CrankySec

Your Security Program Is Shit

It is. And everyone knows it. I know it, you know it, your nonna who got her identity stolen and is now on the hook for $100k worth of Ethcoin or whatever the fuck those things are called knows it, and your computer nerd with a little bit of charisma CISO knows it, too. Everyone in this industry loves to pretend otherwise, and we all knowingly and willingly keep the charade going. Why is that?

My hypothesis is simple: it's very easy to bullshit your way through the profession if you're not directly involved with the operational aspects of infosec. If you're directly involved with the operational aspects of infosec, you're probably too overworked and too underpaid to actively participate in this circus. But, if you're not... The whole world is your stage.

For the sake of argument, let's imagine this very common scenario: You're the director for all intents and purposes CISO of a, let's see, hospital. Your employer enjoys a near monopoly in your region, your clientele is not made up of folks who have much of a choice when they need the services you provide, and cybersecurity is not something they're particularly worried about. Sure, you have HIPAA and shit like that, but I'd be hard pressed to come up with a single example of average hospital goers who pick their healthcare providers based on cybersecurity maturity levels. "Help me! I got shot! Just don't take me to St. Mary of the Immaculate Fucks. Their SOC 2 had a qualified opinion!"

Your boss says "Hey, corporate wants us to become ISO 27thousandsomething certified. I don't know what the fuck that is, I don't care what the fuck that is, and I wouldn't give a shit about any of this were this not tied to my bonus. Here's ten dollars. Go see to it." You relay that message to your Gee Arrr Cee director (manager, functionally), and tell them to get it done. The barely manager director tells his managers (administrative assistants whose only form of managerial autonomy is approving PTO) to do a gAp AnAlYsIs, and assigns a project manager (lol) to "help."

After who knows how many hours of standups, Jira stories, sprints, and every other attempt by the project manager (sic) to Agile-ify shit not meant to be Agile, your team comes back to you with the news that shit's not looking so good. Not a single fucking control required by the standard is being met, there's no way in hell this company can get certified, and they have the receipts.

At least that's what Ms. Analyst With Technical Background And Twenty Years Of Experience says in this report that I didn't really read beyond page 3. What the fuck does this gal know anyway? If she was any good, she'd be director (manager) by now. You know what? Let's get a second opinion: get Deloitte on the horn! Hello? Deloitte? I need a "gap analysis" and a "ISO 27001 readiness consulting" pronto! 5 million dollars? Of course! That's the price of quality, knowledge, and expertise! A CPA with zero knowledge of technology in general or the things we use in particular is going to be here tomorrow? Fantastic. Their opinion is much more valuable than some individual contributor fuck who knows our shit inside out and has been here for 10 years. If they were any good, they'd be charging $5mil, and not the $78k/year we pay them. In fact, the Deloitte CPA's opinion is about 65 times more valuable, because $78k times 65 is about $5mil.

The CPA delivers their report, and man... Everything looks amazing. We're ready to go, bitches. Fuck those individual contributors contrarians. Deloitte > Our Cybersec Fucks. Get me some ISO certifying company that sources their auditors straight from those BSI ISO trainings that pump out Lead Auditors who can't even spell ISO, pronto!

The ISO auditor who doesn't know shit about shit pretends that they know what they're talking about, you pretend like you know what you're talking about, the people who actually do work are taken from their already busy day to participate in your little theater and try to explain what a CI/CD pipeline even is to a complete moron, you get your certificate, the auditor gets paid, the certifying company gets paid even more, Deloitte makes $5mil while having zero at stake, and everyone's happy. You bring your brand new certificate to your boss, y'all send a mass email patting yourselves on the back, you get a bonus and a promotion to CISO II (senior director), and Ms. Analyst With Technical Background And Twenty Years Of Experience gets a "Below expectations" performance review, gets put on a PIP, fails the PIP because PIPs are just "firing your ass with extra steps", and is now unemployed because she's a party pooper.

Your security program sucks because it's very similar to this one. The people who should know better don't give a shit, the opinions of an external idiot are more valuable than the opinions of the internal smart people, your CISO can't read a log to save his life but keeps getting promoted, and your rank and file are penalized for doing the right thing that just so happens to make the CISO look bad. They'll give $5mil to someone who's going to tell them what they want to hear (for $5mil I would, too), and they'll get rid of the people who tell the truth for $78k/yr.