Ethical Hacking Blog

Why People are so Wishy-Washy When Talking About Security

Written by Ben Schmerler | Jun 19, 2024 6:29:00 PM

A few weeks ago, I attended RSA Conference with the ISE team as a part of the IoT Village. We set up an exhibit in the RSA Sandbox to talk about some of the cool stuff we do when it comes to ethically hacking IoT devices and helping people manage their security challenges. One thing I noticed was the hesitancy many people had when talking about what they do for security. A conversation might go something like this.

Me: “Hey, I’m Ben, nice to meet you. What brings you to the conference?”

Person: (Gives some info on what they do)

Me: “Nice, well what do you do to manage vulnerabilities?”

Person: “Uhh, well…we do tests sometimes. I dunno. We have a team that does it.”

As I start to ask some broad, high-level questions, some people seem to not want to get into it or just give vague, elusive answers. But why is this the case? If we were at the gym, and I asked you what kind of workouts you like to do to stay in shape, you’d probably tell me your entire routine and what you like about it. I wasn’t asking about their most critical vulnerabilities, or how much money they were spending, or security incidents they had. I was just asking how they approach managing a challenge.

In general, this shouldn’t be a secret. Let’s explore some of the things I have learned over the years about the hesitation to talk about security management. I’ll use some broad examples rooted in IT, but this could apply to web applications, IoT devices and embedded systems, or really anything where you have an asset you want to protect.

 

Reason #1: They think it should be a secret…because…reasons

Somewhere along the line, this idea came along that the way we manage security is sensitive. Maybe it’s a military/national security kind of mindset. “I can neither confirm nor deny that we manage security.” For the most part, I think this is kind of silly. We don’t need to get into the nitty gritty about every vulnerability we have found, or things we detected from our SIEM, or mitigation strategies we employ. Simply talking about some of the positive things we do to support our security goals should be totally fine. While we might not share every detail, one way we can make our security practices better is by talking about what we do and being open to change. Isn’t the whole point of going to conferences or engaging in the community to learn something?

Reason #2: They aren’t confident about their security practice

You’ve probably been to the dentist before (I hope). When you are in that chair, and the hygienist asks you about your flossing habits, there’s a good chance you play it up because you’re a little embarrassed at the truth.

“Oh yeah, I floss all the time. It’s my favorite thing to do. Yep, nothing like a nice floss to clear all that stuff out.” Meanwhile, your bleeding gums tell a different story. I wouldn’t know anything about this, of course. I’m just saying…

One of the things people do in general is talk about things in perhaps more of a positive light than the actual reality. We don’t want to be seen as irresponsible, or clueless, or anything that makes us seem like we aren’t doing what we are supposed to. But I have a secret to share with you…

Nobody is perfect. We all mess up. We all have blind spots. Things can always be better.

When I talk with clients about moving forward with security, whether it’s adjusting their testing methodology, cadence, investment, etc., I really try to come at it from a place of sympathy and a desire to help, as opposed to some kind of judgment. Rome wasn’t built in a day, as they say. We are here right now to talk about getting better, not re-litigate the dozen reasons why security isn’t as good as it could be. All of the stakeholders who are making an effort to improve security are trying and we should praise this effort, rather than look for reasons to shame them for security practices from the past which they probably had limited control over in the first place.

 

Reason #3: It’s hard to talk about security when it’s not organized

Over the years, I’ve talked to many people at the beginning of some kind of security assessment (often a penetration test). You always start by going over the landscape first. Let’s say we are assessing a corporate network for an average company. Usually, the client has some kind of IT person who is brought to a meeting to answer questions. The goal is to find out both the purpose of the network and why it provides value to the company, as well as what tools are in place to help manage risks and security.

Sometimes, I’ll discover that some of these areas are a little more organized than others. For example, an IT person will often know what every server does, what apps/services are running, the backup schedule, and even things like available storage space. Sometimes, these other more discipline-based details are less well known or handled more ad hoc, such as…

  • Manual processes, like updating firmware on hardware
  • Monitoring of logs, or if logs are even stored in the first place
  • How Acceptable Use, Mobile/Personal Device and other usage policies are communicated to staff and updated as things change
  • An approach to Threat Modeling, including documentation of important assets so we know what we need to protect and why it matters
  • How the vendors, 3rd parties, and others that we share data with are vetted and managed
  • What general standards your organization seeks to adhere to and why that standard was selected
  • When the last security assessment happened, what the methodology was, the approach to remediations/mitigations, and the cadence in which these activities happen

Most organizations do some or all of these things (and more), but the approach can be haphazard. “Hey, you know, I haven’t updated the firewall’s firmware in a while, so I should go check on it” instead of “I check the firmware of the firewall every 3 months.” A better approach is to identify every practice and policy that contributes to security and document it. Put it in writing, even if it’s just a big laundry list. Give yourself a schedule or other tools to make sure these activities happen at the right cadence, and make sure that includes time to review and update your security practice. Always try to improve and don’t expect perfection.
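As an added illustration (this is not code from the original post or from ISE), here is a small Python register that turns that laundry list into something with owners, cadences and last-done dates, and reports what is overdue, due soon or has never been done. It also produces the kind of non-sensitive talking points (“we check X every N days”) that are safe to share in a hallway conversation. The practice names, owners, dates and evidence locations are constructed sample values, not anyone’s real inventory.

```python
"""Added example: a machine-checkable version of the "big laundry list"
of security practices. Each practice records who owns it, how often it
should happen, when it last happened, and where the evidence lives.
All names, owners and dates below are constructed for illustration."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Practice:
    name: str
    owner: str                  # who is responsible for doing it
    cadence_days: int           # how often it should be done
    last_done: Optional[date]   # None means there is no record of it ever happening
    evidence: str = ""          # where proof lives (ticket, report, runbook)


# Constructed sample register; replace with your own inventory.
REGISTER = [
    Practice("Firewall firmware update check", "IT", 90, date(2024, 3, 1), "change ticket"),
    Practice("Review log retention and alerting", "SecOps", 30, date(2024, 5, 25), "SIEM runbook"),
    Practice("Acceptable use policy refresh", "HR/IT", 365, date(2023, 5, 10), "policy repo"),
    Practice("Threat model review of key assets", "Security", 180, None, ""),
    Practice("Vendor / third-party access review", "Procurement", 180, date(2024, 1, 15), "vendor tracker"),
    Practice("External penetration test", "Security", 365, date(2023, 8, 1), "assessment report"),
]

DUE_SOON_WINDOW = timedelta(days=14)


def status_of(p: Practice, today: date) -> str:
    """Classify one practice as 'never', 'overdue', 'due-soon' or 'ok'."""
    if p.last_done is None:
        return "never"
    next_due = p.last_done + timedelta(days=p.cadence_days)
    if next_due < today:
        return "overdue"
    if next_due - today <= DUE_SOON_WINDOW:
        return "due-soon"
    return "ok"


def check_register(register, today: date) -> dict:
    """Group practice names by status so the gaps are visible at a glance."""
    report = {"never": [], "overdue": [], "due-soon": [], "ok": []}
    for p in register:
        report[status_of(p, today)].append(p.name)
    return report


def talking_points(register) -> list:
    """Non-sensitive one-liners: what is done and how often, with no versions,
    findings or dates that you might prefer to keep private."""
    return [f"{p.name}: every {p.cadence_days} days (owner: {p.owner})" for p in register]


if __name__ == "__main__":
    today = date(2024, 6, 19)  # constructed reference date
    for status, names in check_register(REGISTER, today).items():
        print(f"{status:9s} {', '.join(names) or '-'}")
    print()
    for line in talking_points(REGISTER):
        print(line)
```

Run it on a schedule (or in CI against a file you keep under version control) and the “never” and “overdue” buckets become your to-do list; the evidence field is what you point an assessor at later.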

 

Reason #4: The discussion might create more work

Make sure you are sitting down. You might not believe what I’m about to say and it may shock you. Are you ready? OK, here goes.

As it turns out, people working in security, IT, policy management, compliance, and so on, have a lot of work to do. They might have more work than they have hours in the day. Sadly, it’s not uncommon to hear about people having to stretch themselves personally to take care of a critical function for their job. Now imagine being a person responsible for security with a full plate of work and suddenly, some consultant or manager comes to you and tells you it’s time to find a new SIEM, or find a pen tester, or adopt some kind of vulnerability management policy.

You already had enough to do! Yeah, you care about security, but you also care about not being overwhelmed by too many responsibilities. It can be a lot easier to just bury your head in the sand about a new initiative and leave things alone. This is a key area where leadership in an organization must support the team responsible for security by giving them the resources and space they need to achieve the goals set out for them. People can only handle so much. If you give a team a goal they cannot achieve, it’s not the team that failed…it’s the person who set the goal.

 

These are just a few reasons, and if you have comments on them or have others you think are important, let me know! But why does this matter? Do we need to talk about how we approach security publicly? Yes, I think so, within reason. Managing security and risk is a tough job, and the bar is constantly shifting. Dialogue is one of the ways we get better. Many of the things I learned to improve security for myself and my clients over the years I discovered through conversations with peers, experts at conferences, academics, and others who have their own experience managing security. These open discussions have saved me money, made me more efficient, relieved me of anxiety about security, and most importantly I believe they have led to better outcomes. But if you can’t talk about what you are doing, how do you expect to learn? When you go see a personal trainer, you must tell them about your workout routine so they can help you do better. Shouldn’t that be how security works? Plus, if you are doing a good job, it can be an advantage to tell customers or other people who you want to work with. People like working with other people who take security seriously.

Before I wrap up, here are a few things you should do so you can have these important conversations about security:

  1. Start documenting everything you do for security. If you don’t have a format, create one. If you aren’t sure if it’s correct, fine. Just make it. This is very intimidating for some people, but the best thing you can do is just put something together. It will get better over time.
  2. If you are a leader, make sure your security goals align with your resources. If you are on the team and you find yourself lacking resources to accomplish the goal, say something and make it clear where the current resources are going. Security doesn’t have to be perfect, but we should be efficient with what we have and recognize what is a reasonable goal.
  3. Come up with a statement that you could make to any 3rd party about your security in about 5-10 minutes that outlines the broad points about what you do to manage security. This allows you to talk about important themes, but without going into the sensitive information you should be a little more private about. It should be a mix of some technology you utilize, assessments you perform, policies in place, practices you adhere to, standards you meet and assess against, and other big picture items. You don’t have to memorize what firmware version your firewall is on, but you should be able to say how often you update it.
  4. If you aren’t confident enough to talk about security, you probably need an independent, 3rd party assessment, not only to figure out where things stand, but also to come up with an approach for the future. It’s hard to do this stuff by yourself. If the government and the largest businesses in the world need outside help, you probably do too.
  5. Do your part to change the culture when it comes to security dialogue. Don’t shame people for trying. Encourage questions from people within your organization. Don’t be afraid to admit to someone who is trying to help that you have a challenge or just don’t know what to do.

 

What do you think? Reach out to me if you want to talk about any of this. I’d love to talk to you about your situation and ways ISE can help, even if it’s not something we can provide.