Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I started a new role as the Lead Security Engineer at Headway, where I’m working to secure a new mental health system that everyone can access. This is a mission I’m personally passionate about!
I plan to continue writing, and I’ll be able to provide a new perspective given that Headway is in the healthcare space. So, this is a good time to run a sale! Use the button below to get 50% off an annual subscription for the first year.
Moving onto the newsletter post this week!
Almost daily, I hear about a security hack or breach. People regularly ask me for my thoughts, and it's becoming impossible to keep up. If you google "security breach" and look at the news results, you find multiple major companies being breached every single week.
To be clear, these are not minor breaches. These are large disclosures of customer information, such as the T-Mobile breach where hackers claimed to have broken into the company over 100 times in one year. There's no easy way to say this: that's insane! What's worse for T-Mobile is that these hacks enabled SIM-swapping attacks, which undermine SMS-based MFA for every affected customer, no matter which service that MFA was protecting.
I don’t want to harp on the T-Mobile hack specifically, but this is just another example of how security is broken. Despite all the new tools and budget for security, it seems like things are not getting better and arguably getting worse. Of course, it would be even worse without the investment, but there are serious fundamental issues. Honestly, not only does there need to be more accountability, but as a community, we need and deserve better security leadership.
In many ways, security suffers from the same issues the broader tech industry has had over the past couple of years: CISOs and security leaders are too far removed from the actual problems. There are too many layers of bureaucracy and politics involved in claiming budget and power. This has caused people to lose sight of the real job: protecting customers and the platform. In the rest of tech, this inefficiency just causes bloat and more money spent to achieve a result that could be done with 50-70% fewer resources. In security, the inefficiency prevents teams from solving the problems that lead to massive breaches.
You might disagree with me, but the data shows otherwise. Security organizations have grown, but the same problems persist. Many breaches are still the result of the same types of issues, e.g. bad IAM and secrets management and phishing, just to name a few. Yet budgets in these areas, and in security overall, have grown. So where is the problem? It starts from the top.
Many CISOs no longer solve real problems
There are common complaints that CISOs are spending too much time on LinkedIn and talking at conferences. They just manage people and present metrics to the board, and they no longer know or solve actual security problems. For example, many CISOs don’t have engineering backgrounds even though they are at companies that have strong engineering cultures or products that are deeply technical. Although they can rely on leaders to solve this problem, they have no intuition on whether these leaders are doing well. Moreover, strong engineering leaders likely won’t want to work with these types of CISOs. In many ways, CISOs have become figureheads since many of them actually delegate problems and decision-making to their reports. They end up being “operational CISOs” that just move resources around to feign work and results.
In short, CISOs have lost their vision and arguably their ability to create successful security programs that mitigate serious risks for the company. They no longer get their hands dirty with problems as security organizations grow. In fact, many companies could probably operate better without one and re-invest that money and those resources into their security programs. This leads to the next issue.
The security organizational structure is outdated
Many security organizations look the way they did almost 2-3 decades ago. Since then, much has changed. For example, companies rely on technology more than ever before. Many traditional risks have gone away, such as those relating to physical security, as companies shift to remote work. For technology-forward companies, there has been the introduction of the cloud and agile work processes, and increased use of cloud and SaaS applications.
However, many security organizations still look the same. Some companies can't even agree on a reporting structure: some CISOs report to the CFO, some to the COO, some to the CEO, and some to the CTO. It's different everywhere. That's like saying the head of product engineering reports to a different leader at each company, which sounds crazy. It's common for security engineering not to have a reporting path to the CTO at all!
The only major change is that there are now more layers of bureaucracy as security receives more resources and budget. These layers often don't solve actual security problems. They just create more overhead and more distance between the CISO and the people solving problems.
Many organizations are focused on staying relevant as security skills shift from operational work to engineering. They spend time and cognitive load on keeping their jobs rather than closing security gaps. I get it, but as a community, we need to focus our efforts on ways to improve security, including how to transition security skills, rather than trying to maintain a status quo that's no longer good for the defender but great for the attacker.
There is too much focus on the long tail of security problems
Finally, as I alluded to earlier, many of the major breaches still happen the same way, i.e. through social engineering or leaked credentials. Unfortunately, because of the two issues discussed above, many leaders feel a need to focus on the long tail of security problems in order to stay relevant and "innovative." But sometimes boring security is the best security. Too much energy and cognitive load is spent on buzzwords like ransomware or OS vulnerabilities, just to name a few, while the basics that actually cause breaches go unaddressed.
Because of messy organizational structures, accountability for security leadership falls through the cracks. It is passed from one executive to another because, many times, an executive does not want to be accountable for a hack, so they feign ignorance or a lack of understanding. We need to do better and find leaders who will keep security accountable. They don't need to understand security deeply, but they have to be willing to learn and to spend the time and effort to ensure that the security program makes sense.
Takeaway
Something is wrong with the way we do security. Despite more investment, more resources, and more attention from many sources, we are still seeing breaches far too regularly. The current way of doing security is not working, and we need a change! Security organizations are bloated and outdated. They are not focused on solving the right problems, and customers and users are suffering as a result. As a community, we need to start solving problems again!
Bringing the 🔥