Black Hat keynote: Why security culture needs to change
- 08 August, 2019 20:31
Grumpy security curmudgeons, your days are numbered.
In a Black Hat keynote heralded by rock concert lighting and sound effects, security engineer Dino Dai Zovi from Square told a packed arena in Las Vegas that culture is a key lever to automate security in an organization. "If you reinforce that security is everyone's job, you move towards a more generative culture" in which risks are shared, cooperation is valued, and messengers don't get shot on sight.
"Culture is leverage for people," Dai Zovi said.
At a time when the world is experiencing a vast cybersecurity skills shortage, that spells the end of the bottleneck information security team whose knee-jerk and abrasive "no" screeches throughout an organization like fingernails on a chalkboard. "We're not outsiders anymore," he said. "We are now inside communities and organizations and we need to think how to best to use that opportunity to improve security."
Finding ways to make security everyone's responsibility, and ensuring failure is treated as a learning experience, and not a blame game, is the best way to scale security across an organization.
"We need to engage the world starting with 'yes'," he added. "It keeps the conversation going. It's collaborative and constructive. It says, 'I want to solve your problems and make them safe,' and results in real change and real impact."
"Instead of 'no' start with 'yes'."
DevSecOps key to future success
Saying yes means saying yes to DevSecOps. Software is eating the world and security along with it. Integrating security into DevOps on both a cultural and technical level is essential, Dai Zovi argued. Defenders are outnumbered and need to leverage software to scale their defenses. "Automation of software can be a force multiplier when opponents have more resources and people than you."
At Square, security engineers had to write code like everyone else, he told the Black Hat crowd. "Because the security team wrote code like the rest of the company, there was a lot more collaboration and empathy."
One often overlooked component of a successful DevSecOps culture, he said, is to build not only for reliability but also for observability. Without a tight feedback loop to measure the success of automation, things can quickly go off the rails. Focusing solely on reliability is like "building a bank vault and then abandoning it in a parking lot," he argued.
Information security teams cannot secure what they cannot see. Saying yes ensures that frustrated DevOps engineers don't decide to spin up on a random cloud instance with company data on it, and it ensures that security is built into every step of the DevOps process, and not bolted on afterwards.
Enterprise security is like skydiving
Skydivers gonna skydive, and enterprise security pros can learn a lot from incremental safety improvements to parachutes over the last 50 years, Dai Zovi, himself a skydiver, said. He cited the example of legendary skydiving safety pioneer Bill Booth, skydiving's "mad scientist" who invented many of the safety features now de rigeur throughout the world today.
Nobody regulated these changes, he pointed out. When Booth asked, "How can I be safer jumping out of an airplane?" there was no curmudgeonly security expert to say, "Well have you considered not?"
The metaphor, of course, is far from perfect; Safety and security are not the same. As a general rule, adversarial skydivers don't try to shred your parachute in mid-air. Nevertheless, the metaphor is worth a ponder. How can enterprises enable activity that may at first glance seem unsafe--jumping out of an airplane--but on further reflection may not be as dangerous as they seem? Humans tend to overestimate risks like terrorism or zero-days and underestimate garden variety risks like heart disease or credential stuffing attacks.
The security team exists to enable the business, not the other way around. Thinking carefully about the true nature of the risks involved, and how to mitigate them, ought to be job number one.
Empathy and coding skills in short supply
If Dai Zovi is right, as we suspect, that means tomorrow's cybersecurity pros need better coding skills and--crucially--more soft skills. Empathy, communication, understanding have long been in short supply in the security trenches, and it's clear this legacy culture is now counterproductive to the mission of Securing All The Things.
Automating security functions using software is easy. Creating a seismic cultural shift where security is everyone's responsibility, and security teams are kinder, gentler, empathetic folk than in the past? A bit trickier.