Last updated at Tue, 25 Apr 2023 23:34:29 GMT

In last week's blog (which you should read now if you have not), I said:

The core problem with security today isn't about technology. It's about misaligned incentives. We are trying to push security onto people, teams, and processes that just don't want it.

To be clear, it's not that people don't care. They say they want security, and I believe them. Or more precisely, part of their brain wants security. People who want to break a bad habit, or to lose weight, or to stop smoking, all want to achieve their goals, but other parts of their brain are in charge. What matters are their actions and behaviors. Outsiders will judge you by the results, not your efforts, goals, and intentions.

How do we bridge the gap between people and organizations wanting to be more secure, and actually being more secure? Thinking about the long-term effects, how do we get from where we are now to a world in which breaches are rare?

As I dreamed in the previous blog post, it's all about incentives that move responsibility from people with “security” in their title to people everywhere in the organization.

I don't have any great answers (other than my “All red team, all the time” dream), but I will offer a few characteristics of an organization that will be more likely to be secure by design.

Product teams have to care more about the security of the data they collect than the security team does. To use an analogy (which, I admit, is always fraught with peril), I simply must care about my own health more than my personal trainer and doctor do, because when something goes wrong I'm the one who has the heart attack, not them. Today the incentives don't line up that way in infosec. Teams regularly ignore or override the advice of their security “doctor.” And when the incident happens, the security teams often bear the brunt of the incident response process. Everyone with Product Manager as a title should be well versed in the attacker lifecycle, the black market value of the data they collect, the legal impact of a breach, and should have a written runbook for when all that private data is dumped on torrents (among other scenarios). With product teams as equal partners in securing the data, security is more likely.

The CEO is the implicit Chief Security Officer. She has to set the tone for everyone. She has to brag to her VPs about how she's tightening up her personal security. She needs to be the first to update her laptop OS, experiment with a new secure instant messaging system, and request security report cards for the various teams. She has to require each VP and Director to formally explain what they are doing to improve security in their areas (as opposed to putting the sole burden on the security team). She should ask them to explain why they are collecting and holding customer and employee data for so long. What really matters is not what the CEO says to the security team about security, it's what the CEO says to everyone else about security when the security team isn't present. Small, continuous reinforcement is stronger than a single bold pronouncement.

Everyone thinks like an attacker. You are up against dedicated, human adversaries. After you make a move to improve security, your adversaries will decide what to do, if anything. When you start to think this way consistently, it gives you a new perspective. Your company does a lot of work to pass the audits, build ISO or NIST controls, train people, roll out a new IDS, refactor networks, implement an SDL, and a lot of other hard, painful, expensive things. But when you view your results through the lens of an attacker, you may find that it's not enough; that it's necessary, but not sufficient. Or that you overinvested in one area like Protect at the expense of Detect, or Respond, or Recover. If you knew for a fact that you were going to be attacked tonight, what would you do differently? If you knew you had an intruder in your networks right now, what would you do? Thinking like an attacker doesn't devalue all those hard things you do to defend. It gives you the perspective to know whether it's enough and balanced. Thinking like an attacker will let you know if you've changed the incentives and economics for the adversary.

Those are a few characteristics that will lead to a more secure organization. I'm sure there are others.

Let me be blunt. Until those things happen, compromises and breaches are inevitable because the incentives are misaligned.

Have a story or a dream for me about incentives that worked? Or went awry? Drop me a line on Twitter at @boblord. If you want to tell me confidentially, send me a DM! My settings allow you to DM me even if I don't follow you.