12:12 PM
Joe Campbell
News Analysis-Security Now

From Enemies to Allies: Addressing Security Culture Clashes in Your Organization

Building secure organizations starts with people, not technology. Part 2 of a 2-part article.

In last week's piece, I addressed the different types of security cultures within today's organizations. You have your "security bullies" -- the teams that refuse to compromise with other internal stakeholders in the business when it comes to implementing security policies, in turn only inciting teams to find insecure workarounds and loopholes. And then on the other side of the spectrum, you have the "elephant in the room" -- when business teams only see security as stifling agility and innovation, refusing to include them in critical conversations. In both cases, both sides of the table need to become allies to the business and each other. Let's talk about how we can get there.

Getting equipped for the conversation
At this point, many may be thinking their task is simple: Don't be a bully if you are, or simply make yourself heard if you are the elephant. The truth is, this isn't something that is going to be fixed without a more conscientious approach. Before you embark on getting to the table in partnership with the business, you need to learn more about the importance of your job. You need to be prepared to explain to the rest of the company why security matters.

Understand how defense has evolved
The traditional approach to security has been the same for millennia. It was employed by the Roman legions and is employed today in our businesses. Often called "defense in depth," the strategy consists of sequential layers of defense meant to weaken the enemy and, finally, defeat it. Where there were once castle walls, moats and battlements, there are now physical security, firewalls, authentication barriers and more. This approach to security is really not a mystery to the business. In fact, most of the folks in the business would probably describe security in this way.

On top of their understanding is the expectation that this can and should be done silently and transparently to their daily operations. Perhaps they have not been reading security blogs lately.

Have you heard any of these phrases before?
"They are already in the walls."
"You've already been hacked."

There seems to be enough evidence in the wild that our traditional approach to security hasn't been working. We all need to begin rethinking security with an understanding that an evolution and revolution in our approach is necessary. This revolution requires that security begins to understand the business and that the business actually has a stake in security too. It's our responsibility to explain this to them in the simplest way possible and open the door to new and positive relationships.

Identity in depth
To put it simply, not having a robust perimeter security solution, competent authentication and even multi-factor authentication would basically tell me you were being negligent. But as we all know, it simply isn't enough. Today, each defensive layer in the organization needs to be augmented with identity. The layers alone are simply not enough. Firewalls and VPNs need to be checking for more than simple credentials; rather, they should be aware of who is connecting and what this user's capabilities are in the business.

Applications can't simply react to basic role-based access control logic, but rather must be supplemented with the separation-of-duties and toxic-role logic you get from an IAM solution. Web portals can no longer rely on simple SSL and authentication, but must rather understand whether the connecting user matches what we know about this user's typical forensic thumbprint. In essence, the only defense we have for the new breed of hacker (who is really just a modern "identity thief") is to always have identity front and center. It is this revolution in defense -- from defense-in-depth to identity-in-depth -- where we can begin to change the conversation.

Starting over
Again, our goal in security is to be an invited and trusted member of the business discussion, but both of our troubled security cultures above have a similar problem to fix. Whether your team has been bullying the business or has been seen as irrelevant, we need to re-introduce ourselves. Put your kingdom-building or your meekness aside and tell the business: "we need to talk."

The conversation can go something like this:
"The traditional approach to security has changed and I realize that we've both made some mistakes." Explain how you understand what the business thinks about security and that it makes sense to you, but then take some time to talk about the dangers of a security breach. Do this in a way that doesn't present tales of doom and gloom, but speaks to critical business issues that matter to them. (Typically people don't like drama.) Instead, draw on recent examples of intellectual property theft, customer distrust and big losses to the bottom line -- all things that they know and understand, and more importantly, that can hugely impede the business. Take some time to explain how the practice of security has evolved, and how through the concepts of identity-in-depth, we both have our best opportunity to stop them in their tracks. Now comes the easy part: Tell them how important they are!

The business is essential
As security team members, we can freely admit that we're not really experts on the tasks, goals, and issues that our business leaders deal with. This is why you need to explain that in this new world, business has a greater say in how our security posture is designed. Only the business knows who needs access to what function or which roles should be granted only with approval from the boss. Explain to your new partners that you are there for them and that you need to make decisions together that can satisfy the requirements of the company in general. It is because of the change in the threat landscape that you are here and that we need to build a new relationship.

For the bully in the room, your approach to security has done more harm than good. This redefinition of our goals in security gives you an opportunity to repair your relationships and start working for the good of the business. Educate your team on a business-centric approach to security and teach them that changes made to the organizations simply cannot interfere with the goals of the business.

For the elephant in the room, your time spent away from the table must come to an end. We can't begin to embark on a new security relationship unless we are actively spending time to understand the business, and you need to look for those opportunities. Listen at first, wait until you feel you are beginning to understand, and then make the bold move to suggest partnerships that you know solve the problems the business has.

Building the trust that has been missing for so long is simply the first challenge you need to conquer. Only after that can we begin to tackle the technical problems that we face... and with our new partners.

Joe Campbell is principal security advisor at identity and access management company One Identity. His professional career spans innovations for some of the world's biggest companies, and he's pioneered new, award-winning technologies in wireless, RFID, visualization, communications and telephony. As a trusted security advisor, his unmatched experience in security and software architecture makes him a highly respected leader in the technology industry.
