Overcoming the Blame Game – Improving Security without Destroying Careers

Today, I was sitting in an awesome class being held at @BSidesHSV, and it got me thinking. The class, entitled "Fundamentals of Routing and Switching for Blue and Red Teams" and put on by @paulcoggin, was a deep dive into layer 2 and layer 3 configurations and the possible means of compromising them. The content was outstanding, and Paul did an awesome job communicating a very difficult topic.

Throughout the class, Paul relayed many stories of compromises and attacks (all done in a completely generic manner, of course), and I couldn't help but put myself in the shoes of the poor sap who made the choices leading to the compromise or unexpected result. I thought to myself that this could easily be me in a different scenario. In spite of my knowledge and experience, I feel like we are all just one "screw up" away from the unemployment line.

I have over 20 years of experience in a multitude of technologies and consider myself to have advanced skills in many areas. That said, I am not deluded. Today's class served to remind me that no matter how much real-world experience I have, there is always something I can learn and something that I don't know. And it's that one thing that I don't know and don't implement that could be a career-limiting move.

Mulling over those thoughts, I realized that this just should not be. Unfortunately, the world operates this way. But why? I think it comes down to this: a moral society is always looking for justice for moral wrongs committed within that society. This is what makes civilized societies stable, safe and orderly. Unfortunately, we have generally adopted that same "justice at all costs" attitude in the InfoSec world when poor security practices lead to compromise or outages, but we forget that those getting the blame haven't committed any moral sin against society.

The scenario goes like this:

1. Big Boy Company, Inc. experiences a data breach.
2. The CEO of Big Boy Company does damage control, then blames the CISO.
3. The CISO denies fault while seeking an underling to blame.
4. Eventually, the CISO names Employee X as the lynchpin.
5. Employee X loses their job, their reputation and possibly their career.
6. In the background, the CEO, the CISO and the rest dump stock before the story breaks.

All this happens because everyone wants "justice" and wants a simple answer as to why this terrible thing happened. The problem is that technical shortcomings, unless blatantly done for malicious purposes, neither equate to nor align with the moral crimes against society for which we seek justice in a criminal court. Yet the public and the organization want somebody upon whom to hang all the blame.

This fallacy is preventing us as a profession from moving forward and solidly improving security practices. Why? Unless the person getting canned (blamed) is completely incompetent (in which case, why were they in that position in the first place?), removing them means you just removed the most experienced and well-versed employee you had at that level. In case you haven't noticed, there is a shortage of qualified and educated InfoSec workers. Now your organization has to find a replacement, train them and get them up to speed.

In the meantime, don't you think you just greatly increased the likelihood of another attack, since you just let the world know you took out your star? Malicious actors read the news, fully expect the upheaval and will take advantage.

While the poor employee who lost their job and reputation fights to retain their career, the C-level people share kudos among themselves, celebrating their "resolution" and perceived increased security posture after having removed the "problem employee." They keep their jobs and comfortable careers. After the smoke clears, life returns to normal, until the next breach, that is!

I submit that this is not how things should be. I keep going back to @kevinmitnick and The Art of Exploitation, written almost 15 years ago. We are still making the same mistakes today. What the heck is wrong with us?

So how should we be approaching things? Businesses need to adopt a mindset that accepts the fact that tech employees need to spend about 25% or more of their work hours in training: learning new skills, reinforcing existing skills and keeping up with the latest trends in security and technology. Next, employers need to listen to what these employees learn and adopt those things that will enhance their business security posture.

Training develops awareness. Awareness requires communication, followed by management acceptance and action. Any breakdown in this chain leads to trouble.

Unfortunately, businesses today expect workers to "learn on their own time." They might reimburse the employee for their costs. Some even go as far as to provide access to things like Pluralsight or other training platforms. That is a step in the right direction, but one that overlooks two components: time and accountability.

Full-time employees have 2080 hours per work year. Most are overworked, have too many expectations placed upon them, and are spending the bulk of their time responding to reactionary problems rather than proactively learning and fine-tuning their organization's security. And they are doing this knowing that they are one "screw up" away from walking the street.

Employees also don't have clear expectations communicated to them. They are often not held accountable for their own self-improvement. Lack of sufficient time and accountability leads to less-than-stellar improvement in skills.

This is a travesty. Management needs to change its perception and implement policies that give employees confidence and the freedom to fail without fear of being thrown under the bus. Managers are coaches, and their job is to develop talent. Build a time and dollar budget for every employee and provide them with the tools they need to better serve the organization. These investments will always be far less costly than any breach.

Management should protect their employees, take responsibility when bad things happen and implement positive policy change to increase security. Happy, fulfilled and growing employees are the best security investment you could ever make!

Jim Nitterauer

About the Author: Jim Nitterauer, CISSP, is currently a Senior Security Specialist at AppRiver, LLC. His team is responsible for global network deployments and manages the SecureSurf global DNS infrastructure and the SecureTide global SPAM & Virus filtering infrastructure, as well as all internal applications, and helps manage security operations for the entire company. He is also well-versed in ethical hacking and penetration testing techniques and has been involved in technology for more than 20 years.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
