It is great to have heroes, but the real security heroes are the men and women who keep the bad guys out while fighting their own organizations at the same time.

Ira Winkler, Field CISO & Vice President, CYE

January 11, 2019

4 Min Read

People love to hear me describe the espionage simulations that I perform, putting together teams of former Special Forces and intelligence officers and targeting organizations, in what many might call penetration tests and social engineering. Still, I bristle when anyone calls me a hacker.

True, I admit that I love performing human elicitation and black bag operations, and it is always a rush to get the access to "steal" $1 million or its equivalent. Yet the "gotcha" games can get old, and while the results may be incredible, they are frequently useless.

I consider myself a security professional, and my goal is to leave a company more secure than I found it. Consequently, I've learned that finding flaws in security programs is only useful when you can identify practical countermeasures that can actually be implemented. Otherwise, you're essentially just highlighting that a company can be easily compromised, which is, at best, a footnote in a security presentation.

Even when a problem is seemingly simple to fix, it is usually not that easy. I am sick of hearing "social engineers" perform tests where they get employees to divulge passwords, and then proclaim that the solution is to tell employees not to divulge their passwords. Likewise, people performing technical penetration tests frequently find unpatched systems and recommend patching the systems. Any qualified CISO already knows these issues likely exist in their environment, and that they should address them. But it is grossly naive to believe that it is that simple to just do it.

Addressing the password problem requires a comprehensive solution of technology, process, and awareness, which requires proper funding, resources, planning, execution, and it still won't be perfect. Social engineering, when performed with proper statistical distributions, can potentially tell you the scope of the problem, but it is far from a useful solution. While patching systems appears to be straightforward, it is an incredibly complicated matter to first find all of the systems that exist, determine their architectures and versions, get administrator access, ensure that licensing exists to update systems, determine if there are any incompatibilities with patches, get the required permissions to have outages, acquire the systems, software, and/or personnel to roll out the patches, etc.

Then consider that these are just two projects among countless other projects that a CISO has to address, and especially prioritize, with each potentially project expending their organizational reputation, and all involving buy-in from other parties.

On multiple occasions, I performed penetration tests that were able to grab the attention of Fortune 50 CEOs by demonstrating the substantial business value that could be lost due to poor security, and providing actionable recommendations. In response, the CEOs increased the security budgets by more than $10 million and increased staffing to begin to address the problems. For my team and me, it was fun and easy. Periodically, we are brought back to advise and further assess how well the improvements are progressing. However, finding damaging flaws in the security posture of a Fortune 50 company is too easy for highly skilled attackers, like those on my team. The people with the really hard jobs are those responsible for fixing the problems.

The general public, and even the security industry, seems to idolize the "hackers" and people who can compromise security of organizations with ease. They are frequently referred to as the "Rock Stars of Security." Some of these people have incredible skills at what they do. However, the "Rock Stars" we should be revering are those working on internal security teams, who know all too well that real security involves infinitely more than telling people "don't give away your passwords" or "patch your systems." They frequently experience failures of one form or another but somehow manage to effectively mitigate losses and keep major organizations up and running.

It is great to have heroes, but the world needs to realize that the real heroes of security are those with the really hard jobs, which means those who are constantly trying to keep the bad guys out while fighting their own organizations more than the hackers. Unfortunately, we rarely know their names, how hard they're working, or acknowledge them for the heroes that they are.

About the Author(s)

Ira Winkler

Field CISO & Vice President, CYE

Ira Winkler, CISSP, is the Director of the Human Security Engineering Consortium and author of the books You Can Stop Stupid and Security Awareness for Dummies. He is considered one of the world’s most influential security professionals and was named “The Awareness Crusader” by CSO Magazine in receiving its CSO COMPASS Award. He has designed, implemented, and supported security awareness programs at organizations of all sizes, in all industries, around the world. Ira began his career at the National Security Agency, where he served in various roles as an Intelligence and Computer Systems Analyst. He has since served in other positions supporting the cybersecurity programs in organizations of all sizes.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights