
Infosec’s Most Dangerous Game: Groupthink

October 12th, 2012

These days, I am very, very afraid for the future of CISOs. Over the past few years, and specifically the past 12 months, I have become increasingly alarmed at the level of “groupthink” and “synchronized nodding” going on with security executives. Here are some of the things I am seeing:

  1. Lots of talking about the same shit, with absolutely no innovation at all. Good examples include metrics (we need them! they’re IMPORTANT!) and talk about policy and governance that usually means absolutely nothing.
  2. A desperate need to find “the metrics” to report to “senior management” – there is no such thing. Your management, in all likelihood, does not want any tactical numbers on antivirus events, IDS alerts, or such blather. They want real risk advice on business goals and functions. Period.
  3. Managing by managing what everyone else is managing. You would not BELIEVE how many security products get purchased because other security executives are buying them.

Most CISOs are smart folks. You got to that spot because you’re competent, or maybe more politically astute, or ideally both. We need to break out of this. I remember a while back when everyone in infosec lamented that we “never communicated”. Now, I almost think we OVER-communicate. It’s easy to play it safe by following what others are doing – I hear this in SANS classes, IANS forums, and sporadically with consulting clients. Not overtly, but sort of “between the lines”. We need innovation, and that means getting outside the echo chamber of security. I give a talk at a few IANS forums that adapts the concepts from the book “The Lean Startup” into the world of enterprise security programs to try and kickstart this. I don’t know that I do a great job, but I’m going to keep trying. Here are a few key pointers from that talk.

First, think of your security program like a startup, and the overall program and its performance as your product. Ask yourself a few questions, and answer them honestly every day:

  1. Do Consumers Recognize the Problem We Solve?
  2. If there’s a solution, will consumers buy it?
  3. Will consumers buy the solution from us?
  4. Can we build a solution for the problem?

Your “consumers”, of course, are your constituents, ranging from employees to senior leadership, to customers and partners. Think about how THEY look at security, why they care or don’t care about it, and you’ll be on the right track.

The next thing to do is leverage the “Entrepreneur Pyramid”, shown below:

Create a security program mission/vision statement, and make it realistic. Define a short and long-term strategy, and be willing to “pivot”, or change, that strategy often – maybe every 6 months or even more regularly. Look at your product today as the MVP – Minimum Viable Product. Then optimize and build. To do that, leverage the Feedback Loop:

Focus on the major phases:

  • Build from ideas: Get creative. Think about different ways to accomplish your goals, and get feedback and input from people, and NOT just security people.
  • Measure your product, often: How effective are you? Are you missing attacks? Are you educating the business? Are you facilitating business, and becoming more trusted by business unit leaders? This is metrics, perhaps, but ask yourself what success looks like…?
  • Learn from the data: Data should drive insights. If it isn’t, you’re wasting time collecting it in the first place.

My final concept to try is “The Five Whys”. For every brainstorming session or security meeting, when trying to solve problems, come up with new ideas, or determine a root cause, drill into each idea five times. Not to be annoying, like a 3-year-old that won’t quit, but to see how deep you can get, and force that “out of the box” thinking. In many cases, by the 3rd or 4th “why”, you’ll be really digging for answers or more ideas. That’s OK! Just keep digging.

This isn’t a perfect science, but if we want to be real business leaders advising on risk, we need to start thinking of new ways to do it. I recommend reading Eric Ries’ book, too – it’s really good.

  1. October 12th, 2012 at 13:17 | #1

    Definitely agree about the “metrics” thing. In any number of infosec conference talks, people talk about “metrics” and further, about getting the “right metrics”. NEVER is an example of an ACTUAL metric provided! Never!

    My take on metrics: Do you want your people spending time cataloging their failures – or correcting them?

  2. October 17th, 2012 at 10:55 | #2

    Awesome post, Dave. That’s really the current picture of our field: people doing what the others are doing. I like your idea of treating the security program like a startup, but an interesting thing to consider is how many CISOs would have the opportunity to do that. Their bosses would expect something different, their peers, security committees and external consultants/auditors. It’s not easy to escape the rat wheel!

  3. Russell Eubanks
    November 3rd, 2012 at 06:54 | #3

    Love the picture.. Makes me think of We the Sheeple.
