<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Why don't people engage with security professionals early enough?  Are we too stealthy? in Industry News</title>
    <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5526#M606</link>
    <description>&lt;P&gt;I agree, if you take the exponential growth in technology, digital transformation and breadth of innovations and the various demands of IoT, privacy by design and the many untold implications of what appeared to be a good idea at the time.&amp;nbsp; Unfortunately, in general; humans learn in a more linear, phased approach, it can take time to adapt our thinking.&amp;nbsp; Almost, as though we need to re-learn to learn, but we also need to make space in our demanding days to give us, the ability to rethink rather than rush headlong from one issue to another.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We definitely, need to take a more fluid risk based perspective, static is out, dynamic and innovation is definitely in.&amp;nbsp; However, even in an Agile adopted organisation, some things need to be built-in, reviewed and re-checked and even to our best efforts and intent, some things will and do slip through the net.&amp;nbsp; Therefore I agree we need to be more adaptable, rather than taking the rigid approach of old.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 24 Jan 2018 18:21:01 GMT</pubDate>
    <dc:creator>Caute_cautim</dc:creator>
    <dc:date>2018-01-24T18:21:01Z</dc:date>
    <item>
      <title>Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5482#M598</link>
      <description>&lt;P&gt;Why is it that in some or many cases, security professionals are not engaged at the start of new initiatives either internally by their own organisations or via clients?&amp;nbsp; Is it because we frighten people? Are we too stealthy? &amp;nbsp; Is it because they don't want to trouble us?&amp;nbsp; Don't know how to engage with us professionally?&amp;nbsp; Don't want to embarrass themselves by asking the wrong questions?&amp;nbsp; Don't want to spend money on security?&amp;nbsp; What drives them to these momentary moments of insanity, where someone makes a decision at the start of an engagement not to get security professionals involved?&amp;nbsp; Which normally results in a high intensity catch up and help them out of a rut or in many cases save their bacon literally?&amp;nbsp; Security is a business (business, people and technology) problem, adding additional technology, which does not integrate with the organisational security framework and how it operates, just exacerbates the situation as we all know.&amp;nbsp; Answers and points of view would be appreciated.&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jan 2018 21:39:31 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5482#M598</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2018-01-29T21:39:31Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5485#M599</link>
      <description>&lt;P&gt;It is easier to ask for forgiveness later than to get permission first.&lt;/P&gt;&lt;P&gt;I didn't want to be told no.&lt;/P&gt;&lt;P&gt;You guys always kill or slow down our projects.&lt;/P&gt;&lt;P&gt;Oh. I forgot.&lt;/P&gt;&lt;P&gt;Those 4 excuses are what I hear the most. So we have to get away from being known as the department of "No!". You have to start becoming an innovative security practitioner and finding ways to get invited to the early meetings. Make yourself available. Ask that you be brought in early and if you are needed you can bow out gracefully.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jan 2018 21:32:03 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5485#M599</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2018-01-23T21:32:03Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5486#M600</link>
      <description>&lt;P&gt;Great question.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;All the "excuses" you list as questions are valid, and happen frequently.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For thousands of years, security types have had these issues.&amp;nbsp; This is nothing new with cybersecurity.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are seen as door stops, speed bumps, naysayers, doomsday preachers, fanatics, weirdos, paranoid reactionaries, hall monitors, nannies, scolds, project-stoppers, gadflies, and a few other terms I've heard.&amp;nbsp; It's not insane.&amp;nbsp; It's actually quite normal.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am sure the Head of Security for the ancient town of Jericho had to reproach the king and say, "Seeeeeeee?&amp;nbsp; I told you those blasting horns would be a problem when Joshua showed up.&amp;nbsp; But did you listen?&amp;nbsp; Nooooooo."&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; We all recognize that built-in security is far more cost-effective than security bolted on later.&amp;nbsp; It's a wonderful maxim, but, unfortunately, most security policy (and technology) is written in blood.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Mc&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jan 2018 21:39:13 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5486#M600</guid>
      <dc:creator>jmccumber</dc:creator>
      <dc:date>2018-01-23T21:39:13Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5488#M601</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt; wrote:&lt;BR /&gt;&lt;P&gt;It is easier to ask for forgiveness later than to get permission first.&lt;/P&gt;&lt;P&gt;I didn't want to be told no.&lt;/P&gt;&lt;P&gt;You guys always kill or slow down our projects.&lt;/P&gt;&lt;P&gt;Oh. I forgot.&lt;/P&gt;&lt;P&gt;Those 4 excuses are what I hear the most. So we have to get away from being known as the department of "No!". You have to start becoming an innovative security practitioner and finding ways to get invited to the early meetings. Make yourself available. Ask that you be brought in early and if you are needed you can bow out gracefully.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Great to hear from a live and kicking CISO from your perspective and I hope it elicits more constructive comments.&amp;nbsp; Because without full and honest disclosure, between all parties, someone is going to either lose their job, or the organisation is going to suffer a setback, they did not plan for at some point in time.&amp;nbsp; Unfortunately, the probability is sooner than later.&amp;nbsp; Well, as you state we have to be more innovative. &amp;nbsp; Hey guys, we could be saving you tonnes of money and making the organisation far more productive, efficient and by the way resilient, so you can keep going, if we agreed to work together and be engaged.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jan 2018 21:51:22 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5488#M601</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2018-01-23T21:51:22Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5515#M605</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1678586853"&gt;@jmccumber&lt;/a&gt; wrote:&lt;BR /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; We all recognize that built-in security is far more cost-effective than security bolted on later.&amp;nbsp; It's a wonderful maxim, but, unfortunately, most security policy (and technology) is written in blood.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Mc&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;AH HA! We have hit the nail on the head. Security Policy is sometimes too rigid and if we follow it to the letter of the law (exactly as it is written) then we tell people no. I think we need to move to more of a risk based decision model. Have the ability to adjust as needed (provided you have the experience or have shown in the past, good judgement) or elevate to the decision makers to accept the level of risk. The DoD started going to this model in 2016 and I think it will help mend those fences we broke in the past by being too rigid.&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jan 2018 13:59:01 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5515#M605</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2018-01-24T13:59:01Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5526#M606</link>
      <description>&lt;P&gt;I agree, if you take the exponential growth in technology, digital transformation and breadth of innovations and the various demands of IoT, privacy by design and the many untold implications of what appeared to be a good idea at the time.&amp;nbsp; Unfortunately, in general; humans learn in a more linear, phased approach, it can take time to adapt our thinking.&amp;nbsp; Almost, as though we need to re-learn to learn, but we also need to make space in our demanding days to give us, the ability to rethink rather than rush headlong from one issue to another.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We definitely, need to take a more fluid risk based perspective, static is out, dynamic and innovation is definitely in.&amp;nbsp; However, even in an Agile adopted organisation, some things need to be built-in, reviewed and re-checked and even to our best efforts and intent, some things will and do slip through the net.&amp;nbsp; Therefore I agree we need to be more adaptable, rather than taking the rigid approach of old.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jan 2018 18:21:01 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5526#M606</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2018-01-24T18:21:01Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5528#M607</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741"&gt;@Caute_cautim&lt;/a&gt; wrote:&lt;BR /&gt;&lt;P&gt;Why is it that in some or many cases, security professionals are not engaged at the start of new initiatives either internally by their own organisations or via clients?&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Ask a home improvement contractor how many times they are brought in to finish/fix some homeowner's attempt. Now bear in mind you are dealing with an area a lot more tangible and regulated than that broad umbrella that we call "technology." Ultimately whether you are talking a small business or a multi-national conglomerate, we love to leap before looking. But the issue isn't that developers or executives don't come to "us" earlier. It is that our skill set is not part of their training and experience. While the world will always need security specialists just like it will need building inspectors, the mistake is thinking security is some discrete process or product - like spraying fabric protector onto shirts or jeans after they roll off the product line. Just like contractors spend years developing the training and experience to do things correctly, technologists&amp;nbsp;should be doing the same. However, instead the model tends to be upside down. We first start using technology with no clue what we are doing - as&amp;nbsp;we now see schools shoving tablets in front of kindergarteners and parents eating it up. As kids progress through their learning, in regard to technology, they are typically surrounded by people less adept than they are with the resources.&amp;nbsp;In the workplace, entry-level positions all focus on technology or service delivery, not on security because that is an "advanced" topic. 
Isn't that a little backward?&amp;nbsp;Shouldn't the entry-level requirement be a good security foundation, then after that, we learn how to manage that router, mail server, etc?&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jan 2018 18:34:08 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5528#M607</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2018-01-24T18:34:08Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5530#M608</link>
      <description>&lt;P&gt;If only we set out and engaged with the business owners, to understand what are they attempting to solve, what the priorities in terms of alignment with the business strategy, objectives.&amp;nbsp; But also to take a more holistic perspective rather than concentrating on the technology.&amp;nbsp; The technology or services, may be a tool to resolve the business problem.&amp;nbsp;&amp;nbsp; But in deploying it, shouldn't we fundamentally review whether the benefits are fully obtained and potentially any implications of doing it this way too.&amp;nbsp; It's rather like a vendor rolling up to an organisation, telling all and sundry that their approach and solution will solve all their problems.&amp;nbsp; The majority, may go with the flow, i.e. what I call the group think or caught in a lobster pot thinking mode and purely accept what they are saying for expediency purposes.&amp;nbsp;&amp;nbsp; We need to give ourselves the room to think, keep evolving, and learning even as you state - from the floor up.&amp;nbsp; The fundamentals should be your essential baselines, seldom do these change in terms of principles and methodology.&amp;nbsp; Yes, we need more appendices, the younger the better and grow them into the role, as they mature.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jan 2018 18:59:21 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5530#M608</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2018-01-24T18:59:21Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5607#M611</link>
      <description>&lt;P&gt;Short answer - security will too often say no. Longer answer, security says no for a reason, not because we enjoy it, but because there is a risk associated with doing it your way. So engage security early on and after a few iterations, you will understand what some of the concerns are and in the future, will be better prepared and the delay will be minimal.&lt;/P&gt;&lt;P&gt;I have been doing a lot of third party assessments / due diligence projects and people were always complaining that I needed documentation rather than just sign off on a purchase. A few years later and some bad apples weeded out among third parties, they now understand that the additional two weeks of prep work will save a lot of headaches later on.&lt;/P&gt;</description>
      <pubDate>Sun, 28 Jan 2018 15:02:03 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/5607#M611</guid>
      <dc:creator>kratzy11</dc:creator>
      <dc:date>2018-01-28T15:02:03Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7172#M677</link>
      <description>&lt;P&gt;Great questions...good to see that others feel my pain.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I jokingly have a quote for Cybersecurity,&amp;nbsp; "Cybersecurity Black Ops...Things just happen"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The way I try to attack this issue is to say "cybersecurity is the bridge to help your organization be successful". I'm constantly involving myself between the development and operational departments to ensure Cybersecurity is involved throughout the life cycle of a project.&amp;nbsp; It's a constant challenge but in our world we have to be the masters of change.&lt;/P&gt;</description>
      <pubDate>Thu, 08 Feb 2018 14:26:04 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7172#M677</guid>
      <dc:creator>tavilucea</dc:creator>
      <dc:date>2018-02-08T14:26:04Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7178#M679</link>
      <description>&lt;P&gt;Hi All&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just to maintain momentum, we are also going through an "Agile" mystic with lots of organisations, who have literally adopted wholeheartedly the concept and philosophy with their teams.&amp;nbsp;&amp;nbsp; So initially, they throw out the rule book, principles etc and adopt an Agile focus that the team provide the "quality", discipline and security.&amp;nbsp;&amp;nbsp; It is the team's responsibility during their "Sprints".&amp;nbsp; Who needs security, it is in built they state from top to bottom of the organisation?&amp;nbsp; So, given these parameters, how do you inject security into the whole and still maintain at a level, reduced risk and reduced costs?&amp;nbsp; Or is it purely a fad?&amp;nbsp; Or are there benefits in this approach and security and privacy really is the responsibility of those involved and not management?&amp;nbsp; Keen to hear about others' experiences&lt;/P&gt;</description>
      <pubDate>Thu, 08 Feb 2018 18:15:32 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7178#M679</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2018-02-08T18:15:32Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7182#M680</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741"&gt;@Caute_cautim&lt;/a&gt;&amp;nbsp;regarding your query - I think you're asking is security a senior management responsibility or something incorporated into each component/process (i.e. under an Agile framework). My thinking has always been that security is a function of quality - how well&amp;nbsp;does each element execute&amp;nbsp;its tasks. It's hard for me to think of a security incident that can't, at some point, be traced to sloppiness. Part and parcel of ensuring individual tasks are done right is a management level responsibility to eliminate single points of failure. In other words, total quality assumes individual failure. As such, you have to make sure an individual failure at any stage can't disrupt the entire operation. Two or three coincident failures bringing down an operation? Sure, the perfect storm can happen, but I am hard pressed to find a clear case of that.&lt;BR /&gt;&lt;BR /&gt;Pulling back from all this though and asking how do we ensure quality/security, I think there is a spectrum of approaches that has at one point, very centralized operations - everything must go through a quality control function - and at the other point, very de-centralized operations - every unit does their own thing - but with very clear and enforced policy that ensures quality. I think on that spectrum of centralized to de-centralized, I think you will find security professionals moving from specialized (this is the absolute only thing I do) to generalized (I am a developer/administrator/analyst/etc. who also happens to understand security).&lt;/P&gt;</description>
      <pubDate>Thu, 08 Feb 2018 19:07:11 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7182#M680</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2018-02-08T19:07:11Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7183#M681</link>
      <description>&lt;P&gt;Absolutely, I am testing my own beliefs and abilities to be exact.&amp;nbsp; I am an architect myself.&amp;nbsp; We see security as part of the qualities of the entire solution design phases through to confirmation from the client.&amp;nbsp;&amp;nbsp; It is a Non Functional Requirement (NFR) if you like which can be measured.&amp;nbsp;&amp;nbsp; Good to find another like minded person.&lt;/P&gt;</description>
      <pubDate>Thu, 08 Feb 2018 19:25:27 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7183#M681</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2018-02-08T19:25:27Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7329#M693</link>
      <description>&lt;P&gt;Unfortunately, this year, already the consequences are revealing themselves in many ways.&amp;nbsp; 2018 is going to be a challenging year and people and organisations will be successful or face the consequences.&lt;/P&gt;</description>
      <pubDate>Tue, 13 Feb 2018 18:17:21 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7329#M693</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2018-02-13T18:17:21Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7437#M697</link>
      <description>&lt;P&gt;Awareness, is a key reason here, people do not understand how important security actually is and how much more difficult it is to retrofit.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also people are under a general misunderstanding that security always says 'No' or adds complexity and costs to projects etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 16 Feb 2018 14:46:54 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7437#M697</guid>
      <dc:creator>phollan1</dc:creator>
      <dc:date>2018-02-16T14:46:54Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7555#M703</link>
      <description>&lt;P&gt;The basic problem is they just don't see it.&amp;nbsp; Business: "We need a new system; hire a programmer" is the logical progression or lately "Go to the Cloud".&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm beginning to believe that we have been barking up the wrong tree. We will likely all agree that we are in the risk management business.&amp;nbsp;I also believe that the cyber insurance business will do a lot to improve cyber security.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Why? Because the insurance industry&amp;nbsp;knows how to quantify the risks and their rates will go up for poorer risks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Along this line I think it is time to discuss the risks of not having a cyber security integrated with IT Projects with the finance department.&amp;nbsp; Cost overruns, project delays, breaches, increased cyber insurance costs...&amp;nbsp; If we can get the money people to start asking the projects&amp;nbsp;if they have engaged cyber security, then we may get earlier engagement.&lt;/P&gt;</description>
      <pubDate>Mon, 19 Feb 2018 21:10:21 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7555#M703</guid>
      <dc:creator>D_Pengelly</dc:creator>
      <dc:date>2018-02-19T21:10:21Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7556#M704</link>
      <description>&lt;P&gt;There is also another perspective as well, which has just happened to myself.&amp;nbsp;&amp;nbsp; A group can be so fixated on technology, that they cannot fully appreciate or understand any other perspectives at all.&amp;nbsp; I.e. they don't know how people and processes work along with technology.&amp;nbsp;&amp;nbsp; So they remain fixated on the only thing they know best, i.e. technology.&amp;nbsp;&amp;nbsp; It's their comfort area, they understand it and cannot grasp anything beyond it.&amp;nbsp; Very closed minded, but this is an example.&lt;/P&gt;</description>
      <pubDate>Mon, 19 Feb 2018 21:15:10 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7556#M704</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2018-02-19T21:15:10Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7636#M716</link>
      <description>&lt;P&gt;I have tried to break down the problem areas into multiple areas with some comments.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Mindset: Information Security in IT / Business is always seen as a trouble maker or that causes hindrance. This is to do with the mindset. This needs to be broken into with the notion that it is not an independent function, but more of a need and one that works in a cohesive manner.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Education: Teach / educate people about the business consequences of having a security as one of the core requirements. If it is for a C Level, they should perceive the issues and should be educated to relate to IP, Adherence, Compliance and the all the consequences associated with it. It has to be carry out without losing momentum and purpose to all the lower levels being it operations, development, support and all other supporting functions. Typically the education could be iterated to any common architectural implementation and give lots of examples for what needs to be protected and how it can be broken into. I do not want to quote examples, but it could be anything such as even building a house and protecting the valuables inside it. Be it human, money, things, vehicles etc., and explain about the iterative process right from designing the house, adding perimeter security, monitoring, installing access controls, adding safes, segregation and storing of valuables, using 3rd party services such as banks, insurance providers, personnel, vehicle and infrastructure safety measures, safeguarding information related to all access and authorization measures such as keys, passwords, vault codes, inside attacks, social engineering and anything that is there in this world. The same could be mapped to the threat modeling approach and related to what needs to be done for the business at every level. 
The systems that needs to be implemented to protect and safeguard the valuable information / data and the responsibilities of everyone who are involved in the process. Education goes a long way right from what as an individual - a single person could contribute and develop the personal security habits to what he does as part of his job will add to the culture of having the right security mindset and all the mentioned issues will slowly be addressed over a period of time. Enforcing without proper articulation will lead to people circumventing / not adhering to the processes.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;People: Being from a programming background and subsequently progressed to an architect and higher into management, the planning was missing even in me. I used to think of ways to get away from Information Security practices / processes because it adds lot of delay and associated changes, but realized it is required for the success of everything that is related to business. As they say, human is the weakest link in a security chain, try and automate as much as possible with proper audit trails of all the activities and responsibility management. Based on the business requirements and needs, categories / segregation needs to be made with respect to the privileges and rights one shall possess to carry out their duties and it needs to be enforced to function. Bypassing / workaround on security will lead to and widespread and slow adoption resulting in with lot of troubles at a later stage.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;All the information security problems can be avoided with little monitoring and a lot of educaton and cultivating the mindset. It involves all the people who could help build a secure environment, platform, business and making it more resilient to attacks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;To summarize, it is the people's mindset cultivation, education and the culture that could help to go a long way! 
Just my thoughts.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I wanted to write more, but I believe the above covers the basic idea of it. It's not something new and which are not there, but, it's what came to my mind when I read the query. It is also something which I practice on a day-to-day basis and do as much mentoring to cultivate it among my peers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks and comments welcome. Have a fantastic day!&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2018 05:20:35 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7636#M716</guid>
      <dc:creator>Suri</dc:creator>
      <dc:date>2018-02-22T05:20:35Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7657#M717</link>
      <description>&lt;P&gt;I will indeed have a fantastic day:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Interesting update to my original question via this piece:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.securityweek.com/do-business-leaders-listen-their-own-security-professionals" target="_blank"&gt;https://www.securityweek.com/do-business-leaders-listen-their-own-security-professionals&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What do you think?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2018 21:36:03 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7657#M717</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2018-02-22T21:36:03Z</dc:date>
    </item>
    <item>
      <title>Re: Why don't people engage with security professionals early enough?  Are we too stealthy?</title>
      <link>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7865#M727</link>
      <description>&lt;P&gt;It is an interesting article. Though the emphasis on identity is the focus of the topic, I believe, the various threats are seen as a medium to get to the ultimate, the "data".&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;An interesting analogy that mapped security to the brake of the car talks about its functions to slow down the car, but practically brake being present will allow to drive faster. The mindset of seeing brake as a means to slow down the car should be perceived as an enabling factor which will allow to drive faster. Without brakes, you will be driving slow and carefully and cannot even stop the car when needed! &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If a slightly different approach is taken to map the various factors that revolve around the protection of the ultimate (the data), it will become easier to perceive the importance for employing security.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just my thoughts. Comments welcome.&lt;/P&gt;</description>
      <pubDate>Tue, 27 Feb 2018 04:55:33 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Why-don-t-people-engage-with-security-professionals-early-enough/m-p/7865#M727</guid>
      <dc:creator>Suri</dc:creator>
      <dc:date>2018-02-27T04:55:33Z</dc:date>
    </item>
  </channel>
</rss>

