It’s time for security leaders to challenge dogma

Jason Brvenik for a Security Slap Shot on the need for security leaders to challenge dogma and replace outsized assumptions with evidence and better action


What are the key elements of a good security program?

Why did you answer that way?

It seems a lot of security is ‘handed-down’ knowledge. We pride ourselves on data- and evidence-driven decisions while suggesting security is too hard to measure and pin down. Curious, no?

Jason Brvenik (LinkedIn, @vrybdpkt), CTO of NSS Labs, suggests it’s time to challenge our assumptions and question the dogma of security to get better results. Jason’s career is marked by recognizing difficult challenges and applying new technologies and strategies to counter risks.

As CTO at NSS Labs, Brvenik oversees the company’s renowned independent testing and validation of security technologies, helping buyers find “truth in security.” Prior to NSS Labs, he served as Principal Engineer in the Office of the Chief Security Architect at Cisco, a role he assumed following Cisco’s $2.7 billion acquisition of Sourcefire in 2013. Brvenik was a Sourcefire Fellow and vice president of Security Strategy at the time of the acquisition. He spent 11 years at Sourcefire leading diverse business and technical operations for one of the security industry’s most influential and disruptive companies focused on network security and fighting malware.

He sets up and slaps a shot to challenge our dogma in security:

Confronting dogma and outsized assumptions in cybersecurity

I am always surprised at the outsized influence of assumptions and dogma in our cybersecurity field, since we operate in a world of objective results. These incumbent attitudes remain just below the surface and are easiest to spot when major incidents like the WannaCry or NotPetya attacks flood news cycles.

First—look at assumptions. Few things in security are certain, but it is striking how many decisions are still guided by gut reactions and what’s assumed to be true. Take the “defense in depth” concept of layered security. No one disagrees with the theory here. Yet despite our now mobile and cloud-driven world, the model continues ad infinitum, where new layers are continually deployed in front of each other to the point where actually managing all the layers introduces new challenges.

Defenses too deep to manage compound security problems, because new tools offering temporary peace of mind obscure the question of whether any real benefits offset their additional costs. Venture capitalists might not like to hear this, but I think we are already saturated with products for fighting known security spending catalysts like ransomware, which can and should be countered with existing technologies and practices.

Now look at dogmatic arguments characterizing security—too often used with media, executives and other crucial audiences. We still hear voices say that ransomware victims get what they deserve because they did not patch. Other experts lambast users running any version of legacy software. Blaming the victim is no more acceptable in the cyber domain than elsewhere. Yet others assert that developers cannot ethically end software updates for even decades-old code. Who else has heard that attribution is a crucial, fundamental principle of defensive postures—except when it is a completely irrelevant waste of time and resources?

Where does dogma come from? It is too easy to blame vendors and marketing hype. Dogma is ultimately fed by upbringing. We all learned security at different times in different organizations where we found reassuring “truths.” Depending on our mentors and the organizations we served, instincts on attribution, the human factor and other flashpoints make perfect sense to some CISOs and sound irrational to others.

With each of us responding to more executive questions and oversight, we owe it to ourselves to re-think our convenient illustrations and arguments.

Sometimes posing questions in heated situations is more important than registering an argument. We will never have all the answers and always draw on experience, but this does not mean we should settle for guesswork or polarize conversations.

My analysis (color commentary)

Jason nailed it. We rely on dogma and assumptions to make decisions while searching for evidence. I do think we’re at a pivotal time in the industry, and the more we bring this up, challenge our assumptions constructively, and support each other in the quest for truths, the better we’ll all be.

Your turn—react

What do you think about the dogma and assumptions of our industry? How do you propose we bust some myths and work together for a better tomorrow?

Take it to our Facebook page or engage with us on Twitter (@catalyst & @vrybdpkt).

Ready, set, react!
