There is a subject that I've been meaning to write about for a very long time now. I have worked in multiple enterprises over the years and I've seen trends at almost every single one that seem to repeat themselves.
The main pattern I see is that a dynamic security team is built up to tackle the security of the environment. This is usually a strong team that works long hours to build, or rip out and replace, all of the elements that are missing. The build-out will usually take two years, give or take, and then shift into a maintenance mode.
This is the part where I, and a lot of good people that I've had the privilege to work with, would usually pack up and move on to the next challenge. Herein we see the law of unintended consequences come back into full view.
The builders give way to the maintainers. Not that there is anything wrong with that per se. What I have seen happen in a few organizations is that they get used to doing things a very specific way and rarely think beyond the confines of their box. They have their infrastructure and governance framework to operate within, and not a whole lot of incentive to approach things differently.
They had become comfortable.
I suffered this at one point in my career. As an experiment, I decided to come in every day for a week and merely surf the web. I would answer no emails. I would only attend meetings and answer the phone. That week I had exactly one meeting anyway. On Friday I realized that, having done what I considered to be nothing, I still managed to be productive, and that was frightening. What really terrified me was that my co-worker had been running the same test during the week. To this day we still chuckle about that. What this exercise really hammered home for us was that it was time for these builders to move on.
We were getting complacent.
I learned that security teams cannot sit on their laurels and enjoy the ride. We as security practitioners as well as at an organizational level need to be uncomfortable.
Let me explain what I mean. If your security practice, or even you yourself, have become stuck in a rut, there needs to be a change. Whether that is moving on to a new job or simply reviewing the way security is being managed in the organization, it should be clear that inertia kills.
In that particular instance, my choice was to move on to new career opportunities to keep things fresh. We can never afford the choice to sit idly by. With the Information Security field constantly changing, we need to adapt in order to grow.
This is where we need to change fundamental behaviors. Rather than being defensive when new technologies are introduced, we should take the time to learn them and embrace them where appropriate. A perfect example is cloud computing. I routinely run into security practitioners who are stuck with an inability to accept it, as in a lot of cases it is orthogonal to their knowledge base. In order to grow, this needs to change.
Is your organizational security program doing the same thing day in and day out? I once spoke with someone who worked for a company where a production database had a peculiar script running. On a weekly basis it would back up the database and ship it to an archival server. This was going on for five years, apparently. No one had thought to check the destination IP address. When he had a look...well, that didn't end well. For five long years no one had challenged that. They were comfortable in their routine. It is time that organizations, as well as ourselves, become uncomfortable.
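The five-year backup script is the kind of thing a routine check would have caught. The following is an added example, not code from the original post, of the sort of audit a practitioner could run over a crontab: it pulls the destination host out of every scp or rsync job and flags any destination that is not on an approved list. The crontab lines, the approved network 10.20.30.0/24 and the hostname archive.corp.example are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample crontab (not from the original post). The third job
# ships the backup to an address outside the approved archive network.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * 0 /usr/local/bin/pg_dump_all.sh | gzip > /var/backups/db.sql.gz
15 2 * * 0 scp /var/backups/db.sql.gz backup@10.20.30.40:/archive/
30 2 * * 0 rsync -az /var/backups/ backup@203.0.113.77:/archive/
45 2 * * 0 rsync -az /var/log/app/ backup@archive.corp.example:/logs/
"""

# Assumed allowlist of where archival copies are permitted to go.
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]
APPROVED_HOSTNAMES = {"archive.corp.example"}

# Matches the remote target of an scp/rsync command: [user@]host: preceded
# by whitespace, so paths and flags earlier on the line are skipped.
DEST_RE = re.compile(r"(?:scp|rsync)\b.*?\s(?:[\w.-]+@)?([\w.-]+):")


def extract_destinations(crontab_text):
    """Return (line, host) pairs for every scp/rsync job in the crontab."""
    found = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = DEST_RE.search(line)
        if match:
            found.append((line, match.group(1)))
    return found


def is_approved(host):
    """True if host is an approved hostname or an IP inside an approved network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal; treat it as a hostname.
        return host in APPROVED_HOSTNAMES
    return any(addr in net for net in APPROVED_NETWORKS)


def audit_crontab(crontab_text):
    """Return the destination hosts of jobs that ship data somewhere unapproved."""
    return [host for _, host in extract_destinations(crontab_text)
            if not is_approved(host)]


if __name__ == "__main__":
    for line, host in extract_destinations(SAMPLE_CRONTAB):
        status = "ok" if is_approved(host) else "UNAPPROVED"
        print(f"{status:10} {host:24} {line}")
```

A hostname on the allowlist is only as trustworthy as the name resolution behind it, so in a real audit the check should also resolve each hostname and confirm the resulting address sits inside an approved network, and the list of approved destinations should itself be reviewed on a schedule rather than assumed.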
(Image used under CC from stonelucifer)