How to Escape the Cybersecurity Ghetto — James Voorhees
You work in cybersecurity, right? That makes you one of the ‘no’ guys. If someone wants to do something, you will say: ‘They can’t,’ not until they have jumped through your hoops. It will take several wasted days to do that, especially because you are a check-the-box kind of guy who doesn’t really understand the technology you are supposed to secure. Of course, we all know the bad guys will get in anyway, if they really think our organization is worth attacking, despite the time and effort you insist on.
Did you ever find that people treat the cybersecurity crew like that? I have, and can understand the attitude. Why does it happen? Too often, cybersecurity lives in a cybersecurity ghetto.
Almost every organization I have been a part of—big and small—has created a cybersecurity office, division, center or group that has brought the cybersecurity staff together, frequently in the same physical location. Away from everyone else. A consequence: the cybersecurity crew is isolated; people don’t know the crew and the crew doesn’t know them.
All anyone in the organization will know about are the things that cybersecurity does that affect them. They could be the users who have to do something because cybersecurity says they did something bad or the sysadmins who need to make some change because cybersecurity says it is vulnerable. These people won’t know the cyber schmucks telling them these things. They won’t know what they do. They won’t know why cybersecurity does whatever it does. They won’t know how skilled—or not—the cybersecurity crew is. They will only know that someone is asking them to stop doing something they found perfectly reasonable. Or to spend time doing something they don’t think is necessary.
Living in the ghetto creates ignorance that works both ways. As security people, we in cybersecurity are supposed to know how the rest of the organization works. In my experience, we often don’t. We often don’t even know the vocabulary others use to describe what they do, any more than our non-cyber colleagues know the difference between threat and vulnerability or between trojan and worm.
The ghetto makes it more difficult for the cyber crew to do its job. After all, they can’t do it alone. They simply can’t: Cybersecurity should be everybody’s business. Indeed, you could say that it is too important to leave to the geeks. But when cybersecurity is burrowed in the ghetto, it becomes only what ‘those guys’ do. Nobody else owns it, nobody shares responsibility for it.
How do we escape the ghetto? The walls that keep cybersecurity isolated can be torn down, but it takes some thought and it takes work. There are attitudes we can adopt that make it easier to reach out to people. There are things the cybersecurity crew can do to let others know what it does and why. And there are things that each of us in the crew can do to make it easier for our colleagues to approach us and adopt security as a task of their own.
Those who know cybersecurity through training and experience know a lot of things others don’t about the threats that come from the Internet, the weaknesses that make them real, and the ways they can be minimized. After all, it is their job to know these things. But people turn away if the ‘experts’ in the ghetto don’t acknowledge that there is much about information technology and the business of the organization that they don’t know. People also feel patronized if the cyber ‘experts’ don’t recognize the importance of what they do, keeping in mind that, more often than not, security is not central to the purpose of the organization.
With that in mind, there are attitudes we in the cyber world can take that respect our non-security colleagues, make it easier for everyone to get things done, and facilitate a security-friendly culture.
There are no 'stupid users.'
Each of us who has worked in security for any length of time can tell stories about users who do any of a number of risky things that put our organization at risk. People do click on the wrong links, go to the wrong websites, and choose foolish passwords. We have heard—or made—jokes about the problems that exist between chair and keyboard. Our colleagues outside security can be frustrating indeed, and our task would be much easier if they knew what we know and behaved as we know they should. In a perfect world they would (and we’d be doing something else).
But the world is not perfect, and not everyone knows cyber stuff. Moreover, we ‘experts’ need to keep in mind that in the eyes of a plumber, mechanic, or dental hygienist, most of us are stupid users. All of us expect that these people, experts in their own fields, will treat us with respect. We need to do our colleagues the favor of doing the same, of recognizing the value of the person who sits on that chair by the keyboard, even as they click on that all-too-tempting link.
Never say never; rarely say no.
It is true that we in cybersecurity often have to tell people not to do this or that. It is also true that some of the principles of our profession, like least privilege, put limits on what people can do. None of this means that we have to say ‘no’ automatically to what colleagues propose.
After all, is security ever simply a binary proposition where one thing is secure and another is not? In fact, it is about risk, which makes it a looser, relative concept: something is riskier than an alternative. And, of course, there are different ways of doing things, some riskier than others. It is in our interest to be seen as people who can find ways for people to get things done in the easiest, safest, most effective way possible.
It’s not just security
As the cyber defense lead of a government NOSC that was just being stood up, I found I had too few analysts, with too little training and too little understanding of the agency and the network. To be frank, we couldn’t do our job when it was given to us. But we could discover when a remote server was down. That became our saving grace. After a particularly appalling outage that went unreported for days and could not be fixed for weeks, the head of the agency demanded that we report all outages to him, ASAP. Because he wanted those reports, the rest of senior management did, too. We rose to the task and honed both monitoring and reporting.
As a result, we gained a reputation for competence. So much so that one afternoon when the power went out, the man in charge rushed straight to us, in person, knowing that we would find out what was going on. He was not disappointed. This reputation carried over into our cyber work, which we became increasingly good at.
What made this work for us is that many of the tools used for cybersecurity are dual purpose, and not just in the sense that bad guys and good guys can both use them. SIEMs, packet captures, vulnerability scanners, port scanners, and the like also give insight into what happens on a network. They can be used to monitor problems in network configuration or performance. A development shop can even use some of them to monitor applications.
This means that the cybersecurity crew may learn about any number of problems before others do. Letting fellow techies know about problems those colleagues will be responsible for can increase the value of cybersecurity. It can also help get cybersecurity out of the land of ‘no’ and open up the ghetto. An additional advantage of this approach is that the cyber crew gets to find out more about the devices, networks, and data they are trying to secure. They can see how these things behave and must understand why when things go wrong. Such knowledge will do much to help the cyber crew escape the ghetto; they can be a go-to resource for a multitude of problems.
Attitudes are personal, though often enshrined in a group’s culture. There are also things that the cyber component of an organization can do to reach out and spread awareness of what the cyber crew can and does do.
It is important to make an effort to get the word out about what the cyber crew does. Most organizations have several ways to do this. There are e-mail lists, including those that go to everyone. There are often internal web pages. And there are regular reports to management or others.
Cybersecurity should take advantage of these opportunities to inform the rest of the organization about what it does and why. Cybersecurity certainly needs a way to send alerts, particularly if immediate action is required. But it should go beyond that. It should make an active effort to reach out to the rest of the organization. Email lists can be good for that. Piggybacking on the efforts of others can be good, too. The company I work for now has an internal newsletter that everybody reads because it contains announcements about things they need to know. Our InfoSec group is taking advantage of that to send out messages about security topics.
Such an effort takes time and effort. It also requires imagination: how do you get employees to read things that, on their face at least, have little to do with what people do every day as part of their job? An effort like this can also require skills that a cyber team might not have readily available.
But it may well be worth making the effort. Many organizations have a formal security awareness program. This can certainly be helpful. Even if there is no such program, the work available on security awareness through NIST (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf), the U.S. Department of Homeland Security (https://www.dhs.gov/stopthinkconnect), the SANS Securing the Human program (http://securingthehuman.sans.org/resources), and a score or more private companies that have awareness programs available can be used to advantage. There might also be resources elsewhere in the organization that cybersecurity could draw on.
Answer the mail
Answering the mail in a reasonable amount of time is a simple courtesy, but it influences how people view cybersecurity. After all, people have to know that you care enough about their concerns to respond, in contrast to, say, the telephone company. If not, why would they write in the first place? Answering the mail quickly and fully encourages people to communicate problems that could be related to security. If some restriction makes it more difficult for them to do their job, they may tell you, hoping to find an easier way to get things done that will still satisfy security requirements. Surely it is better to hear such a complaint directly than through bureaucratic channels and to find out about security incidents immediately rather than after all the proper buttons have been pushed.
Having a single, easy-to-remember address for cybersecurity can help. It can also help to make sure someone is responsible for answering the mail. In one SOC, we analysts rotated that duty, watching the inbox through an entire day. One of the guys in charge made sure that each piece of mail was answered within 10 minutes and got on our case if it wasn’t. None of us liked the duty; all of us found him irritating. But people kept reaching out to us, breaking down the walls of the ghetto.
Attend more meetings?
No one particularly likes meetings, and all of us complain about them. But they can do three things for cybersecurity. They can give insight into how others in the organization operate and what they find important. They can give cybersecurity a face so that others know who to talk to. And they can let cybersecurity know who to talk to when security problems arise.
Informal stand-up meetings like those common in several organizations I have worked in can be especially valuable. They are by nature short, open to outsiders, and focused on what is important. At more than one of them, a cyber question has come up with no one else to answer it. I have done that with several meetings in my current organization. It has given me insight into how cybersecurity is viewed, access to people who answer questions that make me—and the rest of the cyber crew—better at our job, and the butt of occasional jokes about being careful around the cyber guy. That’s a good thing.
Let them see cyber
In too many organizations, policies and procedures are learned only through hard-won experience. What cybersecurity does and why it does it should be transparent to all. A public relations effort can do much to tear away curtains that hide the cybersecurity effort. But there needs to be a place where the documents are kept that spell out whatever the organization requires. Everyone should be able to access them and know how to do so.
That might seem obvious, but, too often, organizations treat such documentation much like state secrets. And then they wonder why procedures are skipped and policies ignored.
The Personal Touch
Many cybersecurity professionals proudly count themselves members of the community of geeks. They should. I do. Like geekdom at large, however, we are known for being introverts, more inclined to gaze at a screen than to roll with the crowd. But our work will be easier if people can recognize the people who make up the cyber crew and know something about who they are. That can give cybersecurity a human face. It can make it more likely that the people asked to do things to improve security see these tasks not just as requirements from the Bureau of Cybersecurity, but more like a favor for Fred or Fran.
In general, we can make ourselves more available and more public. How we can do that will depend on the situation in our organization.
I do several things that make me better known and more accessible. I hang my coat in a closet close to people not on my team. Whenever I do, others see me and I get a chance to make contact. When passing someone in the hall, I acknowledge them with a glance, perhaps a word. If waiting by the coffee machine or copier, I have a set of innocuous, safe topics that I can offer a comment on. Days of the week is one. Monday: It is the worst day of the week. Or good, for a Monday. Tuesday: At least we got past Monday. Wednesday: Over the hump! Thursday: One day to Friday. Friday: TGIF. The weather also works, of course. It can be too hot, too cold, too wet, too dry. Or just right. Or it is a good thing that winter is over. Other topics may spring from things within the organization that everyone recognizes.
Suggestions like this are not always easy to carry out. Believe me, I know. For some folks, these things are simply contrary to nature. But they have numerous benefits. Some of the most important of these are professional: they make cybersecurity human and the people who do it recognizable. They let people know who they can talk to. They open up that ghetto.
Tear down these walls!
The cybersecurity ghetto is often erected because people believe that security is too different than the other things an organization does. Or that the sacred rites of cybersecurity—its processes, procedures, and policies—must be kept hidden if they are to be effective.
Yet none of that is true. And the ghetto keeps cybersecurity from becoming everyone’s job, as it surely is. The ghetto, therefore, makes the difficult work of security even harder, sometimes close to impossible.
The suggestions made here cannot guarantee that the walls that enclose the ghetto will vanish. But if my fellow members of the cybersecurity crew are to keep their colleagues safe in a dangerous digital world, they have to make like Joshua and do what they can to force those walls to fall.