Chapter 1. The Odds Are Against You
Before I lay out my road map for building or revisiting an information security program, let me first provide some context of the environment in which most of us work. I say most because some of us have the privilege of working in companies with great executive sponsorship. These companies greatly value InfoSec for what it provides to the company in protecting its intellectual property. They understand the value the function provides, and view InfoSec as integral to the fabric of the organization. For the rest of us, we stand on soft soil. If I’m being honest about our situation, we’re on our own when it comes to building out the InfoSec program. Neither the culture nor any executive sponsor will provide much support. The work of putting the program in place rests solely on the security leader. I liken it to pushing a boulder up a hill. The forces are against you.
The context I’m about to share has been my experience working as a security leader in various organizations. I’ve always been one to learn from others, keeping my ear tuned to the latest trends, while challenging the InfoSec industry’s accepted standard practices. Over the years, I’ve realized that most of us operate in a work environment framed by a few fundamental facts. These facts are true for the vast majority of us, except for those chosen few who work with strong executive sponsors, almost unlimited resources, and a company culture favorable to InfoSec. Here are those facts:
Nobody in the company, outside of your team, usually cares much about InfoSec.
Nobody in the company really understands your job.
Our industry is guided by fear and scare tactics.
My conclusions about our operating environment stem from considering the many disconnects we confront every day in our jobs. For example, the number one security control in every framework is asset enumeration. And everyone agrees this is the most important security control and where all security starts. Yet, how many of us work at organizations that take this seriously? How many of you have gotten your arms around asset enumeration? Right? This is good data: the first and most important security control is almost completely ignored where you work. Has it ever been a sustained priority by your systems leadership? This doesn’t seem odd to you? But the question is, what does it tell you?
Or consider the tone from the top. Everyone agrees this is super important for a successful InfoSec program. But when was the last time anyone was disciplined, let alone fired, for InfoSec policy violations? Unlike codes of conduct or human resources (HR) policies, which are strictly enforced, InfoSec policies are at best suggestive to most employees, and violations rarely catch anyone’s attention or interest. Isn’t all of this part of the tone from the top?
Over the years, these three facts have formed the environment in which most of us work. Your job is to change that environment. That is the focus of this book. The simple seven-step process I present in this book is the best way to do that. But before I do, let’s delve deeper into these three facts.
Fact 1: Nobody Really Cares
So, fact number one is that most of us work in companies where nobody really cares about InfoSec. Now, don’t get upset until you hear me out. I know we live in an age when every week another breach is in the news, and the leadership at your company will often ask you if “we’re safe.” But let’s look at the data we have from our own companies and see if my claim isn’t true, or mostly true.
If you’ve been in the industry for any length of time, you’ve likely already gathered data on the companies where you’ve worked. So with that data, answer this question: can you identify one executive with any clout who gives much time or thought to InfoSec? Most likely, it doesn’t make their agenda. They may like to talk about it and may say they care—but if we’re really being honest, and we measure their level of interest and support by their actions and the resources sent your way—then clearly, their level of concern is low.
I want to identify an exception to my claim for those who work in the financial services industry, or any other highly regulated industry in which the cost of a breach would lead to a loss of public trust that translates into loss of revenue and/or stock price. But for the rest of us, I’m going to stick by my guns and argue that nobody really cares about InfoSec, because we don’t contribute to the bottom line.
Still disagree with fact number one? Then look at your last security incident and ask yourself this: what did the post-incident remediation look like? Did money and resources flow your way? Did anyone demand that it not happen again? Was anybody fired? Did any leader in the company ask for an executive summary of the events? Were you required to make a presentation to executive leadership about what happened? Did any system owners involved in the incident get reprimanded? Were there any consequences at all? Did the organization suddenly get religion on patching and updating software? Were more system administrators told to send logs to your monitoring service? Did any teams invite you to their staff meeting to discuss the root cause and ways to avoid it going forward?
Your answers to these questions provide you with a clear message on your company’s culture and attitude toward InfoSec. Now what do you think? Does anybody care?
Maybe the post-incident activities were all positive at your workplace, and your company took corrective actions. Money flowed your way. Heads rolled. You were given time on the executive agenda to explain what happened. System owners were reprimanded. And executives made statements that this can’t happen again. If that is your operating environment, I’m happy for you. Consider yourself lucky.
But for the vast majority of us, based on my experience talking with many of you, we don’t see those post-incident activities happening often. Instead, incidents are quickly forgotten, nobody shows much interest in the root cause, and nobody is ever disciplined or let go for mismanaging the security of company systems or data. It just doesn’t happen.
Do you need more evidence that nobody really cares? Look at your board presentations. Do they get pushed to the end of the day? After waiting for hours to present, have you been told that the meeting is running late, and that there’s no need for a cybersecurity update? Or better yet, while you’re walking into the room to give your presentation, has someone asked if your 15 minutes can be compressed to 5 since they’re running late? Sound familiar?
This is our world as InfoSec leaders. You’re at most a check in the box. You and your team are insurance for the company. The one throat that company leaders can choke, the fall guy if they need one. They can point to your team and say, “See? We care. We have a security team.” But in the end and underlying it all, nobody really cares.
Suffice it to say that this “nobody cares” attitude is one of the realities you’ll have to come to grips with. Get to acceptance quickly. To move forward, you must factor in the reality that you’re on your own. Understanding this mindset and your operating environment will help you value the simplicity of the seven steps laid out for you in this book.
Fact 2: Nobody Understands
The second fact is that not one person in the entire organization really understands your job. That’s right. No one knows the ins and outs of your position and can appreciate the diversity of demands placed on you. Many people know portions of your job or can talk about various sections of the eight domains, but nobody understands or appreciates the totality of the work you do. If they did, you’d get more respect, wouldn’t report to the person you do, and would get paid much more.
Since no one understands your job, no one can appreciate what it takes to get your job done. Some may claim to, but in reality they don’t—and you know they don’t. I’ve worked with bosses who’ve told me they used to run InfoSec functions at other companies, but after talking with them for a couple of minutes, it’s clear they don’t know the job either. One of the rocket scientists I had the pleasure of working for (or with) didn’t know the difference between logging and scanning. Ouch.
Nobody knows the diversity of services you provide across the company or appreciates the breadth of technologies you must master. For each department and team in the company, you provide a different service. For the legal department, you provide computer forensic support (among many other activities). To other departments, you write company policy, support compliance efforts, and provide business-to-business (B2B) risk-assessment services, web app pentesting, red team exercises, incident response services, tabletop exercises for simulated incidents, awareness training for general staff, and on and on. There isn’t one person beyond your team who understands the diversity of tasks that make up your job description, or the demands this places on you and your team. After all, we hire “high-speed” technical people, and none of them want anything to do with running phishing tests; it isn’t sexy work engineers want to do.
Deloitte once had a chart that I love. It decomposed the 8 domains of InfoSec into 176 areas. The chart could barely fit on a standard office wall. When you looked through the chart, it didn’t take long to realize that the job of a security leader spans way beyond anything provided by anyone else in the company, and the sad part of that equation is that no one has a grasp on the job’s breadth. If they did, they might care more. (Nah, who am I kidding!)
Fact 3: Fear Drives Our Industry
The third and final fact that provides context for our work environment is that fear drives our industry. Consider one of the underlying assumptions we as InfoSec leaders subscribe to: the ever-present belief that bad things are about to happen. If our network isn’t being hacked at this very moment, hackers are at least acquiring the information they need to do so. We begin to worry that every new form of cybercrime is being directed against our systems. And, of course, the vendors trumpet this tune whenever they get in front of you.
Fear has driven our practices, empowered our vendors, and kept many InfoSec managers from responding rationally to the real threats in our environment. This culture of fear has created baseline expectations that have little to do with real InfoSec. Meeting these expectations, these all-or-nothing-based standards, consumes a huge percentage of our time and budgets.
As anyone in the business of selling security knows, financial success is directly related to the level of fear held by the consumer. What security vendor could sell solutions if the cyber world was a safe place? They couldn’t, so they crank up the volume on the fear message.
Why are educated, successful people spending millions of dollars on security equipment? The answer is fear. They’ve swallowed the fear pill, which equates to spending on security devices for their homes, cars, pets, and families. Fear sells. And InfoSec is no exception.
It’s no surprise that our fears and assumptions have led InfoSec departments to continually upgrade to the latest and greatest in security technology. But vendors are not vested in our success. Their success depends on how insecure we feel about our security capabilities and how much we believe their products will give us what we’re told we lack.
As a result of the industry’s continual fear message, we can be seduced into believing we need more technology to protect the company. We’ve been convinced that not only do we need more technology, but we need the latest technology to be truly safe. Security tools are expensive, so we ask for more money. More tools require more staff to support them, or at least look at them, so we request more staff.
Over time, we’ve lost our way. Our decision making has been warped, and soon we have a security architecture of tools that’s embarrassing. Our tools are mostly standalone and “best in class.” Few integrate with any other tools without integration from your team. Our architecture is overly complex and often doesn’t make sense, failing to address the true threats to our companies. No wonder we have a hundred vendors knocking on our doors every day to sell us more stuff we’re told we need.
The irony in all our purchases is that despite investing countless dollars in the latest and greatest technologies, the average social engineer can gain access to our systems with three well-crafted phishing emails. Ouch! And oddly enough, not many vendors are knocking on your door to help in that area. Why? Because there isn’t much money in it, as it requires training of our end users. I’ll discuss this more in Chapter 7.
Conclusion 1: It’s All Up to You
If you agree with the three facts that shape our operating environment, here’s one of the conclusions we can make: it’s all up to you. To be successful and protect the company’s information assets, you’ll have to do it alone. That’s right: it’s just you and your team. You most likely don’t have an executive sponsor. Sorry. To get the job done, you’re going to have to lace up your shoes, get out of your office, walk the streets, and knock on doors. I equate your work to that of a door-to-door missionary who hopes to get invited in, except in your case you won’t have a buddy standing next to you.
Over the years, I’ve developed a great set of operating principles that help me and my team navigate the uncharted waters of building a program. One of my operating principles is “go where you’re wanted.” If anyone opens the door and invites you in, work with them until the cows come home. But if they gently close the door or even give you the “invisible middle finger,” as many do, then make a note of it. Don’t hold it against them, because you’ll be back knocking on their door again.
I don’t mean to be overly pessimistic. So please forgive me if I come across that way. I’m just sharing my observations and experience as an InfoSec leader for 25+ years. The success of your InfoSec program will largely rest on your shoulders. You’re on your own. However, there is hope, as the rest of the chapters of this book explain.
Conclusion 2: You’ll Always Be Under-Resourced
Since nobody really cares about InfoSec, and nobody understands your job, how can you expect to receive adequate resources for the task at hand? It’s just not going to happen. This conclusion shouldn’t come as a surprise. It makes sense.
Who among us is adequately resourced? We’re chronically underfunded. If this isn’t your situation, once again, good for you. But the rest of us live in a continual state of financial deprivation, with only momentary periods of money to spend.
Given that we are perpetually underfunded, the next question we must address is, how do we operate on a limited budget? This is where my seven simple steps come in. The beauty of the process is that it requires little funding or resources to execute. As I’ll show you, you can get through most of the steps without the need for much in terms of resources. It’s one of the beautiful attributes of the plan: you can get a lot of work done without any resources at all.
Conclusion 3: Being Successful Requires Thoughtful Work
I believe many InfoSec types approach their work with an all-or-nothing mentality: anything less than complete security is a compromise that’s equivalent to cutting a deal with the devil. I disagree with this approach, and believe that we as security professionals should view our jobs in terms of “laps around the track,” with the aim of each lap to leave the environment a little more secure than it was before you started that lap.
I’ve been accused of being inconsistent in my approach to InfoSec, accused of leaving it for others to deal with, and of not standing up and demanding that certain security controls be implemented. But when you don’t have strong executive sponsorship, you have to play a finesse game to get the job done. To move security forward without strong leadership endorsement, you have to approach your role in the company as a consultant whom others can choose to ignore or partner with. You have to approach your work in increments; a security model that achieves basic “locks on the door” is a vast improvement over what existed previously if that was nothing.
Unfortunately, our thoughts about what constitutes “good” InfoSec have been shaped by the technology industry. We’ve come to believe that most InfoSec problems are solved through technology. This has led to an InfoSec culture totally focused on cutting-edge tools that we’re told will fix our problems and address the latest threats we face. As a result, many InfoSec professionals build their strategies around the technologies that make up our industry, while totally overlooking the more important side of educating others in the company.
Do your best to buck this trend. After all, I’m claiming in this book that the art side—the people side—of our work is just as important as (if not more important than) the science side. So your strategy needs to be much more than a list of tools purchased to address the supposed threats you face. If the people side is more important and valuable to you in protecting the company’s information assets, your strategy will have to contain a plan to get all company employees involved and doing their part to secure the company’s information assets.
Your strategy should answer two basic questions:
How do I show the company that its investment in InfoSec is producing the return it should?
Are the company’s information assets more secure this year than last? If so, how do I show this to company leadership?
I’ve put these questions to hundreds of chief information security officers (CISOs) and gotten an equal number of responses. Nobody has given me simple metrics to measure our progress. One of my intentions in this book is to do just that (Chapter 10 discusses metrics). To be successful over the long haul, you have to step back and take an honest look at what we all blindly agree to be “best practices.” And perhaps challenge them.
InfoSec is more art than science. It requires right-brain thought among left-brain engineers, and this can be problematic for many individuals in our space. Since you’re on your own to secure the company’s assets, you have to get creative and find ways to achieve this.
If you view your security work as laps around the track, you’ll understand the benefits of incremental improvements that come through the long, hard work of building relationships, staying close to clients, staying humble, and maintaining a spirit of service. Equipped with these, you can’t go wrong; you’ll be embraced by the company, and will find yourself and your department hugely successful.
The seven-step plan I lay out starting in Chapter 2 does not gain momentum or authority from fear. It’s based on years of analysis and refinement. I’ve spent countless hours analyzing our work, questioning the industry’s assumptions, evaluating alternatives, talking with industry experts, and reading our literature. I challenge our industry’s so-called best practices, and I’ve written this book to teach you a better way and hopefully spare you from a lot of grief in the process.
My approach doesn’t make sense to people steeped in industry standards. It doesn’t fit their mental model or, quite frankly, their egos. I’m not writing this book to encourage the status quo. I’m writing this book to show you a better way and to encourage you to get out of the arms race of technology. If you give it a chance, you’ll find my plan is simple, makes sense, and most importantly, it works.
For you to get on board with my simple process, I suggest you consider the truth of our operating environment and be willing to step back from your biases and be open to another way. I’m not here to help you live up to industry-imposed standards. Those who developed those standards don’t live and work at your company. Nor am I here to help you get a pat on the back from other CISOs.
No, the kudos you’re going to get will come from the employees of your company who no longer see your department as their watchdog. It will come from higher-ups who appreciate that you’ve balanced risk with the needs of the business. It will come from all your IT colleagues who no longer feel like they’re at war with you. But mostly, it will come from knowing you’ve protected your company’s assets to the extent they need protection, that you run a department not by fear, but by rational, informed decision making.
The examples and stories I share throughout this book are all from my own experiences. I’ve witnessed the transformation in security over and over in several companies, starting at ground zero and in some cases starting with a crater in the ground left by my predecessor. (You know these types, the Genghis Khans of security leaders. Our industry is rife with them.)
If you’re willing to try my approach, you too can transform your InfoSec department into a well-regarded and highly valued business partner in your company. The difficult part will be letting go of your old models and approaches to InfoSec. I believe the job of every InfoSec group is to influence the company’s culture and move it toward greater degrees of security, provided your business needs a secure environment. I’ve built my approach to InfoSec over 25 years of security leadership, and the steps I’ll take you through are the ones I still use to this day. If you follow my methodology, you will totally change the way your company secures its assets. It’s almost enough to give any CISO or InfoSec manager a good night’s sleep.