Bro (or Sis? :) )! They're not supposed to care about security, you are! Our job in infosec is to show others how insecurity affects what they care about, so in order to reduce, transfer or eliminate risk to what they care about they allow us to implement good security. The failure is on the infosec side of the equation.
It confounds and mildly pisses me off when people get pissed and get burned out over suits not caring about infosec. I mean, they care about promotions, reputation, bottom line, ROI, KPI, etc... That's what they do. You know why the marketeers and buzzword snake oil salesmen prosper? It is because they communicate not only risk but especially [fake] solutions better! Infosec is full of user and management blaming, expecting people outside of software developers and infosec practitioners to care about infosec. I am not saying I have it figured out, but I am fairly certain users and decision makers need to be told solutions within the context of risk that affects them. And if it doesn't affect them they're not supposed to care.
I'll give you an example: a network is filled with tls1.0 and ssl1.3, how does that affect some mid-sized company's bottom line or reputation? How do they get ROI on the man hours and resources spent to upgrade everything to TLS1.3 with proper cipher suites and key exchange? And what KPI can they use to measure efficiency of resources? How will you tell them security hygiene takes a very long time to show ROI, as do many other security concepts?
You don't really have to do all that if you don't want to; there's plenty of skill demand, to where you can progress to more exciting positions.
I did work at a major cable company building customer premises hardware about 5 years back (the only reason I'm sharing this story). They were alerted to a major, easily exploited and REALLY stupid vulnerability in their system that exposed their core management network for the product to customers. They just hired the guy who reported it then fixed the problem 6 months later. The short-term mitigation was to put passwords on all their database servers (they were not there previously).
Security was just not a concern until they had a major breach. The security teams had been screaming bloody murder for a while, but could not get the product teams to allocate sprint bandwidth to the massive, coordinated security hardening effort that needed to happen to prevent a potential headline in the New York Times.
Mgmt/non-sec care about pretty clear, often profit-oriented metrics (ROI, etc.). There is such a clear precedent for successfully internally selling, implementing, and creating buy-in for cost-producing (i.e. infosec) but business-saving practices. Insurance, financial risk departments, legal departments etc. etc. etc. Sec can fall under that too. Sec people don't bother to learn the language 90% of the time. Sec people then burn out because they feel they're paddling nowhere.
Failure to learn that ^ language as a sec eng means you fail to learn how to successfully implement sec in a way that has lasting buy-in. It's doable. It takes a bit of leadership, a bit of buzzword-learning.
If you want to play ball with mgmt and not be a mindless keyboard monkey sec eng who has no care if people care about sec or not, you must be able to take all those sec thoughts, distill it into 3 power point slides and 120 seconds of 'so what,' and be ok doing it over and over.
Why doesn't legal have to fight the same fights? Their domain seems similar: legal problems take years to surface, and when they blow up, they explode spectacularly. Implementing procedures involving legal is a huge drain of time, motivation and opportunities. Yet, in many companies the power dynamics are inverted: anything non-trivial has to go through legal and is blocked by default. Why don't new deployments have to go through security?
> Why doesn't legal have to fight the same fights?
Legal constantly fights the same fights. They get those systems put in place because they acknowledge that fighting these fights is a critical aspect of their job and they make sure those control points are in place. Before I became an InfoSec PM I consulted for legal departments to fight those internal fights for them. They’ve had decades to refine and develop best practices around how to do these things.
Also, places where everything is blocked by default by legal are generally badly run legal departments and have plenty of handshake agreements and covert business activity going on, the same way places with intransigent and uncooperative InfoSec or enterprise architecture end up with tons of shadow IT. They've been moving towards automated review and self-service tools to speed things up for a while now.
It's a great point, and largely due to legal teams speaking a really similar language to business teams, just looking at it from different sides of the same apple. As nearly every company goes digital, security can fall in that same legal bucket.
Why does legal succeed then? Partially, there are pretty firm laws covering risk, that haven't quite caught up to sec breaches and such (but this is clearly beginning).
However, the big reason: Legal can explain the 'so what' because of that shared common language. Sec folks seem to largely not bother learning how to translate tech jargon to 120 seconds and a power point slide or two that business can understand.
It's tough for me to think that Yahoo! didn't "understand security," and yet, their entire user database was ganked. I have to assume that they were doing everything they could to implement all of the white paper suggestions and consulting recommendations they could get their hands on. I also presume they were running the largest, most-expensive "security" products that they could buy. The depressing thought that struck me at the time was: if one of the biggest web properties to ever exist couldn't figure out how to secure their database, what hope do the rest of us have? (Maybe I'm being naive; I've never seen a disclosure on the nature of the intrusion.)
All of this sort of thing leads me to think that there is currently a huge mismatch between the security products industry, and how companies implement all the conflicting white paper snake oil, and what the ACTUAL vulnerabilities are. And I know how stupid this mismatch winds up making the average Fortune 500 worker bee's daily life. But that's a topic for another post.
I think it's difficult, but there's almost no doubt that Yahoo would have people who understand the problem with security. The problem is, were they, and did they have the power to rein this in at scale?
All too often, you get risk people buying products then asking for all your logs, promising the easy silver bullet. Being a pessimistic engineer, you're unlikely to ever be near a leadership position with people who want easy answers.
The problem is, the person who refuses to understand this typically includes the senior guys in InfoSec who own this, and will continue to do so regardless of how you present it.
I mean, who else is buying a SIEM, asking for all logs, and then hoping it'll take care of everything? That's the CISO, Director, VP, Head Of, etc.