Running From Complacency: Getting Off Your InfoSec Hamster Wheels

TL;DR Breaking free from InfoSec complacency: We discuss how security leaders can align their security strategy with business goals, evaluate metrics critically, and collaborate with peers instead of running aimlessly on their information security hamster wheels.

The past months have been your typical Information Security chaos with a bit of extra political flair. A rapidly moving political situation, ongoing ransomware attacks by the DragonForce ransomware group against retailers, and the annual RSA Conference in San Francisco.

For you, dear CISO, this probably means a combination of the below:

• Your budget has come up in conversations related to proposed tariffs; after all, security is a quick way to recoup some costs.
• The board is asking “Could this happen to us?” after having heard about the recent ransomware attacks against prominent retailers.
• Your inbox is flooded with ‘post-RSA’ emails from vendors, all wanting to schedule a meeting because they caught a glimpse of your badge.

Within Information Security, the saying, “never let a good crisis go to waste” is often well understood. When a crisis happens, we improvise, adapt, overcome the crisis, and go back to business as usual. However, having been in the security industry for many years (and having been a CISO myself), I see another pattern I believe CISOs and other InfoSec professionals should be made aware of: The looming danger of getting complacent. Management positions (i.e., CISOs, Managers, and VPs) seem to be losing the intrinsic motivation to grow and become more efficient, forgetting the bigger picture and still trying to reinvent all wheels themselves.

As the title implies, I dare you to get off your hamster wheel. Check the structure of your wheel, apply some oil to the bearings, be critical, and wonder if you were just standing still or actually running.

Apply the Oil

Let’s take a step back and look at your hamster wheel. Compare the wheel to your Information Security strategy, which needs the proper foundations, funding and adequate budget to work the way you intend it to work. Where can you optimize?

When you are in doubt, don’t be afraid to review your security strategy even outside of the annual cycle. Yes, you promised to look at it once a year, but even then are you really analyzing it thoroughly? Defining your security strategy should never just be a checkbox exercise; it is the CISO’s purpose for the Information Security function within the organization. This purpose should be closely aligned with the other business functions in the organization. If you cannot properly align your security strategy with the organization’s overall strategy, you are setting up for failure. Like finance, HR, and IT, Information Security should be integrated so well into the organization that, like the other functions, it becomes part of doing business.

Once your strategy properly aligns with the business, it will be ‘selling’ security internally. Effectively, you create a solid basis for your budget, which is now your playing field. If external events affect the business heavily, it should never be an ‘easy’ choice to ‘just’ squeeze the security function’s budget. It is the CISO’s job to make security equally indispensable as any other function. What you should offer instead is to play with the parameters of how hard you run on the hamster wheel or to apply more oil. Together, you can redefine direction or help any function in the organization to become more efficient. In doing so, the entire management team keeps the wheel spinning as smoothly as needed at a pace everyone is happy with. As long as your wheel turns in the right direction, it doesn’t have to be a perfect circle. Even a square or triangle will work.

Were we Actually Moving at All?

Don’t be afraid to be critical about yourself, your team, and your organization. For each, ask whether you’re actually moving, be that walking or running, and see if this speed aligns with your security strategy.

So what do I mean in this metaphor with the speed of movement? Let me illustrate with some examples:

• Key risk indicators (KRIs) have shown the same positive values for years. Are you really doing such a good job, or are you providing overly positive KRIs to look good or show ‘progress’?
• Sending three phishing campaigns in the last year shows that click rates are trending downwards (e.g., 30%, 20%, and 10%); however, is this an actual trend or are phishing campaigns getting easier? Is this even the correct metric? Instead of tracking lower click rates, why not look at the percentage of correctly reported phishing emails?
• You perform an annual pentest, yet did not remediate the findings of previous pentests. Are you trying to check a box or are you actually trying to improve your security posture?
• You bought 10 new tools last year. Are you just spending money to show ‘progress’ and to reach certain objectives, or are you choosing wisely? And if so, are you actually using the tools you bought effectively?

The above are just some examples I and some fellow CISOs have run into in the past. It can be confronting, perhaps even feel like admitting you were wrong, but do not be afraid to do this and be critical, as part of doing your job is to evaluate the effectiveness of everything. Don’t just scrutinize security controls; be critical and fair in your judgement. If something does not benefit you, throw it out. Also, make sure that all metrics support your story and show the speed of your movements. Next time you are asked if ‘this’ can happen to your organization, you can be more confident in your answer and better support your ‘it depends’.

Prioritization of findings can also help you in terms of both speed and effectiveness. Instead of a traditional approach where you focus on specific vulnerabilities and getting them remediated one-by-one, why not focus on where it really matters? Adopt the principle of Attack Path Management and focus on strategic choke-points. If you can empirically measure the impact of an attack path on the overall security posture of the environment, you can make the changes where they matter. Spending less effort, time and budget on having the most positive impact on your security posture. It is a different approach, and will have different metrics and outcomes, but it will allow you to pick up your pace and be more effective.

Many Hamsters. Many Subcommunities.

Dear CISO, let me be critical and ask: Are you and your challenges truly unique? If the answer is ‘yes,’ then we need to speak because I am intrigued to learn what challenges you face. However, if you are honest, your challenges are most likely not that unique. Maybe parts of your challenge are unique, but it is likely that a peer has faced something similar. Do not be afraid to ask peers and to share your experiences or discuss your security strategy. While you are going at it, and running around your own hamster wheel, everything probably seems obvious to you; however, when you share this with fellow CISOs, it may help them and prevent them from re-inventing the same wheel themselves. Don’t make assumptions; ask for help and don’t hold back on sharing.

Sharing within communities truly is caring. That is why, at SpecterOps, we believe in empowerment through transparency. We believe sharing our knowledge enables anyone in the industry to drive meaningful improvement and, as a CISO, you should be doing the same. Give back to the security community to ultimately help everyone become more resilient. After all, we all have overlapping goals and, in security, there should be very little competition between end-users. We don’t need to share secrets; however, if we are being honest, how much different is your SIEM from mine? They are probably the same, yet we guard it like it’s a secret. But wouldn’t it be great to learn from each other how we deployed the SIEM or how we experienced switching from one to the other?

It’s a good thing we have many industry conferences and other events, as they’re a great opportunity to learn and share. Now the thing is, although I really liked this year’s theme of RSA (“Many Voices. One Community.”), I had to amend it a bit. It is correct that we are many, but we are really one community with countless subcommunities: Offensive, Defensive, Security Engineering, Technical communities, Tool-specific communities (such as our own BloodHound community), IAM user groups, CISO circles, and the list goes on. I would like to dare everyone, not just CISOs, to partake in at least one community outside of your comfort zone and give something back to them. Don’t just visit the same events over and over again expecting a different output. Who knows in what weird ways a technical Security Engineer and IAM consultant can teach a CISO a thing or two and vice versa. Increase the odds of this happening by trying something new and being open to continuously learn from peers.

Meanwhile, many vendors are still trying to sell CISOs something with an AI sticker slapped onto it but won’t help solve their challenges. This is hurting security vendor reputations and is just putting a burden on CISOs who are already tired from running backwards in their octagon-shaped hamster wheels. Reaching out is fine, but respect boundaries and search for meaningful partnerships and not just pushing a tool. A fool with a tool is still a fool and an underutilized tool is just wasting resources. So please, don’t blindly buy something because some trendy AI feature will solve all your problems. CISOs stay critical, only acquire that what is needed to truly progress on your security strategy, but always be open to meaningful connections. Everyone in this community has a seat at the table and, even though we may not always agree, we should follow our common goals as an industry.

Your mother was a hamster!

You read that right: Your mother was a hamster, and your father smelt of elderberries! Confused? Read my LinkedIn profile and watch the amazing Monty Python film ‘Monty Python and the Holy Grail’. I am not trying to insult anyone here, trust me. I’m merely bringing this hamster madness to a closure! 

In doing so I can hopefully inspire infosec professionals to remain critical, to re-sharpen their focus, to be open to the community and to share more knowledge by giving back to the community. And whatever it is you do, dear CISO, please don’t get stuck on your hamster wheel.

Got feedback, questions or want to have a chat? Feel free to reach out, I promise I won’t call you a hamster too!