Transparency and The Detection Gap

Anyone who has worked in IT any length of time probably has an anecdote or two about a mistake or misconfiguration that caused profound results. In fact, over thousands of interviews I have conducted over the years with potential job candidates, my favorite question asks the candidate to tell me about the biggest mistake they ever made in their careers and how they handled it. The answers can be profound as they reveal so much about the integrity of the candidate.

In hindsight, I wish I would have written all of the answers down over the years as they would compile nicely into a humorous collection of life in the IT trenches. Despite the sometimes memorable tales, the question remains an integrity measurement. Integrity matters in this business because we must be able to establish a root cause of an outage or breach in order to make necessary changes to improve and prevent the same issue from happening again. Without integrity and transparency, crucial facts remain obscured and we retain unnecessary risk.

So why is there a detection gap between the time a breach occurs and the time it is discovered? There really is no single answer, as many potential points of failure can come into play. However, fear and lack of transparency can be contributing factors which hinder our efforts.

Some of the fear driving lack of transparency is of course learned. Many of us have had to deal with the salesperson who wants to put a spin on what we may tell a customer. Or, perhaps we have dealt with a boss who wants to politically manage the message to the higher-ups. It is human nature to want to seek the course of least pain, rather than to stand up and do the right thing. Perhaps the detection gap is driven out of fear of losing a job? Perhaps it is.

My own journey into a career in information security began 15 years ago when I transitioned out of a strictly IT-centric role into running and building an in-house security team. The allure of building something new and making an impact was simply too irresistible to pass up. Grandiose thoughts quickly came back to reality as I soon realized that I had taken on a role which the company needed to put someone into, but that no one really wanted me to do; I felt more like a figurehead and potential scapegoat for when things would go wrong.

Perhaps at the top levels of management, there is a misconception that investments in security technology, tools, managed services, etc., can guarantee that the organization will never be breached. When there is a breach, then it must be the fault of the security team or service provider so there is always someone to fire or blame. It is fairly easy to identify some of these organizations by watching the job postings, as they routinely advertise for a security manager or director every six months or so.

Security breaches cannot be kept quiet and dealt with in the background, hoping to minimize the impact and also hoping that the customer or management may not notice. As security professionals, it is incumbent on us to set an appropriate expectation with the customer and management, that we do in fact guarantee that the organization will be hacked and breached; it is simply a question of when. Some of the very best working relationships I’ve had in my career have evolved from times where I had to share bad news, and then moved forward to solve problems together. Character, integrity, and most importantly, trust, are earned when we are transparent and honest about problems and breaches in a timely manner.

Part of the potential fear factor contributing to the detection gap of security breaches is rooted in misguided improvement programs. Too often continual improvement programs and activities are directed at the security operations team, ignoring the other components of the program. This is a dangerous omission which can leave substantial unaddressed risk in the organization. Consider the figure below:

[Figure: Program Cycle]

Notice that each phase of the program builds upon the next. A good security program begins with a well-thought-out strategy, which leads into design and then transition activities as the program evolves into a working operating framework within the organization. Encompassing all of these prior phases lies continual improvement, which must address all of the components of the program, not simply the operation.

In the event of a breach, we need to determine why and examine all facets and elements of our security program so that we can drive appropriate improvements and further mitigate risk to the organization. While the root cause very well may be a breakdown in the operation, it can just as likely be a failure way back in our strategy formation, or our program design, or in our transition process as we rolled the program out to the organization. Or, we may have a failure at multiple points. Regardless, we must identify the cause and introduce corrective actions at the appropriate places in order to mitigate future risk. This can only be accomplished by taking a higher-level, comprehensive view in an atmosphere of trust.

Earning a reputation as a trusted adviser takes work, even though the principles are simple and straightforward to implement. Management, sales, and security leaders can all work towards building a culture of transparency instead of fear within the security organization, which could potentially help to shrink the detection gap between breach and reaction.

