[BreachExchange] In Security, What We Don't See Can Hurt Us

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 6 15:32:16 EDT 2018


https://www.securityweek.com/security-what-we-dont-see-can-hurt-us

As unfortunate, sad, and tragic as traffic accidents are, they regularly
have one thing in common.  When one of the people involved in the accident
is asked how the accident happened, the response is often, “I just didn’t
see the other driver coming.”  The fact that this is such a familiar
response is not surprising.  Obviously, had one driver seen the other one
coming, in many cases, the accident could have been avoided.

At this point, you may be asking yourself what traffic accidents could
possibly have to do with information security.  In my experience, there is
an important lesson we can learn here and benefit from within our field.
Many organizations invest a tremendous amount of time, money, and resources
into mitigating risks and threats they are acutely aware of.  But how many
organizations have stopped to think about what they might not be attuned to?

Or, to put it another way, humans are quite good at planning for and/or
reacting to factors, obstacles, and events that they can see.  But how many
times have you spoken with someone after an event has caught them by
surprise (whether in life or in security) and heard “Wow - I did not see
that coming!”  If you think about it, it is not surprising that this
response occurs fairly routinely.

Many of us are quite prone to sitting in a familiar environment and gazing
out into a field of view that we have grown extremely comfortable with.
But what many of us don’t realize is that our environment and field of view
are often fantastically partial.  In other words, we are unaware of just
how in the dark we are and just how much of the picture we are missing.

In security, one of our goals should always be to broaden our perspective,
field of view, and horizons to minimize the risk that we will be blindsided
by something we didn’t see coming. Most of the large breaches and
embarrassing security incidents over the years have been caused by unknown
unknowns.  So how can organizations reduce the chances that they will be
caught off guard by something they didn’t see coming?  I’d like to offer 5
ways here:

1. Acknowledge your blindness:  It doesn’t matter how large your security
organization is, how mature your security program is, how experienced your
team is, or how long you have been a leader in the field.  There is simply
no way that one organization with one group of people, one set of leaders,
and one view of the world can obtain a truly broad field of view.  Coming
to terms with this is the first step towards reducing the organization’s
blind spot.

2. Be humble:  Overconfidence can be a terribly destructive force in so
many ways.  In security, overconfidence typically manifests itself in the
form of carelessness and neglect.  It’s far too easy to convince ourselves
that we’ve accounted for everything.  That we are on top of the different
challenges we face.  That we are protected against the risks and threats we
are most concerned about.  I’ve met with many organizations who exude this
level of confidence over the course of my career.  And more than just a few
of them have subsequently been the victim of attacks and intrusions that
would seem to suggest that a little humility would have gone a long way.

3. Survey the scene:  Many security organizations have developed
relationships with peer organizations or are members of third-party
organizations or industry groups designed to help them develop those
relationships.  Most organizations use these relationships to share
information about what they know, what they’re working on, or perhaps even
their priorities for the upcoming year.  But how many organizations
leverage these relationships to explore and probe what they don’t know,
where they may be lacking visibility, or where they may be in the dark or
missing something entirely?  In my opinion, this is one of the greatest
missed opportunities in the industry.

4. Embrace being wrong:  It can be hard to come to terms with the fact that
we may have missed something, that we may have been off target, or that we
may have been focused on a very partial field of view.  But it’s important
to embrace it.  We are human - no one expects us to think of and account
for everything.  But you know what people do expect?  That we will accept
that we have erred, be open to receiving feedback, and work to correct our
mistakes.  There is no shame in this pattern of behavior.  Isn’t it
preferable to catch our mistakes early on before we are caught by surprise
after an attack or intrusion?

5. Rinse and repeat:  Now that you’ve completed steps 1-4, take a moment to
revel in your reduced blindness.  But not for too long - take another look
and see where your new blind spots are.  Where can you focus next on
expanding your field of view and improving your information security
posture?  Where can you accept feedback and take action based upon that
feedback?  Where can you learn what else you might be missing or
overlooking?  And of course, beyond your own organization, what other
organizations and individuals could benefit from your newly gained
perspective?  Don’t forget to pay it forward and help them find their way
out of the darkness as well.

Perhaps one of the biggest ironies of being in the dark is that we most
often don’t realize that we are there.  In security, a narrow field of view
and a large blind spot can introduce significant risk into an
organization.  When an organization works to expand its field of view and
reduce its organizational blind spot, it goes a long way towards improving
the organization’s overall information security posture.