By All Means, Do As Little As Possible

I write this because I have had enough of arguing over the lowest common denominator when it comes to securing networks, servers and applications. Reading the articles in the various media and trade journals, one would get the distinct impression that putting forth any sort of effort is beyond a lot of people's capacity.

Do you people complaining about the difficulty of achieving compliance with a security framework ever listen to yourselves? I would say the answer is “No” because if you did, you would understand where I am going.

Do you realize that you are arguing over doing the bare minimum? I would guess that would be a resounding “No” because, again, you would understand where I am going.

If none of this rings a bell, then maybe this does. When was the last time anyone told you that only doing the minimum was acceptable? If someone did, they are not people I would want to associate with, because they are likely on their way out the door, as you will be shortly once that breach occurs.

All security frameworks are a bare minimum. They do not guarantee the security of anything. What they do is define the "best practices" or "common knowledge" of what it takes to have a reasonable chance of being secure. But it gets worse. Security frameworks require perfect execution, i.e., being compliant 24x7x365, in order to succeed. And as those of you complaining are rudely finding out, that just does not happen when people are involved.

In order to address the shortcomings of people, security frameworks are layered. You must have heard the phrase “layered approach” time and again during security discussions. The layers are there so that when people fail, their failure does not result in a total failure of an organization’s security posture. Where things go wrong is when there are multiple failures. It does not matter that things are layered when the vast majority of those layers are circumvented by multiple failures.

Oh, you do not think that is how a breach happens? Read the Verizon DBIR or the PCI breach reports: they list the multiple processes that failed and led to the breach, not just a spear phishing email or a compromised firewall. Those were the start of it all, but it was a lot of other things that ultimately led to the success of the breach.

Another rude awakening for management and security professionals alike is how easily all of that security technology they have invested in does nothing once a phishing email compromises an insider's account. That is because a lot of organizations' security posture is like an M&M candy: hard on the outside with a soft chocolate center on the inside. If you go back to the Verizon reports, read the details of how many attacks came to fruition through compromised insider accounts. They may not necessarily be categorized as insider attacks, but an insider was compromised as part of the successful attack.

Which brings me to security awareness training and the fact that people consistently complain that it is worthless. Did you people really believe that one session, once a year, is going to change people's bad habits? If you did, I have some property I would like to sell you. You must harp on this topic constantly and consistently. I know that is not what you want to hear, but people only learn by being told repeatedly to stop their bad habits. A lot of people approach this subject by making it annoying and painful, but it does not have to be that way. Repetition is the only way to have an effect; it will not happen overnight, and not everyone will learn the lessons. Security awareness takes years and lots of patience, but it does eventually pay off.

The bottom line is that security is a war between you and the people who want your organization's intellectual property, card data, medical records, financial information, or whatever information you are trying to protect. Wars are won or lost on the strategy used and the battle intensity of the soldiers involved. Wars and battles are not won with mediocrity, which is the approach for which you are arguing. Mediocrity in war is how people die, not how they survive.

Let me know how that mediocre approach works out. That is, if you are even around to let me know.


9 Responses to “By All Means, Do As Little As Possible”

  1. May 4, 2015 at 10:05 AM

    Wow! This nearly brought tears to my eyes, PCI Guru. I am constantly at odds with my merchants who want to do the very minimum necessary to let them check the compliant box. “What can I get away with?” and “Where are the loopholes and exceptions?” These are some of the questions I receive daily. And it’s going to be that way unless we can develop a culture and mindset of security.

    • May 4, 2015 at 2:54 PM

      Unfortunately, there are too many organizations, small, medium and large, that see any security program (i.e., PCI, HIPAA, FISMA, ISO, etc.) from a “check the box” perspective because they have not been burned yet. Whether they choose to bury their heads in the sand and ignore the issue or believe it will happen to the other guy, it is these folks that are the most likely to lose it all or come close to it.

  2. May 4, 2015 at 5:35 AM

    Excellent. I feel a sense of frustration, and I feel the same way, as management and others who run/own the businesses don't seem to understand or refuse to understand. I work with at least 1500+ business activities and most ignore PCI and, worse, don't support training for their people. Been in this boat for 4 years and can't get management to do something to support compliance. Ready to just call it quits.

    • May 4, 2015 at 5:58 AM

      I am just tired of the arguments that, for all intents and purposes, seem to revolve around the fact that people will have to get off their collective butts, do something and be accountable for what they do. I think it is that last part, being accountable, that is the largest sticking point. No one wants to be accountable any more.

      • Anthony
        May 5, 2015 at 7:02 AM

        Exactly, it's pure and simple laziness; substitute the DSS with any area of IT and the same would apply. I've witnessed for some time that IT and security professionals have resorted to the lazy person's approach after realizing that control was no longer available and that black boxes and overseas service providers are barriers to solving the "complicated" questions.

      • May 5, 2015 at 7:16 AM

        I think “laziness” is a bit strong. What I have experienced is more of a resignation to the fact that there is no time/money available to secure the mess and reduce complexity and therefore people just sit back because nothing can be done.

        Management wants results at all costs and there is no discipline in IT because saying “No” results in people going off and doing their own thing in the Cloud or with service providers. As a result, IT operations, development, etc. are sloppy and disorganized. They focus on today’s fires and never look any further down the road than tomorrow.

  3. Coop
    May 3, 2015 at 7:21 PM

    Great Blog!! I couldn’t have said it better myself!!

    • Steve R.
      May 4, 2015 at 2:03 PM

      You are spot on, Mr. Hall. It is exhausting listening to clients rationalize why: either the minimum is acceptable yet onerous and burdensome; or, that some automagical solution will reveal itself that allows the client to use a “risk based approach” to avoid achieving even that modest standard. If customer service is truly part of these organizations’ charters and missions, that should, I think, include protecting customers’ sensitive information from inappropriate disclosure and unauthorized use. However, passive observation reveals that, often, neither are a paramount concern nor a strategic priority. So, I question both the sincerity and appropriateness of making those representations if security is the also-ran from a strategic standpoint. I often remark to my children that lying to others is bad but that lying to yourself is even worse. The titular and nominal leaders laboring to avoid the work should indulge in some introspection and ask themselves whether they truly have their customers’ and their organization’s best interests at heart. Particularly when they invest more time searching for nonexistent shortcuts to avoid work rather than beginning to improve their risk posture.

      • May 4, 2015 at 3:00 PM

        I think people's expectations have changed over the years. There is this mistaken belief that the higher up the corporate ladder you go, the easier life gets when, in fact, it is exactly the opposite. And while technology has provided us the ability to know more about our organizations, it has also created a level of complexity never seen before. We no longer take time to clean up after ourselves as we are always moving on to the next new project. As a result, we increase complexity in order to get the next new "widget" implemented and end up with a Rube Goldberg mess of networks, systems and applications. This mess is virtually impossible to secure because there are too many opportunities for an attacker to leverage. Security works best in simple environments and unfortunately few organizations have the luxury of simplicity.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

May 2015
