The failure(s) of Security


So, let's start the rant with a question I keep asking myself:

Why am I dispelling the same 5 myths or explaining away the falsities in every company I work in?

Myth Busting Time

We (Security) really need to stop reinforcing this shit

Obvious Disclaimer
- If you believe these myths it isn't your fault.

Unless you claim to work in security and have done so for more than 5 years. Then it is your fault.

Let's start strong and attack the profession and the body of knowledge of Information Security first. However, let us also acknowledge the elephant in the room. Until recently there has been no clear path into the field of security, no "everyone should know this" and no way of collectively convening ourselves.

I am not even sure there is one now, but I might be wrong, and this blog may age like milk left in the sun if I don't accept, or at least pretend to reference, that someone is trying to fix these problems.

Security is Hard and Complicated

Stop drinking your own or your suppliers' damn Kool-Aid
(looking at you... security people)

So, first things first. It isn't hard and it isn't complicated. The situation, environment or business you go into will always be in flux, and that might provide a facade of complexity on top of the job, but the topic and its goal always stay the same.

However, the myth that it is hard and complicated is often used to buy time, to remove the need to get buy-in on merit alone, or to raise funds for investment in place of good project management or a solid business case. It is also used by suppliers to sell you the super special sauce or silver bullet, that one extra thing you must have to make all the problems go away.

IRONICALLY, believing it is hard makes it hard, and letting suppliers sell you silver bullets that become magic dead beans makes it much more complicated.

To sell my own snake oil: go to isms-ep-1 and realise that what is on offer might be cod liver oil rather than snake oil. You need to know the following no matter what:

  1. How much you are willing to lose (Risk Appetite, and for God's sake measure it in your local currency)
  2. How much you are willing to spend (... making it a % of risk appetite makes the business case easier)
  3. What you are protecting (what are your assets?)
  4. Who has access (and why do they?)
  5. Where you can prove you know the above, and what you have done to make it all come together (your security strategy)

Honestly, you can be a company of 5 people or 500,000; the above is what you need to do, know and educate on. That's it. Yes, there is a lot that can be done to be more confident in your answers, make the education easier for your different stakeholders and speed up getting your information. But... it still always comes back to the same 5 questions.

If 5 questions underpin everything... it's not complicated and it isn't "hard".

Provide all the details in-depth

Please don't. I'll be bored in that conversation, and I kinda love this topic.
However, do document the shit out of it.

Security is a niche, simple as that. It's a niche of either technology, risk or compliance. However, accept that those three are also niches. So guess what: that stakeholder who isn't within Security does not care about the in-depth details, and shouldn't.

Most people will want to help, but they don't need to be preached at, lectured at or become an "expert" before understanding your point. So work out your point, put it in a language your stakeholder will understand, and remove the in-depth profession-specific language or jargon.

When I say language, I mean work out their skin in this game and frame it that way.

  • If it's the Finance Director, put it in money spent vs money saved
  • If it's the CTO, put it in money spent vs time saved or speed increased
  • If it's the Product team, put it in money spent vs problems you have removed for them
  • If it's the executive, put it in money spent vs the best decision on what to do next, and why the other options are possible but not optimal

Notice anything in common? You are a RED LINE in a finance spreadsheet. You do not bring in money, so show why spending it on you is the best option. Explaining the in-depth details of patching percentages, the mechanics of ransomware and why Russia is the big bad isn't going to help them work out whether one more dollar/pound/euro is better spent on you or on the marketing team, who promise them that for every $5 they spend they get $10 back. Up your game and remember you are in a business; act and talk like it.

However, those details you learned while gathering the information or data needed to simplify your message: make sure they are documented and structured in such a way that anyone can get at them when needed, even though they aren't needed 99% of the time.

They are needed that 1% of the time when the world is on fire, which is clearly the worst time to find they have been misplaced.

EVERYONE WILL DIE

One breach and everyone goes to Jail/ Dies/ Gets shot into a Volcano...

Just don't. Honest to god, the fear tactic is as empty as crying wolf to a crowd of wolves, or maybe to a crowd who know wolves are extinct. Guess how many people have gone to jail due to bad security... 0 (more information here)

OH NO WE WILL ALL GO TO JAIL WITH ALL (ZERO) OF THE OTHERS.

Ok, that story was from 2020, but a quick Google shows that still no one has. Yes, there have been criminal cases involving security, but that tends to be because of other crimes. And Gartner's claim that CEOs will be personally accountable for breaches by 2024 is, unsurprisingly, still nonsense (another spot-on prediction by Gartner; they need a rant of their own... crystal-gazing technology "experts").

If this is the tagline you have heard, you are talking to a witch doctor ("Trust me, I know the best type"), so run. Now, the legal norms are changing, with GDPR being better understood and people deserving basic privacy rights. However, again, unless you do something malicious or just straight up dumb, it is unlikely you are going to be forced out of business by the legal system due to a breach. You might lose too many customers, but there are ways of dealing with the PR nightmare of a breach as well.

So please don't use this line to justify your existence; it's a short-term survival method when you need to make sure security thrives. Learn to help the business, educate them and make your job more financially stable, rather than trying to scare them, you edge-case-apocalypse-spouting echo chamber of a human.

If you design a system with 8 BILLION weak points, you designed a stupid system.

If humans are the weakest point, you designed something without the human in mind, and honest to all the gods you deserve the pain that brings you. Technology can be constrained to set boundaries (yes, that can be difficult), as chaos or randomness is extraordinarily hard for a computer to produce. You know what doesn't have that problem... humans. We are only limited by imagination, patience and laziness.

Therefore, if you make a system hard to understand or engage with, or add friction to it, expect someone cleverer or dumber than you to work out a clever or obvious way around it. And then never talk to you again, losing you your two most important resources when something goes to shit: trust and communication.

They are going to help you when shit hits the fan, so treat them with respect when it isn't.

Test your changes, your controls and your systems on a wide spread of users and roll them out slowly. Learn and accept when things go weird, wrong or even right over time, with the understanding that you may need to change or kill what you are rolling out. This is common practice in the fields of product design and software development.

Accept that all of your designs and plans are exactly that: designs. No design is complete and optimised, so don't expect your controls to be, and when someone does something spectacularly obvious or clever to get around them, thank them, then adapt the design and learn from 8 billion potential testers... not weak points.

Security training will educate

Training is not Education and Education is not training... learn the difference. Please.

Any knowledge professional should be taught how to teach. This one, as an ex-academic, hurts and annoys me the most: annual training, security training, ad hoc training and those dumb tagline message reminders.

Let me be clear, education is required before training, and training helps reinforce specific education to specific circumstances.

If I taught you how to do Stochastic Statistical Modelling without teaching you how to count, you would eventually learn the answers to the questions (especially with multiple-choice, try-as-many-times-as-you-like quizzes) and then forget the answers, or the minimal part of the theory that made sense, 2 minutes after you got the "80% minimum - congrats, you passed" message.

Training is skill-based, and to have a skill you need to have an understanding of the "thing" the skill is based on. Security training is flawed because it is provided by experts who don't acknowledge the lack of security education among those not in security (see the niche-of-a-niche part above), nor do they realise that if someone is not working in security, the likelihood is they don't want to be an expert. Ever. And why should they? I don't want to be an expert in finance, but I trust that the accountant is, and they don't force me to learn to balance the books before giving me money.

The best you are doing is reinforcing how to react to specific situations and what the tick boxes and steps are when that happens. Phishing? Report it to security...

Ok. How? Do you email a specific address, do you press a "report phishing" button, or do you phone me? And then what? Pray it away / delete it / click it for fun? Is your training ever related to the system they are actually using and seeing on a daily basis? If not, what are you training them on?

Unless you also explain the basics of cyber hygiene and then build up understanding to the point they can relate the training to the knowledge they have, how will they know how to react when facing a situation even slightly different from the one in your training?

Let's accept that this (education) is a missing element in everyone's security plan, and that training is done for audit and for a tick box on a spreadsheet. If that is the case, explain that to them, don't make it SUPER IMPORTANT, and don't encourage the "we are all going to die" behaviour from above.

Ok what's the solution?

Honestly, when it's created it will be linked back to this rant.

The rant was to educate, to try to remove some encouraged behaviour and to blow off steam, making sure that those who have the same thoughts don't feel as insane as I do.

The rant has convinced me that further exploration of these subjects needs to be done, and when it is, hopefully with solutions, it will be linked back to this. For now... don't do the above. Please.

The Remote CISO


10 years on, and with each job ending up doing the same job for 6 months, I wish to educate you and let you save those 6 months of cost for the costs that truly matter.
United Kingdom