Insecurity Can Help Organizations Continually Learn and Make Changes
It’s always better to deal with issues in an orderly and strategic manner, long before they become a crisis. Unfortunately, many organizations struggle with this. As a result, they end up running from one crisis to another. This is, of course, not a great way to operate.
Security isn’t much different in this regard, sadly. There are some security organizations that are out in front and ahead of the challenges that await them down the line. Many, however, are not.
What constitutes the difference between a security team that continually operates in crisis and firefighting mode and one that doesn’t need to? It may sound contradictory, but it’s a healthy dose of insecurity. Quite simply put, insecurity is good for security. How can this be?
In my experience, overconfidence in our field results in a false sense of security. A denial of sorts that the challenges awaiting us down the line will either never come, or if they do, will not be difficult for us to overcome. Interestingly enough, openness to tackle the challenges of the future and room for improvement are only present when pride is swallowed and put in check.
In this piece, I’d like to show, through five examples, how insecurity can actually help bolster a security program by allowing an organization to continually learn and make changes, thus improving.
● Breaches: Some people consider a breach a failure of security. I consider it a learning opportunity. How so? Ideally, organizations would foresee potential breach vectors and work to mitigate them before any breaches occurred. In reality, however, this is difficult for several reasons:
– In a resource-constrained environment, operational issues always take priority over strategic ones
– It is quite difficult to foresee all potential breach vectors ahead of time
– Foreseen breach vectors may not be taken as seriously as they ought to be due to a false sense of security and an unhealthy dose of overconfidence
Breaches make us feel insecure and put our overconfidence in check. That gives us a great opportunity to correct the weaknesses that brought about the breach we’re dealing with. It’s also a great opportunity to take a step back and, with a sense of humility and an eye for detail, identify other potential breach vectors requiring attention.
● Hiring: An excellent piece of advice when it comes to hiring is to always hire people smarter than you. It may sound like common sense – to try and find the best and the brightest to fill each and every position. In practice, however, it’s harder than it seems. It takes a healthy dose of insecurity and a strong desire to do what’s best for the organization to hire people smarter than yourself. Some small-minded managers feel threatened by anyone sharper than them. This is foolish and shortsighted. A good manager is one who is a bit unsure of his or her own abilities. This pushes them to hire people who are more capable than they are or whose capabilities complement their own, thus building a better security organization.
● Process: Do you have mature processes? Are your processes well thought out? Do your processes cover all necessary functions? If your answer to these questions is yes, are you sure? If so, your confidence may leave you with a blind spot, gaping hole, or systemic issue. A little bit of self-doubt goes a long way here. If you feel that your processes may fall short and put your organization at risk, you stand a chance of making meaningful improvements to them. That, in turn, will allow you to improve the organization’s security posture.
● Metrics: I’ve heard people boast about their security organization and security capabilities many times. Phrases like “we run a world class security organization here”, “our people are the cream of the crop”, and “our security capabilities are very mature” abound. Oh yeah? Prove it. If your security posture is at the level you say it is, you ought to be able to show it with meaningful metrics that illustrate your point. Worried that may not be so easy? Good. That’s a healthy dose of insecurity that will drive you to continually improve your capabilities and strive to show that improvement and performance over time. Feeling that you need to constantly show the value you provide will keep your security organization maturing and moving forward.
● Patching: Feeling like your organization is a reasonably secure place? That might not be so great. Complacency leads to laziness. Nowhere is this felt more acutely than in the areas of patching and vulnerability management. It helps to always feel a bit uncomfortable, exposed, and at risk. Besides likely being the true state of the organization at any given time, these feelings cause the organization to sense a bit of urgency. This helps to motivate both the security team and the business to stay on top of patching. You snooze, you lose. When it comes to vulnerabilities, the price can be a high one.