I am over it! I am over all of the BS. I am over all of the compliance posturing. I am over all of the “NEW AGE” high tech hipster ways to get a hold on a problem that is created “FOR THE PEOPLE BY THE PEOPLE.” I am over “We can’t.” I am over the cutting of the security budget to the bone. I am over having to use FUD to get attention. (Which is nothing more than promoting the stereotype of security professionals being crybaby prima donnas.) I am over having to try and use corporate politics, backhanded practice and overall impossible tactics just to create “something to REACT to.” I am just plain sick and tired of the loss of money, the incessant security breach headlines, the constant increase of security theater, and the train wreck life of a typical security posture.
Have you ever felt this way? Do you feel this way now? Are you “too tired” or “powerless” with regards to the security battle? Do you feel “under control, hands tied,” and have an overall lack of drive? Do you see a pattern?
These are the signs you would see in a person with an extreme addiction. Yep! Change the words and context around just a little bit and you have a classic addict. It’s hard to choke down. I get it. It’s not conventional… I know. But, it’s real.
As with the history of alcohol and drug abuse, there have been decades of quick fixes. There have been millions of “get fixed quick” type programs. There have been high tech treatments and “silver bullet” pills that cure this horrible disease, but none of them was, or is, a real solution. The reason for this is that fighting an addiction takes a lifetime of practice and will only end when you die. Until then, you will have to take it one day at a time and step by step. Around every corner will be a reason to slip back into your “old ways.” Sound familiar yet?
With all of these factors above sharing a frightening parallel and a quite common theme, I think there is something to learn. I started thinking about this quite a long time ago when I was first exposed to the 12 step program. I was studying conjoint family therapy with the hopes that it would seriously up my Social Engineering game. I was taking the cross training approach to my career. I wanted to get into all of the classes, books, seminars and groups that were focused on “fixing” the bad behaviors of humans. I figured that by learning the fix I would better learn how to break them. Holy $h1T was I surprised. Here I am, sitting in the room, playing my role and absorbing as much as I could when it hit me. I am really screwed up. (I know, shocking… haha) Seriously though… I was able to identify things in my life that were superpower road blocks. Things that were so serious that I was sitting in the room, on the verge of tears and feeling completely helpless. A man named Stephen Young, who was teaching this class, came over to me and knew I was in a bad way. He knew this because under my supercool H4x0r exterior I was falling apart. He read my psychosomatic posture, he analyzed my every move and breath, he was even taking my pulse and temperature. This extraordinary man came up to me and put me on the spot. With his relentless pursuit of the truth and his unreasonable stance for my resolve he broke me in half. He exposed me. It took a long time. To me it felt like an eternity, but in the end I opened up like a box that didn’t install the patch for MS08-067. From my session in this class I learned about something very important in my life. I learned the difference between being HELPLESS and being POWERLESS. On the surface this may be a no brainer, or it may look like the 2 words can be interchanged. Underneath the hood of the human experience, this is one of the tipping points of eternal happiness.
I won’t go into detail on the many facets of how humans treat themselves based on their perception of the situation or the vast and complex punishments we invoke on ourselves. You are a human, you have done it…. Like it or not… we all do. It is a common thread in our psychological makeup. Due to that fact, we all have a struggle with these powerless and helpless concepts. To set the record straight in the most raw definition of the words:
Powerless: Without POWER
This feeling comes with an overwhelming feeling of being weak. When we are powerless we do not have control. We are not the driver and we have no way to decide whether the car is going to crash into the wall or not. The brakes are out, the steering wheel is broken, and all the doors are locking you in. You are not without help or a solution, but you just have no real choice on what comes next (this concept took about 3 years for me to really get, so if it is confusing in this short burst… you are not alone!). When the car hits the wall… there is no reason to be mad… it was out of your control. What freedom. No reason to beat yourself up…. It was simply out of your hands at that very moment.
Helpless: Without HELP
Now, we really gotta dig into where that puts us mentally. When you do not have power, you feel weak. You feel like you cannot take on something alone. You feel abandoned and in a state where all is lost. The confusion here commonly comes from the target of your abandoned feeling. In your mind it means that you are alone and not equipped to handle the job. You don’t have the manpower to overcome the odds at hand. In reality you are abandoned. Not by other people. You abandon yourself. You punish yourself by making all these crazy meanings that you extrapolate from mounds of “evidence” to support your claim. You are not without friends. You are not without HELP. You are not alone at all. Your perception is your jail and its security controls are unable to be compromised (after all… you built ’em ;).
I know, I know, you are saying, “Geez hippie… hug a tree or something….” But this is an important thing to understand with relevance to InfoSec. Take those definitions above and apply them to your daily life. Apply them to your job. Apply them to all of the frustration that you had agreed with in the beginning of this post.
What did you find?
Well, because we are all humans, and because we all have a TON in common, we are all likely to experience the same feelings at some point or another. Maybe for you this is not the time… Maybe this is the one… Regardless, it is a part of life. We have all been happy or sad, or indifferent. For this simple reason, we all have had common issues.
This brings us back to our fuzzy little InfoSec lives. The revolving world of compliance drives companies to scope and de-scope assets like fashion trends. They inspire a momentary response which is more motivated by negative incentive than anything else. Now, I am not saying compliance is bad or useless or whatever you make it. I am saying that the feeling that causes action still leaves you in that helpless state. It never addresses the human anchored problem that we all face. It never addresses the helpless feeling which overwhelms so much of the industry. Compliance has created amazing action and movement in InfoSec, but it usually doesn’t provide a holistic and cultural human change. It is kind of like taking an alcoholic and saying “Well, we will consider you recovered if you don’t drink Vodka any more. All of the other alcohol isn’t IN SCOPE.” This is just an insane statement, but it is how I see many compliance programs handled. For this reason I started thinking about how addicts are treated. Sure, there are pills, programs, and fixes all over. There are detox centers that claim to “Get you clean,” but all the successful ones have a common thread. They have a common goal and a common roadmap to get there.
This roadmap is called the “12 Step” program. It has stood the test of time as a repeatable and trendable mechanism for recovery. As I looked at the steps in depth from many perspectives I realized that this may be a good place for us to start our own recovery. We have a million ways to lock down an organization. We have more to implement and even more technologies to support it. What we don’t have is a real way to get started. We don’t own our own recovery; we usually act like it is forced upon us. Because of the lack of ownership, it allows us to “cheat” in our own program. It allows us to blame a scapegoat (whether that’s compliance or an infosec savvy employee). There is always someone else to blame, and at the root of it, that is the reason we have rarely succeeded with our insecurity “recovery.”
Taking all of that into account, I decided to modify the steps just slightly to see if they would work to aid in our business recovery efforts. After a long hard look (and a few flights) I wanted to present this back out to the community to see what we could do with it.
12 Steps (of insecurity recovery)
1. We admitted we were powerless over security – that our environments had become unmanageable.
2. Came to believe that a power greater than ourselves could restore us to being secure.
3. Made a decision to turn our will and our lives over to the care of best practices as we understand them.
4. Made a searching and fearless inventory of our environments and their assets, both information and physical.
5. Admitted to ourselves and those assisting us in our recovery the exact nature of our wrongs.
6. Were entirely ready to have an independent assessment of our environment and accept the recommendations suggested to remove the flaws identified.
7. Humbly asked for help remediating our flaws.
8. Made a list of all the persons we ignored and became willing to make amends to them all.
9. Made direct amends to such people wherever possible, except when to do so would injure the brand or the company.
10. Continued to take corporate inventory and when we found flaws promptly admitted it.
11. Sought through policy, process and procedure to improve our conscious understanding of best practices as we understand them, seeking only knowledge of their will for us and the power to carry that out.
12. Having had a corporate awakening as the result of these steps, we tried to carry this message to other organizations and to practice these principles in all our affairs.
I know that there is no silver bullet. There is no magic diet pill that will make me thin, healthy, and perfect. There are some things we can do about it. There are things we can accept in life and leverage the experience to live a life that is extraordinary. The quick fixes are rarely responsible for major breakthroughs.
The tech won’t save us. The regulations will never be good enough. The cloud won’t be the silver lining.
Sorry to say it, but security is hard work. It takes blood, sweat, tears and good ole fashioned work to make headway. We can use the fads and toss around millions of dollars on a quick fix, or we can just get to work. Do you want to put in the work to admit you have a problem, or do you want to continue blaming someone else for the problems? There is a way out. You have help. All you have to do is take “The first step.”