If you’re a CEO or in a leadership role, there’s a strong chance your security team is burnt out.
2020 was a tremendously difficult year for security. Fueled by the pandemic and work-from-home challenges, ransomware and other attacks boomed, high-profile breaches littered the news, and the business world continued its mass exodus from on-premises storage and operations to the cloud. Research by CIISec indicates that more than half of security professionals have either left a job due to burnout or have worked with someone who has.
As your friendly neighborhood hacker, I’m going to make the argument that a philosophical shift in the way we think about security could curb the burnout problem and help you source the right person for the job.
As it is, CEOs rely on CISOs and their security teams, expecting them to create a system which is free from threats. But these days, there is no such thing as a truly secure system, and this realization must be reflected in your organization’s expectations of them. In this world, security itself exists purely as a hypothetical, but what you can and should have is a “resilience” team.
The Kobayashi Maru is a fictional exam conducted on Star Trek’s Starfleet Academy cadets before their graduation. It features a combat scenario in which the subject is given command of a ship that is under attack and doomed to be destroyed. The point of the exam is not to win the battle — but rather to experience defeat. Security pros work in a constant Kobayashi Maru exercise; they’re asked to win an unwinnable game.
Where No One Has Gone Before
It may be unsettling to accept that there is no such thing as a secure system, that all companies will get hacked and that safeguarding them doesn’t come down to stopping compromises. Rather, it’s about assessing how and how frequently attacks will come and being prepared to withstand them. It’s scary because it indicates that we have no control at all. But it’s important to remember that security is not a zero-sum game; it’s about resilience.
CISOs and security teams frequently take the blame when companies experience large-scale attacks. C-suites read the negative news headlines and watch their share prices drop, and they ask, “What went wrong here, and how can we eliminate it?”
This approach is highly illogical, as it assumes that the goal of security is to create an airtight environment. This cannot be the goal; instead, it must be to reduce the risk of attackers achieving their objectives and to respond appropriately to mitigate damage when they do. Compromises will happen, but resistance is not futile.
The Needs of the Many, the Few or the One
Just like on the USS Enterprise, communication between the bridge and main engineering is critical to the success of any mission. The executive team and the security team operate mostly in isolated silos, and therefore, when they do have to interact, they speak completely different languages. A perfect example of this is their definitions of security itself, as noted above. These two parties must be on the same page about their mutual goal: creating a system that is resilient to attack.
As an executive, you should learn to speak the language of security — and understand that it is not a language spoken in absolutes. If your goal is to reduce risk, the business’s leadership must adopt a comprehensive business plan that includes a realistic approach to securing what’s most important. You should not ask your CISO to win every battle, only the battles that matter. Make this your mantra: Our goal is not security, it is resilience.
Aside from the major philosophical shift that needs to take place, adopting an effective process to reduce risk will go a long way toward reducing the workload for security teams. Find ways to assess the real-world risk your assets hold and focus your energy on those with both a high probability of attack and a blast radius your organization can’t afford.
Make It So
Passing the Kobayashi Maru itself was never the issue for the characters in Star Trek, and it isn’t your CISO’s issue either. They’re seeing a bunch of enemy ships on the viewscreen, and that’s causing them to panic, as it should.
The only way to win the Kobayashi Maru is to change the rules of the game, as Captain Kirk inevitably learns. This is the lesson you must absorb, too: Your security practitioners have been handed an impossible task, and it’s not their fault that they can’t accomplish it. What you can do is participate in an industry-wide shift of how security is perceived and what is expected of those under your command.
The industry must move from a binary, results-based approach to an approach structured around real-world risk, in a manner that is supported by the C-suite. Organizations need to understand where an attacker would strike first, so they can devote resources there right away — rather than treating all threats as equal in radius and impact.
Trying to eliminate all vulnerabilities in a network is impractical and debilitating. It leads to burnout, frustration and scapegoating. But you can avoid these negative outcomes. If you reduce attack surface area, understand which threats can be left alone and automate and operationalize the tasks you do have, you’ll have taken the first steps toward reducing these effects.