A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security.
In the last two parts of the story, using Nick Leeson’s take down of Barings bank as an analogy, I looked at the boom/bust cycle of security spending, typically driven both by business-wide cost challenges and by incidents, audit points and regulatory findings. Things change at the top when things explode. The new brooms often choose (or are often cornered into choosing) big ticket, fast and usually piecemeal solutions. At the same time security debts, built by decades of persistent or cyclical underspend, continue to grow: debts mainly linked to the less sexy foundations of sound security.
A nod was given to the kind of leader needed to try and break this cycle, the almost impossible task of doing so when competing for spend in the same budget meeting as IT and the utter impossibility of doing so if culture is broken in other lines of defence. That latter point is the one I’m focusing on in this instalment.
Lines Of Progress-Limiting Defence
If you want to change business culture as it relates to security, your risk, audit and regulatory assessors have to come along for the ride. But those bodies have credibility and budget to retain too.
They don’t fare well when flying in the face of prevailing political wind. If it’s a storm, like the one described in parts one and two of the story, they may pull on waterproofs and pick up buckets, but fail to point out holes in the roof. Why? Because they too can lack the deep and long view of what constitutes ‘good’ security, or unilateral power to pull everyone else in a less well-known direction. Reliance on compliance is a natural result. It’s a battle with solidly drawn (albeit infantry exterminating and increasingly ineffective) lines.
This is a mash-up example put together from hundreds of conversations. It is intended to show how groups that should (in theory) all point in the same secure, growth-promoting direction can end up doing the opposite.
Best laid plans
Imagine there’s been a breach at a vendor site. Regulators get wind. Auditors descend. Damning reports call out systemic failings in security due diligence and ongoing supplier security assurance. Much money is spent on consultant-led gap analyses, strategy formulation and high-level plans.
Expensive new staff are recruited to start assessments far later than planned (all that gap analysing, strategising and planning takes follow-on-work-generating time). Senior stakeholders are breathing down the neck of the consultant left in charge of activity. Initial results come in and cause a stir. Is excitement about good progress being made? NO. The excitement is about the first meaty bits of non-compliance uncovered. Why? Because that’s what everyone had been told to expect. It justifies the existence of the team and the pricey lead up to the activity.
What happens after findings are presented? The board want issues fixed NOW. Old issues which flew under the light touch radar of past governance. Issues which often don’t actually constitute an intolerable risk.
That latter point is important. There is such a thing as a non-compliant control that presents a low risk (or at least a temporarily tolerable one). Also, with tech focused standards, fixes are frequently expensive and disruptive to implement. Third parties can have equally difficult cultures and the process of getting them to put controls in place – controls they may not be contractually obligated to implement – is a difficult one. If culture is broken and “I don’t care just get it sorted” is the prevailing ethos, you end up with mountains of minimally productive effort and misdirected pressure.
This can derail work to embed, operate and mature the assurance framework and as mentioned above, fixes cannot be pulled out of a hat. The hard line taken with suppliers kills the collaborative relationships established and all sides dig their heels in. Deadlines are set too tight by a keen to please consultant manager (conscious they won’t be in post forever and hungry for a marketable win). One or two are met, but others are repeatedly missed.
Thus the function’s reported productivity and therefore credibility, progressively declines.
Many masters, multiple agendas
Risk functions have reports to file that HAVE to show quarter on quarter improvement (the CRO says so). They are watching closely, pushing for positive updates and escalating news of delays through their reporting line. And audit? From the very start they were the primary recipients of MI on progress against the strategic plan, but when things come to a high profile head they redefine success factors to match the short-term expectations of the board. It becomes too politically dicey to challenge the value of hitting small operational targets, at the expense of embedding a longer-term solution. A solution that once had potential to be a sustainable means to treat the aggregate supplier security risk.
Finally regulators (sick of misinformation about timescales for progress) put their foot down. Perhaps news of challenges filters through, but too late. Internal oversight functions have previously reported the kind of optimistic picture they knew the board would approve, so it just sounds like excuses. When regulators shout ‘jump’ the whole business says ‘how high’. Now overstretched and de-motivated staff are working double overtime on reports for risk teams, reports for audit, reports for regulators and weekly (or even daily) updates for 17 different directors, who had ignored related risks until issues landed with a crash on the board agenda.
…and around we go again
Against that backdrop another bust cycle begins. Cost challenges result first in a cull of the budget for externals. The contractor managing the supplier governance service moves on. Another body comes on board. Another body who is handed 3 key challenges:
- Fix the high rated non-compliances, by extended (but still brutally tight) deadlines
- Clear the backlog of assessment activity and
- Cut the run budget by 30%
Despite appearances, number 3 is the priority. “We all have to pull together and work smarter to help the business achieve its objectives”. But what if there is no more ‘smart’, because smart is already working 2 FTE worth of hours (for reasons I’ve already illustrated)?
Deliverables 1 and 2 don’t really stand a chance. Perhaps the function limps on, progressively reducing quality and depth of assessments, de-scoping more suppliers or just letting the list of overdue fixes and assessments grow.
Eventually another supplier gets breached. Maybe one in the backlog, one already assessed but not yet fixed or (arguably harder to defend), one given a clean bill of health after a light touch assessment – the kind introduced after budget cuts. All that went before is likely to get swept away. After all it never delivered on promises, audit points are still overdue and the regulators are now threatening a formal investigation. Cue consultants and GRC tool vendors vying to demonstrate a better, more cost effective way…
…and around we go again.
How – after all that – does progress towards mature security look?
That just happens to be about supplier security governance (it seemed apt given the number of high profile breaches that have started with 3rd parties). It could just as easily be about an incident-driven plan to improve access management, security around development, management of existing vulnerabilities, mobile device security or data governance.
Any attempt to robustly reduce some of that security debt (however well sponsored, funded and planned) will fall on its face if you haven’t managed board-level expectations: expectations about findings, dependencies, limitations and the real effort required. It becomes an uphill or futile struggle if other lines of defence contradict your view of priorities and the scale of the challenge, either because they lack expertise and experience in the specific field, or because they’ve been politically trapped into trading their independence for survival.
But what can you do about that? Surely these are just facts of business life…
This post is based on my personal opinion and is not intended to reflect the opinions or practices of any past or present employers.