
Thursday, 30 Jul , 2015

When Business Culture Eats Cybersecurity For Breakfast – Part One


Wild Speculation & IT Transformation

A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security.

Nick
Do you remember Nick Leeson? On February 23rd 1995 he sent a fax telling bosses at Barings Bank he was ill and wanted to resign. I’m not surprised he felt sick. He had lost what eventually added up to 1.4 BILLION dollars (£867mn) of other folks’ money, trading futures on the Singapore money markets.
There is fairly comprehensive consensus that this unthinkable loss was made possible by a lack of effective management and regulatory oversight. A lack of oversight encouraged by the testosterone and reward fuelled excesses of the boom years preceding the crash before last.
It’s deeper than that though. Not only was it a culture that offered exceptional financial rewards for exceptional risk taking, it shook off spectacular losses by making bigger bets and wrapped it all in a culture that ate its young if they didn’t show a killer instinct. A killer instinct that resonated through the global markets, creating self-fulfilling prophecies via the financial media and smoke-filled rooms reeking of mutually dependent pots of money.
Dealing in futures is much like dealing in ways to mitigate the risk of a cybersecurity incident, only with less history and experience to refer to. Instinct tells us that past incident avoiding experience is no indication of future incident swerving success, but uncertainty is not well tolerated.

Confidence tricks

Those whose mojo seems to work in the short term get trust and backing to gamble harder. Bosses are ill-equipped to understand the real value behind the spend. Both poor professionals and overenthusiastic vendors hang promises on tender psychological hooks. Board members are helped to overcome the discomfort born of being on the back foot by pitches fostering righteous indignation about those who dare to threaten them and horror at the thought of presiding over a big breach.
Too often the sharpest suits with the most board-friendly patter win the day, regardless of their experience and expertise. It doesn’t matter that they can’t illustrate a connection between advertised results, spend, effort, time and the effect on real risks (or opportunities, depending on your spin-tolerance).
In the fundamental facts behind Nick’s story you can also find the foundations of our latest global recession. This time the bet was on the future of debt – banking on repayment covering the price paid for a packet of debt bought and sold on the open market. A debt whose price fluctuated in a way that did not reflect its likely value. Much like the long-term (or at least cyclical) underspend on security found at most publicly traded firms, and at even more of the private and public sector organisations that aren’t listed.

Juggling security debts

We’re juggling our security debts (something Mr Richard Stiennon recently proposed a way to quantify), variably estimating their value and watching them gleefully handed over from one departing board member to the next. Then some pain hits. An acquisition squeezes profits, a misjudged strategy nails the share price, or external market conditions get dicey. Margins and shareholders need a boost. The quickest way to achieve that? Cut costs…overhead costs.
Experts come along. Not security specialists. They usually have CVs trumpeting IT transformation prowess (or other euphemistically loaded equivalents). Gurus with mega per diem price tags, schlepping round huge companies selling their IT and security – often viewed as the same thing for this purpose – overhead cutting wares. Savings parlay into golden handshakes, huge bonuses and golden parachutes. A killer instinct, a reputation for making the hard (headcount cutting) choices, goes with the territory.
Pushing those savings to and beyond the limit of sustainable IT and security operation adds to our debts. Ones we hope won’t end up in a market crushing critical mass of defaults. In our analogy that’s a devastating outage or security breach. Causes can be many and varied: IT instability, lack of solid enough foundations to bear the weight of growth, stacked vulnerabilities opening multiple doors to attackers and/or pared to the bone supporting security operations presiding over erosion of basic access, patching, monitoring, incident management, change assurance, supplier assurance and [insert the other stuff that slowly gets nailed] type activities.
Oftentimes the horrific fallout from that will be visited upon a leadership team that didn’t exist when the pattern was established and the transformational gurus? Long gone…bonus and polished CV in hand.
Why won’t folk see it coming? Because the reputation staked is bigger than a single individual and relies on the transformation being seen as the right thing to do. A constructed truth, signed in career limiting blood and inherited by the next body through the door. Often heralded as a resounding success – see the upswing in market confidence and rebounding share price for details.


Part Two – Fatal Fails, Piecemeal Resurrections & The Budget Battleground
Part Three – Lines Of Progress-Limiting Defence
Part Four – Chucking Boulders In Our Glass Cybersecurity House


This post is based on my personal opinion and is not intended to reflect the opinions or practices of any past or present employers.

