To quote the great master Yoda, “Pass on what you have learned. Strength, mastery. But weakness, folly, failure also. Yes, failure most of all. The greatest teacher, failure is.” Taking his advice to heart, we asked security leaders about their past failures and the lessons they want to pass on to others. I’ll start off with one of my own failures.
Never Assume Things are Working Right
My own mistake was not focusing enough on the basics, such as asset discovery, when I began building a new security program. This has since become an important mantra for me, as I’ve written about in To Protect Your Network, You Must First Know Your Network.
The specific failure is how one of my largest, eventually most successful security programs nearly went right off the rails in the first six months. I made the amateur mistake of taking what I was being told by staff at face value instead of double-checking it myself. I knew that some developers had access to customer data, which I shut down as soon as possible. I had been told this meant their access to the data was revoked, but within a few months, my folly was revealed. Database dumps of customer data were still sitting around on developer workstations, unencrypted and uninventoried. Worse, network access control rules restricting developer access to customer data had some notable gaps in coverage for some subnets.
What followed was a panicked stampede of laptop file inventory scans and a full network rules audit. Eventually, I added Data Leak Prevention (DLP) tools as well as automated network access list audits. No, you can’t check everything yourself, but when it’s something as important as critical data asset inventory and access controls, you need to know the ground truth.
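The ACL coverage gap described above is easy to miss by eye and easy to check by script. The following is an added example, not the author's tooling: given a list of developer subnets and the deny rules meant to block them from the customer-data network, it reports the developer address blocks that no deny rule covers. All subnets and rules are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the article): developer subnets and the
# deny rules meant to keep them away from the customer-data network.
DEVELOPER_SUBNETS = ["10.20.0.0/16", "10.21.0.0/24", "10.22.8.0/22"]
CUSTOMER_DATA_NET = "10.50.0.0/16"
DENY_RULES = [
    # (source, destination) pairs that block developer -> customer-data traffic
    ("10.20.0.0/17", "10.50.0.0/16"),   # covers only half of 10.20.0.0/16
    ("10.21.0.0/24", "10.50.0.0/16"),   # covers the whole subnet
    ("10.22.0.0/21", "10.50.0.0/16"),   # misses 10.22.8.0/22 entirely
]


def uncovered_ranges(developer_subnets, deny_rules, customer_net):
    """Return developer address blocks that no deny rule toward customer_net covers."""
    target = ipaddress.ip_network(customer_net)
    # Keep only rules whose destination actually encloses the customer-data network;
    # a rule pointing at some other destination gives no protection here.
    sources = [ipaddress.ip_network(src) for src, dst in deny_rules
               if target.subnet_of(ipaddress.ip_network(dst))]
    gaps = []
    for subnet in (ipaddress.ip_network(s) for s in developer_subnets):
        remaining = [subnet]
        for src in sources:
            still_open = []
            for block in remaining:
                if block.subnet_of(src):
                    continue                      # fully covered by this rule
                if src.subnet_of(block):
                    # carve the covered part out and keep the rest
                    still_open.extend(block.address_exclude(src))
                else:
                    still_open.append(block)      # disjoint; still uncovered
            remaining = still_open
        gaps.extend(remaining)
    return [str(g) for g in sorted(gaps)]


if __name__ == "__main__":
    for gap in uncovered_ranges(DEVELOPER_SUBNETS, DENY_RULES, CUSTOMER_DATA_NET):
        print("no deny rule covers", gap)
```

Run it on the exported rule set after every firewall or ACL change so a gap like the one in the story surfaces in minutes rather than months.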
Get Help, Especially in the Beginning
Erik Pierson, Director of Information Security at Slalom Consulting, said he regretted "Not bringing in outside consulting help early on to help set objectives and plan our program. We eventually got to where we needed to be, but it took longer than I had hoped."
You never want to go it alone in cyber-security. It’s a hard enough job with a fully functional team backing you up. And in security, governance is just as important as technology. Consulting help in setting up a security program for the first time can save a lot of frustration and dead ends. Choosing realistic objectives and measures, matching controls to risk, and laying out the roadmap are all things a consultant can help with. An outside perspective is also useful simply for having a fresh set of eyes on the problem. One thing to remember, though: you can use consultants and advisors to help you build a strategy, but just as the risk burden is yours alone, so ultimately is ownership of the strategy to manage it.
Assume Breach Means Detection and Response
Mike Hamilton, Founder and CISO of CI Security and former Chief Information Security Officer for the City of Seattle said, “If I could do it all over again, I’d have much more of an emphasis on detection and rapid response. The realization that preventative controls will fail against a determined adversary must be coupled with a focus on monitoring the network and hunting for aberrational behavior. In this way, risk is managed by minimizing the impact of what is now a foreseeable event.”