Start With Yes: Flip the Model of Security, Reflecting on BlackHat, DefCon, and a Week in Las Vegas
As I’m sitting on a plane returning home after a week-long trip to Las Vegas, I have the opportunity to reflect on some of the news that came out of the Black Hat and DEF CON security conferences and on my company’s core mission to securely enable organizations’ digital transformation strategies. The annual Black Hat conference began with a keynote speech from Dino Dai Zovi, head of mobile security for Square. With a simple speech title, “Start With Yes,” Dino was able to effectively communicate both the root problem with security today and the not-so-simple solution.
“Start with yes,” such a simple but powerful idea. Whether I was attempting to get a phone number at a bar in my college days, convincing a prospect that my solution is the best fit, or allowing my employees to be more productive, saying “no” or allowing someone to respond with a simple “no” effectively ends the conversation. “Would you like to learn more about why we’re the best in the industry?” No. “Can I buy you a drink?” No. “Is XYZ SaaS service working well for you?” No. That holds whether you are looking for a potential life partner or enabling organizations to transform digitally in a secure fashion. Saying “yes” keeps the conversation going and fosters a collaborative environment where people believe they are being heard. Having that open and honest communication is the only way to make impactful and effective change.
It is an undeniable fact that organizations must embrace digital transformation or risk being left behind. What do Blockbuster, The Good Guys, and Sears Roebuck have in common? These were household names just 10 or 15 years ago, but they did not make the pivot to the digital world as Netflix, Amazon, and Target did. Another undeniable fact is that IT security is now a board room discussion for most organizations. The positions of CIO and CISO are relatively new compared to the traditional CEO and COO roles. That is because data is quickly becoming the new currency. Not US dollars, Chinese yuan, or Bitcoin: data and information are today’s modern currency. Sure, sometimes that data is stolen to convert into money, but in today’s world, it is not the dollars in a bank account that are a company’s most valuable asset, it’s the data in a data center or cloud storage facility. If an attacker drains a bank account, there is insurance to protect against that and the company will earn the stolen money again. However, if the secret formula for Coca-Cola, the eleven herbs and spices in Kentucky Fried Chicken, the cutting-edge manufacturing process for Intel chips, customer lists, or source code were stolen, those companies might never recover.
With these new C-level positions and the power that the IT security organization now holds, it carries incredible strength and responsibility to secure the organization’s data and assets. Starting with no, or forcing employees to do something they do not wish to do, effectively kills the conversation. In general, people want choice (or at least the illusion of it). IT is often branded as the organization of no. Can I use Dropbox? No. Can I use a Mac? No. Can I do work on my personal phone? No. Surveys show that employees are much happier when work policies are more flexible, and security does not necessarily have to suffer as a result.
Dino outlined three transformational ideas to change the security culture in today’s organizations.
1. Identify the job to be done and work backward
2. Seek and apply leverage, with continuous feedback loops
3. Culture trumps strategy and tactics every time
The first is to identify the job to be done and work backward from there. Dino cited a marketing study from the early 2000s commissioned by McDonald’s when they were attempting to boost milkshake sales. McDonald’s had tried to boost milkshake sales by changing the recipe, to no avail. An astute marketing researcher noticed that milkshake sales spiked before 8:30 am and came from drive-through customers who ordered nothing else. He began asking people why they were buying the milkshake instead of asking what could be done to make it better. It turns out that young males would buy a milkshake before a long commute to work because it was easy to eat and would last the entire commute. McDonald’s was trying to solve the problem of making people not hungry, when their customers were buying the milkshakes to keep themselves occupied during a long commute. When McDonald’s reframed the question, they made milkshakes thicker, added fruit chunks for a bit of surprise, and made them more accessible inside the restaurants, and sales skyrocketed as a result.
Reframing the security conversation also allows organizations to achieve their goals without sacrificing productivity. Talking to internal teams to determine what they are attempting to achieve allows for an open dialogue on the most efficient way to get there. When security understands how other teams work and what they are setting out to achieve, more efficient and narrowly tailored methods can be used to secure the way they work. Backhauling branch office traffic to a regional data center or requiring a full-tunnel VPN for inspection achieves the goal for security, but it increases friction and is an utterly inefficient method from the standpoint of user productivity. Allowing local breakouts and direct-to-cloud access without sacrificing security will satisfy both security teams and employees. As companies adopt more SaaS and IaaS, the backhaul problem will only get worse and local breakouts will become inevitable. Start with yes. Yes, you can work from home and go direct to the cloud. Yes, you can have access to internal applications without needing to think about VPN. Yes, you can securely work from your personal phone or tablet.
The second transformative idea is to seek and apply leverage. It is no secret that good security people are hard to find, hire, and retain. I receive no less than a dozen invitations to speak with corporate recruiters every week for some of the hottest companies and startups in the Valley. At the same time, IT security teams are being asked to do more with less, which requires more efficiency through automation and outsourcing to maximize impact with minimal effort. Salesforce built their entire value proposition on the “No Software” advertisements in the early 2000s. Now that software is in the cloud, resources within the organization are freed up to work on tasks more important than updating, maintaining, and patching software. With the explosion of SaaS and IaaS in recent years, it is a natural evolution also to have security delivered as a cloud service. With security running in the cloud, it is always on the latest version of the software with the latest security updates, without administrator intervention. Leveraging the cloud frees security teams from looking after physical appliances in the data center so they can perform other mission-critical tasks. With the addition of machine learning and artificial intelligence, security delivered as a cloud-hosted service can scale its effectiveness further. Automated feedback loops must be purposely added to the security process to understand whether the protections are working and to ensure the job identified in step 1 is actually completed.
Lastly, between culture, strategy, and tactics, culture trumps all. Culture encompasses the values companies promote and how employees interact and communicate. Without a shift in culture towards accepting security, technical controls will still fail despite the best-laid plans. Security teams are not outsiders anymore; they are inside units now with the ability to improve things from within. Security is everyone’s concern. Building security responsibility into everybody’s team will allow it to scale. Compared to the traditional model where IT security teams are viewed as outsiders who pounce on any opportunity to phish a fellow employee and shame them if they fail the test, security teams should view and treat themselves as extensions of other internal teams. When considering a topic such as IoT insecurity, there are many devices produced with little or no security built in. Instead of saying no, organizations can say yes by finding a more secure alternative, isolating management networks to authorized individuals, setting up strict access control lists so the devices can only communicate with pre-determined IP addresses, or adding a reverse proxy in front of them to handle authentication, authorization, and auditing.
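The “strict access control lists so the devices can only communicate with pre-determined IP addresses” option above is concrete enough to show in code. The following is an added example, not code from the post or from Dino’s talk: a small Python policy that names each IoT device and the only destinations it may reach, renders that policy as an nftables ruleset (default deny for governed devices, everything else untouched), and audits constructed flow records against the same policy so that any device talking to an unexpected address shows up as a violation to alert on. Device addresses, the policy, the flow log format, and the chain name are all assumptions made for the example; the destination addresses are RFC 5737 documentation ranges, not real endpoints.

```python
"""Egress allow-list for IoT devices: render nftables rules from a policy and
audit flow records against that same policy. Added example; all addresses,
rules and log lines are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permitted flow: a governed device -> destination network on proto/port."""
    device: str   # device's source IP
    dest: str     # destination network in CIDR form
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# Constructed policy (assumption): each device may reach only its vendor
# service and an NTP server. Anything not listed is denied for these devices.
POLICY = (
    Rule("10.20.0.15", "203.0.113.10/32", "tcp", 443),   # camera -> vendor API
    Rule("10.20.0.15", "198.51.100.5/32", "udp", 123),   # camera -> NTP
    Rule("10.20.0.16", "203.0.113.0/24", "tcp", 8883),   # sensor -> MQTT over TLS
)


def flow_allowed(policy, src, dst, proto, dport):
    """Default deny: True only if some rule explicitly permits this flow."""
    dst_ip = ipaddress.ip_address(dst)
    return any(
        r.device == src and r.proto == proto and r.dport == dport
        and dst_ip in ipaddress.ip_network(r.dest)
        for r in policy
    )


def parse_flow(line):
    """Parse a constructed 'ts src=.. dst=.. proto=.. dport=..' record into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def audit_flows(policy, lines):
    """Return the flow records from governed devices that the policy does not allow."""
    governed = {r.device for r in policy}
    violations = []
    for line in lines:
        rec = parse_flow(line)
        if rec["src"] not in governed:
            continue  # not an IoT device under this policy; out of scope here
        if not flow_allowed(policy, rec["src"], rec["dst"], rec["proto"], rec["dport"]):
            violations.append(rec)
    return violations


def render_nftables(policy, chain="iot_egress"):
    """Emit an nftables chain: explicit accepts per rule, then log-and-drop for
    governed devices. Non-governed hosts are untouched (chain policy accept)."""
    devices = ", ".join(sorted({r.device for r in policy}))
    out = [
        "table inet filter {",
        f"    chain {chain} {{",
        "        type filter hook forward priority 0; policy accept;",
    ]
    for r in policy:
        out.append(f"        ip saddr {r.device} ip daddr {r.dest} "
                   f"{r.proto} dport {r.dport} accept")
    out.append(f'        ip saddr {{ {devices} }} log prefix "iot-egress-drop " drop')
    out += ["    }", "}"]
    return "\n".join(out)


# Constructed flow log (assumption): what a flow exporter on the IoT segment
# might record. Two lines break the policy; the last line is a laptop the
# policy does not govern.
FLOW_LOG = [
    "2019-08-12T08:31:02Z src=10.20.0.15 dst=203.0.113.10 proto=tcp dport=443",
    "2019-08-12T08:31:05Z src=10.20.0.15 dst=198.51.100.5 proto=udp dport=123",
    "2019-08-12T08:32:40Z src=10.20.0.15 dst=192.0.2.77 proto=tcp dport=23",
    "2019-08-12T08:33:01Z src=10.20.0.16 dst=203.0.113.44 proto=tcp dport=8883",
    "2019-08-12T08:33:09Z src=10.20.0.16 dst=10.20.1.9 proto=tcp dport=445",
    "2019-08-12T08:34:00Z src=10.20.5.2 dst=192.0.2.1 proto=tcp dport=443",
]

if __name__ == "__main__":
    print(render_nftables(POLICY))
    for v in audit_flows(POLICY, FLOW_LOG):
        print(f"VIOLATION {v['ts']} {v['src']} -> {v['dst']}:{v['dport']}/{v['proto']}")
```

Keeping the rendered firewall rules and the flow audit on one policy object is the point: the ruleset is what enforces “only pre-determined IP addresses,” and the audit over exported flows is the feedback loop that tells you whether the enforcement is actually in place and whether a device has started reaching for something it never should. On the constructed log, the camera’s port 23 connection to an unlisted host and the sensor’s port 445 attempt toward an internal host are the two records reported.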
Dino is advocating changing security through a cultural transformation while organizations themselves go through their digital transformation. More forward-thinking organizations will tend to embrace the cultural shift towards security, and I believe that they will be rewarded for being agile, just like Netflix, Amazon, and Target. The time has come for IT security to shed the reputation of the department of no and embrace the future. The future of organizations digitally transforming by increasing their consumption and migration of SaaS and IaaS is inevitable, and this gives an opportunity to also transform security by moving it to the cloud. Change is coming, and change must be allowed to happen to ensure the survival of the organization. Security is no longer the sole responsibility of one team; it is the responsibility of all employees at an organization.