Finding Meaning in IT Security
The Value of a Thankless Job
“Your credit card was found on the dark web…” read the opening of the letter from my bank. They’d proactively sent me a new card and a year of identity protection. Such is the cost of doing business in a digital world.
While discussing this with a friend, it was interesting how ordinary this has become. He’d received several of these types of letters in recent years. I’ve been notified that my information was accessed in breaches of TaskRabbit and a much scarier “Office of Personnel Management” breach. That one involved my DoD security clearance, so it’s nice to know that my historical and psychic profile is probably out there somewhere, but what can you do.
Has this type of activity become more than regulatory requirements levied on a business? Is secure operation and breach recovery now an expected part of service as important as 24/7 access to your music library or scheduled maintenance on your Tesla? Yep.
Despite how commonplace network breaches have become, it is still an awful, ugly thing. It is debatable how much it hurts the company besides the dips in patronage after publicized hacks. It doesn’t appear to be an apocalyptic event for most. The impact on affected consumers is far worse.
Equifax, OPM, Hilton, Target, and TaskRabbit are still around in some form or another. In a day when almost everything becomes a commodity, the company’s reaction to these types of events is a differentiator.
Good old-fashioned word of mouth still exists. I’m more than happy to talk up my bank, especially after they called me when somebody skimmed my card and spent $500 at a Mississippi Walmart. Savvy consumers want to know that a company is operating securely as well as manufacturing quality widgets.
So companies with good security policies are giving customers further peace of mind. Who doesn’t want peace of mind? On the other side of the coin, the many decisions and activities involved in securing a company’s data and processes can feel like a descent into madness for IT security pros.
Security Operations Centers are a funny place. Conversations get philosophical. What are we really defending? What’s the point of all this? Why are we here? What did the ending of Inception mean?
Security is a relatively high-paying field, but once in a security position you feel like you’ve come into possession of forbidden knowledge. You realize the network is damn near Swiss cheese. Swiss cheese that’s sat on a hot sidewalk since the ’90s.
You learn the internet was never created with security in mind. It can make the work feel futile when every node that touches a network can be exploited. So every new IT project or device on the network weighs on the conscience of the security team.
Security pros think daily about insurmountable odds. How does a shepherd care for 8,000 geographically distributed sheep? Sheep that like to walk off cliffs and click on the wolf’s ransomware ads. How do they make meaning and sense of their mandate to protect the Swiss cheese?
The premise of a security vendor is that you don’t know you need their product until it’s too late. You don’t necessarily want their product, probably because of cost: you could hire a handful of developers for the price of their product.
The thought is discomforting. So you buy a security product because there are monsters on the edges of the map. It leads you to think, how valuable is your reputation and your customer’s data?
How can this be quantified to justify buying a T-1000 to protect your enterprise? How many IT departments have truly mapped that out? How many companies analyze that at all?
To map the value stream we ask: what are the products and services? How are they produced? How do we support those processes and data flows? Many IT security pros instead take up the simultaneous position of the Dutch boy with his finger in the dike and a screaming Chicken Little. This is often easier than getting hard numbers.
Sometimes the bureaucracy of a company won’t even allow an IT pro to do this type of analysis. That gets old fast. So you might resign yourself and wait to utter four of the possibly most unhelpful words on the planet, “I told you so.”
The Phoenix Project is unknowingly the story that every IT security engineer needs to read. In the book, John is the groan-inducing Chief Information Security Officer that people avoid. If they implemented every security control in John’s goofy binder, they might as well shut down the entire network and issue every employee a pencil.
With John everything is a problem. Nothing is acceptable besides martial law. He never attempts to understand the goals. He goes so far as to take down their order fulfillment system because, with good intent, he forces a developer to shoehorn in an encryption feature that in turn makes customer data unusable for the company’s other systems.
In the book John is understandably stressed out and frustrated. It leads to a nervous breakdown. He later becomes one of the heroes in the story by rethinking his role. He starts interviewing VPs and Chiefs to understand their concerns, needs, and goals. The CISO’s job is not to run around hitting people on the head with a security stick.
A successful CISO understands that the development pipeline is the lifeblood of an IT department these days. To be able to code intellectual property from scratch is magic. It’s alchemy. They understand that our IT solutions exist to support and enable our end users.
So the security pro must learn development practices, maybe learn to code a little on their own. This allows them to understand the origin of bugs and vulnerabilities. It helps them understand where security controls fit in.
It even helps them have a say in implementing things like “infrastructure as code” that, while not a security control in itself, helps lead to secure and auditable environments. The modern security pro must understand modern development practices, programmatic thought, and open source to create an adaptive and flexible security layer.
So we must learn to fit in security with the rapidly evolving enterprise where servers and containers are fleeting, spun up and down moment to moment. Where code commits happen 20 times a day, no longer 20 times a year.
Therein lies the value of IT security. How can we secure the enterprise while allowing it to move and grow as it needs to meet the needs of the business? IT security becomes the seat belts, the good maintenance practices on a roller coaster, not somebody trying to shut down the ride.
To re-appropriate Jordan Peterson’s thoughts on order and chaos: too tight an environment creates a stifling, non-productive place; too chaotic an environment swamps us with constant change and instability. Or to borrow from a giant purple villain, “Perfectly balanced, as all things should be.”