In a recent article, Rupert Goodwins wrote that Information Security technology is a sham. His thesis is that for all the innovative technologies in the marketplace, they routinely fail to fulfill their fundamental purpose of protecting a business. Every new breach report confirms this.
Goodwins’s statement is bold. It is also, sadly, fairly accurate. IT departments are overstuffed with technology and understaffed with people. The RSA conference this year was bursting at the seams with vendors, each tripping over the others to stake out a unique position. Yet few had an answer for helping people become better security analysts.
Has information security seriously become a sham?
Let me tell you about a guy I know… Wait, rewind. Let’s start at the beginning.
At Anitian, we believe security is essential for growth, innovation, and prosperity. We agree information security is struggling. This struggle is not one of innovation or attention; we have plenty of both. Our struggle is an existential one. Maybe it’s not another piece of technology we need.
We can start our descent into mayhem with some fundamentals about technology and humans.
Built to Collapse
Why do technology companies get started? On occasion, an Elon Musk style entrepreneur emerges who genuinely wants to change the world. Unfortunately, this is uncommon. More often, people start tech companies to make money. Now, there is nothing wrong with that, but it does breed a certain type of business.
Today’s tech companies are on an eternal treadmill of hunting for money. Whether it is sales to fund operations or investors to fund growth, there is never enough. Information security is difficult to scale. The market must constantly be reacting to the latest threat, making it difficult to build long-term value into a single platform.
When money is all that matters, then selling is all you do. Marketing and messaging are not merely a priority, they are the only priority. Product quality, capability, and scalability are only important if they help move more units through the channel. The cybersecurity market is littered with technologies that sell modest technical improvements and monumental marketing messages.
Palo Alto Networks comes to mind here. They were one of the first cybersecurity firms to strike gold on an incremental technical improvement mated to an aggressive marketing machine. Once PAN made all that money, there were a thousand copy cats behind them. Yet, PAN is not to blame. They were just doing what so many before them had done, like Apple.
This has become a rather reliable playbook for tech companies (including information security):
- Identify an incremental technical improvement (or a feature)
- Productize that incremental improvement with some adorable name
- Aggressively sell it as some profound “game-changer”
- Use your marketing and messaging might to convince people that they are losers if they do not have your brand of tech
Ultimately, we have a marketplace littered with technologies that make monumental promises with marginal improvements. However, this is only part of the sham. The other dimension of this problem is right at the tip of your nose, or some other sensitive part.
Big Boy Syndrome
Recently, I read a science article about monkeys. Researchers had found that male monkeys with the loudest screams tend to be the weakest members. This is how we simians are built. We compensate for weakness. We buy giant trucks, huge houses, big dogs, impressive laptops, and racks (or clouds) filled with big-name security appliances.
This is the “Big Boy Syndrome” — the need to compensate for feelings of cybersecurity inadequacy with increasingly larger and more complex technologies. If you want to be a Big Boy CISO, you absolutely must have this Next Generation Kill Chain Blind Spot Threat Intelligence Deception Behavior Analytics Appliance … IN THE CLOUD.
Of course, we all know how this turns out. It is the core message of Goodwins’s article. All those Big Boy technologies invariably fail to deliver on their promises because the people who must use them become overwhelmed. Then a breach happens. Fingers are pointed. Blame disseminated. Krebs blog notified. Termination letters sent out.
Or to make matters worse, those Big Boy technologies actually become the vulnerability hackers exploit. We have a library of penetration tests at Anitian where we compromised a security product, only to use it against the target company. The rush to put more appliances in the channel can lead to shoddy engineering.
However, technology is a defining trait of our species. It is the only thing we as a species have going for us. Lacking fangs or claws, technology is our thing, and we are quite good at it.
Perhaps we are too good at it. We have invented so much technology now, that we are no longer mentally and emotionally able to handle its complexity. That complexity has overwhelmed us.
As Tyler might say, the things you own, end up owning you.
Lacking the capacity to manage complexity, we fall victim to our own biology and fall into a destructive positive feedback loop.
- I am afraid of a breach
- I do not know what to do, so I buy all those BIG BOY APPLIANCES that promise me safety from the hacker scum
- They do not work as promised
- I scream loudly and blame the hackers, terrorists, Russians, Chinese, commies, creeps, bronies, etc.
- I compensate for my deepening insecurity with… yep you know it … MOAR TECHNOLOGY!!!!
You are not your NGFW (or your khakis, for that matter). You are a space monkey, ready for evolution.
Tyler Durden also said, “It is only after you lose everything that you are free to do anything.” Maybe we do not need another technology. Maybe we need to lose everything in cybersecurity? Maybe we need to unplug everything for a bit. In those ensuing moments of panic, we may get some clarity.
The answer is not another product, it is leadership. We need people who can lead us, inspire us, and unite us with technology. We need leaders who can inspire us to act, rather than react. We need technology and people to start working together.
Our battle is not one of endpoint defense or network anomaly detection, ours is a moral battle. If we want to win this cybersecurity battle, we must set aside the all-encompassing thirst for money, power, and technology and find the things that inspire people to unite.
We need Next-Generation Security Leadership.
What does this look like? What does a next-generation leader sound like?
I began this exploration by talking about greed. Greed can be a good thing when it is applied to the right things. A thirst for growth and accumulation is a healthy activity for humans. We just need to change what it is we are accumulating and striving for.
1. Stop Accumulating Technology, Start Accumulating Intelligence
The next generation leader is not accumulating technologies, he/she is accumulating intelligence. Whether that is human or machine intelligence does not matter. Both are necessary. A great leader places value on new ideas and practices over new technologies.
Now, this is not to say technology is bad. Technology is fantastic. As mentioned earlier, it is a defining trait of our species. Yet technology cannot replace humans, well, not yet.
2. Stop Trying to Win, Start Losing Better
What is there to win? It is easy for us to cast everything in IT and security as a struggle between right and wrong, black and white, good and Comcast. Ultimately we win nothing. It is foolish to think we can win every confrontation with a hacker or malware. The attacker always has an advantage. They can always win an initial engagement.
Stop trying to plot out every tactic and attribute every technique. Focus on how you can quickly recover when you get hit. As Rocky Balboa might say, “it ain’t how hard you hit, it’s about how hard you can get hit and keep moving forward.”
Build technologies, practices, procedures, and people to be agile. This is why the concepts of DevOps are so valuable to security. They champion agility and quick thinking rather than perfection and consistency.
3. Stop Talking to Vendors, Start Talking to Leaders
Kick the VARs and technology vendors out of your company, right now. Most importantly, restrict their access to your team. Technology salespeople feed upon the weaker members of your team. Every free lunch is another push to get you to buy technologies you either do not need or are unprepared to manage.
Rather, start talking with leaders, thinkers, and scientists. Teach your team how to analyze, communicate, and inspire. One of the best security videos I ever watched had nothing to do with security. It was Simon Sinek’s Start with Why.
4. Stop Knowing Everything, Start Listening
The difference between amateurs and professionals is that amateurs know everything, while professionals know their limitations.
If you are not sure what to do, then be honest with yourself. It is not weak to say “I need help.” We are uncertain because life is uncertain. Cybersecurity is complex. It is foolish to think you, or anybody, can know everything.
Great leaders are humble leaders. They say things like “I don’t know, but let’s find out” or “I want to hear your ideas.” They also engage people who can help them. And help means good SecOps, not another piece of equipment.
5. Stop Checking Boxes, Start Pushing Buttons
Stop the infernal treadmill of pointless audits and assessments for the sake of doing an audit. Start pushing yourself and your team with tests that genuinely evaluate readiness and capability. Get out of the comfort zone, and get into the discomfort zone. You will never improve if you do not test your limitations.
How Is That Working Out for You?
Information security is not a sham. We have let it become a sham. With each new product, we mire down our creativity and ingenuity, because we expect somebody else to do it. We believe technology will save us.
This is your information security program, and it is failing one day at a time. Only you can save you.
You cannot outsource leadership, ingenuity, and responsibility. You must own those all the way. Sticking anomaly detection in your cloud does not make you secure. So I say, let’s never be complete. Let’s stop being victims of the vendors. Let’s evolve, let the chips fall where they may.
I know this because Tyler knows this.
That’s it, I’m naming my next firewall project, “Project Mayhem”.
Hopefully nobody dies. This time.
Information Security Technology has always been an arms race. Putting all of your eggs in one basket (with a single security vendor) is not a viable approach. Multi-layered best of breed security architectures remain “the right thing” in my opinion. Primary objective has always been to make it as inconvenient and time consuming as possible to gain a foothold.
One does not improve in anything by talking to leaders… interacting with others who have similar challenges and experience that employ different techniques is of significantly more value.
I did not improve my chess/tennis/…. game by talking to leaders or playing others with less skill.
What do you think the vendors should do? What kind of products or services will help this problem and get us out of this state?
If vendors will keep on pushing products using the mentioned techniques I’m afraid there won’t be any change.
It is not the vendors who will change, but the buyers. CIOs and CISOs must control the interaction their people have with vendors much more carefully. When we advise companies, we suggest that vendors and VARs be managed through a single contact, and that person be excluded from any lunches or similar kickbacks. Any vendor meetings must have a clear agenda. But moreover, any new technologies should be done in a controlled fashion, with clear business, technical, and financial objectives. There is still plenty of room for VARs to add value. Just restrain them from distracting the team with marginally beneficial solutions to problems you may not even have.
I would like to echo that in business the technology compensates for the ability for Security Teams to leverage human expertise. In my experience, Security is attached to Operations and Operations is a cost center, and a homely one at that. The NGFW, on the other hand, is a sexpot. And totally worth the expense because you can tell your clients “We have the cyber security nuke-it-from-orbit wiz bang on the rack and it’s ready to defend YOUR data,” which sounds a lot better than “We’ve got Greg from Security on it. Sure, he doesn’t like people and lives off of Mountain Dew Code Red, but he’s been reverse engineering code since he was old enough to reach the keyboard.” So the money and effort goes to the rack trinket, and Greg, in his darkened cubicle, is unable to get the sign-off or funding to defend the business using his expertise. To the C suite, technology sounds safe, people sound unreliable, no matter how razor sharp and experienced they are. Until the sea change occurs when human experience is valued over slick gadgetry, I’m afraid we’ll limp along in our current state.