Operations

9/15/2015
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Information Security Lessons From Literature

How classic themes about listening, honesty, and truthfulness can strengthen your organization's security posture, programs and operations.

As someone who enjoys observing the world around me, I try to learn from many different things.  Sometimes, my inspiration might be a bit non-traditional or out-of-the-box.  Along these lines, I’d like to share a few lessons I’ve taken from two literary sources:  Robert Fulghum’s 1989 book All I Really Need To Know I Learned In Kindergarten. 

Fulghum’s book, which is a collection of fifty short essays, revolves around the theme that, sometimes, life’s basic lessons can teach us profound lessons. There is a catch though – we must be ready, willing, and able to internalize them.  Listening – or more precisely,  the simple fact that one cannot talk and listen at the same time -- is a good example of this.

Source: Amazon
Source: Amazon

During the course of my job duties and its associated travels, I meet with and speak with many different organizations. One thing I’ve noticed over the years is that some organizations listen better than others. Why is this an important point? Let’s take a step back.

Given the pace at which the threat landscape is evolving and maturing, an organization’s security posture is something that needs to continually evolve and mature. That is an ambitious goal that requires understanding the weaknesses of the security organization; only when weaknesses are identified and understood can they be addressed. Listening to observations, advice, lessons learned, and feedback from others in our field is a great way to identify weak spots ripe for improvement.  Granted, there is a lot of noise out there in the security world, but with an acutely honed filter, a lot of valuable information can be obtained just by listening.

Unfortunately, I often see organizations struggle with this skill. They spend a lot of time telling people what they are doing right, rather than soliciting and accepting input on what needs to be improved.  As I mentioned, one cannot talk and listen at the same time.  And, of course, a security organization does need to ensure that others understand its value.  But, there is plenty of room for more listening to take an organization to the next level.

In addition to listening, honesty is another great way to improve an organization’s security posture. Being truthful, honest, straightforward, and, well, earnest helps strengthen an organization's security posture, its overall security program, and its security operations function.  Here’s how:

Ourselves: First and foremost, we need to be honest with ourselves.  Every security program has its strengths and weaknesses.  Acknowledging a weakness is not in itself a weakness.  Rather, it is the first step towards strengthening and improving that weak spot and should be regarded as a positive.  It may not be easy to take a look in the mirror and examine what we are not doing well, but it is extremely important.  After all, if we are not honest with ourselves, we cannot really be honest with everyone else.

Management: Intentions matter.  Management does not expect perfection, but it does expect honesty and integrity.  If we misrepresent our capabilities, it may keep pressure off our backs in the short term, but in the long term, by hiding a weakness or shortcoming we are aware of, we are introducing unnecessary risk into the security posture of our organization.  Have a weakness or shortcoming that you dread raising to the attention of management?  Try formulating a plan to correct it before raising it to management.  I think you'll be surprised that what management really cares about is that you have a plan to do something about it, and not about the issue itself.

Peers:  We all learn and grow from constructive interactions with our peers.  In order for everyone to benefit from these interactions, everyone needs to approach them in a positive light.  Not doing so causes individuals to miss out on the potential to improve.  Most people want to be helpful.  If you are honest and sincere with people about the challenges you face in accomplishing your goals, they will usually try to help you.  If you attempt to deceive them, you are really only cheating yourself.

Clients and Partners: Most clients and partners appreciate a fresh dose of honesty.  It shows that the organization is self-aware and has a list of priorities to attend to on the never-ending road of continuous improvement.  If one of my vendors or suppliers told me that everything was perfect and great, that would make me less comfortable, not more comfortable.  Think about it.

Other Organizations: Organizations can improve by interacting, sharing information, and learning from one another.  Similar to peer interactions between individuals, this requires  a forthright approach .  Sure, there will always be individuals and organizations that will be fooled by fast talking double speak, but not as many as you might think.  People tend to see through that stuff, but they are often too polite to point it out.

It sounds counter-intuitive, but admitting weakness is actually a strength that can  help us to grow and improve, both as individuals and as a security organization.  If you are a security leader, you owe it to yourself and to your organization to create a culture that rewards listening, honesty, and truthfulness. 

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
fscholl370
50%
50%
fscholl370,
User Rank: Apprentice
9/23/2015 | 12:38:08 PM
Security and Literature
Good post.  Another good book is the Confidence Man, by Herman Melville.  Good way to learn about the insider threat.
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I'm not sure I like this top down management approach!"
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17407
PUBLISHED: 2018-09-23
An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the handling of Type 1 fonts allows arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex.
CVE-2018-17358
PUBLISHED: 2018-09-23
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a ...
CVE-2018-17359
PUBLISHED: 2018-09-23
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.
CVE-2018-17360
PUBLISHED: 2018-09-23
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executa...
CVE-2018-17361
PUBLISHED: 2018-09-23
Multiple XSS vulnerabilities in WeaselCMS v0.3.6 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php because $_SERVER['PHP_SELF'] is mishandled.