Operations

11/5/2015
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Mature & Unconfident: The Best Information Security Teams Ever!

Security through maturity and humility is a workable philosophy with proven results for organizations that are willing to give it a try. Here's why.

Traveling regularly, like many things, has its advantages and disadvantages. Anyone who has been through an airport lately is more than familiar with the disadvantages, but what about the advantages? One of the main advantages traveling brings me is the opportunity to meet with clients to better understand the security posture, strategy, and operational effectiveness of their respective organizations. One hour with a customer brings me more insight than a thousand white papers, because the greatest insights come from practitioners. 

In other words, enough about the problems and challenges! What are people doing to solve those problems and address those challenges? The answer depends on the organizations themselves, which I like to classify -- by maturity and confidence -- into four quadrants.

Mature & Confident
As you might expect, organizations in this category have fairly mature security programs.  Management laid out a strategic vision that was subsequently implemented. The organization took a risk-based approach to security. Risks and threats to the organization were prioritized and mitigated accordingly. An incident response process was set and followed. Security operations runs continually.

At first glance, you might say that this program sounds like a panacea. I would urge you to reconsider that assertion. What is the risk with this type of program? Look closely at the tense in the above paragraph. Everything is past-tense. As we know, our adversaries are continually adapting to maximize their effectiveness. As defenders, we need to continually adapt as well. Risks and threats change over time, as do the ways in which we mitigate them. The risk in this type of organization is stagnation. And stagnation is not a great recipe for continued success in the security realm.

Mature & Unconfident
The organization that is mature and unconfident is the best kind, in my opinion. These types of organizations took all the same steps as the mature and confident organizations. What’s the difference? They are never satisfied. They always remain hungry. They are never confident that they are safe.

This philosophy pervades these organizations at many different levels. People are never afraid to raise their hand to indicate that a risk is unmitigated, a new technology is needed, a process needs refining, certain gaps exist, or any of the other issues that may arise. This lack of confidence is not a weakness, as it is often regarded, but rather, a strength. It is a reality check that keeps the organization humble. Why is this important? That humility allows the organization to continue to mature and to avoid stagnation.

Immature & Unconfident
Organizations that are immature and unconfident are my favorite type of organization to work with.  At first this may seem like a puzzling statement but hear me out: Lack of security maturity may indeed be a weakness. But if an organization is self-aware enough to honestly evaluate where they stand, it is something that can be overcome. 

Of course, the process of maturing a security program is a lengthy one with many details. The first step in that process is understanding that you need to work through it. Believe it or not, this self-awareness and organizational humility is something that is surprisingly uncommon. More often than not, organizations with immature security programs fall into the next category.

Immature & Confident
I’ve been known to describe some past co-workers as a “deadly combination of incompetence and over-confidence.” I’m sure you’ve all encountered this type of co-worker at some point in your work life.  He (or she) is the one who runs confidently, full-speed ahead in the wrong direction entirely, whose instinct is always to do the polar opposite of what is needed, and who cannot accept this possibility at all. I’m using this analogy to illustrate a somewhat sensitive and delicate point. Having an immature security program is something that can be remedied -- unless an organization is too overconfident to realize it. In my estimation, the number of organizations that fall into this last category is far greater than most of us would like to believe.

In a sense, this is the most tragic of all the categories; so much potential, yet a nearly impassable uphill climb. You might ask what leads me to lump so many organizations into this category. My answer to that question is fairly straightforward. I base it off of the questions that I receive from some organizations. Often, these questions indicate an underlying lack of understanding of the core challenges companies need to address -- and, as a result, any potential solutions to those challenges. More often than not, I receive these questions from organizations that tell me that they take a very strategic approach to security and have a very mature security program as a result.

Which type of organization are you?
I never ask this question of organizations I meet with, for obvious reasons. It is a question that each organization needs to ask itself and answer honestly. The resulting introspection and self-awareness may not be comfortable, but it is the best way for an organization to develop a robust and mature security posture based upon security operations and incident response. Maturity is the key to improving an organization’s security posture, but it is not something that can be arrived at through dishonesty.  Security through maturity and humility is a workable philosophy with proven results for those organizations that are willing to give it a try.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for information on the career trends program.

Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
From DevOps to DevSecOps: Structuring Communication for Better Security
Robert Hawk, Privacy & Security Lead at xMatters,  2/15/2018
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.