10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Connect Directly
E-Mail vvv

Information Security Lessons From Literature

How classic themes about listening, honesty, and truthfulness can strengthen your organization's security posture, programs and operations.

As someone who enjoys observing the world around me, I try to learn from many different things.  Sometimes, my inspiration might be a bit non-traditional or out-of-the-box.  Along these lines, I’d like to share a few lessons I’ve taken from two literary sources:  Robert Fulghum’s 1989 book All I Really Need To Know I Learned In Kindergarten. 

Fulghum’s book, which is a collection of fifty short essays, revolves around the theme that, sometimes, life’s basic lessons can teach us profound lessons. There is a catch though – we must be ready, willing, and able to internalize them.  Listening – or more precisely,  the simple fact that one cannot talk and listen at the same time -- is a good example of this.

Source: Amazon
Source: Amazon

During the course of my job duties and its associated travels, I meet with and speak with many different organizations. One thing I’ve noticed over the years is that some organizations listen better than others. Why is this an important point? Let’s take a step back.

Given the pace at which the threat landscape is evolving and maturing, an organization’s security posture is something that needs to continually evolve and mature. That is an ambitious goal that requires understanding the weaknesses of the security organization; only when weaknesses are identified and understood can they be addressed. Listening to observations, advice, lessons learned, and feedback from others in our field is a great way to identify weak spots ripe for improvement.  Granted, there is a lot of noise out there in the security world, but with an acutely honed filter, a lot of valuable information can be obtained just by listening.

Unfortunately, I often see organizations struggle with this skill. They spend a lot of time telling people what they are doing right, rather than soliciting and accepting input on what needs to be improved.  As I mentioned, one cannot talk and listen at the same time.  And, of course, a security organization does need to ensure that others understand its value.  But, there is plenty of room for more listening to take an organization to the next level.

In addition to listening, honesty is another great way to improve an organization’s security posture. Being truthful, honest, straightforward, and, well, earnest helps strengthen an organization's security posture, its overall security program, and its security operations function.  Here’s how:

Ourselves: First and foremost, we need to be honest with ourselves.  Every security program has its strengths and weaknesses.  Acknowledging a weakness is not in itself a weakness.  Rather, it is the first step towards strengthening and improving that weak spot and should be regarded as a positive.  It may not be easy to take a look in the mirror and examine what we are not doing well, but it is extremely important.  After all, if we are not honest with ourselves, we cannot really be honest with everyone else.

Management: Intentions matter.  Management does not expect perfection, but it does expect honesty and integrity.  If we misrepresent our capabilities, it may keep pressure off our backs in the short term, but in the long term, by hiding a weakness or shortcoming we are aware of, we are introducing unnecessary risk into the security posture of our organization.  Have a weakness or shortcoming that you dread raising to the attention of management?  Try formulating a plan to correct it before raising it to management.  I think you'll be surprised that what management really cares about is that you have a plan to do something about it, and not about the issue itself.

Peers:  We all learn and grow from constructive interactions with our peers.  In order for everyone to benefit from these interactions, everyone needs to approach them in a positive light.  Not doing so causes individuals to miss out on the potential to improve.  Most people want to be helpful.  If you are honest and sincere with people about the challenges you face in accomplishing your goals, they will usually try to help you.  If you attempt to deceive them, you are really only cheating yourself.

Clients and Partners: Most clients and partners appreciate a fresh dose of honesty.  It shows that the organization is self-aware and has a list of priorities to attend to on the never-ending road of continuous improvement.  If one of my vendors or suppliers told me that everything was perfect and great, that would make me less comfortable, not more comfortable.  Think about it.

Other Organizations: Organizations can improve by interacting, sharing information, and learning from one another.  Similar to peer interactions between individuals, this requires  a forthright approach .  Sure, there will always be individuals and organizations that will be fooled by fast talking double speak, but not as many as you might think.  People tend to see through that stuff, but they are often too polite to point it out.

It sounds counter-intuitive, but admitting weakness is actually a strength that can  help us to grow and improve, both as individuals and as a security organization.  If you are a security leader, you owe it to yourself and to your organization to create a culture that rewards listening, honesty, and truthfulness. 

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/23/2015 | 12:38:08 PM
Security and Literature
Good post.  Another good book is the Confidence Man, by Herman Melville.  Good way to learn about the insider threat.
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/15/2018
Voice-Operated Devices, Enterprise Security & the 'Big Truck' Attack
Menny Barzilay, Co-founder & CEO, FortyTwo Global,  3/15/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.