Security Teams are Not Enforcers
Your cybersecurity efforts are an exercise in futility without executive support
One of my posts on Governance and Cybersecurity Careers and Jobs.
In the last post, I wrote about how cybersecurity is a team sport. Some of the most important people you need on your team are top executives. Most importantly, the CEO needs to back your plan; otherwise, your initiative will fail. I am speaking from painful experiences.
Although I already had a draft of this blog post in the works, the topic came up on an IANS research security consulting call just the other day. Creating a secure deployment pipeline with guardrails, automation, proper architecture, integrity checks, and failover in the cloud takes a significant amount of investment in terms of time and money to do it in a manner that prevents data breaches and facilitates project delivery at the same time.
I’ve done it. I was a cloud architect managing a team of thirty people implementing a new cloud security product. You’ll likely need a dedicated DevOps team, a decent cloud architecture plan, and separate development and QA teams. You’ll want to train them all in the basics of cybersecurity for the least angst along the way as you implement and roll out your new deployment pipeline and security controls.
If one team is trying to build a secure and robust deployment pipeline at the same time as other projects, it will take even longer to complete, if it ever gets done. (Not to mention, it’s probably not the best for separation of concerns or your cloud architecture, and the outcome may have inherent security risks.) If it takes too long, the project will ultimately get axed if the CEO doesn’t understand the necessary investment, buy into your plan, or see the benefit of what you are doing.
I’ve seen the scenario many times. A well-meaning DevOps, cybersecurity, or IT professional wants to enforce rules in a cloud environment, so they create a number of automated guardrails and integrate security scans into deployment processes. They are usually implementing these things with the best of intentions. In fact, sometimes what they develop is in the very best interest of the company despite the outcome.
Then reality sets in. The new guardrails block developers and QA people from doing what they have always done in the past. The unexpected roadblock throws their schedule off track. They can’t deliver their projects on time because these new steps and processes weren’t in their original plans.
Now the development teams have to do additional work to accomplish what they were planning to do in a much simpler way. The developers don’t understand why they must complete these additional steps and why they can’t do it the easy way they did it before. (Psst. It’s easier for attackers, too.)
The people trying to build things complain to their managers, product managers, and program managers, who don’t understand the technology, the controls, or why they matter. They sometimes send emails that go over many heads to senior executives, vice presidents, and the CEO in large organizations to get their way. The business side of the organization complains that they can’t deliver projects that are going to make money for the company.
Some people are used to having free rein and doing whatever they want. They have no cybersecurity training and argue that the controls are unnecessary. Why executives listen to these individuals with no training or experience in the matter, I will never understand. But they do.
The security person who built the controls is protecting the company from risks that cost millions of dollars. However, no one else, least of all the top executives in some organizations, understands how that translates to something they understand — monetary impact to the bottom line.
In other words, the business owners, developers, managers, and top executives don’t see how that esoteric thing you are describing, such as port 3389 exposed to the Internet, translates to business dollars. What they understand is that they want their employees to be happy and not quit. The business has projects that need to get completed so the company can deliver innovative solutions. They need to make money.
The answer is usually something like, “Let’s just keep doing what we’ve been doing for now and we’ll deal with it later.” Later never comes. Either the company gets lucky, or they experience a data breach.
By the way, I use that example of port 3389 because I just saw a report where attacks brute-forcing RDP passwords are taking on phishing as the number one attack vector for ransomware.
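As an added illustration (not part of the original post), here is the kind of automated guardrail the post refers to, applied to this exact finding: a pipeline check over security-group style ingress rules that fails the deployment when TCP 3389 is reachable from the whole Internet, and that turns the finding into a sentence a non-technical reviewer can act on. The rule format, the group names and the sample rules are constructed for the example and are not taken from any real project; the private-range classification assumes RFC 1918 and fc00::/7 are the only trusted source ranges.

```python
"""Pipeline guardrail (example code, not from the original post): refuse to deploy
ingress rules that expose RDP (TCP 3389) to the whole Internet."""
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389

# Assumption: these are the only source ranges we treat as "internal".
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


@dataclass(frozen=True)
class IngressRule:
    """Constructed, simplified shape of a cloud security-group ingress rule."""
    group: str
    protocol: str      # "tcp", "udp", or "-1" meaning all protocols
    from_port: int
    to_port: int
    cidr: str          # source address range


def rule_covers_rdp(rule: IngressRule) -> bool:
    """True if the rule lets TCP traffic reach port 3389 (directly or via a range)."""
    proto = rule.protocol.lower()
    if proto == "-1":          # all protocols and ports, including RDP
        return True
    if proto != "tcp":
        return False
    return rule.from_port <= RDP_PORT <= rule.to_port


def classify_source(cidr: str) -> str:
    """Classify a source range as internet-wide, private, or public."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:     # 0.0.0.0/0 or ::/0: everyone on the Internet
        return "internet-wide"
    if any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS):
        return "private"
    return "public"


def find_rdp_exposures(rules):
    """Return (group, cidr, severity) for every rule exposing RDP outside private space."""
    findings = []
    for rule in rules:
        if not rule_covers_rdp(rule):
            continue
        source = classify_source(rule.cidr)
        if source == "private":
            continue
        severity = "critical" if source == "internet-wide" else "warning"
        findings.append((rule.group, rule.cidr, severity))
    return findings


def guardrail_passes(rules) -> bool:
    """The pipeline gate: block the deployment on any critical exposure."""
    return not any(sev == "critical" for _, _, sev in find_rdp_exposures(rules))


def explain(finding) -> str:
    """Plain-language message for the people who have to approve the exception."""
    group, cidr, severity = finding
    if severity == "critical":
        return (f"{group}: Remote Desktop (port {RDP_PORT}) is open to the entire "
                f"Internet ({cidr}). Password-guessing attacks against RDP are a "
                "leading path to ransomware; restrict it to a VPN or bastion.")
    return (f"{group}: Remote Desktop (port {RDP_PORT}) is reachable from the public "
            f"range {cidr}. Confirm this range is owned by us and still needed.")


# Constructed sample rules for a demonstration run (not real infrastructure).
SAMPLE_RULES = [
    IngressRule("sg-web", "tcp", 443, 443, "0.0.0.0/0"),          # fine: HTTPS only
    IngressRule("sg-jump", "tcp", 3389, 3389, "0.0.0.0/0"),       # critical
    IngressRule("sg-legacy", "-1", 0, 65535, "::/0"),             # critical: everything
    IngressRule("sg-wide", "tcp", 3000, 4000, "203.0.113.0/24"),  # warning: range covers 3389
    IngressRule("sg-internal", "tcp", 3389, 3389, "10.0.0.0/8"),  # fine: internal only
]

if __name__ == "__main__":
    for f in find_rdp_exposures(SAMPLE_RULES):
        print(explain(f))
    print("deployment allowed:", guardrail_passes(SAMPLE_RULES))
```

Run as a pipeline step, a non-zero exit on `guardrail_passes(...) == False` is what stops the deployment; the `explain` output is what goes into the ticket so the conversation with the business side starts from risk rather than from a port number.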
The end result is always the same, at least until the organization faces a serious data breach. The business people win. The developers win. The people who are building tangible things that make money succeed over the things that protect against something that may or may not happen — i.e. risk.
The other part of the equation usually also has something to do with the implementation of the security controls. Sometimes they get put in place with no understanding of how people are doing their jobs. When I used to build back-office systems for a bank, I would go sit with the people for whom I built systems to have them walk me through the current system and how they do their jobs. I would build the new system to make their job easier, not harder, and I would ask for feedback along the way.
Coming back to the point in my last post on cybersecurity as a team sport, if only one person in the company takes a security class and comes back all excited to implement new security policies and automation, that probably won’t help an organization too much. Others in the organization need to be on board with new initiatives, and most of all the CEO.
These key points are among the main reasons why I wrote my book on Cybersecurity for Executives in the Age of Cloud. I understand that businesses need to make money. I also understand the cybersecurity risk. I analyze breaches and their impact every week in my cybersecurity news feed, including the cost of a data breach and its impact on organizations. I believe executives can understand cybersecurity fundamentals, and getting their support will help make cybersecurity initiatives a success.
Beyond getting the CEO on board, there is a second problem: a security person implementing controls may not understand the way the others work or how to build user-friendly systems and processes. They may not have tested the system properly before rolling it out. A well-designed deployment pipeline can save money in the long run. But only if it is well-architected and facilitates security while also being flexible enough for people to get their jobs done.
The converse is a system that fails often and halts progress. It may include processes and controls that take an excessive amount of time or create unnecessary roadblocks. And then there is the completely automated deployment pipeline with some scanning baked in but lacking proper security checks, process controls, and segregation. That lends itself well to another SolarWinds hack.
Getting your whole company involved in the cybersecurity discussion through a cybersecurity class with 2nd Sight Lab facilitates communication. If top executives attend all or part of the class it can help them understand what really matters when it comes to cybersecurity risk and how the investment will pay off. It can help security teams get buy-in for important cybersecurity controls and initiatives. It will also help the different teams within your organization understand each other’s pain points and work together better to come up with solutions that are both secure and deliver business objectives.
Teri Radichel | © 2nd Sight Lab 2021
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab