Sometimes our efforts to explain security don’t connect with our audience.
Because security is complex and often hard to explain, we turn to hypothetical examples and try to help people understand potential consequences. Sometimes it works. And sometimes it causes an erosion of credibility.
Our conversation got me excited. Heck, it inspired me with an idea I’ll share in the coming weeks. Todd’s insights are a recipe for success for security leaders looking to make a difference.
A lot of people note security is built on people, process, and technology. You point out that the order is important to avoid failure. Why?
The success of a security program comes down to people, process and technology in that order - and if you try to change that order, you’ll fail. Hiring the best people and then helping them grow is the bedrock of any security program. As a leader, it’s your responsibility to set clear goals and a framework for people to work together and achieve those goals. Then, these processes need to be enabled with technology. Automate tasks that bore your staff, keeping their time focused on what is valuable to your business.
If you get these priorities out of order, you’ll end up making your people slaves to a tool or inhibit them by requiring them to execute a process that does not actually protect your business. Both of these are effective ways to get your best people to quit. But if you focus on the people first and empower them with processes and tools, the security posture of the entire organization improves.
In building your influence and getting buy-in, you recommend avoiding hypotheticals at all costs. What do you see as a better option?
When I talk about security processes that are valuable to your business, I mean paying attention to the real threats of today and not hypothetical situations. Twenty years ago we had to deal in hypotheticals because we had few examples to work off of, but today you only have to open the newspaper and count the headlines of the stories examining security. Read the news, talk to contemporaries -- there are real attacks happening every day. Learn from them and focus your energy on the threats that are most likely to have an effect on your business. Leaders expect reality in the executive suite and boardroom. Let this imperative flow deep inside your organization, and focus on the real problems and challenges you’re facing.
The best way to do this is to engage with other security professionals in your vertical. Share your stories and get them to share theirs. With attackers continually two steps ahead of us, the only way we all have a hope is to work together.
Why is it important for us to learn how to share information?
Information sharing is a powerful imperative. Sharing with your contemporaries is the best way to live in reality. Find and engage with a group that shares candidly about how they’ve been attacked. Reciprocate this by sharing your experiences. The odds are that if you’re in the same industry or you run in the same circles, you’re likely going to be attacked by the same people, using the same technology and processes to attack you.
Empower your staff to engage in communities that share techniques the attackers are using. One of the best things you can get out of these communities is indicators of compromise.
Organizations have long been hesitant to share information about security out of fear it will be used against them. But a good example of the power of sharing is the link between the Anthem, Office of Personnel Management (OPM), and United Airlines compromises. There were a number of perfectly shareable technical indicators that were reused by those attackers. When Anthem shared those indicators in the community, OPM and United should have taken action on them immediately. This is a regular scenario demonstrating how you have to enable your staff to share and then take it a step further and enable the processes to actually use those indicators.
You point out that sharing actually helps us improve how we measure. And that proper measurement is a key to engage and retain our teams. How so?
One of the most important components of a sharing-based approach to security is being able to take action on the indicators. Optimize your team around a number of metrics such as:
How quickly can an indicator be used to protect your entire enterprise once you know it?
How much staff time does it take to use an indicator to protect your enterprise?
How long does it take for a staff member to triage an infection event based upon an indicator?
How many false positives is your organization finding on the indicator per week?
The answers to these questions give you insights into how your people are working. It helps to identify processes you should focus on improving and helps you evaluate the tech and tools that help boost your team. Security people disdain the mundane. Proper measurement of the right things is a sure way to engage and keep your security team happy. Stop wasting their time on tasks that have no value.
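As an added illustration (not from the interview), here is how the four metrics above can be computed from an indicator-handling log. The data classes, field names and the sample indicators (a TEST-NET address and an `.example` domain) are constructed for this example; a real team would populate them from its ticketing or SIEM data.

```python
"""Metrics for a sharing-based security program: how fast, how cheaply and
how cleanly shared indicators turn into enterprise protection."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from collections import defaultdict
from statistics import mean

@dataclass
class Indicator:
    value: str              # the shared IoC (constructed sample value)
    received: datetime      # when the sharing group handed it to us
    deployed: datetime      # when detection/blocking covered the whole enterprise
    staff_minutes: float    # analyst time spent getting it deployed

@dataclass
class TriageEvent:
    indicator: str          # which indicator fired
    started: datetime       # analyst picked the alert up
    finished: datetime      # analyst closed it
    true_positive: bool     # analyst's verdict after triage

def mean_hours_to_protect(indicators) -> float:
    """Metric 1: received-to-deployed delay, averaged, in hours."""
    return mean((i.deployed - i.received).total_seconds() / 3600 for i in indicators)

def staff_minutes_per_indicator(indicators) -> float:
    """Metric 2: analyst effort to operationalize one indicator."""
    return mean(i.staff_minutes for i in indicators)

def mean_triage_minutes(events) -> float:
    """Metric 3: how long one infection event takes to triage."""
    return mean((e.finished - e.started).total_seconds() / 60 for e in events)

def false_positives_per_week(events) -> dict:
    """Metric 4: false positives per indicator per ISO week; an indicator
    that only ever produces false positives is a candidate for retirement."""
    counts = defaultdict(int)
    for e in events:
        if not e.true_positive:
            year, week, _ = e.started.isocalendar()
            counts[(e.indicator, f"{year}-W{week:02d}")] += 1
    return dict(counts)

# Constructed sample data: one fast, clean indicator and one slow, noisy one.
T = datetime(2024, 3, 4, 9, 0)
INDICATORS = [
    Indicator("203.0.113.7", T, T + timedelta(hours=2), 30.0),
    Indicator("evil.example", T + timedelta(days=1), T + timedelta(days=3), 90.0),
]
EVENTS = [
    TriageEvent("203.0.113.7", T + timedelta(hours=3), T + timedelta(hours=3, minutes=20), True),
    TriageEvent("evil.example", T + timedelta(days=4), T + timedelta(days=4, minutes=10), False),
    TriageEvent("evil.example", T + timedelta(days=5), T + timedelta(days=5, minutes=10), False),
]
```

Tracking these numbers per indicator source also tells you which sharing groups deliver intelligence your processes can actually act on.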
Put people first, deal in the real, share, and measure. Where do we start?
Regional sharing centers such as the Advanced Cyber Security Center (ACSC) or Information Sharing and Analysis Centers (ISACs) are a great place to start. Attend with the intention to meet as many people as possible, build relationships, and open up sharing channels. Work across the four points outlined above as your guide. Ask your peers how they are handling people, process, and technology improvements.
Encourage your staff to do the same for their relative discipline. Analysts can participate in indicator sharing groups where they compare technical notes on attacks they’ve seen. They’ll leave with piles of actionable intelligence about attackers. Collectively moving toward a climate of information sharing will empower us all to walk in step with - or maybe even one step ahead of - attackers.