Having had the pleasure of 14 of Wellington, New Zealand's top corporate technology executives for lunch today, I've managed to confirm something interesting.
Even in the land of the Kiwi, enterprise security is (and has been) its own worst enemy. I recognize this won't be a very popular post amongst security practitioners, but you'll have to take my word for it that it's true according to your management.
There's no denying that enterprise security has largely been sold (whether internally or externally) to the enterprise on the basis of fear for the vast majority of the last 15 years.
Sure, I readily acknowledge people like Jon in our luncheon today who have long given up on pushing fear for business reality but by and large, we're in the business of fear.
Think of the years of pushing fear-based security as over, with corporate senior management. While there are still those boards and business executives that can be swayed based on fear, that population is quickly shrinking faster than ever before. There are a number of reasons for this...
- Breach overload - I've written about it before on this blog as applied to Software Security Assurance (SSA), but data breach overload in the media and every other medium is at an all-time high and it's long lost its shock value.
- Hierarchical detachment - If you look at the corporate structure of many organizations, the 'security guy' is so far removed from the business decision makes (from a strategic perspective) it's not even realistic for them to interact. The business is so insulated from the security function it isn't realistic for them to understand each other.
- Chasing shiny things - Related to #2 above, the folks in the room today reminded me how reliant on technology their security managers are...and how far from the basics they've moved. A dependence on technology is dangerous because it teaches security managers (or those responsible for security) to chase the next big shiny thing, rather than focusing strategically on supporting the business.
- The sky hasn't fallen, or it has - There are two outcomes to selling fear to pad your security budget. Either you get more money to 'secure' the company, and you still get breached... or you don't get a penny and you don't get breached. Neither of those are good outcomes... because they both vastly undercut the value of real security. Imagine if the "the company will go out of business if I don't get more money to secure it" CISO gets nothing ...and the company doesn't get hacked. The business just learned that they can get away with doing nothing and skating by - a dangerous (and largely untrue) lesson... which will end badly, guaranteed.
And so enterprise security organizations find themselves to be their own worst enemies. From what I heard confirmed today security is largely disconnected from the business, largely dependent on technology, and unable to be anything more than a cost center... and it seems like the more we rant and wave our arms the deeper the hole gets.
Security's inability to go back to the roots of why IT is around, is what's hurting. The inability to enable the business to move faster, like brakes on a high performance car, make things worse.
Every time the security group is given a chance and a seat at the table we seem to squander it being irrational and overly dramatic and this is leading security to be marginalized. Sure, this isn't true for 100% of the organizations out there, but many of the director-level folks in the room of 15 today confirmed it for me... it's true by and large, and it's not getting better.
So it seems the chickens are coming home to roost, if you fancy that phrasing. Pushing fear has made our enterprises largely apathetic to our cause, and now we have to work twice as hard to be taken seriously and gain acceptance. I believe that we have a chance, right now, to make a positive impact.
If you want to learn how to do security right you should be looking to people like Eric Cowperthwaite, for example, who has a pragmatic and no-bull approach to security... but unfortunately there aren't enough security practitioners getting on the bus.
Bottom line - security as a fear-based sale is quickly fading into something that is having an adverse reaction. Rather than scaring executives into throwing bags of money to "be secure", the fear-based approach is pushing executives further away from sound security strategy. How this story moves forward is entirely up to you.
Cross-posted from Following the White Rabbit