CrankySec

Maybe... Try Not To Suck?

How have you guys been? Good, good. Listen, it's been a pretty crazy month. I started this blog just to get some shit off my chest, and I am truly overwhelmed by the response. Our Discord went from zero to over 500 users in a matter of weeks! It is a very lively forum. Vivacious, even! I'm very happy that we got to get the conversation about the sad state of cybersecurity going. I've been "featured" on Reddit! That's a huge milestone, boys! Even when they call me an unprofessional edgelord. Which is funny coming from a Redditor. On top of having fantastic debates about a bunch of things, we've been fundraising, supporting each other, and trying to get something of a guild/union/professional association off the ground. It takes a minute, but we're trying. If that sounds good to you, come over and join us.

That being said, I'll do all you 10-ply vCISOs a solid: I'll tell you the secret to a great cybersecurity program! You're welcome, big shooter! You start with the basics: wanting to do the right thing. Everything else will kinda trickle down from this simple but elusive first step. After you've decided that doing your job properly is a worthy pursuit, you need to know how to do your job. The dumbest thing you can do as a cybersecurity executive (lol) is to be non-technical. I'm sorry, but that's just the way things are. You cannot manage this thing if you don't know what this thing is or how this thing works. You need actual, verifiable, unequivocal technical chops. You can be a little rusty, feel like you've been out of the game for too long, and all that, but, if you know the fundamental principles of the job, you're just a few questions away from getting up to speed. There's a bit of a speed bump here, though: this requires self-awareness, humility, and acknowledging that you don't know everything. Tall order for senior managers and CISOs, I know... But give it a try. I've served under executives who had absolutely no idea what they were talking about, and their answer to every problem was a Jira board inside a Confluence page. This doesn't work. And this makes people mad. They don't tell you to fuck right off because they like the fine things in life like rent, groceries, HVAC, and running water. On their behalf, and in no uncertain terms: get fucked. And fuck Atlassian, too.

Assuming you managed to do that, what's next? Well, the next step is also extremely demanding, but I'm sure you can do it: listen to your people. They are there every day trying to keep the vessel afloat; they know what's going on, what works, and what doesn't. Especially the people who rock the boat.

"If you really don't care you aren't going to know it's wrong. The thought'll never occur to you. The act of pronouncing it wrong's a form of caring."

Listening to your people comes with a bonus! You'll be able to tell who knows their shit, and who's completely lost and/or pretending because all they know is how to pick one sentence out of 5 options in a multiple-choice test. You know what I'm talking about. Those guys. If the majority of your people are faking their way through the profession, you need to hire better than that. Hey! Idea! Come over to our Discord, lurk around, get a sense of the vibes, and hire from there. I can assure you that you'll get a better hire than some doofus on LinkedIn whose greatest display of knowledge is a one-pager describing how a TLS handshake works. And that one-pager is wrong, of course.

If you do those things, you'll be well on your way to a serviceable cybersecurity program! Congrats. You're not done yet, good buddy. Let's move on. Next, you want to know what the fuck you're even protecting. Geez, how do you do that? Well, bardownski, you can get an inventory going, and make sure the things you should be worrying about are actually in it. Easier said than done? Of course, you dumbass. Everything is easier said than done. It doesn't negate the need to say it. One quick tip is to get everyone to oversee the work of everyone else. Your developers don't develop without the proper documentation. Your DevOps don't DevOp without the code being reviewed. Your networking guys don't add new devices to the network without those devices being inventoried. Your IAM boys don't modify roles without the change being documented and leaving a proper audit trail. And someone should be tasked with overseeing all of this. Internal audit is a good bet. But they have to know what they're doing, too.

You've got your team, you've got a list of things you need to protect, and you've got the willpower to do it. Now what? Now figure out your cybersecurity requirements, and do a fucking risk assessment that is not a useless piece of paper you show to some incredibly stupid/complacent auditor. Do it for real. Use a proper methodology. Come out of this process with actionable stuff. Use controls frameworks that make sense to you. Get in the habit of checking those controls to see if they're working as they should. GRC people worth a damn know how to do those things. Interviewing for a GRC position? Ask how they would go about this. Ask them to give you the play by play. If the answer is too far away from what I've described, they're not good. Even worse: They could be CRISC.
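Here's what "checking those controls to see if they're working" looks like when it's more than a checkbox, tying together the inventory point above (devices on the network must be inventoried, role changes must leave an audit trail) and the control-testing point. This is an added example, not code from the post or from any real program: the inventory, the simplified "ip mac hostname" lease format, the IAM event format and the change-ticket IDs are all constructed for illustration. Two checks, each returning the exceptions, which is what you actually want out of a control test.

```python
"""Two small control tests: inventory completeness and change-audit coverage.

Constructed example. The inventory, lease table, IAM events and approved
change IDs below are made up for illustration and come from no real system.
"""

# Constructed asset inventory (what the CMDB claims exists), keyed by MAC.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"hostname": "web-01", "owner": "platform"},
    "aa:bb:cc:00:00:02": {"hostname": "db-01", "owner": "data"},
    "aa:bb:cc:00:00:03": {"hostname": "jump-01", "owner": "secops"},
}

# Constructed DHCP lease dump in a simplified "ip mac hostname" format
# (assumed for the example; a real dhcpd leases file is more verbose).
DHCP_LEASES = """\
10.0.1.10 aa:bb:cc:00:00:01 web-01
10.0.1.11 aa:bb:cc:00:00:02 db-01
10.0.1.12 aa:bb:cc:00:00:03 jump-01
10.0.1.50 DE:AD:BE:EF:00:01 raspberrypi
10.0.1.51 de:ad:be:ef:00:02 -
"""

# Constructed IAM role-change events. Each is supposed to carry a reference
# to an approved change record; the event format is assumed for the example.
IAM_EVENTS = [
    {"event_id": "e1", "actor": "alice", "role": "prod-admin", "action": "attach_policy", "change_ref": "CHG-1001"},
    {"event_id": "e2", "actor": "bob", "role": "billing-ro", "action": "detach_policy", "change_ref": "CHG-1002"},
    {"event_id": "e3", "actor": "carol", "role": "prod-admin", "action": "attach_policy", "change_ref": None},
    {"event_id": "e4", "actor": "alice", "role": "ci-deploy", "action": "attach_policy", "change_ref": "CHG-9999"},
]
APPROVED_CHANGES = {"CHG-1001", "CHG-1002"}


def parse_leases(text):
    """Return {mac: (ip, hostname)} from the simplified lease format above.

    MACs are lower-cased so a differently-cased entry can't dodge the check.
    """
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines instead of crashing
        ip, mac, hostname = parts
        seen[mac.lower()] = (ip, hostname)
    return seen


def unknown_devices(inventory, leases):
    """Control test: every device holding a lease must be in the inventory.

    Returns a sorted list of (mac, ip, hostname) for devices the network
    sees but the inventory does not know about. Empty list means PASS.
    """
    return sorted(
        (mac, ip, hostname)
        for mac, (ip, hostname) in leases.items()
        if mac not in inventory
    )


def untracked_role_changes(events, approved):
    """Control test: every IAM role change must reference an approved change.

    Returns event IDs with no change reference, or with one that was never
    approved (a made-up ticket number is as bad as none). Empty means PASS.
    """
    return [
        ev["event_id"]
        for ev in events
        if ev["change_ref"] is None or ev["change_ref"] not in approved
    ]


def run_control_checks():
    """Run both tests and return the exceptions per control."""
    leases = parse_leases(DHCP_LEASES)
    return {
        "unknown_devices": unknown_devices(INVENTORY, leases),
        "untracked_role_changes": untracked_role_changes(IAM_EVENTS, APPROVED_CHANGES),
    }


if __name__ == "__main__":
    for control, hits in run_control_checks().items():
        print(f"{control}: {'PASS' if not hits else 'FAIL'} {hits}")
```

On the constructed data this flags two devices nobody inventoried (a Raspberry Pi and a nameless box) and two role changes with no approved change behind them, one of them pointing at a ticket that doesn't exist. Swap the constructed inputs for a real CMDB export, a real lease table and a real IAM event feed, run it on a schedule, and the findings become inputs for the people who own those controls instead of a line in an audit binder.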

Notice something missing? Yep. Not a single mention of AI or Machine Learning or LLMs or shit like that. That's because these are tools you can use to help get everything else under control. I suspect carpenters don't spend 95% of their time talking about, I don't know, orbital sanders. They need to sand shit. How they sand said shit is mainly inconsequential when you look at the big picture. It's about making things, not sanding things. Or maybe they do spend 95% of their time talking about orbital sanders, how the fuck should I know?

Still with me? Awesome. Now I want you to make a couple of synapses and think about how those things work together. The outputs of one team should be inputs to other teams. A pentest report by itself is useless. Blue team metrics by themselves are useless. Threat models that don't turn into actions are worthless. Risk assessments that don't help the big honchos make decisions are a fucking waste of everyone's time. But when you link those things together... magic happens. Things start making sense. You realize that you've had a gigantic toolbox all along, you just didn't know how to drive a nail. This shit is easy, my guys. It's a lot of work, but it's not rocket science. Shit, not even rocket science is rocket science, let alone a functional security program. You can do it, big boy.