In cyber and information security, there’s a saying: “Security is a process.” Hackers have a similar saying: “Screw the processes, let’s hack!”
Which is better?
I won’t answer yet. You won’t get off that easy. This answer requires a story.
There once was a woman who was the head of cybersecurity for a large and successful Internet and gadget company that everyone knew. She worked long hours, but the time was flexible and half those hours she could work from home. The people said she was lucky.
One day her team discovered some suspicious activity inside the company. It appeared that they had been breached through a third-party vendor access point. She had only been working there a year and didn’t even have time to roll out all her security updates to the policies and infrastructure when this had happened. The people said she was unlucky.
The investigation showed that the breach did not reach the databases and no customer information nor accounts had been compromised. The people said she was lucky.
The company decided to get ahead of the potential public relations hit and informed all their customers and users about the breach. The announcement of course made the news everywhere. Pundits speculated. Stock brokers shied away. The executive board mumbled. The people said she was unlucky.
The breach led to a sudden surge in resources for her department. She was now able to afford better technology to allow for faster, smarter, and prettier security products. The people said she was lucky.
The woman was called before the board to explain herself. She spent the day preparing her slides and went with her confident face on into the meeting room. She explained the breach and how she would rectify it. The board decided to fire her anyway to assuage customer fears and look like they were willing to act to assure everyone’s safety (except hers). The people said she was unlucky.
She wasn’t unemployed for long as the very next day a smaller but very successful security start-up picked her up. The people said she was lucky.
She decided to take a new approach this time and not wait to follow company processes. She rolled up her sleeves and watched the network traffic herself. She spent long hours investigating her new company for security weaknesses. She analyzed logs and packet captures until her eyes teared. Then she dove in and in a week she hardened what was soft, patched what was vulnerable, and hacked a fix for whatever had no fix. Most of all, she herded vendors into a locked-down corral she built on the network. And sure enough, she discovered an existing breach. Not yet one month on the job and she already had to announce they had been breached. The people said she was unlucky.
The management at this new company decided to give her their full support and the resources she needed to rectify it. She was able to close the breach, deal with the consequences, and hire more employees for her department. She still works there today. The people say she is lucky.
There’re a few take-aways from this story, so feel free to be conflicted. The story is less about the breach or even the cause of the breach, but about how people see the role of cybersecurity professionals in society. But you can still use it as a cautionary tale for third-party access to get more swag from vendors, I won’t tell anybody.
Fair vs. Unfair in Society
Society relies on processes. Everything in society has a role and is part of a process. If it’s not, then it’s dangerous or unfair. And that’s really what it’s all about, isn’t it? Fairness?
You follow the rules and you get rewarded. That’s fair. Or you follow the rules and you don’t get rewarded. That’s life. Or you get fired. That’s butt-covering.
People want fair. That’s why security is a process - to make sure it’s consistently spread and maintained. That’s why we security people are told to make sure that management itself is under compliance to the security policies. Because it should all be equal.
But that’s crap. It’s not equal. Equal may be like a grizzly and a raccoon are both bears, but that wouldn’t be a fair fight. (Unless it’s a ‘washing putrid garbage in a stream before eating it’ competition, and then the raccoon wins - tiny, filthy hands down.)
Look, you don’t follow the process and you get things done then people idolize you. They say you’re the person who rewrote the rules and rocked the idle establishment. But if you fail, then people say it’s criminal how you thought you were above the rules.
The point of hacking is to get things done and damn the rules. That’s probably why it’s been a bad word for so long and why only the kids, counter culture, and truly productive people don’t fear the word. It’s also why hacking is so closely tied to security.
The point of cybersecurity is not to control the hacker. The point of cybersecurity is to protect everyone and everything. You can’t do that following the processes. At best that will help you maintain the majority in a risk-neutral scenario eventually - but only once you’re secure. And getting secure isn’t the same as adding another lock to your door. No.
It’s not like you’re not racing the thieves to get the door locked before they notice. In cybersecurity you’re racing everyone on the planet with an Internet connection. There’s no time to play by the rules and wait for policy updates to roll out your security. There’s no time. Get secure and then maintain.
Or as we say in hacking, “Screw the processes, let’s hack!”