LAS VEGAS--In any kind of relationship, whether it’s person-to-person, organization-to-organization, or computer-to-computer, effective communication is the foundation of success. Applying that principle to the relationship between security teams and the rest of the organization has proved challenging for many enterprises, but improving communication and understanding could be the key to turning the tide for defenders.
“Communication is just transmitting information between humans. Risks are shared. If you can reinforce that security is everyone’s job, you can move toward a more generative culture,” Dino Dai Zovi, mobile security lead at Square, said during his keynote speech at the Black Hat USA conference here Wednesday.
In many enterprises, the security team is walled off from much of the rest of the organization, sometimes including the software and engineering groups. This is mostly due to the nature of the security team’s job and the responsibility it has for protecting the organization from both internal and external threats. But that separation can lead to a variety of problems, including misunderstandings of how the security team operates, rivalries with other teams, and, most dangerously, a feeling among other employees that security is only that one team’s responsibility. That mentality can be difficult to move away from, but doing so can produce a number of benefits.
Early in his security career, Dai Zovi spent much of his time as an offensive security researcher, looking for new and interesting ways to break software. His knowledge of the way software worked and failed naturally colored the way he looked at both software development and security. But when he joined a corporate security team, he found that the security engineers were expected to write code, just like the software developers.
“I thought, why do I have to do this? Why can’t someone else do it? But then I saw the cultural change it caused and that changed my mind. Because the security team wrote code like everyone else, there was a lot more empathy for how things work,” he said.
Understanding the way that the software teams worked gave Dai Zovi more insight into what their needs were, and also a better perspective on how they thought about security. Many people only think about security when something goes wrong or when a defensive measure gets in the way of something they’re trying to do. Better communication about what security teams do and the challenges they face can help people change their mindset and consider security part of their own job functions. But the reverse is true as well: security teams can benefit greatly from listening to internal customers and figuring out what their challenges and concerns are.
“We need to understand internal customer teams to understand how they work each day, and ask them when and why they hire security and how they’d like to interact with security,” Dai Zovi said. “We’re still a really small community, but the problems we tackle are huge. By learning how to seek and apply leverage, we can better scale and meet those challenges.”
Misperception about how security works and what teams and technology can and can’t do is one of the major challenges many security groups face, and Dai Zovi said that effectively communicating the abilities and limits of both people and technology is one of the keys to improving the security posture of any organization. An avid skydiver, Dai Zovi said that fearlessness is not what gets jumpers out the door of the plane. It’s the confidence that they’ve been trained correctly and have the right tools to succeed.
“Skydivers aren’t not afraid. They just know how to manage it better,” he said.