Breach Vultures

To All the Breach Vultures: Better Get Your OWN House In Order!

[WARNING: Contains bad language.]

The 3 things I hate most about my chosen field of cybersecurity are, in no particular order:

  1. The proliferation of ‘silver bullet’ / end-point protection technologies – when security is primarily concerned with people and process;
  2. Security organisations using either F.U.D. or regulatory compliance to make money without providing real benefit – with GDPR for example; and
  3. Security ‘professionals’ who bad-mouth other security professionals at the lowest point in their careers – against Susan Mauldin for example.

In 4.5 years and close to 300 blogs I have never used the following words. But for those guilty of number 3:

Fuck you!

Seriously, how dare you!? Especially those who actually had the nerve to say Susan wasn’t qualified because she had a music degree and no other security related qualifications on her LinkedIn profile. Like certifications or even a degree are accurate representations of either a person’s skill-set, or their competence. I have no security relevant degrees, and my certifications were collected by reading a book and passing a pathetic multiple-choice test, but I will happily match my ABILITIES against anyone who does what I do.

More to the point, unless you actually work(ed) for the company that was just breached, you have no idea of what caused the breach in the first place. Yes, you can point to unpatched devices, and a host of other vulnerabilities POST-forensics, but you have NO idea of the business pressures the IS/IT teams were under. And if you think that should not matter, you’re not a true security professional.

I am in no way defending organisations that egregiously ignore security good practices just to increase profit. Nor am I defending the truly incompetent. But unless you have irrefutable evidence that either was the case, keep your opinions and reproaches to yourself. There is no such thing as 100% security, and there is no such thing as unlimited resources. The best you can ever hope for is that you have enough.

In security, a bad guy only has to be right once, security professionals have to be right ALL the time. Eventually we ALL make mistakes. Most of us are lucky, and our mistakes lead to nothing more than a minor event, but for some, the mistakes are career ending. Too often this is not because the people involved actually WERE incompetent, but because of the pressure to resign from the jerks who somehow think they are better. That the breach would not have happened under their watch.

Have you noticed, though, that the people who are most critical and vitriolic tend to be mid-level nobodies who will likely never make it to the CISO level?

Do these people actually think that by taking cheap shots at the less fortunate, decent people won’t hate them for it? That Equifax and the other breach victims will suddenly reach out to them for help? That someone who has nothing better to do than kick someone while they’re down is just the kind of person they want on their team?

Let me ask you this: When was the last time you saw someone getting berated by his/her team for missing a penalty / field goal / you name it? You probably can’t remember, and why? BECAUSE THEY ARE ON THE SAME FUCKING TEAM!!

There are only 2 sides to cybersecurity; the good guys and the bad guys. Choose which side you’re on and stop being part of the problem.


From Corporate, to Start-Up, and Back Again

In 2013 I was made redundant from a company where I had worked for the previous 12.5 years. I had grown with the company from the 14th person to join (as a firewall admin) to a position leading 28 people across 14 time zones in a company of over 1,000.

I subsequently discovered that I was basically unhirable, so I started my own consulting practice, which I thoroughly enjoyed. I then joined a very small start-up for a year, which I thoroughly enjoyed, and went back to my own practice.

I swore up and down that I would never go corporate, ever again. I convinced myself that there was never enough freedom, or room for innovation, or ability to make a difference in a large organisation to EVER go back. Not that ‘corporate’ would ever have me back.

Now here I am, at the end of my 3rd week at an organisation that is bigger by far than any I have ever worked for previously.

…and I’m thoroughly enjoying it.

Many times in the course of my blogs I have expounded on the need for self-reflection, on being honest with yourself enough to know when something was entirely your fault, and to adjust your career choices accordingly. Well clearly I had mistaken ‘corporate’ for my own inability to effectively create the change needed to stop me from being made “redundant”.

While I’m not saying I now have that ability, as I will always have a big mouth, when you’re in an organisation where ALL seem to want the change you’ve craved your whole career, it’s a feeling unlike any I’ve ever experienced at work. I’ve never needed, or even particularly wanted, to be part of a team growing up; now I find myself in one.

…and I like it.

Frankly I’m not even sure why I’m writing this blog, except perhaps as a tip for those who find themselves in a position where they cannot decide on what’s the right place for them to work. Corporate, start-up, self-employed, or somewhere in between. Every one of my jobs had its benefits, and had its downsides, and I’m under no illusion that this one will be the same. The only difference this time, is that I have now seen both sides of the fence.

It’s not the fence that matters, your skills and talents have no fences.

The only reason I think that corporate fails to attract the truly entrepreneurial is that they are still very attached to job titles and descriptions, effectively pigeon-holing a person into a role that will always limit them. It’s the organisations that go looking for talents to fill known functional gaps, but then get out of the person’s way, that will attract the game changers.

Not saying I’m a game changer, but my title was only assigned to complete a field in the HR system, and my job description was a run-down of the challenges my new organisation was facing. And in just 3 weeks I have not only learned more than I did in the last 6 months, I have a learning curve ahead of me for which I can see no end.

I loved running my own business, and have no regrets about the start-up, but this little adventure is a revelation that has me very excited for the future. And the lesson I learned from all this?

Don’t limit where you look for your next job, just ask the right questions.

How Smart Watches Will Offend My Generation

I could not help but laugh while having drinks with a friend of mine yesterday. He kept looking at his watch, and before I understood why I was starting to get annoyed he said that he had an incoming call.

To people of my generation and above (not many of those left) looking at your watch frequently is a sign of impatience, and that you have somewhere you need, or would rather, be. For those sensitive to these non-verbal cues, it signals the end of a conversation, date, meeting, and so on, often resulting in stilted conversation and perhaps even resentment.

Ironically, if he had been looking at his phone that frequently, I would not have thought twice as I do the exact same thing myself. We are both busy, he the CEO / Founder of a successful security company, me an insecure addict of social media affirmation (please like this).

I have tried to figure out why I found this so amusing, but have not reached a conclusion yet. Seeing as this would be a very short blog otherwise, here are some thoughts:

  1. My laughter contained at least a hint of nostalgia; it’s clear that I was remembering a simpler time. And by ‘simple’ I mean utterly disconnected from anything not immediately in front of me. A time without mobile phones. A time when the ‘Like’ button was a smile on your friend’s face.
  2. My laughter also contained chagrin. I thought I was as up to speed with technology and innovation as anyone, but clearly my values and reactions to everything around me were formed in a time very different from this one. I now know that part of me will always stay there.
  3. Jealousy that I didn’t have one, because I have not seen one I like, and I have the wrists of a 7 year old girl.
  4. Frustration that ALL of this can’t be replaced by a contact-lens-driven heads-up display.
  5. Several large Woodford Reserve bourbon and ginger ales.

I don’t think anyone can deny the enormous impact mobile devices (especially smart phones) have had on both work and personal interactions. And most of us agree that a change this profound, in so remarkably short a period of time, indicates that we are actually only at the beginning of bigger changes to come (Internet of Things for example). Where people differ is their reaction to it; from abject fear and utter rejection, to excitement and complete embracement. Most of us are somewhere in-between.

What I do know is that to reject this change is to be left behind, and to stick with traditional concepts of privacy will exclude you from the conveniences to come. I’m not judging this in a negative way, I’m sure you are perfectly happy to BE ‘left behind’, and to do things the ‘old way’ but I’m also saying that I will not be one of those, I’m too bloody lazy not to have as many things done for me automatically as possible.

I am also happy to accept the consequences, and I will likely be laughing all over again when it all goes horribly wrong! 🙂

How to Lose All Credibility in Cybersecurity

There are some things in life that you assume everyone must know by now; give a firm handshake, never accept credit for someone else’s efforts, never be rude to waiters and so on. Yet so many vendors in the information security industry fall foul of an offence far worse than these.

They use phrases like:

  • 100% secure
  • Unbreakable
  • Completely safe
  • Fraud-proof
  • Hack-proof
  • and so on…

The fact remains that NOTHING in information technology is 100% secure. Nothing. If someone wants it badly enough, and they have the necessary skill-set/support, they are going to get it, and anyone who espouses differently should find another line of work before they cause any[more] damage.

And it’s all so unnecessary. You don’t need 100% security even if it were possible; what you need is security ENOUGH. The bad guys are lazy, and if you’re too difficult to breach they will move on, so just ‘build your fence higher than your neighbour’s’. From what I’ve seen in the 15 years I’ve been consulting across the globe, this should not be too difficult.

The calculation you have to make is this:

If the Cost of Security > Value of Data: do what you can afford and no more. If the Cost of Security < Value of Data: do it, but do only what makes sense.

So what process magically gives you the answers to this equation? Easy, the Risk Assessment. One of the most basic tenets of a security program done well, and one of the most under-utilised business tools in every organisation I’ve helped. A risk assessment process performed appropriately will tell you what you’re not doing well, how to fix it, AND how much to spend on doing so.
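As an added illustration of the cost-versus-value rule above, and of what a risk assessment actually hands back (what to fix and how much to spend), here is a small worked example. It is not the author’s code or method; it uses the standard annualised loss expectancy framing (ALE = single loss expectancy × annual rate of occurrence), which the post does not mention, and every figure, risk name and control name below is a constructed sample value.

```python
"""Cost-vs-value decision for security controls, as a worked example.

Added example, not the author's code. The quantitative framing
(ALE = SLE x ARO) is a standard risk-assessment method assumed here;
the decision rule itself is the one the post states:
  cost of security > value of data  -> do what you can afford and no more
  cost of security < value of data  -> do it, but only what makes sense
All numbers are constructed sample values.
"""
from dataclasses import dataclass

# Verdict codes returned by evaluate()
REJECT_OVER_VALUE = "cost exceeds value at risk: do not buy"
REJECT_NO_RETURN = "cheaper than the loss, but does not pay for itself: skip"
ACCEPT = "justified: cuts expected loss by more than it costs"


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # value of the data/asset at stake (currency units)
    exposure_factor: float   # fraction of that value lost per incident, 0..1
    annual_rate: float       # expected incidents per year (ARO)

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: the yearly 'value of data' at risk."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # yearly cost of the control
    rate_reduction: float    # fraction by which it cuts the incident rate, 0..1


def evaluate(risk: Risk, control: Control) -> tuple[str, float]:
    """Judge one control against one risk; returns (verdict, net yearly benefit)."""
    benefit = risk.ale() * control.rate_reduction
    net = benefit - control.annual_cost
    if control.annual_cost > risk.ale():
        return REJECT_OVER_VALUE, net          # spending more than the data is worth
    if net <= 0:
        return REJECT_NO_RETURN, net           # affordable, but does not make sense
    return ACCEPT, net


def plan(risk: Risk, controls: list[Control], budget: float):
    """Greedy selection: best net benefit first, judged against the RESIDUAL loss
    after controls already chosen, stopping when nothing left pays for itself
    and never exceeding the budget. Returns (chosen names, spent, residual ALE).
    """
    remaining_ale = risk.ale()
    candidates = list(controls)
    chosen, spent = [], 0.0
    while candidates:
        best = max(candidates,
                   key=lambda c: remaining_ale * c.rate_reduction - c.annual_cost)
        net = remaining_ale * best.rate_reduction - best.annual_cost
        if net <= 0:
            break                               # nothing left makes sense
        candidates.remove(best)
        if spent + best.annual_cost > budget:
            continue                            # can't afford it; try the next
        chosen.append(best.name)
        spent += best.annual_cost
        remaining_ale *= (1.0 - best.rate_reduction)
    return chosen, spent, remaining_ale


# Constructed sample data (hypothetical figures, not from the post)
DATABASE_RISK = Risk("customer database breach", asset_value=2_000_000,
                     exposure_factor=0.25, annual_rate=0.2)   # ALE = 100,000
CONTROLS = [
    Control("patch management", annual_cost=20_000, rate_reduction=0.5),
    Control("web application firewall", annual_cost=30_000, rate_reduction=0.3),
    Control("24x7 outsourced SOC", annual_cost=150_000, rate_reduction=0.7),
    Control("security awareness training", annual_cost=4_000, rate_reduction=0.1),
]


if __name__ == "__main__":
    print(f"{DATABASE_RISK.name}: ALE = {DATABASE_RISK.ale():,.0f}")
    for c in CONTROLS:
        verdict, net = evaluate(DATABASE_RISK, c)
        print(f"  {c.name:30s} net/yr {net:>10,.0f}  {verdict}")
    print("plan within 40,000 budget:", plan(DATABASE_RISK, CONTROLS, 40_000))
```

The point the numbers make is the post’s: the SOC is rejected outright because it costs more than the yearly value at risk, the firewall is affordable but buys nothing it does not cost, and the two cheap controls are what ‘makes sense’. Note that the second control is judged against the loss left over after the first, which is why a control that looked marginal in isolation can still tip either way in the plan.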

But I digress.

I can actually empathise with organisations and individuals trying to sell security. It’s tough, but that’s no excuse for lying about your products, and that’s exactly what you’re doing if you claim 100% security. Lying. You have a responsibility to your customers, and whether you like it or not, and whether you ARE or not, you are usually the expert in the room (if you know 1% more than the other person, you are the expert). Your client came to you for help; it’s up to you to provide what they NEED, not necessarily what they asked for.

Your credibility as a provider of information security services or products goes hand-in-hand with your integrity as an organisation and/or individual. Think of your integrity as a form of currency; you can either invest it in your credibility, or spend it on quick wins. Only one of these has a long-term future.

I will note however that if you’re a buyer of security services, you have as much responsibility as the seller to buy only what you need. YOU must ask the right questions, and the only way you can do that is to either do your homework, or hire someone to do it for you. Never expect a salesperson to think twice about giving you what you ask for, then charging you again for providing what you should have asked for in the first place. This scope creep is your fault as much as theirs.

This white paper is not about how to sell (I can’t do that); it is how I think you sell with integrity: How to Sell Security

Humble Expert, or Confident Idiot, Do You Know Which You Are?

[This article is based loosely on the Dunning-Kruger Effect.]

Have you ever been part of a meeting where someone whom you suspect has no idea what they are talking about, is actually the one controlling the meeting’s outcome? Or the opposite; been part of a meeting where you KNOW someone in the room is an expert on the relevant subject, yet remains quiet? Now combine the two; the expert stays quiet while the idiot rambles on.

I’m sure at some point I’ve been both, and if I’m honest, mostly the idiot.

One of the many aspects of human nature is our susceptibility to bow to confidence. Con artists and organised religions alike (but I repeat myself) have preyed on this for millennia. Politicians, emperors, dictators, cult leaders, you name it, all have the ability to make us believe utter nonsense. We are invariably less influenced by what is said, than how it’s said, and by whom.

“Those who can make you believe absurdities can make you commit atrocities.”
– Voltaire

The opposite aspect of this is that even if you are an expert on something, if you aren’t confident in your presentation, your knowledge and skill may be of little impact. Potentially, even if you did speak up, your hesitant manner would negate your audience’s trust in your message. That’s if they were even listening in the first place.

Another aspect of human nature is that we really don’t care about other people’s opinions. We are either pleased when people agree with us, or we’ll debate, argue, even fight with those who don’t. Our tolerance for alternative opinions, as well as our ability to adjust our own, only gets worse as we get older. We spend our lives surrounding ourselves with things that make us comfortable, all of which do nothing but reinforce our established beliefs.

I have long been a proponent of self-reflection. The ability to take an objective-as-possible look at yourself, maybe even from another’s perspective, is critical in being able to adapt to whatever the world throws at you. From my experience, there is a direct correlation between the ability to self-reflect and the ability to accept responsibility for both your life, and your actions.

Blaming others is a form of blind-faith, it suggests an infallibility that can never exist. Both experts and idiots are affected equally on this point, both negatively.

The lines between confidence and arrogance, faith and stubbornness, mentorship and patronisation are all blurry, and entirely dependent on the recipient’s perception, not the deliverer’s intent. Self-reflection / observation is the only way you can adapt to the person(s) opposite you, and without that adaptation your own needs will not be met. At least not in full.

While being aware of your tendencies does not equate to an ability to make immediate adjustments (as I know very well), we all have to start somewhere. Whether you’re an expert or an idiot, everything you do is in some way contextualised by those around you. It’s up to you to maximise your impact in a beneficial way.

In your personal life, do as you wish, but at work you are beholden to someone: employer, stockholders, customers, or just your immediate team. Neither the humble expert nor the confident idiot is any good to anyone.

Including yourself.