The Importance of the Boring Stuff
13-May | Written by Jamie Rees • WorkSafeNB/Travail Securitaire • Fredericton, NB
This post is my take on two thoughts shared in conversations I’ve had at conferences. The first revolves around making security better by focusing on old-fashioned work (the so-called ‘boring stuff’) rather than chasing after the blinking lights. The other is about the economics of cyber crime. What stuck out to me was the ever more business-like conduct of the "bad guys".
I spent the drive home thinking about the points made in these two conversations and how they fit with other things I have experienced. My conclusion is this: we are not just being beaten at information security. Sadly, and more profoundly, we are being beaten by these groups in a much more fundamental way.
They are beating us at the boring stuff: management.
We’ve seen examples of malware propagators with service desks and tiered payment plans, and automated procedures for updating their customers' software to avoid detection by large anti-virus companies. In further examples, we saw them repeatedly using their data better than we do to make product improvements.
This quote from change management guru John Kotter's book XLR8 sums up management:
"Management is a set of well-known processes that help organizations produce reliable, efficient and predictable results. Really good management helps us do well what we more-or-less know how to do regardless of the size, complexity or geographic reach of an enterprise."
Building on that quote and the thoughts on the boring stuff in security management, I'd say some of these groups are moving to beat us in the wider aspect of business management. If they are beating us at management in general, how much worse can it get? Check out this diagram from the same Kotter book (Loc 639 in my Kindle edition).
In the past, we faced ad hoc groups without specific goals and targets. Now though, the ‘bad guys’ are businesses, trading their wares out in the open and building organizational processes and partnerships to ensure their revenues. We know that has moved many of them to the plus side on the management axis. I believe they are also, at least in some cases, on the plus side on the leadership axis.
If we look at the points in the leadership square above, we see terminology such as “innovative”, “adaptive” and “energetic”. The actions we see in today’s nefarious groups reflect these criteria. They have for quite some time.
They use media well; they plan, launch and track operations across wide groups of people and geographies via online media. They continuously adapt their plans to reflect changes in the ongoing engagement and energetically drive people in their causes. These organizations are also continuously innovating, both in small steps that gain efficiencies and in laying out new disruptive strategies and playing long games to get them in place. Either way, often by the time we get something next-gen, they already have the next-next-gen.
So, if these groups are on the plus side of the leadership axis and heading to the plus side on the management axis, does that put the rest of us on the doomed end of the spectrum? Not necessarily. We need to make sure we are doing the so-called ‘boring stuff’ right. The management of our security defense business must be equal to or better than the management of the security attack business. We need to have appropriate levels of people, process and technology in place; we must be well run.
The above alone isn't good enough. We need the adaptability to respond to ever-changing threats. We can't be afraid to change policies and processes to reflect something new. We also have to know when it is important to step outside the rules we set for ourselves. If we tie ourselves to one way of doing things, that system will get gamed.
We need to find innovative ways to use and deploy the tools and people we have. For a whole slew of reasons, we can't always run out and buy the newest thing to combat today's threat. We must push the envelope on what we have, find new ways to use it, and share what we learn.
We need partnerships. We must bring people to believe in our cause, not just security practitioners, but our business counterparts as well. We need people to work together, informally even, sharing ideas, experience, problems and solutions. Without this, we are by default reactive, sitting and waiting to do something. This is not how the other side acts.
We can get to the top right side of the diagram too, but we need a mix of security management and leadership to get us there as an industry. If we slack off on either axis, we will be beaten by quickly maturing adversaries.