Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/15/2015
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Information Security Lessons From Literature

How classic themes about listening, honesty, and truthfulness can strengthen your organization's security posture, programs and operations.

As someone who enjoys observing the world around me, I try to learn from many different things.  Sometimes, my inspiration might be a bit non-traditional or out-of-the-box.  Along these lines, I’d like to share a few lessons I’ve taken from two literary sources:  Robert Fulghum’s 1989 book All I Really Need To Know I Learned In Kindergarten. 

Fulghum’s book, which is a collection of fifty short essays, revolves around the theme that, sometimes, life’s basic lessons can teach us profound lessons. There is a catch though – we must be ready, willing, and able to internalize them.  Listening – or more precisely,  the simple fact that one cannot talk and listen at the same time -- is a good example of this.

Source: Amazon
Source: Amazon

During the course of my job duties and its associated travels, I meet with and speak with many different organizations. One thing I’ve noticed over the years is that some organizations listen better than others. Why is this an important point? Let’s take a step back.

Given the pace at which the threat landscape is evolving and maturing, an organization’s security posture is something that needs to continually evolve and mature. That is an ambitious goal that requires understanding the weaknesses of the security organization; only when weaknesses are identified and understood can they be addressed. Listening to observations, advice, lessons learned, and feedback from others in our field is a great way to identify weak spots ripe for improvement.  Granted, there is a lot of noise out there in the security world, but with an acutely honed filter, a lot of valuable information can be obtained just by listening.

Unfortunately, I often see organizations struggle with this skill. They spend a lot of time telling people what they are doing right, rather than soliciting and accepting input on what needs to be improved.  As I mentioned, one cannot talk and listen at the same time.  And, of course, a security organization does need to ensure that others understand its value.  But, there is plenty of room for more listening to take an organization to the next level.

In addition to listening, honesty is another great way to improve an organization’s security posture. Being truthful, honest, straightforward, and, well, earnest helps strengthen an organization's security posture, its overall security program, and its security operations function.  Here’s how:

Ourselves: First and foremost, we need to be honest with ourselves.  Every security program has its strengths and weaknesses.  Acknowledging a weakness is not in itself a weakness.  Rather, it is the first step towards strengthening and improving that weak spot and should be regarded as a positive.  It may not be easy to take a look in the mirror and examine what we are not doing well, but it is extremely important.  After all, if we are not honest with ourselves, we cannot really be honest with everyone else.

Management: Intentions matter.  Management does not expect perfection, but it does expect honesty and integrity.  If we misrepresent our capabilities, it may keep pressure off our backs in the short term, but in the long term, by hiding a weakness or shortcoming we are aware of, we are introducing unnecessary risk into the security posture of our organization.  Have a weakness or shortcoming that you dread raising to the attention of management?  Try formulating a plan to correct it before raising it to management.  I think you'll be surprised that what management really cares about is that you have a plan to do something about it, and not about the issue itself.

Peers:  We all learn and grow from constructive interactions with our peers.  In order for everyone to benefit from these interactions, everyone needs to approach them in a positive light.  Not doing so causes individuals to miss out on the potential to improve.  Most people want to be helpful.  If you are honest and sincere with people about the challenges you face in accomplishing your goals, they will usually try to help you.  If you attempt to deceive them, you are really only cheating yourself.

Clients and Partners: Most clients and partners appreciate a fresh dose of honesty.  It shows that the organization is self-aware and has a list of priorities to attend to on the never-ending road of continuous improvement.  If one of my vendors or suppliers told me that everything was perfect and great, that would make me less comfortable, not more comfortable.  Think about it.

Other Organizations: Organizations can improve by interacting, sharing information, and learning from one another.  Similar to peer interactions between individuals, this requires  a forthright approach .  Sure, there will always be individuals and organizations that will be fooled by fast talking double speak, but not as many as you might think.  People tend to see through that stuff, but they are often too polite to point it out.

It sounds counter-intuitive, but admitting weakness is actually a strength that can  help us to grow and improve, both as individuals and as a security organization.  If you are a security leader, you owe it to yourself and to your organization to create a culture that rewards listening, honesty, and truthfulness. 

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
fscholl370
50%
50%
fscholl370,
User Rank: Apprentice
9/23/2015 | 12:38:08 PM
Security and Literature
Good post.  Another good book is the Confidence Man, by Herman Melville.  Good way to learn about the insider threat.
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8996
PUBLISHED: 2020-02-16
AnyShare Cloud 6.0.9 allows authenticated directory traversal to read files, as demonstrated by the interface/downloadwithpath/downloadfile/?filepath=/etc/passwd URI.
CVE-2020-8997
PUBLISHED: 2020-02-16
Abbott FreeStyle Libre 14-day before February 2020 and FreeStyle Libre 2 before February 2020 allow remote attackers to enable write access via a specific NFC unlock command.
CVE-2020-7050
PUBLISHED: 2020-02-15
Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies ...
CVE-2019-13965
PUBLISHED: 2020-02-14
Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed...
CVE-2019-13966
PUBLISHED: 2020-02-14
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).