A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security.
Fatal Fails, Piecemeal Resurrections & The Budget Battleground
In the first part, I talked about Nick Leeson’s destruction of Barings Bank. I likened the way he concealed growing losses and gambled to try and recoup them, to the way companies accumulate security debts through long term underspend. Occasionally superficially reduced by splurges on shiny security solutions. Debts multiplied by periodic IT transformation activity. Activity motivated by a market pleasing drive to cut overhead costs. It ended with a prediction of horrific fallout, when all of those factors conspire with external threats to produce one monumental disaster.
20 years ago, both the Kobe earthquake and an audit conspired to end Nick’s billion dollar loss-masking fraud. So very similar to the kind of security events that jar complacent firms awake. Scapegoats are chosen, new brooms are bought and a more careful breed start to build infrastructure and security up from the depths of the recessionary dip. Frequently the causes of the longer-term breach-inviting decent are not recognised, or are ignored.
New brooms and tunnel ‘route to green’ vision
The new folk in charge are just as keen to establish and retain their creds. They know the half-life of the tenure of a CISO. They benefit from momentum, visibility and budget brought by post-incident audit findings. The one thing that still isn’t in abundant supply – patience. Natural gravitation is towards big ticket fixes. Ones that show a speedy and easily understood ‘route to green’. A route that often creates tunnel vision for board members, risk functions, auditors and regulators. Key performance indicators, defined critical success factors and targets are stretched to creative breaking points.
What’s not generally on the route is careful stock taking and a step by step repair of the cavernous and widespread holes dug in the past. Soon the mirrors reflecting progress are so smoky no-one can see anything resembling a real risk any more. At the same time, in the less reported background, old persistent problems bed in for the long haul. If the improvement work hits a pothole (perhaps one of the older, less sexy issues results in an impactful incident), the security chief gets swapped for a different model, or a new easily marketed fix is tried. That process repeats until a period of relative peace prevails.
It doesn’t last. Perhaps the share price dips, or more merger and acquisition activity looms, leading inexorably to overhead stripping conversations. IT and security are perceived as being in a good place. After all LOTS of money has been spent and the teams sustaining newly bolstered tools and processes are bigger than they’ve ever been…
…and so the wheel turns. Continuing the cycle I began to describe in part one of the story. A wheel on which the backs of many diligent managers and committed operational ‘resources’ have been broken.
Who can apply the brakes?
I have just painted a damning picture of corporate culture and it’s by no means true everywhere. It’s more like a ‘Bottom 10’ of counterproductive behaviours collated from a plethora of conversations over many years. There are firms who establish and responsibly scale security infrastructure and supporting functions. Responding not just to the push and pull of profit and loss, but to the reality of threats and risks that evolve with business growth, diversification and outsourcing. Achieving that is entirely dependent on a top to bottom understanding of how security fits into the wider world of business objectives. People who understand that, communicate it clearly and foster sufficient credibility to get and keep the confidence of business leaders, are rare. Not hens teeth rare, but rare nonetheless.
Folk who can do that in a business locked into the kind of boom/bust cycle described in the story so far, are more like chicken molars. Even if they do get their foot in the door and achieve some good constructive stuff, they’ll be unlikely to weather a serious cost cutting drive, or an incident linked to something they haven’t got round to fixing yet. The fact that risk mitigation is a never-ending journey is beside the point. It’s evidence of failure. Thus both the bad and the good guys (and we all know a number of incredibly hard working and supremely effective security leaders) get locked into political traps. They get forced to behave in a way that chafes on their better judgement, professional integrity and often (when teams really begin to suffer) their personal ethics. In that situation, as many jump as get pushed.
Security strategy vs never-ending whack-a-mole
Security management is not a straightforward job. Credibility of the function can get undermined simply because there’s no breathing space to formulate a useful strategy, meaningful plan and persuasive budget justification. Great achievements can drown in business as usual noise and activity can devolve down to a persistently reactive game of whack-a-mole. There are various management models out there, so what I’ve put below is my basic view of the corner pieces of the security jigsaw. Pieces either missing or squeezed out in many businesses:
Non-operational space to see the threat and risk picture. Match it (in collaboration with the board), to business priorities. Set realistic risk-driven benchmarks beyond legal and regulatory absolutes that reflect business risk tolerance. Define achievable short, medium and long-term goals and research the best options for rational, sustainable mitigation. Then mitigation needs sufficient budget and people to be planned, implemented and run (that latter part can get lost in the budget bunfight). Accumulated risk and performance information should be aggregated. Key findings fed up to strategists, architects and business stakeholders. Not forgetting to model resourcing requirements based on real effort and risk of headcount loss, for operational functions that generate the data while running and updating tools and processes. Then taking the trends and risk hotspots identified and translating that into easily consumable and impactful education for everyone in the business.
The IT vs security budget battleground
There’s tension between all of the above things. Constructive tension and natural challenges that help balance and inform priorities…the same constructive tension that should exist between IT and security, but as things stand that’s illusory. It’s like a tug of war with The Rock on one end and Pee Wee Herman on the other. It’s mainly down to one simple fact: People ‘get’ IT and IT risks better. They produce more measurable impacts (e.g. $x per lost work hour/day) and are more immediately felt by the business. That almost invariably puts security on the back foot (or on it’s arse) in the budget battleground. The source of yet more security debt to add to the stockpile.
That’s why I argue security should not have the same reporting line as IT. The driving forces, while similar, are not the same. The industry-wide understanding of what ‘good’ security looks like, compared to understanding of ‘good’ IT – not the same. The nature and length of the journey from now to sustainably secure vs stabilising IT to cope with future plans – little comparison.
But that’s still just a part of the picture. You need to convince the managers, players, referees and rule makers to change the game. There was a widespread web of tacit approval and silence enabling Leeson’s catastrophe. A web that included auditors and regulators.
If you don’t tackle cultural issues in all lines of defence, plans to repay security debts are unlikely to get off the ground, or if they do, they probably won’t outlast the first bump on the road.
This post is based on my personal opinion and is not intended to reflect the opinions or practices of any past or present employers.