Why do mega breaches happen? Fire up the portal gun Morty, we are going on adventure.
Line up a thousand information security gurus across the cyber multiverse and you will hear them blame hackers, poor software design, lack of funding, Donald Trump, and a million other reasons that are really just symptoms of a larger organizational phenomena.
We do not need Mr. Meeseeks to solve this problem. Mega breaches are the result of a Culture of Breach:
- Poor leadership
- Lack of discipline
- Misguided focus
- Checkbox mentality
Now, let us explore these components to the Culture of Breach.
Information security is relatively new for most organizations. Fifteen years ago, there was no information security anything . As such, there are a lot of security leaders who simply do not know how to lead. They may have worked their way up in IT or audit, but they have never once had training in being a leader. Leadership is not something you just innately know. Like any skill, you must learn it.
How do we know these are bad leaders? They make excuses, blame others, and avoid any kind of accountability. Those are all the hallmarks of a bad leader.
Poor leadership begets a whole set of other bad behaviors. Perhaps the most destructive behavior here is to simply do what everybody else is doing. Weak leaders are more concerned with how they look than actually delivering results. As such, they focus on doing what they believe everybody else is doing. They line up at conferences (like RSA) and follow along with whatever the “Big Boys” are doing.
This leads to the next component of the Culture of Breach.
Lack of Discipline
Weak leaders who are focused on themselves, are undisciplined leaders. It takes genuine discipline to focus on results, especially in information security. Unlike software development, where success means a working application that everybody can see and play with; in information security, success occurs when nothing happens at all. It is difficult to stand in front of a Board of Directors and say “see, nothing happened, Great Success!”
Disciplined leaders understand this. They also have the tools around them to keep people focused on results. This means implementing practices that people will resist, but are necessary for sustainable security.
The most blatant example of this principle is patch management.
Patching is dull, irritating, and never delivers any sense of satisfaction whatsoever. It is also one of the single most important things you can do to protect a business. Yet it always gets thrown aside.
Lack of discipline causes poor leaders to lose sight of the goals. As such, this leads to the next item in our Culture of Breach.
When you combine weak leadership with a lack of discipline, you become focused on the wrong things. In information security, this manifests as focus on things that feel like you are doing security without actually protecting anything.
Common examples of misguided information security focus include:
- Fascination with hacking and attribution, neither of which improve the security of an organization
- Allowing VARs and vendors to constantly distract you from the goals with the latest technology.
- Writing stiff, long-winded, overly formal policies because you think it’s the only way to be taken seriously (when it actually does the opposite and makes people dislike you even more.)
- Refusal to share based on the idea that any form of sharing creates risk.
- Constant expression of indignation
- Need to belittle and denigrate people who you deem as inexperienced
Unfocused organizations are perpetually fighting fires and slapping band-aids on things. This is because they never stay true to the mission. At some point in the chaos of firefighting, weak leaders realize they can be held accountable for the lack of security. And this gets us to the final piece of the Culture of Breach pie.
Weak leaders know at some point, they will have to answer for the (lack of) results. Information security has created a whole universe of compliance and security frameworks that are easily twisted into a “Get Out of Hot Water” card: Checkbox Auditing.
It works like this:
- Weak leaders start focusing on compliance
- Compliance is pain
- Hire a checkbox audit firm and make the pain go away
- Get the auditors to checkity check check off all that security and compliance
- Now you cannot be blamed for the breach! You were just doing what they auditor told you to do!
Checkbox mentality closes the loop for the weak leader. Now they have a third party to vouch for them, absolving them of all blame.
As for the checkbox auditors, they do not care. Some of the largest most profitable audit firms have built an entire business empire on this model. It is tremendously profitable, because you do not have to hire competent people. Any nitwit with a laptop can checkboxes on a form.
Wubba Lubba Dub Dub
So why do breaches happen? This cycle is why. Hackers may be the cause, but you have no control over them. What you can control is how you respond to the threat of hacking.
Equifax was a giant pile of gold surrounded with a piece of string with a sign on it that said “don’t steal this!” The leadership at Equifax practically invited the hackers in with their irresponsible behavior, lack of discipline, misguided focus, and checkbox thinking.
The lesson here is simple: the most important part of your information security program is not the NGFW you select, not the pentest you perform, not the PCI requirements you meet, but the leaders you cultivate.
If you sincerely want to prevent a breach at your company, then end the Culture of Breach. Recruit, cultivate, and retain quality leaders. The rest of it will fall into place.