We’re targeting our security efforts at three types of people. Who are we dealing with when we’re building security systems?
1. Attackers
What do attackers care about?
- Attackers don’t care about your written threat model.
- Attackers don’t care about your elegantly crafted risk statement.
- Attackers don’t care how many unit tests you have or if you are ‘testing on production’.
- Attackers don’t care about your organisation’s certifications.
- Attackers don’t care where your CISO worked before.
- Attackers don’t care about the content of your latest pentest.
- Attackers don’t care about the security control coverage spreadsheet you maintain to track every security measure.
Attackers care about one thing: how much effort it takes to achieve their goals, and whether the result is worth that effort.
If breaking into your system or organisation costs more than an attacker stands to gain, you will deter most of them. Not all: some attackers are motivated vandals, and others see your organisation as a stepping stone into your partners’ infrastructure, so their cost/benefit calculation is not the one you would make for yourself. Either way, the goal of security investment is to make attacking you unattractive.
All of the measures above are important: each improves security in one way or another. None of them guarantees that an attacker will not succeed.
2. People outside
What do people outside care about? Whether your organisation has made an effort to prevent security incidents, and how likely one still is.
Many of the measures listed above are primarily signals to your regulator, customers, suppliers and other enablers of your business:
- You have taken action; you are safe to do business with.
- You’ve put some thoughts into your security efforts.
- Your ISO and SOC certifications are valid.
- Your pentest report doesn’t look like raw automated scanner output, and it shows you are putting effort into fixing findings.
- Your CISO actually understands the nuance of your business domain.
Sending the right signals and having the right type of evidence is an important goal for any business.
But fundamentally, if your company has something to lose, you have done the security work anyway. Formalising it takes some additional effort: writing policies down in a prescribed format, picking controls that map to a particular standard, and so on.
However, when signalling to people outside is treated as the goal in itself, it diverts effort into the wrong priorities and, sooner or later, ends in disaster.
How many ISO 27001 certified companies have been breached? How many FIPS 140-2 validated cryptographic implementations have turned out to be flawed? Enough to show that no seal of approval guarantees real security. A certificate attests that a process was followed, or that a module passed a test suite at one point in time; it says nothing about the code outside the tested boundary or the changes made since.
3. People inside
What do people inside care about?
- Most people don’t care how clever a given security control is.
- Most people don’t care about the security certification the organisation is trying to attain.
- Most people don’t care whether the threat model reflects reality or is just conspiracy-theory copypasta.
All they care about is their job.
Depending on how exposed their job duties are to the organisation’s risks, people are more or less aware that “there is security I have to keep in mind”.
- For executives, it’s about risk management and signalling.
- For sales, it’s about signalling to prospects during the sales process.
- For product teams, it’s a competing priority that slows down development and hinders market penetration.
- For engineers, it’s time spent on things that bring no visible business value yet have to be done in a prescribed way (which they don’t always understand).
For almost everyone, security is an obstacle to getting on with their work and, where controls and procedures are noticeable, a minor discomfort in daily life.
So the incentive to minimise security effort, and the outrage that accompanies it, is intuitive.
Realistic approach
Any security measure, advice or tool we deliver to our customers takes these three groups into account:
- Attackers need to be stopped.
- External signals need to be sent.
- Internal outrage needs to be controlled and limited.
From our long experience with organisations facing security requirements and challenges, there is no “universal optimal balance”. It’s never a 33/33/33 allocation of effort.
- For a critical national infrastructure operator, a security incident during wartime matters far more than any amount of internal outrage.
- For a startup or a product fighting for market share, a certain level of internal outrage is unacceptable, and certain signals have to be sent regardless of whether they prevent any actual attack.
Although we’re most effective with organisations focused on stopping real attackers from breaking their systems, we’ve learnt a good deal of diplomacy.
We’re not the best compliance consultants or RFI-filling assistants, but we understand why such work is necessary. We’re not the best organisational psychologists or office politicians, but, as an outside team, we can find the right engagement priorities.
- There’s a threshold of outrage in every organisation that should not be crossed.
- There’s a minimum amount of external signalling needed to keep business going, and it has to be heard and taken into account.
- And where countering attackers can be done in a way that also helps signalling and lowers outrage, we pick that way, optimising the return on every unit of security spending.
Maximalism doesn’t work. Nihilism doesn’t work either. Finding a realistic middle way does.
Moving between high-growth startups, government agencies and critical infrastructure operators, we’ve learned a great deal about finding that middle way, which is unique to each organisation.