In conversation with Nathan Wenzler, Chief Security Strategist at Tenable (Part 1)

As part of a new blog series, Sekuro Field CTO Jason Trampevski chats with Nathan Wenzler, Chief Security Strategist at Tenable, to get his take on exposure management and the broader cyber security landscape. From the human-centricity of cyber security to the role of a CISO, this is your chance to be a fly on the wall for an insightful conversation (and sometimes deep philosophising) between two cyber security leaders. The first in the series, this blog focuses on common security challenges around the globe, and the criticality of human-level engagement in getting optimal outcomes in cyber maturity and resilience.

Leadership, not location, determines security maturity

Jason: Firstly, I’d be curious to find out whether you think certain countries are more mature at exposure management? I feel like potentially Australia isn’t as mature as it possibly should be, with the U.S. leading the way, as always. What do you think?

Nathan: From my experience, it’s not based on the country at all. There are a lot of very immature security programs in the United States in companies big and small, sometimes even shockingly big companies. So I’ve never seen a regional boundary of sorts. The maturity of the program really comes down to leadership.

If you have a business where the leadership understands that cyber security is actually a business risk process, then they tend to support CISOs and security programs that are more aligned with Finance and Legal than they are with IT and Operations. And if you support a security program that way, it’s actually kind of fascinating how quickly those programs mature, because your folks are staying out of the really tactical work.

These culminate in two very different conversations, one being: “I spend my time managing the number of scan jobs that we run every week,” and the other being, “I need to help advise my CFO on which financial systems are most at risk and could impact $20 million of revenue per month.”

When you take the latter approach, it forces the security program to generate better data, more context, and build prioritisation capabilities to help inform business decisions. You have to mature a program in order to support that kind of decision-making.

So it really comes down to the culture of the organisation in many cases, and I’ve seen very mature programs in Australia, Southeast Asia and the U.S., but I’ve seen embarrassingly immature programs in all those places too. That said, where governments do step in, and this has happened in the case of Australia, and try to create better guidelines, better best practices, and try to answer some of the critical questions around security, we see better outcomes.

The Golden Triangle: People, process, technology

Jason: I’m a big believer in the ‘People-Process-Technology’ Golden Triangle framework, and in the need to nail the fundamentals all the time, and I feel like that gets lost in translation with the myriad of matters that we handle every day.

Nathan: I always joke that when I was starting out in my career, we, the security team, were the department of “No.” We weren’t very popular people in the organisation. But I will say, the best analogy I’ve ever heard is that if you think about your organisation like a car, your security team is essentially your brakes. Now people hear that and they initially go, “Yeah, brakes stop you from doing things.” But really, brakes allow you to go fast. If you didn’t have brakes, would you drive a hundred kilometres an hour?

Jason: No.

Nathan: Right. You would barely crawl along at one or two and stick your foot out the side to slow yourself down, Flintstones-style. Having brakes in place is what allows us to be able to go fast. It’s the same analogy for organisations. Yes, it’s putting controls in place. But really, the goal is creating those guardrails and boundaries so that the organisation can move confidently and with speed. That’s what we are really trying to do as a security organisation, and getting that to be understood by the business and by the users is not easy, but that is the truth of it.

Jason: I think we’re getting there. I also feel like due to how connected we are with the world, teams are getting distracted. When there’s a recent security event, you are more inclined to respond to the recent event and ignore your security program.

Nathan: Look, so much of what we do in cyber security is a people problem. And what you just described is a psychological issue, right? This is the immediate threat, so I’m going to focus all of my energy on that, and suddenly I’ve forgotten about the things that are 10 steps behind me. That’s the classic approach to threat management we’ve been using since we were hunters. But to your point, it’s a big problem because most organisations don’t just have one threat. They’ve got dozens, and it is so tempting to just focus on the one immediately in front of us and lose sight of the rest. But the ones you lose sight of are also the ones that tend to sneak up on you or that you forget about.

We have to work on avoiding that knee-jerk reaction to the current headline as much as possible and stay within that broader view. If I understand all of it, even when a new threat is introduced into my attack surface, I can see it in the context of all the other threats and make better decisions. I think the more security programs mature and align with the business as a proper risk management function, they will start to build better processes that keep them away from knee-jerk responses and start to put everything into a decision framework where threats are considered in context as part of the bigger picture. That’s such a key thing that people miss.

The process of change

Jason: Definitely, we need to focus on those fundamentals. I feel like process is probably one of the hardest things to change in an organisation. Buying tech is easy, but leveraging it optimally is another story. You can buy the tool, but it doesn’t mean you’re using it effectively without the right processes.

Nathan: I think you’re right. Again, I’m a firm believer that the vast majority of challenges around cyber security are all people issues. The tools are pretty good today. We have process frameworks, we have structure, and yet we’re all people at the end of the day. And when you’re used to a process and someone tells you they’re going to change that process, they immediately get defensive and the walls come up. It’s uncertain. It’s uncomfortable.

I have said to people that if you want to run a good security program, you need to hire an organisational therapist. Bring a therapist into the organisation to work with people to help them through change. When you really focus on the human level, it’s amazing how adoption rates go up and you start to understand why people are really resistant to process change. And especially when you’re dealing with technical folks like engineers, IT ops, and developers.

From working in the trenches ourselves, I’ve heard every reason possible on the planet about why we’re not going to patch a system. But those are never the real reasons why they’re not deploying that patch. Because for every technical reason they bring up, there’s a way to get around that.

I’ll often ask, “It’s not really about the technical problem of deploying that patch. What’s really the problem?” And they’ll tell me that the real problem is that they don’t want to get blamed if something goes wrong. This is a cultural problem. That person doesn’t have trust in the organisation. They feel like it’s a blaming kind of culture and will become a finger-pointing exercise.

It’s amazing how, when you can get down to the heart of those kinds of problems, people suddenly do the thing they were worried about as long as their own needs are being met. That’s when they’re more willing to adopt the change. You have to get over that human resistance to change in general if you want to successfully change processes.

To be continued…

Nathan Wenzler

Chief Security Strategist, Tenable

Nathan has over 25 years of experience in the trenches as CISO of Information Security programs, helping organisations to optimise, mature and accelerate their information security and risk management programs. Nathan’s focus areas include vulnerability and exposure management, PAM, incident response, process and workflow improvements, executive-level program management, and the human-focused aspects of InfoSec.

Jason Trampevski

Field Chief Technology Officer (CTO), Sekuro

Jason is a strategic technology leader dedicated to helping organisations achieve their goals through the effective use of technology. His expertise lies in building resilience and driving business success. As a specialist in transforming complex business requirements into streamlined technology solutions, his focus lies in harmonising the essential components of people, processes, and technology to empower organisations to maintain agility and competitiveness in today's rapidly evolving digital world.