SecurityWeek

Management & Strategy

How Insecurity Can Bolster Your Security Program

Insecurity Can Help Organizations Continually Learn and Make Changes


It’s always better to deal with issues in an orderly and strategic manner, long before they become a crisis. Unfortunately, many organizations struggle with this. As a result, they end up running from one crisis to another. This is, of course, not a great way to operate.

Security isn’t much different in this regard, sadly. There are some security organizations that are out in front and ahead of the challenges that await them down the line. Many, however, are not.

What constitutes the difference between a security team that continually operates in crisis and fire-fighting mode and one that doesn’t need to? It may sound contradictory, but it’s a healthy dose of insecurity. Quite simply put, insecurity is good for security. How can this be?

In my experience, overconfidence in our field results in a false sense of security: a denial of sorts that the challenges awaiting us down the line will either never come or, if they do, will not be difficult for us to overcome. Interestingly enough, openness to tackling the challenges of the future and room for improvement are only present when pride is swallowed and put in check.

In this piece, I’d like to show, through five examples, how insecurity can actually help bolster a security program by allowing an organization to continually learn and make changes, thus improving.

● Breaches: Some people consider a breach a failure of security. I consider it a learning opportunity. How so? Ideally, organizations would foresee potential breach vectors and work to mitigate them before any breaches occurred. In reality, however, this is difficult for several reasons:

– In a resource-constrained environment, operational issues always take priority over strategic ones


– It is quite difficult to foresee all potential breach vectors ahead of time

– Foreseen breach vectors may not be taken as seriously as they ought to be due to a false sense of security and an unhealthy dose of overconfidence

Breaches make us feel insecure and put our overconfidence in check. That gives us a great opportunity to correct the weaknesses that brought about the breach we’re dealing with. It’s also a great opportunity to take a step back and, with a sense of humility and an eye for detail, identify other potential breach vectors requiring attention.

● Hiring: An excellent piece of advice when it comes to hiring is to always hire people smarter than you. It may sound like common sense to try and find the best and the brightest to fill each and every position. In practice, however, it’s harder than it seems. It takes a healthy dose of insecurity and a strong desire to do what’s best for the organization to hire people smarter than yourself. Some smaller-minded managers feel threatened by anyone sharper than them. This is foolish and shortsighted. A good manager is one who is a bit unsure of his or her own abilities. This pushes them to hire people who are more capable than they are or whose capabilities complement their own, thus building a better security organization.

● Process: Do you have mature processes? Are your processes well thought out? Do your processes cover all necessary functions? If your answer to these questions is yes, are you sure? If so, your confidence may leave you with a blind spot, gaping hole, or systemic issue. A little bit of self-doubt goes a long way here. If you feel that your processes may fall short and put your organization at risk, you stand a chance of making meaningful improvements to them. That, in turn, will allow you to improve the organization’s security posture.

● Metrics: I’ve heard people boast about their security organization and security capabilities many times. Phrases like “we run a world-class security organization here”, “our people are the cream of the crop”, and “our security capabilities are very mature” abound. Oh yeah? Prove it. If your security posture is at the level you say it is, you ought to be able to show it with meaningful metrics that illustrate your point. Worried that may not be so easy? Good. That’s a healthy dose of insecurity that will drive you to continually improve your capabilities and strive to show that improvement and performance over time. Feeling that you need to constantly show the value you provide will keep your security organization maturing and moving forward.

● Patching: Feeling like your organization is a reasonably secure place? That might not be so great. Complacency leads to laziness. Nowhere is this felt more acutely than in the areas of patching and vulnerability management. It helps to always feel a bit uncomfortable, exposed, and at risk. Besides likely being the true state of the organization at any given time, these feelings cause the organization to sense a bit of urgency. This helps to motivate both the security team and the business to stay on top of patching. You snooze, you lose. When it comes to vulnerabilities, the price can be a high one.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Field CISO at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
