Altruism in Information Security, Part 2: Identifying Hurdles Along the Path

Originally published by Tentacle.

Written by Matt Combs, Tentacle.

Welcome back! If you’re joining me for the second part of this series, I’m assuming I didn’t turn you off with my optimistic and ‘rosy’ view of the Altruism-Information Security relationship. That, or you didn’t read Part 1 and have no idea what you’re in for…but, do not fear, I will recap!

In Part 1 of “Altruism in Information Security” I shared my thoughts on how I find the concept of altruism to be woven into the fabric of the ideal Information Security program. Altruism, an ideology commonly discussed in the world of philanthropy (the world in which I spent more than a decade with my last software business), describes acting in complete selflessness to consider and protect the interests and welfare of others, above all else. Those who seek to behave altruistically likely find themselves working towards ‘ideal,’ as I imagine altruism is difficult to obtain and is a path complete with hurdles, set-backs, and lessons learned. ‘Ideal’ is key, as my opinion on this specific part of the topic (the relationship between altruism and Information Security) has everything to do with the intent of Information Security and therefore, the perfect-world, ideal state of an Information Security program. The evidence I’ve gathered of altruism’s presence within Information Security lies in the foundational design of a program; the ideal state defined by the industry frameworks, the expectation of a program’s continued growth, and the core pillar of ‘anticipating need’ critical to any InfoSec program.

No quest-for-ideal would be complete without hurdles and in the world of Information Security, the hurdles are plentiful! While each of us with a role in the InfoSec industry could compile an endless list of challenges, for Part 2, I’d like to focus on a few components of one major roadblock that I believe inhibits the altruistic execution of an Information Security program - growth of a business.

Business Growth and the Need for Speed

Scaling a business is tough! And scaling a business securely? This is a delicate balancing act of competing priorities. Even with the best of intentions - and no matter how altruistic a well formed InfoSec program may strive to be - it’s inevitable that it will meet resistance inside the wall of the business as the business plows forward in meeting its stated objectives. When business growth is solely prioritized over secure growth, altruistic efforts are cast aside, leaving the validity of an Information Security program at risk.

1. Speedy Messengers

Within an organization, an InfoSec program’s altruistic intentions often meet resistance in the form of growth at speed. And those tasked with growing new business, expanding existing relationships, developing partnerships, increasing an organization’s presence in the market - and doing all of this at break-neck speed? The Sales Team (dun dun dun). While I couldn’t resist the dramatic sound effect, sales teams carry the weight of countless metrics and expectations. They work diligently to present the value proposition and when it comes to security posture, the need to provide documentation, collateral, and answers related to the company’s security posture and must continually demonstrate to the outside world the importance the organization places on security.

Unfortunately, the metrics and expectations assigned to sales teams do not inherently align with the objectives of a security team. They don’t necessarily contradict one another, though their objectives are not derived from the same place. Sales teams need “yes,” and need to minimize any red flags while pitching for new business - and both things need to happen fast (knowing that speed is the ally of any good sales and development team). And this is an entry point for friction in the quest to InfoSec altruism.

To meet the demands of successful and shortened sales cycles, it’s not uncommon for sales teams to take on the task of responding to security assessments themselves. As a matter of fact, some organizations have established this as a standard operating procedure. Be it with or without permission - and no matter who is responding (or that respondent’s level of InfoSec expertise) - tasking unqualified individuals to respond to such important and sensitive topics, on behalf of the organization, for the purpose of speed, is risky, dangerous, and not ideal.

2. Quick-to-promise today, figure out tomorrow

Competing priorities coupled with incentive models that lack consideration for InfoSec objectives can lead to the practice of “asking for forgiveness rather than permission” in effort to achieve expected business growth. Each group within an organization from sales, security, IT, operations, to engineering, HR, finance, whomever - has unique motivations for positioning the business in the best way to achieve growth and to avoid anything that could put that potential growth at risk. When the topic is the organization’s security posture, these motivations lead to scenarios in which it just might be easier to “check the box”, give the “yes” - simply ask for forgiveness later for inaccurate responses - if the inaccuracy is ever identified.

What a conflicting situation a business finds itself in! Despite best intentions, such activities not only put the business at risk, but put all who rely on the accuracy of the information at risk as well, one micro-inaccuracy at a time. These checked boxes and yes answers where they don’t really belong relay incorrect information and in many cases, create obligations that the organization is then responsible for upholding, causing interference with other planned priorities. No matter to what degree the deviation from the truth might be, it contradicts the intent of a pure information security program. Fudging the truth, even ever so slightly, breaks the spirit of altruism that is embedded within an Information Security program.

3. Fast Pace but Missing the View

Speedy business growth and the need for up-to-date information goes hand-in-hand. It seems that with every day, every milestone, every achievement, every everything - an endless ‘stack’ of documented information needs to be updated and disseminated. In regards to Information Security specifically, a newly updated process can have a significant impact on the overall protection of the enterprise and on all stakeholders reliant on this process. Industry frameworks and their individual controls support this idea - diving into these frameworks you’ll find requirements for continual monitoring, re-attestation, re-testing, and pretty much re-doing everything on a very frequent basis. But when faced with fast-paced growth, quickly shifting priorities, and overloaded resources, this perpetual re-do is often impossible to manage. These requirements are hard to satisfy under any circumstance and made more difficult when it comes to how the industry currently assesses its InfoSec ecosystem and keeps the ecosystem up-to-date between assessments. In today’s world, I find Information Security processes to support “moment-in time”. And if that “moment-in-time” reveals no issues, then it’s simply assumed there should be no worries.

Information Security is far from moment-in-time. Threats are monitored and measured on a real-time basis. What was just fine yesterday, or even an hour ago, may no longer be acceptable right now. This is why the frameworks have been designed to promote alignment with actions centered around real-time performance and ongoing operational activity. The controls seek to minimize the gaps that reveal themselves between activity and reporting, thereby promoting utmost security at all times. Many businesses lack the supporting tools to have this real-time insight and to communicate this insight into their ecosystems at the speed to match their growth and the associated changes. Getting the most updated, real-time information in the hands of those that need it is challenging and if the methods for doing so are not improved upon, Information Security finds yet another path back to inaccurate and reactive - far from ideal and altruistic.

All is not lost…

Overwhelmed with the hurdles along the path to altruistic information security? I would be lying if I didn’t admit the hurdles are plenty - and quite large. I would also be lying if I said overcoming these hurdles was impossible or only solved at the sacrifice of fast business growth. Growing a business (and having to do so quickly) is exciting and not to mention, critical! I just tend to think we can all reassess how we are getting there and we can keep information security as a top priority as we grow. Speed is great when it still allows for efficiency, accuracy, and transparency. Maintaining the altruistic intent of Information Security will require us to properly support our InfoSec messengers, to align InfoSec objectives with growth objectives of the organization, and to open our view into the ecosystem - and expect our partners to do the same. With a major roadblock identified I’ll share my thoughts on how I think we can execute an altruistic Information Security program in my final part of this series. Stay tuned!

About the Author

Matt Combs is seeking to actually earn the title of "entrepreneur," now working on his fourth venture. Having successfully started and sold his last venture (YourCause to Blackbaud, Inc.), he is now committed to solving some of the fundamental challenges previously faced related to developing a proper information security program.