Three weeks ago, I stepped on a rock in the parking lot and sprained my ankle. As I examined the aftermath of my tumble, I decided it must be my shoe’s fault, so I went online for a new pair of shoes. Without any plausible explanation about WHY I neither saw the rock nor avoided the rock, the only thing my brain could land on was a need for another pair of shoes to avoid slipping and twisting on a rock the next time it happened.

Last week, on the road to recovery, I went to put my new shoes on. Buried deep inside one of my fancy new Asics was a fistful of rocks and the broken prong of a fork. I jammed my recovering foot in, the prong got me, embedded in my toe through my sock. My daughter had decided that my new shoes needed some extra “fairy magic” to make sure I wouldn’t hurt my ankle again. Gotta throw everything at a problem, right?

Neither the new shoes nor the magic fairy treasure could stop an injury. The best I could hope for was having all the supplies and skills to bring on a speedy recovery and maybe learn a couple of lessons.

Why tell you this?

It is literally the only way I can think of to explain the issue facing security professionals today. Imagine that your CISO is literally racing through the parking lot on her way to solving a completely unrelated problem. Rock > slip > sprain > recover…only to jam her foot into a shoe and be injured by another completely unrelated incident. The goal is to have the right tools BEFORE you get to the parking lot, and even more tools and the right talent to recover AFTER you fall…because you ARE going to fall.

It isn’t unreasonable to say security teams are playing the most exhausting game of multi-dimensional whack-a-mole, where at least four stacked game boards are popping digital moles at the same time and you only get one mallet. From the attacks themselves, to the strategies of protection, to the constant demand to justify spend, the pace is exhausting, and the cracks created by the strain of responsibility are starting to show.

Let’s just look at SOME of the issues and numbers:

  • Cybersecurity budgets have grown, on average, from $6 million to $31 million annually. (Ponemon Institute) So yeah…spending is WAY up.
  • Attacks are accelerating and growing in double digits. 90% of executives surveyed by security vendor Tanium said they experienced an increase in attacks due to the pandemic. 93% said they had to delay key security projects to prioritize work-from-home security measures.
  • The SOC (security operations center) is a key point of investment, as more than 70% of executives say it is essential. (Ponemon Institute)
  • The teams running the SOC are exhausted. 67% of SOC team members say information overload is a massive problem. 78% of team members say working in the SOC is “very painful,” and 75% say the increased workload is the #1 reason for burnout. This pressure has led 60% of team members to actively consider changing careers…that’s right…LEAVING security altogether!
  • Then there is the turf war between IT and security. 70% of SOC team members told the Ponemon Institute that they lack visibility into IT infrastructure. 64% admit that the silos between IT and the SOC are adding to the pain of addressing key security issues.

The sobering reality is that for every positive move we make, the adversaries are moving faster and with more intention. And today, every move requires security professionals to carry more baggage along with them. The recent revelation of the massive and exceedingly dangerous SolarWinds hack is a testament to that.

To the non-security and even non-IT leader, this attack has been boiled down to “Who didn’t pay enough attention?” This was an intrusion that happened 8 months ago and went unnoticed by some 18,000 organizations that installed a trojanized Orion update. “Who didn’t see it? Who was on watch when it happened? Who should get sued?” are all comments and questions I’ve seen on message boards, on social media and in conversations.

The truth is we ALL missed it because it was purpose-built to be missed. It was architected and deployed by a well-oiled, well-funded, sophisticated machine that lay in wait, carefully executing a supply-chain attack with precision and intention…and then they just watched. Nation-state attacks of this magnitude are planned…they are cultivated. This isn’t some faceless dude wearing a hoodie in his mom’s basement.

If we want to figure out who to blame…I’d suggest we ALL start by picking up a mirror. Yes, that face you see could share the blame for how we got here. Bad actors count on all of “us” to brush off any accountability as part of their fog of war. We don’t consider the impact of clicking on that link in that email about a PayPal account…we just “call IT” and they can “handle it.” We don’t tell anyone; we just change our passwords and call it a day. We don’t even know we fell for a phishing scam. We are to blame for not understanding that our own fallibility is a key ingredient in the hacks and attacks out there.

Adversaries aren’t getting slower, less intelligent, or less sophisticated. Now that SolarWinds is part of our pop-culture lexicon of the moment, we have an opportunity to STOP being part of the problem and START being part of the solution.

  • First and foremost, stop looking around for someone to BLAME. Blame culture in security gets us nowhere FAST. Hold people accountable…but blame tends to be a destination and rarely gets us to solutions.
     
  • Second, ask better questions. The reality is that the complexity of digital transformation is being dumped onto security teams like a nasty sweating onion that is just stinking up the joint. We must be allies to security…something I have encouraged CMOs to do more publicly and more purposefully. For me it boils down to two questions every C-Suite leader should be asking their CISO colleague right now:
    • Ask what you do to inadvertently create vulnerabilities and enrage the security team.
    • Ask what you can do to help.
  • Third, pick a side and grab a shovel. The sides are simple: left of bang and right of bang. Left of bang is the team working their butts off to prevent incidents from happening. Right of bang is the team working their butts off to address, mitigate and remediate once something DOES happen. We need both sides…and we need more people holding shovels on both sides to be part of a holistic solution. Regardless of function, we are all part of the value chain here. We need to understand what our role is based on which side of bang we find ourselves on. Take part in an attack simulation to best understand what happens AND what could be and will be asked of you. Design-think the whole thing and see what it would be like in other shoes. To even begin to understand the speed, scale and scope an attack can have, you need to sit in the belly of that beast. Think of it as the most twisted corporate executive retreat, to someplace like IBM's X-Force cyber range.

I know that for my security peers and IT allies, this advice might seem ridiculous. But here is the hard, harsh truth…our security posture is weakening while we play corporate “don’t touch my button.” Security needs allies. Our businesses are at risk. Full stop. With every engagement, sale and transaction, we are making a promise to our customers, rooted in trust…breaking that promise puts our business at risk. And believe me…a security incident is the fastest way to break a promise and lose trust forever.

Security needs allies. Pick a team. Play hard. Play to win.