I believe that nearly all of information security can be summed up by a single line from the venerated film Men in Black: "A person is smart. People are stupid."
Recently, on multiple client engagements, I've seen organizations with very smart people open themselves up to security issues due to internal dynamics. It’s not out of willful blindness or due to lack of knowledge or experience, but simply thanks to the various arbitrary internal politics and boundaries that affect any organization larger than "one."
This is nothing new. It is especially not new to any of you who have ever held a job anywhere in any organization. But as a technologist, it is the kind of reality to which I personally struggle to recognize and adapt. I *know* people are at the core of security, heck, it's my first Personal Security Guiding Principle, but I tend to be more accepting of human behavior on an individual level than an organizational one.
I've said "simple doesn't scale" to represent the complexity introduced by even the most basic security control in a large environment, but perhaps I should say "people don't scale." Or perhaps "dysfunction scales" since the larger the collection of people, the less likely it is to operate efficiently.
There are few (professional) things as frustrating as seeing a group of intelligent, knowledgeable, motivated individuals struggle to overcome institutional inefficiency. I'm not going to claim I have any answer other than "be aware of reality." Here are three specific examples, and how I've seen clients push through:
- The Irresponsibility Bullseye: Security is a broad practice and, as a result, we have to specialize our skills. As an organization grows, it only makes sense to divide into different teams (network, host, vulnerabilities, incident response, etc.). The problem is when something hits that falls right dead-center between the teams. I see this nearly every day with cloud computing, which is a new tech that looks like old tech, yet spans team boundaries and requires new skills. Poorly-functioning organizations tend to totally drop the ball, no one takes responsibility, and security risk accrues. Better-functioning organizations put a team together and start working on the problem, but it's still very slow. The very best organizations have a formal or informal process that sends "new stuff" to some designated individuals who have both the authority and responsibility to make decisions and pull in other experts as needed. In other words, someone is responsible for the stuff no one else is responsible for.
- Arbitrary Economic Silos: Probably the single most common organizational dysfunctions come from the walls between different teams (security or otherwise). Very frequently this devolves into rivalry as teams fight for both identity and budget. If you are reading this and haven't experienced that, you are likely an only child, who never went to school, and currently lives in an isolation tank. When these silos become rivalries, and especially when security is seen as an obstacle, "bad things happen.” But even in large, messy organizations, I've seen these walls, if not crumble, at least become a little porous. Take your lessons from the DevOps movement and tackle things on a project basis. Find a project where you can cross the silos and everyone works together, hold that up as a success, and start repeating. I know it sounds fluffy, but I'm seeing this work time and time again in some very big companies.
- Self-Delusional Management: Both of my previous examples pale in comparison to working somewhere that those making the decisions are, if not idiots, are totally delusional. Will we deploy that application on schedule? Sure. If the devs tell me they can't, I'll just have them work some weekends. Security? It's fine. Innovation? We can just have a hackathon. Problem? No problem. The reality is that this is one problem those below the manager can never fix. All they can do is make sure they document the heck out of everything so they avoid the blame when things fall apart. Always sending answers in email with a “cc” is your best defense. And sometimes you just need to keep your resume up to date and bail out when things become untenable.
Look, I realize this list is far from complete. However, on recent engagements these are the three most common issues I've encountered, even in organizations I'd put in the "good at security" category. We all hit them from time to time, and the best thing is to be aware of them, realize when they impede security, and know now to break the logjam and move forward.