Interesting conversation about the security field

I was in an interesting discussion with some high execs (6 of them) and the topic of certification and accreditation/general INFOSEC came up. What worries me is that IT security decisions are being made by these businesses from more of a forced-compliance perspective than from a perspective of actual concern. I was talking with them about the C&A process and reasons why security needs to be more funded and manned, but their argument was: why?
Literally, they were asking me who cares if a system goes unaccredited? If a system or network will not be turned off and will be given waivers to operate, then who cares? I explained the vulnerabilities and the impact of preventing businesses from actually operating. Their agreed-upon response was that these were risks that they were willing to take in business. It seems that more and more businesses are willing to take these HUGE risks day in and day out knowing full well the potential damage that awaits them.
This made me start thinking about the entire security field. I could imagine countless INFOSEC professionals out there working their rears off day in and day out to secure these networks and systems with no actual support. Business managers and CEOs telling these guys that they are important and that they are a core function of business when in fact they couldn't care less. The fewer security-associated "things" they have to deal with, the better. These guys literally don't care about any of it. I kinda understand where they are coming from; they are not in the business of security nor do they ever plan on being. But it makes me wonder where the future of IT security is going. I know that we all understand the importance of IT security, but I have a feeling that this feeling is not shared with the business community. Maybe publicly businesses say that they are genuinely concerned and that they take security seriously, but deep down inside they don't care at all if it does not make money. At the end of the day you can make a million regulations, restrictions, policies, procedures, etc. For what? To give people the impression that you actually care about them and their info, when in reality you don't give a crap until you actually have to, or are forced? What are your takes on the IT/INFOSEC future?
Comments
Also, I definitely have seen this mentality in my time in IT. Many on the business side of things view security as an annoyance and a hindrance to business desires, until, like you mentioned, an incident actually occurs that either costs money or damages the organization's reputation. To be honest I don't know if that will ever change completely or if it will continue to be viewed as a "necessary evil". I think that this can be tied to the fact that the ROI from security isn't really tangible until an incident is prevented, and even then the fact that an incident was prevented might not ever even be known since it didn't become an issue to begin with.
And all of this:
We Are Privacy and Security Hypocrites
I'm starting at a job next week in security and they are building a new department where they didn't have the funding before. Then, the Home Depot hack went public and suddenly they were motivated.
Good, put it to these businesses that don't take our jobs seriously. I see so many security guys get burnt out because they work their butts off to try and secure an already insecure environment and then they are the first to get blamed when an "incident" happens. They get asked, "well, why didn't you secure that?" And as most security professionals can attest, the answer is "We are understaffed, overworked, and we did tell you, but you ignored it, and what we said could happen did."
In my previous job it was much, but MUCH more important for us to work on frontline stuff (putting out fires) than securing the systems and making a better infrastructure.
It was very hard to explain to the higher-ups that we needed some time off or to have one of the admins focus on a project rather than put out fires or be 100% available for the frontline. "Because if something happens, we lose money".
In my current job we have customers that shut their DC because it saves them $$$....
Everything is taken from the security perspective.
Sadly, until companies' data/money are breached, they don't care. I think security is the new network/systems. By that I mean, try to explain to someone 10 years ago why they need to invest in a 5 meg connection instead of a T1. Or why we need a new DNS server and need to stop using stuff out there.
People are just still very uneducated about security and its importance.
As JoJo said... this will change over time as more and more companies are hacked/breached.
Most people don't think that a break-in will happen to them so they don't invest in alarm systems, cameras, firearms and training. When it happens to them or to someone they know, then suddenly it's a concern. It's the same with businesses. If you answered no to most of my questions above, then I'm sorry but you're a hypocrite.
What's the worst thing that can happen if a business disregards INFOSEC? The business shuts down.
What's the worst thing that can happen if a homeowner disregards home security? The entire family is killed during a break-in.
As an example, in my industry geolocation is a huge deal. Companies are spending a lot to implement it and it's nice to show that it's actually doing something. The company a lot of people turn to has a Google Map with pin drops. Someone connects and a pin drops on the map as it happens. You see people who are allowed, people who are blocked (and the reason they are blocked), who they are connecting with, and what device they are on. The Director went nuts over this. We give tours, and what is the number one thing everyone loves hearing about/looking at? This simple map where pins are dropping. From that we can pull reports showing all those stats and prove the importance of using geolocation. We have vastly more important systems that show other things, but the map is what everyone talks about. Business people understand reports and metrics. With another system we caught what appeared to be a hack. From the detection we were able to pull logs, create charts, and map where it came from and what they did.
You need to be a cheerleader for your department. A lot of people don't understand IT and think it's just magic. As one customer put it to me a long time ago, "computers are like light switches, they are on or they are off." I was taken aback by how untrue this actually was. But that is what people understand about IT. A well-developed SIEM can prove everything you are doing provides value to the company. As wes points out, show specifics for your industry and you will be gold.
This fails to take into account the probability of something happening.
My experience has been that IT in general is an expense that most companies would like to live without. Businesses are formed to make profit, and good security costs money that eats into profit. Now, executives often get compensated for short-term results. This is not something an expensive security plan is going to produce. So they have incentives to gamble on poor security.
The vast majority of companies see IT as just another operating expense.
Most business leaders aren't technically versed and risk management isn't something they're trained for. There's always risk in general when running a corporation, but the wonderful blur of technology advancements doesn't feel like Swiss cheese on the surface, since they don't think in terms of how software code is envisioned, created, tested, implemented, and ultimately abused.
The whole golden parachute notion lends itself to short-term gambles as already mentioned here. Once the higher-ups are held accountable directly, then infosec will start to feel more real. It's not just security, but IT in general. Software licenses, hardware, maintenance, support contracts, etc. are expensive and IT departments are almost always cost-centers, not profit centers. Then you have to train your staff, keep them so on an ongoing basis, and this starts really eating up budget.
Today's market moves a lot faster than before and even if you have your IT security ducks lined up properly, doing it right might put you towards the back of the line in market competitiveness. There's little incentive to think about security when the shareholders are yelling about quarterly numbers all the time and it's the only metric in your dashboard.
I'm in the trenches everyday and I fight the fight. It is exhausting, never-ending, and constantly in motion. While I have the benefit of working in the security industry and the execs where I work at are mindful of security, as an employee I also recognize that the business has to move forward. It's a cut-throat world out there and it's not going to get easier anytime soon with complexity adding on more layers of complexity. Being in infosec is very much a balance, and often that balancing point is one where there's a lot of inward compression.
It takes a certain personality type to really cope in this world.
I agree with you that businesses are in business to make money and most execs view IT as an expense that they’d rather not have to deal with. This is why the “cloud” is so enticing for a lot of companies especially for small-med size businesses.
In my opinion it's going to get worse before it gets better. Corporations now have "scapegoat" measures. They can purchase cyber security insurance to protect against a cyber attack. Or they can fire the CISO and other information security personnel within their corporation, and then launch a mock "BS" campaign about how "now" they are serious about information security and protecting customer data. In many cases, if it's a regulation/compliance-related discussion, many business executives would rather pay the fine than spend the money on personnel and technology to become compliant. I have seen this first hand.
So unless you are working within the government sector, information security is a hard uphill battle with carefully placed barbed wire and land mines. My suggestion: save copies of those email transmissions where you have warned them. That way when the security incident occurs, and it will, they cannot fire you unjustly.
Second, the media does a pretty good job of creating this "security shaming list." People immediately react and the company suffers, but people forget just as fast and fall back into their old tendencies. This is why I feel that people (for the most part) don't care about their security enough to make a permanent change in their behavior.
I don't think this is a relevant argument. Now, if I stored all of my neighbors' cash, jewelry, and other valuables in my house for a fee and didn't have a security system, then yes, I'm a hypocrite....
There is nothing wrong with a business that won't invest dollars to protect its own intellectual property or financial information. There is a problem when they tell their customers that they are protecting their customers information and doing the opposite. At a previous position I held, the company determined that the least expensive way to protect their customers was to simply not store their credit card information. By not storing the information, it made compliance a lot easier!
One would think, but it is in their best interest to make money...At whatever cost in my opinion.
Just came across this article which I thought was interesting:
http://blog.securestate.com/high-turnover-equals-increased-risk/
Any business that has no major events in a year gets a tax break paid for by taxpayers?
Would you be willing to pay?
Stryder, docrice hit the nail perfectly. Security metrics aren't quantitative enough to show the value, unless you are happy trying to prove a negative, which doesn't fly in business logic.
I still think it is important for people in IT Sec to continue trying to advance the conversation about why it is important to the bottom line to protect data. Of course, I see it as an "in one ear, out the other" endeavor but you never know...one day, one business leader will listen. Then he'll get fired!