Five Signs Your Organization Is Failing at Security

@1iJax aka The Security Viking

Just when you think the drum has been beaten loudly enough for long enough, a quick survey of organizations across the spectrum will find many companies still just “don’t get it”. No, this is not an exhaustive list; there is only so much we can fit in one post. If you’re an executive or member of management, and you’re having trouble getting a security program going, or you really have no clue whether you have an effective program, please read on. If you’re a Security Pro who feels something isn’t right at your organization, and every step forward in your program is met with one or more steps backward, then there is a good chance that the org is systematically failing.

1. Management Has No Clear Idea What Security Is –

This is a pretty big one; just about every other “sign” mentioned below is a symptom of it. We need to discuss it, and Management needs to understand it, so that we can be level-set on the rest of the signs. What is the purpose of security? If the first answer that came to your head was “duh…protect the company” I can’t fault you for thinking that, but it’s wrong. It is actually the executives, in any organization, whose job it is to protect the company, not the rank and file members of Security.

So what is Security’s job? I won’t bore you with some acronym. At a very high level it is two simple things. (Well, it sounds simple, but anyone who studies game theory will tell you that the simpler the rules, the more complex the game.)

  1. Advise upper management of the threats the organization is facing.
  2. Oversight of the program upper management has tasked to counter those threats.

That’s it.

Some Security folks may be screaming at the screen when I say this. “Who’s this Viking guy? Security is way more complicated than that, and I go home each day and tell myself how proud I am that I protected that company!” Sure, we use all sorts of processes, methods, and tools for our security programs, but at the end of the day, all of those things are just details that support our mission of Advising and Overseeing. (I did say simple rules make complex games.)

Companies that fail to recognize this usually fail hard. They are easily identified by their lack of strategy, and oh boy, just wait to see how they respond to a breach…welcome to the shit-show! Executives in these Orgs will sound clueless when trying to describe the kind of program they have.

I worked at a multi-billion dollar company that had recently doubled in size. During a town hall meeting with the CEO and COO, I asked a simple question,

“With the increase in size and the multiple verticals we are in, has anyone started discussions around appointing a CISO?”

I wasn’t asking them if they had a CISO in mind; I was simply asking if the discussion had started. The first sign something was wrong was when the Executive VP and head of HR asked back, “What is a CISO?”

(We’ll take this moment to pause and allow the security guys to finish laughing.)

The world is full of acronyms, and not everybody can pull from memory every acronym they have heard, so I simply explained those terms and expanded on my question a little to give more context.

A few minutes passed and the CEO said, “We have a question, ‘With the increase in size and the multiple verticals we are in, has anyone started discussions around appointing a CISO or CSO?’”

What happened next made me wish I had never asked.

The CEO responded, “I think we have people that are responsible for that so no, next question”.

Did I expect them to tip their hand and detail to the whole world how they were strategically building the Security team? No, but at a minimum at least pretend to care and give an answer that sounds like the thought of security had crossed their mind.

Instead, we got an answer that clearly came from an Executive who “didn’t get it” and had been insulated from Security by many layers. Right around the time I asked the question, they moved the head of InfoSec another layer below the CIO and started the destruction of that team.

Which brings us to our next point…


2. Improper reporting structure. To report to the CIO or not to report to the CIO is NOT the question –

Pundits have gone back and forth on the question, “To whom does InfoSec report?” As the grip of technology has deepened, it has often become the practice to shuffle these teams under the CIO.

The problem with this approach, at the risk of oversimplifying things, is that IT exists to serve the technological wants and dreams of the business. The security practitioner’s job is advice and oversight, which, *gasp*, requires telling people no.

“No” is an impossible word for the CIO; use it too much and they won’t be CIO for long. They can say, “Yes, but…”. “Yes, but we need more money.” “Yes, but we need more headcount…” etc. Can you imagine a CIO saying “No, we can’t build that app to better engage our customers and make more money”? Neither can I. The CIO who got stuck with security can quickly become a filter stifling our purpose of Advice and Oversight. (Hey, they’re just trying to guide the tech ship and some jerk who fancies himself a Viking keeps telling the IT guys they can’t use TLS 1.0.) God forbid an inexperienced CIO shuffles security under another layer of IT management. Try it if you really want to see the wheels fall off.

To be fair to the CIO, CISOs who stonewall the business don’t remain CISOs for long either. We are in the Risk Mitigation business, where sometimes battles are chosen carefully and political capital is stored for use at a later date.

Who should we report to then? Some say CFO, some COO, Chief General Counsel…etc. Some have even proposed that IT should actually report to a CISO. It sounds interesting, but you still end up with someone who has two roles with occasionally competing interests. To simplify this question, first understand that reporting structure directly impacts #1…

  1. Advise upper management of the threats the organization is facing.
  2. Oversight of the program upper management has tasked to counter those threats.

In order for Security to fulfill its purpose, it *MUST* report directly to a member of the Executive Leadership Team. The vertical your company is in may dictate which member of the ELT that is. At the end of the day, though, it really doesn’t matter which “C” suite person you report to, so long as that person has a “seat at the table” and takes security seriously. Anything less is just pretending and results in a game of telephone as each layer of management interprets what Security means.


3. Policies Are Not Owned By Executives

You would think this would be obvious; unfortunately, it is not always the case. I worked at a shop where the CIO insisted they get to review policies we proposed before legal did. Of course, Security reported to that CIO, so much of our work was met with all sorts of stonewalling and watering down.

The phrase of the day was, “We need to keep these close so we can remain fluid and adaptable to the business…blah, blah, blah.”

Basically, they liked being in control of the Security policy so it could be changed as needed to enable saying “Yes!” to the business without adding to the workload. Remember, IT can’t say no.

Drawing from our expanded knowledge of the simple purpose of Security (there might be a theme here), this problem directly impacts Security’s ability to provide oversight. Executive Leadership *MUST* own the directives that dictate the direction in which the Security program runs.

Policies are the rules by which all employees must operate. Without Executive sign-off, any manager of equal or greater rank than the top InfoSec manager can simply interpret what that policy means as they see fit.

Yes, Security gets that there is a difference between attainable and aspirational policies. We might advise against it; we might ask, “But shouldn’t we aspire to be more secure?” We wouldn’t be good advisors if we simply bent whichever way the wind blew, but we also get that policies you cannot hope to meet are unworkable for everyone involved.

This is why we need the ELT, you know, the folks responsible for protecting the company, to weigh these decisions carefully and agree on the direction forward. Everything we do, every process, every wall we build, is a direct result of Policy. Only when the ELT owns, and feels comfortable defending, these tough decisions can Security effectively move forward.

If you haven’t caught on yet, most of the signs of a failing InfoSec program come directly from Upper Management’s lack of engagement. Back while studying for a certain cert, I had the privilege to get some training from someone who wrote a really popular study guide. I’m quoting from memory, so this is probably off the mark, but she essentially said,

“If Security at your organization does not directly report to the ELT and the ELT or board doesn’t sign off on policy, you will not succeed. If that organization is unwilling to change you need to run away and don’t look back.”

(Sorry if I butchered this quote, RIP Shon Harris…f* cancer!)


4. Security has no idea what the purpose of security is –

This one made me laugh as I typed, but sadly this is becoming more and more true. Simply put, security resources continue to get stretched thin, and there are a whole lot of folks with only a couple of years’ experience running around with senior titles. In my day (at 42 I’m an old curmudgeon in the industry) I had to work eight years before I got a “senior” title.

Unfortunately, it’s the nature of the business now: double-digit unemployment rates in the field have led to an explosion of newbies from poorly planned infosec college programs and from IT. The influx of IT folks, and I’m speaking mostly about the management side, is bringing an “IT mentality” with them. (Nothing wrong with IT folks coming over, we love to have you, please send more developers this way.) What used to be a slow trickle of highly qualified IT people learning the ropes from knowledgeable Security staff has quickly become the blind leading the blind. Newly minted IT managers in Security will oftentimes filter, or even completely withhold, the results of an honest attempt to evaluate the company’s readiness level.

This natural reaction towards not wanting to look bad to senior management is a glaring violation of the purpose of Security.

I’ve heard things like, “There’s too much red, no way management will take us seriously,” or “I can’t give them this, it makes us look really bad.” And even worse, “I need you to look closely and see if you can change a few of those things”.

Dear former IT manager now in Security, we need to have a talk. We need you to stop capitulating. You need to understand that the place to politicise a report is not in the findings, it is in your management response!

I get it; it’s hard to show our warts. Nobody is asking you to wear a tinfoil hat and scream that the sky is falling, but when you shirk your duty to advise, you are missing your chance to show them how they can get better, and losing the respect of your staff in the process.

As a manager, don’t you agree that your usefulness to upper management is your ability to provide a vision for the future? This is your time to shine and sell that vision!


5. Revolving Door of Security staff

Do people seem to come and go? Do most of the analysts and engineers on your team have less than five years with the company? Does your program seem to be on track for a couple of years and then everyone vanishes overnight? If you answered yes to any of these, then you’ve got a problem.

With some regions reporting unemployment numbers as low as -16% in InfoSec fields, your staff will quickly learn they don’t have to wait for you to “figure it out”.

So how do we fix it?

First, you need to understand the type of people who became Security folks in the first place. They absolutely read between all the lines! These are the people who crawl through all your systems and pick apart every nuance looking for threats to your organization; do you not think they are reading your every move and weighing your words?

They know when they are being talked down to. They know when management is not taking Security seriously. If you don’t care, then why should they? These folks are constantly under the gun. They oftentimes stay up at night just learning about the latest and greatest problems in the world. They live, breathe, and eat from the seedy underbelly of the internet, and many of them do take “protecting the company” personally, even when we know we shouldn’t.

Appreciation for the work security does is helpful, but straight talk goes even further. Be honest about your shortcomings as a company; don’t try to gloss over them with some pretty facade. We have highly attuned b.s. meters. Following through with the suggestions Security gives you to fix these shortcomings goes a long way. Signaling to your security staff that the org is ready to try to fix things can have a huge impact on morale.

Now you’re talking the talk; how do we walk it? Three words: Security Staffing Standard. Having a written plan for addressing staffing issues tells your experienced staff that management recognizes the need for a healthy program, and gives you something you can manage towards.

No two companies have the same staffing needs and nobody has come up with the perfect formula. Personally, when it comes to the number of folks in the technology side of Security, I like to use the “Ratio of IT” measure as a starting place.

A detailed look at this may be a post for another day, but basically, having 6-8% of IT headcount allocated to Security puts you about in the middle of the pack. Obviously, the verticals you are in, and some specialty skill sets, can influence this number.

Know your business, adjust accordingly, and be prepared to adapt and change that Standard as the environments you operate in change.

Strong word of caution…Do not fall into the tool trap!!! Buying a product does NOT replace headcount; in fact, it may increase the need, given the specialty skills required to manage that tool. Tools are no different from hammers. Hammers don’t swing themselves!


My company has all these problems, now what –

If you are C level, and you did happen across my little rant, the ball is in your court. Own your policies, enable Security by having them report directly to you, staff accordingly, and you will be light years ahead of the next guy. For the Security guys, even if your org hits all of these, don’t bail right away. See it as a challenge, do your best to fight the good fight, and if you see no attempt to improve, leave with a smile (or just flat-out run, like Shon suggested). You survived, you learned, and you can take all that knowledge of what doesn’t work and help an org that really really really wants and needs your help. I’ll leave you (especially our InfoSec brothers and sisters at Equifax) with a favorite proverb of mine that I passed to a Director at Target shortly after their breach…”Smooth seas do not make skillful sailors!” Good luck out there.