Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I started a new role as the Lead Security Engineer at Headway, where I’m working to secure a new mental health system that everyone can access. This is a mission I’m personally passionate about!
I plan to continue writing, and I’ll be able to provide a new perspective given that Headway is in the healthcare space.
Moving on to the newsletter post this week!
Almost on a daily basis, I hear about a security hack/breach. People ask me on a regular basis about my thoughts, and it’s becoming impossible to keep up. Even if you google “security breach” and see the news search results, you find articles that show multiple major companies are breached at least every week.
To be clear, these are not minor breaches. These are large disclosures of customer information, such as the T-Mobile breach where hackers claimed to have hacked them over 100 times in one year. There’s no easy way to say this: that’s insane! What’s worse for T-Mobile is that these hacks enabled SIM-swapping attacks that substantially weaken MFA for everyone.
I don’t want to harp on the T-Mobile hack specifically, but this is just another example of how security is broken. Despite all the new tools and budget for security, it seems like things are not getting better and arguably getting worse. Of course, it would be even worse without the investment, but there are serious fundamental issues. Honestly, not only does there need to be more accountability, but as a community, we need and deserve better security leadership.
In many ways, security suffers from the issues that the broader tech industry has had over the past couple of years: CISOs and security leaders are too far removed from the actual problems. There are too many layers of bureaucracy and politics to claim budget and power. It’s caused people to lose sight of the real problems: protecting customers and the platform. Unlike the rest of tech, where this inefficiency just causes bloat and more money spent to achieve a result that could be done with 50-70% fewer resources, for security, the inefficiency prevents them from actually solving problems that might lead to massive breaches.