Contrary to what many might think, hackers are not the biggest security problem. As I’ve mentioned here, getting priorities right is very difficult in security, and the major security problems are related to that. Without pretending to be a single source of truth, I would formulate the first problem as:
Opportunistic Approach to Security
As described in the Security Manifesto, there are many domains of security that an organization needs to address to get it right. However, the number of security executives who understand all of them well is very limited. There are two common ways for a security executive to become a CISO: (1) the SME path, where an executive gets promoted to CISO because he was very successful in one or two security domains, e.g. infrastructure and networking; (2) the managerial path, where an executive becomes a CISO because he was a successful engineering, operations or compliance manager.
The second case is the worst, because such an executive will most likely try to solve all security problems by the means she’s comfortable with; e.g. if she comes from a software engineering background, she would say: “let us write a lot of code and it will solve all our problems”. This approach can be perceived by security neophytes as a new “revolutionary”, “one size fits all”, “silver bullet” solution, and it will make everything even more complicated and dangerous for the industry.
The first case is bad enough too; e.g. if a CISO comes from law enforcement circles, he’ll focus on creating and enforcing policies, while a networking and infrastructure person will immediately spend the whole security budget on very expensive networking appliances and neglect all other programs.
Security as a Window Dressing
The second big problem is the lack of real support from senior management. It’s not common at all for any sane CEO, CTO, CIO or board of directors to say that they don’t care about security or that security is not their priority. I’ve seen only one VP of engineering in my life who said openly that “security is not a priority” for his team. I would give this person full credit for his honesty; at the same time, I think that many executives who say that security is their priority are not necessarily committed to it enough and are not willing to provide the resources to implement security at the right level.
This trend shows up when you talk to an engineering organization asking for resources: either people or money, or time dedicated solely to security tasks. They will never say “no”, but always come up with excuses like:
- An important release is coming and we can’t jeopardize its deadline.
- They can lecture a security SME about the importance of partnership. It can go like this: if software engineers don’t do what you’ve recommended, then probably you, as a security SME, didn’t explain the threats or the mitigation plan well; you should not be policing or dictating anything to the engineering team; you need to be a partner and explain everything well to them, and then they will implement everything you wanted. Needless to say, these statements can be quite invalid, especially when significant engineering resources are required: no engineering team will embark on this kind of task without proper authorization from senior management, no matter how articulate the security SME was in explaining the threats and the proposed solution.
- Finally, they can declare the whole security program a low priority or cancel it altogether, because a new CISO told them that there is another, more important program that should be given the highest priority (see “Opportunistic Approach to Security” above).
- Some executives think that since they hired a CISO and a security team, security is not their problem anymore and is completely owned by the security organization.
Hiring a CISO with the right skills is extremely important. An ideal CISO, in my view, should have broad knowledge of all security domains. Hiring a CISO without any prior security experience is dangerous and doesn’t make much sense to me.
It’s primarily the CISO’s responsibility to get resources and real senior management support. The CISO should be vigorous and consistent in getting this message across and in escalating issues related to the lack of such support to the highest level if necessary.
Non-security executives should participate in making important security decisions and support the security team with resources from other teams (operations, engineering, QA, etc.). A security program in any organization can’t be successful until everyone understands that security is a team game, where the team is the whole company.