I recently had the pleasure of traveling in the Pacific Northwest to conduct several visits with top network security teams. I enjoy making these types of trips, especially when new patterns of insight emerge.
A long time ago, I learned just how different corporate cultures can be. Visit ten companies in five days, and you can’t help but notice how different each one is. Security teams are much the same – some are pragmatists, some cynics, some shell-shocked, many are paranoid, and you still meet a few optimists.
My trip had me thinking about the downsides of too much skepticism. Voltaire knew all about this back in 1759. In his novel Candide, he has a curious character named Pococurante. Nothing was ever good enough for him, despite his great wealth and possessions. The following is an exchange between Candide and his friend Martin after a visit with Pococurante:
“True,” said Candide, “but still there must certainly be a pleasure in criticizing everything, and in perceiving faults where others think they see beauties.”
“That is,” replied Martin, “there is a pleasure in having no pleasure.”
It seems to me that Voltaire well understood the IT security mindset.
My point is not that we are a joyless lot; some of the best wine snobs and music aficionados I know also happen to be security professionals. But we are professionally pre-disposed to pessimism, perfectionism, and pedantry. There are times when this is essential to our effectiveness; being detail-oriented and skeptical is necessary. So where is the limit? Where do we stray into too much of a good thing?
One focus of these discussions was what we call security program evolution. Over the years, we’ve found organizations generally shift between five different levels of use of our technology, in a fairly standard sequence as they mature. In two of the three meetings, I had a chance to discuss our “maturity model” with management without the individual team members present. Each time, the reaction was very positive. However, the management teams firmly insisted that they were “stuck in second gear,” and they were keen to get to the higher gears as soon as possible.
In one retail organization, the individual team members arrived later. I showed them the same maturity model, and they could immediately cite instances of work they had done in gears three to five! But how did they talk about it? They mentioned challenges they had run into along the way. Nothing fatal, just some speed bumps they had to step over to get where they were going. It was interesting that they phrased their successes as criticisms!
After that meeting, I went on to a private financial institution. Here, we met only with the managers. The rest of the team members were offsite, but had left a list of questions. First, we talked through the maturity roadmap, and the managers repeated that they felt stuck in second gear. After reviewing the team’s questions we noticed they were detailed, highly technical observations about the inner workings of gears four and five of the system. There is simply no way the team could have asked these questions without working extensively within the sophisticated layers. Management had no idea! Even as they read the questions back, they couldn’t see what they implied – not that they should be able to, since as managers, they aren’t responsible for tracking which features achieve which ends.
So where is the disconnect? How could the managers and the team members be so far out of alignment? The natural security cynic might say it’s likely to be self-preservation. That is, some teams don’t want management to know about advanced uses of security tools, because it will just be added as another job duty. But that doesn’t bear out with the teams I met.
This brings me to team number three, where I had worked only with the individual team members. They had advanced questions for me in the area of decomposing high level security metrics on their management dashboards.
Measuring security posture is quite hard, but is being done by many leading network security teams. Of course, once you have meaningful measurement of your situation, you begin to pick up all kinds of bumps in the road you couldn’t even detect before, which is one major point of the exercise. This team wanted to dig into a recent subtle case, where the overall attack vulnerability metric shimmied less than 10 percent.
I politely suggested that the team lead should make a note for their next performance review, because it is no trivial thing to be able to stand up a metrics program and get the baseline established so well that a 10 percent deviation is even detectable. The response? “I guess you’re right – I never thought about it that way!”
I think this is one point where our ingrained fault-finding lets us down. We are so steeped in the ways of the skeptic that we miss our own successes. It was quite a shock that the successive teams of security professionals reached high levels of success, and totally missed the opportunity to communicate that to management. This is where our necessary habits for this job turn into a liability, as we apply our negative turn of mind to our own departments and organizations, and fail to talk about success or progress.
Maybe we think we’ll appear to have gone soft, or maybe we just lose the habit along the way. But what a career limiting move! Lighten up, we can and are making real progress, and better yet, we can measure it! Now we need to communicate it.
Related Reading: What Does Your Cybersecurity “A Team” Look Like?