
Sunday, 02 Aug , 2015

When Business Culture Eats Cybersecurity For Breakfast – Part Four


Chucking Boulders In Our Glass Cybersecurity House - The fourth and final part of a story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security.

A story that began here.
In previous instalments of this story I ‘factionalised’ hundreds of past conversations about real-life security. Conversations with a huge range of individuals from the coal-face to the boardroom. Conversations that took place over lots of years.
We’ve talked about damaging macro and micro cycles: first the boom/bust of security spending and the accumulation of security debts. Key drivers include business-wide cost-cutting, battles for survival and a lack of knowledge of the full risk picture. Then there are the operational battles to embed and mature attempts to repay some of those security debts, frequently undermined by competing agendas and cultural issues in all lines of defence. Issues which can kill something potentially successful and send businesses back around the costly cycle of finding and implementing a new solution (or the same solution with new wrapping paper).
In amongst that there’s been a nod to the reliance on compliance and how that can be divorced from real risk mitigation, a look at the tension between IT and security and illustrations of behaviours that negatively impact business culture as it applies to security.
As explained in part two, it’s unlikely to all apply (I hope) to any single business. It’s more like a ‘Bottom 10’ of things that can go badly wrong and at the end of part three I made this statement:

“But what can you do about that? Surely these are just facts of business life…”

What indeed? In some ways it doesn’t matter whether or not these are insurmountable challenges because my core motivation wasn’t to present problems then offer magical solutions. Later there will be some suggestions and pleas for change (allowing for the fact that a cultural shift is a long-term goal), but here’s the real reason I’ve spent so many hours thinking about and writing this:

Chucking Boulders In Our Glass Cybersecurity House

This series of posts signals the end to a period of writer’s block. A block caused by disillusionment with many of the folk who publicly comment on our trade. Breach after breach and 0day after 0day I watched (and sometimes contributed to) commentary on what went wrong and how it could have been avoided.
The ‘obvious’ errors made by security functions and the lists of often basic controls we’re all shocked they haven’t implemented (or got right) yet. Overlay that with vendors and consultants splashily advertising their new or upgraded tools and processes. “We can detect and stop the malware (or other type of compromise) that took firm X, Y or Z down”. The megaphone of hindsight and media-piqued board attention, upping their chances of a foot in the door.
Calling that out isn’t new. The term ‘echo chamber’ has been wearily used by many influential commentators. We don’t just have breach fatigue, we have fix fatigue too. What I don’t often see acknowledged is this:
Many security professionals inside soon to be breached firms KNOW what’s broken. They KNOW what’s needed to fix it and IF the political wind and budget cycle are in their favour, they’re probably working their asses off to get fixes in place.
If they’re not listened to, or they’ve tried and failed multiple times to get things done, there are a couple of likely outcomes.

Jumping ship to consult or collapse

The most likely upshot: They will leave. Taking their hard-won local risk and environmental knowledge with them. Knowledge that takes years to accumulate, so recruiting to fill gaps won’t work.
They will often turn to consultancy, because consultants – ironically – get better pay, a fairer hearing, better access to decision makers and they frequently get to leave before the true pain of implementation takes hold. Or they get ill. I’ve been given empirical evidence of high rates of stress-related illness among security professionals. There could be a plethora of reasons for that, but working unacknowledged and inhuman amounts of extra hours to achieve things, things often de-valued or made impossible by political battles (or the next round of budget cuts), could well be a factor.
So perhaps the next time you get jumpy about the cyber skills shortage or wonder at the persistent lack of women in the trade, consider this: The problem might not just be the pipeline of professionals. It could also be the overabundance of cultural issues that often make attempts to mature security thankless, intensely stressful and painfully repetitive.

Two sides to every story

Of course not all security professionals are good and not all businesses are bad (as I’ve been careful to point out thus far). The rapid weight of tech and threat evolution hangs heavily on everyone. For both boards and security bosses, knowing where to turn for good advice and where to start can be incredibly tough. Businesses struggle to spot the good guys with the skills to help them, mainly because we still rely too much on qualifications as a measure of expertise. A benchmark for a great security leader and great specialists of various flavours isn’t out there and needs to be.
It must also be acknowledged that many non-security staff are as much victims as creators and perpetuators of cultural problems. It is a top-to-bottom set of problems and will require top-to-bottom solutions. It’s a lot to take on, but it starts with small steps…like patience:
Patience to explain and understand the impact of destructive cycles on the security function, the business, its customers and its shareholders. Patience to work out what your risks really are and which are a priority (in the context of business objectives) to fix. Patience to take stock and be honest about the old, less sexy vulnerabilities linked to infrastructure, processes and security education. Patience to pause and properly assess people’s potential instead of filing CVs in the bin that don’t hit the right qualification acronym or keyword. Patience (when something goes wrong) to confirm whether a big-ticket fix is the most effective way to reduce risks. Patience to get remediation in place (something that’s been broken for a decade isn’t getting dramatically riskier if it takes a few months to sort out). Patience to give solutions a chance to work.
That, I would strongly argue, is the rarest and most valuable resource in cybersecurity – if you find me a vendor selling it at a cost-effective price, I’m in.


Part One – Wild Speculation & IT Transformation
Part Two – Fatal Fails, Piecemeal Resurrections & The Budget Battleground
Part Three – Lines Of Progress-Limiting Defence
New post – Permission To Be Crap At Security…at least for a while – coming soon


This post is based on my personal opinion and is not intended to reflect the opinions or practices of any past or present employers.


Some overdue acknowledgements:

  • The title is obviously an homage to a phrase coined by Peter Drucker “Culture Eats Strategy For Breakfast” later amended, by Dick Clark of Merck to “Lunch”. Here’s an article inspired by that on Huff Post’s Corporate Acupuncture blog. It includes comments on the effect of technology.
  • Whack-A-Mole – A phrase Charlotte Tschieder used to describe the way we point and pick at random solutions. I’ve reused it ever since.
  • Security Debt – I’ve referenced the post where Richard Stiennon coins that phrase in each of the four parts of the story, but here’s the link again.
  • Dr Daniel Dresner – Thank you for reviewing this and apologies for taking little of your advice.
  • Finally a thank you to all of the business and security people who have trusted me enough to discuss their triumphs and frustrations over the years. I hope I haven’t misrepresented you in this series of posts.
