The Fallacy of Security as a Job

It was a meeting with the leader of a Security Operations Center (SOC) of a large company. Mid meeting, he got an alert and rushed out. As he returned, he apologized, and said he treats any IT security alert as "something that could cost lives". At first, I thought it was ridiculous bravado. Years later though, I have realized, it is probably that zeal and passion that has driven him to excel in his job. He is now a CISO of a major public corporation and a respected friend :)

And that is the point … Cybersecurity is doomed if employees in the security organization think its just a job. Their adversary is definitely not doing "just a job".

300 could defend against massive attacks only because they were passionate, well trained and worked together like their families lives depend on it (and yes, I know, all it took was a single malicious insider to take out the 300 … but that’s a blog for another time).

If you are on the board of a corporation or the CEO, look for an individual or two in your organizations that are that zealous about your cybersecurity.

For any organizations wanting to become a digital enterprise, cybersecurity thinking must start all the way at the top. With recent breaches like Ransomware and Solarwinds, this is a regular board topic, but how many boards know the questions to ask ? My suggestion is simple: find the one person in your organization that feels "lives are at stake" if he or she fails their job. Whether it is physical or economical, lives truly are at stake. 

When you find her, empower her to drive change. Cyber threats evolve continually, and if your security tools are unable to keep pace, no amount of passion can save someone taking a knife to a gun fight.

If people responsible for your security tell you that everything is good because they have been doing it for 10 years and there has been no breach…. Well most likely you just don’t know about the breach.

A passionate security org cannot do it based on just their wits. Every couple of years you need new tools. Equally importantly you also need training and enablement for building expertise to use them right. Sadly the incident response in most companies, even now, is to add a domain to the blacklist on a firewall. That approach is really effective… in constantly annoying the employees, doing busy work, and getting everyone a very false sense of security.

So what is the answer? Passionate architects and security officers that can redesign for digital, the SOC being paranoid and constantly aware of its true attack surface, better toolkits to make the SOC work smarter, smart SOC partners (MDR) , products that actually integrate well to create a coordinated response... and much more. Topics for next time :)

Action number one, though: Find that one passionate leader who will drive the change. It is the right person only if they push management out of its comfort zone, and their enthusiasm has to be tempered all the time ! :)