Computer security is difficult (maybe even impossible), but imagine for a moment that we’ve achieved it. Strong cryptography where required; secure protocols are doing whatever needs to be done. The hardware is secure; the software is secure. Even the network is secure. It’s a miracle. Unfortunately, this isn’t enough. For this miraculous computer system to do anything useful, it is going to have to interact with users in some way, at some time, for some reason. And this interaction is the biggest risk of them all. People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems. – Bruce Schneier (in Secrets & Lies book).
I agree with Bruce (well, it’s difficult to disagree with him on cyber security affairs anyway). People – the end user and the security practitioner alike – represent the weakest link in the security chain. When they work well together, the organization is better for it. When they don’t, it’s worse off. Of these two classes of employees, however, the cyber security practitioner has the duty of strengthening that weak link through prompt action and well informed decision making when required.
FUD is short for Fear, Uncertainty and Doubt. In cyber security, a FUD guy is a fall guy in the making. That title is not cool so I don’t think anybody wants it. Apathy is on the other end of the scale. The apathetic cyber security practitioner, on the other hand, is popular because s/he tends to “let things run”. As a professional, how much of a struggle is this for you? Do you always scream “time out” or do you always want the business to run by default?
Any one of FUD and apathy is a sin.
The most important (and arguably, the most difficult) aspect of cyber security is risk-based decision making. If you’re guilty of constantly rushing your decisions then chances are high that you’re either a FUD guy or an apathetic professional.
The FUD guy says “there’s a problem” almost every time while the other guy hardly ever sees any problem. One of the things I learned in the early part of my cyber security career is how unhealthy false negatives and false positives are. This lesson comes to mind each time I think of these two categories of professionals.
False Positive: The FUD guy is like an intrusion detection system (IDS) that lights up like Christmas tree, spewing up thousands of high priority alerts on daily basis. Analysts typically find most of these alerts to be mere noise, which are then suppressed through various tuning techniques. This is a false positive situation. Here the security tool falsely sends the kind of alert that the analyst is concerned about to the console. This results in waste of valuable time as the analyst needlessly gets busy doing so much without getting any meaningful thing done.
False Negative: The apathetic guy, on the other hand, is like an IDS that fails to do its primary job thus denying an analyst the much needed visibility into events of concern. In a false negative situation, the adversaries’ activities fly under the radar of the security analyst because his/her trusted tool fails to do its job.
Knowing when to flash the red or green light is a function of several factors, chief among which are the professional’s level of experience, the endangered asset, corporate culture, and the organization’s appetite for risk.
The FUD guy presses the panic button nearly every time a security issue is identified and tries to scare people into actions that may introduce bigger risk while his/her apathetic version hardly ever sees a problem in the identified issue. Both these professionals commit the same sin of not duly considering aforementioned decision making factors.
In Andrew Jacquith’s Security Metrics book, he wrote about the Hamster Wheel of Pain as thus (paraphrasing): identifying security issues is easy, because that is what highly specialized, domain-specific diagnostic security tools are supposed to do. Quantifying and valuing risk, however, is much harder because diagnostic tool results are devoid of organizational context and business domain knowledge.
In my opinion, the line between apathy and FUD is not fine at all. Each behavior is symptomatic of the mindset and perspective of the security practitioner. This mindset can be changed if the practitioner is made to see the importance of thinking through (and answering), among others, the following questions before drawing their conclusion or making a decision:
- What is the value of the asset at risk to the business and the bad guy alike?
- What other mitigating controls are in place and how effective are they?
- What could go wrong should the realistic worst case scenario come to fruition?
- What is the cost (in time, money, human resource) of the proposed control in relation to the realistic worst case scenario?
- What other risks could be introduced if we treat this one? Are they higher or lower?
While the foregoing list of questions is not exhaustive by any stretch, it represents a good starting point for the practitioner to arrive at a well informed and carefully thought out decision point.
One thing to always bear in mind is that as a security practitioner paid to keep an organization secure (enough), senior management relies on you to make the right call in the best interest of the organization. If your priority is to be popular always, then you’re in the wrong field.
Regardless of your position in the field – whether you’re an associate or a CISO – you’re a leader simply because you’re relied upon. More often than not, the calls you make will be unpopular in most quarters but as long as you fully understand why you’re making a call and can duly justify it, you would have been earning your keep.