People love to hear me describe the espionage simulations that I perform, putting together teams of former Special Forces and intelligence officers and targeting organizations, in what many might call penetration tests and social engineering. Still, I bristle when anyone calls me a hacker.
True, I admit that I love performing human elicitation and black bag operations, and it is always a rush to get the access to "steal" $1 million or its equivalent. Yet the "gotcha" games can get old, and while the results may be incredible, they are frequently useless.
I consider myself a security professional, and my goal is to leave a company more secure than I found it. Consequently, I've learned that finding flaws in security programs is only useful when you can identify practical countermeasures that can actually be implemented. Otherwise, you're essentially just highlighting that a company can be easily compromised, which is, at best, a footnote in a security presentation.
Even when a problem is seemingly simple to fix, it is usually not that easy. I am sick of hearing "social engineers" perform tests where they get employees to divulge passwords, and then proclaim that the solution is to tell employees not to divulge their passwords. Likewise, people performing technical penetration tests frequently find unpatched systems and recommend patching the systems. Any qualified CISO already knows these issues likely exist in their environment, and that they should address them. But it is grossly naive to believe that it is that simple to just do it.
Addressing the password problem requires a comprehensive solution of technology, process, and awareness, which requires proper funding, resources, planning, execution, and it still won't be perfect. Social engineering, when performed with proper statistical distributions, can potentially tell you the scope of the problem, but it is far from a useful solution. While patching systems appears to be straightforward, it is an incredibly complicated matter to first find all of the systems that exist, determine their architectures and versions, get administrator access, ensure that licensing exists to update systems, determine if there are any incompatibilities with patches, get the required permissions to have outages, acquire the systems, software, and/or personnel to roll out the patches, etc.
Then consider that these are just two projects among countless other projects that a CISO has to address, and especially prioritize, with each potentially project expending their organizational reputation, and all involving buy-in from other parties.
On multiple occasions, I performed penetration tests that were able to grab the attention of Fortune 50 CEOs by demonstrating the substantial business value that could be lost due to poor security, and providing actionable recommendations. In response, the CEOs increased the security budgets by more than $10 million and increased staffing to begin to address the problems. For my team and me, it was fun and easy. Periodically, we are brought back to advise and further assess how well the improvements are progressing. However, finding damaging flaws in the security posture of a Fortune 50 company is too easy for highly skilled attackers, like those on my team. The people with the really hard jobs are those responsible for fixing the problems.
The general public, and even the security industry, seems to idolize the "hackers" and people who can compromise security of organizations with ease. They are frequently referred to as the "Rock Stars of Security." Some of these people have incredible skills at what they do. However, the "Rock Stars" we should be revering are those working on internal security teams, who know all too well that real security involves infinitely more than telling people "don't give away your passwords" or "patch your systems." They frequently experience failures of one form or another but somehow manage to effectively mitigate losses and keep major organizations up and running.
It is great to have heroes, but the world needs to realize that the real heroes of security are those with the really hard jobs, which means those who are constantly trying to keep the bad guys out while fighting their own organizations more than the hackers. Unfortunately, we rarely know their names, how hard they're working, or acknowledge them for the heroes that they are.