Security is a hard gig, honestly, it really is. We need to know about all the threats that haven't even come to be yet, protect the organisation with all the latest blinky light solutions as well as know the ins and outs of every application and its implications to your company. After that, you need to be available 24/7 for any incident that may suddenly just pop up no matter what plans or personal life you think you deserve. What about the endless hours of dredging through logs and alerts just to find that they are all false positives, but what happens when after two weeks of 14-hour days and you miss one instance that was a legitimate threat?
The organisation that you have almost killed yourself defending throws you under a proverbial bus just to save face. Does that sound fair to you? Hell, no it doesn’t but it is happening all over the world right now. When breaches occur which honestly is every day now, these security professionals who are overworked and sometimes balancing on the edge of both a physical and mental break down put everything in their own lives to the wayside and do everything they can to protect their organisations from all forms of attack. They may even be successful at stopping the threat but that doesn’t matter.
If it comes to the crunch and the organisation needs to blame someone for the issues the finger will point straight at the CISO and his security team. “It is their fault if they had done their jobs properly then this wouldn’t have happened” but that is bull S#!t. It honestly is but this is truly a reality in the security world, it needs to stop.
Lets actually try to look at the pressure some of these teams are under and look at the growing adversaries we are all fighting against. This is a war we are losing and shooting all our soldiers for trying to fight the good fight is the stupidest thing I have ever heard of in my life. Yes, I get it sometimes it really is the fault of the CISO and maybe some of the security engineers but how about we change the default finger-pointing attitude that is so rampant in our industry and in the media.
Let's acknowledge that many times we are just outmatched and outgunned in this fight and all we can do to survive is put the fires out as best we can. On those occasions when it is their fault and it was negligence, okay I understand, throw them under that proverbial bus that just keeps rolling by, give them fines and whatever punishment is reasonable for the malpractice they committed.
However, don’t destroy the lives of hard-working security professionals doing everything they can to save you, if they lost at no fault of there own then its not really their vault. How about we help them out and if it turns out it was because they are missing a skill that may have helped them match the malicious actor's skills, why don't we train them instead of firing them for doing their best.
If it is their fault and they have just made an honest mistake, then that needs to be a lesson learned not to pack your things and leave. Honestly, anyone would think with the amount of security staff churning with all this blame floating around that we didn't have a skills shortage…
Oh, hang on wait, apparently, we do have a major skills shortage that in the coming years is only going to blow out to massive proportions, but you want all of the potential new recruits to come into an industry that does not support their own, we just throw them aside and move on when it is convenient for us. This just seems like we have monkeys behind the wheel and no one is actually using their brains to really consider the consequences of this problem.
So how about we do something a little different, why don’t we instead make a decision that as a company we are in this fight together. Support our staff and take an active part in this together. Don't get frustrated when the security team needs to take systems down for a 30 minute window in the middle of the night to patch systems, listen to them when they say that the risk of whatever thing you want to do is too high and at least consider that they are the ones working all night to save your systems instead of being at home with their families.
Be patient and ask them if you can help in any way, just offering could be enough to make their day just that little bit better. But most of all, if the house comes burning down around you don't just throw them under that bus to save face, stand tall with them and help put out the fires. This will be a better result for all if we acknowledge that the fires are spreading, and we need to all stand together or we have no chance of surviving. Breaches are not an if anymore, it is a when (if it hasn’t already happened and we just don’t know about it yet) so let’s stop all this stupid behaviour and do the right thing by our teams.
If we can actually do this, we might even look good to the potential new entrants in the industry and they will join us in the fight to eradicate cybercrime (or at least get some sort of control back). This will mean we will have happier security folk with better training because instead of throwing them to the garbage we will help make them better.
Security is a taught skill, we aren't born with it. So, don't have a tantrum when someone doesn't know everything we are all just human after all. Okay, I think that is enough of a rant, for now, just be better.
As usual, if you don't agree to tell me, I want to have an educated discussion about this, so speak up and tell me what you think. We don't need to agree we just have to be open to other opinions, that is in my belief how we will find the solution to all our problems.
Till next time...