We Don’t Need Another InfoSec Hero

Published:

Jun 30, 2022

Reading time:

5 Minutes

By setting yourself up as the defender, the solver of problems, you cast your business colleagues as hapless victims or, worse, threats. This is not a useful construct for engagement.

Reprinted with permission. © IDG Communications, Inc., 2022. All rights reserved.  [https://www.csoonline.com/article/3663514/we-don-t-need-another-infosec-hero.html]

 

There’s this belief among a lot of security professionals that we are special, in that we are the defenders of our companies. We like to think we hold ourselves to a higher standard of care than our coworkers. If not for us, the thinking goes, our companies would crash and burn in horrible ways. Breaches would run rampant. Data would be stolen left and right. Cloud environments would be filled with adversaries. Enterprise systems would be locked up by ransomware. Without our heroic efforts, those things would be happening all the time! We are the defenders!

Except we aren’t the defenders. We might be defenders, but we aren’t the only ones. Our DevOps teams defend reliability all the time. Our lawyers protect us from liability. Our product managers and sales teams protect our paychecks (maybe they’re the real heroes). In setting ourselves apart in our own minds, we set ourselves apart in practice. While we like the heroic feeling it gives us to be the defenders, it has a lot of downsides.

In taking on the mantle of a hero, it’s necessary to project roles onto others. Some people need to become villains (that evil product manager who dares to launch a product that might not be perfect, or the negligent engineering manager that doesn’t halt their feature pipeline to patch every component they own), while others become cast as victims without agency (those woeful users who click on links, or the executives who just don’t know enough to make better risk decisions). We begin to look down on all of them, because we know so much more than they do.

Nothing could be further from the truth.  InfoSec professionals do tend to have deep, highly specialized knowledge. But most of us are still struggling to understand how our businesses make money. We find the marketing pipeline to be pretty opaque. The list of business functions that we don’t understand is far longer than the ones we do. And when we approach those organizations with well-meaning but brusque guidance, things don’t go well.

Consider the last time you were working on a project where you were responsible. At some point, someone with no vested interest, no skin in the game, gave you some outlandish advice. On paper, in theory, that advice might have worked in some other situation, but not in yours. Well, that’s exactly how our business partners often view us: as arrogant experts who don’t have the practical experience to judge how useful their advice isn’t.

Be the supportive sidekick

Instead of thinking of ourselves as heroes—we aren’t Wonder Woman, or Batman, or Superman—it’s time to think of ourselves as sidekicks. On a good day, we help someone else make wiser risk choices, and those choices result in more profitable outcomes for everyone. But it is someone else who is the hero; we just hold their cape and refill their utility pouch.

How do we do that?  It begins with some humility. Most people in our profession work in cost centers. To the rest of the company, we are a drag on the business, and while we like to talk about business enablement, our first goal has to be removing the business impediment we’ve become.

Are you responsible for product security? Engage the software architects who write the code and teach them how to do their own safety and security reviews earlier in their process. They’ll find, and fix, far more flaws than you ever would looking from outside. Embed tools in their DevOps process that empower them, rather than adding tools that focus on helping your team criticize their team.

Maybe you’re focused on IT security? Recognize that phishing, as a problem, is the fault of IT, not the end users. Stop focusing on gotcha metrics like “phishing click rates” and work to improve your architecture. Why is phishing a problem? Have you not yet implemented FIDO-MFA? Is lateral admin movement so easy in your environment that you can’t afford a single machine compromise?  Work on those challenges and stop wasting energy on blaming the users.

No matter what part of the business you support, start learning what they need to do to get the job done. Identify opportunities where you can get out of their way first, and then look for ways to help improve their processes to be faster and safer. But stop trying to be the hero, and start celebrating their successes, even if all you did was get a little bit out of their way.

Andy Ellis is the Advisory CISO at Orca Security, and 2021 Inductee into the CSO Hall of Fame. He is an Operating Partner at YL Ventures, and was formerly a US Air Force officer and the CSO at Akamai Technologies. You can find him on Twitter at @csoandy.