Building Better Internal Relationships

By Mark St. John

We’ve come a long way as an industry. Time moves fast when you get older. It seems like yesterday I was trying to convince people of the value of doing basic network segmentation across data centers. These days, the conversation has accelerated into discussing segmentation across multiple, highly scalable, constantly evolving microsystems and services. It’s a lot to understand, let alone learn enough to properly communicate and arm your organization with proper controls.

Being the security advocate for your organization has gotten somewhat more manageable; however, our seat at the table is still one of a recognized burden. We have to be there, we have to say things people do not want to hear, and we have to accept when those things aren’t taken into action for whatever reason.

I want to share a few statements that help me keep perspective when talking to non-security folks about issues I care about.

Security is a cost center Security is always slower than technology

Once you accept these two basic statements, you can apply a different perspective when approaching issues you want to tackle.

Security is a cost center

Yes, financially, our tools and people are pricey, but as expensive is our operational costs to other teams’ time. We are continually asking them to build restrictions on deploying systems, add complexities to their daily workflows and fix broken windows as we discover them. When we find exposures and vulnerabilities, we can never have them addressed fast enough in our minds. What is important to us may not carry the same weight as other business units. The cost of a patch could greatly outweigh the efforts; the cost of building a fancy new SPAN network for enhanced visibility requires lift and upkeep, the cost of deploying EDM adds resource consumption to end-users and admins.

Remember this when you start rummaging through the latest round of things that need triage. This is what goes on in people’s heads when you reach out to them, “more work.” Taking additional steps to ensure you bring as much clarity and information as possible when presenting these and understanding their hesitations and push-back goes a long way in building relationships. We like to think of security as moving to a project management role, where you need to champion the fixes, not just disseminate them.

Security is always slower than technology

We can build and deploy software across organizations and to our phones almost instantly. Developers can push updates with F1 racer speeds and users these days are (mostly) lucky to have this kind of support system behind them. Developers have the support of admins and SREs who give them faster, more resilient ways to deploy. Admins and SREs have plans that provide them with the ability to build that scale almost on demand.

Where does that leave the security team?

At the mercy of communications, discovery, and accurate context. It is no secret that at AlphaWave, we feel security starts with well-documented inventory. A single change in a DNS record can have a cascading effect on new systems exposed to the Internet(communications). A new package deployed may present a fresh exposure, such as a loosely configured storage bucket(discovery). These scenarios require the security operator to acquire proper context on the changes and the infrastructure involved to gather the appropriate people to communicate the appropriate gameplan to mitigate future damage.

The vulnerability management life cycle isn’t a new concept; it just needs to be updated to consider the human elements and the dynamic environments that have grown beneath it. You can get ahead of these problems by continually auditing and documenting your environment, changes to it, and working in tandem with your coworkers to build an understanding of why you feel something needs to be addressed. Arm your team with the ability to have informed conversations and disarm any pants-on-fire chats. This is how we continue to ease the burden!

If you have any questions on how to continually assess and improve your Internet-facing inventory and attack surface, please reach out to us!