I am not planning on waxing philosophical in this post, but I do want to discuss the ideology, or mindset, of a successful cybersecurity professional. In my Vulnerability Management post I went over how to structure your vulnerability management program. Here I plan to take a slightly wider angle at an even higher level.
Cybersecurity should be about business enablement. It is our job to understand the needs of the business and work with them to achieve those goals in the most secure way possible. If you are telling the business “No” or trying to prevent them from doing things you deem insecure, you are doing it all wrong. Not only are you working against the interest of your employer, but you are working against your own interest. When you try to prevent people from being insecure, you are seen as a block that needs to be worked around. Typically the workaround they choose is even worse than the action you are trying to stop. Once you are seen as a blocker, folks will start to focus on avoiding and working around you, which typically makes things even worse. It also demonstrates that you don’t understand the business, which can’t be good for your job.
What you should be doing is working with them to come up with a more secure alternative. Don’t mandate anything; it should be a dialog where you are troubleshooting together. This dialog should result in an agreement on the best path forward. It may not be the most secure option, but rather a secure enough solution that allows the business to move forward and deliver its objective, with security that meets their risk appetite and fits their threat model. The key here is that there is no universal, one-size-fits-all solution. You have to understand the business model, what they are trying to accomplish, and what their threat model and risk appetite are, and come up with solutions that match.
Just because Tenable, Qualys, MITRE, NIST NVD, etc., tell you something is important or critical doesn’t mean that it is for you. Just because all the blogs are talking about X being bad doesn’t mean it is bad for you.
This is why it is critical that you know your business, understand what their exposure is, understand their setup, their business priorities and so on, and then make your own assessment based on that. It could very well be that something deemed medium priority by the industry is critical for you, and vice versa.
If you are operating on Fear, Uncertainty and Doubt (FUD), you really need to re-evaluate your methods. The “sky is falling” scare tactic and similar FUD tactics may work in the short term but will quickly lead to mistrust. If you don’t understand the issue and the business well enough to help folks understand why this is an issue for them, it is better to do some research and learn how to explain things better than to resort to FUD. I find the industry is awash with FUD these days, making it even more critical to separate fact from fiction and be ready to explain to your leaders what is and isn’t an issue and why.
The goal here is to build trust: to work with the business and get the business to work with you. Draconian rules and regulations do not work. While policies and procedures are extremely important to establishing a proper security posture, probably the most important thing actually, they need to make sense for the business and not get in the way of the business delivering on its mission. If they get in the way of the business or are a major hindrance, then folks will not follow them. Policies and procedures that folks ignore or work around are worse than nothing, as I covered earlier.
I want to close this post by reminding you that there is no easy button in cybersecurity. Solutions are plentiful and not difficult, just hard work that few are ready to take on. It is a lot of hard work that for the most part is neither sexy nor glamorous, and it takes a lot of business know-how in addition to technical know-how. If you know your business and your environment and have your hygiene taken care of, it is a lot easier. Also remember that no two threat models are the same; this is why you can’t just blindly follow some outsider’s recommendation made without understanding your threat model.