I’ve hired a lot of people. Between academia, government, and industry I’ve been on hundreds of hiring boards. I’ve been junior enough to be a primary assessor and senior enough to rate other peoples skill at hiring. I like building teams and turn them loose on really onerous projects. I don’t mind managing teams from current state to some perceived goal state. I really don’t like being handed a dysfunctional team and I have not taken jobs because that was where a place found itself.
I don’t necessarily list my rules for employees. There are lots of reasons to let chaos reign in an organization, but there are some key indicators of things that I find objectionable in employee behavior or organizational structure. They all relate to when I know a security team is running itself into the ground. I see these issues often on the information technology side of the house especially in operations. But, in general I’ve seen the following characteristics in organizations that have significant issues.
Success has many fathers and failure is an orphan is a proverb. I see this play out in organizations where they blame the user for most incidents. Usually organizations will try training users to some level of information security mastery. Then the security team will start referring to the user constituency as (L)users. I’ve actually fired a person for constantly berating users which led to a stakeholder revolt. Not only is it disrespectful, promotes a hostile work environment, and it fails to create a sense of community. It is futile to expect lawyers, doctors, sales people, or secretaries to be top tier information security talent.
The other side of this is blaming management for the failures of the organization. There is nothing like a bunch of information security engineers turned on to blaming management for inaccurate priorities, inconsistent policies, and further technology choices. Parsing each one individually would waste time. Do you really want a management layer that holds you to specific metrics on a concrete time scale? Security is a process and change and adaption are part of the environment. There is nothing more obvious when parsing information security practitioners bitch session that show “concrete” non-adaptive thinking.
Rules are for users
There is also the egotistical over repressive information security professional who writes the acceptable user policy for an organization. The rules are lists of what thou shall not do in triplicate and written so a contracts lawyer would have a conniption fit. These rules are written and instantiated regardless of the business lines in the organization. The rules are written absent user feedback. Rarely are these tombs of user expectation signed off by leadership of the enterprise. To make matters worse if you ask about them the repressive information security professional will say it is some higher levels policy, but will never actually produce the policy. Parsing the rules against some human resources requirements you may in fact find the acceptable use policy specifically violates people’s rights or privacy.
To make matters worse the rules being applied to users will never have to be lived with by the megalomaniac information security team. They will act as if they have an exemption and will use separate systems. Two factor authentication required for users? Not the security team. As we have seen the security team has rapidly become a target of opportunity since they apply none of the rules against themselves. So what if they say we can’t run hacking tools on the network. I have an exemption. They don’t actually have an exemption and often the exemption is for something completely unrelated or is older than the new policy saying all previous exemptions are forfeit.
I require my security teams to live with the same common desktop as the users for their own network activity. If they want to use some off brand derivative operating system they have to move it at least internally through the same test process as the production environment. As you can imagine I’ve lost this fight on a few cases. When I lose I then create a series of incentives for the recalcitrant team. We’re special, we’re experts, we have special needs is said by the security team. Much like is said by the user community. If the security teams wants to persist I start removing or constraining their systems. I also will require massive and extensive logging and make their team management pay for the auditing by an outside agency. That usually is two to three FTEs. I will get security that is reasonable to many through their compliance or my mitigation.
Vendor T-Shirts are for Weekends
I was consulting at a corporation in the early 2000s. When I arrived to work with the CFO and CTO of the corporation they explained I was to help their budget team with a risk assessment. The corporation was in the process of receiving bids for a new technology and the process represented several million dollars in investment. I was a bit puzzled why they had paid my substantial retainer and travel. Until we had the meeting.
The vendors were doing 4 hour pitches over several days to the C-Suite and their representative (me). The information technology and security teams walked into the briefing and they were all wearing a competitor’s product. Imagine the corporation you are consulting for the entire team walked into a briefing by Ford, and the entire team was wearing Chevrolet branded polo shirts. Then came Chrysler, Honda, and Toyota for their briefings.
I argued with the CFO and CTO that such behavior would weaken their negotiation strategy, showed a significant lack or professionalism, and eroded their negotiation capabilities. That last point came home when I discussed how shareholders would look at a large ticket item obviously being cleared hot into the data center without a valid acquisition process. Vendor t-shirts and polo shirts should be banned if you have any say or advisement in the procurement process. In government this should be an offense you can be fired for.
At another company I was sitting in the lunch room forlornly considering the salad I was being forced to consume. I prefer steak, but my wife prefers I eat salad. I like a happy wife so eat salad. Two ladies were talking about how the information technology folks all were reading their emails. Since I was there talking to the companies privacy officer I was intensely interested. I asked how they knew this to happen. The young lady not a day over 70 said it said so on the technician’s shirt. “I read your email” was on his black t-shirt. Thus I started banning hacker t-shirts that say “Got Root” and “I read your email”. What is a joke to some is an affront to others. More importantly it is disrespecting the user community. There is nothing funny about that.
Pardon my dust
There are three things information security groups seem to do collectively and with purpose. They bloat up on tools like a Labrador retriever eating an entire bag of dog food. They customize and create tools regardless of change control processes. They believe maintenance windows are for wimps.
First, we’ve been doing maintenance windows for decades. Unless the system is cleared for out of window updates (user password resets, user creation, dynamic firewall updates, SNORT signatures updates, etc.) I will give you days off without pay if you take down a security system outside the window. An executive had better have signed off on it each time and out of window maintenance is an auditable activity. It is poor planning and even in emergency situations you had better be very careful. The counter to this is ANYBODY who is a security team member can take a network or system off line. There had better be a ticket explaining why, and every time that is done at least two layers above the decision maker need to be part of an after action report process. Usually we build that into the policy structure.
The ability to write custom tools, code, and simply get things done is important. The writing of custom tools, and code because you don’t want to use the software we already acquired is a waste of company resources and time. If you are writing software and you are not a software engineer it had better be an approved alteration or enhancement to a current system. I see people who wrote tools on company time, and go to hacker conventions to show how awesome they are writing the next awesome incident response tracking database. I’ve got Remedy and you just threw away 10% of your yearly production.
This is also related to tool bloat. Auditing the tools you’ve already paid for and analyzing where they duplicate effort can be a disappointing task. Some tools do one or two tasks really well and their other features are not so great. They should be evaluated that way and trained that way within the organization. But, simply allowing the technofascists to buy whatever they want creates tool bloat. If there is no assessment mechanism up front those guys who are still wearing t-shirts to work are going to cost you money.
You don’t get reality
I’ve been accused often of being too academic, being too industry specific, being too government, and being too Pollyanna. I’m sure I am all of those things to somebody. I see these guys and sometimes one guy who makes all of the mistakes above. I get a deeper reality that many of the schlubs that consider themselves Super Ninja Hackers 12 degree black belts don’t get. Their way doesn’t work. They are fully employed because a bunch of the Baby Boomers in charge have no clue what is happening. The Baby Boomers that do know what is going on invented the Internet, got rich and are retired.
Now though another generation of C++ programming, SOCK script writing, Metasploit is Ruby are growing up and they know something. In 40 years of modern telecommunications we haven’t ever fixed information security. We likely aren’t going to fix it. That means that information security is a practice and process. The only way to have any kind of success is to standardize processes, and professionalize the work force. That means holding people to the level of the culture of leadership within the domain they are working. If your industry leadership wears a suit and tie your security team had better be wearing a suit and tie. The same goes for your information technology operations staff. If they complain about the requirement ask them why they would argue to be less professional.