available to information security leaders today may be seen by some as a positive, it's arguably made the job of managing infosec organizations even harder.
"Never before have we had so many tools, so much information, so many products and services. We are drowning in an incredible array of data meant to help us," Sager said, "and yet the problem seems to be getting worse faster than it's getting better."
Sager said information security leaders suffer from a "fog of war" effect not unlike combat commanders. Because it's so difficult to deal with the volume of data available, leaders struggle to identify the best course of action, resulting in imperfect decision making.
Sager's own struggles in this area eventually led to the creation of the SANS Top 20 Critical Security Controls, a set of broadly applicable defensive measures. He encouraged infosec leaders to adopt the controls as a tenant of their programs because they can help organizations prioritize, implement, sustain and automate standards-based defensive practices that have been proven to thwart the majority of cyberattacks.
Having worked with some incredibly powerful and effective leaders within the U.S. military "with many stars on their shoulders," Sager said the most common flaw among them was being great at identifying new things to do, but not so great at deciding what to stop doing.
"I've worked with amazingly brilliant people, but they don't see the problem that the workforce is already stretched," Sager said. "So I would say, 'give us some help in what we can stop doing.' Because if everything is important, nothing gets done."