Recently we were interviewing for an entry-level information security analyst position and a candidate asked me, “With the really long time you’ve been in security, what changes have you seen over the last 22 years?” After getting past the feeling of being old, I told her that back in the day security was all about blocking and preventing. It made relationships difficult and prohibited the business from performing to its maximum. As a security community we realized that stopping the business was not ideal for the success of the company or our careers, so we began loosening controls and improving monitoring. This moved the focus of the five elements of the NIST framework from Prevent to Detect. We still tried to prevent where we could, but attackers were too far ahead of security programs, so we again moved the focus from Detect to Quickly Detect to limit the amount of time an adversary was in the environment. The concern is that controls will continue to loosen to allow the business to prevail, but staying on this path could lead to a security program that is meaningless or non-existent. In the end, teams may revert to the days of blocking everything to stop the bleeding and reassess their effectiveness, which nobody wants.
This brings us to today and the importance of awareness, automation and relationships, which will help prevent the scenario of returning to full prevention by balancing between enabling and securing the business. For awareness, we all know end-users are our first line of defense, and they need to be properly trained to help defend the company against attacks. Even with training, there needs to be buy-in from the top to push the importance of the training so everyone is engaged and has ownership in the protection of the company’s data, and their own in some cases. If you don’t have an effective security awareness program in place, it needs to be a priority above all other security initiatives. Automation is an area that can help overwhelmed security teams and allow more time to focus on actual risk and on building relationships. From there you’ll have a great foundation for a simple security program that will fit into any framework.
When it comes to relationships, partnering with the business and internal IT teams is key to a security program’s success, but partnerships are a two-way street. If you’re not reaching out to your security team to involve them in business meetings, you’re doing them and your company a disservice. It can be difficult to reach out knowing that security personnel can be creepy people working in dark offices, but today’s information security staff is being trained to communicate with the business, and they’re learning how to build relationships because we know we can’t do it alone and need your help. Ask your security team about the threats they see and the challenges they have. Also ask them if there is any way a process can be done differently using the survivorship bias philosophy, which is simply changing your focus from looking at what you know to looking at what you don’t know. You’ll be surprised how excited they will get from being asked such simple questions. If you want to take it further, act on their advice and ask how you can help them be successful. Let’s be the leaders we are and make a difference every day.