Four ways security teams sabotage their own efforts


There are many reasons why enterprise security teams struggle to succeed in better managing the risks positioned against their data and business-technology systems. Sometimes these obstacles come from elsewhere within the organization, and sometimes they are self-created.

At times it’s a lack of serious executive leadership and understanding behind internal cybersecurity efforts. The security program is treated like a policy compliance exercise, not an attempt to stop intelligent adversaries from exploiting weaknesses in systems and people. Or there is a lack of sufficient budget or on-staff expertise. The challenges are numerous, and many times security teams have limited or no direct control over how to meet them.

As you can see, there are plenty of obstacles security professionals face that are not of their own making. However, there are also ways security professionals, and teams, sabotage their own efforts. Based on my interviews with many CISOs over the years, the four reasons listed below are among the most common:

Security teams don’t align themselves with the IT organization. Too often security teams don’t consider themselves part of the technology teams. This is accurate whether talking about traditional IT organizations or DevOps shops. The security team considers itself something external, instead of something integral. This creates an us vs. them atmosphere and positions security as a road blocker and adversary to forward progress, rather than a trusted partner or advisor in enterprise risk reduction.

Instead, focus on supporting the IT team as it evolves. If the organization is moving toward DevOps, for instance, work to make it as secure a DevOps organization as possible rather than fight the move every step of the way.

Security teams don’t align themselves with the business. This is the same challenge as above, but instead of it being about technology teams it’s about alignment with business leadership, business units, and overall business goals. Many security teams view themselves as simply security teams: They stop threats and help manage risk. But to most effectively manage risk, they need to understand and align themselves with the business and industry they are in. A healthcare organization will have a much different risk posture, and risk tolerance, and even face different threats than a manufacturer, or a trucking company, or a pharmaceutical company.

When it comes to managing IT risks there is no one-size-fits-all approach — so security staff need to understand not only how to secure the bits, but also how those bits fit into the broader context of their business and industry.

Security staff fights automation. Too many security professionals fear automation as if their jobs are going to vanish if they automate away mundane aspects of their work, such as asset discovery, configuration management, security assessments and other scriptable tasks. The reality is their security expertise is needed for other things such as running training programs, team building, helping to align security with development efforts, threat modeling, designing ways to keep security efforts aligned with compliance demands and so forth.

To provide maximum value, security staff needs to automate away mundane tasks and move on to higher-value work.

Security messaging relies too heavily on fear mongering. Fear sells security, or at least the security industry likes to rely on fear, uncertainty and doubt (FUD) to market and sell its services and equipment. You know the messaging: Every year vulnerabilities are more severe; malware is more virulent and dangerous than we’ve ever seen before; there’s an increasing number of attackers who are growing more sophisticated in their attacks; and regulators are going to drag corporate CEOs out in handcuffs, en masse, at any moment. Many of these can be true, year over year, and many times it’s more hype than reality. But it’s always true that such messaging is overused and typically falls on deaf ears throughout the organization. That’s why when security staff start talking fear-based messaging they risk coming across as a Chicken Little and turning off the ears they want tuned in.

Keep the risks real and in perspective and focus on secure enablement, and when it is time to pull out the spooky statistics, people will be more inclined to hear them.
