Nathan Sweaney is a Senior Security Consultant for Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.
I have a friend who is an alcoholic. A few weeks ago, after 5 years of sobriety, she stumbled and had a relapse. It doesn’t make her a bad person, just a fighter. She starts every day with a reminder of where she’s been, and where she’s going. And in the last 5 years she has made incredible changes in her life.
What’s most impressive about my friend is how she handled her failure. It hurt. She was very disappointed. She was scared and embarrassed. Five years of struggle seemed to be gone in an instant. She considered hiding it. She was tempted to cover up what happened and swear her confidants to secrecy. But instead, she made it public. She wrote a blog post and posted it on Facebook. She openly told friends, family, and the world that she had screwed up. More importantly she determined that this incident would not define her. It wouldn’t limit her or prevent her from living the life of freedom she has grown to love. She’s truly an inspiration.
So what does that have to do with security?
Like my friend, everyone falters occasionally. We bypass processes and aren’t careful with configurations. We use bad passwords or forget to change defaults. We do the very things that we teach our users not to do. No matter how much we try, and how long we’ve walked the line, eventually we mess something up.
As consultants we see a wide range of attitudes from our clients. Some companies are very focused on maintaining their security. They are organized, have strong procedures, and train their employees well. Regardless of their history they are the model of sobriety, err… security. Others need an intervention. They don’t care and truly aren’t worried about the consequences of their actions.
Far more interesting, though, is how they respond to security failures, whether it’s an actual breach or the results of an assessment. When the evidence of their misconduct comes to light, their response says more than the actual details of the incident. How they respond to failure sets the stage for their future.
Some organizations point fingers. They play the blame game to ferret out who messed up and then use that for political games. Unfortunately that kind of response rarely helps anyone. It puts the focus on the activity of the person who erred rather than the lack of activities of everyone else involved. That user in HR probably shouldn’t have opened that attachment, but where is the user training, the system monitoring, the intrusion prevention?
Other organizations deny. That couldn’t happen. That wouldn’t happen. We can’t reproduce it. That was out of scope. Regardless of what excuse they use, they find some way to deny the results and pretend that it couldn’t happen to them. They would much prefer to assume that the tester was incorrect than to face reality.
Some get angry. How could this happen? Whose fault is this? People get fired; projects get scrapped; contracts get cancelled. The embarrassment makes them irrational, and often the response is to go overboard in the remediation.
And some organizations just give up. They believe that there’s nothing they could do anyway. It’s hopeless and frustrating. They’ll never be successful. The potential attacks seem too likely and their resources too few. Instead these organizations assume an ostrich position with their head in the sand in hopes that no one else will notice.
But the most successful organizations, those who have a hope and future, react like my friend. They accept and acknowledge their mistakes. They recognize that failure is a natural result of trying. They seek out details on exactly what happened, not to make examples of employees but to determine what actions can prevent this from happening again. They set their course with an eye on the future. They get knocked down, but they get up again.
I’ve been told that there’s no such thing as a former alcoholic, only recovering alcoholics. In our industry there’s no such thing as a secure organization. Each day we can choose to become more or less secure, but it’s a constant battle. We will fall down, but we must get back up.