11/5/2015
10:30 AM
Joshua Goldfarb

Mature & Unconfident: The Best Information Security Teams Ever!

Security through maturity and humility is a workable philosophy with proven results for organizations that are willing to give it a try. Here's why.

Traveling regularly, like many things, has its advantages and disadvantages. Anyone who has been through an airport lately is more than familiar with the disadvantages, but what about the advantages? One of the main advantages traveling brings me is the opportunity to meet with clients to better understand the security posture, strategy, and operational effectiveness of their respective organizations. One hour with a customer brings me more insight than a thousand white papers, because the greatest insights come from practitioners. 

In other words, enough about the problems and challenges! What are people doing to solve those problems and address those challenges? The answer depends on the organizations themselves, which I like to classify -- by maturity and confidence -- into four quadrants.

Mature & Confident
As you might expect, organizations in this category have fairly mature security programs. Management laid out a strategic vision that was subsequently implemented. The organization took a risk-based approach to security. Risks and threats to the organization were prioritized and mitigated accordingly. An incident response process was set and followed. Security operations runs continually.

At first glance, you might say that this program sounds like a panacea. I would urge you to reconsider that assertion. What is the risk with this type of program? Look closely at the tense in the above paragraph. Everything is past-tense. As we know, our adversaries are continually adapting to maximize their effectiveness. As defenders, we need to continually adapt as well. Risks and threats change over time, as do the ways in which we mitigate them. The risk in this type of organization is stagnation. And stagnation is not a great recipe for continued success in the security realm.

Mature & Unconfident
The organization that is mature and unconfident is the best kind, in my opinion. These types of organizations took all the same steps as the mature and confident organizations. What’s the difference? They are never satisfied. They always remain hungry. They are never confident that they are safe.

This philosophy pervades these organizations at many different levels. People are never afraid to raise their hand to indicate that a risk is unmitigated, a new technology is needed, a process needs refining, certain gaps exist, or any of the other issues that may arise. This lack of confidence is not a weakness, as it is often regarded, but rather, a strength. It is a reality check that keeps the organization humble. Why is this important? That humility allows the organization to continue to mature and to avoid stagnation.

Immature & Unconfident
Organizations that are immature and unconfident are my favorite type of organization to work with. At first this may seem like a puzzling statement, but hear me out: Lack of security maturity may indeed be a weakness. But if an organization is self-aware enough to honestly evaluate where it stands, it is something that can be overcome.

Of course, the process of maturing a security program is a lengthy one with many details. The first step in that process is understanding that you need to work through it. Believe it or not, this self-awareness and organizational humility is something that is surprisingly uncommon. More often than not, organizations with immature security programs fall into the next category.

Immature & Confident
I’ve been known to describe some past co-workers as a “deadly combination of incompetence and over-confidence.” I’m sure you’ve all encountered this type of co-worker at some point in your work life. He (or she) is the one who runs confidently, full-speed ahead in the wrong direction entirely, whose instinct is always to do the polar opposite of what is needed, and who cannot accept this possibility at all. I’m using this analogy to illustrate a somewhat sensitive and delicate point. Having an immature security program is something that can be remedied -- unless an organization is too overconfident to realize it. In my estimation, the number of organizations that fall into this last category is far greater than most of us would like to believe.

In a sense, this is the most tragic of all the categories; so much potential, yet a nearly impassable uphill climb. You might ask what leads me to lump so many organizations into this category. My answer to that question is fairly straightforward. I base it on the questions that I receive from some organizations. Often, these questions indicate an underlying lack of understanding of the core challenges companies need to address -- and, as a result, any potential solutions to those challenges. More often than not, I receive these questions from organizations that tell me that they take a very strategic approach to security and have a very mature security program as a result.

Which type of organization are you?
I never ask this question of organizations I meet with, for obvious reasons. It is a question that each organization needs to ask itself and answer honestly. The resulting introspection and self-awareness may not be comfortable, but it is the best way for an organization to develop a robust and mature security posture based upon security operations and incident response. Maturity is the key to improving an organization’s security posture, but it is not something that can be arrived at through dishonesty. Security through maturity and humility is a workable philosophy with proven results for those organizations that are willing to give it a try.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...