Why seeking perfection in security actually increases risk

I often explain that security leaders face demands and pressures no other leader in the organization has – or understands.

The constant stream of negative headlines and fixation with breaches (just a symptom) increases attention on nearly every action security leaders take. That causes a lot of security leaders to try to meet an unrealistic expectation that they know everything. A suggestion that perfect security exists, and they can offer it.

That chase of perfection is unattainable; it carries an increase in risk.

Lance James (LinkedIn, @lancejssc) Chief Scientist at Flashpoint has some insights on how we can do better. I met Lance at InfoSec World this year. He presented the opening keynote. He was on the DTSR podcast (listen here), too. We had a series of good chats – fully of energy, optimism, and ideas for how we can advance the security industry.

Prior to joining Flashpoint, Lance was the head of cyber intelligence with Deloitte. He describes himself as “an infosec executive in the board room, a scientist in my mind, and a hacker at heart.” With 16 years of experience as a practitioner, Lance invests in the next generation through mentoring.  Where he shares his experience and learns. He currently heads R&D innovation efforts at Flashpoint.

During our recent conversation, we focused on the risk of perfection. More importantly, Lance offers insights on the positive outcomes of setting perfection aside and working to get things done.

Here are five questions with Lance James:

How does the expectation of perfection actually cause harm and create risk for security leaders?

First, you can start with the expectations and pressures in hiring the CISO and other vital security leaders.  We already are starting in wrong. Yes, do we want to hire someone that comes in confident, and can tell us what we need to do? Of course we do. But I’ve personally seen it go too far too fast – which then turns into the Superman-Complex – both on the expectation side to the CISO, and the expectations from the CISO’s mind outwardly.

When was the last time you heard a security leader say “I don’t know.”

And this is where we forget to begin…

Taught in some of the traditional martial arts such as Aikido and Karate-do, there is a concept called Shoshin meaning literally “beginner’s mind”.

“In the beginner’s mind there are many possibilities, in the expert’s mind there are few.” ~ Shunryu Suzuki

This concept is practiced by many of the great leaders that are in our history books. The idea that we are open, eager, and carrying no preconceptions when studying a subject even if it’s advanced or something we have done a million times before. As I like to think of it, a child’s mind in some ways – as children often don’t view things as hard or easy at the early stages in their life, but instead they only see opportunity.

So let’s go back, – what if we said to the board: “I don’t know.”

Is that OK?

In security, we are scrutinized by our peers due to the challenging and competitive nature of our field. We don’t get to be OK with not knowing anymore, especially when put in a leadership position of such responsibility.

What happens instead is that we are too quick on the draw with providing answers, and the incentive and the agenda for that answer is only to placate or please the requests from on high, thus keeping us in a tactically reactive state which detriments us in our field, as well stunting our capabilities as a potentially strategic leader.

We’re wired for speed in security. You suggest that leads to mistakes – especially in the emerging field of intelligence. How so?

This need to solve the problem yesterday and placate to the demand has also been the reason why many tend to walk all over organizations during the sales process. A question remains: Isn’t it time organizations that are tasked to defend themselves demand better from industry providers, instead of just buying and accepting what is sold and told to them, and time after time finding out it’s not actually working the following year ? What happened to solving the actual problems, by asking yourself what are we solving? How do we solve it? And WHAT DO WE NOT KNOW?

Being pushed by the provider community is due to this over perfection in the first place and our allowing of constant panic because nobody says: NO! Let’s stop for a sec, what don’t we know?

But let’s talk about intelligence:

Note the entire process is encompassed around Evaluation and Feedback – two of the most commonly ignored or skipped over processes of intelligence in our InfoSec community.

The drive for fast-paced answers in intelligence and companies having to service them dilute the understanding of what real intelligence is. Right now, most people are getting information. Without the analysis and production, we only have information. Threat feeds are just information, not intelligence. 

Intelligence includes the bi-directional relationships you’re involved with.

The back channeling of vital information in the traditional intelligence sense during WWII was based around the relationships that were built over long periods of time. It isn’t a race. I know that content is king, and data is the new bacon. But it’s not always instant, or big data, it’s smart data. Intelligent data that allows you to make a decision quickly. I would rather have slower delivered intelligence with high quality to allow me to understand everything about the decision I need to make.

We’ve seen how rushed intel creates wrong decisions in politics, so why are we not learning from those mistakes?

This is why feedback, evaluation with your clients – meaning sitting down and fine tuning, and prioritizing their interests and requirements are essential for both a successful relationship when interfacing with intelligence driven services, as well as evolving together. People who hire intelligence service providers, again demand this type of relationship – because you will then not only get the best bang for your buck, but you will help the vendor constantly improve as well, which will benefit you strategically in the long run.

That biweekly conversation is the difference between guessing what is valuable while throwing something over the fence vs delivering precision-based actionable value every single time.  

You suggest it important to stop showing off. And that we should substitute showing off with something more important. What is that? 

As we just discussed, relationships are essential in intelligence, and in business. You walk through an IT conference (not InfoSec) and you can see how those relationships help each other. In the InfoSec world we have very little trust of each other and it’s from top down we make our decisions on who we use and trust. Some security companies like to do what I call “stunt work”, for example an APT report that only speaks to the services of the security company or doing some cool hack (be it a car, or whatever) to garnish quick tactical attention, yet again yelling at people to be secure? Are either of those really solving the problem? Especially when it says at the end of such materials, “For more information please contact sales@oursecuritycompany”. How are we really helping – Protect first, sell second. Or in other words – solve a problem, the money will come.

Now to be clear, it’s all fine as security companies to put out reports, and papers on your products and solutions, but it’s really about whether those solutions truly solve a problem, not create more panic in our industry. There’s a balance needed, and also ethical disclosure practices that have been around for 15 years now. Some of the reports themselves have only served to cause panic, (and to note, these are very few and far between in our field) but they do cause a cascading copycat effect to newcomers in our industry just trying to make a buck and not really selling anything of true value, such as “unbreakable encryption” offerings.

There are many ways to show your thought leadership – you don’t need to draw a logo for the latest vulnerability you discovered or found on a client site because you do incident response for them.

Call me traditional, but the value of an in-person handshake doesn’t change, no matter what field we are in. Solve problems together instead of selling one-way to a desperate organization trying to machine gun his way into solving the problems.

Stop telling your prospective client you will have that extra feature in 3 months for them just to sell to them. I personally have literally said to folks – “no, I can’t sell this to you right now, it wouldn’t be right and you’re not ready for it. Here are the things you should do first before you come talk to us about this.”

We are InfoSec professionals and we have a responsibility. We don’t allow lemon cars, why would we allow ourselves to do that with technology or service that they either don’t need, not ready for, or doesn’t solve their problem?

Let’s talk about the lemon market and threat intelligence. In a world of panic and crisis, we open ourselves to being vulnerable to a lemon market in our field. How many threat feeds actually can you tell me work for you – and how much percentage to you actually operationalize? And how many threat feeds does an enterprise organization have in their environment… let’s not even add that cost up. Again a wide blanket approach to solve a problem because

1. They may not completely understand how to solve the problem and
2. They don’t know how to determine if the problem is going to be solved by the vendor and
3. How is the enterprise going to determine a quality threat intel service and guarantee consistency?

It’s not like food, where you can tell if it’s spoiled by looking at it. And the POC itself is expensive in time and how many times are we truly dedicated to our POC? And the fact that the vendor’s client can’t tell the difference between a peach or a lemon is going to cause the perverse incentives in this market today.

Quality takes time, and can be more expensive. Also costs… lemons start undercutting the peaches, and the lemons win… thus the dilution in the threat intelligence and security space in general and we are all still waiting on a superman, but we probably wouldn’t know how to tell the difference anyway as everyone claims to be him. So stunts work temporarily, but what needs to be figured out is the actual problem you’re solving and how much it truly should be invested in. If you don’t have that answer as the organization shopping for security, then don’t shop yet.

Another advantage to slowing down (and not showing off) is the ability to see more clearly. Why is that important?

Let’s talk about a threat intelligence “indicator” – how long will hashes, and IP’s that are always after the fact be helping you in the long run? Do you think sophisticated attackers that you can’t see usually are going to repeat themselves that often with the same techniques when they hack you after they hacked someone else? I guess that wouldn’t be very “advanced”.

What do indicators truly indicate? Let’s try this:

Answer those questions.

Many people do not realize that an attack isn’t an initiation – it’s a provocation to the attacker? But we always ask why did they do that? For example: One day there was a pop-star that had their twitter account hacked by an electronic army from the middle east and everyone always wants to just go after the simple why? But how do you ask why? When this was presented to me that day my question was: What (and where) was the pop-star doing at the time?

Those answers gave us more than just looking at indicators in a typical fashion:

We learned what media the attackers read

We learned why they did it and other potential future targets

And we learned the techniques, tools, and motivators that I described above that then can be used for understanding how to minimize a future risk, be it you’re a pop star, or an organization.

(The pop-star happened to be on a tour in middle east at the time for those wondering).

Perception management – think as if you are the attacker, and you feel provoked – why? What would provoke you, why don’t you like company X? Then as the company, what can you do to provoke less?

What can a security leader do to get started on this path?

The computers are doing just fine on their own – the vulnerabilities, the exploits, the crime, the attacks – all PEOPLE. Same with how we manage security as a leader.

1)     QTIP – Quit taking it personally

a.     You will hear so much more if you don’t take things personally – your ego won’t be wasting time defending, and instead you will be learning and listening and creating new ideas to solve these hard problems.

2)     Leave your ego at the login prompt

a.     Get humble. Start over, learn what you were like as the young hacker knowing nothing and pretend that is you all over again. Because it is, we just forget it. Whether you’re a CISO, a team lead, a security consultant, is there any harm in being humble and learning again?

3)     Be Honest with yourself and others

a.     This industry is founded on integrity – and sometimes we were too honest in the beginning telling everyone what they did wrong and how they are insecure. But… now it’s gone to us shifting or not wanting the accountability. Feel pride in your work, through accountability, honesty, and the thirst for knowledge and what you don’t know but could.

4)     Our InfoSec field is very negative – we get it, everyone is insecure and vulnerable (puns intended), but what is that serving you? Fear, uncertainty, and doubt? How is that working out in the long run? We all want something different and know it and feel it, so let’s do something different. Focus on your strengths, build a team around your weaknesses.

5)     Again, hackers were born from curiosity and persistence – a child-like mind. Why not be that again? We are all learning, and this is a daunting field with many unforeseen possibilities ahead of us, so let’s take them on one at a time with a beginner’s mind.