DISQUS

Rick · 2 years ago

I would agree. As a consultant I see the same things as a rule. But the one that is most detrimental and most common among our clients is the second mentioned issue of 'internal politics'. The other two is a matter of the business being couched in how to know who to hire for what security positions, but the second is one the is normally fostered by the ones that say they want it gone. Those that play the politics for their own career safety and departmental success. Don't get me wrong, there is a difference between being a good team player and understanding your co-workers and 'politics'. But all and all, it is 'politics' that does not allow a company to address their risk posture.

Very true Daniel.

Dave · 2 years ago

The issue of the organization standing "in the way" is more often an issue of perception. Security folks (consultants, employees, etc) often assume that they've been tasked with the most critical task.

"Make things safe".

That's rarely the case. Most often, especially for consultants, you've been brought in to meet the requirement of "best effort" or "due diligence". The goal for the company is to meet the invisible bar that determines if they've tried to secure their data or not. Their goal is to remain profitable, not to secure anything. If it costs too much or affects business too much, whatever you feel needs to happen simply isn't going to happen.

It's frustrating as hell, but 90% of the time, you're there because they *had* to have you come, not because they wanted you to.

Daniel Miessler · 2 years ago

There is truth to this, but it's a simple fact that when breaches happen, management *do* come to security teams and ask why they happened. It's not as if there's just a "wink wink" under the table because they met the threshhold of due dilligence. They do want to avoid embarrassment, among other things, so there are definitely real reasons why companies do expect tangible results from their security efforts.

So while I agree that no security team is going to get full control of a company because profitability is paramount, they are still being given quite a bit. The problem is that they are squandering what they are being given, and that's what the focus was of the article?

Am I missing something else?

Dave · 2 years ago

Management comes to the security team to ask what happened almost always only because they'll be asked what happened. If they ask, and it becomes apparent that it was a persons direct fault, they have someone to fire/blame. If they ask and there's no one to fire, they at least can answer the questions they'll receive. If they're asked and cant answer, they'll be the ones fired. It's mostly CYA, rarely FYI.

The only empowered security teams I've *ever* worked with were ones who worked for organizations that had suffered serious loss due to an incident. All the rest were there to go through the motions. If securing the network/product/servers was going to be more expensive than deemed profitable, they were generally nerfed.

It's bullshit, but true. =(

I have heard of some orgs in the financial sector who operate on the idea that they only want to hear of their competitors incidents and never their own, but I've not met these people first hand. They're usually spoken about in the same context as unicorns and dragons =(

Daniel Miessler · 2 years ago

Hmm, I don't know, Dave. I think there are quite a few companies out there that haven't been breached that still want to be as secure as possible. Remember that they are protecting their reputation, and they know that it doesn't take much to get it smeared when it comes to a security incident.

I think there's quite a bit of wiggle room between not caring and being deathly afraid, and this is where the change in focus to organizational issues can reap rewards.

Rob Lewis · 2 years ago

Hi Daniel,

All of your comments are excellent, based on status quo technologies. SInce any security technology is really a band-aid fix attempting to compensate for inherent system flaws, which you have written about, they are ALL SNAKE OIL and a waste of money. Only a technology that addresses inherent design flaws in operating systems and drastically reduces the risk model should even be considered.