Exposed by failure...

It is a bold statement, but today information security makes the headlines because of the exposure that follows massive outbreaks of attacks hitting companies that failed to protect themselves and the data entrusted to them.

Your virtual castle only channels the bad guys; it does not deter them, and it does not prevent them from stealing your data.

But believe it or not, security professionals have been doing their utmost to provide a safe cyber environment since the Internet emerged. Yet it is hard, if not impossible, to avoid mentioning how daunting the task is. Those willing to work in such an environment must have some form of psychological deflection. We, security professionals, are asked to provide knowledge and insight on legislation, regulation, frameworks, methodologies, technical solutions, vulnerabilities and risks; moreover, we need to be able to speak with all levels of the organization and understand its business model(s). So far so good: we are up to the task. We have our bag of skills, confidence, courage and the other soft skills required to conquer this challenge.

In the real world, however, where business rules and money is involved, things get complicated because of budgets. Budgets rarely reach security at the beginning of the spend. We, information security, mostly come in at the end, when all other requests have been fulfilled and someone smart in the room has pointed out that security is something the organization might have to consider. Then the hassle starts: how much is left to spend, how much is required, what security do we already have, and can it be leveraged for the new requirements?

If you think risk is funny, risk your life and save money (Professor Zurich University)

Everyone in a board room understands risk to some extent, so we, security professionals, need to speak the same lingo. When talking risk, it is common practice to have executed a risk assessment on the new project; it provides a view of the company's risk exposure. Afterwards we take those risks, start a quantitative or qualitative approach and, with some magic, dig up numbers that are easily manipulated, are biased and can be overruled by those in power. These numbers rarely speak in favour of the security professional's plea. On the contrary, on many occasions they show how well the company is doing; the reality is that they hide how bad things are because of past decisions. I believe in risk assessment: if there is risk exposure, it should be mitigated. The difficulty is that we look at individual risks in a world where everything is connected, and such an approach leaves us exposed. The context is missing in many cases, and one individual risk that seems small can become the next Pandora's Box when it materialises into a real attack.

This is not intended as another rant on risk management. If we're honest, there is a lot of room for improvement, and to get there we need to recognise the shortcomings.

never test the depth of a river with both feet (Warren Buffet)

But we, security professionals, can deal with that. We must bring the context and point out the dangers that are not covered when risks are looked at individually. I'm sure this happens in many cases, but we are overruled by money-making decisions. I'm not talking about hyper-complicated attack scenarios that happen rarely, or sophisticated targeted attacks. Take WannaCry as an example: it could easily have been avoided by applying patches in due time, and the patch for the SMB flaw it exploited (MS17-010) had been available for roughly two months before the outbreak. Somehow companies managed to block those updates. I wonder how that got past any qualitative or quantitative risk approach; the cost of patching is low in comparison with the havoc a successful attack might cause.
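The gap described above, per-asset risk scores versus the loss once hosts are connected, and the cost of patching set against that loss, can be made concrete. The following is an added example, not code or figures from the article: the estate, asset values, entry probabilities and patch cost are all constructed for illustration, and the model (a worm that can enter and traverse only unpatched hosts over one vulnerable service, with entry events treated as independent) is deliberately simple.

```python
"""Per-asset vs. connected risk estimate for one wormable vulnerability.

Added example, not from the article. Every host, value and probability
below is constructed for illustration; the model is deliberately simple.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Host:
    name: str
    value: float          # single-loss expectancy if this host is compromised (constructed)
    p_entry: float        # annual probability an attacker gets in here via the flaw (constructed)
    patched: bool         # patched hosts cannot be entered or traversed via this flaw
    peers: Set[str] = field(default_factory=set)  # hosts reachable over the vulnerable service


def isolated_ale(hosts: Dict[str, Host]) -> float:
    """The usual register: ALE = SLE x ARO, each host scored on its own."""
    return sum(h.value * h.p_entry for h in hosts.values() if not h.patched)


def blast_radius(start: str, hosts: Dict[str, Host]) -> Set[str]:
    """Hosts a worm entering at `start` reaches by hopping only through unpatched peers."""
    seen, stack = {start}, [start]
    while stack:
        for peer in hosts[stack.pop()].peers:
            if peer not in seen and not hosts[peer].patched:
                seen.add(peer)
                stack.append(peer)
    return seen


def connected_ale(hosts: Dict[str, Host]) -> float:
    """Same inputs, but each entry point is charged for everything it can spread to.

    Entry events are treated as independent, which is good enough for comparing
    the two views; it is not a precise loss distribution.
    """
    total = 0.0
    for h in hosts.values():
        if h.patched:
            continue
        total += h.p_entry * sum(hosts[n].value for n in blast_radius(h.name, hosts))
    return total


def patch_cost(hosts: Dict[str, Host], cost_per_host: float) -> float:
    """Cost of patching every host that is still unpatched (constructed unit cost)."""
    return cost_per_host * sum(1 for h in hosts.values() if not h.patched)


def patched_copy(hosts: Dict[str, Host], names: Set[str]) -> Dict[str, Host]:
    """Return a copy of the estate with the named hosts patched."""
    return {
        n: Host(h.name, h.value, h.p_entry, h.patched or n in names, set(h.peers))
        for n, h in hosts.items()
    }


def sample_estate() -> Dict[str, Host]:
    """Constructed estate: two workstations and a file server, all unpatched and
    reachable from each other, plus a patched database that only the file server reaches."""
    return {
        "ws1":   Host("ws1",   5_000,   0.30, False, {"ws2", "files"}),
        "ws2":   Host("ws2",   5_000,   0.30, False, {"ws1", "files"}),
        "files": Host("files", 200_000, 0.05, False, {"ws1", "ws2", "db"}),
        "db":    Host("db",    500_000, 0.05, True,  {"files"}),
    }


def compare(hosts: Dict[str, Host], cost_per_host: float = 400.0) -> Dict[str, float]:
    """The figures a risk owner should be shown side by side."""
    return {
        "isolated_ale": isolated_ale(hosts),
        "connected_ale": connected_ale(hosts),
        "patch_all_cost": patch_cost(hosts, cost_per_host),
        "connected_ale_after_patching_files": connected_ale(patched_copy(hosts, {"files"})),
    }


if __name__ == "__main__":
    for key, val in compare(sample_estate()).items():
        print(f"{key:>36}: {val:>12,.0f}")
```

Run as a script it prints the four figures. On the constructed estate the isolated view gives an annual expected loss of 13,000, the connected view 136,500, patching all three unpatched hosts costs 1,200, and patching only the file server (the hub, cost 400) brings the connected figure down to 6,000. The numbers themselves mean nothing; the point is that the same inputs give a ten-fold difference depending on whether the connections between assets are part of the assessment, and that the patch cost is small against either figure.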

Welcome to the future

There are moments in time, mostly during severe incidents, when we need to seize the window of opportunity. I'm convinced many security professionals do, but we must not fall into the same thinking as people who are not information-security literate, where we end up treating the symptoms instead of identifying and remediating the cause. It is crucial to use these moments to fundamentally change things for the better.

Insanity is doing the same thing over and over again and expecting different results (not A. Einstein apparently)

Not an easy task. It would be naive to think this is an overnight accomplishment; it will most likely be an endeavour to pursue for the rest of your career. And if I look at security professionals such as Bruce Schneier or Rebecca Herold, to name a few, it seems they are doing just that: making people aware of the issue, questioning current approaches and looking for better, more accepted and more secure ways of using the cyber world.

Great points, Koen, and eloquently worded. Thank you very much also for the kind words; they are much appreciated.
