How to Lose All Credibility in Cybersecurity

There are some things in life that you assume everyone must know by now; give a firm handshake, never accept credit for someone else’s efforts, never be rude to waiters and so on. Yet so many vendors in the information security industry fall foul of an offence far worse than these.

They use phrases like:

  • 100% secure
  • Unbreakable
  • Completely safe
  • Fraud-proof
  • Hack-proof
  • and so on…

The fact remains that NOTHING in information technology is 100% secure. Nothing. If someone wants it badly enough, and they have the necessary skill-set/support, they are going to get it, and anyone who espouses differently should find another line of work before they cause any[more] damage.

And it’s all so unnecessary. You don’t need 100% security even if it was possible, what you need is security ENOUGH. The bad guys are lazy, and if you’re too difficult to breach they will move on, so just ‘build your fence higher than your neighbour’s’ From what I’ve seen in the 15 years I’ve been consulting across the globe, this should not be too difficult.

The calculation you have to make is this;

If the Cost of Security > Value of Data = do what you can afford and no more, OR, if the Cost of Security < Value of Data = do it, but do only what makes sense.

So what process magically gives you the answers to this equation? Easy, the Risk Assessment. One of the most basic tenets of a security program done well, and one of the most under-utilised business tools in every organisation I’ve helped. A risk assessment process performed appropriately will tell you what you’re not doing well, how to fix it, AND how much to spend on doing so.

But I digress.

I can actually empathise with organisations and individuals trying to sell security. It’s tough, but that’s no excuse for lying about your products, and that’s exactly what you’re doing if you claim 100% security. Lying. You have a responsibility to your customers, and whether you like it or not, and whether you ARE or not, you are the usually the expert in the room (if you know 1% more than the other person you are the expert). Your client came to you for help, it’s up to you to provide what they NEED, not necessarily what they asked for.

Your credibility as a provider of information security services or products goes hand-in-hand with your integrity as an organisation and/or individual. Think of your integrity as a form of currency; you can either invest it in your credibility, or spend it on quick wins. Only one of these has a long-term future.

I will note however that if you’re a buyer of security services, you have as much responsibility as the seller to buy only what you need. YOU must ask the right questions, and the only way you can do that is to either do your homework, or hire someone to do it for you. Never expect a salesperson to think twice about giving you what you ask for, then charging you again for providing what you should have asked for in the first place. This scope creep is your fault as much as theirs.

This white paper is not how to sell, I can’t do that, this is how I think you sell with integrity; How to Sell Security

If You Get Hacked, Blame Your CEO

According to statistics that I’ve just made up, less than [cough]% of all breaches are the result of a determined / planned attack, the remaining [mumble]% are the result of inadequate security of one sort or another.

The second sort is the overwhelming majority, but yes, I do need to start doing proper research.

My proposition is simple:

  1. CEO doesn’t seem to care = no-one else cares;
  2. CEO ignores security = everyone else ignores security;
  3. CEO is passive-aggressive and devoid of  charisma =  s/he will surround themselves with talentless sycophants…

…you get the point.

I am always amazed that the kind of people who have the ability to either raise themselves to the top position, or start their own company, are often completely incapable of using their enormous influence to an end that has value and meaning.  Well, beyond the selfserving kind anyway.

My absolute favourite Demotivator (www.despair.com) is this one;

leadersdemotivator

Like most humour, it’s only funny if it’s at least partially true. Sadly, this is the case for many organisation in terms of leadership in the realm of security.

As I have stated WAY too many times now;

Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities.  If the organisation fails to achieve [enter any goal here], it’s the CEOs fault, and no-one else’s.

I can think of one very good example in my own experience where the CEO actually took time out of their busy schedule to RUN the PCI assessment every year.  Of course she delegates the detail to her team, but she remains the focal point for communication and issues, and gets her hands dirty every day ensuring that her entire company takes security as seriously as she does.  The result is that they achieve compliance every year with a minimum of ADDITIONAL effort beyond their business as usual processes.

Unfortunately in this case her chosen consulting company also sold her a bunch of their crappy products that caused never-ending grief, but that’s life.

Despite all of the articles I’ve written on a variety of subjects, I really only have one goal for this blog; to change the perception of what security is, and what it can do for a business.

Security started out on the wrong foot by being lumped in with IT, who were already seen almost as a necessary evil. I guess it’s kinda like Scotty in Star Trek, he has saved their skins a thousand times by “giving ‘er all she’s got” but it’s always Kirk who gets the glory.  And yes, I’m very aware I just completely stereotyped myself.

In reality, no other department in an organisation has a better idea of exactly HOW they do business.  Every server, laptop, mobile phone (pre-BYOD), database and application is maintained by IT, and all of THAT is under the purview of security whose job it is to make sure it stays available and accurate.  But that’s just the beginning, it’s what the security folks can do WITH that knowledge that brings the real benefits (see How Information Security Enables Transformational Change for one such example).

The challenge I face however, is that the benefits will only ever be achieved if the CEO supports it.  Nothing happens without them, and seeing as I’m just in security, you can imagine how many CEOs I get in front of.

Still, a goal is a goal.

[If you liked this article, please share! Want more like it, subscribe!]