This post is long overdue and might never have been written had it not been for the recent news of the Capital One breach. I've had so many inbound messages about having been part of the security team, with everyone wanting to know what happened, that I had to sit down and write this up.
Moving from vendor to defender is an astonishing wake-up call. My life used to be focused on the niche vertical and on solving the cool, forward-looking problem. The more complex and innovative the hack and/or technology, the more valuable and awesome it was. That was the way I used to think. There are a multitude of things that changed my way of thinking, but I've tried my best to roll it up into three major points.
1. Security is hard
You walk into an organization and suddenly, instead of focusing on the newest threat, you are shoved into a boat that has thousands of leaks, some holes bigger than others. While the crew continues to row the boat to its destination, you are faced with having to figure out how to plug all the holes with only 10 fingers and 10 toes. Meanwhile, half the boat is already under water. Welcome to being on the enterprise security team. What have I learned overall? Wow, what a crappy job this is. Get up right now and go give your CISO a hug — they deserve it (their team too, while you're at it).
Let’s hit the top points in what makes security hard:
- People & Process: Everyone has heard the comment that it is all about people, process & technology. I would like to rephrase that into just people & process. Technology makes no difference if it sits on the shelf or is implemented incorrectly because the process was not there or the people were not educated. By a long margin, MOST of the problems in security stem from this. It is not a technology problem. We have the tech to stop, prevent, detect and contain most of the breaches you see today. It all lies in the people & process around it.
- Culture: How the company thinks and feels about the security team, and how the team feels about itself. This creates the culture. The security org is in a very odd position, for it is held accountable for risk but has no ownership over the means to reduce that risk. This is the paradox in which we sit. So does the organization look at the security team and say “security is your job”, or do they say “security is all of our jobs”? Btw, many will pay lip service to the latter but in practice mean the former.
- Understanding that the security team’s job is to be a bodyguard: they can recommend and advise the routes you should take and jump in front of the bullet when it comes. They cannot, however, stop you from doing what you want to do — they can only follow along and try their best to reduce risk and enable you to do whatever you want safely.
2. True innovation lies in the fundamentals
The #1 thing that surprised me the most about joining Capital One was how incredibly fast and fluid the company was. It was an extremely refreshing thing to see. In an environment where tech changes quickly and projects and teams come and go in a blink — the fundamentals tend to get ignored.
I came to Capital One for innovation and quickly realized that true innovation lies in the fundamentals. All the boring stuff is actually the sexy stuff. The foundations, the plumbing, the wiring, just overall the stuff you never hear about in presentations at Blackhat. This is the stuff that matters. When technology is dynamic and ever-changing — no fundamental is ever done to completion.
Ready for simple examples? Logging, asset identification, patching, change control, IAM, vulnerability management. Dumb, right? This is a solved problem, right? Nope. I’d challenge that: by and large, most organizations can’t even claim that they do what I just listed well.
Don’t give me a new AI/ML zero-day attack mitigation product — give me a product that helps me do patch management 10% better, or that just gives me better visibility around IAM. I can tell you that when I start my next company it will be focused on doing the boring stuff better.
3. Good security requires good engineering
Back to my bodyguard analogy: if the President decides to go on vacation in a war-torn area that is considered the #1 most dangerous place on earth, and wants to walk around freely, the President can do whatever they want, but I can tell you that the bodyguard’s job just got a lot harder.
Any security person who walks into a well-executing engineering team will leap for joy, as this makes their job a LOT easier.
Engineering must have best practices and fundamentals in place in order for security to work well — standardization, good processes, change management, accountable leaders & enterprise architects, up-to-date documentation, and an engineering culture of pride.
I was talking with someone the other day who had accepted a challenge that any ‘high’ vulnerability found in code would be remediated in production within 24 hours. How can this be done?
- The culture of the engineering org takes security issues in their product personally. It is a sense of pride for them.
- They have the engineering pipeline & processes in place to commit, review and test code quickly.
- Clearly the relationship between engineering & security is a good one. Engineering trusts that the issues found are real, and security has the pipeline to verify and test patches quickly.
What many companies don’t realize is that an engineering team with great best practices and standardization in place can actually execute FASTER than engineering teams without them.
Capital One was a great experience and taught me a lot about how a bank can be a fast-moving tech company. It also showed me that even security teams with unlimited budget, large teams and broad reach still struggle with the same things everyone else does. Now I’m off to Databricks to learn what struggles a fast-rising unicorn tech company deals with.
Don’t forget to go give your CISO a hug.