Home  |  Sarah  |  Services  |  Blog  Contact

Sunday, 02 Aug , 2015

When Business Culture Eats Cybersecurity For Breakfast – Part Four

Share this article

Chucking Boulders In Our Glass Cybersecurity House - The fourth and final part of a story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security.

The fourth and final part of a story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security. A story that began here
In previous instalments of this story I ‘factionalised’ hundreds of past conversations about real-life security. Conversations with a huge range of individuals from the coal-face to the boardroom. Conversations that took place over lots of years.
We’ve talked about damaging macro and micro cycles: First the boom/bust of security spending and accumulation of security debts. Key drivers include business-wide cost-cutting, battles for survival and lack of knowledge of the full risk-picture. Then there’s the operational battles to embed and mature attempts to repay some of those security debts. Frequently undermined by competing agendas and cultural issues in all lines of defence. Issues which can kill something potentially successful and send businesses back around the costly cycle of finding and implementing a new solution (or the same solution with new wrapping paper).
In amongst that there’s been a nod to the reliance on compliance and how that can be divorced from real risk mitigation, a look at the tension between IT and security and illustrations of behaviours that negatively impact business culture as it applies to security.
As explained in part two, it’s unlikely to all apply (I hope) to any single business. It’s more like a ‘Bottom 10’ of things that can go badly wrong and at the end of part three I made this statement:

“But what can you do about that? Surely these are just facts of business life…”

What indeed? In some ways it doesn’t matter whether or not these are insurmountable challenges because my core motivation wasn’t to present problems then offer magical solutions. Later there will be some suggestions and pleas for change (allowing for the fact that a cultural shift is a long-term goal), but here’s the real reason I’ve spent so many hours thinking about and writing this:

Chucking Boulders In Our Glass Cybersecurity House

This series of posts signals the end to a period of writer’s block. A block caused by disillusionment with many of the folk who publicly comment on our trade. Breach after breach and 0day after 0day I watched (and sometimes contributed to) commentary on what went wrong and how it could have been avoided.
The ‘obvious’ errors made by security functions and the lists of often basic controls we’re all shocked they haven’t implemented (or got right) yet. Overlay that with vendors and consultants splashily advertising their new or upgraded tools and processes. “We can detect and stop the malware (or other type of compromise) that took firm X, Y or Z down”. The megaphone of hindsight and media-piqued board attention, upping their chances of a foot in the door.
Calling that out isn’t new. The term ‘echo chamber’ has been wearily used by many influential commentators. We don’t just have breach fatigue, we have fix fatigue too. What I don’t often see acknowledged is this:
Many security professionals inside soon to be breached firms KNOW what’s broken. They KNOW what’s needed to fix it and IF the political wind and budget cycle are in their favour, they’re probably working their asses off to get fixes in place.
If they’re not listened to, or they’ve tried and failed multiple times to get things done, there are a couple of likely outcomes.

Jumping ship to consult or collapse

The most likely upshot: They will leave. Taking their hard-won local risk and environmental knowledge with them. Knowledge that takes years to accumulate, so recruiting to fill gaps won’t work.
They will often turn to consultancy, because consultants – ironically – get better pay, a fairer hearing, better access to decision makers and they frequently get to leave before the true pain of implementation takes hold. Or they get ill. I’ve been given empirical evidence of high rates of stress-related illness among security professionals. There could be a plethora of reasons for that, but working unacknowledged and inhuman amounts of extra hours to achieve things, things often de-valued or made impossible by political battles (or the next round of budget cuts), could well be a factor.
So perhaps the next time you get jumpy about the cyber skills shortage or wonder at the persistent lack of women in the trade, consider this: The problem might not just be the pipeline of professionals. It could also be the overabundance of cultural issues that often make attempts to mature security thankless, intensely stressful and painfully repetitive.

Two sides to every story

Of course not all security professionals are good and not all businesses are bad (as I’ve been careful to point out thus far). The rapid weight of tech and threat evolution hangs heavily on everyone. For both boards and security bosses, knowing where to turn for good advice and where to start can be incredibly tough. Businesses struggle to spot the good guys with the skills to help them, mainly because we still rely too much on qualifications as a measure of expertise. A benchmark for a great security leader and great specialists of various flavours isn’t out there and needs to be.
It must also be acknowledged that many non-security staff are as much victims as creators and perpetuators of cultural problems. It is a top to bottom set of problems and will require top to bottom solutions. It’s a lot to take on, but it starts with small steps…like patience;
Patience to explain and understand the impact of destructive cycles on the security function, the business, it’s customers and it’s shareholders. Patience to work out what your risks really are and which are a priority (in the context of business objectives) to fix. Patience to take stock and be honest about the old, less sexy vulnerabilities linked to infrastructure, processes and security education. Patience to pause and properly assess peoples’ potential instead of filing CVs in the bin that don’t hit the right qualification acronym or keyword. Patience (when something goes wrong) to confirm whether a big ticket fix is the most effective way to reduce risks. Patience to get remediation in place (something that’s been broken for a decade isn’t getting dramatically riskier if it takes a few months to sort out). Patience to give solutions a chance to work.
That, I would strongly argue, is the rarest and most valuable resource in cybersecurity – if you find me a vendor selling it at a cost-effective price, I’m in.

Part One – Wild Speculation & IT Transformation
Part Two – Fatal Fails, Piecemeal Resurrections & The Budget Battleground
Part Three – Lines Of Progress-Limiting Defence
New post – Permission To Be Crap At Security…at least for a while – coming soon

This post is based on my personal opinion and is not intended to reflect the opinions or practices of any past or present employers.

Some overdue acknowledgements:

  • The title is obviously an homage to a phrase coined by Peter Drucker “Culture Eats Strategy For Breakfast” later amended, by Dick Clark of Merck to “Lunch”. Here’s an article inspired by that on Huff Post’s Corporate Acupuncture blog. It includes comments on the effect of technology.
  • Whack-A-Mole – A phrase Charlotte Tschieder used to describe the way we point and pick at random solutions. I’ve reused it ever since.
  • Security Debt – I’ve referenced the post where Richard Stiennon coins that phrase in each of the four parts of the story, but here’s the link again.
  • Dr Daniel Dresner – Thank you for reviewing this and apologies for taking little of your advice.
  • Finally a thank you to all of the business and security people who have trusted me enough to discuss their triumphs and frustrations over the years. I hope I haven’t misrepresented you in this series of posts.

Opinion: Paying to play with our personal data – is it ok?

We’ve migrated from ‘Hot or Not?’ to being held virtually hostage by many of the digital platforms we rely on today. In the midst of that a new processing paradigm has emerged. Myriad startups want to pay to play with your personal data. Can this tackle on-going...

In AI we will blindly trust…

...and the architects, designers, data scientists, and developers will think we are nuts I've been driven back to the blog to talk about one very specific aspect of privacy, data protection and Artificial Intelligence (exchange for Machine Learning or Algorithms as...

Data Protection, Security, and the GDPR: Myths and misconceptions #2

Welcome back! This is a shamefully delayed sequel to my first instalment of security themed GDPR thoughts: Data Protection, Security, and the GDPR: A fraught and fuzzy relationship. Here I look back again over my pre-privacy IT and InfoSec career to spot things likely...

Where and to whom does the GDPR apply?

Yeah, I doubted my sanity going at this one too, but here I am, because working out whether or not the GDPR would apply in different practical and geographical circumstances is proving harder than it really should...for everyone. This regulation has been my almost...

GDPR – You’ve analysed the gaps, but can you close them?

  There is a critical gap for most firms: An inability to interpret and leverage gap analysis, data discovery, and mapping output to actually implement technical data processing change. This article is about the challenges most large firms are facing when trying...

GDPR – The Compliance Conundrum

There is one question related to the General Data Protection Regulation that will arguably cause more ulcers than any other: How much is enough? In some portions of the GDPR 'good' is straightforward. In many others we are asked to respect principles of fairness and...

Opinion: The role of automated data discovery in a GDPR programme

Do you have any online profiles or posts featuring those 4 magic characters: G D P R? If so, whether you are a business decision maker, IT body, security body, charity boss, employed data protection pro, or job seeking data protection pro (less and less likely), you...

When Business Culture Eats Cybersecurity For Breakfast – Part One

A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security. Wild Speculation & IT Transformation Do you remember Nick Leeson? On February 23rd 1995 he sent a fax telling bosses at Barings Bank he was ill and wanted...

Cyber Insurers Dictating Cybersecurity Standards?

A run down of the key challenges with choosing and using cyber insurance called out in the last few months. It looks entirely possible you will have 'adequate' security dictated by your insurers, so it is your job to understand the risk based yardstick they're using...

There Is No Such Thing As Information Security Risk

Having worked in IT and Information Security for 13 years, I've come to the conclusion that there is no such thing as information security risk. There are just business risks that have one or more security or IT related causes. There is a fundamental and persistent...