Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/15/2015
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Information Security Lessons From Literature

How classic themes about listening, honesty, and truthfulness can strengthen your organization's security posture, programs and operations.

As someone who enjoys observing the world around me, I try to learn from many different things.  Sometimes, my inspiration might be a bit non-traditional or out-of-the-box.  Along these lines, I’d like to share a few lessons I’ve taken from two literary sources:  Robert Fulghum’s 1989 book All I Really Need To Know I Learned In Kindergarten. 

Fulghum’s book, which is a collection of fifty short essays, revolves around the theme that, sometimes, life’s basic lessons can teach us profound lessons. There is a catch though – we must be ready, willing, and able to internalize them.  Listening – or more precisely,  the simple fact that one cannot talk and listen at the same time -- is a good example of this.

During the course of my job duties and its associated travels, I meet with and speak with many different organizations. One thing I’ve noticed over the years is that some organizations listen better than others. Why is this an important point? Let’s take a step back.

Given the pace at which the threat landscape is evolving and maturing, an organization’s security posture is something that needs to continually evolve and mature. That is an ambitious goal that requires understanding the weaknesses of the security organization; only when weaknesses are identified and understood can they be addressed. Listening to observations, advice, lessons learned, and feedback from others in our field is a great way to identify weak spots ripe for improvement.  Granted, there is a lot of noise out there in the security world, but with an acutely honed filter, a lot of valuable information can be obtained just by listening.

Unfortunately, I often see organizations struggle with this skill. They spend a lot of time telling people what they are doing right, rather than soliciting and accepting input on what needs to be improved.  As I mentioned, one cannot talk and listen at the same time.  And, of course, a security organization does need to ensure that others understand its value.  But, there is plenty of room for more listening to take an organization to the next level.

In addition to listening, honesty is another great way to improve an organization’s security posture. Being truthful, honest, straightforward, and, well, earnest helps strengthen an organization's security posture, its overall security program, and its security operations function.  Here’s how:

Ourselves: First and foremost, we need to be honest with ourselves.  Every security program has its strengths and weaknesses.  Acknowledging a weakness is not in itself a weakness.  Rather, it is the first step towards strengthening and improving that weak spot and should be regarded as a positive.  It may not be easy to take a look in the mirror and examine what we are not doing well, but it is extremely important.  After all, if we are not honest with ourselves, we cannot really be honest with everyone else.

Management: Intentions matter.  Management does not expect perfection, but it does expect honesty and integrity.  If we misrepresent our capabilities, it may keep pressure off our backs in the short term, but in the long term, by hiding a weakness or shortcoming we are aware of, we are introducing unnecessary risk into the security posture of our organization.  Have a weakness or shortcoming that you dread raising to the attention of management?  Try formulating a plan to correct it before raising it to management.  I think you'll be surprised that what management really cares about is that you have a plan to do something about it, and not about the issue itself.

Peers:  We all learn and grow from constructive interactions with our peers.  In order for everyone to benefit from these interactions, everyone needs to approach them in a positive light.  Not doing so causes individuals to miss out on the potential to improve.  Most people want to be helpful.  If you are honest and sincere with people about the challenges you face in accomplishing your goals, they will usually try to help you.  If you attempt to deceive them, you are really only cheating yourself.

Clients and Partners: Most clients and partners appreciate a fresh dose of honesty.  It shows that the organization is self-aware and has a list of priorities to attend to on the never-ending road of continuous improvement.  If one of my vendors or suppliers told me that everything was perfect and great, that would make me less comfortable, not more comfortable.  Think about it.

Other Organizations: Organizations can improve by interacting, sharing information, and learning from one another.  Similar to peer interactions between individuals, this requires  a forthright approach .  Sure, there will always be individuals and organizations that will be fooled by fast talking double speak, but not as many as you might think.  People tend to see through that stuff, but they are often too polite to point it out.

It sounds counter-intuitive, but admitting weakness is actually a strength that can  help us to grow and improve, both as individuals and as a security organization.  If you are a security leader, you owe it to yourself and to your organization to create a culture that rewards listening, honesty, and truthfulness. 

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
fscholl370
50%
50%
fscholl370,
User Rank: Apprentice
9/23/2015 | 12:38:08 PM
Security and Literature
Good post.  Another good book is the Confidence Man, by Herman Melville.  Good way to learn about the insider threat.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4662
PUBLISHED: 2020-08-14
IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233.
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...