Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

11/5/2015
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Mature & Unconfident: The Best Information Security Teams Ever!

Security through maturity and humility is a workable philosophy with proven results for organizations that are willing to give it a try. Here's why.

Traveling regularly, like many things, has its advantages and disadvantages. Anyone who has been through an airport lately is more than familiar with the disadvantages, but what about the advantages? One of the main advantages traveling brings me is the opportunity to meet with clients to better understand the security posture, strategy, and operational effectiveness of their respective organizations. One hour with a customer brings me more insight than a thousand white papers, because the greatest insights come from practitioners. 

In other words, enough about the problems and challenges! What are people doing to solve those problems and address those challenges? The answer depends on the organizations themselves, which I like to classify -- by maturity and confidence -- into four quadrants.

Mature & Confident
As you might expect, organizations in this category have fairly mature security programs.  Management laid out a strategic vision that was subsequently implemented. The organization took a risk-based approach to security. Risks and threats to the organization were prioritized and mitigated accordingly. An incident response process was set and followed. Security operations runs continually.

At first glance, you might say that this program sounds like a panacea. I would urge you to reconsider that assertion. What is the risk with this type of program? Look closely at the tense in the above paragraph. Everything is past-tense. As we know, our adversaries are continually adapting to maximize their effectiveness. As defenders, we need to continually adapt as well. Risks and threats change over time, as do the ways in which we mitigate them. The risk in this type of organization is stagnation. And stagnation is not a great recipe for continued success in the security realm.

Mature & Unconfident
The organization that is mature and unconfident is the best kind, in my opinion. These types of organizations took all the same steps as the mature and confident organizations. What’s the difference? They are never satisfied. They always remain hungry. They are never confident that they are safe.

This philosophy pervades these organizations at many different levels. People are never afraid to raise their hand to indicate that a risk is unmitigated, a new technology is needed, a process needs refining, certain gaps exist, or any of the other issues that may arise. This lack of confidence is not a weakness, as it is often regarded, but rather, a strength. It is a reality check that keeps the organization humble. Why is this important? That humility allows the organization to continue to mature and to avoid stagnation.

Immature & Unconfident
Organizations that are immature and unconfident are my favorite type of organization to work with.  At first this may seem like a puzzling statement but hear me out: Lack of security maturity may indeed be a weakness. But if an organization is self-aware enough to honestly evaluate where they stand, it is something that can be overcome. 

Of course, the process of maturing a security program is a lengthy one with many details. The first step in that process is understanding that you need to work through it. Believe it or not, this self-awareness and organizational humility is something that is surprisingly uncommon. More often than not, organizations with immature security programs fall into the next category.

Immature & Confident
I’ve been known to describe some past co-workers as a “deadly combination of incompetence and over-confidence.” I’m sure you’ve all encountered this type of co-worker at some point in your work life.  He (or she) is the one who runs confidently, full-speed ahead in the wrong direction entirely, whose instinct is always to do the polar opposite of what is needed, and who cannot accept this possibility at all. I’m using this analogy to illustrate a somewhat sensitive and delicate point. Having an immature security program is something that can be remedied -- unless an organization is too overconfident to realize it. In my estimation, the number of organizations that fall into this last category is far greater than most of us would like to believe.

In a sense, this is the most tragic of all the categories; so much potential, yet a nearly impassable uphill climb. You might ask what leads me to lump so many organizations into this category. My answer to that question is fairly straightforward. I base it off of the questions that I receive from some organizations. Often, these questions indicate an underlying lack of understanding of the core challenges companies need to address -- and, as a result, any potential solutions to those challenges. More often than not, I receive these questions from organizations that tell me that they take a very strategic approach to security and have a very mature security program as a result.

Which type of organization are you?
I never ask this question of organizations I meet with, for obvious reasons. It is a question that each organization needs to ask itself and answer honestly. The resulting introspection and self-awareness may not be comfortable, but it is the best way for an organization to develop a robust and mature security posture based upon security operations and incident response. Maturity is the key to improving an organization’s security posture, but it is not something that can be arrived at through dishonesty.  Security through maturity and humility is a workable philosophy with proven results for those organizations that are willing to give it a try.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for information on the career trends program.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Healthcare Industry Sees Respite From Attacks in First Half of 2020
Robert Lemos, Contributing Writer,  8/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: It's a technique known as breaking out of the sandbox kids.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...
CVE-2020-24342
PUBLISHED: 2020-08-13
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.