Security Teams Need to be Recognized as the Even Keel that Stays the Course Even When the Rest of the Organization Gets Distracted.
Security is often a pretty thankless job, and one that typically only gets noticed when something goes wrong. In some ways it is a bit like an offensive line in football: the big tough guys who toil in the trenches and whom no one ever notices unless there is a sack or a penalty. Yet while these guys rarely end up on the covers of magazines or dating supermodels, it remains true that the top teams typically all have very good to great offensive lines. This sort of analogy for security is usually well understood, and will get heads nodding in the boardroom.
The rub comes down to an order of operations. What is the priority, and what do you do first? Most organizations know that security is important, and all things being equal they want to do the right things. But in real-world organizations, things rarely are equal. Young, ascendant businesses tend to be heavily focused on growth and will sacrifice almost anything in the name of new customer acquisition. These businesses are often doing everything they can just to keep pace with the speed of their own growth, and even basic security can slip from “must have” to “nice to have”.
LinkedIn learned this back in 2012 when it was reported that 6.4 million usernames and passwords were stolen. These credentials were not salted, making it much easier for criminals to crack the passwords. Unfortunately in May of this year, it became apparent that the breach was much larger than initially reported and affected 117 million users instead of 6.4 million. Even though LinkedIn began following industry best practice and salting passwords after the 2012 breach, the full database was apparently already compromised and being used for the past 4 years. Sometimes the mistakes we make in our youth can plague us for years.
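The storage mistake described above is easy to make concrete. The following is an added example, not code from the post: it contrasts an unsalted hash store with a per-user-salted PBKDF2 store over a constructed set of three users, and includes a simple audit check (duplicate stored hashes across users) that flags an unsalted store.

```python
import hashlib
import hmac
import os

# Constructed sample users; two of them chose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}
ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> str:
    """The pattern the post describes: a bare hash of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str) -> tuple[str, str]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns (salt_hex, hash_hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def verify_salted(password: str, salt_hex: str, hash_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def duplicate_hash_count(hashes: dict[str, str]) -> int:
    """Audit check: identical stored hashes for different users means the store
    is unsalted, so one cracked hash reveals every user who shares the password."""
    owners: dict[str, list[str]] = {}
    for user, h in hashes.items():
        owners.setdefault(h, []).append(user)
    return sum(len(users) - 1 for users in owners.values() if len(users) > 1)


def build_unsalted_store() -> dict[str, str]:
    return {user: unsalted_sha1(pw) for user, pw in USERS.items()}


def build_salted_store() -> dict[str, tuple[str, str]]:
    return {user: salted_record(pw) for user, pw in USERS.items()}


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_hash_count(build_unsalted_store()))
    salted = build_salted_store()
    print("salted duplicates:", duplicate_hash_count({u: h for u, (_, h) in salted.items()}))
```

With salts, alice and bob share a password but get different records, so an attacker holding the database cannot crack both with a single lookup.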
On the other end of the spectrum are businesses that are well-established, but perhaps are attempting to break through a plateau or stave off new competitors. Here we can take a lesson from the recent record-setting breach at Yahoo. In the PR aftermath of the disclosure, Yahoo was quick to point the finger at a nation-state source for the attack, a notion that was disputed by security researchers. Yet while the debate festered over who was behind the attack, word began leaking out that Yahoo had done itself no favors on the security front. The decision-makers at Yahoo balked at adopting automatic reset of user passwords for fear of losing subscribers, and decided not to invest in systems to detect active intrusions into the network.
In this case, the pressures to reverse Yahoo’s decline trumped what in hindsight was a clear need for stronger security. Of course, most things are clear in hindsight. It is easy to empathize with what the executive team was likely thinking at the time – “Hey, if we lose subscribers, there may not be a business left to secure.” But even in those dire times, the decision to shortchange security came back to bite them. In light of the breach, the lawyers at Verizon seem to be lining up to revisit or renegotiate the terms of the proposed $4.8 billion acquisition of Yahoo.
The point here is that, regardless of whether an organization is ascendant, stable, or descendent, we always have everything to lose. The pressures of the day can cloud this reality, but it is our job to keep bringing it to the fore. You don’t wait until you get rich to start wearing your seatbelt, because no matter your age or where you are on your personal journey, once again, you always have everything to lose.
It is almost never a perfect time to invest in security. There is always a critical goal or an exigent pressure within sight that could take priority. But we have to continually remind colleagues and ourselves that attacks don’t happen on our terms. In fact, the opposite is true: attackers are always looking for opportunities, and underfunding or understaffing security plays into their hands.
And this is where CISOs and security staff can provide steady guidance for the rest of the organization. It is our job to remain focused on the practical, responsible things that need to be done to keep the organization safe, or at least to mitigate risks as best we can. This is never more important than when an organization is under stress. It often falls to the security team to be the adult in the room, and to remind our colleagues that the very times you want to wave your hand and ignore security are typically the times you are at most risk.
Whether it’s as simple as being in a hurry and clicking that email link that you really didn’t pay attention to, or something more strategic such as not investing in attack detection and response because the company can “get by” without it until next year – these are the decisions that can lead to a breach. Instead of the “Department of No”, security teams need to be recognized as the even keel that stays the course even when the rest of the organization gets distracted.