Monday, April 5, 2010

Confessions of a SecAddict


“…grant me the serenity to accept people that will not secure their networks, the courage to face them when they blame me for their problems, and the wisdom to go out drinkin’ afterwards!”


I am over it! I am over all of the BS. I am over all of the compliance posturing. I am over all of the “NEW AGE” high-tech hipster ways to get a hold on a problem that is created “FOR THE PEOPLE BY THE PEOPLE.” I am over “We can’t.” I am over the cutting of the security budget to the bone. I am over having to use FUD to get attention (which is nothing more than promoting the stereotype of security professionals being cry-baby prima donnas). I am over having to try and use corporate politics, backhanded practice and overall impossible tactics just to create “something to REACT to.” I am just plain sick and tired of the loss of money, the incessant security breach headlines, the constant increase of security theater, and the train-wreck life of a typical security posture.

Have you ever felt this way? Do you feel this way now? Are you “too tired” or “powerless” with regards to the security battle? Do you feel “under control, hands tied, and have an overall lack of drive”? Do you see a pattern?


These are the signs you would see in a person with an extreme addiction. Yep! Change the words and context around just a little bit and you have a classic addict. It’s hard to choke down. I get it. It’s not conventional… I know. But it’s real.

As with the history of alcohol and drug abuse, there have been decades of quick fixes. There have been millions of “get fixed quick” type programs. There have been high-tech treatments and “silver bullet” pills that cure this horrible disease, but none of them was, or is, a real solution. The reason for this is that fighting an addiction takes a lifetime of practice and will only end when you die. Until then, you will have to take it one day at a time and step by step. Around every corner will be a reason to slip back into your “old ways.” Sound familiar yet?

With all of these factors above sharing a frightening parallel and a quite common theme, I think there is something to learn. I started thinking about this quite a long time ago when I was first exposed to the 12 step program. I was studying conjoint family therapy with the hope that it would seriously up my Social Engineering game. I was taking the cross-training approach to my career. I wanted to get into all of the classes, books, seminars and groups that were focused on “fixing” the bad behaviors of humans. I figured that by learning the fix I would better learn how to break them. Holy $h1T was I surprised. Here I am, sitting in the room, playing my role and absorbing as much as I could, when it hit me. I am really screwed up. (I know, shocking… haha.) Seriously though… I was able to identify things in my life that were superpower road blocks. Things that were so serious that I was sitting in the room, on the verge of tears and feeling completely helpless. A man named Stephen Young, who was teaching this class, came over to me and knew I was in a bad way. He knew this because under my supercool H4x0r exterior I was falling apart. He read my psychosomatic posture, he analyzed my every move and breath, he was even taking my pulse and temperature. This extraordinary man came up to me and put me on the spot. With his relentless pursuit of the truth and his unreasonable stance for my resolve, he broke me in half. He exposed me. It took a long time. To me it felt like an eternity, but in the end I opened up like a box that didn’t install the patch for MS08-067. From my session in this class I learned about something very important in my life. I learned the difference between being HELPLESS and being POWERLESS. On the surface this may be a no-brainer, or it may look like the two words can be interchanged. Underneath the hood of the human experience, this is one of the tipping points of eternal happiness.

I won’t go into detail on the many facets of how humans treat themselves based on their perception of the situation, or the vast and complex punishments we invoke on ourselves. You are a human, you have done it…. Like it or not… we all do. It is a common thread in our psychological makeup. Due to that fact, we all have a struggle with these powerless and helpless concepts. To set the record straight, in the rawest definition of the words:

Powerless: Without POWER

This feeling comes with an overwhelming feeling of being weak. When we are powerless we do not have control. We are not the driver and we have no way to decide whether the car is going to crash into the wall or not. The brakes are out, the steering wheel is broken, and all the doors are locking you in. You are not without help or a solution, but you just have no real choice on what comes next. (This concept took about 3 years for me to really get, so if it is confusing in this short burst… you are not alone!) When the car hits the wall… there is no reason to be mad… it was out of your control. What freedom. No reason to beat yourself up…. It was simply out of your hands at that very moment.

Helpless: Without HELP

Now, we really gotta dig in to where that puts us mentally. When you do not have power, you feel weak. You feel like you cannot take on something alone. You feel abandoned and in a state where all is lost. The confusion here commonly comes from the target of your abandoned feeling. In your mind it means that you are alone and not equipped to handle the job. You don’t have the manpower to overcome the odds at hand. In reality you are abandoned. Not by other people. You abandon yourself. You punish yourself by making all these crazy meanings that you extrapolate from mounds of “evidence” to support your claim. You are not without friends. You are not without HELP. You are not alone at all. Your perception is your jail, and its security controls are unable to be compromised (after all… you built ’em ;).

I know, I know, you are saying… “Geez hippie… hug a tree or something….” But this is an important thing to understand with relevance to InfoSec. Take those definitions above and apply them to your daily life. Apply them to your job. Apply them to all of the frustration that you agreed with in the beginning of this post.

What did you find?

Well, because we are all humans, and because we all have a TON in common, we are all likely to experience the same feelings at some point or another. Maybe for you this is not the time… Maybe this is the one… Regardless, it is a part of life. We have all been happy, or sad, or indifferent. Because of this simple trend, we have all had common issues.

This brings us back to our fuzzy little InfoSec lives. The revolving world of compliance drives companies to scope and de-scope assets like fashion trends. They inspire a momentary response which is more motivated by negative incentive than anything else. Now, I am not saying compliance is bad or useless or whatever you make it. I am saying that the feeling that causes action still leaves you in that helpless state. It never addresses the human-anchored problem that we all face. It never addresses the helpless feeling which overwhelms so much of the industry. Compliance has created amazing action and movement in InfoSec, but it usually doesn’t provide a holistic and cultural human change. It is kind of like taking an alcoholic and saying “Well, we will consider you recovered if you don’t drink Vodka any more. All of the other alcohol isn’t IN SCOPE.” This is just an insane statement, but it is how I see many compliance programs dealt with. For this reason I started thinking about how addicts are treated. Sure, there are pills, programs, and fixes all over. There are detox centers that claim to “Get you clean,” but all the successful ones have a common thread. They have a common goal and a common roadmap to get there.

This roadmap is called the “12 Step” program. It has stood the test of time as a repeatable and trendable mechanism for recovery. As I looked at the steps in depth from many perspectives, I realized that this may be a good place for us to start our own recovery. We have a million ways to lock down an organization. We have more to implement and even more technologies to support it. What we don’t have is a real way to get started. We don’t own our own recovery; we usually act like it is forced upon us. The lack of ownership allows us to “cheat” in our own program. It allows us to blame a scapegoat (whether that’s compliance or an infosec-savvy employee). There is always someone else to blame, and at the root of it, that is the reason we have rarely succeeded with our insecurity “recovery.”

Taking all of that into account, I decided to modify the steps just slightly to see if they would work to aid in our business recovery efforts. After a long hard look (and a few flights) I wanted to present this back out to the community to see what we could do with it.

12 Steps (of insecurity recovery)

1. We admitted we were powerless over security – that our environments had become unmanageable.

2. Came to believe that a power greater than ourselves could restore us to being secure.

3. Made a decision to turn our will and our lives over to the care of best practices as we understand them.

4. Made a searching and fearless inventory of our environment and its assets, both information and physical.

5. Admitted to ourselves and those assisting us in our recovery the exact nature of our wrongs.

6. Were entirely ready to have an independent assessment of our environment and accept the recommendations suggested to remove the flaws identified.

7. Humbly asked for help remediating our flaws.

8. Made a list of all the persons we ignored and became willing to make amends to them all.

9. Made direct amends to such people wherever possible, except when to do so would injure the brand or the company.

10. Continued to take corporate inventory and, when we found flaws, promptly admitted it.

11. Sought through policy, process and procedure to improve our conscious understanding of best practices as we understand them, seeking only knowledge of what they ask of us and the power to carry that out.

12. Having had a corporate awakening as the result of these steps, we tried to carry this message to other organizations and to practice these principles in all our affairs.

I know that there is no silver bullet. There is no magic diet pill that will make me thin, healthy, and perfect. But there are some things we can do about it. There are things we can accept in life, and we can leverage the experience to live a life that is extraordinary. The quick fixes are rarely responsible for major breakthroughs.

The tech won’t save us. The regulations will never be good enough. The cloud won’t be the silver lining.

Sorry to say it, but security is hard work. It takes blood, sweat, tears and good ol’ fashioned work to make headway. We can use the fads and toss around millions of dollars on a quick fix, or we can just get to work. Do you want to put in the work to admit you have a problem, or do you want to continue blaming someone else for the problems? There is a way out. You have help. All you have to do is take “The first step.”


  1. Chris,
    I'm digging it. Although I can't help but wonder if the 12 steps are more for the tester/auditor/savvy employee, or for the company themselves? As the boundaries of the internet melt away and people plug more and more of their lives online, the need for security goes up exponentially but the budget rarely moves in an upward direction. Too often, security is treated as a costly measure and not a cost-saving measure, and thus so much of it is reactive. "Shit, we got pwned and gigs of cardholder data is on our twitter feed. Guess we better call ACME Sec. But ask if there's a coupon." And why SHOULD they care? Jesus, look at the financial sector. One of the biggest economic fuck ups of our lives and the banks get bailed out on our dime. Where is the incentive?

    Being an InfoSecPro is a lot like being a parent. You can talk until you're blue in the face about not grabbing onto the scalding hot pot handle, because you're GOING to get burned, or don't ride your big wheel down the stairs or we have to go to the hospital. But unless the kids (or companies) take a few lumps and learn WHY you have to be careful, from scars, the lesson is never truly absorbed.

    As both an InfoSecPro and the father of a toddler, I am learning that my job is to make sure the kid/company lives long enough to learn and to reach maturity. Sometimes that lesson is expensive, but if we've done our job, it's not fatal or permanently disfiguring.

    But knowing that isn't enough to make it any easier, or less frustrating. That doesn't mean I don't stomp and scream whenever I see my kid put himself in harm's way. I don't know that I'll ever be able to stop doing that. I guess part of the process is knowing when to let someone get owned a little bit, so that they learn to listen, and when to put your foot down and say "If you don't listen to him THIS time, you might not get to hear me say anything next time."

    I think it's important to take your 12 step approach; I also think a helpful supplement to your program is the InfoSec Serenity Prayer:

    $deity grant me the serenity to accept the policies I cannot change;
    the courage to change the things I can;
    and the wisdom to know the difference.

    Living one assessment at a time
    Enjoying one hack at a time
    Accepting hardships as the pathway to security;
    Taking this sinful circle jerk
    As it is, not as I would have it.
    Trusting that getting popped and leaked all over twitter will make things right if we surrender to FUD
    That I may be reasonably happy in this industry
    and supremely happy with my job
    Forever and in retirement.

  2. Loved the “Well, we will consider you recovered if you don’t drink Vodka any more. All of the other alcohol isn’t IN SCOPE” quote!

  3. Awe, fuck. I missed the red text at the top before I posted, with your serenity prayer. Well, I guess it's suicide again for me.

  4. Thank you.

    PS Also liked the Vodka metaphor.

  5. First of all, I just want to say the opening lines attributed to Delchi are pure genius and I say they resonate with me, especially the last line which ultimately says, "Be happy despite not getting what we want every time."

    I think there are a ton of layers we could go through when talking about things like "learned helplessness" and powerlessness in regards to corporate or even individual security, and how it may relate to our own well-being in the face of not getting the security we know an entity needs. Likewise to the internal employees who have an ear towards being more secure.

    I get what jbrashars is saying about letting a few lumps get through to make a point in learning. I feel like until corporations feel a few lumps, the best they do is throw their IT ops into detox (assessment), pop some pills (appliances), and limit their view to only what they want to deal with (scope). But like you've said, that's not getting at the root of the issues, which is attitude/perception/happiness/human minds.

    Steps #2 and #3 could be a great approach for a corporate entity to start turning their initiatives over to security experts who can help them!


  6. Great points! But no one who is addicted goes to rehab unless they are forced to by circumstances… hitting rock bottom or some "intervention"… In the case of business, "rock bottom" could be a breach (resulting in substantial direct or indirect costs to the company) and intervention could be a Board member who understands business risks in terms of more than just credit, market or regulatory risks and factors in the IT security & business continuity, etc., and the privacy components of risk management and pushes for better governance.

  7. Moon. So True. This is why I consider proper testing much like an intervention. Even proper education or training in an org can do this. Because as you said, they usually need some type of "force" to get them started.

  8. I am sorry, but am I the only one who finds the white text on the black background difficult to read?!! The article seems interesting and I see many ppl have read and commented... but somehow I couldn't look at it for long... :(
