Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Hope everyone had a great July 4th! I’m extending my 50% off an annual subscription sale for another week for those who are interested in supporting me more and upgrading to a paid subscription. I appreciate everyone who has subscribed. It inspires me to write more!

I recently talked with a startup about the various types of security organizations and how that would affect their go-to-market strategy. I have this conversation regularly, especially with people who are usually new to the security business. The tl;dr is that security is complicated because there’s a wide spectrum of organization operating styles that require and use different products.
I’ve talked about this in the past, but in my mind, there are two ends: operational-focused security and engineering-focused security. There are, of course, different flavors in the middle of the two ends. Those who follow my blog know that I am fiercely on the engineering-focused security end — I believe that security should not just audit but also build and fix problems they uncover. This is currently a smaller percentage of organizations, which makes it a smaller market. Operational security is more focused on auditing and surfacing issues and ensuring that they are fixed. Compared to operational security, security engineering is a more efficient way to handle risk.
We’ve seen this hold true in other industries, such as manufacturing, an automation-heavy industry, where productivity growth has been greater than in service industries. Noah Smith talks about this in his recent blog post on US manufacturing:
[M]achines improve faster than human beings do, so industries that depended on better machines naturally tended to advance faster than labor-intensive service industries.
Operational security was a somewhat efficient way to operate in the past (and is still not a bad option), especially when security wasn’t so technology-focused. For a long time, it was focused a lot more on physical security, IT security, and other operational elements like ensuring secure processes around financial processing, etc. But now, almost every company is a technology company. That is, regardless of sector, a lot of a company’s operations involve technology. As a result, most of their security risk is technology-related.
I’ve talked about this before. Security is always a late adopter of change. In my opinion, even with the move to the cloud and AI, security has been slow to adapt. One can argue that as a community, we are always reactive, and I agree that most people don’t think about security until the end. But, if you think about most security organizations, they haven’t fundamentally changed in many years. Sure, this might be okay at a company where the organization has been relatively stagnant.
However, especially in non-technology sectors, such as finance, hospitality, food, etc., many of these companies have software engineers now. Some of them even have advanced technology stacks! These companies have found that software engineers can build more scalable operations. Yet, security organizations at many of these companies are slow to change. So, why is it that companies don’t transform their security teams and make them more efficient? I have a few theories/reasons.
Security is traditionally seen as a cost center
As stated above, security has typically been operations-focused and seen as an IT function. So, it has reported to an operational executive, such as the CIO, CFO, or COO. Some security organizations have grown large, so it’s hard to move an organization completely under a new leader, especially an engineering one that operates differently and with different expectations. But, this isn’t impossible. This happened with DevOps moving into engineering and leading to the transformation of how IT is done at a company. In that case, the move was gradual as the company slowly migrated to the cloud and hired more people as part of a digital transformation project. Also, the financial and business impacts were clearer. An organizational change like this likely has to happen at a company building a new security team, or it has to come from the top.
Fewer security people lead to slower iteration cycles
This is somewhat of a fuzzy argument, but it’s the idea that having more people thinking about a problem causes faster iteration/innovation cycles. That is, more people lead to more ideas and mistakes, which then lead to more improvements. Dedicating more resources allows people to think more about the problem. In most organizations, security is only a fraction of the size of the engineering organization. Given the way they operate, they are likely under-resourced for the work they are expected to do, so they likely don’t have time to innovate and improve processes. (There’s some nuance here. When I say they are under-resourced for their operating mode, it doesn’t mean this mode is correct or efficient.) Surprisingly, this isn’t true of security startups; quite the opposite. In fact, we’ve seen a surprising amount of innovation and product improvement over the last decade with the influx of VC money.
The security labor market doesn’t give executives leverage
Without a doubt, it’s a candidate’s market. With an increased number of breaches and pressure from the government, CEOs and boards are under increased pressure to hire a security leader to manage risk. Unfortunately, these leaders are incredibly hard to find, and many are out of the job market because of burnout. I’ve talked about how this turnover can be good, but because of the increased scrutiny, executives likely won’t take on a less experienced leader, and less experienced leaders won’t want the job.
Therefore, security leaders have the leverage to run an organization the way they want because it is difficult to find someone at all in the first place, and replacing them will be costly. This reasoning trickles down through the whole organization as security talent is limited, let alone engineering-focused security talent. Labor economics in security make it difficult to hire someone willing to risk change. Why run a different playbook and take on more risk when you don’t have to? That’s also the logic at the core of cybersecurity risk!
Executives and boards don’t know how to keep security leaders accountable
This is related to the reason above — given the labor market, it’s hard to push your security leaders too hard. However, that assumes the CEO and board know how to keep a security leader accountable. Security risks have been around for a while, but they have increased over the past few years. I don’t think the security community has agreed on how to measure and manage this risk properly. Therefore, it’s hard for executives to know how to keep security leaders accountable. On top of that, I believe that for a long time companies under-invested in security, but now they have overcorrected without understanding the return on their investment. It’s hard to force change when you don’t know what’s wrong, what needs to change, or what good looks like.
Change is always hard, and people are generally resistant
This is maybe the most obvious reason and also the most philosophical. People don’t like change. It is disruptive and causes conflicts. This is especially tough in an organization that is already overloaded and under high scrutiny. It’s easy to focus on incremental changes, but it’s hard to see that a massive overhaul or change in philosophy might solve a more fundamental issue. Most companies won’t feel the need to make major changes until they experience a major issue, which is unfortunate. Also, there’s generally a feeling that “machines” and software will “steal” jobs, but in an industry already behind and low on talent, change is the only way to keep up.
So what now?
It’s hard to effect change on a large scale, but I believe changes are already happening. We’re seeing reduced cybersecurity budgets and a push for efficiency. I predicted this last year and predict that this will continue more intensely this year.
I do think all the reasons above play a role — some more at certain companies than others. The important aspect is that security should want to push for change. There’s been a lot of talk of security needing to become more of a business function rather than merely a support function. To do that, security needs to push for it to be treated that way. This starts with something as basic as having a conversation about what risk means and the return on investment for resourcing. Security should negotiate, set expectations, and work with executives to figure out how to efficiently deliver value rather than using FUD to get more resources. It’s a mentality shift, but I do think this is necessary and will ultimately benefit security — if they choose to embrace it rather than avoid it.