My sister and I have recently finished emptying our Mother and Father’s house. Those who followed me in the early days know the blog was initially as much about fighting her pancreatic cancer as security. 18 months on, after two sales dropped through at the last minute, the house is finally sold. That left nowhere to hide from the job of deciding what we individually keep, sell, store, or dispose of. Anyone who’s been in a similar situation knows it’s the mundane stuff that floors you. The pairs of glasses found in odd places, because she ALWAYS lost her glasses. Old cigar boxes he kept ‘just in case’, some empty, some full of ‘stuff’. The handwritten recipe escaping from pages of an old cookbook. Her expired passport in a handbag, waiting to be renewed for the holiday she never got to take. That kind of thing.
There was also a mountain of tax and accounting paperwork. She ran a holiday let business, and (being an ex company accountant), every ‘i’ was dotted and ‘t’ crossed in tree-exterminating detail. Not to mention the books, towers of books, with more value than the words they contained. It was something that tied the family together. A passion for both classic and well written popular fiction, plus factual texts of myriad flavours. Things discussed, shared, laughed about, and pored over.
While dealing with that I’ve also been reflecting on security consultancy challenges. More specifically hitting the floor running when you start a job, and dragging coherent actionable sense out of seas of information.
To say it’s been a time of psychological gear changes is to put it lightly. My mental landscape kinda feels like a kaleidoscope in the hands of a hyperactive toddler. And out of those shifting colours, a common theme started to emerge:
Racing to recognise material and qualitative value against a backdrop of rapid change
Switching to the InfoSec context, the biggest challenge on entering any firm is to understand the lay of the technical, procedural, structural and cultural land…well it is if you aim to deliver locally relevant help, rather than a ‘what worked last time’ cut and paste.
The successful creation of fit-for-purpose security capability depends hugely on quality of information available, time allowed for acclimatisation, and how long stakeholders expect to wait for results. Different stakeholders, with different bits of skin in the game, will give you more or less time to prepare vs deliver. That picture also hinges on history. Have you been airlifted into a post-breach maelstrom, or exec driven audit point closure drive? Are you arriving after decades of underspend, or when the security function is seen as overfunded and top heavy? Do the board accept the fundamental role played by security, or have a passing interest stirred up by media FUD, consultants, or regulators?
Embryonic reputations grow or die based on how well new and existing staff manage expectations and balance those BAU, fire-fighting, and strategic development priorities. The people, processes, tools, and vendors blamed for current noise are often casualties of the race for recognition. Deciding how much blame is justified, convenient, or just plain unfair is tough when you are just through the door. Delving into root causes can be seen as a negative…causes might have been miscast as excuses and the remit is to fix things, so roots often remain. Cracks in foundations that can make new growth shaky and invite history to repeat.
Culture, people, and best laid plans
Given the average tenure of a CISO is reportedly 18 months, and folk commonly estimate 3-5 years to change company culture, there’s an obvious problem here. Some are savvy and influential enough to create stock-taking space, some try, but are defeated by prevailing politics, and others already have an eye on the next prize and routinely indulge the Alpha lion urge to kill their predecessor’s young. A cycle of perceived or real failure, consultant feeding frenzies, new brooms, and culls.
Circling back to the personal, how do we know what to save? How do we do our ancestors’ effort justice? Is the balance between tradition, future focus, and a desire to just be done with it, well struck? That might be as mundane as sorting paperwork, or as emotive as disputed ownership of most important things. The critical things are time and scrupulous honesty. Looking forward to imagine a future with or without particular things. Being brutal and clear on what’s really needed, versus crumbling in the face of the overall task.
And there is the crux. That split focus. Head, heart, and guts. Keep, bin, defer. Things you can change and things you can’t. Finding space, information, and clarity of mind to differentiate, with the right locally knowledgeable people.
In more formal terms:
- Staff status quo: remit, experience, skills and workload
- Current security status: Latest reports to all stakeholders, risks, compliance findings, audit findings and incidents
- Business priorities & strategic objectives: What’s driving and set to drive security requirements and appetite to get it right.
- Information assets: Paper, structured and unstructured data. What, how much, where, and who owns it.
- IT assets: Network, web, server, database, endpoint, mobile, media, documents, software.
- Security assets: Software, tools, services, both in-house and vendor supplied.
- Owners: Risk, System, Service, Control and Supplier Relationship owners. Sometimes embodied in the same person, sometimes individually owned.
- Vendors & strategic partners: Who provides what, where do in-house/outsourced responsibilities split, how well have those responsibilities been defined and how well is delivery managed.
- Processes & process supporting tools: Vulnerability and threat management, SOC and non-SOC incident management, access management, physical security management, business continuity/disaster recovery management, code management, key management, vendor security, change security, compliance management, risk management. SOC tools, GRC tools, access governance tools, incident management tools.
- Policies & control frameworks
- Applicable legislation & regulation
- Governance and lines of defence: Which masters must be served, what do they get, and how often? First line risk, second line risk, internal and external auditors. Who has most influence, what are the cyclical reports, are they fit for purpose, and is there appetite to change things?
Lack of precedents, standards, visionaries, and planners
Small wonder balls get dropped, dependencies get missed, and plans (created in the first flush of new-start optimism) develop slippery delivery dates. The best antidote to that is an independent set of eyes. Someone without long term skin in the game, someone who’s worked through it before, someone free of operational responsibilities, someone who can see bigger pictures, define achievable aiming points, foster support for the planned future, and see the incremental steps required to get there. The trouble is those people are few and far between.
The security industry is still young. Best practice for security function structure and staffing is far from settled. Skill-sets and performance benchmarks are evolving past attempts to add standardisation. ITIL and NIST lessons are good ones to borrow, but are necessarily generalist.
Just like our personal challenge, the fact it’s such a common occurrence doesn’t mean the best ways to cope are common knowledge. We wished someone could step in and help us, because each step was at risk of growing out of all practical proportion, but the fact is, for us, no-one could. The task of closing one life chapter and moving to the next is all about local culture and the people who understand it. Culture that you can’t wave a magic 2-quarter wand to transform, no matter how many top flight technical people you recruit.
The better news for businesses on that security transformation journey is that more people get their history. Pre-existing stars freed up to invest their local knowledge. Strategic visionaries. Programme managers who can make the vision real. And risk focused communicators who reassure stakeholders that a difference is being made. Some of those skills are still hens’ teeth rare, but the need for them is better recognised. What’s tougher to find are CISOs and ultimate budget authorisers who see that need in a function still mainly viewed as a technical offshoot of IT.
That’s a whole other challenge. Persuading CXOs that good enough security will never come in a vendor stamped box, and improvement will be a long incremental journey that the whole business needs to support.
I was concerned that some might think it mercenary to twin this very personal story with a professional post. My sister gave her unconditional approval to do so, and when all’s said and done, it’s up to us. Just like for newly appointed CISOs: There are no fully reusable precedents, and each experience is distinct from the last.