The better team does not always win.
The most qualified applicant does not always get the job.
The strongest warrior doesn’t always win the battle.
We see this reality most clearly in sports. Upsets happen all the time. Underdogs beat the favorites.
For example, the Oakland Raiders rolled into FedEx field last Sunday night in Landover, Md., expecting to crush the (supposedly weaker) Washington Redskins. Most experts predicted an easy Oakland win, but to most everyone’s surprise, Washington dominated the game — winning 27-10. Just another NFL weekend you say?
More substantial sports upsets are recorded in history going back decades, such as Chaminade’s (David vs. Goliath huge) 1982 victory over Virginia in college basketball or the USA Olympic Hockey Team’s “Miracle on Ice” beating Russia in hockey in 1980.
But why? Why do the most talented professionals, the best sports and other teams, those who understand what it takes to get the job done right, still fail?
It may be that the underdog works harder, is clever (Trojan Horse-style), perseveres longer, does better research or has a better game-plan.
Sometimes, the favorite team is overconfident or underestimates his/her adversaries. They don’t bring their “A-players.” Or the “A-players” don’t bring their “A-game.”
We’ve heard it hundreds of times: Pride comes before a fall.
I like this clip from the movie The Patriot, in which Mel Gibson dramatically illustrates the point that pride can be a weakness, even in war:
Data Breach Lessons
But what does any of this have to do with data breaches or recent enterprise security incidents?
The conventional wisdom says the opposite is true. Overconfidence should be the last thing on the minds of any cybersecurity pros in the world right now. Companies are being hacked daily, so why even mention hubris (or excessive pride) and cyber in the same sentence?
There are many great articles showing how cybersecurity is in trouble because we are out-gunned online. The common storyline is that the bad guy hackers are too good — right? We are facing nation-state experts who can go beyond anything we can possibly stop.
Typical chief information security officer (CISO) answers include needing more dollars for cyberprograms, more talent, more cybersecurity wake-up calls, better technology, more centers of excellence and accelerated public attention on all cybertopics at home and work.
Further, there are an untold number of lists of lessons learned after Equifax for companies and individuals which seem to point in lots of other directions. I really like this blog from Forrester outlining the conventional wisdom after the “B2B Breach Trifecta: Equifax, SEC, and Deloitte.”
Yes — I agree with most of the advice on these lists. No — I have not changed my mind on the global state of our cyberchallenges. Many black hat hackers and nation-state actors are very good at using zero-day malware or sophisticated techniques to get around the best defenses.
But I believe we also need to look at other people and culture issues, because I don’t think these lists adequately answer some basic security questions for enterprises.
Questions like: Why did Equifax not patch a well-known vulnerability that led to the massive breach?
Were these just unlucky one-off mistakes by a select few staff?
These situations led to significant data breaches, and there has been plenty of media ridicule and online name-calling as a result of these incidents. Many are questioning the qualifications of the specific people doing the work (or their leadership) or mocking their experts for not doing what they have told others to do.
Yes — huge mistakes were made, but I’m not going to pick on specific individuals or their resumes. I have seen similar mistakes made by governments and private companies all over the world — albeit often with much less at stake.
But going back to the list of questions above, do we truly believe that Equifax, or the SEC or Deloitte (or for that matter OPM or Target or Yahoo or a long list of other top global companies and governments) did not have (or could not get) adequate resources to address their cyberproblems before these incidents occurred?
I have worked with experts at companies such as Deloitte and other top consulting firms, and I know they have smart, well-qualified consultants who know what to do to prevent these and other types of data breaches. They make billions of dollars in profits every year, so I don’t believe that they were lacking in global corporate resources for email.
Now whether management thought that more attention to detail was necessary, or deployed the right people, processes and technology at the right places is another matter — and goes to the heart of my comments on IT culture below.
While resource and cybertalent concerns certainly exist for many smaller companies and governments, these top organizations are supposed to be the best and the brightest, the standard for excellence. They understand the risks, and (in other parts of the organization) even teach cyber best practices to others. So why could they not prevent these straightforward issues that led to the data breaches?
No doubt, it’s sometimes an easy out to say: “the bad guys are just too good.” I think the real answer is sometimes a culture of IT pride and individual practices that are prevalent in many top-tier organizations — and yes I am referring to the top consulting firms, tech companies, and three-letter government agencies in Washington, D.C.
I am not talking about striving for excellence, pride of skill or craft or profession, being “proud of a job well done” or the great feeling of being proud of your child for bringing home straight A’s on their report card.
No, this is a blind spot type of pride that plays out as overconfidence and/or a lack of preparation and/or a not “bringing your A-game” into a situation in many of the same respects as good sports teams get beat by lesser opponents.
But before I provide a list of specific ways that I believe that this issue can play out and what we can do about it, I want to say that this topic is by no means new. I have personally seen this challenge come up plenty of times during my career — in both vendor partners and in award-winning government security teams.
Back in 2010, I wrote about some of the people-oriented problems that cause security pros (and teams) to fail, along with aspects of this particular problem in the CSO blogs titled: “Not enough humble pie” and “Are you an insider threat?”
Nor is this topic limited to security. Similar issues can occur in almost any professional IT role, and I’ve seen professional overconfidence lead to network and email outages, backups going bad, poor code being written and many other technology issues and concerns.
How overconfidence can impact organizational security and cause data breaches
Here are some of the ways that executive management and technology and security pros fail under the banner of pride or overconfidence — possibly even leading to negligence:
- Not putting the right person or the right team(s) on the right task(s). Or doing the proper things initially but pulling them off and bringing in the B-team or C-team. Or using college interns to run things over the weekend or during vacations to save money. Note: Top tech firms and consultants want to place their top players where they can be billed for top dollars. Oftentimes, that is not the system administrator for email or internal staff who patch security vulnerabilities.
- Not fully implanting tools, processes or procedures. Or not enforcing policies — (such as allowing enterprise email administrators to forego 2-factor authentication.) Not training as you should. Note: This challenge can flow from professional pride because some think that they “wrote the book” and already know this stuff and can break their own rules. Or as Morpheus said in the movie The Matrix: “There’s a difference between knowing the path and walking the path.”
- Underestimating your adversary, while overestimating a technology tool’s ability to stop incidents with junior staff. Therefore, not preparing properly to implement new projects. Professional negligence.
- Qualified staff not bringing their “A-game” for any personal or professional reason. The old “Been there done that, got the T-shirt” mentality. Or, “I know the risk, but it’s fine.” Really? Are you sure?
- Executive management assuming that everything is being done right — because millions of dollars are being spent on cybersecurity. Management thinks: “We’ve got this covered. We are the best! It won’t happen to us.” Or management not paying for awareness or technical training or new activity because they don’t understand the risks and mitigation steps being taken.
- Assumption that the outsourced function (by support vendor or their team) is taking care of things properly (overconfidence in vendor’s ability) — without understanding that you can’t outsource the responsibility.
- Staff not wanting to ask the questions that need to be asked out of fear of reprisal and/or telling their management things that could get them disciplined. Note: Overconfident management can also ignore warnings that they have heard from staff before because staff seem to be “crying wolf.”
- Not willing to change with the times regarding security tools and techniques when cyberattacks change. Maintaining the old saying: “We’ve always done it that way.”
- Burned-out teams, but management doesn’t see it. Executives believe you’ve done incident response miracles in the past, so you’ll somehow do it again. But now the team is worn-out and ill-quipped to keep performing at a top level. Good management understands that cyberincident response teams can only go for so long, just as when emergency management teams respond to hurricanes Harvey, Irma and now Maria recoveries.
- Lack of understanding what talent you really have left. Yes, you were the best a few years back, but perhaps your top cybertalent left. Some managers don’t want the executives to know that they are in trouble. The executives are still proud of the trophies won a few years back, but they are about to get a rude awakening.
I agree that there are times when top teams bring their A-game and still get beat by Russia or China or some other hacker A-team. The best players and tools and processes and overall cyber defense can certainly be overmatched despite an organization’s best efforts.
But that is not what happens in a large percentage of cyberincidents.
Based on what’s been revealed, the data breaches at Equifax and Deloitte were avoidable, and the enterprise leadership had the ability (people, processes and technology) to stop the bad guys. I don’t know enough details about the SEC data breach to make that same statement, but many other headline data breaches could have been stopped with available tools and ongoing vigilance.
Moving forward, executives must collectively look in the mirror and recognize that we can do better. With cyber best practices being followed, such as: good patching, proper cyberhygiene, the basic cyberblocking and tackling tasks, updated security awareness training for all staff, and implementing the cyberframework checklists from NIST and others, many more data breaches can be avoided.
And my message to cybersecurity pros is this: Stay humble and vigilant. You never know what or who is around the next corner.