Altruism in Information Security, Part 3: Effort (and Sacrifice) in Execution

Originally published by Tentacle.

Written by Matt Combs, Tentacle.

I could not wrap up this blog series without at least taking some time to acknowledge and speak to the amount of effort that is truly required to pull off a proper information security program. There are so many InfoSec professionals I have encountered along the way that are doing this very hard work - AND are doing it well. I could not have formed my own altruistic view of Information Security without their influence so what kind of ‘School of Hard Knocks’ graduate would I be if I didn’t do my best to make suggestions for improvement? After all, any improvement to the hurdles I’ve seen stands to benefit the masses and any improvement will help all Information Security programs align more closely to their altruistic intent. For the third and final part of my blog series, I’ll outline key areas I believe require a significant amount of effort (and investment) and will share my ideas on how we might take a few steps closer to altruistic information security.

1. Prioritizing the Operational Loop

Like most big ideas and major transformations, the challenge lies in operationalizing - always easier said than done and far beyond ‘checking the box’. Operationalizing requires tools and resources, checks and balances, revisions and enhancements - and perhaps most of all - requires prioritization of these components in order to implement a sustainable change. A “real” Information Security Program is not a scattered pile of documents or the presence of an employee able to speak the relevant buzz words. A true InfoSec program has developed a plan, deployed procedures, instituted standards, utilizes modern tools, and is able to clearly point to the “how” in which the company is operating securely. It’s when the company is “being” secure, not just “saying” they are secure. It’s when we view security as a “way of operating,” versus “something we have done.” And this process continuously repeats itself over and over again.

The operational loop takes real effort and even more so if the company has a history of NOT embracing the prioritization of necessary tools and processes. It’s a paradigm shift internally that will require old habits to be discarded and new methods to be fully embraced and trusted. And many times, it may necessitate patience in implementation and execution as there will likely be a period in which “things just take a bit longer for us to get them done.” Prioritizing the operational loop also requires investment - InfoSec professionals need to have access to up-to-date technology to support their efforts and to focus their efforts on where it’s needed most. There’s simply too much at stake and an abundance of technological advances for Information Security not to be a top-of-the-list budget item. There are tradeoffs for aspiring to be more altruistically secure though I believe the tradeoffs pale in comparison to the impact of a data breach.

2. Critique Yourself, Critique your Network, Critique your Critique

Within the ideal program, you really never reach the ideal state - ideal is something you strive for; an on-going effort. Within a proper Information Security Program, you are always climbing the mountain - and the mountain you are climbing really has no known summit. This is exactly why a true information security program is so fluid, is always in action, and is never able to simply be defined as a ‘moment-in-time’ but rather, should be described in terms of “all the time.”

To achieve this, it’s a continual game of critiquing, analyzing, assessing, re-critiquing, re-analyzing, reassessing, etc. The program is never at an ideal state, rather, it’s at acceptable phases within the overall mission. To achieve these acceptable phases, we must become more comfortable with constant critique - critique of our internal program, critique of all we do business with, and critique of how we determine ‘secure’. To perform constant critique, the Information Security professional needs access to more real-time insight and to more connected ecosystems. An organization’s security is not confined within its walls - its security hinges on its entire ecosystem. An ideal program requires an overarching, enterprise-wide commitment to prioritizing how the organization will have visibility into data, its systems, its connectivity, network, and those of everything it touches.

3. Power of Sacrifice

Perhaps one of the most challenging concepts, requiring significant effort, in working towards altruistic Information Security is that of sacrifice. Sacrifice can manifest in many forms and undoubtedly requires the ‘hard’ choice, requiring us to forego the easy path and take the extra steps to achieve our goal. I believe the ‘sacrifices’, however, are essential to making any real, industry-wide change.

I believe that until we (as businesses) are willing to sacrifice a ‘won deal’ from time to time or to even sacrifice the potential for some not-so-great press, we will all continue to participate in the same actions that keep us stagnant in an insecure state. Organizations committed to achieving an altruistic InfoSec program will be faced with scenarios in which they will likely lose a new sale as a result of sharing a comprehensive but completely honest response to a security questionnaire. Likely a question that could have been ‘fudged’, but one that just might position them less favorably to their competitor. Organizations will also be faced with opportunities to sacrifice the quick end to negative press related to security breaches or mishaps. In the quest to altruism, organizations should more broadly share with the entire industry lessons learned from these mishaps. We are programmed to attempt to lessen the blow but every organization could benefit greatly from learning from points of vulnerability - and could collaborate more effectively on future solutions.

En Fin

If you’ve reached this far, I’m impressed. I too am a bit surprised at the time I spent writing about the parallels of altruism and the ideal state of an information security program, about the resistance met along the path, and about the steps I think we can all take to pull this off (knowing there is a fair share of effort required to do so). I’m exhausted just writing about it!

So, I can understand why I continue to see throughout the business community the inadvertent rejection of the altruistic approach to an information security program. It’s hard. It’s expensive. It requires all sorts of effort, it’s forever changing, and down-right exhausting. BUT with any big quest, there stands to be a big reward - and in the case of Information Security, I can’t help but be energized at the idea of helping to truly solve a BIG problem. As I’ve said before in previous blogs, I still believe it takes a brave few to lead the way - to embrace the challenge of an altruistic Information Security program - and to lead the entire industry to a higher standard of secure.

About the Author

Matt Combs is seeking to actually earn the title of "entrepreneur," now working on his fourth venture. Having successfully started and sold his last venture (YourCause to Blackbaud, Inc.), he is now committed to solving some of the fundamental challenges previously faced related to developing a proper information security program.