I'm going to tell you one of the dirty secrets of enterprise cybersecurity. There are a lot of practitioners that secretly wish their company would get attacked.
Because at least then, someone would listen to them.
These people tend to reside on what we frequently refer to as the blue team. In cybersecurity exercises and simulations, blue team members are the defenders, tasked with keeping their mortal enemies out of corporate networks. In the real world, the blue team is cybersecurity. They are the operational masters, and they comprise most available cybersecurity jobs.
The problem is, the blue team is easily ignored, seen as an expense rather than an asset to the organization.
Red Team Has All the Luck
Let's face it. The red team is sexy. It carries this aura of underground street cred. Some red teamers started off as hacktivists and gray hats. Some of them parlayed criminal experience into six-figure incomes as public speakers and corporate consultants.
These are the folks Hollywood makes movies about.
And when the red team makes waves, the media pays attention. And that makes CEOs and other executives pay attention.
The focus on red teams creates a distorted picture of reality. Go to any major cybersecurity conference, and you'll find dozens of well-attended seminars led by red-team experts.
It just so happens that everyone in the audience is from the blue team.
That's because there isn't a deep ocean of red-team positions. Those jobs are relatively rare, and while the people holding red-team jobs are extremely technically competent, the financial incentive for companies to employ them arises — at least a little bit — from the marketing and brand exposure they bring. Most cybersecurity companies don't sell offensive capabilities. They sell blue-team tools — but they use red-team flashiness to do it.
A Seat at the Table
Discussing this isn't sour grapes. After all, I am a professional security researcher, which technically makes me a red-team guy.
But I've spent years on the blue team. I've learned that a lot of the cybersecurity conversation is driven by red teams. The result is that a not-insignificant chunk of corporate security strategy is developed in an environment where the practitioners don't hold influence that is on par with their expertise.
The typical cybersecurity professional's day-to-day duties are incredibly important. They are also routine. Installing and tuning a Web application firewall and updating obscure applications aren't the material that turns into speaking engagements.
If we can give the people that perform these functions a bigger voice, we'd drive more impact. Think about it this way: What's more likely to improve overall security — an immediate response to a new and novel threat, or a strategic, methodical improvement in vulnerability management?
I think we all know the answer.
Not Letting Blue Team Off the Hook
If you are a member of the blue team, you might be cheering right now, saying, "Finally, someone understands my pain. I've always wanted more decision-making power in my organization."
But be careful what you wish for, because with great power comes great responsibility.
Having a seat at the table means solving problems, not just identifying them. And it means solving them with the resources you have. If you tell your colleagues, "we're at risk from X, Y, and Z," be prepared to tell them how to minimize that risk and what it will cost to do so.
Cybersecurity is an expense on your company's balance sheet. Maintaining a seat at the table and getting the resources you need may require finding ways to generate revenue — or at least prevent things that drive revenue down. If you work for an e-commerce site, look for ways to cut down on bot traffic that might be scraping information from your website to undercut prices. If you work for a subscription-based service, look for ways to cut down on customers sharing accounts.
These are small examples, but they have big impacts on the bottom line. They may yield the resources your company needs to reduce risk. And when that happens, maybe you won't secretly wish your company falls victim to an attack.