New Year's is the time for predictions which I don't go in for much. However it is a good time to reflect and think about trends and goals. Here is my New Year's goal for the infosec industry - start taking yes for an answer,
I have done a fair amount of risk briefings over the years. Ten years ago, I would do them, get escorted along mahogany row, and the execs would give you thrity minutes to talk information security risk. Around minute twenty they would be looking at their watches. These sessions usually were comrpised of two basic approaches - "20,000 yard stare, how long before this is over and this guy shuts up so I can go back to something that matters" or hostile, I am going grind and twist everything you say and then dismiss it all out of hand. Good times.
Not that that accomplished all that much, but it had to be done. Instead we learned over the years to work effectively by going direct to developers, getting them to care about security and build better stuff.
Herer's the thing, things have changed. I've gone back to those same mahogany row rooms, sat across from C level folks, and they get it now. Now they give you an hour and sometimes extend to two or three with ongoing follow ups. I worked with a CFO who was particularly adept at sitting on the edge of his chair for multiple hours, pounding second and third level questions, and slicing and dicing threat models into different risk buckets.
People care now. Everyone in infosec sees it. You used to go to holiday parties, people ask what do you do, you say infosec and they turn and walk off diagonally across the room. Now its like saying you are an accountant and you have to start fielding random tax questions when you are trying to relax. You get pounded with what about Target. what about my phone, what about my credit card? In the future I will just start saying I am an accountant.
Anyway, the difference between the C level experience ten years back and now, is not that I am a better presenter or have learned new frameworks, I am saying in many cases the exact same things. The difference is that people, especially execs, care. They are pulling the info out of us rather than having it forced upon them. The line between digital and real is evaporated and its all business risk now.
There are micro and macro implications here. At the micro level, anyone in AppSec has played the sad and depressing "my VP beats your VP" game. Its a case study in passive aggressive behavior. AppSec rolls yup with an uber long set of requirements, developers nod uh huh, uh huh. Wait for security folks to leave and go back to whatever the hell they were doing before. Rinse, repeat. Then its time to ship and scans fail. What next? Both sides escalate up to their VPs, guess what? 99 times out of 100 the dev VP beats the security VP, and the broken product ships.
So this is the first micro observation. Developers and middle managers still routinely play this game, *IF* you have taken the time to educate execs and get them on side, you may be able to win this stupid, passive aggressive game. I wish we did not have to play it at all, but here we are. We can learn from the dark arts of the Accentures of the world who have used this for years, go straight to the execs then rain the solution down from above. Having air support does not hurt. And I think there are some ways to play this game while still endng on speaking terms with the people you will still need to work with. First step is exec education. Having an exec mandate, the more brutally simple and to the point the better, goes a long, long way. See Bezos' service mandate for example. Having a mandate for improving AppSec in the back pocket when you meet initially should head off at the pass the passive aggressive game played in the middle of most organizations. If not, well you tried, call in the air strike.
The macro observation is that we need to start taking yes from an answer. The industry as a whole is still massively geared toward "proving there is a problem." Believe me, most sentient people get that now. I have been in so many meetings where people lead with breach reports, states and so on, the execs nod and say "ok what do we do?" then the security people come back with more brech reports, stats and still try to prove the problem exists. People get that now, we need to go to the next steps.
What happens when the exec or director says yes? Are you ready? Do you have an architecture to propose? Will it integrate with what you have? What people and process do you need to bring to the table to make it real? These questions are unanswered in many secruity organizations today, and its not that we get yes every time, but we are getting it more. Don't come back with yet another dimenstion of the problem, we have more support at all levels than we did before and should be ready to walk out of the meeting with checklists, patterns, and plans ready to execute on. We need to get moving on fielding better architecture and processes.