LAS VEGAS — “Start with yes.'”
That’s the advice to security teams from Dino Dai Zovi, mobile security lead at Square, giving the keynote on Wednesday at the 23rd annual Black Hat conference in Las Vegas.
Taking as a first principle the idea that security teams now have the ear of company boards and the C-suite, the challenge becomes figuring out how to communicate most effectively within this newly collaborative environment, and how to have the most impact organizationally.
One of the first things to do is to realize that in today’s software-centric world, where internal teams rely on software-as-a-service and the cloud for core missions, and where DevOps is becoming the norm, security must become a shared responsibility and resource. Thus, listening to the “asks” from different division leaders in terms of building security processes that don’t cause friction is in many ways Job 1 for dedicated security personnel.
“Saying ‘yes’ keeps the conversation going, keeps it collaborative and constructive, and opens the door for real change and real impact,” Dai Zovi noted.
Digging beyond this umbrella idea, Dai Zovi highlighted three transformational principles for boosting the impact of security within organizations. One: Work backward from the job to be done. Two: Seek and apply leverage, develop feedback loops and scale with software automation. And three: Understand that culture trumps strategy and tactics, every time.
Work Backwards from the Job
Jobs theory says that a job is both a function but also represents emotional context. Dai Zovi used the example of milkshake research at McDonalds. Market researchers found that most milkshakes were sold before 8:30 a.m., often as the only item, and via the drive through. In asking buyers what their motivation was, it turns out that they wanted something that would be easy to eat and would occupy a long commute.
“So the job the milkshake was doing wasn’t solving hunger, it’s alleviating boredom on a long commute,” Dai Zovi said. “Similarly, security teams need to determine what the job is to be done. Talk to internal teams, try to understand their struggles, what are they setting out to do, what adds friction and what makes things easier. When and why do they interact with security?”
In understanding what their “hiring” criteria is for a security solution (as well as the “firing criteria’) – it becomes possible to build agile way for the need at hand rather than spending time overlaying security principles that may or may not be useful, adopted or practical.
Seek and Apply Leverage
Dai Zovi also touched on the idea of how to have the most impact with limited resources. Taking Archimedes’ classic idea of using a lever as a force multiplier to lift an object much larger than oneself, it’s possible to see this play out in security, with automation as the lever.
“Security is still a small community, and the problems that we tackle can be huge,” he explained, using fuzzing for finding vulnerabilities as an example of scaling security’s effectiveness via automation. “We must work smarter, not just harder, through better software and better automation.”
He also stressed the importance of having automated feedback loops.
“We have to build them explicitly,” Dai Zovi said. “And, the tighter feedback loop wins. We have to build security services for observability, so you can understand if the protections are working and also perform anomaly detection. We have to be able to identify attackers when they’re probing, learning, attacking and succeeding.”
Culture > Strategy > Tactics
Culture is of course the term for what companies value and promote, and how its employees interact and communicate. Without a cultural shift towards embracing security, the technical aspects will fail despite best-laid plans.
“We in security are not outsiders anymore; we’re inside communities and companies,” Dai Zovi explained. “Now we need to use that access to improve things.”
He noted that making security a shared issue can go a long way to creating a safer organization. For instance, at Square, security engineers have to write code like everyone else.
“This created a cultural change – there’s a lot more collaboration and empathy for how people are operating,” Dai Zovi said. “A software engineering team would write security features, then actively go to the security team to talk about it and for advice. We want to develop generative cultures, where risk is shared. It’s everyone’s concern. If you build security responsibility into every team, you can scale much more powerfully than if security is only the security staff’s responsibility.”
This involves implementing a blame-free post-mortem process when it comes to responding to an anomaly or a vulnerability report.
“Turn these events into inquiries where you focus on getting at the root causes of the problems,” Dai Zovi said.
In the end, security teams should see themselves as an extension of internal teams, not a division apart.
“Instead of saying no, start with yes and here’s how we can help,” he said. “It’s all about cultivating empathy. It’s something you practice and grow. This is the way we meet the challenge of leveling up on security.”
Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.