“I’m Looking for the Brave”
I jumped headfirst into the Information Security space as a result of being pummeled for years by the gross inefficiencies and ineffectiveness present throughout the industry. I reached my limits, dumbfounded as to how a better solution had not been established for an industry that is not just important, but absolutely critical, and getting more so every single day. Committed to bringing about a better solution, I have come to realize that no matter how amazing the technology you create may be, or how logical the solution you may be proposing, it’s all for nothing if you are unable to locate and support the true leaders within this space who are ready and willing to be brave—brave enough to bring about actual change with mass efficiency and overall effectiveness. This is my call-out to those leaders who are brave.
Inefficient
To begin, let’s start with the simple fact that an Information Security Program is the backbone of an organization's ability to protect its employees, customers, and partners, both virtually and physically. A robust Information Security Program keeps our world safe. Period.
Now, examining the current process of developing, managing, and assessing an Information Security program makes it obvious how inefficient today’s systems truly are. And when considering the role these programs play in all of our safety, perhaps it’s a bit more understandable why I have become so impassioned by this mission. In the absence of sufficient tools, large and/or “more dominant” organizations have been forced to develop their “custom spreadsheet” of controls—most often generated from snippets of the industry’s leading and accepted frameworks (NIST/CIS/PCI/etc.) – seeking to ensure all bases are covered in assessing a potential vendor. Then, those extensive spreadsheets are distributed to the tens, hundreds, or even thousands of vendors they engage with. Which means, vendors, in the effort to win and maintain the desired business with the larger company, receive these “custom spreadsheets” in bulk, requiring them to dedicate countless hours of manpower to answering numerous versions of an assessment that, when boiled down, are nothing more than a variation of a standardized set of industry accepted controls.
So, these spreadsheets, containing upwards of 800 control questions, are circulating among the vendor community (who at any given time are working to complete five to 20 assessments) and are requiring resources to repetitively fill in the same responses to questions over and over and over. And once the responses are complete, additional resources are required by the assessor to then aggregate and “assess” all responses to actually identify any risk and/or properly form an opinion on the security posture in question.
One may assume the big organization is staffed with an army of people who can receive these Excel files upon completion (to then run some glorified filter-and-answer check on them en masse), and while this may be true, the large organization also suffers. An inordinate number of resources are directing their focus away from the actual management and advancement of the Information Security Program, which results in further stagnation of the industry’s progress towards becoming more secure.
And the small organization? Struggling to meet assessment completion deadlines, lacking ample internal security resources, and striving to grow their own business, small organizations are faced with over-extended teams and "cutting corners" just to stay in the game.
No matter from what angle you look at the current process, the market has decided to solve this problem by throwing human resources at it, versus building and integrating effective technology. It reminds me so much of my last business (www.YourCause.com). When I started that business, the market was adamant that writing a physical check was the preferred method for people to make their donations. I chose to challenge the market, confident that donors needed easier and more accessible donation options, convinced it was only a matter of time before the system would collapse from the weight of its own inefficiency. I enlisted a few brave customers in those early days, and we set out to change an industry by bringing efficiency to where it was absent – and we did. When was the last time you wrote a check to make your donation?
Ineffective
An ineffective Information Security program can also be characterized as insecure – a liability, risky, and dangerous. A general level of ineffectiveness may be tolerable in some scenarios throughout the business world, though I fail to understand how there can be an “acceptable” margin of error when it comes to the protection, management, handling, and execution of one’s Information Security Program. Businesses of all sizes and stages are often making a tradeoff: sacrificing efficiency and effectiveness for speed and growth. I can totally empathize with this balancing act. But (and I firmly stand behind this position), this tradeoff cannot be accepted. When it comes to how we are protecting the information flowing throughout our networks, our partners’ networks, and throughout the information ecosystems in which we operate, there is no tradeoff to doing it right.
Unfortunately, I find it easy to argue that today’s processes are designed to simply accept ineffectiveness. The process of how one business assesses another business, quite frankly, encourages dishonesty and short-term solutions—two outcomes that any information security professional would cringe to hear. Today’s system of passing around hundreds, if not thousands, of Excel spreadsheets containing questions derived from the same general set of frameworks and forcing businesses to put their time and attention into repetitively responding with what they know will be acceptable at that moment strips away the fundamental elements allowing for genuinely effective security. Two of those fundamental elements are:
With these fundamentals missing, are we 100% confident that we are not perpetuating the practice of simply "flying under the radar"? Is the industry simply accepting that, as long as the picture painted (over and over and over again) of a security program doesn’t raise any red flags or inhibit the acquisition of new business and that it satiates leadership’s need for security talking points, proper security is achieved? I’d go as far as to guess that, in terms of security, many businesses find themselves holding their breath, submitting an assessment and hoping nothing major happens over the next 12 to 24 months (likely the next assessment period) that would expose any contradictions (known or unknown) present within the hundreds of responses made as they hustled to complete any given assessment.
The focus of the organization should be on operationalizing additional security controls, frequently, that are adding yet another brick to the proverbial “security wall”—all with a vision of making the wall as tall and impenetrable as possible. With that wall in place, anyone should be able to see the work you have done, to admire your continued efforts, and gain confidence from said wall, ensuring that your organization is not only safe but that all those who rely on your wall are safe, too. Said another way, your actions should speak far louder than your words.
The current system is nearly the exact opposite. Our words do all the speaking for us. We don’t demand that people come and see our “wall of security,” rather, we repetitively try to describe it throughout the year. The industry’s focus is simply misaligned with its mission. To get what we need to know, we’ve created a system of busywork that is costly, consuming, and ineffective. In this space, ineffective translates to vulnerable and insecure—the antithesis of brave and opposite of what Information Security is aiming to achieve.
Archaic
Just about every other industry, product line, or business category has gone through a digital transformation of one kind or another over the past 20 years. Massive businesses have been built to facilitate this evolution, most of which we continue to depend on today. Yet for some reason, and despite the importance security plays within the entire digital transformation process, the process to ensure the business ecosystem is continually secure, is archaic.
Spreadsheets dominate, followed by extensive pivot tables, manual reviews, and teams of security analysts seeking to find outliers and gaps that may point to a potential deficiency along the way. For the few who have tried to break through this paradigm, the burst of innovation has quickly been met with stagnant processes, inflexible technology, and non-adaptive user experiences that, when all is said and done, amount to nothing more than a contribution to the ongoing problem versus a solution to the crisis at hand.
And a crisis it is. Archaic processes equate to complacency. A complacent industry lacks the ability to be aware of and fully understand the vulnerabilities within one’s network of vendors, partners, and service providers. Complacency with archaic processes has solidified an industry’s willingness to embrace a reactive stance to the ongoing and growing threats that organizations are facing, rather than proactive preparation in the prevention of what is yet to come. Sticking to the old ways of doing things will ensure that this industry remains stuck in the past… and it's far from brave.
Bravery
Per the title of this post (and a few hints throughout), we now need to recruit those willing to be brave. We want to support their enthusiasm for actual change in this space. We need to find the enterprise/organization that finally says, “enough is enough": the enterprise willing to stop the madness in hopes of increased effectiveness and greater overall security. We need to seek out the business networks willing to work together to agree upon a single method for determining security posture. This will enable the most efficient, effective, and sustainable solution.
Luckily, our focus can move beyond foundational frameworks. At this point, there is a comprehensive framework for just about every business/industry/sector out there. But, it is time for our business leaders to focus on logic and common sense, to reject the old and ineffective ways, to spurn the waste within their organizations, and to push toward true security by ushering in new methods, systems, and processes that are addressing the demands of today’s InfoSec Industry.
Tentacle.io
Over the past year since our product has been in the market, I have had this same conversation with some of today’s leading businesses dozens of times. Each has acknowledged that the way in which the system is currently operating is not optimized. Actually, I’ve yet to get a single disagreement; all agree that today’s system is more about “checking the box” and that it is easily “gamed” by those who know what they are doing. I have yet to encounter pushback to the notion that change is needed, and I’m continually amazed to hear about how much money (especially in large organizations) is being spent to simply support the existing structure.
I’m not so foolish as to think that Tentacle has all the answers. And no, I don’t think that Tentacle is the silver bullet for this industry. What I do know is, Tentacle is taking a brave stance to course-correct this space: one that is informed, inspired, and motivated by experiencing all that has been wrong for many, many years. However, the brave stance we are taking will only be effective as long as we are joined by other companies (no matter the size) willing to be the change makers with us.
So, here is my official call for the brave. The company willing to say:
If you are willing to be brave, let me know. I’m looking for more people to take this journey with us!
Also Posted @ https://tentacle.co/blog/post/im-looking-for-the-brave
Customer Success | Customer Engagement | Customer Success Enablement | Customer Success Operations
2 years
Cheers! I remember having this exact conversation with you numerous times back in the day when I was your CSM for Flexential/Yourcause. Glad you are looking to flip the script and make a change. If anyone can make it happen, it's you! I would say good luck but I know you don't need it!
Matt - you are awesome.
President and CEO at Bullzeye Products LLC
2 years
Matthew, I appreciate the invitation. I'm not quite sure how to subscribe; please let me know.
RETIRED
2 years
Good luck to you and Tentacle, Matthew. And, I sure enjoy the photo of Zion National Park. Here’s a photo from the top of Zion. I’ve spent over 100 days camping in Zion and the place is absolutely amazing.