I was recently asked by a consultancy firm to provide a keynote talking about the challenges I had faced as a security leader during my career and how the consultancy could start thinking about how to help people in my position. I appreciated the customer-first orientation they were adopting, refreshing in a world of consultancies that have a habit of leading sales engagements with why it would be both foolish and dangerous not to buy their off-the-shelf industrialised services that were designed for smaller more focused firms with less in-house capability.
Large global enterprises share much in common but the key themes of concern for a security leader in my experience are:
- Complexity (the old enemy of security),
- Availability of the right people and
Complexity is a concern both in terms of how the business operates and especially how the technology supports the business. Large enterprises, especially old large enterprises, accumulate teams, processes and technology. Stopping or slowing down activity to manage that increase in complexity means not driving growth. Funds and people dedicated to paying down debt are not generating new value. Systems that service old products or services for which no new sales will be made have no economic justification for further investment unless it will significantly reduce costs. An 18-month forward pipeline of development activity supporting new business growth is not going to be derailed to fix technical or security debt without a very good reason.
People often talk about the risk ‘formula’ Threat x Vulnerability x Impact as the key concept for understanding how to manage security. Putting aside the fact that the risk formula distorts our prioritisation activities (a blog for another day), it isn’t the most important concept for understanding security. This is:
More Data x More Connections x More Time.
Data grows exponentially, especially in the new digital world, and is both an asset and a liability. Connections, whether that be customers, partners or stakeholders, grow very quickly and for a large business that plans to continue generating value for a long time to come the length of time itself is an issue that an equivalent start-up just doesn’t have to consider. The complexity grows and grows.
Most enterprise technology platforms are designed for thousands of users; they creak at tens of thousands of users and fail at hundreds of thousands of users. Large enterprises end up with patchworks of creaking platforms that support tens of thousands to hundreds of thousands of users. The management of these platforms at scales beyond a few thousand users is hard, messy and requires close attention from skilled people. There is a reason that the cloud companies have reinvented their technology stacks from top to bottom: there is no way you could build Google or Amazon on enterprise technology as it is sold right now.
When you hit tens of thousands of staff you end up with extensive management organisations, decisions at the very top of the business take months to implement and the detail of execution means few if any at the top are likely to have a clear view of what is actually being done ‘on the ground’. Just describing what a large enterprise wants to do is an exercise in simplification to the point that someone somewhere does not recognise how their particular job fits into that corporate strategy. There is always duplication, there is always inefficiency. The unexpected upside is that sometimes that inefficiency gives you unexpected pockets of capacity in a crisis that contributes towards big organisations being more resilient than smaller organisations.
Scaling anything up to a large enterprise isn’t insurmountable but it is a key challenge.
Despite having large numbers of staff, having the right people is itself a challenge. By right I mean they have the right skills, they understand how the organisation works and its needs, they have the right authorisation, they are in the right location and they have enough time in the day to execute the task. Throwing contractors or consultants at a problem doesn’t work: if you’re lucky and they have the skills and are in the right place, they probably don’t understand the organisation, so they will need that rarer set of people to support them in any case. Hiring people means waiting six to nine months to go through the hiring cycle and for them to get to a useful state.
Any large, regulated enterprise is going to have developed cultural issues with security over time. A common response by boards and executive management to security issues is simply not to tolerate them, to ensure they are fixed. That sounds great until you realise the unintended side effects, which can include:
- Good news culture: Executive management expect to get reports of issues that were found and fixed. Management report the good fixes they have delivered and downplay the systemic or long running issues.
- Lack of transparency: No-one wants to transparently report their issues because they will get forced to prioritise them over other work.
- Fixes over Improvements: Fixes must be applied, but previous solutions are left to rot away while new fixes and solutions are applied.
Paradoxically, by trying not to take risks, the organisation ends up with a huge unaddressed risk profile for security. Part of the driver for these sorts of cultural issues is a lack of understanding that you cannot have a risk appetite of nothing: you have to take security risk somewhere, but conversely you have to actively manage the risks you take. Culture can be changed, but it is the hardest and longest-term challenge of the list.
These are the strategic challenges of effectively delivering and managing security in a large enterprise: complexity, scale, people and culture. How does your product or service reduce complexity, handle scale and support the people? Do you know what impact your product or service is going to have on my culture? That’s the sales pitch I listen for.