Cyber security teams need to be proficient at building new security
capabilities or maturing existing ones. Forgetting capability building means that
while your organization may be engaged in tons of activity, it may never be
on a path forward that ultimately reduces the fire-fighting of disruptive security incidents.
However, for all of the benefits, capability building also brings friction for
users. With each new security tool or policy, there is some impact on how individual
users perform their daily work. Leaders not only feel their own friction but also
have to deal with the collective friction of their team as they try to achieve their
business objectives. The less regulated the industry, the stronger the pushback
over friction will be from leaders. With enough pushback in such industries,
projects might be paused post-deployment or not even started. The hard message
might be that everyone outside of the security team views this friction as a
negative.
Imagine a very different world in which cyber security teams
were incentivized to not just build capabilities, but to complete each project
with a plan and execution that causes the minimum amount of friction for users.
My personal preference would be to codify the accomplishment of low security friction
outcomes into “style points”. These wouldn’t be actual scores or points. The
only judges that matter are your users and your execs. As projects become more
difficult and complex, there will always be some level of friction and the
outcome would need to adjust to account for this friction. However, style
points may not be the closest metaphor. A similar but better metaphor might be
the system that figure skating used until 2005: there was a first score
indicating technical merit (usually the difficulty of the jumps) and a second
score representing presentation (artistry). Again, forget any detailed scores.
Let’s simply focus on the value proposition of the two categories.
I’m talking about artistry as part of making the org safely more
effective by minimizing the friction of security tools or policies. Shouldn’t that be
part of the status quo in cyber security anyway? Sadly, it isn’t.
Often, we as security practitioners are so lost in the
technical aspects of a deployment and the security benefits that we forget to
think through the set of impacts on the people that matter most – the users. Or,
if we do think about users, we take a very binary approach that includes users
in a 30-60 minute meeting to get user feedback. Then, when asked if user
feedback was incorporated in planning? Check. Done.
Best practice? Sure. Disguised institutionalized mediocrity? Perhaps. It
depends on the outcome and not the plan.
A more fundamental issue might be that the skillsets
required for artistry don’t seem to be prioritized across the security
industry. If we think of people, processes, and tools, tools seem to be given
the top priority for hiring and promotion. Depending on the organization, the
prioritized skillsets most often include broad technical knowledge, specific tool
knowledge and certs/training/education. All
these are necessary and I’m certainly not advocating to have security team
members without a technical background. I’ve “no-hired” enough security
engineers with ten years’ experience who can’t explain simple yet important concepts
like what a Windows service is. But certs and online courses also don’t teach
or evaluate key capability building skills like engagement or negotiation. Whether the project is done in-house or by
vendors, we have control of the outcome. In short, the outcome should matter
more than the plan.
THE PREMISE
My premise is simple. The best security teams need to have
both technical merit and artistry to build the hard yet most important projects
that make enterprises safe. Hire and promote for both. Build processes that identify
and reduce friction as much as possible in the deployment process rather than
adding friction to your team’s firefighting list after a solution is deployed. Highlight
the artistry in your executive reporting. Most executives will pay attention
when their teams agree that a new policy or tool rollout has little negative
impact. Make it easy for the execs to stay supportive during the deployment and
then celebrate the accomplishments at the end. Then, start to scale by prioritizing,
promoting, and recruiting differently so that these same outcomes can be a
normal part of how your team builds capabilities.
REAL WORLD EXAMPLE
Think it’s impossible in the real world? When I started in
my current role, I quickly identified local admin privileges as the biggest
near term threat to the company. Just about every employee had local admin and
there were dependencies on local admin built into our line of business
applications built in-house. I assigned a project to remove every standard user
from their computer’s local administrator group to a brand new endpoint
security engineer. He’d previously been a desktop engineer but was new to thinking
about things as a security practitioner.
Other long term employees told me that this was an
impossible project as it had been tried with failure several times over the
years. Even our big name management consulting partner advised that the pain
was inevitable and so we needed to make the change all at once like pulling the
band-aid off a scab. I’m still puzzled
how that would have worked. Sigh….
Despite all of the above, this engineer put together a work
plan focused on minimizing friction, rolled up his sleeves, and got to work.
The weekly reporting of progress as well as celebration of that progress kept both
the engineer engaged and the senior management supportive. Four quarters later, local admin was a thing of the past for
Windows users and two quarters after that for Mac users. Every single employee
had been removed, and that’s how employees work today. That’s the technical merit. The fact that
there were perhaps fewer than 5 complaints in total from the entire pool of employees
was the artistry.
THE ROAD FORWARD
As leaders, there is a lot to be gained by creating an
environment in which artistry and lack of friction are prioritized. Doing so
requires security team members to really think about their tools, their craft
as security practitioners, and the impact of their plan. The entire organization can be safer without
even really realizing the change. That’s a magical outcome transported into the
real world, and it can be done (as shown above, as well as in numerous other projects
that we’ll highlight in future blog posts).
If you are an individual security team member, lead a
security team, or even run the company, you only need to prioritize differently
in order to live in this imagined world of capability building with far less
security friction. What’s wrong with
routinely exceeding best practice? There isn’t anything holding you back. Just
get started….
Follow me on Twitter for the latest blog updates: @Opinionatedsec1
SEE ALSO
The Five Pillars of a Successful Application Security Program
Wow - whoever removed admin rights w/o any fallout must be an amazing engineer! What an accomplishment