In my last post, I talked about the fact that none of us knows how to solve the problem of cybersecurity. It's a tautology, so it shouldn't be surprising. If we knew how to solve the problem, the problem would be solved. Therefore we don't know how to solve the problem.
But it is surprising, and so it feels like a ‘hard truth’ rather than ‘the truth’.
When confronted with a long-standing problem (like cybersecurity), it is typical to assume that if we had more will, more resources, more intelligence, or perhaps more of all of the above, we could solve the problem. We don't stop to think about the fact that if what we are doing isn't working, doing more of that same thing probably isn't going to change the situation. It can be tough to admit when we don't know what we are doing.
I want to talk a little bit about commitment. I was thinking last night about what I would do if I were King. Maybe not actually King. But if I had enough power to change the world, what would I do to fix the cybersecurity problem? That naturally led me to think about root cause.
As I lay in bed, I realized that lack of commitment is one of the most common issues I see amongst the customers I work with who are struggling. It doesn't mean they aren't working hard at cybersecurity. It doesn’t mean they aren’t devoting considerable resources to the problem. But even if it doesn't feel like it from the inside, what I see is that they are pursuing half-measures.
On the other hand, the companies I see making substantial progress are those who have figured out how to fully commit.
Commitment to security sounds simple - but it's not, because it is a question of corporate values. Anyone who has worked in a large enterprise will recognize that changing corporate values is the hardest, most disruptive, and perhaps one of the most powerful things you can do. I don't want to trivialize the problem or make anyone feel bad when they recognize they are working for a company that doesn't fully commit to security. But if you're going to reduce your cybersecurity risk, it's worth being honest with yourself about what's holding you back.
Maybe you are thinking to yourself, we are committed! We've spent $NN dollars on security. I have a CISO. I have a security team. I train my developers. I train my staff. What more do you expect from me?
That's all well and good - you have taken some of the right steps. But you aren't committed. Not yet. To commit to security, to truly move the needle, it means you need to change everything. You need to change how you think. How you act. How you develop software (or purchase it). How you lead your teams. You need to change everything.
Most of us have grown up in a world where we could ignore the majority of the threats around us. We live in countries where the rule of law is the foundation upon which everything else is built. Maybe some of you have lived in or visited parts of the world where the rule of law has broken down. Think about how you had to think and act in that environment. Everything changes. That's the security environment we live in today.
Every single application you deploy on the Internet is a target for criminals and government actors that can come at you with virtual impunity. They are beyond the reach of the law. They have everything to gain and nothing to lose. You have everything to lose and nothing to gain. Sucks, right?
If you are building and deploying software as if your users will respect the rule of law, then you have not yet opened your eyes to the reality of the digital world.
What do I mean by commitment? Consider the level of commitment it takes to build and deploy a significant technology project. A bank moving to online banking. Netflix when it committed to streaming movies. A medical device manufacturer connecting their patients to their doctors in real-time. Amazon committing to cloud computing.
This is what it looks like to commit a company. It means everyone from the board and C-level executives, down to the individual staff, is dedicated to this course in order to move the business forward. That is the level of commitment that cybersecurity requires of you.
Maybe that feels unfair. And it probably feels like a cost that was not factored in - a cost that means some of your software systems are no longer fiscally viable. I agree it's not fair. But that is our reality.
Maybe you can get away with business as usual for a while longer, and perhaps nothing will happen for a while longer, too. But that means you are ignoring the risk, rather than addressing it. You are building on a crumbling cliffside and pretending that the cliff doesn't exist. The cliff doesn't care. At some point, that decision will catch up with you.
I think the security industry deserves some of the blame for this situation. Most security leaders do not fully understand software security. And that's understandable. It is a large and complex area, and without a background in software development, it can be hard to get your arms around it. So what do you do? You look for software security experts. You talk to vendors. Each of these vendors is an expert, no doubt, but their job is to sell you their solution. Very rarely will they tell you that what they are selling won’t solve your problem. Sometimes, maybe, they will tell you it will solve only a part of your problem. But most of the time their pitch will be that if you buy what they are selling, you no longer have to worry. You've outsourced software security into their hands. They will take care of you.
This is a convenient fiction. You cannot outsource software security. There is no tool that will make you secure. There is no training that will make you secure. There is no process that will make you secure. What they are selling you is a shortcut. It is a way to avoid the level of commitment and investment needed.
If you have invested in what a security vendor is selling you, I'm sorry to tell you that most of what you are doing is probably security theater. Maybe you bought DAST, SAST, IAST, or RASP. Perhaps you purchased staff awareness training. Maybe you are in that top tier of companies who are using the tools you bought to actually find and fix vulnerabilities consistently. Maybe your staff really does watch the videos you told them to watch, so they know how to do things like erase their whiteboards and clear their desks. You still haven't moved the needle. Not by much. If your corporate strategy is to ‘do something about security,’ rather than ‘transform the company around security,’ then you are not yet fully committed.
It’s a question of values.
I wanted to end the article here, but I have a few additional thoughts. Everything I wrote in the paragraphs above is true. But I hate that it’s true.
It’s a shame that security is so difficult and that it’s all so complicated. I wish that development teams could focus their attention on adding value for their users, staying focused on features and user stories to delight and inspire. I wish we didn’t have to spend so much time worrying about the bad guys. It’s a tax on productivity - and it’s a tax that’s growing steeper every year.
When I started on this software security journey over twenty years ago, I was taught that we needed to build a virtual castle in order to protect our digital assets. You can't slap security on at the end. You have to build it in from the ground up, with minimal attack surface, and with many layers of defense-in-depth. And yet, I never questioned why this was necessary. Why do we need to build every application like a castle? Why does it have to be so hard and ever so expensive?
Imagine if we lived in a world where your house had to be built like a castle. A world where if you couldn't afford to live in a fortress, you wouldn't be safe. Sounds like the Middle Ages, doesn't it? We've moved past that model when it comes to our physical security. On the Internet we accept it without question.
Rather than building bigger and better castles, maybe the real challenge is to figure out how to change the playing field?
This post is part of a series in which Joe and I will explore the gaps in the software security landscape, searching for solutions that might possibly get us to a better place.