Bob Lord, Rapid7's CISO in Residence, presented this week on "CISO Skill Training: Lack of Security? It's All in your Head!". This was the first webinar of the Rapid7 Security Summer Camp series. Bob spoke about some of the biggest challenges facing security practitioners today, in particular when well-intentioned decisions from executives and board members end up weakening a company's security posture instead of improving it. Read on to learn the top 3 takeaways from this webcast:
1) Security is Different – There are many different scenarios in life where people prepare for disasters – security is unique because of the presence of a human adversary. It is someone's job to work at odds with a security professional's job, and they're going to change and adapt in response to the things being done at any given organization. Humans can be creative, sloppy, careful, and patient, and they can take advantage of organizational issues, technical debt, small mistakes, and more. Emphasizing this aspect of security is important for helping to demonstrate the need for ongoing improvements and support.
2) Models over Metaphors – It's easier to approach thinking about security from the right angle with accurate mental models rather than simplified metaphors. A good mental model can demonstrate the complexity, interconnectedness, distributed responsibility, resilience, and managed risk aspects of what a security team is doing. It can also demonstrate the need for all parts of the system to work towards a goal, and the importance of ongoing vigilance. Security teams are often under the gun, making it difficult to get to the point where they can think strategically. If you're able to demonstrate an actual vision, it'll be easier to get support from around the organization, and your team will be able to have much more focused and strategic conversations.
3) Avoid an Us vs. Them Mentality – When higher-ups make decisions that in-the-weeds security professionals don't agree with, it can be easy to turn cynical and feel frustrated. However, a lack of successful decisions often correlates with a lack of understanding. Teach the attacker lifecycle and kill-chain around the organization. Most people lack a frame of reference for security (which is why metaphors and analogies won't work), so they don't understand that an attacker will go around/evade many implementations and defenses. Once they understand the concept of the attacker lifecycle, it'll be easier for them to support and understand a security professional's decisions and processes.
To learn about the lifecycle model Bob Lord advocates for security teams to use, and more, view the full on-demand webinar today.