Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/15/2015
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Information Security Lessons From Literature

How classic themes about listening, honesty, and truthfulness can strengthen your organization's security posture, programs and operations.

As someone who enjoys observing the world around me, I try to learn from many different things.  Sometimes, my inspiration might be a bit non-traditional or out-of-the-box.  Along these lines, I’d like to share a few lessons I’ve taken from two literary sources:  Robert Fulghum’s 1989 book All I Really Need To Know I Learned In Kindergarten. 

Fulghum’s book, which is a collection of fifty short essays, revolves around the theme that, sometimes, life’s basic lessons can teach us profound lessons. There is a catch though – we must be ready, willing, and able to internalize them.  Listening – or more precisely,  the simple fact that one cannot talk and listen at the same time -- is a good example of this.

During the course of my job duties and its associated travels, I meet with and speak with many different organizations. One thing I’ve noticed over the years is that some organizations listen better than others. Why is this an important point? Let’s take a step back.

Given the pace at which the threat landscape is evolving and maturing, an organization’s security posture is something that needs to continually evolve and mature. That is an ambitious goal that requires understanding the weaknesses of the security organization; only when weaknesses are identified and understood can they be addressed. Listening to observations, advice, lessons learned, and feedback from others in our field is a great way to identify weak spots ripe for improvement.  Granted, there is a lot of noise out there in the security world, but with an acutely honed filter, a lot of valuable information can be obtained just by listening.

Unfortunately, I often see organizations struggle with this skill. They spend a lot of time telling people what they are doing right, rather than soliciting and accepting input on what needs to be improved.  As I mentioned, one cannot talk and listen at the same time.  And, of course, a security organization does need to ensure that others understand its value.  But, there is plenty of room for more listening to take an organization to the next level.

In addition to listening, honesty is another great way to improve an organization’s security posture. Being truthful, honest, straightforward, and, well, earnest helps strengthen an organization's security posture, its overall security program, and its security operations function.  Here’s how:

Ourselves: First and foremost, we need to be honest with ourselves.  Every security program has its strengths and weaknesses.  Acknowledging a weakness is not in itself a weakness.  Rather, it is the first step towards strengthening and improving that weak spot and should be regarded as a positive.  It may not be easy to take a look in the mirror and examine what we are not doing well, but it is extremely important.  After all, if we are not honest with ourselves, we cannot really be honest with everyone else.

Management: Intentions matter.  Management does not expect perfection, but it does expect honesty and integrity.  If we misrepresent our capabilities, it may keep pressure off our backs in the short term, but in the long term, by hiding a weakness or shortcoming we are aware of, we are introducing unnecessary risk into the security posture of our organization.  Have a weakness or shortcoming that you dread raising to the attention of management?  Try formulating a plan to correct it before raising it to management.  I think you'll be surprised that what management really cares about is that you have a plan to do something about it, and not about the issue itself.

Peers:  We all learn and grow from constructive interactions with our peers.  In order for everyone to benefit from these interactions, everyone needs to approach them in a positive light.  Not doing so causes individuals to miss out on the potential to improve.  Most people want to be helpful.  If you are honest and sincere with people about the challenges you face in accomplishing your goals, they will usually try to help you.  If you attempt to deceive them, you are really only cheating yourself.

Clients and Partners: Most clients and partners appreciate a fresh dose of honesty.  It shows that the organization is self-aware and has a list of priorities to attend to on the never-ending road of continuous improvement.  If one of my vendors or suppliers told me that everything was perfect and great, that would make me less comfortable, not more comfortable.  Think about it.

Other Organizations: Organizations can improve by interacting, sharing information, and learning from one another.  Similar to peer interactions between individuals, this requires  a forthright approach .  Sure, there will always be individuals and organizations that will be fooled by fast talking double speak, but not as many as you might think.  People tend to see through that stuff, but they are often too polite to point it out.

It sounds counter-intuitive, but admitting weakness is actually a strength that can  help us to grow and improve, both as individuals and as a security organization.  If you are a security leader, you owe it to yourself and to your organization to create a culture that rewards listening, honesty, and truthfulness. 

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
fscholl370
50%
50%
fscholl370,
User Rank: Apprentice
9/23/2015 | 12:38:08 PM
Security and Literature
Good post.  Another good book is the Confidence Man, by Herman Melville.  Good way to learn about the insider threat.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10548
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10549
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10546
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10547
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-11094
PUBLISHED: 2020-06-04
The October CMS debugbar plugin before version 3.1.0 contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open to untrusted users as ...