Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Hiring still seems to be crazy in cybersecurity despite everything going on. When a security engineer is laid off, he/she is almost immediately bombarded with more interviews. I still have many friends with open reqs, so if anyone is reading this and is looking for something, please reach out, and I can help connect!
LET’S BE FRANK
In my last newsletter, I discussed why security is easy. In this newsletter, I will take the opposite side. In particular, I was inspired by this comment on my LinkedIn by Emilio Escobar, the CISO at Datadog:
It’s a vague but very deep comment. In essence, the core theme of what I’m going to discuss is that security is hard because security people can’t get out of their own way!
So what do I mean by that? Well… security leaders make it difficult for themselves to achieve their own goals. I’ll discuss a few main reasons below why this happens. This is by no means comprehensive and obviously doesn’t apply to all organizations. However, struggling security organizations suffer from some or all of the issues described below.
The key takeaway is that because it’s impossible to eliminate all security risks and vulnerabilities, security needs a more nuanced approach to identifying and mitigating risks in an organization that focuses on solving problems to achieve business objectives rather than creating them.
Security breaches are random.
This is somewhat self-explanatory. It’s impossible to eliminate all security risk, and a security breach can happen even to the best-prepared organizations. Some security professionals have never seen a security incident in their whole career, even at places with a poor security posture. It’s also possible that a security event escalates to a breach because of one bad decision made during incident response, even though the company is very well prepared. In many ways, security is best effort, but good preparation and good relationships throughout the organization substantially reduce both the blast radius and the probability. Yet there is always a chance. It’s a hard reality to accept that security events and even incidents can and likely will happen; what matters is how an organization handles them.
Security typically operates on an island with little context.
Security tends to be isolated from the rest of the organization. This is a self-fulfilling prophecy: the more they operate on an island, the more they isolate themselves. They use tools to gain visibility but will never have as much context as they would if they collaborated with other parts of the organization, especially engineering. So why don’t they do it? Well… they don’t speak the same language, and many security professionals feel that their job is to raise risks, which tends to be very disruptive to engineering velocity. It’s not fully their fault. Many times, security leadership encourages and enables this type of attitude.
The solution is simple but hard to achieve: hire software engineers into the security organization. Many of you know that I’m a huge advocate of software engineers doing security. It does develop better relationships and closer collaboration with engineering. Not all security problems are technical. Good processes and relationships can create a lot of relevant context for a security organization and substantially reduce organizational security risk. Doing this is hard because it’s hard to hire security leaders who can build an effective and collaborative security organization.
Security tends not to sufficiently consider business risk while assessing risk.
A big problem with security teams is that they are often too focused on security risks and their blast radius. Many times, they don’t properly consider the tradeoffs. More specifically, reducing a security risk can increase business risk. In the extreme case, if there is no business, there is also no security risk. However, security teams tend to raise security risks without properly considering the business implications and the additional business risk that will be introduced. Unfortunately, security leaders feel that they are at odds with the executive team, but that is because they have failed to find alignment. Let’s be honest. No executive team wants a breach to happen, but it’s hard for security people to find alignment because, traditionally, they’ve never had much influence in board rooms or on executive teams. In many companies, the CISO was not even part of the core leadership team and reported to the CIO. Only in the past decade has security become a board-level issue, given the prevalence of hacks and their impact on businesses. Learning to navigate these new dynamics requires security leaders to develop a new skillset.
Security operates through fear rather than problem solving.
Traditionally, security has justified its value through fear, uncertainty, and doubt (FUD), because no one wants to be the next headline hack. As a result, many security teams have been given a blank check to surface random risks and be disruptive to development teams. In many ways, this has given security a bad reputation. However, with the increased number of breaches, many companies are realizing what I described above: security breaches are random. The mentality has changed from reducing risk at all costs to making sure we are taking calculated risks. This fundamentally changes the dynamic from one of fear to one of problem solving. I honestly believe this is better for the security team, because the value creation and delivery are more sustainable. For example, if a product feature carries a security risk, the security team can work to come up with alternative solutions or find ways to mitigate the risk. They can also discuss how to minimize the risk in the future. In this way, security acts more like a partner than a blocker. This method of operation is more productive than stating the risk and forcing someone to take accountability for it.
However, this mentality change is not easy. It’s much harder to find solutions than to state problems, but value creation is never easy. Security organizations need to evolve, because the role they play is now different, as described above.
Conclusion
Security has changed drastically in the last decade. Many professionals are still adapting to their new roles. Although security might be easy, it is hard to change mentalities and habits. New things are hard to learn, but security needs to recognize the new realities. Adapting to them requires giving up old habits, which is hard but necessary. Change is easy and hard at the same time. That’s what makes security hard!