Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

11/5/2015
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Mature & Unconfident: The Best Information Security Teams Ever!

Security through maturity and humility is a workable philosophy with proven results for organizations that are willing to give it a try. Here's why.

Traveling regularly, like many things, has its advantages and disadvantages. Anyone who has been through an airport lately is more than familiar with the disadvantages, but what about the advantages? One of the main advantages traveling brings me is the opportunity to meet with clients to better understand the security posture, strategy, and operational effectiveness of their respective organizations. One hour with a customer brings me more insight than a thousand white papers, because the greatest insights come from practitioners. 

In other words, enough about the problems and challenges! What are people doing to solve those problems and address those challenges? The answer depends on the organizations themselves, which I like to classify -- by maturity and confidence -- into four quadrants.

Mature & Confident
As you might expect, organizations in this category have fairly mature security programs.  Management laid out a strategic vision that was subsequently implemented. The organization took a risk-based approach to security. Risks and threats to the organization were prioritized and mitigated accordingly. An incident response process was set and followed. Security operations runs continually.

At first glance, you might say that this program sounds like a panacea. I would urge you to reconsider that assertion. What is the risk with this type of program? Look closely at the tense in the above paragraph. Everything is past-tense. As we know, our adversaries are continually adapting to maximize their effectiveness. As defenders, we need to continually adapt as well. Risks and threats change over time, as do the ways in which we mitigate them. The risk in this type of organization is stagnation. And stagnation is not a great recipe for continued success in the security realm.

Mature & Unconfident
The organization that is mature and unconfident is the best kind, in my opinion. These types of organizations took all the same steps as the mature and confident organizations. What’s the difference? They are never satisfied. They always remain hungry. They are never confident that they are safe.

This philosophy pervades these organizations at many different levels. People are never afraid to raise their hand to indicate that a risk is unmitigated, a new technology is needed, a process needs refining, certain gaps exist, or any of the other issues that may arise. This lack of confidence is not a weakness, as it is often regarded, but rather, a strength. It is a reality check that keeps the organization humble. Why is this important? That humility allows the organization to continue to mature and to avoid stagnation.

Immature & Unconfident
Organizations that are immature and unconfident are my favorite type of organization to work with.  At first this may seem like a puzzling statement but hear me out: Lack of security maturity may indeed be a weakness. But if an organization is self-aware enough to honestly evaluate where they stand, it is something that can be overcome. 

Of course, the process of maturing a security program is a lengthy one with many details. The first step in that process is understanding that you need to work through it. Believe it or not, this self-awareness and organizational humility is something that is surprisingly uncommon. More often than not, organizations with immature security programs fall into the next category.

Immature & Confident
I’ve been known to describe some past co-workers as a “deadly combination of incompetence and over-confidence.” I’m sure you’ve all encountered this type of co-worker at some point in your work life.  He (or she) is the one who runs confidently, full-speed ahead in the wrong direction entirely, whose instinct is always to do the polar opposite of what is needed, and who cannot accept this possibility at all. I’m using this analogy to illustrate a somewhat sensitive and delicate point. Having an immature security program is something that can be remedied -- unless an organization is too overconfident to realize it. In my estimation, the number of organizations that fall into this last category is far greater than most of us would like to believe.

In a sense, this is the most tragic of all the categories; so much potential, yet a nearly impassable uphill climb. You might ask what leads me to lump so many organizations into this category. My answer to that question is fairly straightforward. I base it off of the questions that I receive from some organizations. Often, these questions indicate an underlying lack of understanding of the core challenges companies need to address -- and, as a result, any potential solutions to those challenges. More often than not, I receive these questions from organizations that tell me that they take a very strategic approach to security and have a very mature security program as a result.

Which type of organization are you?
I never ask this question of organizations I meet with, for obvious reasons. It is a question that each organization needs to ask itself and answer honestly. The resulting introspection and self-awareness may not be comfortable, but it is the best way for an organization to develop a robust and mature security posture based upon security operations and incident response. Maturity is the key to improving an organization’s security posture, but it is not something that can be arrived at through dishonesty.  Security through maturity and humility is a workable philosophy with proven results for those organizations that are willing to give it a try.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for information on the career trends program.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.