[BreachExchange] 10 Security Behaviors That Anger Us

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 18 20:16:15 EDT 2018


Anyone who does a fair amount of driving knows how frustrating traffic jams
can be. Traffic jams can occur for any number of reasons, including a
merge.  If you’re like me, you probably get angry with those people who
don’t merge early on in the process, but rather, cut in at the last
possible moment.

Of course, if we take a step back and think about the situation
strategically, it’s hard to get angry with these last minute mergers.  How
can I make that statement?  Since most people struggle with merges, these
drivers are essentially doing what we have incentivized them to do.
Namely, they take advantage of every last piece of available roadway to
bypass those who struggle to merge and the backups they cause.  In fact,
there have been studies that show that last minute mergers are actually
good for traffic.

What could traffic patterns and merges possibly have to do with security?
I would argue that they teach us to be more understanding of people when
they do exactly what we incentivize them to do.  And that is something that
we can learn a lot from in the security field.  How so?  That is a fair
question, of course.  To answer it, I offer “10 security behaviors that
anger us, but that we incentivize”:

1. Focusing tactically:  On numerous occasions, I’ve heard different
organizations state that the security team is too tactically focused.  That
may certainly be the case.  But if your primary metrics involve the number
of alerts fired and the number of tickets opened and closed in a given
week, can you really fault your team for working towards the numbers you
measure them on?

2. Fire fighting:  No one wants their security team running from one
emergency to the next without any time to focus on everything else going
on.  But sometimes it’s hard to fault security teams that succumb to this.
There are some issues that arise that legitimately need to push everything
else aside.  Far too often though, security teams are on the receiving end
of a seemingly endless array of “emergencies” that result from a lack of
understanding and/or faith in both the issue and the abilities of the
security team.

3. Event “du jour”:  I haven’t met a security team yet that enjoys getting
sucked up into the spin surrounding an event “du jour”.  But it’s hard to
imagine how they could choose to do anything but that.  When a high profile
event happens, the questions “What are we doing about this?”, “Are we
affected by this?”, “Are we protected against this?”, and others start
coming faster than the security team can respond.  All incentives point
them toward responding to the rapid fire coming their way.

4. Market segment “en vogue”:  Many in the security industry mock or poke
fun at companies running towards the latest “en vogue” market.  But before
you laugh, look at what we incentivize them to do.  For startups, funding
and PR often overwhelmingly follow the latest hot market.  For established
companies, customer budgets often do the same.

5. Writing down passwords:  This is one of my favorites.  Everyone loves to
laugh at those “stupid” users that write down their passwords.  But perhaps
they should be laughing at us.  As an industry, we cannot prove that
insanely complex password rules actually improve our respective security
postures.  In fact, to do that, we probably need to move away from
passwords entirely.  But when we don’t provide our users any workable way
to grapple with our insane policies, what do we incentivize them to do?

6. Being unprepared for incident response:  No one likes to get caught by
surprise and appear unprepared when a critical or serious incident occurs.
But building a mature incident response capability takes a strategic effort
that won’t show its value immediately.  If an organization incentivizes
only tactical gains and not strategic ones, they shouldn’t be surprised
when they are unprepared for incident response.

7. Acquiring stovepiped technology:  How many times have we seen an acute
problem in security boil over to the point where everyone is screaming for
an immediate solution.  While we need to make sure we address acute issues
in a timely manner, we want to make sure we don’t “knee jerk” and acquire a
quick fix that is almost “disposable”.  We don’t want to end up with a
solution that we will get very little value out of in the future.  We want
to make sure we don’t end up inadvertently incentivizing our teams to put
additional stovepipes in place.

8. Under budgeting security:  Everyone loves the low prices of big retail
chains, but at the same time, loves to complain about lack of assistance
available.  We can’t really have it both ways.  We want our vendors and
providers to give us a lot of value at a low price point.  So, not
surprisingly, that’s where they invest most of their resources.  Security
is an overhead cost.  Of course we all know how important it is, but we
don’t necessarily incentivize our vendors and providers to make it a
priority.  We measure them on a different scale entirely.

9. Under training team members: It costs money to send team members to
professional training, and it takes them away from their job for a bit.  If
we can see the strategic value that properly training team members brings,
it is a no brainer.  But if we incentivize based on only near-term gains,
it’s likely that few, if any of our team members will get the training they

10. Not collaborating enough: There is a lot of talk about information
sharing and collaboration, but unfortunately, there is less action than we
would like to see.  There are many reasons why this is the case, but it
doesn’t help that most organizations incentivize their staff to keep
information close hold, as well as to keep up appearances around the true
state of the security program.  There is no shame in showing your cards a
bit, as it allows you to improve.  But you have to incentivize for the
right outcome.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180518/dd8f53fc/attachment.html>

More information about the BreachExchange mailing list