We Need to Have “The Talk”
Let’s talk about two subjects many consider to be off-limits. Verboten. Taboo. Namely, “sex” and “IT security.” I’ll start with the easier of the two subjects: Sex. Specifically, talking about sex. With your kids.
A common bit of parenting wisdom is, if you’re having The Talk for the first time when your kid is 16, you’re too late — by roughly 16 years. In these situations, parents realize their child is liable to make critical choices based on misinformation, peer pressure, and a false sense of invulnerability; and these unfortunate adults (the parents) must combat those forces armed with little more than their experience and a paltry handful of facts.
Likewise, a common bit of IT pro wisdom is, if you’re talking about security for the first time with leadership only after there’s been a breach, you’re too late — by roughly the time since the last infosec emergency. Far too often, IT practitioners realize their managers are liable to make critical choices based on misinformation, peer pressure, and a false sense of invulnerability; and these unfortunate adults (the IT pros) must combat those forces armed with little more than their experience and a paltry handful of facts.
Before you roll your eyes, I want to stress that “talking to management about infosec is like talking to your kids about sex” being a kitschy gimmick for a blog post doesn’t make it any less true. Having serious conversations about security — conversations that may be difficult but are nevertheless incredibly important — requires IT practitioners to act long before the chance for actual problems is near.
Just as we know how an effective conversation with our kids means laying the groundwork long beforehand, the same is true in IT. We must build an infosec vocabulary, establish ongoing dialogue, and build a relationship of trust, transparency, mutual respect, and non-recrimination. Do that, and even conversations we fear could become (and let’s be honest, sometimes are) difficult or uncomfortable will get the hard work done quickly and effectively.
When (not if — because trust me, both of these “S”-word conversations WILL happen) you want to focus on understanding the scope of the issue, creating a strategy to address it, and executing the plan. It’s not the time to be sidetracked by excessive and unnecessary hand-wringing and unproductive “how-could-this-have-happened” navel-gazing.
When — again, not if — you must patch a vendor’s software because they’ve identified a vulnerability, you want to be able to do it NOW. You want to be able to pivot immediately and identify the work-of-the-work: obtaining the patched, vulnerability-free version; testing and validating for production use; installing it; and getting critical systems back online. You don’t want to be stuck in an angry confrontation with leadership, explaining the IT facts of life to an executive who’s making decisions based on misinformation, peer pressure, and a false sense that “it’s in production” guarantees magically bug-free perfection.
Lest you think I’m being purposely vague, or blithely glossing over talking points you’ve likely heard during the news cycle, let me be clear: yes, I’m talking about the cyberattack on SolarWinds and their customers. Yes, I’m talking about Log4J. Yes, I’m talking about SQL Slammer. Yes, I’m talking about WannaCry. Yes, I’m talking about whatever-just-happened-and-led-you-to-this-old-blog-post.
And yes, I’m writing because of things every IT practitioner caught in the thick of those types of breaches learns as part of the process of identification, remediation, and self-improvement. I’m sharing this because this process not only gave me a healthy dose of humility, but it also has the opportunity to create a more secure, more thoughtful, and stronger organization.
We thought we were doing a good job at security. Then again, everyone does until something bad happens. As a famed pugilist pithily pointed out, “Everyone has a plan until they get punched in the mouth.”
As parents, most of us believe we’re doing our part to communicate, educate, and nurture. Hell, some of us are convinced we’re hip, edgy, cool, and incredibly worldly; we not only believe it, we think it will allow us to convey our own poor decisions, the indiscretions of our youth, in a way that helps our progeny make good choices. Then again, our parents thought that, too, but still decided the best plan was to teach us about sex by opening the encyclopedia to a page showing a penis and asking if we had any questions. Or by taking us to see The Postman Always Rings Twice (when we were 12).
To those who look at a breach, hack, vulnerability, or exploit happening to another company and think (or post on social media. Over. And over. And over again.) “Security isn’t that hard. You had one job! How could you have let this happen!” all I can say is:
“You have no idea what you’re talking about.” Because trust me, my friend, there is some weird shit out there.
Coincidentally, this is the same response I have when talking to my kids about things appearing on their TikTok feed. And I’m grateful that they still ask.
Turning back to the subject of infosec, I’d like to share a lesson that became clear to me as a review of security postures and practices was started (at a place I may or may not have worked at, with the enthusiastic “help” of multiple private and government organizations): We were doing “good security,” but it was “good” in the context of risks that existed five (or so) years ago. “Why,” we reasoned, “spend effort trying to predict what infosec risks might be invented in the future?” This question was answered by partners from both inside and out of the federal government.
“Upwards of 90 to 95% of threats are based on known techniques,”Christopher Krebs, former director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA)
Protecting against 90% of the potential threats sounds like enough, and one can reasonably argue it was — until recently. Even, “Einstein,” the system used by the Department of Homeland Security (DHS) to catch threat actors, only looks for known attack patterns. The newer attacks and breaches, Krebs said, was just “too novel.”
Today’s infosec landscape is not the same that existed even a few short years ago.
Similarly, and despite our determination not to make the same mistakes our parents made, we often find ourselves challenged, uncomfortable, and ill-prepared to explain, let alone guide, our kids through today’s experiences. Their world is fundamentally different from the one we navigated ourselves at their age. The answer is to recognize that difference, rather than wish it away or insist it’s unimportant. Our past experiences may allow us to predict certain perrenial problems, but only if we acknowledge the presence of risks we never had to face.
Chalk it up to one more example of the “next normal” we find ourselves facing. The hard truth is 90 to 95% isn’t enough to keep ourselves (and by extension our customers) safe. Harsh experience taught me (and should serve as a warning to all organizations, really) to look at today’s technology risk landscape, and leverage it — along with my experience with monitoring and IT — to plan for the risks we see just over the IT event horizon. Obviously, every predictive defense won’t pan out, but during those exercises new vulnerabilities and defenses will undoubtedly be discovered.
IT security doesn’t just happen on its own, or as a result of some magical culture within the organization. Like an open and trusting relationship between parents and children, it happens when everybody puts in the effort, day by day and conversation by conversation, to build it up and keep it strong.