
Security Narcissism

A couple of weeks ago, I was pleasantly surprised to find that Neil Gershenfeld would be giving the keynote at a large East Coast security conference I was attending. I’ve been a fan of the fabrication movement pioneered by people like Gershenfeld for a few years. I’ve been humbled to see how tools like 3D printers and laser cutters are starting to improve lives and empower communities. Consider the e-NABLE project, which fabricates prosthetic hands for children, or various up-cycling projects in the developing world to reduce pollution by reusing computer parts or plastic waste.

Gershenfeld spoke of fabrication disrupting production and consumption, reinventing the way we work and live. His ideas alternately perplexed and excited everyone in the room, and at the end of his talk he had more groupies lined up to meet him than William Shatner at a Sci-Fi convention. But what was someone like Gershenfeld doing in a room full of people whose careers were based upon finding faults in systems and software? I had reason to hope that I wasn’t the only security professional tired of the worn-out breaker mentality so prevalent in our field.

Maybe the tendency towards narcissism in the security community is finally starting to shift. Many industry veterans I know no longer feel the need to constantly display their prowess by exploiting vulnerabilities. They’re also burned out from repeatedly addressing the same problems with no apparent end in sight. Perhaps the industry is evolving because its participants are maturing. They have families who are dependent on stable and safe technology. But more likely the change has to do with organizations questioning the value delivered by information technology groups and, by extension, security teams. The stakes are higher as breaches get larger and more frequent. Those who are in the business of safeguarding digital assets are being held accountable when losses impact the bottom line.

At Gershenfeld’s keynote, someone asked what security professionals could do to support this evolution in the way we use technology. Shouldn’t this start with an attitude adjustment? The truth is that as much as we want it to, the security tail can’t wag the dog. Security controls only matter if they add value and don’t become an obstruction to the business.

Instead of fearing change to our reactive security processes and checkbox procedures, we should restructure them by focusing on operationalizing security. Most of the security problems that plague our organizations are still basic, solved by simple controls. These include configuration management, system build templates, access management based upon data and user classification, and embedding responsiveness to alerts into our systems. When we approach security as a feature instead of an end in itself, it becomes everyone’s concern and is more likely to be implemented. It is no longer some unique skill belonging to someone with a special certification.

Security professionals no longer need to be the center of attention in a room full of technologists. We are simply subject matter experts called upon for guidance to help improve a product or project. This may change the nature of our jobs as digital cops, but ultimately anything that furthers the business will benefit information technology and security groups. Once security teams finally abandon their self-centered need to be a gate, grinding business to a halt, we might actually see progress that will make our jobs truly rewarding. The aim isn’t to increase the security budget, but to collaborate with a team to improve our workplaces, our organizations and maybe the world.

12 Comments

There was definitely a culture shift at our place of business. Security has morphed from "No", "Stop" and "You Can't Do That!" to more of a "You can't do it that way, let's find a way to meet your needs whilst not destroying the company we both work for".


"Once security teams finally abandon their self-centered need to be a gate, grinding business to a halt, we might actually see progress that will make our jobs truly rewarding. The aim isn’t to increase the security budget, but to collaborate with a team to improve our workplaces, our organizations and maybe the world."

That statement speaks volumes...

Thank you for posting this.

I'd offer that Security as a corporate function addresses only part of the need.  Call me Pollyanna, but we'd spend a lot less time and money securing our systems if there were fewer  folks attacking or hacking. As we protect ourselves and our companies today, there should also be that "ounce of prevention" going into our budgets towards improving ethics and morals in our youngest members of society.

I won't go all touchy-feely and cross socio-political lines on you.  Just imagine how our dollars would go farther if we spent as much on preventing problem behavior as we do counteracting it. 

It starts in showing the benefits to the taxpayers.

It follows by changing curricula in colleges that train and create school administrators and teachers to produce a future generation that isn't interested in conquest and theft.

It expands by providing safe environments in which kids can grow up, accompanied by great education and good nutrition for all.

And it finishes by producing intelligent workers who are trustworthy and efficient.

Not just in your city or your state, but in all nations.

All of a sudden you'll look around and see you've created an environment in which greed and violence have a smaller and smaller place.

It won't happen in a single generation.  Maybe not in a hundred, but a long journey begins with a single step.

Just imagine how much work and money we're putting into locking down our systems against everyone from script kiddies to disgruntled workers to industrial espionage to military attacks.

No, I'm not saying cut it all and pray everyone will play nicely together.  Just spend that ounce of prevention and save the money that would have been spent on the pound of cure.


That's the second positive feedback you've left for your company. Are you looking for a raise? 


One thing I've seen in the past that caused problems was when the security team was deeply segregated from the rest of the IT team. One organization that I worked in had a security team who would try and deny the existence of their LEM appliance. We would fairly routinely have issues that the sysadmins were chasing down only to find out weeks later that the security team knew about the source of the problem from the very beginning due to the event log noise it was triggering and hadn't felt it was necessary to relay the info to anyone else since it wasn't a problem they were going to be directly involved in fixing. If security isn't integrated alongside the rest of the IT staff they are going to be missing a lot of opportunities to casually encourage better operational behaviors and can have a harder time getting buy-in from power users on improving procedures. You don't want to foster an us/them rivalry.

Security is no longer in the hands of a few but on the shoulders of all. Whether it is Operation Security (OPSEC), Information Security (INFOSEC), and Communication Security (COMSEC), we all live by the organization's security policies. Whether it is limiting personal devices at the office, leaving Privacy Act materials on our desk, or discussing corporate happenings on the phone, at the end of the day we all need to think and respect security.

When it comes to us IT folks/Geeks/Gods/Goddesses, we need to standardize, consolidate, template-tize, and document our environment. I have been through many a workplace where the diagrams, documents, and policies are years (3+) old and no one is 100% without a doubt sure about what is in a specified branch office. I find walking around with a cup of coffee in the morning sometimes yields more information than searching/troubleshooting for an hour. Security is not just behind my desk......


I've noticed over the years that no one seems to like the security professionals. They come across as being more important than anyone else. I've always tried to be friendly to them even though they can be major roadblocks.

I must say though, that in recent times they've become more approachable and much more helpful.

I don't actually believe that Information Security has to be in IT. This often causes *more* political problems. In multiple organizations I've been in, there was decentralized IT, because no one wanted to work with the original group. If Information Security is embedded in one of those IT groups, they often have very little authority. Throw in some compliance and you've got a train wreck. But wherever the information security group is located, collaboration should be the central theme.


I can agree with that, I felt the issue was the level to which they cloistered themselves away and refused to acknowledge the fact that we were all on the same team, not just IT but within the organization as a whole.  It would be comparable to the accounting department not notifying us that a purchase order to one of our vendors hadn't gone through until after things go sideways because the new equipment did not show up at the scheduled time.


I never have been one for using the "No, you can't do that" mentality.  All that does is shut down people, lines of communication, and processes.  I would say "To comply with policies and standards this is not the best way to do it, let's come up with a better solution together where it is a "win/win" for all parties involved". This way it not only shows that everybody has an ownership in security, but it gives the other parties the ability to understand that the Information Security team is not a roadblock but an office that understands both the needs of business and management.

CourtesyIT, your comment:

"I find walking around with a cup of coffee in the morning something yields more information than searching/troubleshooting for an hour.  Security is not just behind my desk....."

to be on point.  When I walk around and stop at people's desks I personalize myself rather than everybody viewing Information Security as a monolithic and archaic beast they have to slay.

We all know it starts from the top down.  If C-Suite sees Security as a thorn in their side, then it will trickle down to the entire organization. However, if they publicize (and show) that security is a very important (and not a "necessary evil") part to the overall business then hopefully staff will embrace it as well.

At the end of the day, Information Security needs to speak to everybody about the elephant in the room which nobody really understands when building a system or enforcing an Information Security program. That elephant is "Risk"--what is the organization's threshold when it comes to "Risk versus Reward". Risk Management is the keys to the kingdom, at the end of the day everybody will be able to make informed decisions if they understand the risk.

"Ketch22"

"You can ensure systems security implementation with "can" and still accomplish the "can't."


We have "security" people on each of our teams.  I am on the network team and security is a collateral duty for me.  The Windows (Core) team and the Unix\Linux (C2) team each have people who are concerned with security for their respective teams.  Often we collaborate and provide each other with ideas and fixes.  Sometimes we just sit and nerd out.  Having the "security" people on each team allows for ownership of the systems and a better understanding of how to make things secure and operational.

Being in the DoD.  Operational trumps everything.


I think what you need is a 'Security' person with the understanding of how to learn and evolve when it comes to Client vs Security need.

About the Author
Mrs. Y is a recovering Unix engineer currently working as a security architect. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. She sincerely believes that every problem can be solved with a "for" loop.