August 18, 2017
After reading through some other blogs and strategy papers over the weekend (don’t judge me; to some of us, this activity constitutes a good time . . . yes, lame . . . I know), I saw what appeared to be an underlying theme across the narratives I’d read: Security tolerates failure.
It’s understandable that it happens, but I think, if we are honest with ourselves, it happens because of a collective acceptance that close enough is good enough. It can be easy for any of us to offload responsibility when so many things aren’t in our control, and we can feel powerless because of it. In almost every instance I read about, I saw leadership and technical security folks pointing fingers at all kinds of issues, but I hardly ever read about any of them taking ownership – or even acknowledging that security earned this failure. The bad things did not happen through osmosis; no evil hacker just magically jumped into the network. Failures occurred because of a series of bad decisions, poor strategy, and a lack of enforcement of well-known security practices.
Let’s think about this for a second: You deserve what you tolerate.
What does that message mean in the context of cybersecurity and security operations?
If you or your team collectively turn a blind eye to lackluster security policies and don’t bother to enforce the standards that you put in place solely to defend your network, you deserve the bad things that will inevitably occur because of those decisions. If you or your team does not wish to enforce a user policy because users gripe about it, again, you totally deserve the work and stress that comes with the imminent breach headed your way. If you tolerate vendors selling you technology that comes with default hard-coded back doors and does not have ways in which you can technically control or patch that device, you can’t be surprised when it becomes an IoT threat to your network and every other network on the internet.
Here is the first half of the hard part: accepting that failure comes from tolerating it. This takes accountability and willpower:
- Tolerating overhyped technology means we won’t get what we deserve (or what we paid for).
- If we don’t enforce our policies, we let down our users, our leadership, and shareholders.
- If we don’t align our strategy with the business, we can’t be surprised when we aren’t involved in decisions and our initiatives are sidelined.
We should take steps that will help us STOP FAILING and stop TOLERATING anything less than victory. There is only one thing to do: Raise the level of expectations.
Here is the hard part – you still have to actually do it (there is no AI that will help you here).
- If you have a user policy that says we monitor your activities and we are watching what you do on our network, enforce it.
- Don’t accept smart devices into your network without having a plan in place to track and patch that item.
- Make the C-level team realize that security is not just a part of the business: It’s critical to its success in today’s world, and don’t take a seat at the kiddie table.
- Analyze and understand the nuances, technical needs, and implications of any technology your team is considering using. Don’t just move forward with a POC and think it’s all going to work out (it won’t).
That goes for the good and the bad. The choice of whether the results lean more towards the positive or the negative is up to us and how much crap and failure we are willing to stomach before we flip the script and move decisively away from tolerance.
- information security
- network security
- security & risk
- security architecture
- security operations & program governance