In Security, What We Don't See Can Hurt Us

As unfortunate, sad, and tragic as traffic accidents are, they regularly have one thing in common.  When one of the people involved in the accident is asked how the accident happened, the response is often, “I just didn’t see the other driver coming.”  The fact that this is such a familiar response is not surprising.  Obviously, had one driver seen the other one coming, in many cases, the accident could have been avoided.

At this point, you may be asking yourself what traffic accidents could possibly have to do with information security.  In my experience, there is an important lesson we can learn here and benefit from within our field.  Many organizations invest a tremendous amount of time, money, and resources into mitigating risks and threats they are acutely aware of.  But how many organizations have stopped to think about what they might not be attuned to?

Or, to put it another way, humans are quite good at planning for or reacting to factors, obstacles, and events that they can see.  But how many times have you spoken with someone after an event has caught them by surprise (whether in life or in security) and heard “Wow - I did not see that coming!”?  If you think about it, it is not surprising that this response occurs fairly routinely.

Many of us are quite prone to sitting in a familiar environment and gazing out into a field of view that we have grown extremely comfortable with.  But what many of us don’t realize is that our environment and field of view are often fantastically partial.  In other words, we are unaware of just how in the dark we are and just how much of the picture we are missing.

In security, one of our goals should always be to broaden our perspective, field of view, and horizons to minimize the risk that we will be blindsided by something we didn’t see coming. Most of the large breaches and embarrassing security incidents over the years have been caused by unknown unknowns.  So how can organizations reduce the chances that they will be caught off guard by something they didn’t see coming?  I’d like to offer 5 ways here:

1. Acknowledge your blindness:  It doesn’t matter how large your security organization is, how mature your security program is, how experienced your team is, or how long you have been a leader in the field.  There is simply no way that one organization with one group of people, one set of leaders, and one view of the world can obtain a truly broad field of view.  Coming to terms with this is the first step towards reducing the organization’s blind spot.

2. Be humble:  Overconfidence can be a terribly destructive force in so many ways.  In security, overconfidence typically manifests itself in the form of carelessness and neglect.  It’s far too easy to convince ourselves that we’ve accounted for everything.  That we are on top of the different challenges we face.  That we are protected against the risks and threats we are most concerned about.  I’ve met with many organizations who exude this level of confidence over the course of my career.  And more than just a few of them have subsequently been the victim of attacks and intrusions that would seem to suggest that a little humility would have gone a long way.

3. Survey the scene:  Many security organizations have developed relationships with peer organizations or are members of third-party organizations or industry groups designed to help them develop those relationships.  Most organizations use these relationships to share information about what they know, what they’re working on, or perhaps even their priorities for the upcoming year.  But how many organizations leverage these relationships to explore and probe what they don’t know, where they may be lacking visibility, or where they may be in the dark or missing something entirely?  In my opinion, this is one of the greatest missed opportunities in the industry.

4. Embrace being wrong:  It can be hard to come to terms with the fact that we may have missed something, that we may have been off target, or that we may have been focused on a very partial field of view.  But it’s important to embrace it.  We are human - no one expects us to think of and account for everything.  But you know what people do expect?  That we will accept that we have erred, be open to receiving feedback, and work to correct our mistakes.  There is no shame in this pattern of behavior.  Isn’t it preferable to catch our mistakes early on before we are caught by surprise after an attack or intrusion?

5. Rinse and repeat:  Now that you’ve completed steps 1-4, take a moment to revel in your reduced blindness.  But not for too long - take another look and see where your new blind spots are.  Where can you focus next on expanding your field of view and improving your information security posture?  Where can you accept feedback and take action based upon that feedback?  Where can you learn what else you might be missing or overlooking?  And of course, beyond your own organization, what other organizations and individuals could benefit from your newly gained perspective?  Don’t forget to pay it forward and help them find their way out of the darkness as well.

Perhaps one of the biggest ironies of being in the dark is that we most often don’t realize that we are there.  In security, a narrow field of view and a large blind spot can introduce significant risk into an organization.  When an organization works to expand its field of view and reduce its organizational blind spot, it goes a long way towards improving the organization’s overall information security posture.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.