Monthly Archives: May 2015

Security and Ugly Babies

Recently a colleague confessed his frustration to me over the resistance he’s been encountering in a new job as a security architect. He’s been attempting to address security gaps with the operations team, but he’s being treated like a Bond villain and the paranoia and opposition are wearing him down.

It’s a familiar story for those of us in this field. We’re brought into an organization to defend against breaches and engineer solutions to reduce risk, but along the way often discover an architecture held together by bubble gum and shoestring. We point it out, because it’s part of our role, our vocation to protect and serve. Our “reward” is that we usually end up an object of disdain and fear. We become an outcast in the playground, dirt kicked in the face by the rest of IT, as we wonder what went wrong.

We forget that in most cases the infrastructure we criticize isn’t just cabling, silicon and metal. It represents the output of hundreds, sometimes thousands of hours from a team of people. Most of whom want to do good work, but are hampered by tight budgets and limited resources. Maybe they aren’t the best and brightest in their field, but that doesn’t necessarily mean that they don’t care.  I don’t think anyone starts their day by saying, “I’m going to do the worst job possible today.”

Then the security team arrives on the scene, the perpetual critic, we don’t actually build anything. All we do is tell the rest of IT that their baby is ugly. That they should get a new one. Why are we surprised that they’re defensive and hostile? No one wants to hear that their hard work and long hours have resulted in shit.

What we fail to realize is this is our baby too and our feedback would be better received if we were less of a critic and more of an ally.

Tagged , , , ,

Are You Trying To Improve Security or Just Kingdom Building?

I’m a huge Seth Godin fan. Technically, a marketing guru, but he’s so much more than that. His wisdom easily applies to all facets of business and life. A few days ago, I read a post of his, “But do you want to get better?”

…Better means change and change means risk and risk means fear. So the organization is filled with people who have been punished when they try to make things better, because the boss is afraid.

I wonder if Godin ever worked in Information Security.

Some days it seems as though the practice of Infosec is more about how it sounds and looks to outsiders and very little about actual reduction of risk. Most of the time, real improvement to an information security program doesn’t arise from exciting changes or innovative new tools. It often comes from making better policies, standards and procedures. It could mean that you really don’t need five extra staff members or a Hadoop cluster. Maybe it means you learn to operationalize controls, automate and collaborate better with your peers in apps and infrastructure. Worrying less about kingdom building and more about what helps the organization.

But this kind of change is a gargantuan shift in the way many infosec leaders operate. Often, they’re so busy cultivating FUD to get budget, they can’t or won’t stop to ask themselves, “Do I want to make it better?”

Tagged , , ,

I’m a Doctor, Not a Security Expert!

While I don’t completely agree with the Rob Ragan’s sentiments in a recent article in Dark Reading on the limitations of security awareness training, I think the writer makes some good points, especially regarding the appropriate use of technical controls in combination with training to mitigate risk. I love the quote he includes from Adrienne Porter Felt from the Google Chrome Security Team:

 “…users are neither stupid nor lazy. They are musicians, parents, journalists, firefighters — it isn’t fair to also expect them to become security experts too. And they have other, important things to do besides read our lovingly crafted explanations of SSL. But they still deserve to use the web safely, and it’s on us to figure out that riddle.”
This was prevalent in my mind as I assisted my Luddite physical therapist last night in resetting her AOL password. She couldn’t get into her account for an entire day, all because a “security feature” locked her account for suspicious activity. Basically, she bought a new iPad and entered her complex password incorrectly multiple times. But because she used IMAP to connect to her account from her laptop, she had no way of knowing that the account had been locked and didn’t understand how to use the UI. So I did the unthinkable: I requested an account reset, then logged into the Gmail account she uses for account recovery and gave her the new password I created for her AOL account. She thanked me and told me how much harder my job was than hers, and that she would never do it. And this admiration was all predicated upon my resetting her password. Supposedly, one of the most trivial activities in IT. Any user should be able to do this, right?
Earlier this week, my team received a request to allow a user to install the Fitbit application on her company-owned system. It prompted an esoteric discussion on the security of the Internet of Things and the Quantified Self. I recommended that we approve the request and said, “Why are we even having this discussion? We’re an organization that has an employee wellness program and we’re wasting precious resources discussing whether or not this application increases organizational risk? We have approved applications that are more dangerous, such as Java, Adobe Flash and Internet Explorer.”
Why are we still so disconnected from our users, making user interfaces that are too complex, byzantine security procedures and arcane policies?
I'm a doctor, not a security expert!
Tagged , , , ,
%d bloggers like this: