Security needs to shift away from risk and focus on trust
Repost. Recently, I have been thinking about how to shift security from a cost center to a profit center.
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m traveling this week, so I’m still working on a post, i.e. the post is delayed. I’ve been thinking a lot about Travis McPeak’s recent slides from his Campfire Stories talk. I realize that in many of the areas where security is supposed to provide value, such as assessing risk, it’s not very good. That means it’s wrong a lot, and as a result, executive teams have a hard time justifying why they are spending money on something that doesn’t deliver on its promises.
It does make sense that security was more focused on risk back in the day when it was hard to convince people to care about security at all. However, with the increased reliance on SaaS tools and increased use of technology by society in general, people are starting to think more about where they are storing data and how it’s being managed. Specifically, more technology is “outsourced” rather than being centrally managed by an IT team on-premise. Therefore, I believe security should focus more on trust rather than risk. This also gives security some breathing room because it can make breaches and outages seem more digestible. It’s about how you respond and communicate as well as the precautions you’ve taken.
Anyway, here’s my article from a year ago. I think a lot of security organizations are starting to see this, and I know a lot of companies are starting to choose vendors where security and trust are key criteria and potential tiebreakers.
I was originally planning to write about the Okta breach, but there’s honestly not too much there that isn’t already covered in most articles. It’s another instance of credentials being stolen through a weak spot in the organization. Interestingly, it’s again in their customer support organization, but it’s their internal team, not outside contractors like last time. However, the way Okta (and other companies) have handled breaches did bring up a broader topic I wanted to discuss: the importance of trust in security.
It is obvious that security should establish trust. Any organization should have trust, but what does it mean? How do we achieve it? I believe that security organizations have been too focused on risk reduction and not enough on creating trust both internally and externally.
Security has historically been a risk-reduction organization
For those of you who follow my blog, I’ve talked at length about security operations and engineering organizations. Historically, security has been an operations-heavy organization focused on audit and compliance. As a result, the goals have been to establish controls to reduce risk. In other words, it’s a common model for security to create policies that others implement. With the increased use of technology, this model has become less effective as engineering technologies require more technical knowledge and context.
Security teams have focused on making sure compliance requirements have been met. Let’s use the vendor risk management process as an example. Security teams have been answering questionnaires so that customers buying and using the product can have confidence in the security practices and controls. However, due to the rise in vendor usage, this process has become more of a “checkbox” process than actually providing a security assessment of a product. Take Okta for example. It’s unlikely that security will reject the usage of Okta because the risk of not using Okta is higher. Also, it’s an established company, and using a less mature alternative will likely have more risk.
Many times, security teams operate on islands where they create and monitor policies. Don’t get me wrong. It’s an important and thankless job, but it’s hard to understand their effectiveness. Even with the development of metrics, most of that is internal facing. The external facing work is focused primarily on external assessments, but security assessments, like SOC2, have become slightly outdated because they were designed for a different time. Pentests and bug bounty programs can vary in quality. This begs the question: How can we trust security teams?
Focus on trust is more important
Unlike products, security doesn’t have a Net Promoter Score (NPS). Security teams are usually judged by public incidents, but that’s the core of the issue. Security is a risk game, and with all risk-based issues, the probability of a negative outcome is never 0. Another way to summarize this is that companies with a great security posture and team can be hacked, and companies with a terrible security posture might never experience a breach.
Security events don’t happen that frequently, and public security breaches are even rarer. As a customer or even as an internal business owner, how do you know if your security team is doing a “good job”? It’s hard. I believe that with all functions, it comes down to trust. Some say that in bigger organizations, metrics might play a bigger role, at least for building internal trust. In my mind, those don’t matter if the executive team doesn’t trust the metrics or the leader to create the proper metrics. That’s why I believe it’s important to establish trust.
Trust is useful because even if there’s an incident, customers and executive teams will feel confident that the security organization will handle the situation properly. In general, trust is a defining feature of organizations and management. Leaders become less effective when they lose trust. Security isn’t any different. However, security has been so focused on reducing risk to protect the organization that it hasn’t dedicated enough effort to improving trust both internally and externally.
So what are some ways to improve trust?
Having efficient operations increases trust
An important part of developing trust is to reduce chaos in the organization. Having efficient operations gives the security team the space to build relationships and understand what’s going on in an incident. For example, if operations are chaotic, it’s hard to even know if an incident is happening. The issue compounds, and from an external perspective, people perceive any confusion or communication delays as poor security. The root cause of these issues is usually poor operations. With more efficient operations, security can get to the root cause of issues more quickly. They know who to talk to internally, and as a result, they can reach a better resolution more quickly. The longer an issue persists, the more people will remember it.
Communication is key
As I discussed above, poor communication leaves a bad impression both internally and externally. A lot of security work could impact engineering teams, so it’s important to discuss with teams just in case it might cause an issue and the engineering team needs to respond. Incidents happen, and it’s no big deal as long as they don’t escalate or take too long to resolve. With regular communication to share context, this shouldn’t happen that often.
Of course, it’s important to communicate with your customers about what’s going on, especially if there’s an ongoing security incident or outage. An example of poor communication here was the CircleCI hack, which created a scramble for engineering teams who didn’t know quite what to do. A good example was the LastPass hack, which had great communication. Customers felt frustrated with Okta because many customers found issues before Okta did. Either way, the goal is that even if something goes wrong, customers trust that you have their best interests in mind.
Takeaway
Security teams have focused too much on reducing risk. Given the quickly changing technology landscape, they might not have had a choice. However, given recent breaches, it’s important to focus on establishing trust both internally and externally. An important part of that is to have strong relationships and communication. All that starts with strong operations and leadership. There are other tactical ways to improve trust too. Overall, I believe trust is a key area where security needs to change and improve.